[Openswan Users] Asynchronous network error w/ Android 2.3 and NAT on both sides

Paul Wouters paul at nohats.ca
Tue Feb 21 20:39:14 EST 2012


On Wed, 22 Feb 2012, Corrado Primier wrote:

> I did a more thorough tcpdump session, and noticed that it's a
> client-side router problem: the client sends the IKE request, the
> router replies and then nothing more comes back. I tried setting up
> the client router so that it forcefully forwards port 500 to the
> Android device and, lo and behold, everything works fine.

It's called "IPsec passthrough". Those devices should be thrown out.

> Now my thought is: is this right? Since both the source and
> destination ports are the same, if the packets are correctly seen as
> related by the router they should be forwarded to the client
> automatically, shouldn't they? That's what I suppose anyway, since
> every other connection works bi-directionally, but maybe the router
> doesn't get this because we're using UDP here.

It tries to "help".

> Since this happened to me on a few NATted connections I wonder if
> there's a way to move the IKE handshake to TCP, and if this idea makes
> sense anyway...

> Now, about this last idea of mine... this obviously means that the
> Android device should try the connection on the ISAKMP TCP port, and I
> don't think it is able to. Is it a lost cause?

There is no ISAKMP TCP port. Cisco tunnels over tcp port 10000 but
that's not an IETF standard.

It's an arms race. If people block port 500/4500 because they don't
want VPN, and TCP 10000 works, then if too many do that they will
block that port. Then we have to move again, until we have turned
into Skype.

Paul

