Hello,
I have been trying to test the new IKEv2 protocol fixes done in IOS 9 Beta 2.
I have been having an issue with the following setup:
Apple IPad --- Fw/Nat --- Internet --- Fw/NAT --- VPN Strongswan Gw
Basically, we go through two NAT firewalls to access the VPN gateway.
The connection works for both IKE_SA_INIT and IKE_AUTH, but the DPDs sent by the strongSwan gateway are ignored by the iPad or dropped (no logs seen on the device).
My question is:
- Is it possible that the IKEv2 DPD with a Notify (41) payload is ignored by the iPad when configured with NAT both on the client side (iPad) and on the server public side (i.e. the gateway is behind a NAT also)?
My configuration (ipsec.conf):
conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
    mobike=yes
    ike=aes256-sha256-modp1024,aes256-sha256
    esp=aes256-sha256-modp1024,aes256-sha256

# IKEv2, Pre-Shared Key, AES256-SHA256-MODP1024 (DH group 2)
conn road_ikev2_psk
    authby=secret
    rekey=yes
    dpdaction=clear
    left=%any
    leftsubnet=0.0.0.0/0
    leftsourceip=%cfg
    right=%any
    rightsourceip=10.50.50.10-10.50.50.20
    rightdns=XXX.XXX.XXX.XXX
    auto=add
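To check from a capture on the gateway whether the client answers the DPD probes at all (the question above), here is an added Python example, not part of this post or of strongSwan, that parses the outer IKEv2 header of UDP/4500 (NAT-T) datagrams and pairs the gateway's INFORMATIONAL requests with the client's responses by Message ID; the byte layout follows RFC 7296 section 3.1, and the trace it runs on is constructed, not a real capture.

```python
import struct
from collections import namedtuple

# Constants from RFC 7296 section 3.1 (IKEv2 header)
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # 4-byte prefix on UDP/4500 once NAT-T is in use
EXCH_INFORMATIONAL = 37               # a DPD probe is an (empty) INFORMATIONAL request
FLAG_INITIATOR = 0x08                 # sender is the original IKE SA initiator (the client here)
FLAG_RESPONSE = 0x20                  # message is a response
PAYLOAD_SK = 46                       # Encrypted payload; the DPD body is hidden inside it

IkeHeader = namedtuple("IkeHeader", "spi_i spi_r exchange from_initiator is_response msg_id")

def parse_ike_header(datagram: bytes) -> IkeHeader:
    """Parse the 28-byte IKEv2 header of a UDP/4500 datagram after stripping the non-ESP marker."""
    if datagram[:4] != NON_ESP_MARKER:
        raise ValueError("no non-ESP marker: ESP-in-UDP or not a NAT-T IKE datagram")
    spi_i, spi_r, _np, ver, exch, flags, mid, _len = struct.unpack("!8s8sBBBBII", datagram[4:32])
    if ver >> 4 != 2:
        raise ValueError("major version %d is not IKEv2" % (ver >> 4))
    return IkeHeader(spi_i, spi_r, exch, bool(flags & FLAG_INITIATOR), bool(flags & FLAG_RESPONSE), mid)

def unanswered_gateway_dpd(datagrams: list) -> list:
    """Message IDs of INFORMATIONAL requests from the responder (gateway) that never got a response."""
    requests, responses = set(), set()
    for d in datagrams:
        h = parse_ike_header(d)
        if h.exchange != EXCH_INFORMATIONAL:
            continue
        if not h.from_initiator and not h.is_response:
            requests.add(h.msg_id)    # gateway -> client probe; retransmits reuse the same ID
        elif h.from_initiator and h.is_response:
            responses.add(h.msg_id)   # client -> gateway answer
    return sorted(requests - responses)

def build_ike(spi_i: bytes, spi_r: bytes, flags: int, msg_id: int, body: bytes = b"\x00" * 16) -> bytes:
    """Constructed INFORMATIONAL datagram for the sample trace below (not a real capture)."""
    hdr = struct.pack("!8s8sBBBBII", spi_i, spi_r, PAYLOAD_SK, 0x20, EXCH_INFORMATIONAL, flags, msg_id, 28 + len(body))
    return NON_ESP_MARKER + hdr + body

SPI_I, SPI_R = bytes.fromhex("0102030405060708"), bytes.fromhex("1112131415161718")
SAMPLE_TRACE = [  # constructed: DPD 2 answered; DPD 3 sent twice (retransmit) and never answered
    build_ike(SPI_I, SPI_R, 0, 2),
    build_ike(SPI_I, SPI_R, FLAG_INITIATOR | FLAG_RESPONSE, 2),
    build_ike(SPI_I, SPI_R, 0, 3),
    build_ike(SPI_I, SPI_R, 0, 3),
]
# unanswered_gateway_dpd(SAMPLE_TRACE) -> [3]
```

With two NATs in the path, a probe that reaches the client but whose response is lost at either NAT looks identical in a gateway-side capture to one the client ignored, so a second capture on the client's LAN side is what tells the two cases apart.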