
Udppassivekeepalivehack

xelerance edited this page Feb 4, 2013 · 1 revision

UDPPassiveKeepAliveHack

by: sertys@estates.bg

UDP passive keep-alive scenario success

I have been dealing with mobile road warriors for quite some time. By mobile I mean the Nokia VPN client. Openswan works great with them, but connectivity is always an issue, and 3G/UMTS gateways are not always standards-compliant. I have been using mainly Nokia E51s/E71s with constant VPN connectivity. Using DPD is a great option to keep the tunnels alive and properly NAT-mapped, but it drains a lot of power. In good coverage the E51s would last 6-8 hours on constant connectivity; the E52s would last around 18-24 hours thanks to a bigger battery and better sleep-mode capabilities. I use a 120s DPD heartbeat delay, and anything above that makes the UMTS gateway “forget” the UDP hole.

I thought of the following dirty hack involving iptables and the TTL target (I was unwilling to modify the Openswan code). It is specific to the operator I use, but it can probably be deployed on any network. The idea is to modify the TTL on the ISAKMP NAT-keepalive packets so that each packet dies before it reaches the device.

iptables -t mangle -F OUTPUT
# A NAT-T keepalive is 20-byte IPv4 header + 8-byte UDP header + 1-byte 0xFF payload = 29 bytes total
iptables -t mangle -A OUTPUT -p udp --sport 4500 -d x.x.0.0/16 -m length --length 29 -j TTL --ttl-set 6
iptables -t mangle -A OUTPUT -p udp --sport 4500 -d x.x.0.0/16 -m length --length 29 -j ACCEPT
# The rule below is there because I do NOT want to send keepalives when devices are
# roaming on WLAN or on another operator whose routing I have no data about
iptables -t mangle -A OUTPUT -p udp --sport 4500 -m length --length 29 -j DROP

I’m using keep_alive=50s and force_natkeepalive=yes to emit the packets. The operator has 2 hops after the NAT gateway, which is the key to making this “hack” work: the packet keeps the UDP port hole open on the NAT and dies on the hop after it, so it never reaches the client device and does NOT drain its battery. Now my devices stay alive for 12-16 hours, given that I refresh connections very often. With fine tuning I think I might reach 24+ hours of non-stop connectivity.
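To sanity-check the two knobs in the rules above, the `--length 29` match and the TTL value, here is a small Python model. It is an added example, not code from the wiki page or from Openswan; the hop counts it uses are constructed, and `Path`, `simulate` and `usable_ttls` are names made up for this illustration.

```python
from dataclasses import dataclass

IPV4_HDR_LEN = 20
UDP_HDR_LEN = 8
NAT_KEEPALIVE_PAYLOAD = b"\xff"  # RFC 3948 NAT-T keepalive: a single 0xFF byte


def ipv4_total_length(udp_payload: bytes) -> int:
    """IPv4 total length as matched by iptables `-m length` (no IP options)."""
    return IPV4_HDR_LEN + UDP_HDR_LEN + len(udp_payload)


def classify_udp4500(payload: bytes) -> str:
    """Rough classification of a UDP/4500 payload."""
    if payload == NAT_KEEPALIVE_PAYLOAD:
        return "nat-keepalive"
    if len(payload) >= 4 and payload[:4] == b"\x00\x00\x00\x00":
        return "ike"  # non-ESP marker followed by an ISAKMP header
    if len(payload) >= 4:
        return "esp"  # UDP-encapsulated ESP starts with a non-zero SPI
    return "unknown"


@dataclass(frozen=True)
class Path:
    """Constructed topology: hop numbers counted from the VPN server."""
    hops_to_nat: int     # hop number of the operator's NAT gateway
    hops_after_nat: int  # routers between the NAT gateway and the client device


def simulate(path: Path, ttl: int):
    """Return (nat_refreshed, reached_client) for one keepalive sent with `ttl`.

    Assumption: the NAT refreshes its UDP mapping only when it forwards the
    packet, i.e. when the TTL is still > 0 after the NAT's own decrement."""
    refreshed = False
    for hop in range(1, path.hops_to_nat + path.hops_after_nat + 1):
        ttl -= 1
        if ttl == 0:  # this hop discards the packet (ICMP time exceeded)
            return refreshed, False
        if hop == path.hops_to_nat:
            refreshed = True  # NAT forwarded it, so the mapping timer is reset
    return refreshed, True


def usable_ttls(path: Path, max_ttl: int = 64):
    """TTLs that keep the mapping alive yet never reach the device ([] if impossible)."""
    return [t for t in range(1, max_ttl + 1) if simulate(path, t) == (True, False)]
```

With 2 hops after the NAT, exactly two TTL values satisfy both conditions; with no hop after the NAT the list is empty, meaning the hack cannot work on that path.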