MOBIKE

The MOBIKE IKEv2 extension (RFC 4555) allows an initiator to change its network attachment point (e.g. roam to another interface or address) without re-establishing the IKE_SA and its CHILD_SAs.

strongSwan implements MOBIKE by watching interfaces, addresses and routes. If any of these change, route lookups are done to find a better path to the peer than the current one and, if necessary, the IKE_SA is moved to the new path with a MOBIKE update (an INFORMATIONAL exchange carrying the UPDATE_SA_ADDRESSES notify).

strongSwan uses MOBIKE by default whenever both peers announce support for it. It can be disabled on a per-connection basis by adding the parameter mobike = no to the corresponding connection definition in swanctl.conf.
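As an added example (not taken from the strongSwan documentation), the following swanctl.conf fragment defines two connections: one that keeps the default MOBIKE behaviour and one that disables it with mobike = no. All connection names, addresses, identities and certificate file names are hypothetical placeholders.

```conf
# Added example, not part of the strongSwan documentation.
# Connection names, addresses, IDs and certificate names are hypothetical.
connections {

    # A roaming client: MOBIKE stays enabled (the default), so the IKE_SA
    # survives a change of local interface or address.
    roaming-laptop {
        version = 2
        remote_addrs = vpn.example.org
        local {
            auth = pubkey
            certs = laptopCert.pem
            id = laptop.example.org
        }
        remote {
            auth = pubkey
            id = vpn.example.org
        }
        children {
            roadwarrior {
                local_ts = dynamic
                remote_ts = 10.2.0.0/24
                start_action = start
            }
        }
    }

    # A static site-to-site tunnel: the gateway never changes its address,
    # so MOBIKE is switched off for this connection only.
    branch-office {
        version = 2
        local_addrs = 192.0.2.10
        remote_addrs = 198.51.100.1
        # Disable the MOBIKE extension for this connection (default: yes).
        mobike = no
        local {
            auth = pubkey
            certs = branchCert.pem
            id = branch.example.org
        }
        remote {
            auth = pubkey
            id = hq.example.org
        }
        children {
            net {
                local_ts = 10.1.0.0/24
                remote_ts = 10.2.0.0/24
                start_action = start
            }
        }
    }
}
```

After editing the file, reload the connection definitions with swanctl --load-conns. Note that the mobike setting is only meaningful for IKEv2 connections (version = 2); it has no effect on IKEv1.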

Please note that when MOBIKE is enabled as initiator, strongSwan will switch to UDP port 4500 starting with the IKE_INTERMEDIATE or IKE_AUTH request, even if no NAT has been detected. Because the MOBIKE_SUPPORTED notify is only exchanged during IKE_AUTH, the initiator has to switch ports, according to RFC 4555, section 3.3, before it knows whether the peer supports the extension or not. Thus make sure that the NAT-traversal port UDP/4500 is open on any firewalls in the path, in addition to UDP/500 used by the initial IKE_SA_INIT exchange.