Finding the optimal NAT Keepalive interval

udpnat is a useful tool to figure out the optimal interval for sending out UDP keepalive packets in a specific environment. From the description:

When a client sends UDP packets from behind a NAT, the NAT creates a temporary port mapping to allow the external server to send reply packets. If no UDP packets are seen after a given timeout, the port is reclaimed by the NAT, and the server can no longer reach the client.

This timeout becomes important on mobile devices, where waking up the radio has a battery impact. (If you send NAT keepalive packets too frequently, your battery drains quickly; if too sparsely, the NAT mapping will time out.)

NAT devices can have different timeouts, and you may not have access to their configuration details. This tool is designed to help you empirically derive that timeout. It operates in a “master” or “slave” mode. The master is responsible for sending a ping request and then sleeping. The slave passively replies to any incoming pings.

This tool can be useful for setting the natt_keepalive timer variable in racoon.conf when running an IPsec VPN in NAT-Traversal (NAT-T) mode.

Here is the output of my workstation behind a NAT gateway pinging remotehost.

./udpnat -h remotehost -p 9999
Outgoing packet to remotehost:9999
Started slave mode
Waiting for ping for just over 0 sec...
Received ping; sending reply!
Waiting for ping for just over 15 sec...
Received ping; sending reply!
Waiting for ping for just over 30 sec...
Received ping; sending reply!
Waiting for ping for just over 60 sec...
Received ping; sending reply!
Waiting for ping for just over 90 sec...
Received ping; sending reply!
Waiting for ping for just over 120 sec...
Received ping; sending reply!
Waiting for ping for just over 150 sec...
Received ping; sending reply!
Waiting for ping for just over 180 sec...
Received ping; sending reply!
Waiting for ping for just over 240 sec...
Received ping; sending reply!
Waiting for ping for just over 300 sec...
Failed with timeout

Apparently, my router (a not-so-young-anymore FritzBox 7270) closes UDP ports somewhere between 4 and 5 minutes of inactivity. Mobile networks usually have much shorter timeout values, somewhere between 1 and 2 minutes.

What can you do with this information? For example, strongSwan has a default NAT keepalive interval of 20 seconds. If you are confident that ports are kept open much longer than that, you could increase the length of this interval (via the charon.keep_alive key). This could have a positive effect on battery if you use a mobile VPN client.
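To make the master/slave probe and the resulting tuning decision concrete, here is an added example (my code, not udpnat's or strongSwan's) that simulates the procedure offline. The probe schedule is the one visible in the run above; the NAT model (a mapping is reclaimed after a fixed idle time, refreshed only by the client's outbound traffic), the private address used, and the 50% safety margin in recommend_keepalive are my own assumptions, not anything the page or the tools specify.

```python
"""Simulate the udpnat master/slave probe to locate a NAT's UDP mapping timeout.

Added example, not udpnat's own code. Assumptions: the probe schedule is the
one from the page's sample run; the NAT model (mapping reclaimed after
`timeout` idle seconds, refreshed only by the client's outbound packets) and
the 50% margin in recommend_keepalive are my simplifications.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Seconds the master sleeps before each ping, as seen in the page's output.
PROBE_SCHEDULE = [0, 15, 30, 60, 90, 120, 150, 180, 240, 300]

Endpoint = Tuple[str, int]


@dataclass
class SimulatedNat:
    """Minimal NAT: remembers when each client mapping last saw outbound traffic."""
    timeout: float
    mappings: Dict[Endpoint, float] = field(default_factory=dict)

    def outbound(self, client: Endpoint, now: float) -> None:
        # Any packet from the client (re)creates / refreshes its mapping.
        self.mappings[client] = now

    def inbound(self, client: Endpoint, now: float) -> bool:
        # Inbound traffic is delivered only while the mapping is still alive.
        last = self.mappings.get(client)
        if last is None or now - last > self.timeout:
            self.mappings.pop(client, None)  # NAT reclaims the port
            return False
        return True


def find_nat_timeout(nat: SimulatedNat, schedule=PROBE_SCHEDULE):
    """Run the probe; return (last interval that worked, first that failed).

    The second element is None when every interval in the schedule succeeded.
    """
    client: Endpoint = ("10.0.0.2", 40000)  # constructed private address
    now = 0.0
    nat.outbound(client, now)  # slave's initial packet opens the mapping
    last_ok: Optional[int] = None
    for wait in schedule:
        now += wait  # master sleeps, then pings
        if not nat.inbound(client, now):
            return last_ok, wait  # "Failed with timeout"
        nat.outbound(client, now)  # slave's reply refreshes the mapping
        last_ok = wait
    return last_ok, None


def recommend_keepalive(last_ok: int) -> int:
    """Keepalive interval with a safety margin (assumed policy: half of last_ok)."""
    return max(1, last_ok // 2)


def strongswan_conf_snippet(seconds: int) -> str:
    """Render the charon.keep_alive setting in strongswan.conf syntax."""
    return "charon {\n    keep_alive = %d\n}\n" % seconds


if __name__ == "__main__":
    # Constructed NAT with a 270 s idle timeout, between 4 and 5 minutes like the page's router.
    last_ok, first_fail = find_nat_timeout(SimulatedNat(timeout=270.0))
    print("last successful interval: %s s, first failure: %s s" % (last_ok, first_fail))
    print(strongswan_conf_snippet(recommend_keepalive(last_ok)))
```

Run it to see the same bracket the page's output gives (240 s works, 300 s fails) and the resulting `keep_alive` value; adjust `timeout` or the schedule to model a mobile carrier's shorter limits, where the bracket drops to one or two minutes.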

[via jsharkey.org]
