[Openswan Users] Netfilter/conntrack

David Coulson david at davidcoulson.net
Thu Jan 20 18:12:44 CET 2005



Jason Sigurdur wrote:

> Hi, I have just noticed that with using the following rules on my external
> interface that the IPsec "ESP" packets go through the 'ESTABLISHED,RELATED'
> rule. If I comment out the lines with the -p 50 and -p 51 and restart ipsec
> it still uses the 'ESTABLISHED RELATED' rule?
> 
> What is happening here?

Check /proc/net/ip_conntrack. Restarting IPSec won't drop the tracked 
ESP/AH/IKEKMP connections from the kernel.

David
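
Added example, not part of the original thread: a small filter that lists the tracked ESP, AH and IKE entries in the conntrack table, which are what keep matching the 'ESTABLISHED,RELATED' rule after an IPsec restart. The function names and the sample lines are constructed for illustration, and the sample assumes the generic tracker prints ESP as `unknown 50`.

```shell
#!/bin/sh
# Constructed sample lines in the /proc/net/ip_conntrack layout (assumed format:
# name, protocol number, remaining timeout, then original and reply tuples).
sample_conntrack() {
cat <<'EOF'
tcp      6 431990 ESTABLISHED src=192.0.2.10 dst=198.51.100.7 sport=40112 dport=22 src=198.51.100.7 dst=192.0.2.10 sport=22 dport=40112 [ASSURED] use=1
udp      17 175 src=192.0.2.10 dst=203.0.113.5 sport=500 dport=500 src=203.0.113.5 dst=192.0.2.10 sport=500 dport=500 [ASSURED] use=1
unknown  50 598 src=203.0.113.5 dst=192.0.2.10 src=192.0.2.10 dst=203.0.113.5 use=1
udp      17 20 src=192.0.2.10 dst=192.0.2.1 sport=33211 dport=53 src=192.0.2.1 dst=192.0.2.10 sport=53 dport=33211 use=1
EOF
}

# ipsec_conntrack [FILE|-]  (hypothetical helper)
# Prints one line per tracked ESP (proto 50), AH (proto 51) or IKE (udp/500)
# entry: kind, original-direction source and destination, remaining timeout.
ipsec_conntrack() {
    awk '
    {
        proto = $2; ttl = $3; src = dst = dport = ""
        # Keep only the first (original-direction) tuple; ignore the reply tuple.
        for (i = 4; i <= NF; i++) {
            if (src == "" && $i ~ /^src=/) src = substr($i, 5)
            else if (dst == "" && $i ~ /^dst=/) dst = substr($i, 5)
            else if (dport == "" && $i ~ /^dport=/) dport = substr($i, 7)
        }
        kind = ""
        if (proto == 50) kind = "ESP"
        else if (proto == 51) kind = "AH"
        else if (proto == 17 && dport == 500) kind = "IKE"
        if (kind != "") printf "%s %s -> %s timeout=%ss\n", kind, src, dst, ttl
    }' "${1:-/proc/net/ip_conntrack}"
}

# Demo on the constructed sample; on a live gateway call ipsec_conntrack with
# no argument, before and after restarting IPsec, and compare the output.
sample_conntrack | ipsec_conntrack -
```

Entries that are still listed after the restart, with a non-zero timeout, are the tracked connections the reply refers to.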

