[Openswan Users] ike and netfilter timeout

Michael Smith msmith at cbnco.com
Tue Jan 15 07:54:26 EST 2008

On Tue, 15 Jan 2008, Marco Berizzi wrote:

> Paul Wouters wrote:

> > don't you only care about this behind NAT, so then you are using
> > port 4500, which also sees the NAT IKE keepalives if there is
> > no traffic?

> Not only behind nat. Please see:
> http://lists.netfilter.org/pipermail/netfilter-devel/2006-March/023736.html

That's interesting - your local clients are grabbing port 500 because the 
state table on the firewall/VPN device has forgotten about its own 
connection? I haven't seen that yet, but I've seen it happen if the local 
client starts up before the firewall/VPN finishes booting. IKE keepalive 
wouldn't help there. You also have to worry about clients grabbing the NAT 
mapping for ESP (proto 50).

What I ended up doing is NATting only TCP, UDP and ICMP, instead of all 
IP, and forcing the port range above used ports:

iptables -t nat -A POSTROUTING -i "$indev" -o "$outdev"		\
	-p tcp -j SNAT --to-source "$localip":10000-50000

iptables -t nat -A POSTROUTING -i "$indev" -o "$outdev"		\
	-p udp -j SNAT --to-source "$localip":10000-50000

iptables -t nat -A POSTROUTING -i "$indev" -o "$outdev"		\
	-p icmp -j SNAT --to-source "$localip"


More information about the Users mailing list