[Openswan Users] ike and netfilter timeout
Michael Smith
msmith at cbnco.com
Tue Jan 15 07:54:26 EST 2008
On Tue, 15 Jan 2008, Marco Berizzi wrote:
> Paul Wouters wrote:
> > don't you only care about this behind NAT, so then you are using
> > port 4500, which also sees the NAT IKE keepalives if there is
> > no traffic?
> Not only behind nat. Please see:
>
> http://lists.netfilter.org/pipermail/netfilter-devel/2006-March/023736.html
That's interesting - your local clients are grabbing port 500 because the
state table on the firewall/VPN device has forgotten about its own
connection? I haven't seen that yet, but I've seen it happen if the local
client starts up before the firewall/VPN finishes booting. IKE keepalive
wouldn't help there. You also have to worry about clients grabbing the NAT
mapping for ESP (proto 50).
What I ended up doing is NATting only TCP, UDP and ICMP, instead of all
IP, and forcing the port range above used ports:
iptables -t nat -A POSTROUTING -i "$indev" -o "$outdev" \
-p tcp -j SNAT --to-source "$localip":10000-50000
iptables -t nat -A POSTROUTING -i "$indev" -o "$outdev" \
-p udp -j SNAT --to-source "$localip":10000-50000
iptables -t nat -A POSTROUTING -i "$indev" -o "$outdev" \
-p icmp -j SNAT --to-source "$localip"
Mike
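An added example, not part of the list post above: a small audit over `iptables-save` output that flags the SNAT rule shapes Mike's message is steering away from, i.e. SNAT that matches every IP protocol (so ESP could be rewritten too), a TCP/UDP SNAT with no explicit source-port range, and a UDP range that still covers the gateway's own IKE (500) and NAT-T (4500) ports. The sample rules, interface names and the 203.0.113.10 address are constructed for illustration.

```python
import re

# Ports the gateway itself must keep free for its own IKE traffic:
# 500 (IKE) and 4500 (NAT-T / UDP-encapsulated ESP).
RESERVED_UDP_PORTS = {500, 4500}

# Matches a POSTROUTING SNAT rule as printed by iptables-save.
# Assumption: --to-source is a single IPv4 address with an optional port range;
# address-range forms (a.b.c.d-a.b.c.e) are not handled here.
SNAT_RE = re.compile(
    r"-A POSTROUTING\s+(?P<opts>.*?)-j SNAT --to-source "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::(?P<lo>\d+)-(?P<hi>\d+))?"
)

# Constructed sample of an iptables-save nat table. Rules 1-3 follow the
# per-protocol pattern from the post; rules 4-6 are the shapes to flag.
SAMPLE_RULES = """\
*nat
-A POSTROUTING -i eth1 -o eth0 -p tcp -j SNAT --to-source 203.0.113.10:10000-50000
-A POSTROUTING -i eth1 -o eth0 -p udp -j SNAT --to-source 203.0.113.10:10000-50000
-A POSTROUTING -i eth1 -o eth0 -p icmp -j SNAT --to-source 203.0.113.10
-A POSTROUTING -i eth1 -o eth0 -j SNAT --to-source 203.0.113.10
-A POSTROUTING -i eth1 -o eth0 -p udp -j SNAT --to-source 203.0.113.10
-A POSTROUTING -i eth1 -o eth0 -p udp -j SNAT --to-source 203.0.113.10:1-65535
COMMIT
"""


def audit_snat_rules(iptables_save_text):
    """Return a list of (rule, reason) pairs for SNAT rules that could let a
    NATted client collide with the gateway's own IKE/ESP traffic."""
    findings = []
    for line in iptables_save_text.splitlines():
        m = SNAT_RE.search(line)
        if not m:
            continue
        rule = line.strip()
        proto_m = re.search(r"-p\s+(\w+)", m.group("opts"))
        proto = proto_m.group(1).lower() if proto_m else "all"
        lo, hi = m.group("lo"), m.group("hi")

        if proto == "all":
            # No -p: the rule also rewrites non-TCP/UDP/ICMP traffic such as ESP (proto 50).
            findings.append((rule, "SNAT matches every IP protocol, including ESP (proto 50)"))
        elif proto in ("tcp", "udp") and lo is None:
            # No range: nothing keeps the chosen source port out of the IKE ports.
            findings.append((rule, f"{proto} SNAT has no source-port range"))
        elif proto == "udp":
            lo_i, hi_i = int(lo), int(hi)
            covered = sorted(p for p in RESERVED_UDP_PORTS if lo_i <= p <= hi_i)
            if covered:
                findings.append((rule, f"udp SNAT range {lo}-{hi} covers IKE ports {covered}"))
    return findings


if __name__ == "__main__":
    for rule, reason in audit_snat_rules(SAMPLE_RULES):
        print(f"{reason}:\n    {rule}")
```

Run it against `iptables-save -t nat` output on the gateway; rules written like the three in the post produce no findings, while the three flagged shapes above are reported with the reason.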