[Openswan Users] ike and netfilter timeout

Marco Berizzi pupilla at hotmail.com
Tue Jan 15 08:19:04 EST 2008


Michael Smith wrote:

> On Tue, 15 Jan 2008, Marco Berizzi wrote:
>
> > Paul Wouters wrote:
>
> > > don't you only care about this behind NAT, so then you are using
> > > port 4500, which also sees the NAT IKE keepalives if there is
> > > no traffic?
>
> > Not only behind nat. Please see:
> > http://lists.netfilter.org/pipermail/netfilter-devel/2006-March/023736.html
>
> That's interesting - your local clients are grabbing port 500 because
> the state table on the firewall/VPN device has forgotten about its own
> connection?

yes, exactly.

> I haven't seen that yet, but I've seen it happen if the local
> client starts up before the firewall/VPN finishes booting. IKE
> keepalive wouldn't help there.

Not true: my linux box (slackware) first starts
openswan and then the firewall.

> You also have to worry about clients grabbing the NAT
> mapping for ESP (proto 50).

I don't need snat esp 50.

> What I ended up doing is NATting only TCP, UDP and ICMP, instead of
> all IP, and forcing the port range above used ports:

I also need snat udp500 for vpn clients like cisco/
checkpoint and other ipsec based.
I know that I could insert some rules to drop udp500
when the destination is one of our company ipsec
gateways, but it is pretty hard to maintain. My question
is about this problem. If openswan could send an
IKE packet every, for example, 10 min this would do
the trick.
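A constructed model of the conntrack/SNAT race described in this thread, added here as an illustration and not Openswan or netfilter code: it assumes a 180 s UDP conntrack timeout and a simplified SNAT port choice, and shows that either a gateway IKE keepalive shorter than the timeout or an SNAT port range that excludes 500 keeps a LAN host from taking over the gateway's own port 500 mapping.

```python
from dataclasses import dataclass, field

UDP_TIMEOUT = 180  # assumed conntrack UDP timeout (seconds); tune to your kernel's value


@dataclass
class NatTable:
    """Constructed model of conntrack + SNAT; simplified, not netfilter code."""
    port_range: tuple = (1, 65535)                # SNAT --to-source port range
    entries: dict = field(default_factory=dict)   # public port -> [owner, last_seen]

    def _expire(self, now):
        for p in [p for p, (_, seen) in self.entries.items() if now - seen > UDP_TIMEOUT]:
            del self.entries[p]

    def send(self, now, owner, src_port, snat):
        """owner emits a UDP packet from src_port; returns the public source port."""
        self._expire(now)
        for p, entry in self.entries.items():     # existing flow: refresh and reuse
            if entry[0] == owner:
                entry[1] = now
                return p
        lo, hi = self.port_range
        if not snat or (lo <= src_port <= hi and src_port not in self.entries):
            p = src_port   # gateway's own traffic is not SNATed; SNAT keeps a free original port
        else:              # simplification: first free port in the range
            p = next(x for x in range(lo, hi + 1) if x not in self.entries)
        self.entries[p] = [owner, now]
        return p

    def reply_to(self, now, port):
        """Who receives a packet from the peer to this public port? No mapping: the box itself."""
        self._expire(now)
        return self.entries.get(port, ["gateway", 0])[0]


def scenario(keepalive=None, port_range=(1, 65535)):
    """Gateway talks IKE on UDP 500 at t=0; a LAN host starts IKE to another peer at t=600.
    Returns (public port the LAN host got, who receives the peer's next reply to port 500)."""
    nat = NatTable(port_range=port_range)
    nat.send(0, "gateway", 500, snat=False)
    for t in range(keepalive or 600, 600, keepalive or 600):   # periodic IKE keepalives
        nat.send(t, "gateway", 500, snat=False)
    lan_port = nat.send(600, "lan-host", 500, snat=True)
    return lan_port, nat.reply_to(601, 500)


if __name__ == "__main__":
    print("no keepalive, full range   :", scenario())                          # (500, 'lan-host')
    print("keepalive 60s              :", scenario(keepalive=60))              # (1, 'gateway')
    print("keepalive 200s (> timeout) :", scenario(keepalive=200))             # (500, 'lan-host')
    print("SNAT range 1024-65535      :", scenario(port_range=(1024, 65535)))  # (1024, 'gateway')
```

The keepalive only helps when its interval is below the conntrack UDP timeout, so the interval has to be chosen against the firewall's actual timeout setting.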
