[Openswan Users] ike and netfilter timeout

Marco Berizzi pupilla at hotmail.com
Wed Jan 16 06:02:43 EST 2008


Paul Wouters wrote:

> On Wed, 16 Jan 2008, Marco Berizzi wrote:
>
> > > don't you only care about this behind NAT, so then you are using
> > > port 4500, which also sees the NAT IKE keepalives if there is
> > > no traffic?
> >
> > Hi Paul.
> > Thinking again about this issue.
> > How about ikeping? Adding an options to
> > ipsec.conf, something like ikeping=5min, so
> > openswan send an ikeping to the left/right
> > ip address every five minutes. This would
> > do the trick. Isn't it?
>
> You cannot use ikeping when you have an ike daemon running.

ouch :-(

> I still don't understand why you are 1) using NAT and 2) not have
> enough with the keep-alives sent. If this is due to various NAT'ing
> of IKE packets behind the IPsec gateway, then there is a problem
> with your NAT rules.

Here is my network schema:

priv-net-A--|openswan-A|--pub-ip-A**internet**pub-ip-B--|openswan-B|--priv-net-B

There is an ipsec tunnel between the two private
networks: priv-net-A and priv-net-B. The
two ipsec endpoint addresses are pub-ip-A and
pub-ip-B.
On both the openswan boxes there is a forward &
nat rule that allows udp 500: packets with dport=500
from priv-net-B are allowed to be forwarded &
natted (with pub-ip-B) to the internet.

One of our users was connected to priv-net-B, and
mistakenly double-clicked on the vpn connection,
and his windows xp laptop tried to establish an
ipsec tunnel, for the priv-net-A subnet, with the
openswan-A system: ike packets with dport=500 were
natted (with pub-ip-B) and forwarded to pub-ip-A.
Time for IKE rekey between openswan-A & openswan-B:
openswan-A (pub-ip-A) tries to talk to openswan-B
(pub-ip-B), but openswan-B forwards ike packets with
dport=500 to the user laptop. Negotiation for the
tunnel priv-net-A <==> priv-net-B fails...
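The failure described in this message can be replayed with a small model of how conntrack pairs an inbound packet with an existing SNAT entry. This is an added illustration, not code from the thread, from Openswan or from netfilter: the conntrack table, the 180-second idle timeout and the addresses (`10.2.0.50` for the laptop, the `pub-ip-A`/`pub-ip-B` placeholders from the diagram) are all constructed. The mitigation it models, SNATing forwarded IKE from the LAN onto a high source-port range instead of keeping port 500 (in iptables terms, something like `-j SNAT --to-source pub-ip-B:1025-65535` on that rule), is an assumption about what would disambiguate the reply tuple, not advice given in the thread.

```python
# Toy model of netfilter conntrack + SNAT (constructed for illustration; not
# Openswan or netfilter code). Addresses and timeout values are placeholders.
from dataclasses import dataclass
from itertools import chain
from typing import Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """One direction of a UDP flow: (src, sport) -> (dst, dport)."""
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Flow":
        return Flow(self.dst, self.dport, self.src, self.sport)


class ConntrackSnat:
    """Simplified conntrack table on a gateway that SNATs forwarded traffic.

    Each entry maps the reply flow expected from the internet back to the
    original flow, and expires after `timeout` idle seconds (assumption,
    modelled on the UDP conntrack timeout).
    """

    def __init__(self, public_ip: str, timeout: int,
                 snat_ports: Optional[Iterable[int]] = None) -> None:
        self.public_ip = public_ip
        self.timeout = timeout
        self.snat_ports = snat_ports  # None = keep the original source port if free
        self.table: Dict[Flow, Tuple[Flow, int]] = {}  # reply flow -> (orig flow, expiry)

    def _expire(self, now: int) -> None:
        self.table = {k: v for k, v in self.table.items() if v[1] > now}

    def _unique_port(self, wanted: int, peer: str, peer_port: int) -> int:
        """Choose a source port whose reply tuple is not held by a live entry."""
        if self.snat_ports is None:
            candidates = chain([wanted], range(1024, 65536))
        else:
            candidates = iter(self.snat_ports)
        for port in candidates:
            if Flow(peer, peer_port, self.public_ip, port) not in self.table:
                return port
        raise RuntimeError("no free SNAT port")

    def outbound(self, pkt: Flow, now: int) -> Flow:
        """Packet leaving towards the internet; returns the post-NAT flow."""
        self._expire(now)
        if pkt.src == self.public_ip:
            # Locally generated (the gateway's own IKE): no SNAT, but the flow
            # still occupies a conntrack slot while it is alive.
            out = pkt
        else:
            port = self._unique_port(pkt.sport, pkt.dst, pkt.dport)
            out = Flow(self.public_ip, port, pkt.dst, pkt.dport)
        self.table[out.reverse()] = (pkt, now + self.timeout)
        return out

    def inbound(self, pkt: Flow, now: int) -> Flow:
        """Packet from the internet; reverse-NAT it if it matches a reply tuple."""
        self._expire(now)
        entry = self.table.get(pkt)
        if entry is None:
            return pkt  # no mapping: delivered to the gateway itself
        orig, _ = entry
        self.table[pkt] = (orig, now + self.timeout)
        return Flow(pkt.src, pkt.sport, orig.src, orig.sport)


def rekey_target(snat_ports: Optional[Iterable[int]], idle: int) -> str:
    """Replay the scenario; returns "host:port" that receives openswan-A's rekey."""
    gw = ConntrackSnat(public_ip="pub-ip-B", timeout=180, snat_ports=snat_ports)
    laptop = "10.2.0.50"  # constructed address inside priv-net-B
    # t=0: gateway-to-gateway IKE exchange creates an (untranslated) entry.
    gw.outbound(Flow("pub-ip-B", 500, "pub-ip-A", 500), now=0)
    # t=idle: the laptop's stray IKE to openswan-A is forwarded and SNATed.
    gw.outbound(Flow(laptop, 500, "pub-ip-A", 500), now=idle)
    # t=idle+10: openswan-A sends an IKE rekey packet to openswan-B's port 500.
    delivered = gw.inbound(Flow("pub-ip-A", 500, "pub-ip-B", 500), now=idle + 10)
    return f"{delivered.dst}:{delivered.dport}"


if __name__ == "__main__":
    print("port kept, entry expired: ", rekey_target(None, idle=600))
    print("port kept, entry alive:   ", rekey_target(None, idle=30))
    print("high-port SNAT, expired:  ", rekey_target(range(1025, 65536), idle=600))
```

Running `rekey_target(None, idle=600)` reproduces the post: once the gateways' own UDP/500 entry has timed out, the laptop's forwarded packet takes the reply tuple pub-ip-A:500 -> pub-ip-B:500 for itself, and the rekey is reverse-NATed to 10.2.0.50. With the entry still alive (`idle=30`) the source port 500 is already taken and the laptop is mapped elsewhere, which is why the problem only shows up after silence. Forcing forwarded IKE onto a high-port range keeps the reply tuple unambiguous regardless of the timeout.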
