[strongSwan] Best practices for connection tracking and IPSec

Tom Rymes trymes at rymes.com
Tue Sep 29 01:21:39 CEST 2015

I am sure that this is a dumb question that will reveal my lack of sophisticated networking skills, but here goes anyway:

We have used a number of Linux Firewall distributions that have issues with connection tracking (NAT) and StrongSwan IPSec tunnels. 

Specifically, issues arise with SIP (over UDP) registrations when a tunnel drops and a bad connection tracking entry prevents traffic from passing across the tunnel. Telnet, ping, etc to the same device works just fine. When it happens, deleting the offending connection tracking entry immediately resolves the issue, as does moving the device to another IP or unplugging it until the tracking entry expires.

I have also seen issues with TFTP and FTP, where they fail to work across IPSec tunnels unless you unload the associated conntrack helper kernel modules.

>From where I sit, it seems to me that connection tracking over tunnels should be disabled, as there is no NAT involved. Is this correct? What is the recommended practice here, as It seems that a number of distributions are struggling with this, and it is causing me no end of troubles!

Many thanks,


More information about the Users mailing list