[strongSwan] Best practices for connection tracking and IPSec
Tom Rymes
trymes at rymes.com
Tue Sep 29 01:37:21 CEST 2015
And I already put my foot in my mouth. I meant to specify that I was referring to the conntrack NAT helpers for specific protocols, not connection tracking in general.
> On Sep 28, 2015, at 7:22 PM, Tom Rymes <trymes at rymes.com> wrote:
>
> I am sure that this is a dumb question that will reveal my lack of sophisticated networking skills, but here goes anyway:
>
> We have used a number of Linux Firewall distributions that have issues with connection tracking (NAT) and StrongSwan IPSec tunnels.
>
> Specifically, issues arise with SIP (over UDP) registrations when a tunnel drops and a bad connection tracking entry prevents traffic from passing across the tunnel. Telnet, ping, etc to the same device works just fine. When it happens, deleting the offending connection tracking entry immediately resolves the issue, as does moving the device to another IP or unplugging it until the tracking entry expires.
>
> I have also seen issues with TFTP and FTP, where they fail to work across IPSec tunnels unless you unload the associated conntrack helper kernel modules.
>
> From where I sit, it seems to me that connection tracking over tunnels should be disabled, as there is no NAT involved. Is this correct? What is the recommended practice here, as it seems that a number of distributions are struggling with this, and it is causing me no end of troubles!
>
> Many thanks,
>
> Tom
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
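Editor's addition for the SIP symptom described above: this is not code from the poster or from the strongSwan project, and the page itself gives no answer. The script parses `conntrack -L` style lines (a constructed sample, not output from the poster's systems), flags LAN-to-tunnel flows whose reply tuple shows a rewritten source address, which is what a MASQUERADE/SNAT rule leaves behind when the tunnel was down at the moment the flow was created, and emits the `conntrack -D` command that removes each one. The LAN and remote subnet addresses are assumptions for the example, as is the NAT exemption rule at the end.

```python
"""Spot conntrack entries that were source-NATed while an IPsec tunnel was down.

Editor's example for the thread above (not the poster's or strongSwan's code).
It parses `conntrack -L` style lines, flags flows from the local LAN to the
remote tunnel subnet whose reply tuple shows a rewritten source (MASQUERADE or
SNAT applied instead of the tunnel policy), and prints the `conntrack -D`
command that removes each one, plus the NAT exemption rule that keeps such an
entry from being created again.
"""
import ipaddress
import re
from dataclasses import dataclass

# Assumed addresses for this example (not taken from the original post).
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")   # LAN behind this firewall
REMOTE_NET = ipaddress.ip_network("10.0.0.0/24")     # subnet behind the tunnel peer

# Constructed `conntrack -L` output; not real output from the poster's systems.
# Line 1: SIP registration that hit MASQUERADE while the tunnel was down
#         (reply dst is the WAN address 203.0.113.7, not the phone's LAN address).
# Line 2: a healthy SIP registration through the tunnel (no rewrite).
# Line 3: a telnet session through the tunnel (no rewrite).
# Line 4: ordinary Internet DNS, legitimately masqueraded.
SAMPLE = """\
udp      17 175 src=192.168.1.20 dst=10.0.0.5 sport=5060 dport=5060 src=10.0.0.5 dst=203.0.113.7 sport=5060 dport=5060 [ASSURED] mark=0 use=1
udp      17 28 src=192.168.1.21 dst=10.0.0.5 sport=5060 dport=5060 src=10.0.0.5 dst=192.168.1.21 sport=5060 dport=5060 [ASSURED] mark=0 use=1
tcp      6 431990 ESTABLISHED src=192.168.1.20 dst=10.0.0.5 sport=51234 dport=23 src=10.0.0.5 dst=192.168.1.20 sport=23 dport=51234 [ASSURED] mark=0 use=1
udp      17 29 src=192.168.1.30 dst=198.51.100.53 sport=40000 dport=53 src=198.51.100.53 dst=203.0.113.7 sport=53 dport=40000 mark=0 use=1
"""

# One tuple as printed by conntrack -L; a TCP/UDP line carries two of them.
TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


@dataclass(frozen=True)
class Entry:
    proto: str
    orig_src: str
    orig_dst: str
    orig_sport: int
    orig_dport: int
    reply_src: str
    reply_dst: str

    @property
    def snat_applied(self) -> bool:
        # Without NAT the reply tuple's destination equals the original source.
        return self.reply_dst != self.orig_src


def parse_conntrack(text: str) -> list[Entry]:
    """Parse the TCP/UDP lines of `conntrack -L` output. ICMP lines carry
    type/code/id fields instead of ports and are skipped."""
    entries = []
    for line in text.splitlines():
        tuples = TUPLE_RE.findall(line)
        if len(tuples) != 2:
            continue
        (osrc, odst, osport, odport), (rsrc, rdst, _, _) = tuples
        entries.append(Entry(line.split()[0], osrc, odst, int(osport),
                             int(odport), rsrc, rdst))
    return entries


def stale_nat_entries(entries, local_net, remote_net) -> list[Entry]:
    """Flows LAN -> tunnel subnet that were source-NATed. Such an entry keeps
    rewriting the flow after the tunnel is back, so the packets never match
    the IPsec policy until the entry is deleted or expires."""
    return [
        e for e in entries
        if ipaddress.ip_address(e.orig_src) in local_net
        and ipaddress.ip_address(e.orig_dst) in remote_net
        and e.snat_applied
    ]


def delete_command(e: Entry) -> str:
    """`conntrack -D` invocation matching exactly this entry's original tuple."""
    return (f"conntrack -D -p {e.proto} --orig-src {e.orig_src} "
            f"--orig-dst {e.orig_dst} --sport {e.orig_sport} --dport {e.orig_dport}")


def nat_exemption_rule(local_net, remote_net) -> str:
    """Rule to insert ahead of MASQUERADE so LAN-to-tunnel traffic is never
    source-NATed, whether or not the SA is currently installed. A
    `-m policy --dir out --pol ipsec` match would only exempt traffic while
    the tunnel is up, which is exactly when the problem does not occur."""
    return f"iptables -t nat -I POSTROUTING 1 -s {local_net} -d {remote_net} -j ACCEPT"


if __name__ == "__main__":
    # Offline run over the constructed sample; on a firewall, feed it the
    # output of `conntrack -L` instead.
    for e in stale_nat_entries(parse_conntrack(SAMPLE), LOCAL_NET, REMOTE_NET):
        print(delete_command(e))
    print(nat_exemption_rule(LOCAL_NET, REMOTE_NET))
```

The deletion only clears the symptom; the exemption rule addresses the cause for the NAT case. The FTP/TFTP/SIP helper problem is a separate matter: automatic helper assignment is controlled by the `net.netfilter.nf_conntrack_helper` sysctl on kernels that still have it (off by default since 4.7, removed in 6.0), after which helpers are attached only to flows explicitly selected with a raw-table `-j CT --helper` rule, so tunnel traffic can simply be left out of that selection.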