[strongSwan] Best practices for connection tracking and IPSec
Alarig Le Lay
alarig at swordarmor.fr
Tue Sep 29 10:58:55 CEST 2015
On Mon Sep 28 19:37:21 2015, Tom Rymes wrote:
> And I already put my foot in my mouth. I meant to specify that I was
> referring to the conntrack NAT helpers for specific protocols, not
> connection tracking in general.
>
> > On Sep 28, 2015, at 7:22 PM, Tom Rymes <trymes at rymes.com> wrote:
> >
> > I am sure that this is a dumb question that will reveal my lack of
> > sophisticated networking skills, but here goes anyway:
> >
> > We have used a number of Linux Firewall distributions that have
> > issues with connection tracking (NAT) and StrongSwan IPSec tunnels.
> >
> > Specifically, issues arise with SIP (over UDP) registrations when a
> > tunnel drops and a bad connection tracking entry prevents traffic
> > from passing across the tunnel. Telnet, ping, etc to the same device
> > works just fine. When it happens, deleting the offending connection
> > tracking entry immediately resolves the issue, as does moving the
> > device to another IP or unplugging it until the tracking entry
> > expires.
> >
> > I have also seen issues with TFTP and FTP, where they fail to work
> > across IPSec tunnels unless you unload the associated conntrack
> > helper kernel modules.
> >
> > From where I sit, it seems to me that connection tracking over
> > tunnels should be disabled, as there is no NAT involved. Is this
> > correct? What is the recommended practice here, as it seems that a
> > number of distributions are struggling with this, and it is causing
> > me no end of troubles!
> >
> > Many thanks,
> >
> > Tom
Why not use IPv6? You will not have to deal with NAT.
--
Alarig Le Lay
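The original poster's workaround is to find and delete the conntrack entry that blocks the SIP registration after a tunnel flap. The script below is an added example (not code from the thread or from the strongSwan project) that automates the "find" half: it parses the text output of `conntrack -L` from conntrack-tools, picks out UDP entries towards a given peer and port that look wrong, and prints the matching `conntrack -D` commands. The entries in `SAMPLE_CONNTRACK`, the peer address 10.2.0.5 and the phone addresses are constructed for the example. Three heuristics are used, each labelled in the output so the operator can decide which one applies: the entry is still `[UNREPLIED]` (no packet ever came back), its reply tuple is not the mirror of the original tuple (a NAT mapping is bound to the flow), or a protocol helper such as `sip` has been attached to it.

```python
"""Flag and delete suspect conntrack entries for a SIP peer behind an IPsec tunnel.

Added example, not from the strongSwan users list. Assumes the line format
printed by `conntrack -L` (conntrack-tools); SAMPLE_CONNTRACK is constructed.
"""
import re
import sys
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of `conntrack -L` output: one stale one-way UDP/5060 flow that
# was also NATed (reply dst 203.0.113.7 is not the phone's address), one healthy
# flow, unrelated tcp/icmp flows, and one flow with the sip helper attached.
SAMPLE_CONNTRACK = """\
udp      17 179 src=10.1.0.20 dst=10.2.0.5 sport=5060 dport=5060 [UNREPLIED] src=10.2.0.5 dst=203.0.113.7 sport=5060 dport=5060 mark=0 use=1
udp      17 29 src=10.1.0.21 dst=10.2.0.5 sport=5060 dport=5060 src=10.2.0.5 dst=10.1.0.21 sport=5060 dport=5060 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=10.1.0.20 dst=10.2.0.5 sport=51234 dport=23 src=10.2.0.5 dst=10.1.0.20 sport=23 dport=51234 [ASSURED] mark=0 use=1
icmp     1 29 src=10.1.0.20 dst=10.2.0.5 type=8 code=0 id=4711 src=10.2.0.5 dst=10.1.0.20 type=0 code=0 id=4711 mark=0 use=1
udp      17 170 src=10.1.0.22 dst=10.2.0.5 sport=5060 dport=5060 src=10.2.0.5 dst=10.1.0.22 sport=5060 dport=5060 helper=sip [ASSURED] mark=0 use=1
"""

# "proto protonum timeout [TCP_STATE] <original tuple> [flags] <reply tuple> ..."
ENTRY_RE = re.compile(
    r"^(?P<proto>\w+)\s+(?P<protonum>\d+)\s+(?P<timeout>\d+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?(?P<rest>.*)$"
)
# One tuple; sport/dport are absent for icmp entries.
TUPLE_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+)(?: sport=(?P<sport>\d+) dport=(?P<dport>\d+))?"
)


@dataclass
class Conntrack:
    proto: str
    timeout: int
    orig_src: str
    orig_dst: str
    orig_sport: Optional[int]
    orig_dport: Optional[int]
    reply_src: str
    reply_dst: str
    unreplied: bool
    assured: bool
    helper: Optional[str]

    @property
    def natted(self) -> bool:
        # Without NAT the reply tuple is exactly the mirror of the original tuple.
        return self.reply_src != self.orig_dst or self.reply_dst != self.orig_src


def parse_conntrack(text: str) -> List[Conntrack]:
    """Parse `conntrack -L` text into Conntrack records; unparsable lines are skipped."""
    entries: List[Conntrack] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        tuples = list(TUPLE_RE.finditer(rest))
        if len(tuples) != 2:  # expect original and reply tuple
            continue
        orig, reply = tuples
        helper = re.search(r"helper=(\w+)", rest)
        entries.append(Conntrack(
            proto=m.group("proto"),
            timeout=int(m.group("timeout")),
            orig_src=orig["src"], orig_dst=orig["dst"],
            orig_sport=int(orig["sport"]) if orig["sport"] else None,
            orig_dport=int(orig["dport"]) if orig["dport"] else None,
            reply_src=reply["src"], reply_dst=reply["dst"],
            unreplied="[UNREPLIED]" in rest,
            assured="[ASSURED]" in rest,
            helper=helper.group(1) if helper else None,
        ))
    return entries


def suspect_entries(entries: List[Conntrack], peer: str, port: int = 5060) -> List[Tuple[Conntrack, str]]:
    """Return (entry, reasons) for UDP flows to peer:port that look stale or mangled."""
    found = []
    for e in entries:
        if e.proto != "udp" or e.orig_dst != peer or e.orig_dport != port:
            continue
        reasons = []
        if e.unreplied:
            reasons.append("unreplied")   # nothing ever came back through the tunnel
        if e.natted:
            reasons.append("natted")      # a NAT binding is attached to a flow that should not be NATed
        if e.helper:
            reasons.append(f"helper={e.helper}")  # a conntrack helper is rewriting this flow
        if reasons:
            found.append((e, ",".join(reasons)))
    return found


def delete_commands(suspects: List[Tuple[Conntrack, str]]) -> List[str]:
    """conntrack-tools delete commands keyed on the original tuple of each suspect."""
    return [
        f"conntrack -D -p {e.proto} -s {e.orig_src} -d {e.orig_dst} "
        f"--sport {e.orig_sport} --dport {e.orig_dport}"
        for e, _ in suspects
    ]


if __name__ == "__main__":
    # Usage: conntrack -L 2>/dev/null | python3 this_script.py <peer-ip>
    # With no stdin and no argument the constructed sample is used.
    peer = sys.argv[1] if len(sys.argv) > 1 else "10.2.0.5"
    text = SAMPLE_CONNTRACK if sys.stdin.isatty() else sys.stdin.read()
    suspects = suspect_entries(parse_conntrack(text), peer)
    for entry, reason in suspects:
        print(f"# {entry.orig_src} -> {entry.orig_dst}:{entry.orig_dport}  ({reason})")
    for cmd in delete_commands(suspects):
        print(cmd)
```

Review the reasons before running the printed commands: an `[UNREPLIED]` entry a few seconds old is normal for a registration in flight, so the age (`timeout` versus the protocol's full timeout) and the NAT flag are the better signals. For the helper modules the poster unloads, current kernels can stop helpers attaching to flows without `rmmod`: `sysctl -w net.netfilter.nf_conntrack_helper=0` (the default since Linux 4.7) leaves helpers loaded but only assigns them where an explicit `-j CT --helper` rule asks for one.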