conntrack: UDP NAT vs. VPN tunnel

conntrack: UDP NAT vs. VPN tunnel

[Thomas Jarosch]

Hello together,

I've got a delicate problem for that I wanted to ask for comments:

There's an IP phone connected via an IPsec tunnel to a PBX.
The phone in on the IP 192.168.1.212, the PXB on 192.168.10.181,
voice traffice is done via UDP.

This works fine until the IPsec box gets rebooted. What happens during reboot: 
The box comes up again and the firewall gets loaded. After some time
the VPN tunnel is reestablished.

In the meantime the phone tries to connect to the PBX every two seconds.
As the VPN tunnel is not up yet, this creates a NAT conntrack entry:

-------------------------------------------------------------------
udp 17 10 src=192.168.1.212 dst=192.168.10.181 sport=9301 dport=9300 
packets=3707 bytes=463375 [UNREPLIED] src=192.168.10.181 dst=217.91.119.99 
sport=9300 dport=9301 packets=0 bytes=0 mark=0 use=
-------------------------------------------------------------------

When the VPN tunnel is running again, this entry never expires as the phone 
tries to connect every two seconds and resets the conntrack timeout. 
What happens is that packets intended for the VPN tunnel never get there.

If you unplug the phone for 30 seconds (UDP conntrack timeout), the entry gets 
deleted. After that reconnecting to the PBX via the VPN tunnel works and the 
following conntrack entry gets created as it should be:

-------------------------------------------------------------------
udp 17 29 src=192.168.1.212 dst=192.168.10.181 sport=9301 dport=9300 packets=1 
bytes=125 src=192.168.10.181 dst=192.168.1.212 sport=9300 dport=9301 
packets=1 bytes=514 mark=0 use=1
-------------------------------------------------------------------

I've now searched for possible solutions. I could write a program that gets 
called after the VPN tunnel is reestablished and deletes all UDP NAT 
conntracks matching the IPs of the VPN tunnel. This is rather complex,
but possible. Maybe there is a more simple solution?

Thanks in advance,
Thomas

Re: conntrack: UDP NAT vs. VPN tunnel

[Philip Craig]

Thomas Jarosch wrote:
> I've now searched for possible solutions. I could write a program that gets 
> called after the VPN tunnel is reestablished and deletes all UDP NAT 
> conntracks matching the IPs of the VPN tunnel. This is rather complex,
> but possible. Maybe there is a more simple solution?

Add a filter rule that drops packets with a VPN destination that are
not going over the VPN.  Then the conntrack is never created until
the VPN is up.  This is good for security too, so that you aren't
leaking private data.

[BTW, the netfilter list is more appropriate for this question.]

Re: conntrack: UDP NAT vs. VPN tunnel

[Thomas Jarosch]

Philip,

On Friday, 3. August 2007, Philip Craig wrote:
> > I've now searched for possible solutions. I could write a program that
> > gets called after the VPN tunnel is reestablished and deletes all UDP NAT
> > conntracks matching the IPs of the VPN tunnel. This is rather complex,
> > but possible. Maybe there is a more simple solution?
>
> Add a filter rule that drops packets with a VPN destination that are
> not going over the VPN.  Then the conntrack is never created until
> the VPN is up.  This is good for security too, so that you aren't
> leaking private data.

Thanks, that's the perfect and simplest solution for the problem!
(read: Doh!) I was stuck with the idea to write some code, that's why
I posted it to -devel. It's always good to ask for a second opinion :-)

Have a nice weekend,
Thomas