On Friday 31 May 2002 9:10 pm, Shazad Malik wrote:

> Hi all,
>
> I have iptables and freeswan VPN working in my lab but a very interesting
> thing is happening and not sure if someone else has seen this:
>
> When I start my ipsec client from my Windows 2000 box to my iptables server,
> which is running NAT too, it works perfectly fine. It's when I log off my
> ipsec connection that I get this error message in my iptables logs, which
> then starts to drop all packets in both directions! This is the message I get:
>
> ip_conntrack: table full, dropping packets
Is this perhaps something to do with the routing table changes which happen when FreeS/WAN comes up and down? Do your netfilter rules tend to specify interfaces, or do you just use IP addresses?

I'm thinking perhaps if you use interface names in the rules, they're going to be different depending on whether FreeS/WAN is up or down, so they're not going to route packets in the same way?

I think your connection tracking table is filling up because you're building up a whole set of half-open TCP connections which are not getting replied to because the link is down?

Hope this helps,

Antony.
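To check Antony's theory before touching the rules, it helps to see what is actually occupying the conntrack table. The script below is an added example, not code from the thread: it parses `/proc/net/ip_conntrack`-style entries (the newer `/proc/net/nf_conntrack` layout, with its `ipv4 2` prefix, is accepted too), tallies TCP entries by state and counts half-open (`SYN_SENT`/`SYN_RECV`) and `[UNREPLIED]` flows against a table maximum. The sample entries and the `4096` limit are constructed for the demonstration.

```python
from collections import Counter

# Constructed sample in /proc/net/ip_conntrack style (2.4-era kernels).
# One line uses the later nf_conntrack layout to show both are handled.
SAMPLE_CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=10.0.0.5 sport=3345 dport=22 src=10.0.0.5 dst=192.168.1.10 sport=22 dport=3345 [ASSURED] use=1
tcp      6 119 SYN_SENT src=192.168.1.10 dst=10.0.0.5 sport=3346 dport=80 [UNREPLIED] src=10.0.0.5 dst=192.168.1.10 sport=80 dport=3346 use=1
ipv4     2 tcp      6 117 SYN_SENT src=192.168.1.10 dst=10.0.0.5 sport=3347 dport=80 [UNREPLIED] src=10.0.0.5 dst=192.168.1.10 sport=80 dport=3347 use=1
udp      17 29 src=192.168.1.10 dst=10.0.0.1 sport=1025 dport=53 [UNREPLIED] src=10.0.0.1 dst=192.168.1.10 sport=53 dport=1025 use=1
"""

TCP_STATES = {"SYN_SENT", "SYN_RECV", "ESTABLISHED", "FIN_WAIT",
              "CLOSE_WAIT", "LAST_ACK", "TIME_WAIT", "CLOSE"}
HALF_OPEN = {"SYN_SENT", "SYN_RECV"}


def parse_entries(text):
    """Yield (proto, tcp_state_or_None, unreplied) for each conntrack line."""
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] in ("ipv4", "ipv6"):  # nf_conntrack prefix: family + number
            fields = fields[2:]
        proto = fields[0]
        state = None
        if proto == "tcp" and len(fields) > 3 and fields[3] in TCP_STATES:
            state = fields[3]
        yield proto, state, "[UNREPLIED]" in fields


def summarize(text, table_max):
    """Return occupancy figures that point at half-open flows filling the table."""
    entries = list(parse_entries(text))
    tcp_states = Counter(s for p, s, _ in entries if p == "tcp")
    return {
        "total": len(entries),
        "max": table_max,
        "usage_pct": round(100.0 * len(entries) / table_max, 1),
        "tcp_states": dict(tcp_states),
        "half_open_tcp": sum(1 for p, s, _ in entries if p == "tcp" and s in HALF_OPEN),
        "unreplied": sum(1 for _, _, u in entries if u),
    }


if __name__ == "__main__":
    # On a live box, read /proc/net/ip_conntrack (or nf_conntrack) and
    # ip_conntrack_max instead of the constructed sample.
    print(summarize(SAMPLE_CONNTRACK, 4096))
```

A high share of `SYN_SENT` entries flagged `[UNREPLIED]` after the tunnel drops is the signature Antony describes; the table-full message follows once they reach the configured maximum.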
