Let's try some more.

Karl O. Pinc wrote:
> > no; it is because the OpenVPN client creates the same src + dst pair
> > for every connection.
>
> Enrico is right. It's in the IP RFC, the 2MSL (twice the maximum
> segment lifetime) rule. (STD 5 is the right RFC?)
I agree that the statement about the TCP/UDP 4-tuple is correct for the two participating systems. They identify the connection that way, and it's even easy to see as a user with something basic such as netstat. Internally they of course store lots of other information related to the connection, associated with the 4-tuple.

> I haven't otherwise been following the discussion, but if there's
> no other way to do what he wants to do with OpenVPN then
> OpenVPN is violating the RFC.

My point is that a "stateful" firewall should keep more info about connections than just a 4-tuple. The firewall that is causing Enrico trouble seems not to do this, since it does not recognize a new connection if it uses the same 4-tuple. To me, that actually sounds like the textbook definition of a _stateless_ firewall. :)

I am convinced that it is simpler to add code to OpenVPN to work around this problem than to fix the firewall, but I still don't think this is really a fault in OpenVPN.

I'm just another user though.

//Peter
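An added illustration of the distinction Peter draws, written for this thread and not taken from OpenVPN or from the firewall under discussion: two toy connection tables, both keyed by the 4-tuple, where one remembers only that a tuple has been seen and the other also carries a per-connection TCP state. The class names (`TupleOnlyTracker`, `StatefulTracker`, `Packet`), the single-direction state machine and the addresses in the constructed trace (documentation ranges) are all assumptions of the example; a real tracker also follows both directions, sequence numbers and timeouts such as 2MSL, which are left out here.

```python
"""Toy comparison of a 4-tuple-only connection table with one that also keeps
per-connection TCP state. Constructed example: one direction, no timeouts."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# (src_ip, src_port, dst_ip, dst_port): what netstat shows for a socket
FourTuple = Tuple[str, int, str, int]


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str  # simplified: one of "SYN", "ACK", "DATA", "FIN", "RST"

    def key(self) -> FourTuple:
        return (self.src_ip, self.src_port, self.dst_ip, self.dst_port)


class TupleOnlyTracker:
    """Remembers nothing but which 4-tuples it has seen. Once a tuple is in
    the table, a later SYN on it looks like a SYN in the middle of a live
    connection and is dropped: the table cannot tell that the earlier
    connection ended, so a client reusing its source port never reconnects."""

    def __init__(self) -> None:
        self.seen: Set[FourTuple] = set()

    def handle(self, pkt: Packet) -> str:
        key = pkt.key()
        if pkt.flags == "SYN":
            if key in self.seen:
                return "DROP"  # tuple already known: SYN treated as out of state
            self.seen.add(key)
            return "ACCEPT"
        return "ACCEPT" if key in self.seen else "DROP"


class StatefulTracker:
    """Still keyed by 4-tuple, but each entry carries a state. A FIN or RST
    moves the entry to CLOSED, so the next SYN on the same tuple is
    recognised as a new connection rather than a stray packet."""

    def __init__(self) -> None:
        self.table: Dict[FourTuple, str] = {}

    def state(self, pkt: Packet) -> Optional[str]:
        return self.table.get(pkt.key())

    def handle(self, pkt: Packet) -> str:
        key = pkt.key()
        state = self.table.get(key)
        if pkt.flags == "SYN":
            if state in (None, "CLOSED"):
                self.table[key] = "SYN_SENT"  # fresh connection on this tuple
                return "ACCEPT"
            return "DROP"  # SYN inside an open connection is not valid here
        if state is None or state == "CLOSED":
            return "DROP"  # no open connection for this tuple
        if pkt.flags == "ACK" and state == "SYN_SENT":
            self.table[key] = "ESTABLISHED"
        elif pkt.flags in ("FIN", "RST"):
            self.table[key] = "CLOSED"
        return "ACCEPT"


def sample_traffic() -> List[Packet]:
    """Constructed trace: a client connects from a fixed source port, closes,
    then reconnects from the very same port, i.e. the same 4-tuple again."""
    c = ("192.0.2.10", 1194, "198.51.100.1", 1194)
    return [
        Packet(*c, "SYN"), Packet(*c, "ACK"), Packet(*c, "DATA"), Packet(*c, "FIN"),
        Packet(*c, "SYN"), Packet(*c, "ACK"), Packet(*c, "DATA"),
    ]


def run(tracker, packets: List[Packet]) -> List[str]:
    """Feed a trace through a tracker and return the per-packet verdicts."""
    return [tracker.handle(p) for p in packets]


if __name__ == "__main__":
    for name, t in (("4-tuple only", TupleOnlyTracker()), ("stateful", StatefulTracker())):
        print(f"{name:13}: {run(t, sample_traffic())}")
```

Running it shows the tuple-only table dropping the second SYN while the stateful one accepts the whole trace; the stateful table still drops a SYN that arrives while the entry is ESTABLISHED, which is the check that makes keeping state worthwhile.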