Aleksandar Milivojevic wrote:
I've just submitted bug report on Red Hat's bugzilla, and felt like discussing
on Netfilter list too.
What happens is, for connections that go through GRE tunnel (wich is in turn
encapsulated into IPSec tunnel), ip_conntrack is loosing connection tracking
information. The connection is sucessfully established, works for some period
of time (random, I observed anywhere from several minutes to up to one hour).
I can see entry for it in /proc/net/ip_conntrack. Then all the sudden
Netfilter starts dropping packets belonging to this TCP connection. When I
check /proc/net/ip_conntrack on remote side (always happens on remote side of
the tunnel, although both sides are the same), the entry for this TCP
connection is no longer there.
The problem is the handling of IPsec packets, not GRE. I'm working on
a couple of patches to resolve this, hopefully I'll finish them in time
for 2.6.16.
