
I am running a deployment with an IPsec(strongswan) and an OpenVPN container.

Configuration of IPsec:

config setup

conn customer
    keyexchange=ikev1
    left=%defaultroute
    leftsubnet=192.168.224.0/24
    right=X.X.X.X
    rightsubnet=10.5.0.0/16
    ike=aes256-sha256-modp3072!
    esp=aes256-sha256-modp3072!
    authby=psk
    ikelifetime=28800
    lifetime=3600
    auto=start
    type=tunnel

ipsec-start-sh:

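    # ipsec-start-sh: bring up the dummy interface that carries the local
    # ("left") side of the IPsec policy, enable forwarding, allow OpenVPN
    # traffic towards the tunnel, then start strongSwan.
    # Abort on the first failed command and on unset variables.
    set -eu

    # eth1 is a dummy interface holding 192.168.224.1, an address inside
    # leftsubnet=192.168.224.0/24 of the IPsec configuration.
    ip link add name eth1 type dummy
    ip link set dev eth1 up
    # /32 is what `ip addr add` without a prefix length assigns (the ifconfig
    # output shows Mask:255.255.255.255); spelled out here for clarity.
    ip addr add 192.168.224.1/32 dev eth1
    # Same MTU as eth0 (1440 in the ifconfig output); presumably chosen to
    # leave room for ESP/UDP-encap overhead -- confirm against the host setup.
    ip link set dev eth1 mtu 1440

    # The container forwards between tun0 (OpenVPN) and eth0 (IPsec egress).
    echo 1 > /proc/sys/net/ipv4/ip_forward

    # Forward only the OpenVPN client subnet towards the remote IPsec subnet
    # instead of accepting any source (`-s 0/0`) that arrives on tun0;
    # 192.168.255.0/24 is the OpenVPN server subnet, 10.5.0.0/16 is rightsubnet.
    iptables -I FORWARD -s 192.168.255.0/24 -d 10.5.0.0/16 -i tun0 -o eth0 -j ACCEPT

    ipsec start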

IPsec is functional!

I can ping a server on the other side of the IPsec.

openvpn configuration:

server 192.168.255.0 255.255.255.0
verb 3
key /etc/openvpn/pki/private/vpn.seeberger.adito.cloud.key
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/issued/vpn.seeberger.adito.cloud.crt
dh /etc/openvpn/pki/dh.pem
tls-auth /etc/openvpn/pki/ta.key
key-direction 0
keepalive 10 60
persist-key
persist-tun

proto udp
# Rely on Docker to do port mapping, internally always 1194
port 1194
dev tun0
status /tmp/openvpn-status.log

user nobody
group nogroup
comp-lzo no

### Route Configurations Below
route 10.5.0.0 255.255.0.0

### Push Configurations Below
push "route 10.5.0.0 255.255.0.0"
#push "block-outside-dns"
#push "dhcp-option DNS 8.8.8.8"
#push "dhcp-option DNS 8.8.4.4"
push "comp-lzo no"

ifconfig: 
server 192.168.255.0 255.255.255.0
verb 3
key /etc/openvpn/pki/private/vpn.seeberger.adito.cloud.key
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/issued/vpn.seeberger.adito.cloud.crt
dh /etc/openvpn/pki/dh.pem
tls-auth /etc/openvpn/pki/ta.key
key-direction 0
keepalive 10 60
persist-key
persist-tun

proto udp
# Rely on Docker to do port mapping, internally always 1194
port 1194
dev tun0
status /tmp/openvpn-status.log

user nobody
group nogroup
comp-lzo no

### Route Configurations Below
route 10.5.0.0 255.255.0.0

### Push Configurations Below
push "route 10.5.0.0 255.255.0.0"
#push "block-outside-dns"
#push "dhcp-option DNS 8.8.8.8"
#push "dhcp-option DNS 8.8.4.4"
push "comp-lzo no"

ifconfig:

eth0      Link encap:Ethernet  HWaddr 4A:1C:D3:AB:2E:DE  
          inet addr:10.42.74.74  Bcast:0.0.0.0  Mask:255.255.255.255
          inet6 addr: fe80::481c:d3ff:feab:2ede/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1440  Metric:1
          RX packets:1454 errors:0 dropped:0 overruns:0 frame:0
          TX packets:316 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:234613 (229.1 KiB)  TX bytes:26814 (26.1 KiB)

eth1      Link encap:Ethernet  HWaddr 9E:B3:59:1F:3A:03  
          inet addr:192.168.224.1  Bcast:0.0.0.0  Mask:255.255.255.255
          inet6 addr: fe80::9cb3:59ff:fe1f:3a03/64 Scope:Link
          UP BROADCAST RUNNING NOARP  MTU:1440  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:70 (70.0 B)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:192.168.255.1  P-t-P:192.168.255.2  Mask:255.255.255.255
          inet6 addr: fe80::a4c1:6d34:21b:1d7a/64 Scope:Link
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:4 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:240 (240.0 B)  TX bytes:304 (304.0 B)

route -n

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         169.254.1.1     0.0.0.0         UG    0      0        0 eth0
10.5.0.0        192.168.255.2   255.255.0.0     UG    0      0        0 tun0
169.254.1.1     0.0.0.0         255.255.255.255 UH    0      0        0 eth0
192.168.255.0   192.168.255.2   255.255.255.0   UG    0      0        0 tun0
192.168.255.2   0.0.0.0         255.255.255.255 UH    0      0        0 tun0

Can you help me with the iptables rules needed to route traffic from tun0 into the IPsec tunnel, so that I can ping a server (e.g. 10.5.1.170) on the other end of the IPsec tunnel from my local PC?

---edit---

openvpnclient-ip: 192.168.255.6

tcpdump on ipsec-container: ping openvpn-container -> 10.5.1.170 (working!)

13:33:18.347397 IP 10.42.74.71.4500 > X.X.X.X.4500: UDP-encap: ESP(spi=0xb6ab40ec,seq=0x15), length 136
13:33:18.358348 IP X.X.X.X.4500 > 10.42.74.71.4500: UDP-encap: ESP(spi=0xcd9b9abe,seq=0x16), length 136
13:33:18.358348 IP 10.5.1.170 > 192.168.224.1: ICMP echo reply, id 8192, seq 0, length 64

ping openvpn-client -> 10.5.1.170 (not working!)

13:27:03.644454 IP 192.168.255.6 > 10.5.1.170: ICMP echo request, id 1, seq 952, length 40

X.X.X.X is the ip of the other company

Best regards and thanks in advance.

Jofu



This can't work. Your IPsec tunnel is between the subnets 192.168.224.0/24 and 10.5.0.0/16. A packet with source IP 192.168.255.6 does not match that IPsec policy, so it is dropped instead of being sent through the tunnel.

If you can't change the IPsec policy (so that it covers these packets), you could instead NAT packets from 192.168.255.0/24 to an IP in 192.168.224.0/24 so that the policy matches -- for example, source-NAT packets from 192.168.255.0/24 destined for 10.5.0.0/16 to 192.168.224.1 before they enter the tunnel, which is the address your working ping already uses.

ecdsa