I'm having a bit of trouble communicating between containers using my IPsec tunnels. Here's my setup:

I have Docker installed on multiple Ubuntu 14.04 hosts and I'm running various containers on each. I need some of these containers to be able to communicate with containers on different servers.

I have just moved from an OpenVPN config to a StrongSwan config. Here are the configuration files from two of my nodes.

ipsec.conf on node4

config setup

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=%forever
        keyexchange=ikev2
        closeaction=restart
        dpdaction=restart
        authby=secret
        leftfirewall=yes
        lefthostaccess=yes
        auto=start
        left=node4.publicdomain.com
        leftsourceip=192.168.255.4

conn me
        leftsourceip=
        leftsubnet=192.168.255.4/32
        right=%any
        rightsourceip=%config

ipsec.conf on node5

config setup

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=%forever
        keyexchange=ikev2
        closeaction=restart
        dpdaction=restart
        authby=secret
        leftfirewall=yes
        lefthostaccess=yes
        auto=start
        left=node5.publicdomain.com
        leftsourceip=192.168.255.5

conn node1
        right=node1.publicdomain.com
        rightsubnet=192.168.255.1/32

conn node3
        right=node3.publicdomain.com
        rightsubnet=192.168.255.3/32

conn node4
        right=node4.publicdomain.com
        rightsubnet=192.168.255.4/32

conn me
        leftsourceip=
        leftsubnet=192.168.255.5/32
        right=%any
        rightsourceip=%config

On the node5 host I can ping all configured nodes successfully. However, if I enter a Docker container on node5 and try to ping, here is the result.

root@b0cf0114b815:/# ping 192.168.255.5
PING 192.168.255.5 (192.168.255.5): 56 data bytes
64 bytes from 192.168.255.5: icmp_seq=0 ttl=64 time=0.074 ms
64 bytes from 192.168.255.5: icmp_seq=1 ttl=64 time=0.059 ms
64 bytes from 192.168.255.5: icmp_seq=2 ttl=64 time=0.063 ms
^C--- 192.168.255.5 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.059/0.065/0.074/0.000 ms
root@b0cf0114b815:/# ping 192.168.255.4
PING 192.168.255.4 (192.168.255.4): 56 data bytes
92 bytes from [node5 PUBLIC IP]: Destination Host Unreachable
92 bytes from [node5 PUBLIC IP]: Destination Host Unreachable
92 bytes from [node5 PUBLIC IP]: Destination Host Unreachable

I can reach node5's address, but not node4's. Does anyone know how I can reconfigure this so all my containers on node5 are able to communicate with node4 and the other nodes I have configured?

Thanks!

David Jacob
  • Your use of _left|rightsourceip_ seems a bit strange, using _left|rightsubnet_ (optionally with narrowing) might work just as well. IPsec is policy based, so you have to make sure there is a policy that allows traffic from IPs of containers on node5 to node4's IP or containers there (NATing traffic to node5's internal tunnel IP might work too, or sending the container traffic over a tunnel - e.g. GRE - between node5 and node4). – ecdsa Aug 03 '15 at 14:07
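The comment above is the key point: IPsec is policy based, so the kernel only protects packets whose source and destination fall inside a conn's traffic selectors, and a container source such as 172.17.0.2 is not covered by a local selector of 192.168.255.5/32. The following is an added example (not code from the question or from strongSwan): a small checker that parses conn blocks and reports which policy, if any, would select a packet. The Docker bridge network 172.17.0.0/16 and the use of leftsubnet=192.168.255.5/32 as a stand-in for the local selector that leftsourceip produces are assumptions.

```python
# Added example (not from the question or strongSwan): parse strongSwan-style
# "conn" blocks and report which policy, if any, selects a given packet.
# The Docker bridge network 172.17.0.0/16 is an assumption.
import ipaddress
def parse_conns(text):
    """Return {conn_name: {key: value}}, with "conn %default" values inherited."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("conn "):
            current = line.split(None, 1)[1].strip()
            conns[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            conns[current][key.strip()] = value.strip()
    default = conns.pop("%default", {})
    return {name: {**default, **opts} for name, opts in conns.items()}

def _subnets(value):
    # left/rightsubnet may hold several comma-separated CIDRs; empty means none.
    return [ipaddress.ip_network(s.strip()) for s in value.split(",") if s.strip()]

def matching_conn(conns, src, dst):
    """Name of the first conn whose traffic selectors cover src -> dst, else None."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, opts in conns.items():
        if any(src in n for n in _subnets(opts.get("leftsubnet", ""))) and \
           any(dst in n for n in _subnets(opts.get("rightsubnet", ""))):
            return name
    return None

# Constructed stand-in for node5's config: the local selector that leftsourceip
# produces is written out as leftsubnet=192.168.255.5/32 for the checker.
ORIGINAL = """
conn %default
        leftsubnet=192.168.255.5/32
conn node4
        rightsubnet=192.168.255.4/32
"""
# Variant that also selects the container network on node5's side (assumed).
WITH_CONTAINERS = ORIGINAL.replace(
    "leftsubnet=192.168.255.5/32", "leftsubnet=192.168.255.5/32,172.17.0.0/16")

def check(config, src, dst="192.168.255.4"):
    return matching_conn(parse_conns(config), src, dst)
if __name__ == "__main__":
    print(check(ORIGINAL, "192.168.255.5"))      # node4: the host's own ping is selected
    print(check(ORIGINAL, "172.17.0.2"))         # None: no policy covers container sources
    print(check(WITH_CONTAINERS, "172.17.0.2"))  # node4: container traffic now selected
```

The first result also shows why the comment's NAT alternative works: container traffic SNATed to 192.168.255.5 matches the existing policy unchanged. With the widened leftsubnet, node4's conn for node5 must list the container network in its rightsubnet as well, otherwise IKEv2 narrowing drops it from the negotiated selectors.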

2 Answers

Did you figure this out? I think the issue may be with your subnets: 192.168.255.1/32 means 192.168.255.1 to 192.168.255.6 so it is conflicting with 192.168.255.3/32 or 192.168.255.4/32 or 192.168.255.5/32

They should not overlap, so you could use something like

192.168.255.1/32

192.168.255.8/32

192.168.255.16/32

192.168.255.24/32

instead

MrE

Unfortunately, I could not figure this out.

As an alternative, I used tinc: http://www.tinc-vpn.org/

It was easier for me to configure and the virtual interface is always nice. I didn't have to do anything special and the config files were about four or five lines each.

Thanks for the help anyway!

David Jacob