
Docker & StrongSwan: Destination Host Unreachable

I'm having a bit of trouble communicating between containers using my IPsec tunnels. Here's my setup:

I have Docker installed on multiple Ubuntu 14.04 hosts and I'm running various containers on each. I need some of these containers to be able to communicate with containers on different servers.

I have just moved from an OpenVPN config to a StrongSwan config. Here are the configuration files from two of my nodes.

ipsec.conf on node4

config setup

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=%forever
        keyexchange=ikev2
        closeaction=restart
        dpdaction=restart
        authby=secret
        leftfirewall=yes
        lefthostaccess=yes
        auto=start
        left=node4.publicdomain.com
        leftsourceip=192.168.255.4

conn me
        leftsourceip=
        leftsubnet=192.168.255.4/32
        right=%any
        rightsourceip=%config

ipsec.conf on node5

config setup

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=%forever
        keyexchange=ikev2
        closeaction=restart
        dpdaction=restart
        authby=secret
        leftfirewall=yes
        lefthostaccess=yes
        auto=start
        left=node5.publicdomain.com
        leftsourceip=192.168.255.5

conn node1
        right=node1.publicdomain.com
        rightsubnet=192.168.255.1/32

conn node3
        right=node3.publicdomain.com
        rightsubnet=192.168.255.3/32

conn node4
        right=node4.publicdomain.com
        rightsubnet=192.168.255.4/32

conn me
        leftsourceip=
        leftsubnet=192.168.255.5/32
        right=%any
        rightsourceip=%config

On the node5 host I can ping all configured nodes successfully. However, if I enter a Docker container on node5 and try to ping, here is the result:

root@b0cf0114b815:/# ping 192.168.255.5
PING 192.168.255.5 (192.168.255.5): 56 data bytes
64 bytes from 192.168.255.5: icmp_seq=0 ttl=64 time=0.074 ms
64 bytes from 192.168.255.5: icmp_seq=1 ttl=64 time=0.059 ms
64 bytes from 192.168.255.5: icmp_seq=2 ttl=64 time=0.063 ms
^C--- 192.168.255.5 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.059/0.065/0.074/0.000 ms
root@b0cf0114b815:/# ping 192.168.255.4
PING 192.168.255.4 (192.168.255.4): 56 data bytes
92 bytes from [node5 PUBLIC IP]: Destination Host Unreachable
92 bytes from [node5 PUBLIC IP]: Destination Host Unreachable
92 bytes from [node5 PUBLIC IP]: Destination Host Unreachable

I can reach node5's address, but not node4's. Does anyone know how I can reconfigure this so all my containers on node5 are able to communicate with node4 and the other nodes I have configured?

Thanks!

      • 2
    • Your use of left|rightsourceip seems a bit strange, using left|rightsubnet (optionally with narrowing) might work just as well. IPsec is policy based, so you have to make sure there is a policy that allows traffic from IPs of containers on node5 to node4's IP or containers there (NATing traffic to node5's internal tunnel IP might work too, or sending the container traffic over a tunnel - e.g. GRE - between node5 and node4).
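To make the policy point concrete, here is an added Python model (not from the question or from strongSwan) of node5's traffic selectors as posted: the local selector is leftsubnet=192.168.255.5/32 and each conn's remote selector is its rightsubnet. It assumes Docker's default bridge subnet 172.17.0.0/16 for the containers (not stated in the question) and shows both fixes the comment mentions: widening leftsubnet to include the container subnet, or SNATing container sources to the host's tunnel IP before IPsec sees them.

```python
import ipaddress
from typing import Dict, Iterable, List, Optional, Tuple

# (local subnets, remote subnets) per conn, derived from node5's ipsec.conf.
Policy = Tuple[List[str], List[str]]
NODE5_POLICIES: Dict[str, Policy] = {
    "node1": (["192.168.255.5/32"], ["192.168.255.1/32"]),
    "node3": (["192.168.255.5/32"], ["192.168.255.3/32"]),
    "node4": (["192.168.255.5/32"], ["192.168.255.4/32"]),
}
CONTAINER_SUBNET = "172.17.0.0/16"  # assumption: Docker's default bridge, not given in the question
TUNNEL_IP = "192.168.255.5"         # node5's leftsourceip


def _covered(addr: str, subnets: Iterable[str]) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in subnets)


def matching_policy(policies: Dict[str, Policy], src: str, dst: str) -> Optional[str]:
    """Return the conn whose selectors cover src->dst, or None.

    No match means IPsec never claims the packet; it is routed like ordinary
    traffic, which is consistent with the 'Destination Host Unreachable'
    the container sees in the question.
    """
    for name, (local, remote) in policies.items():
        if _covered(src, local) and _covered(dst, remote):
            return name
    return None


def with_container_subnet(policies: Dict[str, Policy], subnet: str) -> Dict[str, Policy]:
    """Fix 1: add the container subnet to every conn's local selector, i.e.
    leftsubnet=192.168.255.5/32,172.17.0.0/16 on node5. The peers must carry
    the matching rightsubnet, otherwise the proposal is rejected."""
    return {n: (local + [subnet], remote) for n, (local, remote) in policies.items()}


def masquerade_to_tunnel_ip(src: str, subnet: str, tunnel_ip: str) -> str:
    """Fix 2: SNAT container sources to the host's tunnel IP before IPsec
    policy lookup (an iptables POSTROUTING MASQUERADE/SNAT rule on node5),
    so the existing 192.168.255.5/32 selector already covers them."""
    return tunnel_ip if _covered(src, [subnet]) else src


if __name__ == "__main__":
    print(matching_policy(NODE5_POLICIES, "192.168.255.5", "192.168.255.4"))  # node4
    print(matching_policy(NODE5_POLICIES, "172.17.0.2", "192.168.255.4"))     # None
    widened = with_container_subnet(NODE5_POLICIES, CONTAINER_SUBNET)
    print(matching_policy(widened, "172.17.0.2", "192.168.255.4"))            # node4
    natted = masquerade_to_tunnel_ip("172.17.0.2", CONTAINER_SUBNET, TUNNEL_IP)
    print(matching_policy(NODE5_POLICIES, natted, "192.168.255.4"))           # node4
```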

Did you figure this out? I think the issue may be with your subnets: 192.168.255.1/32 means 192.168.255.1 to 192.168.255.6, so it is conflicting with 192.168.255.3/32, 192.168.255.4/32 or 192.168.255.5/32.

They should not overlap, so you could use something like

192.168.255.1/32

192.168.255.8/32

192.168.255.16/32

192.168.255.24/32

instead.

  • 0

Unfortunately could not figure this out.

As an alternative, I used tinc: http://www.tinc-vpn.org/

It was easier for me to configure and the virtual interface is always nice. I didn't have to do anything special and the config files were about four or five lines each.

Thanks for the help anyway!

  • 0