Hello,

I'm a very satisfied user of LXC that I use extensively for my teaching about 
computer networks for my students.

I'm currently preparing a project involving an IPsec tunnel, and I've discovered 
the annoying truth: IPsec tunnel support doesn't work.
I've spent the last few days figuring out how this happens and testing it extensively.

I'll describe the tests that I've performed:

- first, for convenience, and because it is mandatory in my University, I use a 
VMware virtual machine in order to get the root access required for configuring 
the network stack (the computers used by the students are locked and they can 
only use a VMware VM on a USB stick);
- second, I've chosen Ubuntu because it's a mainstream distro with all bells 
and whistles, in order to achieve a high level of adherence from my students (also 
because it's based on Debian);
- third, I use LXC containers and virtual bridges to create a lab 
environment in order to configure networks and routes, to sniff packets, to 
craft packets with Scapy, etc.

So, I've tried to make the following network:

LAN2Host                Router2                  Router1                LAN1Host
   |1               254|      |252            253|      |254               1|
---------------------------   ----------------------   ---------------------------
        LAN2_bridge                 WAN_bridge                 LAN1_bridge
      192.168.100.0/24             172.16.8.0/24             192.168.200.0/24

Between Router1 and Router2, I've configured the following IPsec tunnel (on 
Router1):

#!/usr/sbin/setkey -f
# Configuration for Router1
flush;
spdflush;

# SAD: one ESP SA per direction, manual 3DES-CBC keys
add 172.16.8.253 172.16.8.252 esp 0x201 -m tunnel -E 3des-cbc 0x464b95fb210a3b6a3cfd31d65b5e1b24df45e24c28565ff0;
add 172.16.8.252 172.16.8.253 esp 0x301 -m tunnel -E 3des-cbc 0x4d87087785db066aca799d229900fa457b1545ae51573774;

# SPD: LAN1 <-> LAN2 traffic must go through the tunnel
spdadd 192.168.200.0/24 192.168.100.0/24 any -P out ipsec esp/tunnel/172.16.8.253-172.16.8.252/require;
spdadd 192.168.100.0/24 192.168.200.0/24 any -P in ipsec esp/tunnel/172.16.8.252-172.16.8.253/require;

(For Router2, the configuration is the same with "in" and "out" swapped.)

I've removed the rp_filter protection globally before launching the LXC containers:
sysctl -w net.ipv4.conf.all.rp_filter=0

When I try the following command on LAN2Host:
ping 192.168.200.1

I could sniff ESP packets going through the WAN_bridge.

I could even sniff ESP packets entering Router1.

I could see the decapsulated ICMP echo request packet appearing on 
the same interface as the previously sniffed ESP packets.

BUT, after this... NOTHING!
The decapsulated (decrypted) packet vanished!

I've tried the same configuration with two VMware VMs replacing Router1 and 
Router2, with LAN2Host and LAN1Host being LXC containers: IT WORKS!


So, my conclusion is that the decapsulated packets never enter the routing 
table in Router1!
(I can LOG them with iptables before they are decrypted, as ESP 
packets.)

Have I done something wrong?
(Remember that it would be for teaching purposes, so I prefer not to expose 
students to dirty tricks that are too distant from real networking...)

Do you have any plan to support full IPsec in LXC containers ?

Best regards,
Pierre-François Bonnefoi.

P-S: you can grab my IPsec keys, I'll change them ;-)

-- 
Bonnefoi Pierre-Francois                |    E-mail : bonne...@unilim.fr
Universite de Limoges, Laboratoire XLIM |       Tel : 06 28 18 03 38
83, rue d'Isle                          |  Mrs. Peel, we're needed...
87000 Limoges - FRANCE                  |                 The Avengers.
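Added example (not part of the post or of LXC): a small Python checker for setkey files in the format shown above. It splits statements on ";" so e-mail line wrapping does not matter, flags SPD tunnel entries that have no backing SA, and emits Router2's mirrored file by swapping "-P in"/"-P out" as the post describes. The embedded sample is constructed with placeholder keys, not the author's.

```python
import re

# Constructed sample in the post's setkey(8) format (dummy keys, not the author's).
ROUTER1_CONF = """\
#!/usr/sbin/setkey -f
flush;
spdflush;
add 172.16.8.253 172.16.8.252 esp 0x201 -m tunnel -E 3des-cbc
    0x0123456789abcdef0123456789abcdef0123456789abcdef;
add 172.16.8.252 172.16.8.253 esp 0x301 -m tunnel -E 3des-cbc
    0xfedcba9876543210fedcba9876543210fedcba9876543210;
spdadd 192.168.200.0/24 192.168.100.0/24 any -P out ipsec
    esp/tunnel/172.16.8.253-172.16.8.252/require;
spdadd 192.168.100.0/24 192.168.200.0/24 any -P in ipsec
    esp/tunnel/172.16.8.252-172.16.8.253/require;
"""

SA_RE = re.compile(r"^add (\S+) (\S+) esp (0x[0-9a-fA-F]+)")
SP_RE = re.compile(r"^spdadd (\S+) (\S+) \S+ -P (in|out) ipsec "
                   r"esp/tunnel/([^-]+)-([^/]+)/(\w+)")

def statements(conf):
    """Drop '#' comments and split on ';', so a line-wrapped statement parses whole."""
    conf = re.sub(r"#.*", "", conf)
    return [" ".join(s.split()) for s in conf.split(";") if s.strip()]

def parse(conf):
    """Return (SAD entries, SPD entries) as two lists of dicts."""
    sas, sps = [], []
    for st in statements(conf):
        if m := SA_RE.match(st):
            sas.append({"src": m[1], "dst": m[2], "spi": m[3]})
        elif m := SP_RE.match(st):
            sps.append({"src": m[1], "dst": m[2], "dir": m[3],
                        "tsrc": m[4], "tdst": m[5], "level": m[6]})
    return sas, sps

def unbacked_policies(conf):
    """SPD entries whose tunnel endpoints have no SA with the same src/dst.

    Traffic matching such a 'require' policy is dropped rather than sent in the
    clear, which also looks like packets silently vanishing, so rule it out first.
    """
    sas, sps = parse(conf)
    endpoints = {(sa["src"], sa["dst"]) for sa in sas}
    return [sp for sp in sps if (sp["tsrc"], sp["tdst"]) not in endpoints]

def mirror(conf):
    """Router2's file: same SAs, each policy's '-P in'/'-P out' swapped."""
    swap = {"in": "out", "out": "in"}
    return "".join(re.sub(r"-P (in|out)\b", lambda m: "-P " + swap[m[1]], st) + ";\n"
                   for st in statements(conf))
```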


_______________________________________________
Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users