On Mon, 7 Dec 2015, Fabian van der Werf wrote:
> Ok, I am trying to set up a tunnel between my home network and a virtual network of docker instances on a VPS. I am running into some problems. The problem is that I cannot connect from docker instances on the VPS to my home network (the other way around works though).
>
> conn home
>     left=37.97.133.227
>     leftid=37.97.133.227
>     leftsubnet=172.17.0.0/16
>     leftsourceip=172.17.0.1
>     right=84.104.37.209
>     rightid=84.104.37.209
>     rightsubnet=192.168.178.0/24
>     rightsourceip=192.168.178.1
>     authby=secret
>     auto=start
>     forceencaps=yes
>
> Both the router and the VPS/libreswan say that the tunnel is set up successfully. So the current situation is that I am able to connect from my home network to the docker instances fine (e.g., a webservice). The problem is connections going in the other direction: from the docker instances to the home network. Below is my firewall configuration. But even with a disabled firewall I am unable to create connections from a docker instance to my home network.
>
> [debug info]

That all looks fine.

> 000 Total IPsec connections: loaded 3, active 1
> 000
> 000 State Information: DDoS cookies not required, Accepting new IKE connections
> 000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)
> 000 IPsec SAs: total(3), authenticated(3), anonymous(0)
> 000
> 000 #10: "home":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 153s; newest IPSEC; eroute owner; isakmp#9; idle; import:admin initiate
> 000 #10: "home" [email protected] [email protected] [email protected] [email protected] ref=0 refhim=4294901761 Traffic: ESPout=0B ESPin=17KB! ESPmax=4194303B
> 000 #11: "home":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 1841s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
> 000 #2: "home":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 11008s; isakmp#1; idle; import:admin initiate
> 000 #2: "home" [email protected] [email protected] [email protected] [email protected] ref=0 refhim=4294901761 Traffic: ESPout=0B ESPin=0B! ESPmax=4194303B
> 000 #7: "home":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 20902s; isakmp#6; idle; import:admin initiate
> 000 #7: "home" [email protected] [email protected] [email protected] [email protected] ref=0 refhim=4294901761 Traffic: ESPout=0B ESPin=0B! ESPmax=4194303B
Why are there so many duplicate tunnels? You should have only one? Is the tunnel continuously being re-setup? Can you run tcpdump on the docker host to get an idea of what's happening to the packets? Are they leaking plaintext? Are they encrypted but ignored?

Paul

_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
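As an added example (not from the thread and not libreswan's own tooling), the script below parses the `ipsec status` output quoted in the thread and flags the two things Paul points at: more than one IPsec SA on the same connection, which suggests the tunnel is being renegotiated, and an SA whose ESPin counter grows while ESPout stays at zero, which is the signature of the one-way symptom described (traffic arrives, replies never enter the tunnel). The regexes are written against the line layout shown in the thread, and the KB/MB multipliers are an assumption; only zero versus non-zero matters for the checks, so the exact base does not affect the result.

```python
import re
import sys
from collections import defaultdict

# Constructed sample: the `ipsec status` output quoted in the thread, with line
# breaks restored. The list archive replaced the SPI@address fields with
# "[email protected]"; the parser does not depend on those fields.
SAMPLE_STATUS = """\
000 Total IPsec connections: loaded 3, active 1
000
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)
000 IPsec SAs: total(3), authenticated(3), anonymous(0)
000
000 #10: "home":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 153s; newest IPSEC; eroute owner; isakmp#9; idle; import:admin initiate
000 #10: "home" [email protected] [email protected] [email protected] [email protected] ref=0 refhim=4294901761 Traffic: ESPout=0B ESPin=17KB! ESPmax=4194303B
000 #11: "home":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 1841s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #2: "home":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 11008s; isakmp#1; idle; import:admin initiate
000 #2: "home" [email protected] [email protected] [email protected] [email protected] ref=0 refhim=4294901761 Traffic: ESPout=0B ESPin=0B! ESPmax=4194303B
000 #7: "home":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 20902s; isakmp#6; idle; import:admin initiate
000 #7: "home" [email protected] [email protected] [email protected] [email protected] ref=0 refhim=4294901761 Traffic: ESPout=0B ESPin=0B! ESPmax=4194303B
"""

# State line:   000 #<num>: "<conn>":<port> <STATE> (<description>); <flags...>
STATE_RE = re.compile(r'^000 #(\d+): "([^"]+)":\d+ (\S+) \(([^)]*)\);(.*)$')
# Traffic line for an IPsec SA, carrying the ESP byte counters.
TRAFFIC_RE = re.compile(r'^000 #(\d+): "([^"]+)" .*Traffic: ESPout=(\S+) ESPin=(\S+)!')

# Assumed multipliers for the human-readable suffixes (only zero vs non-zero
# matters for the checks below).
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}


def parse_bytes(text):
    """Turn a counter such as '17KB' or '0B' into an integer byte count."""
    m = re.fullmatch(r"(\d+)([KMG]?B)", text)
    if not m:
        raise ValueError(f"unrecognised byte counter: {text!r}")
    return int(m.group(1)) * UNITS[m.group(2)]


def parse_status(text):
    """Return {sa_number: record} for every state entry in `ipsec status` output."""
    sas = {}
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if m:
            num, conn, state, desc, flags = m.groups()
            sas[int(num)] = {
                "conn": conn,
                "state": state,
                "ipsec": "IPsec SA established" in desc,  # child SA, not the IKE/ISAKMP SA
                "newest": "newest IPSEC" in flags,        # the SA the kernel policy points at
                "esp_out": None,
                "esp_in": None,
            }
            continue
        m = TRAFFIC_RE.match(line)
        if m:
            num, conn, out_, in_ = m.groups()
            rec = sas.setdefault(int(num), {"conn": conn, "state": "?", "ipsec": True, "newest": False})
            rec["esp_out"] = parse_bytes(out_)
            rec["esp_in"] = parse_bytes(in_)
    return sas


def find_issues(sas):
    """Flag duplicate IPsec SAs per connection and SAs that receive ESP but never send it."""
    issues = []
    per_conn = defaultdict(list)
    for num, rec in sas.items():
        if rec["ipsec"]:
            per_conn[rec["conn"]].append(num)
    for conn, nums in sorted(per_conn.items()):
        if len(nums) > 1:
            issues.append(
                f"{conn}: {len(nums)} IPsec SAs {sorted(nums)}; expected one, "
                f"check whether the tunnel keeps being renegotiated"
            )
    for num, rec in sorted(sas.items()):
        if rec["ipsec"] and rec["esp_out"] == 0 and (rec["esp_in"] or 0) > 0:
            issues.append(
                f'{rec["conn"]} #{num}: ESPin={rec["esp_in"]}B but ESPout=0B; '
                f"replies are not entering the tunnel (routing/NAT or plaintext leak), "
                f"confirm with tcpdump on the outside interface"
            )
    return issues


if __name__ == "__main__":
    # Pipe live output in (`ipsec status | python3 check_status.py`) or run on the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_STATUS
    for issue in find_issues(parse_status(text)):
        print(issue)
```

On the sample this reports three IPsec SAs for "home" (#2, #7, #10) and flags #10 as receiving ESP without ever sending any, which is exactly the combination Paul asks about; a tcpdump on the VPS's outside interface then shows whether the docker-originated replies leave as ESP at all, leave in the clear, or never reach the interface.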
