There have previously been problems with running XFRM in OpenVZ containers (meaning it didn't work at all, despite the OpenVZ developers' claims that it did).
Please provide the following outputs:
ipsec statusall (or swanctl -l, if you use swanctl)
sysctl -A | grep rp_filter
ip route show table all
ip rule
'tcpdump -n -i ipsec0' when you're trying to connect over the tunnels
On 19.12.2017 08:57, Quaker wrote:
> I am using strongSwan 5.6.1 on my OpenVZ servers.
> strongSwan 5.6.1 was compiled by myself, with kernel-libipsec enabled by:
> ./configure --enable-eap-identity --enable-eap-md5 --enable-eap-mschapv2 \
>   --enable-eap-tls --enable-eap-ttls --enable-eap-peap --enable-eap-tnc \
>   --enable-eap-dynamic --enable-eap-radius --enable-xauth-eap \
>   --enable-xauth-pam --enable-dhcp --enable-openssl --enable-addrblock \
>   --enable-unity --enable-certexpire --enable-radattr --enable-tools \
>   --enable-openssl --disable-gmp --enable-kernel-libipsec
> The strongswan.conf configuration is modified as:
>
> charon {
>     load_modular = yes
>     plugins {
>         include strongswan.d/charon/*.conf
>         kernel-netlink {
>             fwmark = !0x4
>         }
>         socket-default {
>             fwmark = 0x4
>         }
>         kernel-libipsec {
>             allow_peer_ts = yes
>         }
>     }
> }
> I have created an IPsec tunnel successfully between my OpenVZ servers alpha
> and beta, but the socket connection fails.
> Investigating the problem, I tried tcpdump and found that:
> If I ping from alpha to beta,
> tcpdump can see
> ESP from alpha->beta
> ESP from beta->alpha
> but the ping times out.
>
> If I ping from beta to alpha,
> tcpdump can see
> ESP from beta->alpha
> and the ping times out.
>
> If using TCP, the result is similar:
> alpha->beta
> alpha SYN_SENT
> beta SYN_RECV
>
> beta->alpha
> beta SYN_SENT
> alpha NULL
>
> I guess there is some problem between ESP and the socket.
> Could anyone tell me how to detect the problem, or what further information
> I should give?
>
> alpha and beta belong to different OpenVZ suppliers; I don't know the problem.
> I have reinstalled alpha several times, but it doesn't work.
>
> beta:Linux beta 2.6.32-042stab125.5 #1 SMP Tue Oct 17 12:48:22 MSK 2017
> x86_64 GNU/Linux
>
> alpha: Linux alpha 2.6.32-042stab123.3 #1 SMP Fri May 5 12:29:05 MSK 2017
> x86_64 GNU/Linux
>
> Regards
> Quaker
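One of the outputs requested above is `sysctl -A | grep rp_filter`, and it is easy to misread: on Linux the reverse-path filter mode the kernel actually applies to an interface is the maximum of `net.ipv4.conf.all.rp_filter` and `net.ipv4.conf.<iface>.rp_filter` (0 = off, 1 = strict, 2 = loose), so a per-interface 0 on `ipsec0` is overridden by `all = 1`, and strict mode drops packets whose source address would not be routed back out the interface they arrived on. The script below is an added example, not code from the thread or from strongSwan; it parses that sysctl output, reports which interfaces are effectively in strict mode, and bundles the other requested commands. The two sysctl samples are constructed, not taken from alpha or beta.

```shell
#!/bin/sh
# Added example: interpret `sysctl -A | grep rp_filter` output.
# Linux semantics (Documentation/networking/ip-sysctl.txt):
#   0 = no source validation, 1 = strict (RFC 3704), 2 = loose,
#   effective mode on IFACE = max(conf.all, conf.IFACE).

# Constructed sample: per-interface 0 is overridden by all = 1.
SAMPLE_ALL_STRICT='net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.venet0.rp_filter = 0
net.ipv4.conf.ipsec0.rp_filter = 0'

# Constructed sample: all = 0, so each interface keeps its own setting.
SAMPLE_PER_IFACE='net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.venet0.rp_filter = 2
net.ipv4.conf.ipsec0.rp_filter = 1'

# rp_filter_value OUTPUT NAME -> value of net.ipv4.conf.NAME.rp_filter, or "-" if absent
rp_filter_value() {
    printf '%s\n' "$1" | awk -v key="net.ipv4.conf.$2.rp_filter" \
        '$1 == key { print $3; found = 1 } END { if (!found) print "-" }'
}

# rp_filter_effective OUTPUT IFACE -> mode the kernel applies on IFACE ("-" if unknown)
rp_filter_effective() {
    all=$(rp_filter_value "$1" all)
    own=$(rp_filter_value "$1" "$2")
    if [ "$own" = "-" ]; then
        echo "-"
        return 0
    fi
    if [ "$all" = "-" ]; then
        all=0
    fi
    if [ "$all" -gt "$own" ]; then echo "$all"; else echo "$own"; fi
}

# strict_rp_filter_ifaces OUTPUT -> one line per interface effectively in strict mode
strict_rp_filter_ifaces() {
    for iface in $(printf '%s\n' "$1" \
            | sed -n 's/^net\.ipv4\.conf\.\([^.]*\)\.rp_filter = .*$/\1/p'); do
        case $iface in all|default) continue ;; esac
        if [ "$(rp_filter_effective "$1" "$iface")" = 1 ]; then
            printf '%s\n' "$iface"
        fi
    done
    return 0
}

# collect_diag -> the outputs asked for in the reply, from a live host
collect_diag() {
    if command -v swanctl >/dev/null 2>&1; then swanctl -l; else ipsec statusall; fi
    sysctl -A 2>/dev/null | grep rp_filter
    ip route show table all
    ip rule
}

# Stand-alone run: report on the constructed samples.
echo "all=1 sample, effectively strict on: $(strict_rp_filter_ifaces "$SAMPLE_ALL_STRICT" | tr '\n' ' ')"
echo "all=0 sample, effectively strict on: $(strict_rp_filter_ifaces "$SAMPLE_PER_IFACE" | tr '\n' ' ')"
```

On a live host, `collect_diag > diag.txt 2>&1` followed by `strict_rp_filter_ifaces "$(sysctl -A 2>/dev/null | grep rp_filter)"` shows whether the tun device and the container's `venet0` are under strict filtering; in an OpenVZ container the sysctl may be read-only, in which case only the hosting provider can change it.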
