[strongSwan] proxmox with strongswan

Simon Deziel simon.deziel at gmail.com
Wed Nov 5 22:16:28 CET 2014


Hi Karol,

For a container to be able to use the host's tunnel, you need to disable
the policy check in the container itself. Here is the command to run in
the container to achieve this:

# Allow IPsec running on the host to communicate with VZ
cat << EOF > /etc/sysctl.d/60-openvz-host-ipsec.conf
# Disabling IPSEC policy (SPD) on the VZ's interface(s)
# is required to allow communication using IPsec running
# in the host's context
net.ipv4.conf.venet0.disable_policy = 1

# This needs to be adapted if veth devices are used

# For more details see :
# bugzilla.openvz.org/show_bug.cgi?id=1554 and
# http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=590661
EOF


Since you are using veth devices the file will need some tweaking. Also,
I'm unfortunately not aware of any IPv6 equivalent of this sysctl knob.

Regards,
Simon
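As an added example (not Simon's own script), a small POSIX shell helper that renders the sysctl fragment described above for an arbitrary set of container interfaces, so the same file serves venet0 and veth-backed interfaces such as eth0, and that checks the live kernel values afterwards. The interface names and the example path are assumptions, not taken from the thread.

```shell
#!/bin/sh
# Added example: build the sysctl.d fragment that disables the IPsec policy
# (SPD) check on a container's interfaces when the tunnel is terminated on
# the host, then verify the running values. Interface names are illustrative.
set -eu

# Print the sysctl fragment for every interface name given as an argument.
render_disable_policy_conf() {
    printf '# Disable the IPsec policy (SPD) check on the container interfaces\n'
    printf '# so traffic protected by the host-side tunnel is not dropped.\n'
    for ifname in "$@"; do
        printf 'net.ipv4.conf.%s.disable_policy = 1\n' "$ifname"
    done
}

# Write the fragment to the given path, e.g. /etc/sysctl.d/60-openvz-host-ipsec.conf
write_disable_policy_conf() {
    path=$1
    shift
    render_disable_policy_conf "$@" > "$path"
}

# Report interfaces whose live disable_policy value is not 1; returns 1 if any.
check_disable_policy() {
    rc=0
    for ifname in "$@"; do
        f=/proc/sys/net/ipv4/conf/$ifname/disable_policy
        if [ ! -r "$f" ]; then
            echo "$ifname: no such interface or sysctl" >&2
            rc=1
            continue
        fi
        if [ "$(cat "$f")" != 1 ]; then
            echo "$ifname: disable_policy is 0, host-side IPsec traffic will be dropped" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage inside a veth-based container (constructed example):
#   write_disable_policy_conf /etc/sysctl.d/60-openvz-host-ipsec.conf eth0 eth1
#   sysctl -p /etc/sysctl.d/60-openvz-host-ipsec.conf
#   check_disable_policy eth0 eth1
```

The check only reads /proc, so it can be run from a monitoring job to catch a container whose policy setting was lost after a restart or template rebuild.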

On 11/05/2014 04:08 PM, Karol Czachorowski wrote:
> Hi,
> 
> I have two Proxmox servers with a tunnel between them. One host has
> internal network 10.99.5.0/24 and the second 10.99.6.0/24. They can see
> each other (so ping from 10.99.5.2 to 10.99.6.2 works).
> 
> Both servers have OpenVZ containers connected to the bridged interface.
> Containers from 10.99.5.0/24 cannot ping any host from 10.99.6.0/24 and
> vice versa.
> 
> Here are the iptables logs from host 10.99.5.2 (proxmox host) when trying to
> ping it from 10.99.6.106 (container):
> 
> Nov  5 21:52:15 gondolin kernel: IN=vmbr0 OUT=
> MAC=d4:3d:7e:e2:fd:68:3c:94:d5:4b:1d:1f:08:00 SRC=10.99.6.106
> DST=10.99.5.2 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8
> CODE=0 ID=10932 SEQ=3
> 
> And here is the log from 10.99.6.106 (container) when trying to ping it
> from 10.99.5.2 (proxmox host):
> 
> Nov  5 21:53:53 morsy kernel: IN=eth0 OUT=
> MAC=a2:96:3e:87:22:3a:02:9a:78:e9:fe:fa:08:00 SRC=10.99.5.2
> DST=10.99.6.106 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP
> TYPE=8 CODE=0 ID=9142 SEQ=3
> 
> In both cases there are no responses. But when trying from 10.99.5.2
> (proxmox host) to 10.99.6.2 (proxmox host) everything is OK:
> 
> Nov  5 21:55:36 nevrast kernel: IN=vmbr0 OUT=
> MAC=d4:3d:7e:f8:ee:60:54:e0:32:f2:a5:12:08:00 SRC=10.99.5.2
> DST=10.99.6.2 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8
> CODE=0 ID=9674 SEQ=22
> Nov  5 21:55:36 nevrast kernel: IN= OUT=vmbr0 SRC=10.99.6.2
> DST=10.99.5.2 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=2466 PROTO=ICMP TYPE=0
> CODE=0 ID=9674 SEQ=22
> 
> How to diagnose such a problem, any thoughts? I'm not sure if it's related
> to Strongswan, Proxmox or my network setup...
> 
> thanks,
> Karol
> 