[strongSwan] LXC container can not get ip address when ipsec up
YIyun Meng
manfonly at gmail.com
Thu Aug 18 17:32:11 CEST 2016
Hi guys,
My LXC container uses NAT to get an IP address, which works very well when my strongSwan VPN is not up:
start-stop-daemon -S -x /usr/sbin/dnsmasq -- \
--dhcp-leasefile=/var/run/lxc-dnsmasq.leases \
--listen-address=10.0.3.1 \
--except-interface=lo \
--bind-interfaces \
--dhcp-range=10.0.3.2,10.0.3.2
# Setup ip forwarding
/usr/sbin/iptables -I INPUT -i lxcbr0 -p udp --dport 67 -j ACCEPT
/usr/sbin/iptables -I INPUT -i lxcbr0 -p tcp --dport 67 -j ACCEPT
/usr/sbin/iptables -I INPUT -i lxcbr0 -p tcp --dport 53 -j ACCEPT
/usr/sbin/iptables -I INPUT -i lxcbr0 -p udp --dport 53 -j ACCEPT
/usr/sbin/iptables -I FORWARD -i lxcbr0 -j ACCEPT
/usr/sbin/iptables -I FORWARD -o lxcbr0 -j ACCEPT
/usr/sbin/iptables -t nat -A POSTROUTING -s 10.0.3.0/24 ! -d 10.0.3.0/24 -j MASQUERADE
/usr/sbin/iptables -t mangle -A POSTROUTING -o lxcbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
[root at lorawan etc]# lxc-info -n lab
Name: lab
State: RUNNING
PID: 2236
IP: 10.0.3.2
CPU use: 55.62 seconds
Memory use: 2.63 MiB
I want my Linux host to use Cisco VPN to connect to the ASA server, and all of the containers on this host to be able to use this tunnel. Now the tunnel is up and all of the traffic from my host is encrypted by ESP, but my container lost its IP address; even if I set a static IP address, they still cannot ping the host or the ASA server:
# ping 10.0.3.2
PING 10.0.3.2 (10.0.3.2): 56 data bytes
^C
--- 10.0.3.2 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
# ifconfig
eth0 Link encap:Ethernet HWaddr 00:5F:86:5C:01:18
inet addr:192.168.1.2 Bcast:192.168.1.7 Mask:255.255.255.248
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:8873 errors:0 dropped:0 overruns:0 frame:0
TX packets:7884 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:532
RX bytes:740371 (723.0 KiB) TX bytes:675753 (659.9 KiB)
Interrupt:193
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:6 errors:0 dropped:0 overruns:0 frame:0
TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:336 (336.0 B) TX bytes:336 (336.0 B)
lxcbr0 Link encap:Ethernet HWaddr FE:DB:88:B1:3D:70
inet addr:10.0.3.1 Bcast:0.0.0.0 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1400 Metric:1
RX packets:5552 errors:0 dropped:0 overruns:0 frame:0
TX packets:3973 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:397997 (388.6 KiB) TX bytes:248747 (242.9 KiB)
vethUSAXIT Link encap:Ethernet HWaddr FE:DB:88:B1:3D:70
UP BROADCAST RUNNING MULTICAST MTU:1400 Metric:1
RX packets:5317 errors:0 dropped:0 overruns:0 frame:0
TX packets:3857 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:457523 (446.7 KiB) TX bytes:241016 (235.3 KiB)
# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere 10.10.0.29 policy match dir in pol ipsec reqid 1 proto esp
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
ACCEPT udp -- anywhere anywhere udp dpt:bootps
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere 10.10.0.29 policy match dir in pol ipsec reqid 1 proto esp
ACCEPT all -- 10.10.0.29 anywhere policy match dir out pol ipsec reqid 1 proto esp
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 10.10.0.29 anywhere policy match dir out pol ipsec reqid 1 proto esp
This is my ipsec.conf:
config setup
    uniqueids=never
ca default_ca
    cacert=/opt/private/vpn/cacert.pem
    auto=add
conn %default
    keyexchange=ikev1
    type=tunnel
    left=%any
    auto=add
    dpdaction=clear
    margintime=0s
    rekeyfuzz=20%
conn cisco-ezvpn
    keyexchange=ikev1
    left=192.168.1.2
    leftid=19
    leftsourceip=%config
    leftfirewall=yes
    right=192.168.1.1
    rightsubnet=0.0.0.0/0
    xauth_identity=test
    auto=add
    leftauth2=xauth
    xauth=client
    aggressive=yes
    leftauth=psk
    rightauth=psk
    ikelifetime=86000s
    lifetime=86000s
    ike=aes128-sha1-modp1024,aes128-md5-modp1024,3des-sha1-modp1024,3des-md5-modp1024,aes192-sha1-modp1024,aes192-md5-modp1024,aes256-sha1-modp1024,aes256-md5-modp1024,3des-sha1-modp768,3des-md5-modp768
    esp=aes128-sha1,aes128-md5,3des-sha1,3des-md5,aes192-sha1,aes192-md5,aes256-sha1,aes256-md5,des-md5,des-sha1
I have tried a lot, even clearing iptables, and it still does not work. The only way to let LXC get an IP address is to stop strongSwan.
Is there any way to let the container get an IP address?
Regards,
Yiyun Meng
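The addresses in the post above are enough to model what the kernel does with a packet the host sends to its LXC bridge while the tunnel is up. The Python below is an added example written for this archive page; it is not code from the poster or from the strongSwan project. It uses the virtual IP 10.10.0.29 (visible in the iptables output), the bridge 10.0.3.1/24, eth0 192.168.1.2 and the gateway 192.168.1.1, and constructs `ip route show table N` and `ip xfrm policy` text around them. The table-220 default route with the virtual IP as source is what strongSwan installs for rightsubnet=0.0.0.0/0 combined with leftsourceip=%config; the "after" scenario assumes a bypass policy for 10.0.3.0/24 (what a conn with type=passthrough and auto=route expresses) together with a matching route in table 220. That remedy and the policy priority numbers are assumptions for the illustration, not something the post establishes.

```python
"""Route and XFRM policy lookup for a packet the host sends to its LXC bridge.

Added example (not from the post or strongSwan).  Two kernel steps are modelled:
  1. Route lookup: tables are tried in rule order; table 220 (where strongSwan
     puts virtual-IP routes) comes before 'main'.  Within a table the longest
     matching prefix wins and its 'src' becomes the packet's source address.
  2. XFRM policy lookup: every policy whose selector matches is a candidate and
     the lowest numeric priority wins.  A policy with an ESP 'tmpl' protects
     (tunnels) the packet; one without a template is a bypass (cleartext).
Route/policy text is constructed; addresses come from the post, priorities
are made up.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed routing tables while the tunnel is up.  The table-220 default
# route with src 10.10.0.29 (the virtual IP) shadows the bridge route in main.
ROUTES_BEFORE = {
    220: "default via 192.168.1.1 dev eth0 proto static src 10.10.0.29",
    "main": "192.168.1.0/29 dev eth0 proto kernel scope link src 192.168.1.2\n"
            "10.0.3.0/24 dev lxcbr0 proto kernel scope link src 10.0.3.1",
}
# Assumed remedy: a more specific route for the bridge subnet in table 220.
ROUTES_AFTER = dict(ROUTES_BEFORE)
ROUTES_AFTER[220] = ROUTES_BEFORE[220] + "\n10.0.3.0/24 dev lxcbr0 scope link src 10.0.3.1"

# Constructed `ip xfrm policy` output, outbound direction only.
XFRM_BEFORE = """\
src 10.10.0.29/32 dst 0.0.0.0/0
    dir out priority 367231 ptype main
    tmpl src 192.168.1.2 dst 192.168.1.1
        proto esp reqid 1 mode tunnel
"""
# Plus the bypass policy an assumed type=passthrough conn for 10.0.3.0/24
# would add (narrower selector; numerically lower priority wins).
XFRM_AFTER = XFRM_BEFORE + """\
src 10.0.3.0/24 dst 10.0.3.0/24
    dir out priority 367039 ptype main
"""


def parse_routes(text):
    """Parse one table's `ip route` lines into (prefix, dev, src) tuples."""
    routes = []
    for line in text.splitlines():
        m = re.match(r"(default|\S+) (?:via \S+ )?dev (\S+).*?\bsrc (\S+)", line)
        if not m:
            raise ValueError("unrecognised route: " + line)
        prefix = "0.0.0.0/0" if m.group(1) == "default" else m.group(1)
        routes.append((ipaddress.ip_network(prefix), m.group(2), m.group(3)))
    return routes


def route_lookup(tables, dst_ip, order=(220, "main")):
    """(dev, src) for dst_ip: first table in rule order with a hit, longest prefix."""
    dst = ipaddress.ip_address(dst_ip)
    for table in order:
        hits = [r for r in parse_routes(tables[table]) if dst in r[0]]
        if hits:
            _prefix, dev, src = max(hits, key=lambda r: r[0].prefixlen)
            return dev, src
    raise LookupError("no route to " + dst_ip)


@dataclass
class XfrmPolicy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    direction: str
    priority: int
    protect: bool  # True: ESP template present; False: bypass policy

    def matches(self, src_ip, dst_ip, direction):
        return (self.direction == direction
                and ipaddress.ip_address(src_ip) in self.src
                and ipaddress.ip_address(dst_ip) in self.dst)


def parse_xfrm_policy(text):
    """Parse the multi-line `ip xfrm policy` format into XfrmPolicy objects."""
    policies = []
    for block in re.split(r"\n(?=src )", text.strip()):
        head = re.match(r"src (\S+) dst (\S+)", block)
        body = re.search(r"dir (\w+) priority (\d+)", block)
        if not head or not body:
            raise ValueError("unrecognised policy block: " + block)
        policies.append(XfrmPolicy(
            src=ipaddress.ip_network(head.group(1)),
            dst=ipaddress.ip_network(head.group(2)),
            direction=body.group(1),
            priority=int(body.group(2)),
            protect="tmpl " in block and "proto esp" in block,
        ))
    return policies


def policy_lookup(policies, src_ip, dst_ip, direction="out"):
    """Winning policy for the packet, or None (plain routing, no IPsec)."""
    hits = [p for p in policies if p.matches(src_ip, dst_ip, direction)]
    return min(hits, key=lambda p: p.priority) if hits else None


def fate(tables, xfrm_text, dst_ip):
    """(dev, src, outcome) for a packet the host itself sends to dst_ip."""
    dev, src = route_lookup(tables, dst_ip)
    winner = policy_lookup(parse_xfrm_policy(xfrm_text), src, dst_ip)
    if winner is None:
        outcome = "cleartext (no policy)"
    else:
        outcome = "tunnelled" if winner.protect else "cleartext (bypass)"
    return dev, src, outcome


if __name__ == "__main__":
    for label, tables, xfrm, dst in [
        ("before, host -> container", ROUTES_BEFORE, XFRM_BEFORE, "10.0.3.2"),
        ("after,  host -> container", ROUTES_AFTER, XFRM_AFTER, "10.0.3.2"),
        ("after,  host -> Internet ", ROUTES_AFTER, XFRM_AFTER, "198.51.100.7"),
    ]:
        print(label, fate(tables, xfrm, dst))
```

In the "before" case the host's reply to 10.0.3.2 is routed by the table-220 default with source 10.10.0.29 and therefore falls under the 0.0.0.0/0 protect policy, which is consistent with the symptoms in the post (DHCP offers and pings never reach the container). The same check on a real host is `ip rule`, then `ip route show table 220` and `ip xfrm policy`: if the only route matching the bridge subnet is the table-220 default, local traffic to the containers is being tunnelled.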