[strongSwan] route traffic to docker0 bridge

Christoph Gysin christoph.gysin at gmail.com
Wed Oct 11 17:04:29 CEST 2017


Wow, thanks for the quick response. I managed to get it to work by
simply using the bypass-lan plugin:

https://wiki.strongswan.org/projects/strongswan/wiki/Bypass-lan

Chris

On Wed, Oct 11, 2017 at 5:44 PM, Noel Kuntze
<noel.kuntze+strongswan-users-ml at thermi.consulting> wrote:
> Use `ip link` instead. It shows you every possible detail about your network interfaces. `brctl` is deprecated.
> (e.g. `ip -d link show`)
>
> IPsec policies and routing are different things. You need to configure a passthrough policy for the traffic to/from the docker subnet.
>
> Kind regards
>
> Noel
>
> On 11.10.2017 16:38, Christoph Gysin wrote:
>> Docker creates a bridge docker0 and routes traffic through it:
>>
>> $ brctl show
>> bridge name     bridge id               STP enabled     interfaces
>> docker0         8000.0242e39e4cfd       no              vethc5308b1
>>
>> $ ip route
>> [...]
>> 172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
>>
>> After starting an ipsec connection, this stops working.
>>
>> I'm trying to understand how traffic is routed, and read:
>> https://wiki.strongswan.org/projects/strongswan/wiki/IntroductionTostrongSwan#Routing
>>
>> I can see it created the routing table 220:
>>
>> $ ip route show table 220
>> default via 10.181.24.1 dev wlp2s0 proto static src 10.191.2.52
>>
>> I also found some pointers in https://wiki.strongswan.org/issues/1247,
>> but I'm still not sure what is the right way to fix this.
>>
>> How can I configure my system to allow traffic to 172.17.0.0/16 to be
>> routed to docker0 even when the ipsec connection is up?
>>
>> Thanks,
>> Chris
>



-- 
echo mailto: NOSPAM !#$.'<*>'|sed 's. ..'|tr "<*> !#:2" org at fr33z3
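As an added example (not part of any message in this thread), the two approaches the thread points to, written out as configuration: Noel's explicit passthrough policy and the bypass-lan plugin Chris ended up using. The subnet 172.17.0.0/16 and the interface name wlp2s0 come from Chris's post; the conn name, the plugin options chosen and the verification command are assumptions for this illustration.

```conf
# Added example, not taken from the thread. Two ways to keep docker0
# traffic out of the tunnel; use one or the other.

# --- Option A: explicit passthrough policy in ipsec.conf (stroke interface) ---
# A passthrough conn installs an XFRM policy of type "allow" for traffic
# between the given subnets, so the kernel skips IPsec for it even while a
# tunnel with a broader traffic selector (e.g. 0.0.0.0/0) is established.
# "auto=route" installs the policy when the config is loaded, without any IKE.
conn passthrough-docker            # assumed name
    leftsubnet=172.17.0.0/16       # docker0 subnet from the post
    rightsubnet=172.17.0.0/16
    authby=never
    type=passthrough
    auto=route

# --- Option B: bypass-lan plugin in strongswan.conf ---
# The plugin installs passthrough policies automatically for every subnet
# directly attached to a local interface (docker0's 172.17.0.0/16 included),
# so no per-subnet conn is needed. strongSwan must be built with
# --enable-bypass-lan for the plugin to be available.
charon {
    plugins {
        bypass-lan {
            load = yes
            # Optional, assumed here: do not treat the uplink's own subnet
            # as a LAN to bypass. interfaces_use is the allow-list counterpart.
            interfaces_ignore = wlp2s0
        }
    }
}

# Verification (as root), whichever option was chosen:
#   ip xfrm policy | grep -B1 -A1 172.17.0.0/16
# Passthrough policies for the subnet should appear for dir in, out and fwd.
# Unlike tunneled policies they carry no "tmpl ... proto esp" line, which is
# the visible difference between "bypass IPsec" and "encrypt".
```

Option A is the precise, auditable form: it states exactly which subnet bypasses the tunnel and nothing else. Option B is convenient on a laptop whose attached subnets change, but it bypasses every locally attached network, so on a host that is also reachable from an untrusted LAN it is worth checking `ip xfrm policy` after starting charon to confirm only the intended subnets are excluded. With the swanctl/vici interface the equivalent of Option A is a child with `mode = pass` and `start_action = trap`.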

