[strongSwan] Docker on road warrior laptop

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Thu Jan 30 13:45:43 CET 2020


Hello Harri,

The NAT rules on the host need to change the source IP address to match the negotiated IPsec policies' local TS.

Kind regards

Noel

Am 30.01.20 um 13:37 schrieb Harald Dunkel:
> Hi folks,
> 
> are there any recommendations how to give a Docker container running on
> a road warrior laptop access to the host's IPsec connection?
> 
> Easy testcase (using Docker's default bridge network):
> 
>     % docker run -it --rm debian
>     # ping some.internal.ip.address
>     From 10.100.0.2 icmp_seq=1 Destination Port Unreachable
>     From 10.100.0.2 icmp_seq=2 Destination Port Unreachable
>     From 10.100.0.2 icmp_seq=3 Destination Port Unreachable
>     From 10.100.0.2 icmp_seq=4 Destination Port Unreachable
>     ^C
>     --- some.internal.ip.address ping statistics ---
>     4 packets transmitted, 0 received, +4 errors, 100% packet loss, time 6ms
> 
> As you might have guessed, 10.100.0.2 is the local gateway,
> 
> Problem is, the Docker container seems to ignore the IPsec connection and
> the subnets accessible via the peer. It tries to use the default gateway.
> Thats unfortunate, cause Docker copied /etc/resolv.conf from the host.
> 
> I checked the Wiki, of course, but maybe I was too blind to see.
> Running Docker *inside* a container is not the use case here; not to
> mention that I found https://wiki.strongswan.org/projects/strongswan/wiki/Cloudplatforms
> 
> 
> Every helpful hint is highly appreciated
> 
> Harri

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20200130/f189924e/attachment.sig>


More information about the Users mailing list