[strongSwan] Docker on road warrior laptop

Harald Dunkel harald.dunkel at aixigo.com
Fri Jan 31 16:10:56 CET 2020


Hi Noel,

On 2020-01-30 13:45, Noel Kuntze wrote:
> Hello Harri,
> 
> The NAT rules on the host need to change the source IP address to match the negotiated IPsec policies' local TS.
> 

The road warrior's IP address in the TS appears to be chosen by the IPsec
gateway. How is the Docker container's network driver (responsible for the
NAT, AFAICT) supposed to know? Not to mention that the Docker container
might already be running when the IPsec connection is set up. I am not sure
if this is the right path to follow.

Would you suggest using a route-based VPN or maybe a TUN device via the
kernel-libipsec plugin? Actually the road warrior is supposed to use the
NetworkManager applet to manage the IPsec connection.

I tried a similar scenario on a MacBook: The Docker container can make use
of the IPsec connection set up on macOS. Of course I understand that there
is some hypervisor involved, so it's difficult to compare.


Regards
Harri

https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN
https://wiki.strongswan.org/projects/strongswan/wiki/Kernel-libipsec

