[strongSwan] Docker on road warrior laptop

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Fri Jan 31 16:18:39 CET 2020


Hello Harri,

You can't automate this within docker.
You need to do exactly what I wrote.
A TUN device will only help you by making the iptables rule you need easier to write.
Docker doesn't do anything dynamic regarding SNAT rules. It just has a single MASQUERADE rule and some logic for not doing SNAT for packets to local addresses.

You could script the creation and destruction of the rule in the updown script.

Kind regards

Noel

On 31.01.20 at 16:10, Harald Dunkel wrote:
> Hi Noel,
> 
> On 2020-01-30 13:45, Noel Kuntze wrote:
>> Hello Harri,
>>
>> The NAT rules on the host need to change the source IP address to match the negotiated IPsec policies' local TS.
>>
> 
> The road warrior's IP address in the TS appears to be chosen by the IPsec
> gateway. How is the Docker container's network driver (responsible for the
> NAT, AFAICT) supposed to know? Not to mention that the Docker container
> might already be running when the IPsec connection is set up. I am not sure
> if this is the right path to follow.
> 
> Would you suggest to use route-based VPN or maybe a TUN device via the
> kernel-libipsec plugin? Actually the road warrior is supposed to use the
> NetworkManager applet to manage the IPsec connection.
> 
> I tried a similar scenario on a MacBook: The Docker container can make use
> of the IPsec connection set up on macOS. Of course I understand that there
> is some hypervisor involved, so it's difficult to compare.
> 
> 
> Regards
> Harri
> 
> https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN
> https://wiki.strongswan.org/projects/strongswan/wiki/Kernel-libipsec
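As an added example (not code from this thread, from strongSwan or from Docker), here is a minimal updown script that does what Noel describes: when the CHILD_SA comes up it inserts, ahead of Docker's own MASQUERADE rule, an SNAT rule that rewrites packets from the Docker bridge towards the remote traffic selector to the virtual IP the gateway assigned, and it removes that rule again when the CHILD_SA goes down. It assumes Docker's default bridge subnet 172.17.0.0/16 (override with DOCKER_NET) and relies on the environment strongSwan passes to updown scripts (PLUTO_VERB, PLUTO_PEER_CLIENT, PLUTO_MY_SOURCEIP); the DRY_RUN switch is my addition so the generated rule can be inspected without root.

```shell
#!/bin/sh
# Added example, not strongSwan's or Docker's own code.
# Assumptions: Docker bridge subnet 172.17.0.0/16 (Docker's default, change
# via DOCKER_NET), and strongSwan's updown environment variables.

DOCKER_NET="${DOCKER_NET:-172.17.0.0/16}"
IPTABLES="${IPTABLES:-iptables}"

# Rule specification shared by insert and delete so both refer to the same
# rule.  $1 = remote traffic selector, $2 = virtual IP assigned by gateway.
rule_spec() {
    printf '%s' "-s $DOCKER_NET -d $1 -j SNAT --to-source $2"
}

# $1 = add|del, $2 = remote TS, $3 = virtual IP.
# Inserting at position 1 puts the rule ahead of Docker's MASQUERADE rule,
# which is terminal and would otherwise rewrite the source first.
# With DRY_RUN set the command is printed instead of executed.
apply_rule() {
    spec=$(rule_spec "$2" "$3")
    case "$1" in
        add) cmd="$IPTABLES -t nat -I POSTROUTING 1 $spec" ;;
        del) cmd="$IPTABLES -t nat -D POSTROUTING $spec" ;;
        *)   echo "apply_rule: unknown action $1" >&2; return 2 ;;
    esac
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$cmd"
    else
        # shellcheck disable=SC2086
        $cmd
    fi
}

# $1 = PLUTO_VERB, $2 = PLUTO_PEER_CLIENT, $3 = PLUTO_MY_SOURCEIP.
# Without a virtual IP there is nothing to SNAT to, so leave Docker's
# MASQUERADE rule in charge.
handle_verb() {
    [ -n "$3" ] || return 0
    case "$1" in
        up-client)   apply_rule add "$2" "$3" ;;
        down-client) apply_rule del "$2" "$3" ;;
        *)           ;;   # up-host/down-host etc. need no NAT change
    esac
}

# Dispatch on strongSwan's environment when invoked as the updown script.
if [ -n "${PLUTO_VERB:-}" ]; then
    handle_verb "$PLUTO_VERB" "${PLUTO_PEER_CLIENT:-}" "${PLUTO_MY_SOURCEIP:-}"
fi
```

Hook it up with `leftupdown=/path/to/script` in ipsec.conf, or with the `updown` option of the child in swanctl.conf; the NetworkManager applet exposes no such setting, which is why the script does not help for the applet-managed setup Harri describes. The rule is keyed on the destination (PLUTO_PEER_CLIENT) rather than on `-m policy`, because at POSTROUTING time a packet still carrying the container's source address does not yet match the IPsec policy; once SNAT has rewritten it to the virtual IP, the kernel redoes the policy lookup and the packet enters the tunnel. Container-to-container traffic is unaffected, since its destination lies in the bridge subnet, not in the remote TS.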
