From: Thomas Bach <t.bach@ilexius.de>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: netfilter@vger.kernel.org
Subject: Re: IPSec, masquerade and dnat with nftables
Date: Tue, 18 Oct 2016 11:39:38 +0200
Message-ID: <87k2d6ro6d.fsf@ilexius.de>
In-Reply-To: <20161017194405.GH24375@salvia> (Pablo Neira Ayuso's message of "Mon, 17 Oct 2016 21:44:05 +0200")
Hi there,

Pablo Neira Ayuso <pablo@netfilter.org> writes:
> On Fri, Sep 09, 2016 at 09:06:59AM +0200, Thomas Bach wrote:
>> Hi,
>>
>> I have two hosts with public IP addresses running Ubuntu 16.04 with
>> kernel version 4.4.0.
>>
>> I want to interconnect two containers (systemd-nspawn) with veth
>> interfaces running on these hosts in a server-client setup.
>>
>> […]
>>
>> This works as expected and without any problems at all. Now IPSec
>> enters the picture. As soon as I set up a policy to encrypt everything
>> between the two hosts, the following happens:
>> + I can still connect from the second host to the server in the
>> container without problems,
>> + I can still /connect/ (i.e. establish a connection) from the
>> container on the second host to the server on the first host, but
>> + in tcpdump listening on the interface of the container (on the
>> second host) I see lots of TCP Retransmissions and the TCP connection
>> is effectively broken.
>>
>> Can someone give me a hint what is going on here?
>
> Did you find the root cause for this problem?

Actually not. I worked around the issue by switching from the
"ipsec-tools" package (i.e. static rules and keying done by hand) to
strongswan. Now the whole setup works as intended with the rules being
more or less the ones cited in my original post.

It would be nice to know what the differences are on the package level
between strongswan configured ipsec and the ones configured via
ipsec-tools.

Regards
Thomas.
--
ilexius GmbH
Thomas Bach
Unter den Eichen 5
Haus i
65195 Wiesbaden
Fon: +49-(0)611 - 180 33 49
Fax: +49-(0)611 - 236 80 84 29
----------------------------------------
ilexius GmbH
represented by the management:
Thomas Schlüter and Sebastian Koch
Register court: Wiesbaden
Commercial register: HRB 21723
Tax number: 040 236 22640
VAT ID: DE240822836
----------------------------------------