[Openswan Users] IPsec packets sent on wrong interface with OpenVZ host

Marcus Better marcus at better.se
Thu Jun 19 04:26:48 EDT 2008


I have a problem with OpenSWAN on an OpenVZ virtualisation server. However I cannot tell if the problem is with OpenSWAN or OpenVZ (or just me), so I'm asking in both places.

I'm running OpenSWAN on the VZ host node to provide tunnels to some virtual environments (VEs) on a common internal subnet. The VEs are connected with veth devices that are bridged together to br0 on the host side. The IPsec tunnel is correctly established, but response traffic from the VE is being sent out on br0, not the external interface eth0.

Details of the setup:

Server is OpenVZ 2.6.24 (compiled from OpenVZ git tree), Debian x86_64, OpenSWAN 2.4.12.

Host node interfaces:
eth0: public address server.example.org
br0: bridge, internal address, only slave interface veth106.0
veth106.0: host end of veth.

Virtual environment interfaces:
eth0: other end of veth pair, address

Now "ping" from the IPsec client (client.example.org with private address) works correctly, but "ping" shows this:
[host:~]# tcpdump -i br0
10:31:43.238582 IP > ICMP echo request, id 9274, seq 40, length 64
10:31:43.238617 IP server.example.org.4500 > client.example.org.4500: UDP-encap: ESP(spi=0xeee72df0,seq=0x35c), length 132
10:31:44.230477 IP > ICMP echo request, id 9274, seq 41, length 64
10:31:44.230509 IP server.example.org.4500 > client.example.org.4500: UDP-encap: ESP(spi=0xeee72df0,seq=0x35d), length 132

Here the packets destined for client.example.org are only seen on br0, not on the external interface. I have forwarding enabled on both br0 and eth0.
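A way to turn the check described above into something repeatable, as an added example that is not part of the original post and not Openswan or OpenVZ code: it takes one tcpdump capture per host interface, counts the ESP packets (UDP-encapsulated on port 4500, or raw ESP) addressed to the IPsec peer on each, and names every interface other than the expected external one that carried them. The sample captures, the 10.0.0.6 and 192.0.2.10 addresses and the file layout are constructed placeholders modelled on the tcpdump output in the post; the live_collect function shows the assumed standard iproute2/tcpdump invocations to gather real captures on the host.

```shell
#!/bin/sh
# Added diagnostic, not code from the original post or from Openswan/OpenVZ.
# Given one tcpdump capture per host interface (DIR/<iface>.txt), count the
# ESP packets addressed to the IPsec peer on each interface and name every
# interface other than the expected egress one that carried them.
# All addresses and captures below are constructed placeholders.

# Count packets on stdin that carry ESP toward PEER ($1), in either the
# NAT-T "UDP-encap: ESP(" form (port 4500) or the plain "ESP(" form.
count_esp_to_peer() {
    peer_re=$(printf '%s' "$1" | sed 's/\./\\./g')   # literal dots in the peer name/address
    grep -cE "> ${peer_re}(\.4500)?: (UDP-encap: )?ESP\(" || true   # grep -c exits 1 on zero matches
}

# Print (one per line) every interface whose capture DIR/<iface>.txt carried
# ESP toward PEER although the tunnel should leave through EXPECTED.
misrouted_ifaces() {
    expected=$1; peer=$2; dir=$3
    for f in "$dir"/*.txt; do
        iface=$(basename "$f" .txt)
        if [ "$iface" != "$expected" ]; then
            n=$(count_esp_to_peer "$peer" < "$f")
            if [ "$n" -gt 0 ]; then
                echo "$iface"
            fi
        fi
    done
    return 0
}

# On the live host: ask the kernel which interface it routes the peer's
# address through, then capture ESP/NAT-T traffic on each interface for a
# few seconds (assumed standard invocations; with -n the peer must be given
# as an IP address so that it matches the capture). Not run in this script.
live_collect() {
    peer=$1; dir=$2
    ip route get "$peer"                  # should answer "dev eth0", not "dev br0"
    for iface in eth0 br0; do
        timeout 10 tcpdump -ni "$iface" -l "host $peer and (udp port 4500 or esp)" > "$dir/$iface.txt"
    done
}

# Constructed sample captures modelled on the post's tcpdump output.
CAPDIR=$(mktemp -d)
cat > "$CAPDIR/br0.txt" <<'EOF'
10:31:43.238582 IP 10.0.0.6 > 192.0.2.10: ICMP echo request, id 9274, seq 40, length 64
10:31:43.238617 IP server.example.org.4500 > client.example.org.4500: UDP-encap: ESP(spi=0xeee72df0,seq=0x35c), length 132
10:31:44.230477 IP 10.0.0.6 > 192.0.2.10: ICMP echo request, id 9274, seq 41, length 64
10:31:44.230509 IP server.example.org.4500 > client.example.org.4500: UDP-encap: ESP(spi=0xeee72df0,seq=0x35d), length 132
EOF
cat > "$CAPDIR/eth0.txt" <<'EOF'
10:31:43.238100 IP client.example.org.4500 > server.example.org.4500: UDP-encap: ESP(spi=0x1a2b3c4d,seq=0x12), length 132
EOF

echo "ESP packets to the peer seen on br0: $(count_esp_to_peer client.example.org < "$CAPDIR/br0.txt")"
echo "Interfaces other than eth0 carrying ESP to the peer:"
misrouted_ifaces eth0 client.example.org "$CAPDIR"
```

With the sample data the script reports br0, which is exactly the symptom in the post: outbound ESP to the peer appears on the bridge while the eth0 capture only holds the peer's inbound ESP. On a real host the interesting comparison is the "dev" that ip route get returns for the peer against the interface the captures show; if the route already says eth0 but ESP still leaves via br0, the problem is after routing, and if the route itself points at br0, it is a routing-table problem.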
