[Openswan Users] IPSec between virtual machines

Paolo Smiraglia paolo.smiraglia at gmail.com
Fri Feb 4 09:39:04 EST 2011


Hi guys!
I have a question about the IPsec setup between a group of virtual
machines running on different hosts.

This is the scenario:

  - Two physical hosts with a public ip address on the primary network
  interface (eth0). The physical hosts are members of the same network
  and are switch-linked.

  - Every physical host has a bridge (br0) and eth0 is a port of
  this bridge.

  - Many VMs randomly distributed between the two physical hosts.
  All VMs are members of the same private network (172.16.1.0/24)
  and communicate with each other using br0.

   - Openswan: Linux Openswan U2.6.24/K2.6.32-44.2.el6.x86_64 (netkey)
   - Kernel: 2.6.32-44.2.el6.x86_64

This is my "ipsec.conf" file:

version 2.0

config setup
   protostack=netkey
   nat_traversal=yes
   virtual_private=%v4:172.16.1.0/24
   oe=off
   nhelpers=0
   include /etc/ipsec.d/*.conf

This is my "test.conf" file:

conn net2net
   left=xxx.yyy.zzz.248
   leftsubnet=172.16.1.0/24
   leftid=@node1
   leftrsasigkey=0sAQKtr4...
   leftnexthop=%defaultroute

   right=xxx.yyy.zzz.252
   rightsubnet=172.16.1.0/24
   rightid=@node2
   rightrsasigkey=0sAQPUSL...
   rightnexthop=%defaultroute

   auto=ignore
   type=tunnel

This is the left/right command sequence used to startup ipsec:

   $> service ipsec start
   $> ipsec auto --add net2net
   $> ipsec auto --up net2net
      [...]
      004 "net2net" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode...

At this point everything seems to work, but when a VM pings another VM
there is no trace of ESP packets. The sniffing is done on br0.

Any suggestions?

I hope that the description of my problem is clear. Thanks in advance.


   PAOLO

-- 
PAOLO SMIRAGLIA
http://portale.isf.polito.it/paolo-smiraglia
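The "IPsec SA established" line above only says that pluto negotiated keys; whether any packet is ever encrypted is decided by the kernel's XFRM policy and state tables that netkey installs. The script below is an added diagnostic written for this page, not code from the original post or from Openswan. It parses `ip xfrm policy` and `ip -s xfrm state` output to flag two things a practitioner checks first: policies whose source and destination selectors are the same prefix (which `leftsubnet=rightsubnet=172.16.1.0/24` produces), and ESP SAs whose packet counters have never moved. The embedded samples are constructed in the style of those two commands; the SPIs and the `10.0.x.0/24` policy are invented for illustration, and the peer addresses are the `xxx.yyy.zzz.248`/`.252` placeholders from the post. On a live host, feed the real command output to the functions instead of the samples.

```shell
#!/bin/sh
# Added diagnostic (not from the original post or from Openswan): inspect the
# netkey/XFRM tables the kernel actually holds, instead of trusting pluto's
# "IPsec SA established" message.
#
# On a live host:
#   ip xfrm policy   | xfrm_same_prefix_policies
#   ip -s xfrm state | xfrm_idle_esp_sas
# Both functions read their input from stdin.

# Print every policy whose source and destination selectors are the same
# prefix, as leftsubnet=rightsubnet=172.16.1.0/24 produces. Output format:
# "<src> <dst> <dir>".
xfrm_same_prefix_policies() {
    awk '
        /^src / { s = $2; d = $4 }          # selector line of a policy
        $1 == "dir" && s == d { print s, d, $2 }
    '
}

# Print the SPI of every ESP SA whose "lifetime current" packet counter is
# still zero, i.e. the kernel has never pushed a packet through it.
xfrm_idle_esp_sas() {
    awk '
        /^src / { spi = ""; proto = "" }    # start of a new SA
        $1 == "proto" { proto = $2; spi = $4 }
        /lifetime current:/ { want = 1; next }
        want && /\(packets\)/ {
            want = 0
            n = $0
            sub(/^.*, */, "", n)            # keep "N(packets)"
            sub(/\(packets\).*$/, "", n)    # keep "N"
            if (proto == "esp" && n + 0 == 0) print spi
        }
    '
}

# Constructed sample in the style of `ip xfrm policy` (real output indents
# with tabs; awk field splitting does not care). The 10.0.x.0/24 entry is
# invented to show a policy that is NOT flagged.
SAMPLE_POLICY='src 172.16.1.0/24 dst 172.16.1.0/24
    dir out priority 2344 ptype main
    tmpl src xxx.yyy.zzz.248 dst xxx.yyy.zzz.252
        proto esp reqid 16389 mode tunnel
src 172.16.1.0/24 dst 172.16.1.0/24
    dir in priority 2344 ptype main
    tmpl src xxx.yyy.zzz.252 dst xxx.yyy.zzz.248
        proto esp reqid 16389 mode tunnel
src 10.0.0.0/24 dst 10.0.1.0/24
    dir out priority 2344 ptype main
    tmpl src xxx.yyy.zzz.248 dst xxx.yyy.zzz.252
        proto esp reqid 16390 mode tunnel
'

# Constructed sample in the style of `ip -s xfrm state`: the outbound SA has
# never carried a packet, the inbound one has (SPIs are invented).
SAMPLE_STATE='src xxx.yyy.zzz.248 dst xxx.yyy.zzz.252
    proto esp spi 0x0a1b2c3d reqid 16389 mode tunnel
    replay-window 32 flag af-unspec
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      limit: soft (INF)(packets), hard (INF)(packets)
    lifetime current:
      0(bytes), 0(packets)
    stats:
      replay-window 0 replay 0 failed 0
src xxx.yyy.zzz.252 dst xxx.yyy.zzz.248
    proto esp spi 0x4e5f6071 reqid 16389 mode tunnel
    replay-window 32 flag af-unspec
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      limit: soft (INF)(packets), hard (INF)(packets)
    lifetime current:
      1200(bytes), 10(packets)
    stats:
      replay-window 0 replay 0 failed 0
'

# Run both checks over the constructed samples.
check_samples() {
    echo "policies with identical src/dst selectors:"
    printf '%s' "$SAMPLE_POLICY" | xfrm_same_prefix_policies
    echo "ESP SAs with zero packets:"
    printf '%s' "$SAMPLE_STATE" | xfrm_idle_esp_sas
}

check_samples
```

If the SA counters stay at zero while VMs ping each other, the packets are not reaching the policy lookup at all. The SPD is consulted in the host's IP layer (local output and IP forwarding); frames that br0 switches between VM ports, or out of eth0 towards the other host's bridge, are forwarded at layer 2 and never enter that path, so the host has nothing to encapsulate. A second consequence of the selectors above is that a policy matching 172.16.1.0/24 to 172.16.1.0/24 gives the host no way to tell a VM behind the other host from a VM next to it, so even routed traffic could not be steered selectively into the tunnel; inspecting `ip xfrm policy` for identical src/dst prefixes is the quick way to spot that.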

