[Openswan Users] IPSec between virtual machines
Paul Wouters
paul at xelerance.com
Fri Feb 4 15:12:39 EST 2011
On Fri, 4 Feb 2011, Paolo Smiraglia wrote:
> Hi guys!
> I've a question about the IPSec setup between a group of virtual
> machines running on different hosts.
>
> This is the scenario:
>
> - Two physical hosts with a public ip address on primary network
> interface (eth0). Physical hosts are member of the same network
> and are switch-linked.
>
> - Every physical host has a bridge (br0) and eth0 is a port of
> this bridge.
If your eth0 is part of a bridge, you cannot/should not put an IP address
on it. In my experience that does not work. You can put it as an alias on
the br0 device.
> - Many VMs randomly distributed between the two physical hosts.
> All VMs are members of the same private network (172.16.1.0/24)
> and communicate with each other using br0.
> - Openswan: Linux Openswan U2.6.24/K2.6.32-44.2.el6.x86_64 (netkey)
> - Kernel: 2.6.32-44.2.el6.x86_64
Please upgrade openswan if possible to 2.6.32.
> config setup
> protostack=netkey
> nat_traversal=yes
> virtual_private=%v4:172.16.1.0/24
This makes no sense. Since there is no NAT involved AFAIK, you should just comment it out.
> conn net2net
> left=xxx.yyy.zzz.248
> leftsubnet=172.16.1.0/24
> leftid=@node1
> leftrsasigkey=0sAQKtr4...
> leftnexthop=%defaultroute
>
> right=xxx.yyy.zzz.252
> rightsubnet=172.16.1.0/24
> rightid=@node2
> rightrsasigkey=0sAQPUSL...
> rightnexthop=%defaultroute
You cannot put an empty line in a "conn". Remove the empty line or put an indented # there.
You also cannot have the same subnet on left and right. I assume you are making host-to-host
tunnels between the VMs, so remove the subnet lines.
But I'm still confused about what it is you are trying to do to begin with.
> $> service ipsec start
> $> ipsec auto --add net2net
> $> ipsec auto --up net2net
> [...]
> 004 "net2net" #2: STATE_QUICK_I2: sent QI2, IPsec SA established
> tunnel mode...
With the above config this can never happen, so this is a case of "the customer
is lying". Your config does not match the claimed logs.
Paul
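An added example, not code from this thread or from the Openswan project, that checks an ipsec.conf for the two mistakes the reply points out: settings that follow a blank line inside a "conn" are no longer part of that conn (an indented # keeps it open), and identical or overlapping left/right subnets. The sample config is constructed, with 192.0.2.x standing in for the redacted public addresses.

```python
import ipaddress
import re
# Constructed ipsec.conf (not the poster's real file) with the two defects raised in the
# reply: a blank line inside the conn and the same subnet on left and right. 192.0.2.x is a documentation range.
SAMPLE_CONF = """\
config setup
        protostack=netkey

conn net2net
        left=192.0.2.248
        leftsubnet=172.16.1.0/24

        right=192.0.2.252
        rightsubnet=172.16.1.0/24
"""
HEADER_RE = re.compile(r"^(config|conn)\s+(\S+)\s*$")

def parse_sections(text):
    """Split ipsec.conf into sections. A blank line ends the current section, so an indented
    setting after it is also recorded as an orphan; a comment-only line such as '#' keeps it open."""
    sections, current, section_open = [], None, False
    for lineno, raw in enumerate(text.splitlines(), 1):
        stripped, header = raw.strip(), HEADER_RE.match(raw)
        if header:
            current = {"kind": header[1], "name": header[2], "settings": {}, "orphans": []}
            sections.append(current)
            section_open = True
        elif not stripped:
            section_open = False  # blank line terminates the section
        elif stripped.startswith("#") or current is None or "=" not in stripped:
            continue  # comments do not close a section
        else:
            key, value = (part.strip() for part in stripped.split("=", 1))
            current["settings"][key] = value
            if not section_open:
                current["orphans"].append((lineno, key))
    return sections

def lint(text):
    """Return one finding string per problem found (empty list means the checks pass)."""
    findings = []
    for sec in parse_sections(text):
        for lineno, key in sec["orphans"]:
            findings.append(f"line {lineno}: '{key}' follows a blank line, so it is not part of {sec['kind']} {sec['name']}")
        s = sec["settings"]
        if sec["kind"] == "conn" and "leftsubnet" in s and "rightsubnet" in s:
            left, right = (ipaddress.ip_network(s[k], strict=False) for k in ("leftsubnet", "rightsubnet"))
            if left.overlaps(right):
                findings.append(f"conn {sec['name']}: leftsubnet {left} overlaps rightsubnet {right}; use distinct subnets or drop both for a host-to-host tunnel")
    return findings
```

Running `lint(SAMPLE_CONF)` reports the two orphaned right-side settings and the overlapping subnets; replacing the blank line with an indented # and removing both subnet lines yields no findings.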