[Openswan Users] IPSec between virtual machines
paul at xelerance.com
Fri Feb 4 15:12:39 EST 2011
On Fri, 4 Feb 2011, Paolo Smiraglia wrote:
> Hi guys!
> I've a question about the IPSec setup between a group of virtual
> machines running on a different hosts.
> This is the scenario:
> - Two physical hosts with a public ip address on primary network
> interface (eth0). Physical hosts are member of the same network
> and are switch-linked.
> - Every physical host has a bridge (br0) and eth0 is a port of
> this bridge.
If you eth0 is part of a bridge, you cannot/should not put an IP address
on it. In my experience that does not work. You can put it as alias on
the br0 device.
> - Many VMs randomly distribuited between the two physical hosts.
> All VMs are memebers of the same private network (172.16.1.0/24)
> and communicate with each other using br0.
> - Openswan: Linux Openswan U2.6.24/K2.6.32-44.2.el6.x86_64 (netkey)
> - Kernel: 2.6.32-44.2.el6.x86_64
Please upgrade openswan if possible to 2.6.32.
> config setup
This makes no sense. Since there is no NAT involed AFAIK, you should just comment it out.
> conn net2net
You cannot put an empty line in a "conn". Remove the empty line or put an indented # there
You can also not have the same subnet on left and right. I assume you are making host-host
tunnels between the VMs, so remote the subnet lines.
But I'm still confused about what it is you are trying to do to begin with.
> $> service ipsec start
> $> ipsec auto --add net2net
> $> ipsec auto --up net2net
> 004 "net2net" #2: STATE_QUICK_I2: sent QI2, IPsec SA established
> tunnel mode...
with the above config this can never happen, so this is a case of "the customer
is lying". Your config does not match the claimed logs.
More information about the Users