[Openswan Users] Fwd: ARP Problem of strongswan Client in Container

Samir Hussain shussain at xelerance.com
Fri Mar 31 08:46:08 EDT 2017


Rescued from the spam bucket.  Please remember to subscribe to the
mailing list before posting to it.


-------- Forwarded Message --------
Subject: 	ARP Problem of strongswan Client in Container
Date: 	Fri, 31 Mar 2017 06:53:01 +0000
From: 	Fan Zhang <Fan.Zhang at arm.com>
To: 	users at lists.openswan.org <users at lists.openswan.org>



Hi,


I have created a VPN client in a container on Ubuntu. The top is like:


host_eth0 -- host_kernel_bridge_docker0 -- container_eth0 --
container_ipsec0


The problem is that the plain arp message sent
by host_kernel_bridge_docker0 to container_eth0 was forwarded to
container_ipsec0 and the ip address in arp message had been decrypted
into something unknown to ipsec0.


I had the correct configuration as far as the VPN was concerned, as the
ipsec tunnel worked for a couple of seconds before a no-arp-reply problem
was detected by the kernel.  When I configured a static arp on the host,
the VPN connection worked well.


Once I have used version 5.1.2, there was no ipsec0 created and VPN
connection worked well.


OS:
Linux net-x86-mirror 3.13.0-108-generic #155-Ubuntu SMP Wed Jan 11
16:58:52 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
strongswan:  charon-cmd, strongSwan 5.3.5
Cmd:  charon-cmd --ike-proposal aes256-sha1-modp1024 --esp-proposal
aes256-sha1-modp1024 --host 10.169.43.83 --identity test
--xauth-username test --cert ~/certs/server11-root-ca.pem --profile
ikev2-eap --remote-identity 10.0.0.11
host_eth0: 10.169.36.67
host_bridge_docker0: 172.17.0.1
container_eth0: 172.17.0.3
container_ipsec0: 192.168.10.1

Would you please advise how to configure to solve the problem? Thank you
very much!

Best Regards
Zhang Fan
