On 18.10.2016 11:39, Thomas Bach wrote:
> Hi there,
>
> Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> writes:
>
>> On Fri, Sep 09, 2016 at 09:06:59AM +0200, Thomas Bach wrote:
>>> Hi,
>>>
>>> I have two hosts with public IP addresses running Ubuntu 16.04 with
>>> Kernel version 4.4.0.
>>>
>>> I want to interconnect two containers (systemd-nspawn) with veth
>>> interfaces running on these hosts in a server client setup.
>>>
>>> […]
>>>
>>> This works as expected and without any problems at all. Now IPSec
>>> enters the picture. As soon as I set up a policy to encrypt everything
>>> between the two hosts the following happens:
>>> + I can still connect from the second host to the server in the
>>>   container without problems,
>>> + I can still /connect/ (i.e. establish a connection) from the
>>>   container on the second host to the server on the first host, but
>>> + in tcpdump listening on the interface of the container (on the
>>>   second host) I see lots of TCP Retransmissions and the TCP connection
>>>   is effectively broken.
>>>
>>> Can someone give me a hint what is going on here?
>>
>> Did you find the root cause for this problem?
> Actually not. I worked around the issue by switching from the
> "ipsec-tools" package (i.e. static rules and keying done by hand) to
> strongswan. Now the whole setup works as intended with the rules being
> more or less the ones cited in my original post.
>
> It would be nice to know what the differences are on the package level
> between strongswan configured ipsec and the ones configured via
> ipsec-tools.

You'll have to figure that out by yourself, I don't know what racoon
configures. If racoon actually uses XFRM, the differences should only be
the configuration of the SAs.

--
Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
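Noel's reply points at the kernel XFRM state as the place where the two setups should differ. As an added example that is not part of the thread, of ipsec-tools or of strongswan, the script below parses two `ip xfrm state` dumps into a normalised form (key material dropped) and reports field-by-field differences in mode, reqid, replay window, flags, algorithms and selectors; it also flags SAs whose replay window is 0, which disables XFRM anti-replay checking. The two dumps embedded in it are constructed samples, one shaped like a hand-keyed setkey SA and one like an IKE-negotiated SA; the addresses are documentation addresses and the script name xfrm_diff.py is assumed.

```python
# Added example (not from the thread): normalise two `ip xfrm state` dumps so the
# SAs installed by two different keying setups can be compared field by field.
# Raw key material is discarded during parsing. Sample dumps are constructed.
import re
import sys

# Constructed sample resembling SAs installed by hand with setkey (ipsec-tools):
# transport mode, reqid 0, replay window 0.
SETKEY_DUMP = """\
src 192.0.2.1 dst 198.51.100.1
    proto esp spi 0x00001000 reqid 0 mode transport
    replay-window 0
    auth-trunc hmac(sha1) 0x0000000000000000000000000000000000000000 96
    enc cbc(aes) 0x00000000000000000000000000000000
    sel src 0.0.0.0/0 dst 0.0.0.0/0
"""

# Constructed sample resembling an IKE-negotiated SA (strongswan-style).
IKE_DUMP = """\
src 192.0.2.1 dst 198.51.100.1
    proto esp spi 0xc1a2b3c4 reqid 1 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha256) 0x1111111111111111111111111111111111111111111111111111111111111111 128
    enc cbc(aes) 0x22222222222222222222222222222222
    anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
    sel src 0.0.0.0/0 dst 0.0.0.0/0
"""

# Fields worth comparing between two SAs for the same (src, dst, proto).
FIELDS = ("mode", "reqid", "replay_window", "flags", "algs", "sel")


def parse_xfrm_state(text):
    """Parse `ip xfrm state` output into a list of dicts; key material is dropped."""
    sas, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^src (\S+) dst (\S+)$", line)
        if m:  # start of a new SA block
            cur = {"src": m.group(1), "dst": m.group(2), "flags": [], "algs": []}
            sas.append(cur)
            continue
        if cur is None or not line:
            continue
        m = re.match(r"^proto (\S+) spi (\S+) reqid (\d+) mode (\S+)", line)
        if m:
            cur.update(proto=m.group(1), spi=m.group(2), reqid=int(m.group(3)), mode=m.group(4))
            continue
        m = re.match(r"^replay-window (\d+)(?: flag (.*))?$", line)
        if m:
            cur["replay_window"] = int(m.group(1))
            cur["flags"] = m.group(2).split() if m.group(2) else []
            continue
        # Algorithm lines: "<kind> <name> 0x<key> [<truncation-bits>]"; keep kind/name/bits only.
        m = re.match(r"^(auth-trunc|auth|enc|aead) (\S+) 0x[0-9a-fA-F]+(?: (\d+))?", line)
        if m:
            cur["algs"].append((m.group(1), m.group(2), int(m.group(3) or 0)))
            continue
        m = re.match(r"^sel src (\S+) dst (\S+)", line)
        if m:
            cur["sel"] = (m.group(1), m.group(2))
        # Other lines (lifetime, anti-replay context, ...) are ignored.
    return sas


def diff_states(first, second):
    """Pair SAs by (src, dst, proto) and list every compared field that differs."""
    key = lambda sa: (sa["src"], sa["dst"], sa.get("proto", "?"))
    a = {key(sa): sa for sa in first}
    b = {key(sa): sa for sa in second}
    report = []
    for k in sorted(set(a) | set(b)):
        if k not in a or k not in b:
            report.append(f"{k}: only in {'first' if k in a else 'second'} dump")
            continue
        for f in FIELDS:
            if a[k].get(f) != b[k].get(f):
                report.append(f"{k}: {f} {a[k].get(f)!r} -> {b[k].get(f)!r}")
    return report


def audit_states(sas):
    """Flag SAs with replay-window 0: the kernel then performs no anti-replay check."""
    return [f"{sa['src']}->{sa['dst']} spi {sa.get('spi')}: replay-window 0 (anti-replay disabled)"
            for sa in sas if sa.get("replay_window") == 0]


if __name__ == "__main__":
    # Usage: python xfrm_diff.py before.txt after.txt  (each taken with `ip xfrm state`)
    if len(sys.argv) == 3:
        dumps = [open(p).read() for p in sys.argv[1:]]
    else:
        dumps = [SETKEY_DUMP, IKE_DUMP]  # fall back to the constructed samples
    parsed = [parse_xfrm_state(d) for d in dumps]
    for entry in diff_states(*parsed):
        print("DIFF", entry)
    for entry in audit_states(parsed[0]) + audit_states(parsed[1]):
        print("WARN", entry)
```

Run it once with a dump saved under each keying setup and the report shows exactly which SA attributes changed; `ip xfrm policy` output can be checked the same way if the selectors rather than the SAs are suspected.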