IPsec server in LXC container


#1

Hello,
I have a VM setup with a VLAN between two VMs: one runs an IPsec server and the other a client, through Strongswan, and it works (Debian Stretch on the guests and on the host).
On the same machine, I set up an LXC container that runs the server and made the LXC container reachable through the VLAN (connectivity checked with netcat and ping).

But I am unable to get the IPsec server running in LXC to work.
swanctl --log -vvv

14[NET] received packet: from 192.168.102.158[500] to 192.168.102.237[500] (936 bytes)
14[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
14[IKE] no IKE config found for 192.168.102.237...192.168.102.158, sending NO_PROPOSAL_CHOSEN
14[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
14[NET] sending packet: from 192.168.102.237[500] to 192.168.102.158[500] (36 bytes)
07[NET] received packet: from 192.168.102.158[500] to 192.168.102.237[500] (936 bytes)
07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
07[IKE] no IKE config found for 192.168.102.237...192.168.102.158, sending NO_PROPOSAL_CHOSEN
07[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
07[NET] sending packet: from 192.168.102.237[500] to 192.168.102.158[500] (36 bytes)
16[NET] received packet: from 192.168.102.158[500] to 192.168.102.237[500] (936 bytes)
16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
16[IKE] no IKE config found for 192.168.102.237...192.168.102.158, sending NO_PROPOSAL_CHOSEN
16[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
16[NET] sending packet: from 192.168.102.237[500] to 192.168.102.158[500] (36 bytes)

config:

connections {
    rw {
        pools = rw_pool
        local {
            auth = pubkey
            certs = ipsec1_cert.pem
            id = ipsec1
        }
        remote {
            auth = pubkey
        }
        children {
            net-net {
                local_ts = 192.168.100.0/24
                esp_proposals = aes256gcm128-prfsha512-ecp521
            }
        }
        version = 2
        proposals = aes256gcm128-prfsha512-ecp521
    }
}

pools {
    rw_pool {
        addrs = 10.0.1.0/24
    }
}

Client

[IKE] initiating IKE_SA home[35] to 192.168.102.237
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
[NET] sending packet: from 192.168.102.158[500] to 192.168.102.237[500] (936 bytes)
[IKE] retransmit 1 of request with message ID 0
[NET] sending packet: from 192.168.102.158[500] to 192.168.102.237[500] (936 bytes)
[NET] received packet: from 192.168.102.237[500] to 192.168.102.158[500] (36 bytes)
[ENC] parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
[IKE] received NO_PROPOSAL_CHOSEN notify error
initiate failed: establishing CHILD_SA 'home' failed

config:

connections {
    home {
        remote_addrs = 192.168.102.237
        vips = 0.0.0.0
        local {
            auth = pubkey
            certs = client1_cert.pem
            id = client1
        }
        remote {
            auth = pubkey
            id = ipsec1
        }
        children {
            home {
                remote_ts = 192.168.100.0/24
                start_action = start
                esp_proposals = aes256gcm128-prfsha512-ecp521
            }
        }
        version = 2
    }
}

192.168.102.0/24 is a shared interface between servers and clients
192.168.100.0/24 is an interface only on the server that the client can access once connected through the IPsec server

The configuration is exactly the same as in the VM setup; I literally copied it without changes, so it's very unlikely there is something wrong there.

Can anyone confirm that LXC does allow IPsec servers to be run? Is there anything specific to add to the LXC config?
For now, I simply created a container from the Debian template and added my network bridges.
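The server log above says "no IKE config found for 192.168.102.237...192.168.102.158" before it sends NO_PROPOSAL_CHOSEN. charon emits the same NO_PROPOSAL_CHOSEN notify in two distinct situations, and the client only ever sees the notify: either the responder found no connection whose local/remote addresses cover the peer pair (the proposals are never compared), or a connection matched but no IKE proposal overlapped (charon then logs "received proposals:", "configured proposals:" and "no matching proposal found"). The Python script below is an added example, not part of the original post, that tells these two apart from charon log lines and reports the address pair or the two proposal lists. The first sample is built from the lines quoted in the post; the second is a constructed proposal-mismatch log whose algorithm strings are made up for contrast. The `classify` and `hint` helpers are illustrative names, not strongSwan tooling.

```python
"""Classify why a strongSwan responder sent NO_PROPOSAL_CHOSEN, from charon log lines."""
import re

# charon log lines carry a "<thread>[<group>] " prefix, e.g. "14[IKE] ".
PREFIX = re.compile(r'^\s*\d+\[[A-Z]+\]\s+')
# charon prints three dots between the addresses; pasted logs often turn them into "…".
NO_CONFIG = re.compile(
    r'no IKE config found for (?P<local>\S+)(?:\.\.\.|…)(?P<remote>\S+), sending NO_PROPOSAL_CHOSEN')
RECEIVED = re.compile(r'received proposals: (?P<p>.+)')
CONFIGURED = re.compile(r'configured proposals: (?P<p>.+)')
NO_MATCH = re.compile(r'no matching proposal found, sending NO_PROPOSAL_CHOSEN')


def classify(lines):
    """Return a dict describing why the responder sent NO_PROPOSAL_CHOSEN.

    kind is one of:
      'no-peer-config'    - no connection covered the local/remote address pair
                            (the initiator's proposal was never compared)
      'proposal-mismatch' - a connection matched but no IKE proposal overlapped
      'none'              - no NO_PROPOSAL_CHOSEN seen in these lines
    count is how many times the failure was logged (one per retransmit).
    """
    result = {'kind': 'none', 'count': 0}
    received = configured = None
    for raw in lines:
        line = PREFIX.sub('', raw.strip())
        m = NO_CONFIG.search(line)
        if m:
            result.update(kind='no-peer-config', local=m['local'], remote=m['remote'])
            result['count'] += 1
            continue
        m = RECEIVED.search(line)
        if m:
            received = m['p']
            continue
        m = CONFIGURED.search(line)
        if m:
            configured = m['p']
            continue
        if NO_MATCH.search(line):
            result.update(kind='proposal-mismatch', received=received, configured=configured)
            result['count'] += 1
    return result


def hint(result):
    """Turn a classification into the next thing to check on the responder."""
    if result['kind'] == 'no-peer-config':
        return (f"no connection covers local {result['local']} / remote {result['remote']}: "
                "check that 'swanctl --list-conns' in the container lists the connection; "
                "if it is empty, run 'swanctl --load-all' and look for parse errors")
    if result['kind'] == 'proposal-mismatch':
        return (f"a connection matched but the IKE proposals differ: received "
                f"{result['received']} vs configured {result['configured']}")
    return 'no NO_PROPOSAL_CHOSEN in these lines'


# Constructed sample 1: the server-side lines quoted in the post (two retransmits).
SERVER_LOG = """\
14[NET] received packet: from 192.168.102.158[500] to 192.168.102.237[500] (936 bytes)
14[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
14[IKE] no IKE config found for 192.168.102.237...192.168.102.158, sending NO_PROPOSAL_CHOSEN
14[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
07[IKE] no IKE config found for 192.168.102.237…192.168.102.158, sending NO_PROPOSAL_CHOSEN
""".splitlines()

# Constructed sample 2: what a genuine algorithm mismatch looks like instead
# (wording follows charon's ike_init task; the proposal strings are made up).
MISMATCH_LOG = """\
05[CFG] received proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
05[CFG] configured proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_512/ECP_521
05[IKE] no matching proposal found, sending NO_PROPOSAL_CHOSEN
""".splitlines()

if __name__ == '__main__':
    for log in (SERVER_LOG, MISMATCH_LOG):
        r = classify(log)
        print(r['kind'], r['count'], '-', hint(r))
```

Run it against `swanctl --log` output captured in the container (`python3 classify.py < charon.log` after swapping the samples for `sys.stdin`); for the lines in the post it reports `no-peer-config`, i.e. the place to look is whether the `rw` connection is actually loaded inside the container, not the algorithm strings, which are identical on both sides.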