Problem with IP network routes from containers - different from the host (StrongSwan)

Hello,

I have been using LinuX Containers (LXC) for a few years (10 years, maybe more), either from Proxmox or standalone.

This is the first time I post a discussion topic on your site.

Thanks to the developers of the LinuX Container projects, you rock!

I see (or so it seems to me) that there is a problem with the “network routes” of the containers.

The symptom is that I have the impression (I am sure of it) that the containers do not read routing table 220.

On Linux, strongSwan installs its routes by default in routing table 220 and thus requires that the kernel support policy-based routing.

`ip -6 route show table 220`

Documentation strongSwan :: Introduction to strongSwan → Routing
Documentation strongSwan :: Route-based VPN


I’ll give you an example :slight_smile:

Host IPv6 routes:

root@vps-uk:~ # ip -6 route show
2001:41d0:801:2000::44f9 dev vmbr0 proto kernel metric 256 pref medium
fc00:41d0:801:2000::/64 dev vmbr1 proto kernel metric 256 pref medium
fe80::/64 dev ens3 proto kernel metric 256 pref medium
fe80::/64 dev vmbr0 proto kernel metric 256 pref medium
fe80::/64 dev veth_1 proto kernel metric 256 pref medium
fe80::/64 dev vmbr1 proto kernel metric 256 pref medium
fec1::1 dev vmbr0 proto kernel metric 256 pref medium
default via 2001:41d0:801:2000::1 dev vmbr0 metric 1024 onlink pref medium

IPv6 routes reserved for strongSwan (table 220):

root@vps-uk:~ # ip -6 route show table 220
fc00:41d0:701:1100::/64 dev vmbr0 proto static src fec1::1 metric 1024 pref medium
fc01::10:6:0:0/104 dev vmbr0 proto static src fec1::1 metric 1024 pref medium
fc01::10:126:0:0/104 dev vmbr0 proto static src fec1::1 metric 1024 pref medium
fc01::172:16:0:0/104 dev vmbr0 proto static src fec1::1 metric 1024 pref medium
fc01::192:168:0:0/104 dev vmbr0 proto static src fec1::1 metric 1024 pref medium
fc10:11:6:42:1::/96 dev vmbr0 proto static src fec1::1 metric 1024 pref medium
fec0::/16 dev vmbr0 proto static src fec1::1 metric 1024 pref medium
fec2::/16 dev vmbr0 proto static src fec1::1 metric 1024 pref medium

A ping from the host to a machine on a site secured by the strongSwan VPN:

root@vps-uk:~ # ping6 fc01::10:126:42:1000 -c4
PING fc01::10:126:42:1000(fc01::10:126:42:1000) 56 data bytes
64 bytes from fc01::10:126:42:1000: icmp_seq=1 ttl=60 time=37.7 ms
64 bytes from fc01::10:126:42:1000: icmp_seq=2 ttl=60 time=36.9 ms
64 bytes from fc01::10:126:42:1000: icmp_seq=3 ttl=60 time=36.3 ms
64 bytes from fc01::10:126:42:1000: icmp_seq=4 ttl=60 time=36.4 ms

--- fc01::10:126:42:1000 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 36.339/36.825/37.701/0.542 ms

The IPv6 traceroute from the host to the machine on the strongSwan VPN site:

root@vps-uk:~ # traceroute6 fc01::10:126:42:1000 -I
traceroute to fc01::10:126:42:1000 (fc01::10:126:42:1000), 30 hops max, 80 byte packets
 1  fec0::1 (fec0::1)  13.112 ms  13.047 ms  13.022 ms
 2  fec2::1 (fec2::1)  35.768 ms * *
 3  fc01::172:16:0:254 (fc01::172:16:0:254)  35.693 ms * *
 4  fc01::10:126:0:1 (fc01::10:126:0:1)  35.694 ms  35.671 ms  36.247 ms
 5  fc01::10:126:42:1000 (fc01::10:126:42:1000)  36.903 ms * *

So far so good.


Now I go into a container, and that is where the requests go out through the GUA (Global Unicast Address):

root@vps-uk:~ # lxc-attach ns4
root@vps-uk.ns4:~ #

Container IPv6 routes:

root@vps-uk.ns4:~ # ip -6 r s
fc00:41d0:801:2000::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
default via fc00:41d0:801:2000::fffe dev eth0 metric 1024 pref medium

Pinging the same machine on the strongSwan VPN site from the container:

root@vps-uk.ns4:~ # ping6 fc01::10:126:42:1000 -c4
PING fc01::10:126:42:1000(fc01::10:126:42:1000) 56 data bytes
From 2001:41d0:801:2000::44f9 icmp_seq=1 Destination unreachable: Address unreachable
From 2001:41d0:801:2000::44f9 icmp_seq=2 Destination unreachable: Address unreachable
From 2001:41d0:801:2000::44f9 icmp_seq=3 Destination unreachable: Address unreachable
From 2001:41d0:801:2000::44f9 icmp_seq=4 Destination unreachable: Address unreachable

--- fc01::10:126:42:1000 ping statistics ---
4 packets transmitted, 0 received, +4 errors, 100% packet loss, time 3076ms

The traceroute:

root@vps-uk.ns4:~ # traceroute6 fc01::10:126:42:1000
traceroute to fc01::10:126:42:1000 (fc01::10:126:42:1000), 30 hops max, 80 byte packets
 1  fc00:41d0:801:2000::fffe (fc00:41d0:801:2000::fffe)  0.079 ms  0.018 ms  0.014 ms
 2  vps.uk.ipv10.net (2001:41d0:801:2000::44f9)  3060.410 ms !H  3060.336 ms !H  3060.303 ms !H

Here it is – it seems to me that there is a problem with network routes from the containers :wink:

Thanks to you - Correct this for me as soon as possible <3


If you are interested in trying the strongSwan 6.0beta Vici post-quantum IKEv2 daemon, or the official version 5.9 ([docs](https ://docs.strongswan.org/)):

[Documentation StrongSwan](https ://docs.strongswan.org/) - modern vici-based scenarios: [IPv6 Configuration Examples](https ://docs.strongswan.org/docs/5.9/config/IPv6.html) and the page [Usable Examples configurations](https ://wiki.strongswan.org/projects/strongswan/wiki/UsableExamples).

[-> My configuration tests (I have nothing better at the moment)](https ://www.zw3b.com/pub/vpn/strongSwan-v6.0/)

  1. Config “1” is an example of the “/etc/strongSwan.conf” files (server / client).
  2. Config “2” is OK without subnets (public IPv4 to public IPv4; the traceroute does not hop between the 2 connected machines).
  3. Config “3” is OK from “site” to “site” (ping & services) with IPv6 subnets.
  4. Config “4” is OK from “site” to “server” to “site” (ping and services) with subnets; that is where I am now.

I’m adding my script “[firewall-icmpv6]( https ://howto.zw3b.fr/linux/securite/comment-faire-un-reseau-ipv6-firewall-icmpv6)”, where I added the function “ipv6_strongswan()”, which allows UDP/TCP requests to pass on the “IPv6 SWAN Site-Local scoped” address prefix in addition to ICMPv6 (ping) :wink:

A bit of firewall-ipv6: check the network ranges `fe80::/10` and `fec0::/10` and the multicast range `ff00::/8` ;)

```bash
#####
# we set the rules for IPv6 addresses
#####

# $IP6TABLE is set at the top of the full script; defaulted here so that
# these functions can be sourced on their own.
IP6TABLE="${IP6TABLE:-ip6tables}"

function ipv6_link_multicast()
{
        echo "   |"
        echo "   + IPv6 - Addrs Link-Local Unicast and Multicast -----------------------"

        # Allow Link-Local addresses
        # network range : fe80:0000:0000:0000:0000:0000:0000:0000-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
        echo "   |"
        $IP6TABLE -A INPUT -s fe80::/10 -j ACCEPT
        $IP6TABLE -A FORWARD -s fe80::/10 -d fe80::/10 -j ACCEPT
        $IP6TABLE -A OUTPUT -d fe80::/10 -j ACCEPT
        echo "   +--? fe80::/10 : ACCEPT"
        echo "   |"
        echo "   + IPv6 - Addrs Link-Local : [OK]"

        # Allow multicast
        # network range : ff00:0000:0000:0000:0000:0000:0000:0000-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
        echo "   |"
        $IP6TABLE -A INPUT -d ff00::/8 -j ACCEPT
        $IP6TABLE -A FORWARD -s ff00::/8 -d ff00::/8 -j ACCEPT
        $IP6TABLE -A OUTPUT -d ff00::/8 -j ACCEPT
        echo "   +--? ff00::/8 : ACCEPT"
        echo "   |"
        echo "   + IPv6 - Addrs Multicast : [OK]"
}

#####
# we set the rules for secure IPv6 addresses (VPN/strongSwan)
#####

function ipv6_strongswan()
{
        echo "   |"
        echo "   + IPv6 - Addrs Site-Local Secure Area Network -------------------------"

        # Allow Secure Area Network addresses
        # network range : fec0:0000:0000:0000:0000:0000:0000:0000-feff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
        # fec0::/10 is the deprecated IPv6 site-local unicast range (RFC 3879).
        # These rules match on address only; they do not check that a packet
        # actually arrived through an IPsec SA (ip6tables "-m policy --dir in
        # --pol ipsec" is the match that does that).
        echo "   |"
        $IP6TABLE -A INPUT -s fec0::/10 -j ACCEPT
        $IP6TABLE -A FORWARD -s fec0::/10 -d fec0::/10 -j ACCEPT
        $IP6TABLE -A OUTPUT -d fec0::/10 -j ACCEPT
        echo "   +--? fec0::/10 : ACCEPT"
        echo "   |"
        echo "   + IPv6 - Addrs Secure Area Network : [OK]"
}
```

GestióIP : IPv6 subnet calculator

Good day, ladies and gentlemen.

Romain


Post Scriptum: Is there a moderator who could modify my links (5 links maximum in the first message)? I put “http(space)://” to “display” the addresses of the websites. Thanks.
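The post compares the host and container route listings by eye. The following is an added example, not code from the post or from the strongSwan or LXC projects, that does the same comparison mechanically: it parses the `ip -6 route show` listings pasted above (embedded verbatim as input) and models the kernel's lookup, walking the policy rules in priority order, doing a longest-prefix match in each selected table, and stopping at the first table that matches. Two things are assumptions rather than facts shown in the post: that the host has strongSwan's default `220: from all lookup 220` rule ahead of the main-table rule (which `ip -6 rule show` would confirm), and that the container's network namespace holds only its own main table, since routing tables and rules are per network namespace and are not inherited from the host. The helper names (`parse_ip6_route`, `lookup`, `compare`, `vpn_route_missing_in_container`) are mine.

```python
"""Per-namespace route lookup: rule walk + longest-prefix match (added example)."""
from __future__ import annotations

import ipaddress
from typing import NamedTuple, Optional

# Constructed input: the route listings copied verbatim from the post.
HOST_MAIN_TXT = """
2001:41d0:801:2000::44f9 dev vmbr0 proto kernel metric 256 pref medium
fc00:41d0:801:2000::/64 dev vmbr1 proto kernel metric 256 pref medium
fe80::/64 dev ens3 proto kernel metric 256 pref medium
fe80::/64 dev vmbr0 proto kernel metric 256 pref medium
fe80::/64 dev veth_1 proto kernel metric 256 pref medium
fe80::/64 dev vmbr1 proto kernel metric 256 pref medium
fec1::1 dev vmbr0 proto kernel metric 256 pref medium
default via 2001:41d0:801:2000::1 dev vmbr0 metric 1024 onlink pref medium
"""
HOST_220_TXT = """
fc00:41d0:701:1100::/64 dev vmbr0 proto static src fec1::1 metric 1024 pref medium
fc01::10:6:0:0/104 dev vmbr0 proto static src fec1::1 metric 1024 pref medium
fc01::10:126:0:0/104 dev vmbr0 proto static src fec1::1 metric 1024 pref medium
fc01::172:16:0:0/104 dev vmbr0 proto static src fec1::1 metric 1024 pref medium
fc01::192:168:0:0/104 dev vmbr0 proto static src fec1::1 metric 1024 pref medium
fc10:11:6:42:1::/96 dev vmbr0 proto static src fec1::1 metric 1024 pref medium
fec0::/16 dev vmbr0 proto static src fec1::1 metric 1024 pref medium
fec2::/16 dev vmbr0 proto static src fec1::1 metric 1024 pref medium
"""
CONTAINER_MAIN_TXT = """
fc00:41d0:801:2000::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
default via fc00:41d0:801:2000::fffe dev eth0 metric 1024 pref medium
"""


class Route(NamedTuple):
    prefix: ipaddress.IPv6Network
    dev: str
    via: Optional[str]
    src: Optional[str]
    table: str


KEYED = {"via", "dev", "src", "proto", "metric", "pref", "table"}


def parse_ip6_route(text: str, table: str) -> list[Route]:
    """Parse `ip -6 route show` lines: `default` or a prefix, then key/value
    pairs; bare flags such as `onlink` are skipped.  Multipath `nexthop`
    blocks and cache entries are not handled."""
    routes = []
    for line in text.strip().splitlines():
        tok = line.split()
        dst = "::/0" if tok[0] == "default" else tok[0]
        kv, i = {}, 1
        while i < len(tok):
            if tok[i] in KEYED and i + 1 < len(tok):
                kv[tok[i]] = tok[i + 1]
                i += 2
            else:
                i += 1
        routes.append(Route(ipaddress.IPv6Network(dst, strict=False),
                            kv.get("dev", "?"), kv.get("via"), kv.get("src"), table))
    return routes


def lookup(dst: str, tables: list[list[Route]]) -> Optional[Route]:
    """Rule walk: the first table (in rule priority order) holding a matching
    prefix answers with its longest match; only a table with no match at all
    lets the kernel continue to the next rule.  Metric tie-breaks and
    `unreachable`/`throw` routes are not modelled."""
    addr = ipaddress.IPv6Address(dst)
    for table in tables:
        hits = [r for r in table if addr in r.prefix]
        if hits:
            return max(hits, key=lambda r: r.prefix.prefixlen)
    return None


HOST_MAIN = parse_ip6_route(HOST_MAIN_TXT, "main")
HOST_220 = parse_ip6_route(HOST_220_TXT, "220")
CONTAINER_MAIN = parse_ip6_route(CONTAINER_MAIN_TXT, "main")
# Assumed rule order per namespace (see lead-in): table 220 is consulted
# before main on the host; the container namespace has only its own main.
HOST_RULES = [HOST_220, HOST_MAIN]
CONTAINER_RULES = [CONTAINER_MAIN]


def compare(dst: str) -> dict[str, Optional[Route]]:
    return {"host": lookup(dst, HOST_RULES), "container": lookup(dst, CONTAINER_RULES)}


def vpn_route_missing_in_container(dst: str) -> bool:
    """True when the host resolves dst through table 220 while the container
    can only hand it to its default gateway: the symptom in the post."""
    r = compare(dst)
    h, c = r["host"], r["container"]
    return bool(h and h.table == "220" and c and c.prefix.prefixlen == 0)


if __name__ == "__main__":
    for dst in ("fc01::10:126:42:1000", "fec0::1", "2001:4860:4860::8888"):
        print(f"{dst}:")
        for ns, route in compare(dst).items():
            via = f" via {route.via}" if route.via else ""
            print(f"  {ns:9} table {route.table:4} {route.prefix} dev {route.dev}{via}")
        flag = vpn_route_missing_in_container(dst)
        print("  -> table 220 route not visible from the container" if flag
              else "  -> no table 220 dependency")
```

Run as a script it prints both lookups for the destination pinged in the post, for `fec0::1` (the first traceroute hop) and for a public address as contrast. On a live host, replace the three strings with the output of `ip -6 route show`, `ip -6 route show table 220` and `lxc-attach -n ns4 -- ip -6 route show`, and take the rule order from `ip -6 rule show` inside each namespace. The script stops at the routing decision: what happens to the container's packet once its default gateway (the host) receives it depends on the host's IPsec policies, which it does not model.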

I opened the same topic on the forum :

Good day to all.

Solved in Problem route table 220 (strongswan) from a container - post #5