Hello Harri, The NAT rules on the host need to change the source IP address to match the negotiated IPsec policies' local TS.
Kind regards
Noel

On 30.01.20 at 13:37, Harald Dunkel wrote:
> Hi folks,
>
> are there any recommendations how to give a Docker container running on
> a road warrior laptop access to the host's IPsec connection?
>
> Easy testcase (using Docker's default bridge network):
>
> % docker run -it --rm debian
> # ping some.internal.ip.address
> From 10.100.0.2 icmp_seq=1 Destination Port Unreachable
> From 10.100.0.2 icmp_seq=2 Destination Port Unreachable
> From 10.100.0.2 icmp_seq=3 Destination Port Unreachable
> From 10.100.0.2 icmp_seq=4 Destination Port Unreachable
> ^C
> --- some.internal.ip.address ping statistics ---
> 4 packets transmitted, 0 received, +4 errors, 100% packet loss, time 6ms
>
> As you might have guessed, 10.100.0.2 is the local gateway.
>
> Problem is, the Docker container seems to ignore the IPsec connection and
> the subnets accessible via the peer. It tries to use the default gateway.
> That's unfortunate, because Docker copied /etc/resolv.conf from the host.
>
> I checked the Wiki, of course, but maybe I was too blind to see.
> Running Docker *inside* a container is not the use case here; not to
> mention that I found
> https://wiki.strongswan.org/projects/strongswan/wiki/Cloudplatforms
>
> Every helpful hint is highly appreciated
>
> Harri
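The point in Noel's reply is that the container's packets leave the bridge with a source address (here 172.17.x.x) that matches no IPsec policy, so the kernel never encapsulates them and they follow the default route. The script below is an added example, not code from the thread or from strongSwan: it reads the host's outbound xfrm policies, and for every "dir out" policy whose local traffic selector is a single address (the road-warrior virtual IP) it prints an iptables SNAT rule that rewrites container traffic destined for the remote traffic selector to that address. The Docker bridge prefix 172.17.0.0/16, the addresses in the embedded sample policy and the rule position are assumptions for the example; the sample policy text is constructed in the shape `ip xfrm policy` prints.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or strongSwan).
# Generate SNAT rules so Docker bridge traffic to the remote IPsec traffic
# selectors is sent with the tunnel's local address (the host's virtual IP),
# which is what the negotiated policies expect.

# Assumption: Docker's default bridge network. Override with DOCKER_NET=...
DOCKER_NET="${DOCKER_NET:-172.17.0.0/16}"

# xfrm_out_rules: read `ip xfrm policy` output on stdin, print one
# iptables SNAT rule per "dir out" policy. Policies whose local TS is not a
# single address are skipped (SNAT --to-source needs one address).
xfrm_out_rules() {
    awk -v net="$DOCKER_NET" '
        # A policy block starts with "src A/M dst B/N"; remember both.
        $1 == "src" && $3 == "dst" { src = $2; dst = $4 }
        # The direction line follows; only outbound policies matter here.
        $1 == "dir" && $2 == "out" {
            lsrc = src
            if (lsrc !~ /\/32$/) {
                print "# skipped: local TS " lsrc " is not a single address" > "/dev/stderr"
                next
            }
            sub(/\/32$/, "", lsrc)
            # "-I ... 1" puts the rule before the MASQUERADE rule Docker
            # installs, which would otherwise rewrite the source first.
            printf "iptables -t nat -I POSTROUTING 1 -s %s -d %s -j SNAT --to-source %s\n", net, dst, lsrc
        }'
}

# Constructed sample of `ip xfrm policy` output for a road-warrior SA with
# virtual IP 10.1.0.5 and remote TS 10.0.0.0/8 (addresses are assumptions).
SAMPLE_POLICY='src 10.1.0.5/32 dst 10.0.0.0/8
	dir out priority 375423 ptype main
	tmpl src 192.0.2.10 dst 198.51.100.1
		proto esp spi 0x00000000 reqid 1 mode tunnel
src 10.0.0.0/8 dst 10.1.0.5/32
	dir fwd priority 375423 ptype main
	tmpl src 198.51.100.1 dst 192.0.2.10
		proto esp spi 0x00000000 reqid 1 mode tunnel
src 10.0.0.0/8 dst 10.1.0.5/32
	dir in priority 375423 ptype main
	tmpl src 198.51.100.1 dst 192.0.2.10
		proto esp spi 0x00000000 reqid 1 mode tunnel
'

# Print the rules for the sample; with --live, read the real policies instead.
if [ "${1:-}" = "--live" ]; then
    ip xfrm policy | xfrm_out_rules
else
    printf '%s' "$SAMPLE_POLICY" | xfrm_out_rules
fi
```

Review the printed rules, then run them as root (for example `sh script.sh --live | sh`). NAT decisions are made on the first packet of a connection, so restart the ping or flush the stale conntrack entries after adding the rule; and because `/etc/resolv.conf` copied from the host points at a DNS server inside the remote traffic selector, the same rule also makes the container's name resolution go through the tunnel. `ip xfrm policy` lists the negotiated traffic selectors, so check it first if the container still reaches the default gateway: a local TS wider than a /32 needs a different approach than a single `--to-source` address.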