[Users] IPsec packets from VEs sent to wrong interface

Marcus Better marcus at better.se
Wed Jun 18 04:42:44 EDT 2008


I'm running OpenSWAN on the host node to provide tunnels to some VEs. The VEs are connected on veth devices that are bridged together to br0. The IPsec tunnel is correctly established, but response traffic from the VE is being sent out on br0, not the external interface eth0. Is there a workaround for this?

Details of the setup:

Server is OpenVZ 2.6.24 (compiled from git), Debian x86_64, OpenSWAN 2.4.12.

Host node interfaces:
eth0: public address server.example.org
br0: bridge, internal address, only slave interface veth106.0
veth106.0: host end of veth.

VE interfaces:
eth0: veth interface, address

Now "ping" from the IPsec client (client.example.org, with private address) works correctly, but "ping" shows this:
[host:~]# tcpdump -i br0
10:31:43.238582 IP > ICMP echo request, id 9274, seq 40, length 64
10:31:43.238617 IP server.example.org.4500 > client.example.org.4500: UDP-encap: ESP(spi=0xeee72df0,seq=0x35c), length 132
10:31:44.230477 IP > ICMP echo request, id 9274, seq 41, length 64
10:31:44.230509 IP server.example.org.4500 > client.example.org.4500: UDP-encap: ESP(spi=0xeee72df0,seq=0x35d), length 132

Here the packets destined for client.example.org are only seen on br0, not on the external interface. I have forwarding enabled on both br0 and eth0.
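An added diagnostic script, not from the original post and not from the OpenVZ or Openswan projects, of the kind a practitioner would run on the host node to pin down where the kernel is routing the outer UDP-encapsulated ESP packets. It assumes iproute2, sysctl and tcpdump are installed, that Openswan is using the NETKEY (native xfrm) stack (with KLIPS the equivalents are `ipsec eroute` and the ipsec0 device), and that the peer's IP address and the expected external interface are passed as arguments. The function names `route_dev`, `route_matches` and `esp_count`, the script name and the sample addresses in the comments are all chosen here, not taken from the post.

```shell
#!/bin/sh
# Added example (not from the original post). Diagnose why UDP-encapsulated ESP
# for an IPsec peer leaves through an unexpected interface on the host node.
# Assumes iproute2, sysctl and tcpdump, and the NETKEY/xfrm stack (assumption).
#
# Usage (as root):  sh ipsec-egress-check.sh <peer-ip> <expected-ext-if>
# Example:          sh ipsec-egress-check.sh 198.51.100.7 eth0

# Print the "dev" field of one "ip route get" output line. For the constructed
# line
#   198.51.100.7 via 192.0.2.1 dev eth0 src 192.0.2.10 uid 0
# this prints "eth0". Prints nothing if the line has no dev field.
route_dev() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Succeed (exit 0) only when the route line leaves through the expected device.
route_matches() {
    [ "$(route_dev "$1")" = "$2" ]
}

# Count UDP-encapsulated ESP packets in a chunk of tcpdump text output
# (grep -c prints 0 but exits 1 on no match, hence the "|| true").
esp_count() {
    printf '%s\n' "$1" | grep -c 'UDP-encap: ESP' || true
}

# Run the live checks on this host. Every command here needs root.
diagnose() {
    peer="$1"
    ext_if="$2"

    echo "== 1. kernel route to the IKE/ESP peer $peer"
    line=$(ip route get "$peer" | head -n 1)
    echo "$line"
    if route_matches "$line" "$ext_if"; then
        echo "   OK: outer ESP packets should leave via $ext_if"
    else
        echo "   MISMATCH: route uses '$(route_dev "$line")', expected $ext_if"
        echo "   check 'ip rule' and 'ip route show table all' for a policy route"
    fi

    echo "== 2. xfrm policies and SAs (outer src/dst must match the route above)"
    ip xfrm policy
    ip xfrm state

    echo "== 3. forwarding sysctls"
    sysctl net.ipv4.ip_forward "net.ipv4.conf.$ext_if.forwarding" net.ipv4.conf.br0.forwarding

    echo "== 4. is ESP/NAT-T actually leaving $ext_if? (stops after 20 packets)"
    tcpdump -ni "$ext_if" -c 20 'udp port 4500 or esp'
}

# Only run the live checks when both arguments are given; sourcing the file
# without arguments just defines the helper functions.
if [ "$#" -ge 2 ]; then
    diagnose "$1" "$2"
fi
```

Step 1 is the decisive one: with the xfrm stack the kernel routes the encapsulated packet by its outer destination (here client.example.org), regardless of which interface the inner plaintext arrived on, so if `ip route get` already answers `dev br0` the problem is in the routing table or a policy rule, not in Openswan. Step 4 captures on the external interface rather than on br0, so it either confirms the packets are leaving the right way after all or shows that they never reach eth0.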
