[Lxc-users] missing feature for learning environment

Pierre-François Bonnefoi pierre-francois.bonnefoi at unilim.fr
Fri Apr 22 16:28:05 UTC 2011


Hello,

I'm a very satisfied user of LXC that I use extensively for my teaching about computer networks for my students.

I'm currently preparing a project involving IPSec Tunnel, and I've discovered the annoying truth : IPSec tunnel support doesn't work.
I've spent the last days  figuring how this appends and to extensively test it.

I'll describe the tests that I've performed :

- first, for convenience, and because it is mandatory in my University, I use a VMWare virtual machine in order to get root access required for configuring network stack (the computers used by the students are locked and they only could use a vmware vm on a USB stick) ;
- second, I've chosen Ubuntu because it's a mainstream distro with all bells and whistles in order to achieve high level of adherence from my students (also because it's based on debian) ;
- third, I use LXC containers and virtual bridges to create some lab environment in order to configure networks and routes, to sniff packets, to craft packet with Scapy etc.

So, I've tried to make the following network :

LAN2Host               Router2                   Router1               LAN1Host
      | 1                  254|         | 252         253|         | 254             |1
----------------------------      --------------------        --------------------- 
     LAN2_bridge                WAN_bridge             LAN1_bridge
192.168.100.0/24            172.16.8.0/24            192.168.200.0/24   

Between Router1 and Router2, I've configured the following IPsec Tunnel (on Router1) :

#!/usr/sbin/setkey -f
# Configuration for Router1
flush;
spdflush;

add 172.16.8.253 172.16.8.252 esp 0x201 -m tunnel -E 3des-cbc 0x464b95fb210a3b6a3cfd31d65b5e1b24df45e24c28565ff0;
add 172.16.8.252 172.16.8.253  esp 0x301 -m tunnel -E 3des-cbc 0x4d87087785db066aca799d229900fa457b1545ae51573774;

spdadd 192.168.200.0/24 192.168.100.0/24 any -P out ipsec esp/tunnel/172.16.8.253-172.16.8.252/require;
spdadd 192.168.100.0/24 192.168.200.0/24 any -P in ipsec esp/tunnel/172.16.8.252-172.16.8.253/require;

(For the router2, the configuration is the same with "in" and "out" swapped).

I've removed the rp_filter protection globally before launching LXC containers
sysctl -w net.ipv4.conf.all.rp_filter=0 

When I try the following command on LAN2Host :
ping 192.168.200.1 

I could sniff ESP packet going through the WAN_bridge.

I could even sniff ESP packet entering Router1.

I could see the decapsulated packet of ICMP echo request packet appearing on the same interface that the previously sniffed ESP packets.

BUT, after this... NOTHING !
The decapsulated (decrypted) packet vanished !

I've tried the same configuration with two VMware VMs replacing Router1 and Router2, with LAN2Host and LAN1Host being LXC containers : IT WORKS !


So, my conclusion is that the decapsulated packets never enter the routing table in Router1 !
(I can perform some LOG on them with iptables before being decrypted, as ESP packets).

Do I've made something wrong ?
(Remember that It would be for teaching purpose, so I prefer not to expose students to dirty tricks that are too distant from real networking...).

Do you have any plan to support full IPsec in LXC containers ?

Best regards,
Pierre-François Bonnefoi.

P-S: you can grab my IPsec keys, I'll change them ;-)

-- 
Bonnefoi Pierre-Francois                |    E-mail : bonnefoi at unilim.fr
Universite de Limoges, Laboratoire XLIM |       Tel : 06 28 18 03 38
83, rue d'Isle                          |  Mrs. Peel, we're needed...
87000 Limoges - FRANCE                  |                 The Avengers.





More information about the lxc-users mailing list