You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
We're setting up a clean swarm (17.06.2, mix of ubuntu 14.04 and 16.04) between two hosters. To secure traffic for some services we're using an encrypted overlay network. Machines at hoster A can talk to each other over the encrypted overlay, same for hoster B, but traffic between hosters does not flow. sudo ip -s xfrm state on all machines reveals odd tunnels being created.
For the sake of continuity lets assume these conditions to be correct:
VM2 and VM3 have their eth0 set to their local addr., VM1 has its eth0 set to its public ip. This, I think, is the culprit here.
sudo ip -s xfrm state on VM1(hosterA) shows these tunnels:
src 172.22.0.1 >>VM2(hosterB)<< dst 100.x.x.1 >>VM1(hosterA)<<
proto esp spi 0x2b6a593c(728389948) reqid 13681891(0x00d0c4e3) mode transport
(...)
src 172.22.0.1 >>VM2(hosterB)<< dst 100.x.x.1 >>VM1(hosterA)<<
proto esp spi 0x63f3262d(1676879405) reqid 13681891(0x00d0c4e3) mode transport
(...)
src 100.x.x.1 >>VM1(hosterA)<< dst 172.22.0.1 >>VM2(hosterB)<<
proto esp spi 0x63f3262d(1676879405) reqid 13681891(0x00d0c4e3) mode transport
(...)
src 172.22.0.1 >>VM2(hosterB)<< dst 100.x.x.1 >>VM1(hosterA)<<
proto esp spi 0x483521cd(1211441613) reqid 13681891(0x00d0c4e3) mode transport
(...)
src 100.x.x.1 >>VM1(hosterA)<< dst 100.x.x.1 >>VM1(hosterA)<<
proto esp spi 0x10372a49(272050761) reqid 13681891(0x00d0c4e3) mode transport
(...)
src 100.x.x.1 >>VM1(hosterA)<< dst 100.x.x.1 >>VM1(hosterA)<<
proto esp spi 0x047b1c41(75177025) reqid 13681891(0x00d0c4e3) mode transport
(...)
src 100.x.x.1 >>VM1(hosterA)<< dst 100.x.x.1 >>VM1(hosterA)<<
proto esp spi 0xa2b65be4(2729860068) reqid 13681891(0x00d0c4e3) mode transport
(...)
And vice versa, the same command run on VM2(hosterB):
src 172.22.0.1 >>VM2(hosterB)<< dst 172.22.0.2 >>VM3(hosterB)<<
proto esp spi 0x3d503b25(1028668197) reqid 13681891(0x00d0c4e3) mode transport
(...)
src 172.22.0.2 >>VM3(hosterB)<< dst 172.22.0.1 >>VM2(hosterB)<<
proto esp spi 0x9eab976f(2662045551) reqid 13681891(0x00d0c4e3) mode transport
(...)
src 172.22.0.1 >>VM2(hosterB)<< dst 50.x.x.1 >>VM2(hosterB)<<
proto esp spi 0x01d29cfd(30579965) reqid 13681891(0x00d0c4e3) mode transport
(...)
src 50.x.x.1 >>VM2(hosterB)<< dst 172.22.0.1 >>VM2(hosterB)<<
proto esp spi 0xde932ff7(3734188023) reqid 13681891(0x00d0c4e3) mode transport
(...)
src 172.22.0.2 >>VM3(hosterB)<< dst 172.22.0.1 >>VM2(hosterB)<<
proto esp spi 0x72420ef5(1916931829) reqid 13681891(0x00d0c4e3) mode transport
(...)
src 172.22.0.2 >>VM3(hosterB)<< dst 172.22.0.1 >>VM2(hosterB)<<
proto esp spi 0xb3766530(3010880816) reqid 13681891(0x00d0c4e3) mode transport
(...)
src 50.x.x.1 >>VM2(hosterB)<< dst 172.22.0.1 >>VM2(hosterB)<<
proto esp spi 0x01d29cfd(30579965) reqid 13681891(0x00d0c4e3) mode transport
(...)
src 50.x.x.1 >>VM2(hosterB)<< dst 172.22.0.1 >>VM2(hosterB)<<
proto esp spi 0x78df4f38(2027900728) reqid 13681891(0x00d0c4e3) mode transport
(...)
This strikes me as extremely odd, as VM2 and VM3 have been swarm join'ed with --advertise-addr=>>publicIP of VM<<.
This, consecutively, leads to a situation where VM2 and VM3 (because they're at the same hoster and connected via local network, not just public network) can send traffic via the encrypted overlay, but there is no traffic between VM1 and the others.
Description
We're setting up a clean swarm (17.06.2, mix of ubuntu 14.04 and 16.04) between two hosters. To secure traffic for some services we're using an encrypted overlay network. Machines at hoster A can talk to each other over the encrypted overlay, same for hoster B, but traffic between hosters does not flow.
sudo ip -s xfrm state
on all machines reveals odd tunnels being created.For the sake of continuity lets assume these conditions to be correct:
VM2 and VM3 have their eth0 set to their local addr., VM1 has its eth0 set to its public ip. This, I think, is the culprit here.
sudo ip -s xfrm state
on VM1(hosterA) shows these tunnels:And vice versa, the same command run on VM2(hosterB):
This strikes me as extremely odd, as VM2 and VM3 have been
swarm join
'ed with--advertise-addr=>>publicIP of VM<<
.This, consecutively, leads to a situation where VM2 and VM3 (because they're at the same hoster and connected via local network, not just public network) can send traffic via the encrypted overlay, but there is no traffic between VM1 and the others.
nc -z -v -u
/nc -z -v
confirm ports are open.ESP is allowed via security groups / iptables:
I would have expected docker to create the ipsec tunnels not with the address stored for eth0 but for the address given as
--advertise-addr=
.Is there a way to force docker to follow my expected behaviour / correct the behaviour during
swarm join
?Steps to reproduce the issue:
docker stack deploy
a stack with encrypted overlay network to swarmDescribe the results you received:
ipsec tunnels created by docker are not public-ip to public-ip but local-ip to public-ip and therefore don't work
Describe the results you expected:
ipsec tunnels created by docker are created from
--advertise-addr=
to--adveritise-addr=
Additional information you deem important (e.g. issue happens only occasionally):
Output of
docker version
:Output of
docker info
:Same on all VMs
Additional environment details (AWS, VirtualBox, physical, etc.):
If it helps:
The text was updated successfully, but these errors were encountered: