Strongswan in Docker using vici cannot connect in real-life network

[mariuslp]

I have a system in which two Docker instances (hosted by different servers with different IPs) want to establish a VPN. The code works well in local (where both Docker instances are on the same network)

However, in real life Strongswan is unable to send packages over the network.

root@589b07703e81:/app# swanctl --log
plugin 'test-vectors': failed to load - test_vectors_plugin_create not found and no plugin file available
plugin 'ldap': failed to load - ldap_plugin_create not found and no plugin file available
plugin 'pkcs11': failed to load - pkcs11_plugin_create not found and no plugin file available
plugin 'rdrand': failed to load - rdrand_plugin_create not found and no plugin file available
plugin 'gcrypt': failed to load - gcrypt_plugin_create not found and no plugin file available
plugin 'af-alg': failed to load - af_alg_plugin_create not found and no plugin file available
plugin 'curve25519': failed to load - curve25519_plugin_create not found and no plugin file available
plugin 'chapoly': failed to load - chapoly_plugin_create not found and no plugin file available
plugin 'cmac': failed to load - cmac_plugin_create not found and no plugin file available
plugin 'ctr': failed to load - ctr_plugin_create not found and no plugin file available
plugin 'ccm': failed to load - ccm_plugin_create not found and no plugin file available
plugin 'curl': failed to load - curl_plugin_create not found and no plugin file available


13[CFG] loaded IKE shared key with id '100-102-IKE' for: '%any'
16[CFG] loaded PPK shared key with id '100-102-PPK' for: '%any'
13[CFG] updated vici connection: 100
05[CFG] vici initiate IKE_SA '100'
09[IKE] initiating IKE_SA 100[2] to 2.2.2.2
09[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) N(USE_PPK) ]
09[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (312 bytes)
04[NET] error writing to socket: Network is unreachable
10[IKE] retransmit 1 of request with message ID 0
10[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (312 bytes)
04[NET] error writing to socket: Network is unreachable
16[IKE] retransmit 2 of request with message ID 0
16[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (312 bytes)
04[NET] error writing to socket: Network is unreachable
16[IKE] retransmit 3 of request with message ID 0
16[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (312 bytes)
04[NET] error writing to socket: Network is unreachable
06[IKE] retransmit 4 of request with message ID 0
06[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (312 bytes)
04[NET] error writing to socket: Network is unreachable
12[IKE] retransmit 5 of request with message ID 0
12[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (312 bytes)
04[NET] error writing to socket: Network is unreachable
13[IKE] giving up after 5 retransmits
13[IKE] establishing IKE_SA failed, peer not responding

My Dockerfile has EXPOSE 500/udp 4500/udp and my docker-compose.yml maps the ports "500:500/udp" (same for 4500).

From one docker instance, I am able to check that remote port 500 is open for UDP:

root@589b07703e81:/app# nc -uvz 2.2.2.2 500
2.2.2.2: inverse host lookup failed: Unknown host
(UNKNOWN) [2.2.2.2] 500 (isakmp) open

In local testing (in which Docker instances are in the same network), the key establishment is immediate and there is no network unreachable issue (see [0] at the end).

Strongswan is installed in Docker via the following Dockerfile commands:

RUN apt-get install -y systemd strongswan libstrongswan strongswan-swanctl strongswan-charon charon-systemd;
EXPOSE 500/udp 4500/udp
ENTRYPOINT ["bash", "start.sh"]

Then start.sh is

#!/bin/bash

ipsec start &
echo 'waiting 2s for ipsec to start' && sleep 2 && chmod 777 /run/charon.vici
flask --app app.py run -h 0.0.0.0 -p 5000  # app where user can trigger a VPN with any other node of its choice

What I really do not understand is why it works in local but fails to work in real-life network.

[0]:

root@fa6ee7367f75:/app# swanctl --log
plugin 'test-vectors': failed to load - test_vectors_plugin_create not found and no plugin file available
plugin 'ldap': failed to load - ldap_plugin_create not found and no plugin file available
plugin 'pkcs11': failed to load - pkcs11_plugin_create not found and no plugin file available
plugin 'rdrand': failed to load - rdrand_plugin_create not found and no plugin file available
plugin 'gcrypt': failed to load - gcrypt_plugin_create not found and no plugin file available
plugin 'af-alg': failed to load - af_alg_plugin_create not found and no plugin file available
plugin 'curve25519': failed to load - curve25519_plugin_create not found and no plugin file available
plugin 'chapoly': failed to load - chapoly_plugin_create not found and no plugin file available
plugin 'cmac': failed to load - cmac_plugin_create not found and no plugin file available
plugin 'ctr': failed to load - ctr_plugin_create not found and no plugin file available
plugin 'ccm': failed to load - ccm_plugin_create not found and no plugin file available
plugin 'curl': failed to load - curl_plugin_create not found and no plugin file available

15[CFG] loaded IKE shared key with id '100-102-IKE' for: '%any'
05[CFG] loaded PPK shared key with id '100-102-PPK' for: '%any'
11[CFG] updated vici connection: 102
15[CFG] vici initiate IKE_SA '102'
11[IKE] initiating IKE_SA 102[4] to 172.18.0.7
11[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) N(USE_PPK) ]
11[NET] sending packet: from 172.18.0.8[500] to 172.18.0.7[500] (312 bytes)
16[NET] received packet: from 172.18.0.7[500] to 172.18.0.8[500] (320 bytes)
16[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(USE_PPK) N(CHDLESS_SUP) N(MULT_AUTH) ]
16[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384
16[IKE] authentication of '100-102-IKE' (myself) with pre-shared key
16[ENC] generating IKE_AUTH request 1 [ IDi AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) N(PPK_ID) ]
16[NET] sending packet: from 172.18.0.8[4500] to 172.18.0.7[4500] (192 bytes)
13[NET] received packet: from 172.18.0.7[4500] to 172.18.0.8[4500] (160 bytes)
13[ENC] parsed IKE_AUTH response 1 [ IDr AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) N(PPK_ID) ]
13[IKE] authentication of '100-102-IKE' with pre-shared key successful
13[CFG] using PPK for PPK_ID '100-102-PPK'
13[IKE] peer supports MOBIKE
13[IKE] IKE_SA 102[4] established between 172.18.0.8[100-102-IKE]...172.18.0.7[100-102-IKE]
13[IKE] scheduling rekeying in 14037s
13[IKE] maximum IKE_SA lifetime 15477s

[tobiasbrunner]

RUN apt-get install -y systemd strongswan libstrongswan strongswan-swanctl strongswan-charon charon-systemd;

This installs two IKE daemons, which you generally want to avoid (although, in a Docker container that might not be an issue depending on what's going on with systemd). You could just omit charon-systemd (and systemd I guess) and if you don't use ipsec.conf, just vici, you technically only need strongswan-swanctl and strongswan-charon and start charon directly (no need for ipsec and starter that's pulled in by strongswan via strongswan-starter).

What I really do not understand is why it works in local but fails to work in real-life network.

There might be some external firewall blocking the traffic.

[mariuslp]

Hello,
Thank you so much for your answer.

you technically only need strongswan-swanctl and strongswan-charon and start charon directly (no need for ipsec and starter that's pulled in by strongswan via strongswan-starter).

I tried that, but could not locate charon anywhere. This mass install was me giving up on sanity, but I acknowledge there is probably better.

There might be some external firewall blocking the traffic.

I talked with the people hosting the servers, turns out there was some NAT behind the schemes, which explains the discrepancy with my local dev network.

Thank you again!

[tobiasbrunner]

I tried that, but could not locate charon anywhere. This mass install was me giving up on sanity, but I acknowledge there is probably better.

It's in /usr/lib/ipsec/charon.