Strongswan in Docker using vici cannot connect in real-life network #2300
-
I have a system in which two Docker instances (hosted by different servers with different IPs) want to establish a VPN. The code works well in local (where both Docker instances are on the same network). However, in real life Strongswan is unable to send packages over the network.
My Dockerfile has:

From one docker instance, I am able to check that remote port 500 is open for UDP:
In local testing (in which Docker instances are in the same network), the key establishment is immediate and there is no network unreachable issue (see [0] at the end). Strongswan is installed in Docker via the following Dockerfile commands:
Then
What I really do not understand is why it works in local but fails to work in a real-life network.

[0]:
Replies: 2 comments 1 reply
-
This installs two IKE daemons, which you generally want to avoid (although, in a Docker container that might not be an issue depending on what's going on with systemd). You could just omit `charon-systemd` (and `systemd` I guess) and if you don't use `ipsec.conf`, just vici, you technically only need `strongswan-swanctl` and `strongswan-charon` and start `charon` directly (no need for `ipsec` and `starter` that's pulled in by `strongswan` via `strongswan-starter`).

There might be some external firewall blocking the traffic.
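As an added example (not from this thread and not the strongSwan project's own code), here is a minimal Dockerfile that follows the advice above: only `strongswan-charon` and `strongswan-swanctl` are installed, so a single IKE daemon runs, and `charon` is started directly from `/usr/lib/ipsec/charon`, which is where the Debian package puts it (it is not on `PATH`, so `which charon` finds nothing). The base image, the `swanctl.conf` location and the small startup script are my assumptions.

```dockerfile
# Added example, not from the thread: one IKE daemon (charon), configured over vici.
FROM debian:bookworm-slim

# Daemon plus the vici client only: no strongswan-starter, no ipsec/starter, no charon-systemd.
RUN apt-get update \
 && apt-get install -y --no-install-recommends strongswan-charon strongswan-swanctl \
 && rm -rf /var/lib/apt/lists/*

# Assumption: a swanctl.conf with the connection definitions sits next to this Dockerfile.
COPY swanctl.conf /etc/swanctl/conf.d/

# IKE uses UDP 500; once a NAT sits between the peers, IKE and ESP move to UDP 4500 (NAT-T),
# so both ports must be forwarded through any NAT/firewall in front of the host.
EXPOSE 500/udp 4500/udp

# Start charon directly (Debian installs it under /usr/lib/ipsec, not on PATH),
# wait for its vici socket (default path /var/run/charon.vici), then load the config.
CMD /usr/lib/ipsec/charon & \
    while [ ! -S /var/run/charon.vici ]; do sleep 0.2; done; \
    swanctl --load-all && wait
```

Run it with the capability charon needs to install IPsec policies and SAs in the kernel and with both UDP ports published, for example `docker run --cap-add=NET_ADMIN -p 500:500/udp -p 4500:4500/udp <image>`; `swanctl --list-sas` inside the container then shows whether the IKE_SA came up, and a peer that answers on 500 but never completes the exchange is the usual sign that 4500 is not reachable through the NAT.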
-
Hello,
I tried that, but could not locate charon anywhere. This mass install was me giving up on sanity, but I acknowledge there is probably better.
I talked with the people hosting the servers, turns out there was some NAT behind the scenes, which explains the discrepancy with my local dev network. Thank you again!