Using IPsec (Libreswan) on Host with Rancher

Hello,

I have installed Rancher Server (CentOS 7 + Docker 1.7) and I have 8 hosts (CentOS 7 + Docker 1.7) with Rancher Agent installed. Also, I have configured the private IP range 10.10.0.1/24 on the Rancher network. Now, out of the 8 hosts, one host is connected to a third party (mobile operators) via IPsec VPN for a certain service. I want to use that VPN connection with Rancher containers to communicate with that service. I am not so good at Docker networking; please advise or suggest a solution.

Kind Regards,

Mehul Bhatt
(Director)

A & M Holdings Limited
P.O. Box 20946, Dar es Salaam, Tanzania.
Cell: [+255] 685-929-088 | 658-929-088
Tel: [+255] 222-138-030 | Fax: [+255] 222-138-031
E-mail: mehulsbhatt@hotmail.com | mehulsbhatt@gmail.com | Skype: mehulsbhatt

The default behavior of Docker networking is that outbound traffic goes through the host. It sounds like what you want is for the containers' outbound traffic to route across the Rancher private network and then go out the VPN you have set up. Do you need all traffic or just a specific HTTP service? Or do you want just a single container on that host to communicate across the VPN?

Hello,

Thanks for your response. Yes, what you understand is right.

What we need is to have the VPN connected on a host and, from that VPN subnet, have the Rancher network send all outbound traffic through that VPN; for inbound we don’t have any specific requirement. So what happens is we have a Rancher network which serves our third-party services through multiple Rancher hosts.

Regards,

Mehul Bhatt

Any solution for my request? We want to roll out some services using such a solution through Rancher.

It sounds like you want to set the container default route. Today the container default route is the docker0 bridge, which means if the traffic isn’t bound for our IPsec network we just forward out docker0 and let the host routing rules take over, which usually forward out eth0 to the host default gateway. If you change the container default gateway to be a network agent on a host that is connected to your VPN, we should be able to get that traffic routed. There are a lot of technical details that I’m glossing over, but this should be doable. Changing the default gateway of a container is not something we support today, but we could show you how to script it. If it works and is useful we could look at making that a feature in Rancher.
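How the container-side half of that could be scripted, as an added example that is not code from Rancher or from anyone in this thread. It assumes docker and nsenter (util-linux) on the host, a constructed agent address of 10.10.0.5 on the Rancher network, and that the agent's host already forwards and NATs traffic into its IPsec tunnel.

```shell
#!/bin/sh
# Added example, not code from Rancher or from anyone in this thread.
# Re-points a container's default route at a Rancher network agent that
# runs on the VPN-connected host, by entering the container's network
# namespace with nsenter and replacing the default route there.
# Assumptions (constructed for this example, not stated in the thread):
# the agent's IP on the Rancher network is 10.10.0.5, and that agent's
# host already forwards and NATs traffic into its IPsec tunnel.

# Echo a command instead of running it when DRY_RUN is set, so the
# generated commands can be reviewed before touching a live container.
run() {
  if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi
}

# Accept only a plain dotted-quad IPv4 gateway; anything else is rejected
# before it can reach ip(8).
valid_ipv4() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Replace the default route inside the network namespace of PID $1 with
# one that points at gateway $2. The more specific routes for the Rancher
# overlay stay in place; only "everything else" moves to the agent.
route_via_agent() {
  valid_ipv4 "$2" || { echo "bad gateway: $2" >&2; return 1; }
  run nsenter -t "$1" -n ip route replace default via "$2"
}

# Resolve a running container (name or id) to its init PID on the host.
container_pid() {
  docker inspect -f '{{.State.Pid}}' "$1"
}

# Usage: set_container_default_route <container> <agent ip>
set_container_default_route() {
  pid=$(container_pid "$1") || return 1
  [ "$pid" -gt 0 ] 2>/dev/null || { echo "$1 is not running" >&2; return 1; }
  route_via_agent "$pid" "$2" || return 1
  # Show the resulting route so the change can be verified (and reverted
  # with "ip route replace default via <docker0 address>" if needed).
  run nsenter -t "$pid" -n ip route show default
}
```

Run with DRY_RUN=1 first to see the exact nsenter command; the route change is lost when the container restarts, so it has to be re-applied on every start.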

Hi

Thanks, I appreciate your support.

Until you have a solution for IPsec traffic routing, can you please help me run Rancher Agent on that IPsec host so I am able to build some containers without interrupting my host IPsec and Rancher?

As Rancher Agent uses ports 500/4500, I am not able to create any container on that host.

Regards,

Mehul Bhatt

Well, one simple thing you could do is run your own IPsec on alternate ports like 501 and 4501. There’s nothing fundamentally special about 500/4500 other than that they are the officially registered IANA defaults.

Hi @mehulsbhatt

I am trying to set up the same infrastructure: a VPN container (Libreswan), and make the other containers connect to my VPN container.
Did you reach your goal?