Hi,
I’m trying to set up a Rancher cluster on two hosts and have a problem with cross-host communication. My test application, named consumer, is supposed to use a RabbitMQ service (the alias is rabbit). Everything works fine when I have a RabbitMQ instance on the same host, but if I shut this instance down, leaving only the second RabbitMQ instance on the other host, it doesn’t work because the second host is inaccessible. When I execute “ping rabbit” from the consumer’s shell, I can see “PING rabbit.rancher.internal (10.42.187.109): 48 data bytes”, so the IP of the second RabbitMQ instance (10.42.187.109) is resolved successfully, but there is no reply to the ping.
I’ve seen in the documentation and here on the forum the note that for IPsec, security groups or firewalls should allow traffic on UDP ports 500 and 4500. I think this is it, but I cannot find any details on how to do it specifically: how can I see whether these ports are open, and how do I open them if they aren’t? Probably this is something obvious, but I’m new to Linux and pretty stuck at this step. I know about and executed commands like “swanctl --list-sas”, “iptables” and “nc”, but I’m not sure how to interpret their output. Here it is (the commands were executed on host2, IP 192.168.99.102, from within the Network Agent container):
iptables -L -n --line-numbers -t nat
root@6a886850b512:/# iptables -L -n --line-numbers -t nat
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
Chain INPUT (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
1 MASQUERADE all -- 10.42.0.1 0.0.0.0/0
swanctl --list-sas
conn-192.168.99.101: #2, ESTABLISHED, IKEv2, cec43c625793386e:531460288e38d4fe
local '172.17.0.2' @ 172.17.0.2
remote '172.17.0.2' @ 192.168.99.101
AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
established 3394s ago, rekeying in 10262s
conn-192.168.99.101: #1, ESTABLISHED, IKEv2, dc241096c3d5a97f:88e024f733b9145f
local '172.17.0.2' @ 172.17.0.2
remote '172.17.0.2' @ 192.168.99.101
AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
established 3421s ago, rekeying in 10631s
nc -u 192.168.99.101 4500
no output, just hangs
I’m on a Windows platform with a VirtualBox environment.
Thanks in advance!
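As an added example (not code from the post or from Rancher), here are small POSIX shell checks that read the two outputs the post asks about: the INPUT-chain verdict for UDP 500/4500 from an `iptables -L INPUT -n` listing, and the number of ESTABLISHED IKE SAs and INSTALLED CHILD SAs per peer from `swanctl --list-sas`. The SAMPLE_* inputs are constructed (modelled on the post's output, with one invented CHILD SA line); the function names are mine.

```shell
# Added example, not from the original post. SAMPLE_* are constructed inputs;
# on a real host pipe in the live `iptables -L INPUT -n` (filter table, not
# -t nat as in the post) and `swanctl --list-sas` output instead.

SAMPLE_FILTER=$(cat <<'EOF'
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:500
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:4500
EOF
)

SAMPLE_SAS=$(cat <<'EOF'
conn-192.168.99.101: #2, ESTABLISHED, IKEv2, cec43c625793386e:531460288e38d4fe
  local  '172.17.0.2' @ 172.17.0.2
  remote '172.17.0.2' @ 192.168.99.101
  child-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_SHA1_96
conn-192.168.99.101: #1, ESTABLISHED, IKEv2, dc241096c3d5a97f:88e024f733b9145f
  local  '172.17.0.2' @ 172.17.0.2
  remote '172.17.0.2' @ 192.168.99.101
EOF
)

# Verdict for UDP port $1 from an iptables INPUT listing on stdin: the target of
# the first udp/all rule matching the port (a rule without dpt: matches every
# port), or "policy <X>" when no rule matches. Source/destination columns are
# ignored, so a rule scoped to one subnet is treated as if it were global.
udp_port_state() {
  awk -v port="$1" '
    /^Chain / { inchain = ($2 == "INPUT"); if (inchain) { policy = $4; sub(/\)/, "", policy) }; next }
    !inchain || /^target/ { next }
    $2 == "udp" || $2 == "all" {
      if ($0 !~ /dpt:/ || $0 ~ ("dpt:" port "( |$)")) { print $1; done = 1; exit }
    }
    END { if (!done) print "policy " policy }'
}

# Number of ESTABLISHED IKE SAs whose remote address is $1, from
# `swanctl --list-sas` on stdin (IKE SA header lines start in column 1).
ike_sas_to() {
  awk -v peer="$1" '
    /^[^ ].*: #[0-9]+, / { est = ($0 ~ /, ESTABLISHED,/); next }
    est && $1 == "remote" && $NF == peer { n++; est = 0 }
    END { print n + 0 }'
}

# Number of INSTALLED CHILD SAs; these carry the ESP traffic, so an
# ESTABLISHED IKE SA with none of them moves no packets.
installed_child_sas() {
  grep -c ', INSTALLED,' || true
}

printf '%s\n' "$SAMPLE_FILTER" | udp_port_state 4500   # ACCEPT
printf '%s\n' "$SAMPLE_SAS" | ike_sas_to 192.168.99.101  # 2
```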