An IPsec/VPN connection from a PCS 6.0 host (acting as the client) to a container running in bridged mode on the same host (acting as the server) does not work, because too many packets are lost.
The implementation of virtual networks and bridged mode in PCS 6.0 relies on the via_phys_dev feature, which keeps the MAC address of the bridge equal to the MAC address of the physical interface. With this option the host forwards all traffic for unknown destinations through the plugged physical interface, and the feature guarantees that exactly one physical interface is plugged into a bridge. This reduces the resources needed for traffic forwarding and simplifies the management of bridges in virtual environments: there is no need to move the whole network configuration from the physical interface to the bridge interface when the physical interface is attached to the bridge.
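The via_phys_dev state described above can be verified directly from the host's sysfs tree: the bridge must contain exactly one hardware-backed port, and that port's MAC address must equal the bridge's MAC address. The script below is an added example, not part of the original article or of the PCS product. It assumes the standard Linux bridge layout under /sys/class/net (a bridge's ports appear under brif/, and a physical NIC exposes a device link), takes the sysfs root and bridge name as parameters, and builds a constructed sysfs tree with made-up interface names and MAC addresses so that it runs offline; on a real host call it as via_phys_dev_port /sys br0.

```sh
#!/bin/sh
# Added example (not from the original KB article): check whether a Linux
# bridge is in the via_phys_dev state, i.e. it has exactly one physical port
# and the bridge MAC equals that port's MAC.

# mac_of ROOT IFACE -> prints the interface MAC address, lower-cased
mac_of() {
    tr 'A-Z' 'a-z' < "$1/class/net/$2/address"
}

# bridge_ports ROOT BRIDGE -> prints the names of interfaces enslaved to BRIDGE
bridge_ports() {
    ls "$1/class/net/$2/brif" 2>/dev/null
}

# is_physical ROOT IFACE -> true when sysfs exposes a "device" entry for the
# interface (hardware NIC); false for veth/virtual ports
is_physical() {
    [ -e "$1/class/net/$2/device" ]
}

# via_phys_dev_port ROOT BRIDGE -> prints the single physical port whose MAC
# equals the bridge MAC. Exit status 1 when the invariant does not hold:
# no physical port, more than one, or a MAC mismatch.
via_phys_dev_port() {
    root=$1; br=$2
    brmac=$(mac_of "$root" "$br") || return 1
    phys=""; count=0
    for p in $(bridge_ports "$root" "$br"); do
        if is_physical "$root" "$p"; then
            phys=$p; count=$((count + 1))
        fi
    done
    [ "$count" -eq 1 ] || return 1
    [ "$(mac_of "$root" "$phys")" = "$brmac" ] || return 1
    printf '%s\n' "$phys"
}

# Constructed sysfs tree for offline demonstration (names and MACs are made
# up): br0 with its MAC copied from the physical eth0, plus one virtual port
# for a container. Prints the root of the tree.
make_demo_sysfs() {
    d=$(mktemp -d)
    for i in br0 eth0 veth101.0; do mkdir -p "$d/class/net/$i"; done
    mkdir -p "$d/class/net/eth0/device"               # marks eth0 as hardware
    mkdir -p "$d/class/net/br0/brif/eth0" "$d/class/net/br0/brif/veth101.0"
    echo 00:1c:42:ab:cd:ef > "$d/class/net/eth0/address"
    echo 00:1c:42:ab:cd:ef > "$d/class/net/br0/address"  # via_phys_dev: same MAC
    echo 00:1c:42:00:00:01 > "$d/class/net/veth101.0/address"
    printf '%s\n' "$d"
}

demo=$(make_demo_sysfs)
if port=$(via_phys_dev_port "$demo" br0); then
    echo "br0 is in via_phys_dev state, physical port: $port"
else
    echo "br0 is not in via_phys_dev state"
fi
rm -rf "$demo"
```

If the check fails on a real host (for example because the bridge MAC was changed by hand, or a second NIC was added to the bridge), unknown-destination traffic is no longer tied to a single physical interface and the bridge no longer behaves as the article describes.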
For this specific type of VPN connection, this forwarding rule results in packets being sent in the wrong direction most of the time.
In the long term, the via_phys_dev feature is to be removed in future versions.
Moreover, there is little point in securing connections between the host server and environments running on the same host:
- connections via the venet0 interface in routed mode are always secure: containers have no way to receive traffic destined for other containers;
- promiscuous mode for virtual environments in bridged mode is disabled by default, so apart from the traffic destined for a given virtual environment only broadcast packets can be captured, because forwarding is controlled by the Linux bridge, which acts as a network switch;
- it is very easy to set up a dedicated connection to a virtual environment: add an Ethernet interface to it and use the corresponding interface on the host side (vmeENVID.N for virtual machines) to send packets to that environment.