Docker Community Forums

Share and learn in the Docker community.

Containers cant ping each other after creating a overlay encrypted network

I’ve been stepping through the tutorial Networking with overlay networks | Docker Documentation. I’m using the section to create an overlay network between stand-alone-containers.

Everything in the tutorial works, however I attempted to take this example farther by creating an encrypted tunnel.

I tested two versions of the following command:

docker network create --driver=overlay --attachable --subnet= --opt encrypted=true --opt openldap-net

docker network create --driver=overlay --attachable --subnet= --opt encrypted=true openldap-net

I’m testing against two stand-alone containers deployed on two separate VM’s virtualized by the bhyve supervisor on FreeNAS.

After creating the external network, I created two test containers (one on the manager node and the second on the worker node):

sudo docker run -dit --name alpine1 --network openldap-net alpine    <----On manager node
sudo docker run -dit --name alpine2 --network openldap-net alpine    <----On worker node

I confirmed the open-ldap was recognized and visible both on the manager and worker node:

$ sudo docker network ls                                                                       
NETWORK ID     NAME              DRIVER    SCOPE
387dcb0447d9   bridge            bridge    local
a83eff2fd2ec   docker-net        bridge    local
03274edc9e94   docker_gwbridge   bridge    local
5969c9f024f2   host              host      local
lt38gs7h9d9q   ingress           overlay   swarm
bde961b8ece2   none              null      local
k7ukgdb40cdm   openldap-net      overlay   swarm

I shelled into both containers via a docker exec -it <container_name> /bin/sh and attempted to ping the other container. In all cases – with/without altering MTU – each container could not ping the other container. I had 100% packet loss.

When not employing the option when creating the network: --opt encryption=true the two containers could ping one another without a problem.

Is there a trick to creating a DNS-SEC tunnel or using an encrypted overlay network??