[Swan] Mesh Host to Host Encryption - need help

James G Stroud stroudj at us.ibm.com
Tue Apr 17 04:26:35 UTC 2018



Hi, I joined the mailing list tonight and I've been struggling with
getting Kubernetes to work with libreswan IPsec host-to-host encryption. I
spent many hours on this, but I'm not an IPsec expert and maybe I'm missing
something, such as an iptables command or rule.
I disabled the firewall.

I think I set up everything properly and would like to know if anyone sees a
mistake or something missing.
I have 3 servers (not visible on the internet):
hackrhnode121.rtp.raleigh.ibm.com
hackrhnode122.rtp.raleigh.ibm.com
hackrhnode123.rtp.raleigh.ibm.com

Configured as:
hackrhnode121 = node 1 - Kubernetes master node (host 1 or node 1)
hackrhnode122 = node 2 - Kubernetes worker node 1 (host 2 or node 2)
hackrhnode123 = node 3 - Kubernetes worker node 3 (host 3 or node 3)

I can set up encryption between the master node (host 1 or node 1) and the
1st worker node (host 2 or node 2) and things work fine, meaning our
application still works and Kubernetes is working fine.
While leaving host 1 to host 2 encryption enabled, when I set up encryption
between nodes 2 & 3, our application breaks.
When I disable the encryption between hosts 2 & 3 and reboot, things are
fine.
Similarly, if I leave encryption on between hosts 1 & 2 and enable it
between 1 & 3, Kubernetes breaks again.
When I say Kubernetes breaks: there is a command that lists all the
Kubernetes pods (we have 4 pods), and the pods simply do not start up.

In our case we have:
Red Hat 7.4
Docker version 17.12.0-ce, build c97c6d6
Kubernetes version 1.7.11 (we will move to 1.9.3)


I mostly followed
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-securing_virtual_private_networks#sec-Host-To-Host_VPN_Using_Libreswan
I've done this a few times, but things break after I encrypt nodes 2 & 3 (I
rolled back this encryption between these 2 nodes).


Here is my detailed documentation and verification (I hope this .txt file
gets through).

(See attached file: commands-used-for-ipsec-rh-linux-kubernetes.txt)

Thanks for any help, and I'll take any suggestions.

********
James Stroud
Financial Crimes Insight Team Lead
stroudj at us.ibm.com - cell # = (703) 965 4516

