[Swan] NAT-Traversal with IPsec transport mode
Ahmed Sameh
me at ahmedsameh.com
Thu Sep 9 15:12:08 UTC 2021
Hi Paul,
I am trying to enable IPsec for Kubernetes nodes that use IPVS for
in-cluster load balancing; more details are here:
https://kubernetes.io/blog/2018/07/09/ipvs-based-in-cluster-load-balancing-deep-dive/
In short, in the example below, access to cluster IP 10.240.0.1 port 443 is
redirected to port 6443 on one of the Kubernetes master nodes.
[root at host ~]# ipvsadm -ln
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  10.240.0.1:443 rr
  -> 10.140.24.135:6443           Masq    1      0          0
  -> 10.140.24.204:6443           Masq    1      0          0
  -> 10.140.24.64:6443            Masq    1      1          0
BR,
Ahmed
On Thu, Sep 9, 2021 at 4:58 PM Paul Wouters <paul at nohats.ca> wrote:
> On Thu, 9 Sep 2021, Ahmed Sameh wrote:
>
> > Can anyone share an example of NAT-Traversal with IPsec transport mode ?
>
> Your quality of life will improve a lot if you avoid ever using
> Transport Mode with NAT. Everyone has moved away from it. Only use
> transport mode if you are not affected by NAT.
>
> > I have the following configuration working for normal traffic but not
> > the NATed one.
> >
> > conn private-or-clear
> >     auto=ondemand
> >     type=transport
> >     authby=rsasig
> >     failureshunt=passthrough
> >     negotiationshunt=passthrough
> >     ikev2=insist
> >     left=%defaultroute
> >     leftcert={{ cert_name_pattern }}
> >     leftid=%fromcert
> >     leftrsasigkey=%cert
> >     rightrsasigkey=%cert
> >     rightid=%fromcert
> >     right=%opportunisticgroup
>
> Opportunistic Encryption does not support transport mode plus NAT.
>
> It only supports NAT for the initiator, not for the responder.
>
> It might be worth explaining what you are trying to do so we can discuss
> different solutions to your problem.
>
> Paul
>
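As an added example (not from the thread or from libreswan itself), a small Python check that parses a conn block and an `ipvsadm -ln` table and flags a transport-mode conn on a host where IPVS is masquerading (NATing) traffic, the combination Paul says opportunistic encryption does not support. The sample config and table are constructed from the thread; the function names are assumptions, not libreswan or ipvsadm APIs.

```python
import re
# Constructed sample input: the conn from the question and the ipvsadm -ln table it quoted.
IPSEC_CONF = """\
conn private-or-clear
    type=transport
    left=%defaultroute
    right=%opportunisticgroup
"""
IPVSADM_OUTPUT = """\
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  10.240.0.1:443 rr
  -> 10.140.24.135:6443           Masq    1      0          0
  -> 10.140.24.204:6443           Masq    1      0          0
  -> 10.140.24.64:6443            Masq    1      1          0
"""
def parse_conns(text):
    """Return {conn_name: {key: value}} from ipsec.conf-style text (conn sections only)."""
    conns, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif current and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns

def masq_services(text):
    """Map each IPVS virtual service to the real servers it reaches by Masq (i.e. NAT)."""
    services, current = {}, None
    for line in text.splitlines():
        head = re.match(r"^(TCP|UDP|SCTP)\s+(\S+)", line)
        if head:
            current = head.group(2)
            services[current] = []
        elif current and line.lstrip().startswith("->"):
            fields = line.split()  # ['->', 'RemoteAddress:Port', 'Forward', 'Weight', ...]
            if fields[2] == "Masq":
                services[current].append(fields[1])
    return {svc: real for svc, real in services.items() if real}

def nat_transport_findings(conf_text, ipvs_text):
    """One finding per transport-mode conn when IPVS is NATing traffic on this host."""
    natted = sorted(masq_services(ipvs_text))
    return [f"{name} (right={opts.get('right')}): transport mode, but IPVS NATs {natted}"
            for name, opts in parse_conns(conf_text).items()
            if opts.get("type") == "transport" and natted]
```

A tunnel-mode conn, or a host whose IPVS table has no Masq backends, produces no finding.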