[Swan] NAT-Traversal with IPsec transport mode

Paul Wouters paul at nohats.ca
Wed Sep 15 18:57:25 UTC 2021


On Thu, 9 Sep 2021, Ahmed Sameh wrote:

> I am trying to enable IPsec for Kubernetes nodes, that uses IPVS for in-cluster load balancing, more details are here
> https://kubernetes.io/blog/2018/07/09/ipvs-based-in-cluster-load-balancing-deep-dive/
>  
> In short, in the example below access to cluster IP 10.240.0.1 port 443 is redirected to one of Kubernetes master nodes
> port 6443

If you are NAT'ing then Opportunistic becomes very complicated. And you
cannot really use Transport Mode anymore. I also do not fully understand
how you want to do this. An OE node connecting to IP a.b.c.d expects an
ipsec connection from its own IP to a.b.c.d. If that is NAT'ed to a
different node, that node needs to be aware of the pre-NAT IP because
it needs to use that as ipsec policy, and then it needs to be able to
send/receive on that other IP address as well.

Paul


> [root at host ~]# ipvsadm -ln
> Prot LocalAddress:Port Scheduler Flags
>   -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
> TCP  10.240.0.1:443 rr
>   -> 10.140.24.135:6443           Masq    1      0          0          
>   -> 10.140.24.204:6443           Masq    1      0          0          
>   -> 10.140.24.64:6443            Masq    1      1          0      
> 
> BR,
> Ahmed
> On Thu, Sep 9, 2021 at 4:58 PM Paul Wouters <paul at nohats.ca> wrote:
>       On Thu, 9 Sep 2021, Ahmed Sameh wrote:
>
>       > Can anyone share an example of NAT-Traversal with IPsec transport mode ?
>
>       Your quality of life will improve a lot if you avoid ever using
>       Transport Mode with NAT. Everyone has moved away from it. Only use
>       transport mode if you are not affected by NAT.
>
>       > I have the following configuration working for normal traffic but not the NATed one.
>       >
>       > conn private-or-clear
>       >     auto=ondemand
>       >     type=transport
>       >     authby=rsasig
>       >     failureshunt=passthrough
>       >     negotiationshunt=passthrough
>       >     ikev2=insist
>       >     left=%defaultroute
>       >     leftcert={{ cert_name_pattern }}
>       >     leftid=%fromcert
>       >     leftrsasigkey=%cert
>       >     rightrsasigkey=%cert
>       >     rightid=%fromcert
>       >     right=%opportunisticgroup
>
>       Opportunistic Encryption does not support transport mode plus NAT.
>
>       It only supports NAT for the initiator, not for the responder.
>
>       It might be worth explaining what you are trying to do so we can discuss
>       different solutions to your problem.
>
>       Paul