[Swan] NAT-Traversal with IPsec transport mode
Ahmed Sameh
me at ahmedsameh.com
Thu Sep 16 20:00:26 UTC 2021
I am OK to switch to tunnel mode, if that will solve my problem, and I
would appreciate it if you could share an example config.
BR,
Ahmed
On Wed, Sep 15, 2021, 8:57 PM Paul Wouters <paul at nohats.ca> wrote:
> On Thu, 9 Sep 2021, Ahmed Sameh wrote:
>
> > I am trying to enable IPsec for Kubernetes nodes, that uses IPVS for
> > in-cluster load balancing, more details are here
> > https://kubernetes.io/blog/2018/07/09/ipvs-based-in-cluster-load-balancing-deep-dive/
> >
> > In short, in the example below access to cluster IP 10.240.0.1 port 443
> > is redirected to one of Kubernetes master nodes port 6443
>
> If you are NAT'ing then Opportunistic becomes very complicated. And you
> cannot really use Transport Mode anymore. I also do not fully understand
> how you want to do this. An OE node connecting to IP a.b.c.d expects an
> ipsec connection from its own IP to a.b.c.d. If that is NAT'ed to a
> different node, that node needs to be aware of the pre-NAT IP because
> it needs to use that as ipsec policy, and then it needs to be able to
> send/receive on that other IP address as well.
>
> Paul
>
> > [root at host ~]# ipvsadm -ln
> > Prot LocalAddress:Port Scheduler Flags
> > -> RemoteAddress:Port Forward Weight ActiveConn InActConn
> > TCP 10.240.0.1:443 rr
> > -> 10.140.24.135:6443 Masq 1 0 0
> > -> 10.140.24.204:6443 Masq 1 0 0
> > -> 10.140.24.64:6443 Masq 1 1 0
> >
> > BR,
> > Ahmed
> >
> > On Thu, Sep 9, 2021 at 4:58 PM Paul Wouters <paul at nohats.ca> wrote:
> > > On Thu, 9 Sep 2021, Ahmed Sameh wrote:
> > >
> > > > Can anyone share an example of NAT-Traversal with IPsec transport mode?
> > >
> > > Your quality of life will improve a lot if you avoid ever using
> > > Transport Mode with NAT. Everyone has moved away from it. Only use
> > > transport mode if you are not affected by NAT.
> > >
> > > > I have the following configuration working for normal traffic
> > > > but not the NATed one.
> > > >
> > > > conn private-or-clear
> > > >     auto=ondemand
> > > >     type=transport
> > > >     authby=rsasig
> > > >     failureshunt=passthrough
> > > >     negotiationshunt=passthrough
> > > >     ikev2=insist
> > > >     left=%defaultroute
> > > >     leftcert={{ cert_name_pattern }}
> > > >     leftid=%fromcert
> > > >     leftrsasigkey=%cert
> > > >     rightrsasigkey=%cert
> > > >     rightid=%fromcert
> > > >     right=%opportunisticgroup
> > >
> > > Opportunistic Encryption does not support transport mode plus NAT.
> > >
> > > It only supports NAT for the initiator, not for the responder.
> > >
> > > It might be worth explaining what you are trying to do so we can
> > > discuss different solutions to your problem.
> > >
> > > Paul
> > >
> >
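The policy mismatch Paul describes can be made concrete by reading the `ipvsadm -ln` output quoted above. The script below is an added illustration, not code from the thread or from Libreswan or Kubernetes: it parses that output format, and for every masqueraded (NAT) backend shows that a transport-mode selector installed on the client toward the virtual IP no longer matches the packet the backend actually receives, and what pre-NAT address the backend would have to carry in its own policy. The client address 10.140.24.10 is a constructed assumption.

```python
"""Parse `ipvsadm -ln` output and show why a transport-mode IPsec policy
bound to the IPVS virtual IP cannot match traffic after masquerading."""
import re
from dataclasses import dataclass, field

# Constructed sample, reproducing the output quoted in the thread.
IPVSADM_OUTPUT = """\
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  10.240.0.1:443 rr
  -> 10.140.24.135:6443           Masq    1      0          0
  -> 10.140.24.204:6443           Masq    1      0          0
  -> 10.140.24.64:6443            Masq    1      1          0
"""

@dataclass
class Service:
    proto: str
    vip: str
    port: int
    scheduler: str
    backends: list = field(default_factory=list)  # (ip, port, forward method)

SERVICE_RE = re.compile(r"^(TCP|UDP|SCTP)\s+(\S+):(\d+)\s+(\S+)")
BACKEND_RE = re.compile(r"^\s*->\s+(\S+):(\d+)\s+(Masq|Route|Tunnel)\s+(\d+)")

def parse_ipvsadm(text):
    """Return Service objects; '->' lines attach to the most recent service."""
    services = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            services.append(Service(m[1], m[2], int(m[3]), m[4]))
            continue
        m = BACKEND_RE.match(line)
        if m and services:
            services[-1].backends.append((m[1], int(m[2]), m[3]))
    return services

def transport_policy_matches(policy, packet):
    """Transport mode has no tunnel endpoints: the SPD selector is the packet's
    own (src, dst, dport), so any rewrite of dst or dport breaks the match."""
    return all(policy[k] == packet[k] for k in ("src", "dst", "dport"))

def nat_mismatches(services, client_ip):
    """For each Masq backend: (backend ip, pre-NAT dst the backend would need
    in its policy, whether the client's selector matches the post-NAT packet)."""
    out = []
    for s in services:
        policy = {"src": client_ip, "dst": s.vip, "dport": s.port}
        for ip, port, fwd in s.backends:
            if fwd == "Masq":
                post_nat = {"src": client_ip, "dst": ip, "dport": port}
                out.append((ip, s.vip, transport_policy_matches(policy, post_nat)))
    return out
```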