[Swan] NAT-Traversal with IPsec transport mode

Ahmed Sameh me at ahmedsameh.com
Thu Sep 16 20:00:26 UTC 2021


I am OK to switch to tunnel mode, if that will solve my problem, and I
would appreciate it if you could share an example config.

BR,
Ahmed


On Wed, Sep 15, 2021, 8:57 PM Paul Wouters <paul at nohats.ca> wrote:

> On Thu, 9 Sep 2021, Ahmed Sameh wrote:
>
> > I am trying to enable IPsec for Kubernetes nodes that use IPVS for
> > in-cluster load balancing; more details are here:
> > https://kubernetes.io/blog/2018/07/09/ipvs-based-in-cluster-load-balancing-deep-dive/
> >
> > In short, in the example below access to cluster IP 10.240.0.1 port 443
> > is redirected to one of the Kubernetes master nodes, port 6443.
>
> If you are NAT'ing then Opportunistic becomes very complicated. And you
> cannot really use Transport Mode anymore. I also do not fully understand
> how you want to do this. An OE node connecting to IP a.b.c.d expects an
> ipsec connection from its own IP to a.b.c.d. If that is NAT'ed to a
> different node, that node needs to be aware of the pre-NAT IP because
> it needs to use that as ipsec policy, and then it needs to be able to
> send/receive on that other IP address as well.
>
> Paul
>
>
> > [root at host ~]# ipvsadm -ln
> > Prot LocalAddress:Port Scheduler Flags
> >   -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
> > TCP  10.240.0.1:443 rr
> >   -> 10.140.24.135:6443           Masq    1      0          0
> >   -> 10.140.24.204:6443           Masq    1      0          0
> >   -> 10.140.24.64:6443            Masq    1      1          0
> >
> > BR,
> > Ahmed
> > On Thu, Sep 9, 2021 at 4:58 PM Paul Wouters <paul at nohats.ca> wrote:
> >       On Thu, 9 Sep 2021, Ahmed Sameh wrote:
> >
> >       > Can anyone share an example of NAT-Traversal with IPsec
> >       > transport mode?
> >
> >       Your quality of life will improve a lot if you avoid ever using
> >       Transport Mode with NAT. Everyone has moved away from it. Only use
> >       transport mode if you are not affected by NAT.
> >
> >       > I have the following configuration working for normal traffic
> >       > but not the NATed one.
> >       >
> >       > conn private-or-clear
> >       > auto=ondemand
> >       > type=transport
> >       > authby=rsasig
> >       > failureshunt=passthrough
> >       > negotiationshunt=passthrough
> >       > ikev2=insist
> >       > left=%defaultroute
> >       > leftcert={{ cert_name_pattern }}
> >       > leftid=%fromcert
> >       > leftrsasigkey=%cert
> >       > rightrsasigkey=%cert
> >       > rightid=%fromcert
> >       > right=%opportunisticgroup
> >
> >       Opportunistic Encryption does not support transport mode plus NAT.
> >
> >       It only supports NAT for the initiator, not for the responder.
> >
> >       It might be worth explaining what you are trying to do so we can
> >       discuss different solutions to your problem.
> >
> >       Paul
> >
> >
> >
>
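The mismatch Paul describes (the OE policy is keyed on the pre-NAT cluster IP, while IPVS masquerade delivers the packets to a real server address) can be checked from the `ipvsadm -ln` table quoted above. The following is an added example, not code from the thread or from libreswan; the table text is a constructed sample shaped like the one Ahmed posted, and `transport_mode_conflicts` is a hypothetical helper name.

```python
"""Parse `ipvsadm -ln` output and report which real servers would actually
receive traffic that an IPsec transport-mode policy addresses to an IPVS VIP."""
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of the table quoted in the thread.
IPVSADM_OUTPUT = """\
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  10.240.0.1:443 rr
  -> 10.140.24.135:6443           Masq    1      0          0
  -> 10.140.24.204:6443           Masq    1      0          0
  -> 10.140.24.64:6443            Masq    1      1          0
"""

@dataclass
class Service:
    proto: str
    vip: str
    port: int
    scheduler: str
    real_servers: list = field(default_factory=list)  # (ip, port, forward method)

# Service rows start with the protocol; real-server rows start with "->".
SERVICE_RE = re.compile(r"^(TCP|UDP|SCTP)\s+(\S+):(\d+)\s+(\S+)")
REAL_RE = re.compile(r"^\s*->\s+(\S+):(\d+)\s+(\S+)\s+\d+\s+\d+\s+\d+")

def parse_ipvsadm(text):
    """Return the list of IPVS services with their real servers attached."""
    services = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            services.append(Service(m.group(1), m.group(2), int(m.group(3)), m.group(4)))
            continue
        m = REAL_RE.match(line)
        if m and services:  # header row has no numeric port, so it is skipped
            services[-1].real_servers.append((m.group(1), int(m.group(2)), m.group(3)))
    return services

def transport_mode_conflicts(services, dst_ip):
    """Real-server endpoints that receive packets a transport-mode policy aims
    at dst_ip once IPVS masquerades them; empty means dst_ip is not rewritten."""
    hits = []
    for svc in services:
        if svc.vip == dst_ip:
            hits.extend(f"{ip}:{port}" for ip, port, fwd in svc.real_servers if fwd == "Masq")
    return hits
```

Any non-empty result marks a destination for which the initiator's transport-mode SA would not match what the responder sees, which is the case Paul says OE cannot handle.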