[Swan] NAT-Traversal with IPsec transport mode

Paul Wouters paul at nohats.ca
Thu Sep 23 02:36:21 UTC 2021

On Wed, 22 Sep 2021, Ahmed Sameh wrote:

> It seems to be incompatibility between kube-ipvs and ipsec, but is there a chance that we can solve this by a
> different configuration from ipsec side?
> https://github.com/cloudnativelabs/kube-router/issues/877

Sorry, that still does not help me understand the problem better.


> BR, 
> Ahmed
> On Thu, Sep 16, 2021 at 10:14 PM Paul Wouters <paul at nohats.ca> wrote:
>       On Thu, 16 Sep 2021, Ahmed Sameh wrote:
>       > I am OK to switch to tunnel mode, if that will solve my problem, and I appreciate if you can
>       share an
>       > example config.
>       I don't know enough about kubernetes to give you a working config. One
>       of the main issue is whether the nodes know their "public IP" that does
>       not live within their own container. Eg you would need to define a
>       leftsubnet= and rightsubnet= to get the native IPs of the nodes, but
>       I'm not sure how you could communicate that to generate the config.
>       there might be tricks to play, like using with narrowing=yes
>       but then there is a security issue of how do you know/trust the remote
>       node's IP address. What if they pick ?
>       Paul

More information about the Swan mailing list