On Thu, 9 Sep 2021, Ahmed Sameh wrote:

> I am trying to enable IPsec for Kubernetes nodes, which use IPVS for in-cluster
> load balancing; more details are here:
> https://kubernetes.io/blog/2018/07/09/ipvs-based-in-cluster-load-balancing-deep-dive/
>
> In short, in the example below access to cluster IP 10.240.0.1 port 443 is
> redirected to port 6443 on one of the Kubernetes master nodes.

If you are NAT'ing then Opportunistic becomes very complicated. And you
cannot really use Transport Mode anymore. I also do not fully understand
how you want to do this. An OE node connecting to IP a.b.c.d expects an
ipsec connection from its own IP to a.b.c.d. If that is NAT'ed to a
different node, that node needs to be aware of the pre-NAT IP because
it needs to use that as ipsec policy, and then it needs to be able to
send/receive on that other IP address as well.

Paul


> [root@host ~]# ipvsadm -ln
> Prot LocalAddress:Port Scheduler Flags
>   -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
> TCP  10.240.0.1:443 rr
>   -> 10.140.24.135:6443           Masq    1      0          0
>   -> 10.140.24.204:6443           Masq    1      0          0
>   -> 10.140.24.64:6443            Masq    1      1          0
>
> BR,
> Ahmed
>
> On Thu, Sep 9, 2021 at 4:58 PM Paul Wouters <[email protected]> wrote:
> > On Thu, 9 Sep 2021, Ahmed Sameh wrote:
> >
> > > Can anyone share an example of NAT-Traversal with IPsec transport mode?
> >
> > Your quality of life will improve a lot if you avoid ever using
> > Transport Mode with NAT. Everyone has moved away from it. Only use
> > transport mode if you are not affected by NAT.
> >
> > > I have the following configuration working for normal traffic but not
> > > the NATed one.
> > >
> > > conn private-or-clear
> > > auto=ondemand
> > > type=transport
> > > authby=rsasig
> > > failureshunt=passthrough
> > > negotiationshunt=passthrough
> > > ikev2=insist
> > > left=%defaultroute
> > > leftcert={{ cert_name_pattern }}
> > > leftid=%fromcert
> > > leftrsasigkey=%cert
> > > rightrsasigkey=%cert
> > > rightid=%fromcert
> > > right=%opportunisticgroup
> >
> > Opportunistic Encryption does not support transport mode plus NAT.
> >
> > It only supports NAT for the initiator, not for the responder.
> >
> > It might be worth explaining what you are trying to do so we can discuss
> > different solutions to your problem.
> >
> > Paul



_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
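The following worked example is added here and is not code from Paul, Ahmed or the libreswan project. It models the policy mismatch Paul describes: it parses the `ipvsadm -ln` table from Ahmed's mail, applies IPVS masquerading (DNAT) to a flow from a constructed client address, and compares the host-to-host selector a transport-mode OE initiator would negotiate (client to VIP) with what the real server actually sees after the rewrite. It goes one step beyond the thread by also including a constructed `Route` (direct-routing) service on a hypothetical VIP 10.240.0.99, where IPVS leaves the destination IP untouched and the responder can own the pre-NAT address. The client address, the `Route` service, and all function names are assumptions made for the illustration; the code does not reproduce libreswan's SPD logic.

```python
# Added example for this thread: models the address-policy mismatch between a
# transport-mode OE initiator and a responder reached through IPVS "Masq".
# Illustrative code, not libreswan's; function names and the client address
# are assumptions.
import re
from dataclasses import dataclass

# Table from Ahmed's mail (ipvsadm -ln) plus a constructed "Route" service on
# a hypothetical VIP, used only to contrast the two forwarding methods.
IPVSADM_OUTPUT = """\
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  10.240.0.1:443 rr
  -> 10.140.24.135:6443           Masq    1      0          0
  -> 10.140.24.204:6443           Masq    1      0          0
  -> 10.140.24.64:6443            Masq    1      1          0
TCP  10.240.0.99:443 rr
  -> 10.140.24.77:443             Route   1      0          0
"""

SERVICE_RE = re.compile(r"^(TCP|UDP)\s+(\S+):(\d+)\s+\S+")
BACKEND_RE = re.compile(r"^\s*->\s+(\S+):(\d+)\s+(\S+)\s+\d+")


@dataclass(frozen=True)
class Selector:
    """Host-to-host selector, as a transport-mode OE peer installs it."""
    src: str
    dst: str


def parse_ipvsadm(text):
    """Parse `ipvsadm -ln` output into
    {(proto, vip, port): [(rip, rport, forward_method), ...]}."""
    services, current = {}, None
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            current = (m.group(1), m.group(2), int(m.group(3)))
            services[current] = []
            continue
        m = BACKEND_RE.match(line)
        if m and current is not None:
            services[current].append((m.group(1), int(m.group(2)), m.group(3)))
    return services


def forward(backend, client_ip, vip, port):
    """Return the (src, dst, dport) the real server sees for one backend.
    Masq rewrites destination IP and port (DNAT); Route (direct routing) only
    rewrites the link-layer destination, so the IP header still carries the VIP."""
    rip, rport, method = backend
    if method == "Masq":
        return client_ip, rip, rport
    if method == "Route":
        return client_ip, vip, port
    raise ValueError(f"forwarding method not modelled: {method}")


def analyse(services, client_ip, proto, vip, port):
    """For every backend of a service, compare the policy the OE initiator
    negotiates (client -> VIP) with what the responder sees after IPVS."""
    initiator = Selector(client_ip, vip)
    results = []
    for backend in services[(proto, vip, port)]:
        src, dst, dport = forward(backend, client_ip, vip, port)
        responder = Selector(src, dst)
        matches = initiator == responder
        results.append({
            "backend": f"{backend[0]}:{backend[1]}",
            "forward": backend[2],
            "initiator_policy": initiator,
            "responder_sees": responder,
            "policy_matches": matches,
            # When the selectors differ, the responder would need a policy for,
            # and the ability to send/receive on, the pre-NAT address.
            "responder_must_own": None if matches else vip,
            "port_rewritten": dport != port,
        })
    return results


if __name__ == "__main__":
    svc = parse_ipvsadm(IPVSADM_OUTPUT)
    # 10.140.24.10 is a constructed client (initiator) address.
    for vip in ("10.240.0.1", "10.240.0.99"):
        for r in analyse(svc, "10.140.24.10", "TCP", vip, 443):
            print(r)
```

For the three `Masq` backends the initiator's selector (client to 10.240.0.1) never equals what the real server sees (client to 10.140.24.x), and the port is rewritten as well, which is the situation Paul says OE cannot handle on the responder side; for the `Route` backend the destination survives, so a responder that owns the VIP can match the policy.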
