Hi Paul,

I am trying to enable IPsec for Kubernetes nodes that use IPVS for in-cluster load balancing; more details are here:
https://kubernetes.io/blog/2018/07/09/ipvs-based-in-cluster-load-balancing-deep-dive/

In short, in the example below access to cluster IP 10.240.0.1 port 443 is redirected to one of the Kubernetes master nodes on port 6443:

[root@host ~]# ipvsadm -ln
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  10.240.0.1:443 rr
  -> 10.140.24.135:6443           Masq    1      0          0
  -> 10.140.24.204:6443           Masq    1      0          0
  -> 10.140.24.64:6443            Masq    1      1          0

BR,
Ahmed

On Thu, Sep 9, 2021 at 4:58 PM Paul Wouters <[email protected]> wrote:
> On Thu, 9 Sep 2021, Ahmed Sameh wrote:
>
> > Can anyone share an example of NAT-Traversal with IPsec transport mode?
>
> Your quality of life will improve a lot if you avoid ever using
> Transport Mode with NAT. Everyone has moved away from it. Only use
> transport mode if you are not affected by NAT.
>
> > I have the following configuration working for normal traffic but not
> > the NATed one.
> >
> > conn private-or-clear
> >     auto=ondemand
> >     type=transport
> >     authby=rsasig
> >     failureshunt=passthrough
> >     negotiationshunt=passthrough
> >     ikev2=insist
> >     left=%defaultroute
> >     leftcert={{ cert_name_pattern }}
> >     leftid=%fromcert
> >     leftrsasigkey=%cert
> >     rightrsasigkey=%cert
> >     rightid=%fromcert
> >     right=%opportunisticgroup
>
> Opportunistic Encryption does not support transport mode plus NAT.
> It only supports NAT for the initiator, not for the responder.
>
> It might be worth explaining what you are trying to do so we can discuss
> different solutions to your problem.
>
> Paul
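The IPVS table above is the crux of the problem: with Forward set to Masq, IPVS rewrites the destination of each packet from the cluster IP (10.240.0.1:443) to a real server (10.140.24.x:6443), so the address pair that actually appears on the wire is node-to-real-server, not node-to-VIP. The following script is an added example, not code from the thread or from Libreswan or Kubernetes. It parses `ipvsadm -ln` output (the sample is the listing Ahmed posted, embedded inline) and prints, for each virtual service, the destinations traffic carries after IPVS has done its rewrite. The `Masq`-means-NAT interpretation is IPVS's own definition; the parsing logic and helper names (`parse_ipvsadm`, `wire_destinations`) are ours.

```python
"""Parse `ipvsadm -ln` output and list the destinations packets actually
carry after IPVS forwarding.

Added example for the thread above, not code from Libreswan or Kubernetes.
SAMPLE is the table posted in the message; the parser and helper names are
assumptions of this example.
"""
import re
from dataclasses import dataclass, field

# Constructed sample input: the `ipvsadm -ln` listing from the message above.
SAMPLE = """\
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  10.240.0.1:443 rr
  -> 10.140.24.135:6443           Masq    1      0          0
  -> 10.140.24.204:6443           Masq    1      0          0
  -> 10.140.24.64:6443            Masq    1      1          0
"""

# Virtual service line: "TCP  10.240.0.1:443 rr [flags...]"
_SERVICE_RE = re.compile(r"^(TCP|UDP|SCTP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(.*))?$")
# Real server line: "  -> 10.140.24.135:6443  Masq  1  0  0"
_REAL_RE = re.compile(r"^\s*->\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


@dataclass
class RealServer:
    addr: str
    port: int
    forward: str    # Masq (NAT), Route (direct routing) or Tunnel (IPIP)
    weight: int
    active: int
    inactive: int


@dataclass
class Service:
    proto: str
    vip: str
    port: int
    scheduler: str
    flags: str = ""
    real_servers: list = field(default_factory=list)


def parse_ipvsadm(text):
    """Turn `ipvsadm -ln` text into a list of Service objects.

    Header lines ("Prot LocalAddress:Port ...", "-> RemoteAddress:Port ...")
    do not match either regex because their port field is not numeric, so
    they are skipped along with blank lines.
    """
    services = []
    for line in text.splitlines():
        m = _SERVICE_RE.match(line)
        if m:
            proto, vip, port, sched, flags = m.groups()
            services.append(Service(proto, vip, int(port), sched, flags or ""))
            continue
        m = _REAL_RE.match(line)
        if m:
            if not services:
                raise ValueError("real server line before any service: %r" % line)
            addr, port, fwd, weight, active, inactive = m.groups()
            services[-1].real_servers.append(
                RealServer(addr, int(port), fwd, int(weight), int(active), int(inactive)))
    return services


def wire_destinations(services):
    """Map (proto, vip, port) to the destination tuples seen on the wire.

    Masq rewrites destination address and port, so the peer sees the
    real-server tuple rather than the VIP. Route (direct routing) leaves the
    destination untouched, so the VIP is reported. Tunnel mode adds an outer
    IPIP header addressed to the real server; the outer header is not
    modelled here and Tunnel entries are reported as the real server.
    """
    out = {}
    for s in services:
        dests = set()
        for r in s.real_servers:
            if r.forward == "Route":
                dests.add((s.vip, s.port))
            else:  # Masq or Tunnel
                dests.add((r.addr, r.port))
        out[(s.proto, s.vip, s.port)] = sorted(dests)
    return out


if __name__ == "__main__":
    for key, dests in wire_destinations(parse_ipvsadm(SAMPLE)).items():
        proto, vip, port = key
        print("%s %s:%d is delivered to:" % (proto, vip, port))
        for addr, dport in dests:
            print("  %s:%d" % (addr, dport))
```

Run against the posted table it reports that 10.240.0.1:443 is delivered to 10.140.24.135:6443, 10.140.24.204:6443 and 10.140.24.64:6443; those real-server addresses, not the cluster IP, are the endpoints any per-host IPsec relationship has to cover, which is the NAT interaction Paul's reply is warning about.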
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
