I am OK to switch to tunnel mode, if that will solve my problem, and I would appreciate it if you can share an example config.

BR,
Ahmed

On Wed, Sep 15, 2021, 8:57 PM Paul Wouters <[email protected]> wrote:

> On Thu, 9 Sep 2021, Ahmed Sameh wrote:
>
> > I am trying to enable IPsec for Kubernetes nodes, which use IPVS for
> > in-cluster load balancing; more details are here:
> > https://kubernetes.io/blog/2018/07/09/ipvs-based-in-cluster-load-balancing-deep-dive/
> >
> > In short, in the example below access to cluster IP 10.240.0.1 port 443
> > is redirected to one of the Kubernetes master nodes, port 6443.
>
> If you are NAT'ing then Opportunistic becomes very complicated. And you
> cannot really use Transport Mode anymore. I also do not fully understand
> how you want to do this. An OE node connecting to IP a.b.c.d expects an
> ipsec connection from its own IP to a.b.c.d. If that is NAT'ed to a
> different node, that node needs to be aware of the pre-NAT IP because
> it needs to use that as ipsec policy, and then it needs to be able to
> send/receive on that other IP address as well.
>
> Paul
>
> > [root@host ~]# ipvsadm -ln
> > Prot LocalAddress:Port Scheduler Flags
> >   -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
> > TCP  10.240.0.1:443 rr
> >   -> 10.140.24.135:6443           Masq    1      0          0
> >   -> 10.140.24.204:6443           Masq    1      0          0
> >   -> 10.140.24.64:6443            Masq    1      1          0
> >
> > BR,
> > Ahmed
> >
> > On Thu, Sep 9, 2021 at 4:58 PM Paul Wouters <[email protected]> wrote:
> >
> > > On Thu, 9 Sep 2021, Ahmed Sameh wrote:
> > >
> > > > Can anyone share an example of NAT-Traversal with IPsec transport mode?
> > >
> > > Your quality of life will improve a lot if you avoid ever using
> > > Transport Mode with NAT. Everyone has moved away from it. Only use
> > > transport mode if you are not affected by NAT.
> > >
> > > > I have the following configuration working for normal traffic
> > > > but not the NATed one.
> > > >
> > > > conn private-or-clear
> > > >     auto=ondemand
> > > >     type=transport
> > > >     authby=rsasig
> > > >     failureshunt=passthrough
> > > >     negotiationshunt=passthrough
> > > >     ikev2=insist
> > > >     left=%defaultroute
> > > >     leftcert={{ cert_name_pattern }}
> > > >     leftid=%fromcert
> > > >     leftrsasigkey=%cert
> > > >     rightrsasigkey=%cert
> > > >     rightid=%fromcert
> > > >     right=%opportunisticgroup
> > >
> > > Opportunistic Encryption does not support transport mode plus NAT.
> > >
> > > It only supports NAT for the initiator, not for the responder.
> > >
> > > It might be worth explaining what you are trying to do so we can discuss
> > > different solutions to your problem.
> > >
> > > Paul
_______________________________________________ Swan mailing list [email protected] https://lists.libreswan.org/mailman/listinfo/swan
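The following is an added example and not part of the thread above or of Libreswan. It parses the `ipvsadm -ln` listing quoted in the thread (embedded here as constructed input) and shows concretely why a transport-mode Opportunistic Encryption policy breaks behind IPVS masquerading: in transport mode the IPsec selectors are the packet's own addresses, so the initiator builds its policy for `initiator -> 10.240.0.1:443`, while each masqueraded backend receives a packet addressed to its own `10.140.24.x:6443` and would build a different policy. The initiator address `10.140.24.10` is a constructed value, and only the `Masq` forwarding method shown in the listing is modelled.

```python
"""
Added example (not from the Libreswan list thread or the project): parse
`ipvsadm -ln` output and report the transport-mode IPsec selector mismatch
that IPVS masquerading (DNAT) causes between initiator and backend.
"""
import re
from dataclasses import dataclass, field

# Constructed sample input, copied from the ipvsadm listing in the thread.
IPVSADM_OUTPUT = """\
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  10.240.0.1:443 rr
  -> 10.140.24.135:6443           Masq    1      0          0
  -> 10.140.24.204:6443           Masq    1      0          0
  -> 10.140.24.64:6443            Masq    1      1          0
"""


@dataclass
class RealServer:
    ip: str
    port: int
    forward: str  # IPVS forwarding method, e.g. "Masq"
    weight: int


@dataclass
class VirtualService:
    proto: str
    ip: str
    port: int
    scheduler: str
    backends: list = field(default_factory=list)


# Virtual-service line:  "TCP  10.240.0.1:443 rr"
_VS_RE = re.compile(r"^(TCP|UDP|SCTP)\s+(\S+):(\d+)\s+(\S+)")
# Real-server line:      "  -> 10.140.24.135:6443  Masq  1  0  0"
_RS_RE = re.compile(r"^\s*->\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)")


def parse_ipvsadm(text):
    """Return the virtual services (with their backends) from `ipvsadm -ln` text."""
    services = []
    for line in text.splitlines():
        m = _VS_RE.match(line)
        if m:
            proto, ip, port, sched = m.groups()
            services.append(VirtualService(proto, ip, int(port), sched))
            continue
        m = _RS_RE.match(line)
        if m and services:  # header line "-> RemoteAddress:Port" has no numeric port, so it is skipped
            ip, port, fwd, weight = m.group(1), m.group(2), m.group(3), m.group(4)
            services[-1].backends.append(RealServer(ip, int(port), fwd, int(weight)))
    return services


def transport_mode_policy_mismatch(service, initiator_ip):
    """For a transport-mode OE flow from initiator_ip to the virtual service,
    return one entry per backend with the selector each side would build.

    Transport mode keys the SA on the packet's own (src, dst, dport). The
    initiator sees the cluster IP; a masqueraded backend sees its own address
    and port after DNAT, so the two selectors never agree.
    """
    initiator_sel = (initiator_ip, service.ip, service.port)
    results = []
    for rs in service.backends:
        if rs.forward == "Masq":
            responder_sel = (initiator_ip, rs.ip, rs.port)  # post-DNAT header
        else:
            responder_sel = None  # other forwarding methods are not modelled here
        results.append({
            "backend": f"{rs.ip}:{rs.port}",
            "initiator_selector": initiator_sel,
            "responder_selector": responder_sel,
            "matches": responder_sel == initiator_sel,
        })
    return results


def affected_flows(text, initiator_ip):
    """List every (virtual service, backend) pair whose masquerading breaks a
    transport-mode policy keyed on the virtual IP."""
    out = []
    for svc in parse_ipvsadm(text):
        for entry in transport_mode_policy_mismatch(svc, initiator_ip):
            if not entry["matches"]:
                out.append((f"{svc.ip}:{svc.port}", entry["backend"]))
    return out


if __name__ == "__main__":
    # "10.140.24.10" is a constructed initiator (cluster node) address.
    for vip, backend in affected_flows(IPVSADM_OUTPUT, "10.140.24.10"):
        print(f"{vip} -> {backend}: transport-mode OE selector mismatch")
```

Every backend in the listing is reported, which is the situation Paul describes: the backend would need to know the pre-NAT address `10.240.0.1` to install a matching policy and to send and receive on it, which transport-mode OE does not provide.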
