IPsec for Kubernetes clusters with Calico in IPIP mode

adohkan/calico-ipsec

calico-ipsec

IPsec for Kubernetes clusters with Calico in IPIP mode

Minimal disruption deployment

  1. First, start the DaemonSet with IPSEC_AUTO_PARAM set to add. This loads all the connections without starting them.
  2. Then change the DaemonSet environment variable IPSEC_AUTO_PARAM to route. strongSwan installs kernel traps for the traffic and starts the connection automatically.

MTU overhead

With the tunnel configuration AES_CBC_128/HMAC_SHA2_256_128, the IPsec overhead is 62 bytes in the best case and 77 in the worst. The MTU on the veth should be 1500 (base) - 20 (IPIP encapsulation) - 62 (IPsec) = 1418.
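Where the 62 and 77 come from, as an added example that is not part of this repository: it sizes ESP tunnel-mode packets for this cipher suite and, going beyond the 1500 case, finds the largest pod packet that fits a given link MTU. It assumes IPv4, no NAT-T UDP encapsulation and minimal ESP padding; the function names and the 1450 and 9000 sample MTUs are constructed here.

```python
# Added example: ESP tunnel-mode sizing for AES_CBC_128/HMAC_SHA2_256_128.
# Assumptions (not from the README): IPv4, no NAT-T/UDP encapsulation,
# minimal ESP padding (RFC 4303 layout).

OUTER_IP = 20   # new IPv4 header added by tunnel mode
ESP_HDR = 8     # SPI (4) + sequence number (4)
IV = 16         # AES-CBC IV, one cipher block
BLOCK = 16      # AES block size; plaintext is padded to a multiple of it
TRAILER = 2     # pad length (1) + next header (1), both encrypted
ICV = 16        # HMAC-SHA2-256 truncated to 128 bits
IPIP_HDR = 20   # Calico IPIP outer IPv4 header


def esp_padding(inner_len):
    """Padding so that inner packet + padding + trailer fills whole blocks."""
    return -(inner_len + TRAILER) % BLOCK


def esp_overhead(inner_len):
    """Bytes IPsec adds to an inner packet of inner_len bytes."""
    return OUTER_IP + ESP_HDR + IV + esp_padding(inner_len) + TRAILER + ICV


def esp_packet_len(inner_len):
    """Size on the wire of the ESP packet carrying inner_len bytes."""
    return inner_len + esp_overhead(inner_len)


def max_inner_len(link_mtu):
    """Largest inner (IPIP) packet whose ESP packet still fits in link_mtu."""
    inner = link_mtu
    while esp_packet_len(inner) > link_mtu:
        inner -= 1
    return inner


def veth_mtu(link_mtu=1500):
    """Largest pod packet: what fits inside IPsec, minus the IPIP header."""
    return max_inner_len(link_mtu) - IPIP_HDR


if __name__ == "__main__":
    overheads = {esp_overhead(n) for n in range(1, 1501)}
    print("IPsec overhead range:", min(overheads), "to", max(overheads))
    for mtu in (1500, 1450, 9000):  # constructed sample link MTUs
        naive = mtu - IPIP_HDR - 62
        print(f"link {mtu}: veth MTU {veth_mtu(mtu)} (plain subtraction: {naive})")
```

On a 1500 link the limit lands exactly on an AES block boundary, so subtracting the best-case 62 gives the correct 1418. On other link MTUs the plain subtraction can overshoot, because the packet at that size needs padding.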

Fixes

  • mention firewall rules
