IPsec for Kubernetes clusters with Calico in IPIP mode
- First start the Daemonset with `IPSEC_AUTO_PARAM` set to `add`. That loads all the connections without starting them, so no node begins trapping traffic before its peers have the matching connection loaded.
- Then change the Daemonset environment variable `IPSEC_AUTO_PARAM` to `route`. strongSwan installs kernel trap policies for the matching traffic and starts each connection automatically on the first packet that hits the trap.
Tunnel configuration AES_CBC_128/HMAC_SHA2_256_128
- ESP tunnel-mode overhead is 20 (outer IP header) + 8 (ESP header) + 16 (CBC IV) + 2 (pad length and next header) + 16 (SHA2-256 ICV truncated to 128 bits) = 62 bytes in the best case, plus up to 15 bytes of padding to the 16-byte AES block, so 77 in the worst case. MTU on the veth should be 1500 (base) - 20 (ipencap) - 62 (ipsec) = 1418. The best-case figure is safe here because 1418 + 20 + 2 = 1440 is a multiple of 16, so a full-size packet needs no padding; with NAT-T (UDP encapsulation, 8 more bytes) the alignment changes and the value has to be recomputed.
- Firewall rules: nodes must accept IKE (UDP 500), NAT-T (UDP 4500, if used) and ESP (IP protocol 50) from each other; otherwise traffic matching the trap policy is dropped because the SA can never be established.
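The MTU arithmetic above, generalized as an added example (not part of the original notes or of the Calico/strongSwan projects): it computes ESP tunnel-mode overhead for a transform, shows why 1418 needs no padding while 1419 overflows the link, and derives the veth MTU for other transforms and for NAT-T. Header sizes follow RFC 4303 (ESP), RFC 4106 (AES-GCM) and RFC 3948 (UDP encapsulation); the transform table and all function names are this example's own.

```python
"""ESP tunnel-mode overhead and veth MTU calculator (added example)."""

OUTER_IP_HDR = 20   # outer IPv4 header added by ESP tunnel mode
ESP_HDR = 8         # SPI (4) + sequence number (4)
ESP_TRAILER = 2     # pad length (1) + next header (1)
UDP_HDR = 8         # only with NAT-T, UDP encapsulation of ESP (RFC 3948)
IPIP_HDR = 20       # Calico IPIP encapsulation, IP protocol 4

# transform -> (IV length, ICV length, padding alignment), all in bytes.
# AES-CBC pads payload + trailer to its 16-byte block; AES-GCM only needs
# ESP's general 4-byte alignment. Table constructed for this example.
TRANSFORMS = {
    "AES_CBC_128/HMAC_SHA2_256_128": (16, 16, 16),   # the transform in the notes
    "AES_CBC_128/HMAC_SHA1_96": (16, 12, 16),
    "AES_GCM_16_128": (8, 16, 4),
}

DEFAULT = "AES_CBC_128/HMAC_SHA2_256_128"


def esp_padding(payload_len: int, align: int) -> int:
    """Padding bytes needed so that payload + trailer is a multiple of align."""
    return (-(payload_len + ESP_TRAILER)) % align


def fixed_overhead(transform: str, nat_t: bool = False) -> int:
    """Overhead that does not depend on payload size (the best case)."""
    iv, icv, _align = TRANSFORMS[transform]
    return OUTER_IP_HDR + ESP_HDR + iv + ESP_TRAILER + icv + (UDP_HDR if nat_t else 0)


def overhead_range(transform: str, nat_t: bool = False):
    """(best, worst) overhead: zero padding vs. align - 1 bytes of padding."""
    best = fixed_overhead(transform, nat_t)
    return best, best + TRANSFORMS[transform][2] - 1


def outer_len(inner_mtu: int, transform: str = DEFAULT,
              encap: int = IPIP_HDR, nat_t: bool = False) -> int:
    """Wire size of a full-size pod packet after IPIP and ESP encapsulation."""
    payload = inner_mtu + encap          # what ESP actually encrypts
    _iv, _icv, align = TRANSFORMS[transform]
    return payload + fixed_overhead(transform, nat_t) + esp_padding(payload, align)


def veth_mtu(link_mtu: int = 1500, transform: str = DEFAULT,
             encap: int = IPIP_HDR, nat_t: bool = False) -> int:
    """Largest inner MTU whose encapsulated packet still fits link_mtu.

    Starts from the best-case figure and walks down until the padding that a
    particular size attracts no longer pushes the outer packet over the link.
    """
    mtu = link_mtu - encap - fixed_overhead(transform, nat_t)
    while outer_len(mtu, transform, encap, nat_t) > link_mtu:
        mtu -= 1
    return mtu


if __name__ == "__main__":
    for name in TRANSFORMS:
        best, worst = overhead_range(name)
        print(f"{name}: overhead {best}..{worst} bytes, veth MTU {veth_mtu(transform=name)}")
    # The notes' figure: 1418 + 20 + 2 = 1440 is a multiple of 16, so no padding.
    print("1418 ->", outer_len(1418), "bytes on the wire")
    # One byte more attracts 15 bytes of padding and overflows the 1500-byte link.
    print("1419 ->", outer_len(1419), "bytes on the wire")
    # NAT-T's 8-byte UDP header costs 16 bytes of inner MTU because of the block alignment.
    print("with NAT-T:", veth_mtu(nat_t=True))
```

Running it shows that the 8-byte NAT-T header does not simply lower the veth MTU to 1410: every size from 1410 down to 1403 attracts padding and lands on 1508 bytes on the wire, and the first size that fits is 1402. The same walk-down applies whenever the link MTU, the encapsulation or the transform differs from the notes' case.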