Traffic to containers via NAT stops working when using IPSec to encrypt network connections #244

Open
amhuber opened this Issue Jun 7, 2018 · 3 comments

@amhuber

amhuber commented Jun 7, 2018

Using Windows Server 1709 or 1803 we are attempting to use IPSec encryption along with Windows Containers using NAT. For example:

Working:
Client --(unencrypted TCP)--> Container Host --> NAT --> Container

[image: "working" diagram]

Not working:
Client --(encrypted with IPSec)--> Container Host --> NAT --> Container

[image: "notworking" diagram]

IPSec is being enabled via standard WFP configuration with:

New-NetIPsecRule -LocalAddress [local] -RemoteAddress [remote] -InboundSecurity Require -OutboundSecurity Require

We can reproduce this issue with Cloud Foundry, which uses hcsshim as part of the https://github.com/cloudfoundry/winc component, and we also see the same behavior using Docker, such as:

docker run -d -p 8080:80 --name aspnet microsoft/aspnet

It appears that this is a fundamental limitation with WinNAT / HNS / WFP but we aren't sure if some combination of settings can make this work.
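The following is an added audit script, not code from the issue author, Cloud Foundry or hcsshim. It looks for the combination the issue reports as failing on a container host: an enabled IPsec rule with InboundSecurity or OutboundSecurity set to Require, alongside a WinNAT network of the kind Docker and winc use for port publishing. Cmdlet and property names are from the NetSecurity and NetNat modules; the warning text is this example's own summary of the behavior described above, and the script assumes an elevated session on the container host.

```powershell
# Added example (not from the issue): find IPsec "Require" rules and NAT networks
# on a Windows container host so the unsupported combination described in this
# issue is visible before traffic silently stops reaching published ports.
# Assumes an elevated PowerShell session on the container host.

# Enabled IPsec rules that require security in either direction
$ipsecRules = Get-NetIPsecRule -ErrorAction SilentlyContinue |
    Where-Object {
        $_.Enabled -eq 'True' -and
        ($_.InboundSecurity -eq 'Require' -or $_.OutboundSecurity -eq 'Require')
    }

# WinNAT networks (Docker's default "nat" network and winc's NAT show up here)
$nats = Get-NetNat -ErrorAction SilentlyContinue

foreach ($rule in $ipsecRules) {
    # The address filter carries the -LocalAddress/-RemoteAddress values that
    # were passed to New-NetIPsecRule when the rule was created.
    $addr = $rule | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule             = $rule.DisplayName
        InboundSecurity  = $rule.InboundSecurity
        OutboundSecurity = $rule.OutboundSecurity
        LocalAddress     = (@($addr.LocalAddress)  -join ',')
        RemoteAddress    = (@($addr.RemoteAddress) -join ',')
    }
}

foreach ($nat in $nats) {
    [pscustomobject]@{
        NatNetwork     = $nat.Name
        InternalPrefix = $nat.InternalIPInterfaceAddressPrefix
        Active         = $nat.Active
    }
}

if ($ipsecRules -and $nats) {
    $msg = ('{0} IPsec rule(s) require security and {1} NAT network(s) exist ({2}). ' +
            'Connections that reach this host over IPsec are not delivered to ' +
            'NAT-published container ports; do not rely on IPsec to protect ' +
            'container traffic on this host.') -f
           @($ipsecRules).Count, @($nats).Count, (@($nats.Name) -join ',')
    Write-Warning $msg
}
```

The object output lists the rules and NAT networks so the result can be piped to Format-Table or exported; the warning fires only when both halves of the problematic configuration are present.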

@natalieparellano


natalieparellano commented Jun 12, 2018

@dineshgovindasamy this is the other issue we discussed. Is the info here sufficient, or is there another specific trace that you would like us to run?

cc @mhoran @ajgokhale

@amhuber


amhuber commented Jun 12, 2018

Just FYI, we've also tested this on a recent Server 2019 preview release (build 17677) and see exactly the same thing.

@amhuber


amhuber commented Aug 2, 2018

FYI, we requested Microsoft update their documentation to make it clear that IPSec to the container is not supported at this time:

https://docs.microsoft.com/en-us/virtualization/windowscontainers/container-networking/architecture#unsupported-features-and-network-options

It is being considered for inclusion in a future version of Windows per Microsoft support.
