Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Traffic to containers via NAT stops working when using IPSec to encrypt network connections #244

Open
amhuber opened this issue Jun 7, 2018 · 6 comments

Comments

@amhuber
Copy link

@amhuber amhuber commented Jun 7, 2018

Using Windows Server 1709 or 1803 we are attempting to use IPSec encryption along with Windows Containers using NAT. For example:

Working:
Client --(unencrypted TCP)--> Container Host --> NAT --> Container

working

Not working:
Client --(encrypted with IPSec)--> Container Host --> NAT --> Container

notworking

IPSec is being enabled via standard WFP configuration with:

New-NetIPsecRule -LocalAddress [local] -RemoteAddress [remote]-InboundSecurity Require -OutboundSecurity Require 

We can reproduce this issue with Cloud Foundry which uses hcsshim as part of the https://github.com/cloudfoundry/winc component and we also see the same behavior using Docker, such as:

docker run -d -p 8080:80 --name aspnet microsoft/aspnet

It appears that this is a fundamental limitation with WinNAT / HNS / WFP but we aren't sure if some combination of settings can make this work.

@natalieparellano
Copy link

@natalieparellano natalieparellano commented Jun 12, 2018

@dineshgovindasamy this is the other issue we discussed. Is the info here sufficient, or is there another specific trace that you would like us to run?

cc @mhoran @ajgokhale

@amhuber
Copy link
Author

@amhuber amhuber commented Jun 12, 2018

Just FYI, we've also tested this on a recent Server 2019 preview release (build 17677) and see exactly the same thing.

@amhuber
Copy link
Author

@amhuber amhuber commented Aug 2, 2018

FYI, we requested Microsoft update their documentation to make it clear that IPSec to the container is not supported at this time:

https://docs.microsoft.com/en-us/virtualization/windowscontainers/container-networking/architecture#unsupported-features-and-network-options

It is being considered for inclusion in a future version of Windows per Microsoft support.

@genevieve
Copy link

@genevieve genevieve commented Feb 28, 2019

@dineshgovindasamy Is there any update on whether IPSec is supported now?

@davidk355
Copy link

@davidk355 davidk355 commented Jun 17, 2019

Do we have an update on when IPSec will be supported?

@jmprice
Copy link

@jmprice jmprice commented Jul 23, 2019

Any progress on this? What do we need to do to get some traction or at least if it is being worked on? Is there a better place to report or track this issue?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
5 participants
You can’t perform that action at this time.