Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Traffic to containers via NAT stops working when using IPSec to encrypt network connections #244

amhuber opened this issue Jun 7, 2018 · 6 comments


Copy link

amhuber commented Jun 7, 2018

Using Windows Server 1709 or 1803 we are attempting to use IPSec encryption along with Windows Containers using NAT. For example:

Client --(unencrypted TCP)--> Container Host --> NAT --> Container


Not working:
Client --(encrypted with IPSec)--> Container Host --> NAT --> Container


IPSec is being enabled via standard WFP configuration with:

New-NetIPsecRule -LocalAddress [local] -RemoteAddress [remote]-InboundSecurity Require -OutboundSecurity Require 

We can reproduce this issue with Cloud Foundry which uses hcsshim as part of the component and we also see the same behavior using Docker, such as:

docker run -d -p 8080:80 --name aspnet microsoft/aspnet

It appears that this is a fundamental limitation with WinNAT / HNS / WFP but we aren't sure if some combination of settings can make this work.

Copy link

natalieparellano commented Jun 12, 2018

@dineshgovindasamy this is the other issue we discussed. Is the info here sufficient, or is there another specific trace that you would like us to run?

cc @mhoran @ajgokhale

Copy link

amhuber commented Jun 12, 2018

Just FYI, we've also tested this on a recent Server 2019 preview release (build 17677) and see exactly the same thing.

Copy link

amhuber commented Aug 2, 2018

FYI, we requested Microsoft update their documentation to make it clear that IPSec to the container is not supported at this time:

It is being considered for inclusion in a future version of Windows per Microsoft support.

Copy link

genevieve commented Feb 28, 2019

@dineshgovindasamy Is there any update on whether IPSec is supported now?

Copy link

davidk355 commented Jun 17, 2019

Do we have an update on when IPSec will be supported?

Copy link

jmprice commented Jul 23, 2019

Any progress on this? What do we need to do to get some traction or at least if it is being worked on? Is there a better place to report or track this issue?

dcantah pushed a commit to dcantah/hcsshim that referenced this issue Mar 17, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
None yet
None yet

No branches or pull requests

5 participants