Using Windows Server 1709 or 1803 we are attempting to use IPSec encryption along with Windows Containers using NAT. For example:
Client --(unencrypted TCP)--> Container Host --> NAT --> Container
Client --(encrypted with IPSec)--> Container Host --> NAT --> Container
IPSec is being enabled via standard WFP configuration with:
New-NetIPsecRule -LocalAddress [local] -RemoteAddress [remote] -InboundSecurity Require -OutboundSecurity Require
We can reproduce this issue with Cloud Foundry which uses hcsshim as part of the https://github.com/cloudfoundry/winc component and we also see the same behavior using Docker, such as:
docker run -d -p 8080:80 --name aspnet microsoft/aspnet
It appears that this is a fundamental limitation with WinNAT / HNS / WFP but we aren't sure if some combination of settings can make this work.
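A host-side check for the setup described above, added here as an example and not part of the original issue or of hcsshim: it lists the enabled IPsec rules with their address scope, the security associations negotiated with one peer, and the NAT networks on the container host. The `$Client` address is a constructed placeholder; run it in an elevated session on the container host while the client is connecting to the published port.

```powershell
# Added example (not from the issue). Assumes the built-in NetSecurity and
# NetNat modules on the container host and an elevated PowerShell session.
param(
    [string]$Client = '192.0.2.10'   # constructed placeholder: the client (IPsec peer) address
)

# 1. Enabled IPsec rules in the active policy, with the addresses they cover.
$rules = Get-NetIPsecRule -PolicyStore ActiveStore |
    Where-Object { $_.Enabled -eq 'True' } |
    ForEach-Object {
        $scope = Get-NetFirewallAddressFilter -AssociatedNetIPsecRule $_
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Inbound       = $_.InboundSecurity
            Outbound      = $_.OutboundSecurity
            LocalAddress  = $scope.LocalAddress -join ','
            RemoteAddress = $scope.RemoteAddress -join ','
        }
    }

# 2. Security associations currently negotiated with the client.
#    Main mode is the IKE/AuthIP exchange, quick mode carries the protected traffic.
$mainMode  = @(Get-NetIPsecMainModeSA  -ErrorAction SilentlyContinue |
    Where-Object { $_.RemoteEndpoint -eq $Client })
$quickMode = @(Get-NetIPsecQuickModeSA -ErrorAction SilentlyContinue |
    Where-Object { $_.RemoteEndpoint -eq $Client })

# 3. NAT networks defined on the host (the container NAT appears here).
$nat = @(Get-NetNat -ErrorAction SilentlyContinue)

'--- Enabled IPsec rules ---'
$rules | Format-Table -AutoSize

'--- SAs with {0} ---' -f $Client
'Main mode SAs : {0}' -f $mainMode.Count
'Quick mode SAs: {0}' -f $quickMode.Count
$quickMode | Format-List LocalEndpoint, RemoteEndpoint, LocalPort, RemotePort

'--- NAT networks ---'
$nat | Format-Table Name, InternalIPInterfaceAddressPrefix -AutoSize

# Reading the result: a rule with Inbound = Require whose scope covers the
# client, together with a quick mode SA for that client, shows that IPsec was
# negotiated between client and host. It does not show that the connection
# reached the container behind NAT; that still has to be tested end to end.
```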
@dineshgovindasamy this is the other issue we discussed. Is the info here sufficient, or is there another specific trace that you would like us to run?
cc @mhoran @ajgokhale
Just FYI, we've also tested this on a recent Server 2019 preview release (build 17677) and see exactly the same thing.
FYI, we requested Microsoft update their documentation to make it clear that IPSec to the container is not supported at this time:
It is being considered for inclusion in a future version of Windows per Microsoft support.
@dineshgovindasamy Is there any update on whether IPSec is supported now?
Do we have an update on when IPSec will be supported?
Any progress on this? What do we need to do to get some traction or at least if it is being worked on? Is there a better place to report or track this issue?
Merge pull request microsoft#244 from Microsoft/fix_reboot
Fixing Reboot system call flags