microsoft / hcsshim

Windows - Host Compute Service Shim
MIT License

Traffic to containers via NAT stops working when using IPSec to encrypt network connections #244

Open amhuber opened 6 years ago

amhuber commented 6 years ago

Using Windows Server 1709 or 1803 we are attempting to use IPSec encryption along with Windows Containers using NAT. For example:

Working:
Client --(unencrypted TCP)--> Container Host --> NAT --> Container


Not working:
Client --(encrypted with IPSec)--> Container Host --> NAT --> Container


IPSec is being enabled via standard WFP configuration with:

New-NetIPsecRule -LocalAddress [local] -RemoteAddress [remote] -InboundSecurity Require -OutboundSecurity Require

We can reproduce this issue with Cloud Foundry, which uses hcsshim as part of the https://github.com/cloudfoundry/winc component, and we also see the same behavior using Docker, such as:

docker run -d -p 8080:80 --name aspnet microsoft/aspnet

It appears that this is a fundamental limitation with WinNAT / HNS / WFP but we aren't sure if some combination of settings can make this work.
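The combination reported above is an IPsec rule whose LocalAddress scope covers the container host, plus a WinNAT static mapping (the one `docker run -p 8080:80` creates) on that same host address. The following PowerShell diagnostic is an added example, not code from the issue or from hcsshim: it walks every WinNAT static mapping on the host and reports whether an enabled IPsec rule with InboundSecurity Require also covers the mapping's external address, so an operator can see which forwarded container ports sit in the failing configuration and which ones are reachable only unencrypted. It assumes the inbox NetSecurity and NetNat modules and an elevated session; the function names are mine.

```powershell
# Added diagnostic (not from issue #244 or hcsshim): correlate WinNAT static
# mappings with IPsec rules that require inbound protection on the host.
# Assumes the NetSecurity and NetNat modules (inbox on Windows Server) and
# an elevated PowerShell session.
function Get-IPsecRequireRule {
    # One record per enabled IPsec rule that requires inbound protection,
    # joined with the address filter that carries its LocalAddress scope
    # (the -LocalAddress value given to New-NetIPsecRule).
    Get-NetIPsecRule -Enabled True |
        Where-Object { $_.InboundSecurity -eq 'Require' } |
        ForEach-Object {
            $addr = Get-NetFirewallAddressFilter -AssociatedNetIPsecRule $_
            [pscustomobject]@{
                Name          = $_.DisplayName
                LocalAddress  = @($addr.LocalAddress)
                RemoteAddress = @($addr.RemoteAddress)
            }
        }
}

function Test-AddressCovered {
    param([string]$Address, [string[]]$Scope)
    # 'Any' matches every host address. A mapping bound to 0.0.0.0 listens on
    # all host addresses, so any rule scope covers it. Subnet or range scopes
    # ('/' or '-') are treated conservatively as a match rather than parsed.
    foreach ($s in $Scope) {
        if ($s -eq 'Any' -or $Address -eq '0.0.0.0') { return $true }
        if ($s -eq $Address -or $s -match '[/-]')    { return $true }
    }
    return $false
}

function Get-NatIPsecOverlap {
    $rules = @(Get-IPsecRequireRule)
    Get-NetNatStaticMapping | ForEach-Object {
        $m = $_
        $hits = @($rules | Where-Object {
            Test-AddressCovered -Address $m.ExternalIPAddress -Scope $_.LocalAddress })
        [pscustomobject]@{
            External   = "$($m.ExternalIPAddress):$($m.ExternalPort)/$($m.Protocol)"
            Internal   = "$($m.InternalIPAddress):$($m.InternalPort)"
            IPsecRules = ($hits.Name -join ', ')
            # Overlap = the failing case from the issue; no overlap = the port
            # is forwarded to the container without IPsec protection.
            Status     = if ($hits.Count) { 'IPsec Require + NAT' } else { 'NAT only, unencrypted' }
        }
    }
}

Get-NatIPsecOverlap | Format-Table -AutoSize
```

Run it on the container host after creating the IPsec rule and starting the container; a mapping listed as "IPsec Require + NAT" is the path that stops passing traffic, while "NAT only" rows show container ports that clients can reach without encryption.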

natalieparellano commented 6 years ago

@dineshgovindasamy this is the other issue we discussed. Is the info here sufficient, or is there another specific trace that you would like us to run?

cc @mhoran @ajgokhale

amhuber commented 6 years ago

Just FYI, we've also tested this on a recent Server 2019 preview release (build 17677) and see exactly the same thing.

amhuber commented 6 years ago

FYI, we requested Microsoft update their documentation to make it clear that IPSec to the container is not supported at this time:

https://docs.microsoft.com/en-us/virtualization/windowscontainers/container-networking/architecture#unsupported-features-and-network-options

It is being considered for inclusion in a future version of Windows per Microsoft support.

genevieve commented 5 years ago

@dineshgovindasamy Is there any update on whether IPSec is supported now?

davidk355 commented 5 years ago

Do we have an update on when IPSec will be supported?

jmprice commented 5 years ago

Any progress on this? What do we need to do to get some traction, or at least find out whether it is being worked on? Is there a better place to report or track this issue?