Open yboaron opened 5 months ago
In the ^^ Slack thread, NAT Discovery selects the private IP, which means ESP traffic will not be UDP-encapsulated (it will be sent over IP, IP protocol 0x32).
We need to find a way to generate ESP on top of IP traffic and make sure it is received on the server side.
To verify whether the root cause of the IPsec tunnels being in error state is the blocked ESP protocol, we can enable UDP encapsulation for IPsec traffic and see if that resolves the issue.
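As an added example, not code from this issue or from the Submariner project: a small Go probe for exactly the check described above. One side sends a bare ESP packet (IP protocol 50) from a raw socket, the other side listens on a raw socket for IP protocol 50 and reports whether it arrives. It assumes Linux raw-socket semantics (the receiver sees the full IPv4 header, the sender lets the kernel build the IPv4 header) and CAP_NET_RAW on both hosts. The SPI 0xdeadbeef, the sequence number and the "esp-probe" payload are constructed values with no IPsec meaning, and there is no encryption or ICV, so this tests only whether protocol 50 is forwarded between the two gateways.

```go
package main

import (
	"encoding/binary"
	"errors"
	"flag"
	"fmt"
	"net"
	"os"
	"syscall"
)

// ipProtoESP is the value of the IPv4 "protocol" field for ESP: 0x32 = 50.
const ipProtoESP = 50

// buildESP returns a minimal ESP header (SPI, sequence number) followed by
// payload. No encryption or ICV: this is a probe for the protocol-50 path,
// not a real IPsec packet.
func buildESP(spi, seq uint32, payload []byte) []byte {
	b := make([]byte, 8+len(payload))
	binary.BigEndian.PutUint32(b[0:4], spi)
	binary.BigEndian.PutUint32(b[4:8], seq)
	copy(b[8:], payload)
	return b
}

// parseESP takes a raw IPv4 packet as a Linux AF_INET/SOCK_RAW socket delivers
// it (IP header included) and returns the ESP SPI, sequence number and payload.
func parseESP(pkt []byte) (spi, seq uint32, payload []byte, err error) {
	if len(pkt) < 20 || pkt[0]>>4 != 4 {
		return 0, 0, nil, errors.New("not an IPv4 packet")
	}
	ihl := int(pkt[0]&0x0f) * 4 // IPv4 header length in bytes
	if ihl < 20 || len(pkt) < ihl+8 {
		return 0, 0, nil, errors.New("truncated IPv4 or ESP header")
	}
	if pkt[9] != ipProtoESP {
		return 0, 0, nil, fmt.Errorf("IP protocol %d is not ESP (%d)", pkt[9], ipProtoESP)
	}
	esp := pkt[ihl:]
	return binary.BigEndian.Uint32(esp[0:4]), binary.BigEndian.Uint32(esp[4:8]), esp[8:], nil
}

// sendProbe sends one ESP-over-IP probe to dst. IP_HDRINCL is off, so the
// kernel prepends the IPv4 header and only the ESP part is written here.
func sendProbe(dst net.IP, spi, seq uint32) error {
	if dst.To4() == nil {
		return errors.New("destination must be an IPv4 address")
	}
	fd, err := syscall.Socket(syscall.AF_INET, syscall.SOCK_RAW, ipProtoESP)
	if err != nil {
		return fmt.Errorf("raw socket (needs CAP_NET_RAW): %w", err)
	}
	defer syscall.Close(fd)
	var sa syscall.SockaddrInet4
	copy(sa.Addr[:], dst.To4())
	return syscall.Sendto(fd, buildESP(spi, seq, []byte("esp-probe")), 0, &sa)
}

// recvProbe blocks until an ESP packet carrying spi arrives. Other ESP traffic
// (for example the real tunnel, if one is up) is ignored.
func recvProbe(spi uint32) error {
	fd, err := syscall.Socket(syscall.AF_INET, syscall.SOCK_RAW, ipProtoESP)
	if err != nil {
		return fmt.Errorf("raw socket (needs CAP_NET_RAW): %w", err)
	}
	defer syscall.Close(fd)
	buf := make([]byte, 65535)
	for {
		n, from, err := syscall.Recvfrom(fd, buf, 0)
		if err != nil {
			return err
		}
		gotSPI, seq, payload, perr := parseESP(buf[:n])
		if perr != nil || gotSPI != spi {
			continue
		}
		src := "?"
		if sa, ok := from.(*syscall.SockaddrInet4); ok {
			src = net.IP(sa.Addr[:]).String()
		}
		fmt.Printf("ESP received from %s: spi=0x%08x seq=%d payload=%q\n", src, gotSPI, seq, payload)
		return nil
	}
}

func main() {
	mode := flag.String("mode", "recv", "send or recv")
	dst := flag.String("dst", "", "destination IPv4 address (send mode)")
	spi := flag.Uint("spi", 0xdeadbeef, "SPI to stamp on / wait for")
	flag.Parse()
	var err error
	switch *mode {
	case "send":
		err = sendProbe(net.ParseIP(*dst), uint32(*spi), 1)
	case "recv":
		err = recvProbe(uint32(*spi))
	default:
		err = fmt.Errorf("unknown mode %q", *mode)
	}
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
}
```

Start `-mode recv` on the server-side gateway node first, then run `-mode send -dst <server gateway IP>` from the client-side gateway. If the sender returns without error but the receiver never prints a line, IP protocol 50 is being dropped on the path (a firewall or security group that only allows TCP/UDP, or a NAT device that cannot translate ESP), which is the situation where forcing UDP encapsulation (NAT-T on UDP 4500) is expected to bring the tunnel up.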
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
The subctl diagnose firewall command has recently been enhanced to detect and report if the ESP protocol is blocked; see [1] for more details.
According to this Slack thread, the subctl diagnose firewall inter-cluster command seems to succeed even though the ESP protocol is blocked. Tested with subctl 0.16.5.
[1] https://github.com/submariner-io/subctl/commit/89d2449e9e06d57a7b6b678eb9ad68751c61f030