submariner-io / subctl

CLI tool that provides helper commands to install, inspect, and troubleshoot a Submariner deployment.
Apache License 2.0

Subctl diagnose firewall doesn't detect blocked ESP protocol #1137

Open yboaron opened 1 month ago

yboaron commented 1 month ago

The subctl diagnose firewall has recently been enhanced to detect and report if the ESP protocol is blocked; check [1] for more details.

According to this Slack thread, the subctl diagnose firewall inter-cluster command seems to succeed even though the ESP protocol is blocked. Tested with subctl 0.16.5.

[1] https://github.com/submariner-io/subctl/commit/89d2449e9e06d57a7b6b678eb9ad68751c61f030

yboaron commented 1 month ago

In the ^^ Slack thread, NAT Discovery selects the private IP, which means ESP traffic will not be UDP encapsulated (it will be sent over IP, IP protocol 0x32).

We need to find a way to generate ESP on top of IP traffic and make sure it is received on the server side.

yboaron commented 2 weeks ago

To verify if the root cause of IPsec tunnels being in the error state is the blocked ESP protocol, we can enable UDP encapsulation for IPsec traffic and see if that resolves the issue.
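The check the two comments above ask for (send an ESP-shaped datagram directly over IP, protocol 50, and confirm it arrives on the far side) can be prototyped outside subctl. The following is an added example written for this issue, not subctl's own code: it assumes Linux raw sockets (CAP_NET_RAW on both gateways), and the SPI, marker and function names are hypothetical. A probe that never arrives while the same path passes UDP 4500 is the signature of protocol 50 being filtered.

```python
# Constructed diagnostic: raw ESP (IP protocol 50) reachability probe.
import socket
import struct
import time

ESP_PROTO = 50                     # IP protocol number for ESP (0x32)
ESP_HEADER = struct.Struct("!II")  # RFC 4303 fixed header: SPI, sequence number

def build_esp_probe(spi: int, seq: int, marker: bytes) -> bytes:
    """Datagram that a firewall classifies as ESP (SPI + seq + payload).
    It is not a real IPsec packet; it only needs to travel as protocol 50."""
    return ESP_HEADER.pack(spi, seq) + marker

def strip_ipv4_header(pkt: bytes) -> bytes:
    """Linux raw sockets deliver the IPv4 header too; skip it using IHL."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return pkt[(pkt[0] & 0x0F) * 4:]

def probe_matches(esp: bytes, spi: int, marker: bytes) -> bool:
    """True only for our probe, so ESP of a real tunnel on the path is ignored."""
    if len(esp) < ESP_HEADER.size + len(marker):
        return False
    got_spi, _seq = ESP_HEADER.unpack_from(esp)
    return got_spi == spi and esp[ESP_HEADER.size:ESP_HEADER.size + len(marker)] == marker

def send_esp_probe(dst: str, probe: bytes) -> None:
    """Send the probe as raw protocol 50 from the client-side gateway."""
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, ESP_PROTO) as s:
        s.sendto(probe, (dst, 0))

def await_esp_probe(spi: int, marker: bytes, timeout: float) -> bool:
    """Listen on the server-side gateway until the probe arrives or time runs out.
    False means no matching ESP got through, i.e. protocol 50 is filtered."""
    deadline = time.monotonic() + timeout
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, ESP_PROTO) as r:
        r.bind(("0.0.0.0", 0))
        while (left := deadline - time.monotonic()) > 0:
            r.settimeout(left)
            try:
                pkt, _addr = r.recvfrom(65535)
            except socket.timeout:
                break
            if probe_matches(strip_ipv4_header(pkt), spi, marker):
                return True
    return False
```

Run `await_esp_probe(spi, marker, 10)` on the gateway behind the suspect firewall first, then `send_esp_probe(<its private IP>, build_esp_probe(spi, 1, marker))` from the other cluster's gateway; the listener returning False is the blocked-ESP case that `subctl diagnose firewall inter-cluster` currently misses when NAT Discovery picks the private IP.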