Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Subctl diagnose firewall doesn't detect blocked ESP protocol #1137

Open
yboaron opened this issue May 30, 2024 · 3 comments
Open

Subctl diagnose firewall doesn't detect blocked ESP protocol #1137

yboaron opened this issue May 30, 2024 · 3 comments
Assignees
@yboaron
Labels
enhancement New feature or request

Comments

@yboaron
Copy link
Contributor

yboaron commented May 30, 2024

The Subct diagnose firewall has recently been enhanced to detect and report if the ESP protocol is blocked, check [1] for more details.

According to this slack thread subctl diagnose firewall inter-cluster command seems to succeed even though the ESP protocol is blocked. Tested with subctl 0.16.5.

[1]
89d2449
@yboaron yboaron added the bug Something isn't working label May 30, 2024
@yboaron yboaron self-assigned this May 30, 2024
@yboaron
Copy link
Contributor Author

yboaron commented Jun 2, 2024

In the ^^ slack thread NAT Discovery selects the private IP, which means ESP traffic will not be UDP encapsulated (it will be sent over IP, IP protocol 0x32).

We need to find a way to generate ESP on top of IP traffic and make sure it is received on the server side

@dfarrell07 dfarrell07 added enhancement New feature or request and removed bug Something isn't working labels Jun 4, 2024
@maayanf24 maayanf24 added this to Backlog Jul 2, 2024
@maayanf24 maayanf24 moved this to Backlog in Backlog Jul 2, 2024
@yboaron
Copy link
Contributor Author

yboaron commented Jul 4, 2024

To verify if the root cause of IPSec tunnels being in error state is the blocked ESP protocol, we can enable UDP encapsulation for IPSec traffic and see if that resolves the issue

@github-actions GitHub Actions
Copy link

github-actions bot commented Nov 2, 2024

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further
activity occurs. Thank you for your contributions.

@github-actions github-actions bot added the stale label Nov 2, 2024
@tpantelis tpantelis removed the stale label Nov 2, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@yboaron yboaron

Labels
enhancement New feature or request
Projects
Backlog
Status: Backlog
Milestone
No milestone
Development

No branches or pull requests
3 participants
@dfarrell07 @tpantelis @yboaron