IPsec configuration with VPP


Big picture

Enable IPsec encryption for the traffic flowing between the nodes.


IPsec is the fastest option to encrypt the traffic between nodes. It enables blanket application traffic encryption with very little performance impact.

Before you begin…

In order to enable IPsec encryption, you will need a Kubernetes cluster with:

Also ensure that all the pods in your cluster are running and all containers are ready using kubectl get pods -o wide -A before attempting to enable IPsec.

How to

Create the IKEv2 PSK

Create a Kubernetes secret that contains the PSK used for the IKEv2 exchange between the nodes. You can use the following command to create a random PSK. It will generate a unique random key. You may also replace the part after psk= with a key of your choice.

kubectl -n calico-vpp-dataplane create secret generic calicovpp-ipsec-secret \
   --from-literal=psk="$(dd if=/dev/urandom bs=1 count=36 2>/dev/null | base64)"

Configure the VPP dataplane

To enable IPsec, you need to configure two environment variables on the calico-vpp-node pod. You can do so with the following kubectl command:

kubectl -n calico-vpp-dataplane patch daemonset calico-vpp-node --patch "$(curl https://raw.githubusercontent.com/projectcalico/vpp-dataplane/v0.14.0-calicov3.19.0/yaml/patches/ipsec.yaml)"

Once IPsec is enabled, all the traffic that uses IP-in-IP encapsulation in the cluster will be automatically encrypted.

Next steps

Verify encryption

In order to verify that the traffic is encrypted, open a VPP debug CLI session to check the configuration with calivppctl

calivppctl vppctl myk8node1

Then at the vpp# prompt, you can run the following commands:

  • show ikev2 profile will list the configured IKEv2 profiles, there should be one per other node in your cluster
  • show ipsec sa will list the establish IPsec SA, two per IKEv2 profile
  • show interface will list all the interfaces configured in VPP. The ipip interfaces (which correspond to the IPsec tunnels) should be up

You can also capture the traffic flowing between the nodes to verify that it is encrypted.