IPsec configuration with VPP
Enable IPsec encryption for the traffic flowing between the nodes.
IPsec is the fastest option to encrypt the traffic between nodes. It enables blanket application traffic encryption with very little performance impact.
Before you begin…
In order to enable IPsec encryption, you will need a Kubernetes cluster with:
Also ensure that all the pods in your cluster are running and all containers are ready using
kubectl get pods -o wide -A before attempting to enable IPsec.
Create the IKEv2 PSK
Create a Kubernetes secret that contains the PSK used for the IKEv2 exchange between the nodes. You can use the following command to create a random PSK. It will generate a unique random key. You may also replace the part after
psk= with a key of your choice.
kubectl -n calico-vpp-dataplane create secret generic calicovpp-ipsec-secret \ --from-literal=psk="$(dd if=/dev/urandom bs=1 count=36 2>/dev/null | base64)"
Configure the VPP dataplane
To enable IPsec, you need to configure two environment variables on the
calico-vpp-node pod. You can do so with the following kubectl command:
kubectl -n calico-vpp-dataplane patch daemonset calico-vpp-node --patch "$(curl https://raw.githubusercontent.com/projectcalico/vpp-dataplane/v0.14.0-calicov3.19.0/yaml/patches/ipsec.yaml)"
Once IPsec is enabled, all the traffic that uses IP-in-IP encapsulation in the cluster will be automatically encrypted.
In order to verify that the traffic is encrypted, open a VPP debug CLI session to check the configuration with calivppctl
calivppctl vppctl myk8node1
Then at the
vpp# prompt, you can run the following commands:
show ikev2 profilewill list the configured IKEv2 profiles, there should be one per other node in your cluster
show ipsec sawill list the establish IPsec SA, two per IKEv2 profile
show interfacewill list all the interfaces configured in VPP. The ipip interfaces (which correspond to the IPsec tunnels) should be up
You can also capture the traffic flowing between the nodes to verify that it is encrypted.