Logo

Documentation

IPsec Encryption of Tunnel Traffic with Antrea

Antrea supports encrypting tunnel traffic across Nodes with IPsec ESP. At this moment, IPsec encyption works only for GRE tunnel (but not Geneve, VXLAN, and STT tunnel types).

Prerequisites

IPsec requires a set of Linux kernel modules. Check the required kernel modules listed in the strongSwan documentation. Make sure the required kernel modules are loaded on the Kubernetes Nodes before deploying Antrea with IPsec encyption enabled.

Installation

You can simply apply the Antrea IPsec deployment yaml to deploy Antrea with IPsec encyption enabled. To deploy a released version of Antrea, pick a version from the list of releases. Note that IPsec support was added in release 0.3.0, which means you can not pick a release older than 0.3.0. For any given release <TAG> (e.g. v0.3.0), get the Antrea IPsec deployment yaml at:

https://github.com/vmware-tanzu/antrea/releases/download/<TAG>/antrea-ipsec.yml

To deploy the latest version of Antrea (built from the main branch), get the IPsec deployment yaml at:

https://raw.githubusercontent.com/vmware-tanzu/antrea/main/build/yamls/antrea-ipsec.yml

Antrea leverages strongSwan as the IKE daemon, and supports using pre-shared key (PSK) for IKE authentication. The deployment yaml creates a Kubernetes Secret antrea-ipsec to store the PSK string. For security consideration, we recommend to change the default PSK string in the yaml file. You can edit the yaml file, and update the psk field in the antrea-ipsec Secret spec to any string you want to use. Check the antrea-ipsec Secret spec below:

---
apiVersion: v1
kind: Secret
metadata:
  name: antrea-ipsec
  namespace: kube-system
stringData:
  psk: changeme
type: Opaque

After updating the PSK value, deploy Antrea with:

kubectl apply -f antrea-ipsec.yml

Getting Started

To help you get started, see the documentation.