IPsec Encryption of Tunnel Traffic with Antrea

Antrea supports encrypting tunnel traffic across Nodes with IPsec ESP. IPsec encyption works for all tunnel types supported by OVS including Geneve, GRE, VXLAN, and STT tunnel.


IPsec requires a set of Linux kernel modules. Check the required kernel modules listed in the strongSwan documentation. Make sure the required kernel modules are loaded on the Kubernetes Nodes before deploying Antrea with IPsec encyption enabled.

If you want to enable IPsec with Geneve, please make sure this commit is included in the kernel. For Ubuntu 18.04, kernel version should be at least 4.15.0-128. For Ubuntu 20.04, kernel version should be at least 5.4.70.


You can simply apply the Antrea IPsec deployment yaml to deploy Antrea with IPsec encyption enabled. To deploy a released version of Antrea, pick a version from the list of releases. Note that IPsec support was added in release 0.3.0, which means you can not pick a release older than 0.3.0. For any given release <TAG> (e.g. v0.3.0), get the Antrea IPsec deployment yaml at:


To deploy the latest version of Antrea (built from the main branch), get the IPsec deployment yaml at:


Antrea leverages strongSwan as the IKE daemon, and supports using pre-shared key (PSK) for IKE authentication. The deployment yaml creates a Kubernetes Secret antrea-ipsec to store the PSK string. For security consideration, we recommend to change the default PSK string in the yaml file. You can edit the yaml file, and update the psk field in the antrea-ipsec Secret spec to any string you want to use. Check the antrea-ipsec Secret spec below:

apiVersion: v1
kind: Secret
  name: antrea-ipsec
  namespace: kube-system
  psk: changeme
type: Opaque

After updating the PSK value, deploy Antrea with:

kubectl apply -f antrea-ipsec.yml

Getting Started

To help you get started, see the documentation.