Is it possible to implement IPSEC encryption of the calico IP-IP tunnels?


We have a Kubernetes cluster with Calico 3.17.1. The requirement is to support the encryption of the communication between the pods in a single cluster. Unfortunately, WireGuard is not acceptable in our deployments. One of the options we are considering is to IPsec-encrypt the IPIP tunnels of Calico.

We have tried adding an encryption policy with endpoints of tunl0 between node1 (hosting the test client) and node2 (hosting the test server). But somehow, when we captured the pcaps, the data is not encrypted.

I am new to both Calico and IPsec, and will be working on understanding Calico and IPsec more. But I wanted to check with the community whether anyone has already worked on something similar, and I would appreciate any kind of suggestions.


Sadly Calico won’t help you to set up ipsec between nodes. But if you had already created ipsec tunnels between nodes and they appeared as a virtual interface (e.g. an ipsec VTI), you could configure Calico to use that interface using the IP autodetection setting. Note that this style of ipsec will reduce throughput to about 10% of normal.

The other option is to use the (beta) VPP dataplane and enable ipsec in that. VPP IPsec is extremely performant and we’ve seen it run at line rate.
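To make the first suggestion concrete, here is an added configuration example (not from the original post or from the Calico project) showing how Calico is pointed at an existing IPsec VTI via IP autodetection. It assumes the VTI interfaces on every node are named `vti0` (any name matching the regex works) and that the VTI already carries the node-to-node IPsec tunnel; with this setting the IPIP tunnel endpoints become the VTI addresses, so the IPIP packets ride inside ESP instead of going out in the clear on the physical NIC.

```yaml
# Option A: operator-based install. Set the autodetection method on the
# Installation resource so calico-node picks the VTI address (assumed name:
# vti0) as its node IP and therefore as its IPIP tunnel endpoint.
apiVersion: operator.tigera.io/v1
kind: Installation
metadata:
  name: default
spec:
  calicoNetwork:
    ipPools:
      - cidr: 192.168.0.0/16      # constructed pod CIDR for the example
        encapsulation: IPIP
        natOutgoing: Enabled
    nodeAddressAutodetectionV4:
      interface: "^vti0$"         # regex; assumes the IPsec VTI is vti0
---
# Option B: manifest-based install. The equivalent env var on the
# calico-node DaemonSet container (only the relevant field is shown).
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: calico-node
  namespace: kube-system
spec:
  template:
    spec:
      containers:
        - name: calico-node
          env:
            - name: IP_AUTODETECTION_METHOD
              value: "interface=vti0"   # assumes the IPsec VTI is vti0
            - name: CALICO_IPV4POOL_IPIP
              value: "Always"
```

After rolling this out, `calicoctl get nodes -o wide` should list the VTI address as each node's IP, and a capture on the underlay (physical) interface between node1 and node2 should show only ESP frames for pod-to-pod traffic; if plain IPIP (protocol 4) still appears there, Calico is still sourcing the tunnel from the physical address and the autodetection setting has not taken effect.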