VXLAN - No encryption issue


Apostolis Prassas

Dec 13, 2024, 12:53:03 PM
to submariner-users
Hello all,

I have a 3-node topology.

One node is the Submariner broker, while the other two are the gateways.

I deployed both the broker and the join process for the gateways via the Helm package manager.

I used the VXLAN option for the cable driver.

According to the Submariner docs, I am expecting to see unencrypted traffic between the two gateway nodes. However, using tcpdump and Wireshark I see encryption with IPsec.

The command that was used for the deployment of the broker is:

helm install "${BROKER_NS}" submariner-latest/submariner-k8s-broker --create-namespace --namespace "${BROKER_NS}"

while for the join of gateways to the broker:

helm --kubeconfig=\$kubeconfig_path install submariner-operator submariner-latest/submariner-operator \
        --create-namespace \
        --namespace "${SUBMARINER_NS}" \
        --set ipsec.psk="${SUBMARINER_PSK}" \
        --set broker.server="${SUBMARINER_BROKER_URL}" \
        --set broker.token="${SUBMARINER_BROKER_TOKEN}" \
        --set broker.namespace="${BROKER_NS}" \
        --set broker.ca="${SUBMARINER_BROKER_CA}" \
        --set submariner.cableDriver=vxlan \
        --set submariner.clusterId="\${CLUSTER_ID}" \
        --set submariner.clusterCidr="\${CLUSTER_CIDR}" \
        --set submariner.serviceCidr="\${SERVICE_CIDR}" \
        --set submariner.globalCidr="${GLOBAL_CIDR}" \
        --set serviceAccounts.globalnet.create="\${GLOBALNET}" \
        --set submariner.natEnabled="false" \
        --set crd.create=true \
        --set submariner.serviceDiscovery=true \
        --set serviceAccounts.lighthouse.create=true

I attach a test.pcap file with the captured traffic, as well as two screenshots that show that the gateways are using the VXLAN type of tunnel as the cable driver.

Does Submariner have unencrypted traffic?

Is there anyone who can help?


Thanks in advance.

Kind regards,

Apostolis






test.pcap
node2.png
node12.png