The IP Multimedia Subsystem (IMS) encapsulates SIP traffic between the UE and the P-CSCF (Gm interface) in IPsec Encapsulating Security Payload (ESP) payloads. IPsec breaks when a network is behind NAT. On deploying IMS on Kubernetes, NAT is introduced because pods have a private CIDR, as opposed to the externally exposed P-CSCF service (as a result, the packet from the client gets both SNAT and DNAT to the Pod IP of the P-CSCF). DNAT manipulates the packet header: it replaces the service IP address with the P-CSCF Pod's IP and vice versa. However, modifying the header content violates IPsec's integrity guarantee and breaks it (the transport (TCP) pseudo-header used to calculate the checksum is built with the P-CSCF service IP on the UE side, but since NAT happens because of Kubernetes, the checksum fails when compared against the checksum calculated with the Pod IP, and the packet is dropped in the kernel).
Strategies:
- IPsec tunnel mode encapsulated in a UDP header (NAT-T) to the end host (does not work, as the mobile handset supports IPsec transport mode only)
- Tunnel (UE - Worker_Node and Worker_Node - P-CSCF) [the 3GPP specification does not approve of it]
Finally, we break the IPsec component out of the P-CSCF into a separate microservice. An ESP server for handling ESP associations is created, which uses the Pod's host network and creates the IPsec association and policies in the kernel. The rest of the functionality is done by the P-CSCF. So, as soon as the encrypted packet reaches the worker node, it is automatically decrypted and routing happens according to the services. Because of this, we have created a constraint.
Please help me remove the above constraint, or suggest strategies so that IPsec can work with NAT in the above scenario and we do not have to break the P-CSCF into separate microservices.
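As an added illustration of the checksum failure described in the question (not code from the poster's deployment), this Python script builds a TCP segment whose checksum is computed with the P-CSCF service IP, as the UE would, and then verifies it against the Pod IP that DNAT substitutes. The segment is left untouched, as a NAT box cannot rewrite a segment carried inside an ESP payload; all addresses and the SIP payload are constructed samples.

```python
import ipaddress
import struct

# Constructed sample addresses (RFC 5737 / private ranges), not real ones.
UE_IP = "198.51.100.10"      # handset
SERVICE_IP = "203.0.113.5"   # externally exposed P-CSCF service IP
POD_IP = "10.244.1.23"       # P-CSCF Pod IP substituted by kube-proxy DNAT


def _ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum((data[i] << 8) | data[i + 1] for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header (src, dst, proto 6, length)
    plus the segment, with the segment's own checksum field zeroed."""
    pseudo = (ipaddress.IPv4Address(src_ip).packed
              + ipaddress.IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, 6, len(segment)))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return (~_ones_complement_sum(pseudo + zeroed)) & 0xFFFF


def build_segment(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Minimal 20-byte TCP header (PSH|ACK, no options) with a correct checksum."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    seg = hdr + payload
    return seg[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, seg)) + seg[18:]


def checksum_valid(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """What the receiving kernel does: recompute with the addresses it sees."""
    return tcp_checksum(src_ip, dst_ip, segment) == struct.unpack("!H", segment[16:18])[0]


def nat_breaks_checksum() -> tuple:
    """Returns (valid at service IP, valid at Pod IP) for the same segment."""
    seg = build_segment(UE_IP, SERVICE_IP, 40000, 5060, b"REGISTER sip:ims.example SIP/2.0\r\n")
    # Only the outer IP header is rewritten by DNAT; the ESP-protected segment is not.
    return checksum_valid(UE_IP, SERVICE_IP, seg), checksum_valid(UE_IP, POD_IP, seg)
```

Running `nat_breaks_checksum()` returns `(True, False)`: the same bytes verify at the service address and fail at the Pod address, which is the drop the question describes.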