Ipsec configuration

Is there any documentation for these options?

I remember having problems with hairpin NAT a while back I think due to my container registry being within the rancher environment.

Do I need to enable it?

I went with No for the hairpin option as part of the upgrade to 1.6.3. Unfortunately after upgrading all the infrastructure services, the load balances are failing with the following errors:

Rolling-Back (Expected state running but got stopped: Couldn't bring up network: netplugin failed but error parsing its diagnostic message "": unexpected end of JSON input)

Rolling-Back (Expected state running but got stopped: Timeout getting IP address)

Any ideas?

In fact it seems like the infrastructure services are doing the same thing.

Funny thing is that its only affecting 2 of the 3 rancher environments. One is completely fine.

Sorted by completely removing the hosts and adding them back one by one to each of the problematic environments.

+1 for this one
A little explanation for when Hairpin or promiscuous mode should be used (or not), what it is they are doing, their respective caveats, and such things would be great.