Re: [vpp-dev] VPP IPSec failed to add SA

2019-10-20 Thread Ying, Ruoyu
Thanks Balaji,

I’m able to see crypto engines loaded after installing the plugins, but I still 
got the same error that the sa failed.

vpp# show  ipsec backend
IPsec AH backends available:
   Name Index Active
  crypto engine backend   0 yes
IPsec ESP backends available:
   Name Index Active
  crypto engine backend   0 no
   dpdk backend   1 yes
vpp# sh crypto engine
Name     Prio  Description
ia32     100   Intel IA32 ISA Optimized Crypto
ipsecmb  80    Intel(R) Multi-Buffer Crypto for IPsec Library 0.52.0
openssl  50    OpenSSL

vpp# set interface state VirtualFunctionEthernet0/6/0 up
vpp# set interface ip address VirtualFunctionEthernet0/5/0 192.168.70.100/24
vpp# set interface ip address VirtualFunctionEthernet0/5/0 192.168.100.3/24
vpp# set int promiscuous on VirtualFunctionEthernet0/5/0
vpp# set int promiscuous on VirtualFunctionEthernet0/6/0
vpp# set ip arp VirtualFunctionEthernet0/6/0 192.168.100.4 fa:16:3e:b3:8b:fd
vpp# ip route add count 1 104.0.0.0/32 via 192.168.100.4 VirtualFunctionEthernet0/6/0
vpp# ipsec spd add 1
vpp# set interface ipsec spd VirtualFunctionEthernet0/6/0 1
vpp# ipsec sa add 1 spi 25500128 esp tunnel-src 192.168.100.3 tunnel-dst 192.168.100.4 crypto-key 2b7e151628aed2a6abf7158809cf4f3d crypto-alg aes-cbc-128 integ-key 6867666568676665686766656867666568676669 integ-alg sha1-96
ipsec sa: failed

Anything else that I need to take care of? Thanks a lot.

Best Regards,
Ruoyu


From: Balaji Venkatraman (balajiv)
Sent: Friday, October 18, 2019 11:59 PM
To: Ying, Ruoyu; Neale Ranns (nranns); Filip Tehlar -X (ftehlar - PANTHEON TECHNOLOGIES at Cisco); vpp-dev@lists.fd.io
Subject: Re: [vpp-dev] VPP IPSec failed to add SA

I think the vpp-plugin-core, vpp-plugin-dpdk should carry them:

sudo apt-get install vpp-plugin-core vpp-plugin-dpdk

and confirm the crypto engine is loaded :

show plugins


--
Regards,
Balaji.


From: "Ying, Ruoyu" <ruoyu.y...@intel.com>
Date: Friday, October 18, 2019 at 8:43 AM
To: "Neale Ranns (nranns)" <nra...@cisco.com>, "Filip Tehlar -X (ftehlar - PANTHEON TECHNOLOGIES at Cisco)" <fteh...@cisco.com>, "Balaji Venkatraman (balajiv)" <bala...@cisco.com>, "vpp-dev@lists.fd.io" <vpp-dev@lists.fd.io>
Subject: RE: [vpp-dev] VPP IPSec failed to add SA

Hi Neale,

I’m really new to VPP and can you tell me where’s the plugins you mentioned? 
Thanks a lot.


Best Regards,
Ruoyu

From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> On Behalf Of Neale Ranns via Lists.Fd.Io
Sent: Friday, October 18, 2019 4:02 PM
To: Ying, Ruoyu <ruoyu.y...@intel.com>; Filip Tehlar -X (ftehlar - PANTHEON TECHNOLOGIES at Cisco) <fteh...@cisco.com>; Balaji Venkatraman (balajiv) <bala...@cisco.com>; vpp-dev@lists.fd.io
Cc: vpp-dev@lists.fd.io
Subject: Re: [vpp-dev] VPP IPSec failed to add SA

Hi Ruoyo,

You need to load one of the crypto_* plugins that provide the engine functions.

/neale


From: "Ying, Ruoyu" <ruoyu.y...@intel.com>
Date: Friday 18 October 2019 at 09:44
To: "Filip Tehlar -X (ftehlar - PANTHEON TECHNOLOGIES at Cisco)" <fteh...@cisco.com>, "Balaji Venkatraman (balajiv)" <bala...@cisco.com>, "Neale Ranns (nranns)" <nra...@cisco.com>, "vpp-dev@lists.fd.io" <vpp-dev@lists.fd.io>
Subject: RE: [vpp-dev] VPP IPSec failed to add SA

Hi Filip,

I tried them also, but I still get a similar error:
vpp# set crypto handler aes-128-cbc openssl
failed to set engine openssl for aes-128-cbc!
vpp# set crypto handler aes-128-cbc ia32
failed to set engine ia32 for aes-128-cbc!

And the handlers look like this:
vpp# sh crypto handlers
Algo                Type                Active              Candidates
(nil)
des-cbc             encrypt
                    decrypt
3des-cbc            encrypt
                    decrypt
aes-128-cbc         encrypt
                    decrypt
aes-192-cbc         encrypt
                    decrypt
aes-256-cbc         encrypt
                    decrypt
aes-128-ctr         encrypt
                    decrypt
aes-192-ctr         encrypt
                    decrypt
aes-256-ctr         encrypt
                    decrypt
aes-128-gcm         aead-encrypt
                    aead-decrypt
aes-192-gcm         aead-encrypt
                    aead-decrypt
aes-256-gcm         aead-encrypt
                    aead-decrypt
hmac-md5            hmac
hmac-sha-1          hmac
hmac-s

Re: [vpp-dev] VPP IPSec failed to add SA

2019-10-18 Thread Ying, Ruoyu
Hi Neale,

I’m really new to VPP and can you tell me where’s the plugins you mentioned? 
Thanks a lot.


Best Regards,
Ruoyu

From: vpp-dev@lists.fd.io On Behalf Of Neale Ranns via Lists.Fd.Io
Sent: Friday, October 18, 2019 4:02 PM
To: Ying, Ruoyu; Filip Tehlar -X (ftehlar - PANTHEON TECHNOLOGIES at Cisco); Balaji Venkatraman (balajiv); vpp-dev@lists.fd.io
Cc: vpp-dev@lists.fd.io
Subject: Re: [vpp-dev] VPP IPSec failed to add SA

Hi Ruoyo,

You need to load one of the crypto_* plugins that provide the engine functions.

/neale


From: "Ying, Ruoyu" <ruoyu.y...@intel.com>
Date: Friday 18 October 2019 at 09:44
To: "Filip Tehlar -X (ftehlar - PANTHEON TECHNOLOGIES at Cisco)" <fteh...@cisco.com>, "Balaji Venkatraman (balajiv)" <bala...@cisco.com>, "Neale Ranns (nranns)" <nra...@cisco.com>, "vpp-dev@lists.fd.io" <vpp-dev@lists.fd.io>
Subject: RE: [vpp-dev] VPP IPSec failed to add SA

Hi Filip,

I tried them also, but I still get a similar error:
vpp# set crypto handler aes-128-cbc openssl
failed to set engine openssl for aes-128-cbc!
vpp# set crypto handler aes-128-cbc ia32
failed to set engine ia32 for aes-128-cbc!

And the handlers look like this:
vpp# sh crypto handlers
Algo                Type                Active              Candidates
(nil)
des-cbc             encrypt
                    decrypt
3des-cbc            encrypt
                    decrypt
aes-128-cbc         encrypt
                    decrypt
aes-192-cbc         encrypt
                    decrypt
aes-256-cbc         encrypt
                    decrypt
aes-128-ctr         encrypt
                    decrypt
aes-192-ctr         encrypt
                    decrypt
aes-256-ctr         encrypt
                    decrypt
aes-128-gcm         aead-encrypt
                    aead-decrypt
aes-192-gcm         aead-encrypt
                    aead-decrypt
aes-256-gcm         aead-encrypt
                    aead-decrypt
hmac-md5            hmac
hmac-sha-1          hmac
hmac-sha-224        hmac
hmac-sha-256        hmac
hmac-sha-384        hmac
hmac-sha-512        hmac

Am I setting with the correct command? Thanks a lot.


Best Regards,
Ruoyu



From: Filip Tehlar -X (ftehlar - PANTHEON TECHNOLOGIES at Cisco) <fteh...@cisco.com>
Sent: Friday, October 18, 2019 3:29 PM
To: Ying, Ruoyu <ruoyu.y...@intel.com>; Balaji Venkatraman (balajiv) <bala...@cisco.com>; Neale Ranns (nranns) <nra...@cisco.com>; vpp-dev@lists.fd.io
Subject: RE: [vpp-dev] VPP IPSec failed to add SA

Hi Ruoyu,

Just replace „engine“ with an actual engine name, example:

DBGvpp# show crypto engines
Name     Prio  Description
ia32     100   Intel IA32 ISA Optimized Crypto
ipsecmb  80    Intel(R) Multi-Buffer Crypto for IPsec Library 0.52.0
openssl  50    OpenSSL

DBGvpp# set crypto handler aes-128-cbc ia32
DBGvpp#

Filip

From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> On Behalf Of Ying, Ruoyu
Sent: Friday, October 18, 2019 4:29 AM
To: Balaji Venkatraman (balajiv) <bala...@cisco.com>; Neale Ranns (nranns) <nra...@cisco.com>; vpp-dev@lists.fd.io
Subject: Re: [vpp-dev] VPP IPSec failed to add SA

Hi Balaji,

I checked the docs and tried to set the handler engine. Since there’s no 
example for the command, I’m not sure if I’m setting the right value for 
‘cipher’ here. I tried with different values, but it just returns error msg 
like this:
vpp# set crypto handler aes-128-cbc engine
failed to set engine engine for aes-128-cbc!

vpp# set crypto handler openssl engine
failed to set engine engine for openssl!

And according to the wiki page here( https://wiki.fd.io/view/VPP/IPSec) that 
there’re three choices for the engines. But I cannot get any of them work ☹. 
Any other clues for registering the engines? Thanks a lot.


Best Regards,
Ruoyu



From: Bala

Re: [vpp-dev] VPP IPSec failed to add SA

2019-10-18 Thread Ying, Ruoyu
Hi Filip,

I tried them also, but I still get a similar error:
vpp# set crypto handler aes-128-cbc openssl
failed to set engine openssl for aes-128-cbc!
vpp# set crypto handler aes-128-cbc ia32
failed to set engine ia32 for aes-128-cbc!

And the handlers look like this:
vpp# sh crypto handlers
Algo                Type                Active              Candidates
(nil)
des-cbc             encrypt
                    decrypt
3des-cbc            encrypt
                    decrypt
aes-128-cbc         encrypt
                    decrypt
aes-192-cbc         encrypt
                    decrypt
aes-256-cbc         encrypt
                    decrypt
aes-128-ctr         encrypt
                    decrypt
aes-192-ctr         encrypt
                    decrypt
aes-256-ctr         encrypt
                    decrypt
aes-128-gcm         aead-encrypt
                    aead-decrypt
aes-192-gcm         aead-encrypt
                    aead-decrypt
aes-256-gcm         aead-encrypt
                    aead-decrypt
hmac-md5            hmac
hmac-sha-1          hmac
hmac-sha-224        hmac
hmac-sha-256        hmac
hmac-sha-384        hmac
hmac-sha-512        hmac

Am I setting with the correct command? Thanks a lot.


Best Regards,
Ruoyu



From: Filip Tehlar -X (ftehlar - PANTHEON TECHNOLOGIES at Cisco)
Sent: Friday, October 18, 2019 3:29 PM
To: Ying, Ruoyu; Balaji Venkatraman (balajiv); Neale Ranns (nranns); vpp-dev@lists.fd.io
Subject: RE: [vpp-dev] VPP IPSec failed to add SA

Hi Ruoyu,

Just replace „engine“ with an actual engine name, example:

DBGvpp# show crypto engines
Name     Prio  Description
ia32     100   Intel IA32 ISA Optimized Crypto
ipsecmb  80    Intel(R) Multi-Buffer Crypto for IPsec Library 0.52.0
openssl  50    OpenSSL

DBGvpp# set crypto handler aes-128-cbc ia32
DBGvpp#

Filip

From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> On Behalf Of Ying, Ruoyu
Sent: Friday, October 18, 2019 4:29 AM
To: Balaji Venkatraman (balajiv) <bala...@cisco.com>; Neale Ranns (nranns) <nra...@cisco.com>; vpp-dev@lists.fd.io
Subject: Re: [vpp-dev] VPP IPSec failed to add SA

Hi Balaji,

I checked the docs and tried to set the handler engine. Since there’s no 
example for the command, I’m not sure if I’m setting the right value for 
‘cipher’ here. I tried with different values, but it just returns error msg 
like this:
vpp# set crypto handler aes-128-cbc engine
failed to set engine engine for aes-128-cbc!

vpp# set crypto handler openssl engine
failed to set engine engine for openssl!

And according to the wiki page here( https://wiki.fd.io/view/VPP/IPSec) that 
there’re three choices for the engines. But I cannot get any of them work ☹. 
Any other clues for registering the engines? Thanks a lot.


Best Regards,
Ruoyu



From: Balaji Venkatraman (balajiv) <bala...@cisco.com>
Sent: Friday, October 18, 2019 9:37 AM
To: Ying, Ruoyu <ruoyu.y...@intel.com>; Neale Ranns (nranns) <nra...@cisco.com>; vpp-dev@lists.fd.io
Subject: Re: [vpp-dev] VPP IPSec failed to add SA

Looking at the docs, I think you need to set one using the:

set crypto handler cipher [cipher2 cipher3 …] engine

Not sure, what’s the default behavior.
--
Regards,
Balaji.


From: <vpp-dev@lists.fd.io> on behalf of "Ying, Ruoyu" <ruoyu.y...@intel.com>
Date: Thursday, October 17, 2019 at 6:03 PM
To: "Neale Ranns (nranns)" <nra...@cisco.com>, "vpp-dev@lists.fd.io" <vpp-dev@lists.fd.io>
Subject: Re: [vpp-dev] VPP IPSec failed to add SA

Hi Neale,

Thanks for replying. I think you’ve pointed out the root cause. The cmds 
provides the response like this:
vpp# show crypto engine
No crypto engines registered
vpp# show ipsec backend
IPsec AH backends available:
   Name

Re: [vpp-dev] VPP IPSec failed to add SA

2019-10-17 Thread Ying, Ruoyu
Hi Balaji,

I checked the docs and tried to set the handler engine. Since there’s no 
example for the command, I’m not sure if I’m setting the right value for 
‘cipher’ here. I tried with different values, but it just returns error msg 
like this:
vpp# set crypto handler aes-128-cbc engine
failed to set engine engine for aes-128-cbc!

vpp# set crypto handler openssl engine
failed to set engine engine for openssl!

And according to the wiki page here( https://wiki.fd.io/view/VPP/IPSec) that 
there’re three choices for the engines. But I cannot get any of them work ☹. 
Any other clues for registering the engines? Thanks a lot.


Best Regards,
Ruoyu



From: Balaji Venkatraman (balajiv)
Sent: Friday, October 18, 2019 9:37 AM
To: Ying, Ruoyu; Neale Ranns (nranns); vpp-dev@lists.fd.io
Subject: Re: [vpp-dev] VPP IPSec failed to add SA

Looking at the docs, I think you need to set one using the:

set crypto handler cipher [cipher2 cipher3 …] engine

Not sure, what’s the default behavior.
--
Regards,
Balaji.


From: <vpp-dev@lists.fd.io> on behalf of "Ying, Ruoyu" <ruoyu.y...@intel.com>
Date: Thursday, October 17, 2019 at 6:03 PM
To: "Neale Ranns (nranns)" <nra...@cisco.com>, "vpp-dev@lists.fd.io" <vpp-dev@lists.fd.io>
Subject: Re: [vpp-dev] VPP IPSec failed to add SA

Hi Neale,

Thanks for replying. I think you’ve pointed out the root cause. The cmds 
provides the response like this:
vpp# show crypto engine
No crypto engines registered
vpp# show ipsec backend
IPsec AH backends available:
   Name Index Active
  crypto engine backend   0 yes
IPsec ESP backends available:
   Name Index Active
  crypto engine backend   0 no
   dpdk backend   1 yes

Looks like that no crypto engine is registered. I’m checking the related docs, 
but are the engines registered by default or we need to manually register them? 
Thanks.

Best Regards,
Ruoyu

From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> On Behalf Of Neale Ranns via Lists.Fd.Io
Sent: Thursday, October 17, 2019 8:36 PM
To: Ying, Ruoyu <ruoyu.y...@intel.com>; vpp-dev@lists.fd.io
Cc: vpp-dev@lists.fd.io
Subject: Re: [vpp-dev] VPP IPSec failed to add SA

Hi Ruoyo,

Possibly because your loaded crypto engine/backend does not support the 
requested algorithms. Please provide :
  show crypto engine
  show ipsec backend

also whenever asking for assistance:
  sh version

Thanks,
neale

From: <vpp-dev@lists.fd.io> on behalf of "Ying, Ruoyu" <ruoyu.y...@intel.com>
Date: Thursday 17 October 2019 at 10:52
To: "vpp-dev@lists.fd.io" <vpp-dev@lists.fd.io>
Subject: [vpp-dev] VPP IPSec failed to add SA

Hi,

I tried to use vpp to enable IPSec in my environment. And when I tried to 
create a SA, I always got an error for that.
Detailed configs look like this:
Interface details:
vpp# show int
              Name               Idx    State  MTU (L3/IP4/IP6/MPLS)     Counter          Count
VirtualFunctionEthernet0/5/0      1      up          9000/0/0/0
VirtualFunctionEthernet0/6/0      2      up          9000/0/0/0
local0                            0     down          0/0/0/0

IPSec configs:

set interface state VirtualFunctionEthernet0/5/0 up
set interface state VirtualFunctionEthernet0/6/0 up

set interface ip address VirtualFunctionEthernet0/5/0 192.168.70.100/24
set interface ip address VirtualFunctionEthernet0/6/0 192.168.100.3/24

set int promiscuous on VirtualFunctionEthernet0/5/0
set int promiscuous on VirtualFunctionEthernet0/6/0

set ip arp VirtualFunctionEthernet0/6/0 192.168.100.4 fa:16:3e:b3:8b:fd
set ip arp VirtualFunctionEthernet0/5/0 192.168.70.200 fa:16:3e:f5:2f:e9

ip route add count 1 104.0.0.0/32 via 192.168.100.4 VirtualFunctionEthernet0/6/0
ip route add count 1 004.0.0.0/32 via 192.168.70.200 VirtualFunctionEthernet0/5/0

ipsec spd add 1
set interface ipsec spd VirtualFunctionEthernet0/6/0 1
ipsec sa add 1 spi 1001 esp tunnel-src 192.168.100.3 tunnel-dst 192.168.100.4 crypto-key 2b7e151628aed2a6abf7158809cf4f3d crypto-alg aes-cbc-128 integ-key 6867666568676665686766656867666568676669 integ-alg sha1-96  //This line will return an error ‘ipsec sa: failed’
ipsec sa add 2 spi 25500128 esp tunnel-src 192.168.100.4 tunnel-dst 192.168.100.3 crypto-key 2b7e151628aed2a6abf7158809cf4f3d crypto-alg aes-cbc-128 integ-key 6867666568676665686766656867666568676669 integ-alg sha1-96
ipsec policy add spd 1 outbound priority 100 action protect sa 1 remote-ip-range 104.0.0.0-104.0.0.0
ipsec policy add spd 1 outbound priority 90 protocol 50 action bypa

Re: [vpp-dev] VPP IPSec failed to add SA

2019-10-17 Thread Ying, Ruoyu
Attaching the version information also. And I install VPP through apt.
vpp# sh version
vpp v19.08.1-release built by root on a0e0f3d06c53 at Wed Sep 18 18:14:09 UTC 
2019


Best Regards,
Ruoyu

From: vpp-dev@lists.fd.io  On Behalf Of Ying, Ruoyu
Sent: Friday, October 18, 2019 9:03 AM
To: nra...@cisco.com; vpp-dev@lists.fd.io
Subject: Re: [vpp-dev] VPP IPSec failed to add SA

Hi Neale,

Thanks for replying. I think you’ve pointed out the root cause. The cmds 
provides the response like this:
vpp# show crypto engine
No crypto engines registered
vpp# show ipsec backend
IPsec AH backends available:
   Name Index Active
  crypto engine backend   0 yes
IPsec ESP backends available:
   Name Index Active
  crypto engine backend   0 no
   dpdk backend   1 yes

Looks like that no crypto engine is registered. I’m checking the related docs, 
but are the engines registered by default or we need to manually register them? 
Thanks.

Best Regards,
Ruoyu

From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> On Behalf Of Neale Ranns via Lists.Fd.Io
Sent: Thursday, October 17, 2019 8:36 PM
To: Ying, Ruoyu <ruoyu.y...@intel.com>; vpp-dev@lists.fd.io
Cc: vpp-dev@lists.fd.io
Subject: Re: [vpp-dev] VPP IPSec failed to add SA

Hi Ruoyo,

Possibly because your loaded crypto engine/backend does not support the 
requested algorithms. Please provide :
  show crypto engine
  show ipsec backend

also whenever asking for assistance:
  sh version

Thanks,
neale

From: <vpp-dev@lists.fd.io> on behalf of "Ying, Ruoyu" <ruoyu.y...@intel.com>
Date: Thursday 17 October 2019 at 10:52
To: "vpp-dev@lists.fd.io" <vpp-dev@lists.fd.io>
Subject: [vpp-dev] VPP IPSec failed to add SA

Hi,

I tried to use vpp to enable IPSec in my environment. And when I tried to 
create a SA, I always got an error for that.
Detailed configs look like this:
Interface details:
vpp# show int
              Name               Idx    State  MTU (L3/IP4/IP6/MPLS)     Counter          Count
VirtualFunctionEthernet0/5/0      1      up          9000/0/0/0
VirtualFunctionEthernet0/6/0      2      up          9000/0/0/0
local0                            0     down          0/0/0/0

IPSec configs:

set interface state VirtualFunctionEthernet0/5/0 up
set interface state VirtualFunctionEthernet0/6/0 up

set interface ip address VirtualFunctionEthernet0/5/0 192.168.70.100/24
set interface ip address VirtualFunctionEthernet0/6/0 192.168.100.3/24

set int promiscuous on VirtualFunctionEthernet0/5/0
set int promiscuous on VirtualFunctionEthernet0/6/0

set ip arp VirtualFunctionEthernet0/6/0 192.168.100.4 fa:16:3e:b3:8b:fd
set ip arp VirtualFunctionEthernet0/5/0 192.168.70.200 fa:16:3e:f5:2f:e9

ip route add count 1 104.0.0.0/32 via 192.168.100.4 VirtualFunctionEthernet0/6/0
ip route add count 1 004.0.0.0/32 via 192.168.70.200 VirtualFunctionEthernet0/5/0

ipsec spd add 1
set interface ipsec spd VirtualFunctionEthernet0/6/0 1
ipsec sa add 1 spi 1001 esp tunnel-src 192.168.100.3 tunnel-dst 192.168.100.4 crypto-key 2b7e151628aed2a6abf7158809cf4f3d crypto-alg aes-cbc-128 integ-key 6867666568676665686766656867666568676669 integ-alg sha1-96  //This line will return an error ‘ipsec sa: failed’
ipsec sa add 2 spi 25500128 esp tunnel-src 192.168.100.4 tunnel-dst 192.168.100.3 crypto-key 2b7e151628aed2a6abf7158809cf4f3d crypto-alg aes-cbc-128 integ-key 6867666568676665686766656867666568676669 integ-alg sha1-96
ipsec policy add spd 1 outbound priority 100 action protect sa 1 remote-ip-range 104.0.0.0-104.0.0.0
ipsec policy add spd 1 outbound priority 90 protocol 50 action bypass
ipsec policy add spd 1 inbound priority 100 action protect sa 1 remote-ip-range 004.0.0.0-004.0.0.0
ipsec policy add spd 1 inbound priority 90 protocol 50 action bypass

Anyone know the cause for that? Thanks a lot!!

Best Regards,
Ruoyu

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.

View/Reply Online (#14222): https://lists.fd.io/g/vpp-dev/message/14222
Mute This Topic: https://lists.fd.io/mt/34696319/21656
Group Owner: vpp-dev+ow...@lists.fd.io
Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub  [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-


Re: [vpp-dev] VPP IPSec failed to add SA

2019-10-17 Thread Ying, Ruoyu
Hi Neale,

Thanks for replying. I think you’ve pointed out the root cause. The cmds 
provides the response like this:
vpp# show crypto engine
No crypto engines registered
vpp# show ipsec backend
IPsec AH backends available:
   Name Index Active
  crypto engine backend   0 yes
IPsec ESP backends available:
   Name Index Active
  crypto engine backend   0 no
   dpdk backend   1 yes

Looks like that no crypto engine is registered. I’m checking the related docs, 
but are the engines registered by default or we need to manually register them? 
Thanks.

Best Regards,
Ruoyu

From: vpp-dev@lists.fd.io On Behalf Of Neale Ranns via Lists.Fd.Io
Sent: Thursday, October 17, 2019 8:36 PM
To: Ying, Ruoyu; vpp-dev@lists.fd.io
Cc: vpp-dev@lists.fd.io
Subject: Re: [vpp-dev] VPP IPSec failed to add SA

Hi Ruoyo,

Possibly because your loaded crypto engine/backend does not support the 
requested algorithms. Please provide :
  show crypto engine
  show ipsec backend

also whenever asking for assistance:
  sh version

Thanks,
neale

From: <vpp-dev@lists.fd.io> on behalf of "Ying, Ruoyu" <ruoyu.y...@intel.com>
Date: Thursday 17 October 2019 at 10:52
To: "vpp-dev@lists.fd.io" <vpp-dev@lists.fd.io>
Subject: [vpp-dev] VPP IPSec failed to add SA

Hi,

I tried to use vpp to enable IPSec in my environment. And when I tried to 
create a SA, I always got an error for that.
Detailed configs look like this:
Interface details:
vpp# show int
              Name               Idx    State  MTU (L3/IP4/IP6/MPLS)     Counter          Count
VirtualFunctionEthernet0/5/0      1      up          9000/0/0/0
VirtualFunctionEthernet0/6/0      2      up          9000/0/0/0
local0                            0     down          0/0/0/0

IPSec configs:

set interface state VirtualFunctionEthernet0/5/0 up
set interface state VirtualFunctionEthernet0/6/0 up

set interface ip address VirtualFunctionEthernet0/5/0 192.168.70.100/24
set interface ip address VirtualFunctionEthernet0/6/0 192.168.100.3/24

set int promiscuous on VirtualFunctionEthernet0/5/0
set int promiscuous on VirtualFunctionEthernet0/6/0

set ip arp VirtualFunctionEthernet0/6/0 192.168.100.4 fa:16:3e:b3:8b:fd
set ip arp VirtualFunctionEthernet0/5/0 192.168.70.200 fa:16:3e:f5:2f:e9

ip route add count 1 104.0.0.0/32 via 192.168.100.4 VirtualFunctionEthernet0/6/0
ip route add count 1 004.0.0.0/32 via 192.168.70.200 VirtualFunctionEthernet0/5/0

ipsec spd add 1
set interface ipsec spd VirtualFunctionEthernet0/6/0 1
ipsec sa add 1 spi 1001 esp tunnel-src 192.168.100.3 tunnel-dst 192.168.100.4 crypto-key 2b7e151628aed2a6abf7158809cf4f3d crypto-alg aes-cbc-128 integ-key 6867666568676665686766656867666568676669 integ-alg sha1-96  //This line will return an error ‘ipsec sa: failed’
ipsec sa add 2 spi 25500128 esp tunnel-src 192.168.100.4 tunnel-dst 192.168.100.3 crypto-key 2b7e151628aed2a6abf7158809cf4f3d crypto-alg aes-cbc-128 integ-key 6867666568676665686766656867666568676669 integ-alg sha1-96
ipsec policy add spd 1 outbound priority 100 action protect sa 1 remote-ip-range 104.0.0.0-104.0.0.0
ipsec policy add spd 1 outbound priority 90 protocol 50 action bypass
ipsec policy add spd 1 inbound priority 100 action protect sa 1 remote-ip-range 004.0.0.0-004.0.0.0
ipsec policy add spd 1 inbound priority 90 protocol 50 action bypass

Anyone know the cause for that? Thanks a lot!!

Best Regards,
Ruoyu

View/Reply Online (#14221): https://lists.fd.io/g/vpp-dev/message/14221


[vpp-dev] VPP IPSec failed to add SA

2019-10-17 Thread Ying, Ruoyu
Hi,

I tried to use vpp to enable IPSec in my environment. And when I tried to 
create a SA, I always got an error for that.
Detailed configs look like this:
Interface details:
vpp# show int
              Name               Idx    State  MTU (L3/IP4/IP6/MPLS)     Counter          Count
VirtualFunctionEthernet0/5/0      1      up          9000/0/0/0
VirtualFunctionEthernet0/6/0      2      up          9000/0/0/0
local0                            0     down          0/0/0/0

IPSec configs:

set interface state VirtualFunctionEthernet0/5/0 up
set interface state VirtualFunctionEthernet0/6/0 up

set interface ip address VirtualFunctionEthernet0/5/0 192.168.70.100/24
set interface ip address VirtualFunctionEthernet0/6/0 192.168.100.3/24

set int promiscuous on VirtualFunctionEthernet0/5/0
set int promiscuous on VirtualFunctionEthernet0/6/0

set ip arp VirtualFunctionEthernet0/6/0 192.168.100.4 fa:16:3e:b3:8b:fd
set ip arp VirtualFunctionEthernet0/5/0 192.168.70.200 fa:16:3e:f5:2f:e9

ip route add count 1 104.0.0.0/32 via 192.168.100.4 VirtualFunctionEthernet0/6/0
ip route add count 1 004.0.0.0/32 via 192.168.70.200 VirtualFunctionEthernet0/5/0

ipsec spd add 1
set interface ipsec spd VirtualFunctionEthernet0/6/0 1
ipsec sa add 1 spi 1001 esp tunnel-src 192.168.100.3 tunnel-dst 192.168.100.4 crypto-key 2b7e151628aed2a6abf7158809cf4f3d crypto-alg aes-cbc-128 integ-key 6867666568676665686766656867666568676669 integ-alg sha1-96  //This line will return an error 'ipsec sa: failed'
ipsec sa add 2 spi 25500128 esp tunnel-src 192.168.100.4 tunnel-dst 192.168.100.3 crypto-key 2b7e151628aed2a6abf7158809cf4f3d crypto-alg aes-cbc-128 integ-key 6867666568676665686766656867666568676669 integ-alg sha1-96
ipsec policy add spd 1 outbound priority 100 action protect sa 1 remote-ip-range 104.0.0.0-104.0.0.0
ipsec policy add spd 1 outbound priority 90 protocol 50 action bypass
ipsec policy add spd 1 inbound priority 100 action protect sa 1 remote-ip-range 004.0.0.0-004.0.0.0
ipsec policy add spd 1 inbound priority 90 protocol 50 action bypass

Anyone know the cause for that? Thanks a lot!!

Best Regards,
Ruoyu

View/Reply Online (#14193): https://lists.fd.io/g/vpp-dev/message/14193
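
Added example (not part of the thread and not VPP project code): a Python pre-flight check that parses the two outputs Neale asks for, `show crypto engine` and `show ipsec backend`, and lists what they show before `ipsec sa add` is attempted. The sample outputs are the ones quoted in the thread with column spacing restored by hand; the function names and the wording of the findings are assumptions of this example, and it reports observations only, not a root cause.

```python
import re

# Constructed samples: the outputs quoted in the thread, with the column
# spacing restored by hand (the archive collapsed it).
ENGINES_2019_10_17 = "No crypto engines registered\n"
ENGINES_2019_10_20 = """\
Name     Prio  Description
ia32     100   Intel IA32 ISA Optimized Crypto
ipsecmb  80    Intel(R) Multi-Buffer Crypto for IPsec Library 0.52.0
openssl  50    OpenSSL
"""
BACKENDS = """\
IPsec AH backends available:
   Name                    Index  Active
   crypto engine backend   0      yes
IPsec ESP backends available:
   Name                    Index  Active
   crypto engine backend   0      no
   dpdk backend            1      yes
"""

ENGINE_ROW = re.compile(r"^\s*(\S+)\s+(\d+)\s+(.+?)\s*$")
BACKEND_HEAD = re.compile(r"^\s*IPsec (AH|ESP) backends available:")
BACKEND_ROW = re.compile(r"^\s*(.+?)\s+(\d+)\s+(yes|no)\s*$")


def parse_engines(text):
    """Return [(name, prio, description)], highest priority first.

    The header row and "No crypto engines registered" carry no numeric
    priority column, so they never match ENGINE_ROW.
    """
    rows = [ENGINE_ROW.match(line) for line in text.splitlines()]
    engines = [(m.group(1), int(m.group(2)), m.group(3)) for m in rows if m]
    return sorted(engines, key=lambda e: -e[1])


def parse_backends(text):
    """Return {"AH": {name: (index, active)}, "ESP": {...}}."""
    backends, proto = {}, None
    for line in text.splitlines():
        head = BACKEND_HEAD.match(line)
        if head:
            proto = head.group(1)
            backends[proto] = {}
            continue
        row = BACKEND_ROW.match(line)
        if row and proto:
            backends[proto][row.group(1)] = (int(row.group(2)),
                                             row.group(3) == "yes")
    return backends


def active_backend(backends, proto):
    """Name of the backend marked Active=yes for AH or ESP, or None."""
    for name, (_, active) in backends.get(proto, {}).items():
        if active:
            return name
    return None


def preflight(engines_text, backends_text, proto="ESP"):
    """List observations worth resolving before running `ipsec sa add`."""
    findings = []
    backend = active_backend(parse_backends(backends_text), proto)
    if backend is None:
        findings.append(f"no active {proto} backend")
    elif backend != "crypto engine backend":
        findings.append(
            f"{proto} is served by '{backend}', not 'crypto engine backend'")
    if not parse_engines(engines_text):
        findings.append("no crypto engine registered (load a crypto_* plugin)")
    return findings


if __name__ == "__main__":
    for label, engines in (("2019-10-17", ENGINES_2019_10_17),
                           ("2019-10-20", ENGINES_2019_10_20)):
        print(label, preflight(engines, BACKENDS) or "nothing to report")
```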