Re: [vpp-dev] ikev2: authentication failed, no matching profile found ! ispi cb618189f9d9ac72

2023-02-06 Thread mailtologanathann
It seems that vpp is stricter in this version and it has been relaxed in the later version of code via https://github.com/FDio/vpp/commit/c7cceeebb738b0fabd93d2c4fdfd561321a2be1d By commenting out the right and left ids, authentication goes through and SA gets established [root@83afb4b1f677

[vpp-dev] ikev2: authentication failed, no matching profile found ! ispi cb618189f9d9ac72

2023-02-06 Thread mailtologanathann
hi team I have a strong-swan running as an initiator in linux and vpp, version 21.10, as an IPSEC IKEv2 responder. When IKEv2 auth request reached vpp, we see that it is getting dropped saying that ispi is not found though initiator spi is proper in both ikey SA INIT and SA AUTH REQ messages

[vpp-dev] ikev2 mobike

2023-01-24 Thread amine belroul
Hello guys, Does IKEV2 support MOBIKE.. Thank you.

Re: [vpp-dev] ikev2 mediation

2023-01-10 Thread Bronowski, PiotrX
Vpp + strongswan plugin does. From: vpp-dev@lists.fd.io On Behalf Of amine belroul Sent: Thursday, January 5, 2023 12:15 PM To: vpp-dev@lists.fd.io Subject: [vpp-dev] ikev2 mediation hello guys, Does vpp support ikev2 mediation? thanks

[vpp-dev] ikev2 mediation

2023-01-05 Thread amine belroul
hello guys, Does vpp support ikev2 mediation? thanks.

[vpp-dev] ikev2 CREATE_CHILD_SA with KE (aka PFS)

2022-08-12 Thread Atzm WATANABE
Hi, In RFC 7296, CREATE_CHILD_SA Exchange may contain the KE payload to enable stronger guarantees of forward secrecy. When the KEi payload is included in the CREATE_CHILD_SA request, responder should reply with the KEr payload and complete the key exchange, in accordance with the RFC. Could you

Re: [vpp-dev] ikev2 rekeying with multiple notify payloads

2022-08-09 Thread atzmism
Hi Benoit, Thank you for the quick work! -- Best regards, Atzm WATANABE

[vpp-dev] ikev2 repeated rekeying

2022-08-09 Thread atzmism
Hi, In current implementation of ikev2 plugin, it seems to keep old inbound IPsec SA for a while after rekeying is done, and this old IPsec SA seems to be deleted by manager process later. But it is not deleted and remains forever if rekeying request comes again before deleting it, because 2

Re: [vpp-dev] ikev2 rekeying with multiple notify payloads

2022-08-08 Thread Benoit Ganne (bganne) via lists.fd.io
Merged, thanks Atzm! Best ben > -Original Message- > From: vpp-dev@lists.fd.io On Behalf Of > atzm...@gmail.com > Sent: Monday, August 8, 2022 10:18 > To: vpp-dev@lists.fd.io > Subject: [vpp-dev] ikev2 rekeying with multiple notify payloads > > Hi, >

[vpp-dev] ikev2 rekeying with multiple notify payloads

2022-08-08 Thread atzmism
Hi, In RFC 7296, Child SA rekey using CREATE_CHILD_SA may include multiple Notify payloads. VPP's current ikev2 plugin implementation seems to support multiple Notify payloads but to expect the REKEY_SA message is placed after any other Notify payloads. Some implementation sends rekey request

Re: [vpp-dev] ikev2 and nat-t

2022-05-17 Thread Stanislav Zaikin
fteh...@cisco.com> > *Cc:* vpp-dev ; Benoit Ganne (bganne) < > bga...@cisco.com> > *Subject:* Re: [vpp-dev] ikev2 and nat-t > > Hi Filip, > > In my case an initiator is behind NAT while a responder has a public IP. > What node should check for SPI=0? I also

Re: [vpp-dev] ikev2 and nat-t

2022-05-13 Thread Filip Tehlar -X (ftehlar - PANTHEON TECHNOLOGIES at Cisco) via lists.fd.io
pp-dev ; Benoit Ganne (bganne) Subject: Re: [vpp-dev] ikev2 and nat-t Hi Filip, In my case an initiator is behind NAT while a responder has a public IP. What node should check for SPI=0? I also have LCP enabled on some interfaces, maybe it breaks the default punt behaviour. On Fri, 13 May 2022 at

Re: [vpp-dev] ikev2 and nat-t

2022-05-13 Thread Stanislav Zaikin
via lists.fd.io > *Sent:* Friday, May 13, 2022 10:26 AM > *To:* Stanislav Zaikin ; vpp-dev > *Subject:* Re: [vpp-dev] ikev2 and nat-t > > Hmm good catch, I wonder why we did not catch it - maybe the unit tests > use only non-standard port... > Can you try to patch it accor

Re: [vpp-dev] ikev2 and nat-t

2022-05-13 Thread Filip Tehlar -X (ftehlar - PANTHEON TECHNOLOGIES at Cisco) via lists.fd.io
To: Stanislav Zaikin ; vpp-dev Subject: Re: [vpp-dev] ikev2 and nat-t Hmm good catch, I wonder why we did not catch it - maybe the unit tests use only non-standard port... Can you try to patch it accordingly and if it solves the issue, push it on gerrit for review? If you can update the unit

Re: [vpp-dev] ikev2 and nat-t

2022-05-13 Thread Benoit Ganne (bganne) via lists.fd.io
be ideal of course. Best Ben > -Original Message- > From: vpp-dev@lists.fd.io On Behalf Of Stanislav > Zaikin > Sent: Thursday, May 12, 2022 18:11 > To: vpp-dev > Subject: [vpp-dev] ikev2 and nat-t > > Hello folks, > > I have an issue with ikev2 and the host

[vpp-dev] ikev2 and nat-t

2022-05-12 Thread Stanislav Zaikin
Hello folks, I have an issue with ikev2 and the host over the nat. IKE_AUTH packet goes to ikev2-ip4 node instead of ikev2-ip4-natt and it causes IKEV2_ERROR_BAD_LENGTH. I'm not an expert in ike, but are there the right nodes specified below? udp_register_dst_port (vm, IKEV2_PORT,

Re: [vpp-dev] ikev2 API & new API change process

2020-06-17 Thread Benoit Ganne (bganne) via lists.fd.io
> Yeah, i would rather not mark all api in progress since that would make > the transition much longer. Agreed. > So I suggest a 1 month period during a developer that wants to downgrade > an API, prepares a change with *just that action*, clearly marked “API > downgrade”, type: fix, adds me as

Re: [vpp-dev] ikev2 API & new API change process

2020-06-17 Thread Ole Troan
> Personally, I think it would be a good idea to mark ALL APIs as In-Progress, > as it matches the (lack of) guarantees in previous releases, > and let maintainers mark some messages as Production on their own pace. I'm not sure how you could reconcile that with e.g. the CRC job verifier nor all

Re: [vpp-dev] ikev2 API & new API change process

2020-06-17 Thread Vratko Polak -X (vrpolak - PANTHEON TECHNOLOGIES at Cisco) via lists.fd.io
- From: vpp-dev@lists.fd.io On Behalf Of Benoit Ganne (bganne) via lists.fd.io Sent: Tuesday, 2020-June-16 18:29 To: vpp-dev@lists.fd.io Cc: Filip Tehlar -X (ftehlar - PANTHEON TECH SRO at Cisco) ; Andrew Yourtchenko (ayourtch) Subject: [vpp-dev] ikev2 API & new API change process Hi a

[vpp-dev] ikev2 API & new API change process

2020-06-16 Thread Benoit Ganne (bganne) via lists.fd.io
Hi all, The ikev2 plugin is currently getting some much needed love [1] [2] but it also means that its API is starting to show its age. We'd like to mark it as "In-Progress" under the new API change process [3] so that we can quickly improve it. The rationale is: - the requirement for an API

Re: [vpp-dev] IKEv2/IPSEC with VPP initiator and Strongswan responder #vnet #ipsec

2020-06-16 Thread Filip Tehlar -X (ftehlar - PANTHEON TECHNOLOGIES at Cisco) via lists.fd.io
12:52 PM To: vpp-dev@lists.fd.io Subject: [vpp-dev] IKEv2/IPSEC with VPP initiator and Strongswan responder #vnet #ipsec Hi, My setup is a Strongswan responder and a VPP initiator, I don't have right subnet but I want the VPP initiator to get virtual IP from the Strongswan responder

[vpp-dev] IKEv2/IPSEC with VPP initiator and Strongswan responder #vnet #ipsec

2020-06-16 Thread gtenev
Hi, My setup is a Strongswan responder and a VPP initiator, I don't have right subnet but I want the VPP initiator to get virtual IP from the Strongswan responder. In phase1 negotiation everything seems to be working fine, but in phase 2, can't figure out what is going wrong. I assume that

Re: [**EXTERNAL**] Re: [vpp-dev] ikev2-ipsec-tunnel && NAT-T ?

2019-06-10 Thread Bly, Mike
, 2019 12:42 PM To: vpp-dev@lists.fd.io Subject: [**EXTERNAL**] Re: [vpp-dev] ikev2-ipsec-tunnel && NAT-T ? Are there any updates on this topic? We are playing around with IPSEC/IKEV2 sitting behind NAT and up through v19.04.1 we are not seeing an option to configure IKEv2 over UDP. I do

Re: [vpp-dev] ikev2-ipsec-tunnel && NAT-T ?

2019-06-07 Thread Bly, Mike
Are there any updates on this topic? We are playing around with IPSEC/IKEV2 sitting behind NAT and up through v19.04.1 we are not seeing an option to configure IKEv2 over UDP. I do see CLI support was added for configuring/enabling IPSEC tunnel to use UDP via "ipsec sa add", but "show trace"

Re: [vpp-dev] ikev2-ipsec-tunnel && NAT-T ?

2018-12-06 Thread Klement Sekera via Lists.Fd.Io
Sent: 2018-12-06 18:16 > To: [2]wangchuan...@163.com > Cc: [3]vpp-dev > Subject: Re: Re: [vpp-dev] ikev2-ipsec-tunnel && NAT-T ? > ipsec_sad_add_del_entry API - udp_encap parameter must be set to 1 > > Regards, > Klement >

Re: [vpp-dev] ikev2-ipsec-tunnel && NAT-T ?

2018-12-06 Thread wangchuan...@163.com
-06 18:16 To: wangchuan...@163.com Cc: vpp-dev Subject: Re: Re: [vpp-dev] ikev2-ipsec-tunnel && NAT-T ? ipsec_sad_add_del_entry API - udp_encap parameter must be set to 1 Regards, Klement Quoting wangchuan...@163.com (2018-12-06 02:16:35) >hi Klement, >whi

Re: [vpp-dev] ikev2-ipsec-tunnel && NAT-T ?

2018-12-06 Thread Klement Sekera via Lists.Fd.Io
ngchuan...@163.com > > > From: [1]Klement Sekera > Sent: 2018-12-04 18:09 > To: [2]wangchuan...@163.com > Subject: Re: [vpp-dev] ikev2-ipsec-tunnel && NAT-T ? > There is an API to enable udp encap, but unless this is called > ext

[vpp-dev] ikev2-ipsec-tunnel && NAT-T ?

2018-12-03 Thread wangchuan...@163.com
Hi all, Can the ipsec tunnel generated by ikev2 support udp-encap(NAT-T) ? How? Thanks! wangchuan...@163.com

Re: [vpp-dev] IKEv2 integration, ipsecX interface and related SPD

2018-06-21 Thread Radu Nicolau
Hi, Replies inline. Regards, Radu On 6/21/2018 5:15 PM, berengerf via Lists.Fd.Io wrote: Hello, I have some questions regarding the integration of IKEv2 within VPP. When an IKEv2 negotiation succeeds, an ipsecX interface is created. Then in order to encrypt the outgoing traffic, the

[vpp-dev] IKEv2 integration, ipsecX interface and related SPD

2018-06-21 Thread berengerf via Lists.Fd.Io
Hello, I have some questions regarding the integration of IKEv2 within VPP. When an IKEv2 negotiation succeeds, an ipsecX interface is created. Then in order to encrypt the outgoing traffic, the interface has to be set up manually, an address needs to be assigned to this interface (the address

Re: [vpp-dev] IKEv2 VPN tunnel working in one direction

2018-06-06 Thread Saurabh Jain via Lists.Fd.Io
Hi, Any help here would be appreciable. Please help with configurations. Thanks, Saurabh Jain

[vpp-dev] IKEv2 VPN tunnel working in one direction

2018-06-05 Thread Saurabh Jain via Lists.Fd.Io
Hi, I had configured VPP with IKEv2 & the other end is Strongswan. VPN tunnel is established successfully. When I start ping from Strongswan I can see encapsulated packet towards VPP & VPP is able to successfully decap it & give it to host. But ICMP reply from host is bypassed through VPP.

[vpp-dev] IKEv2 VPN tunnel working in one direction

2018-06-04 Thread via Lists.Fd.Io
Hi, I had configured VPP with IKEv2 & the other end is Strongswan. VPN tunnel is established successfully. When I start ping from Strongswan I can see encapsulated packet towards VPP & VPP is able to successfully decap it & give it to host. But ICMP reply from host is bypassed through VPP. When

[vpp-dev] IKEV2

2018-05-07 Thread xulang
Hi all, Do we have plan to make IKEV2 support the role sponsor? Regards, xulang

Re: [vpp-dev] IKEV2 Negotiation Failed

2017-06-01 Thread Nicolau, Radu
[mailto:vpp-dev-boun...@lists.fd.io] On Behalf Of ??? Sent: Thursday, June 1, 2017 8:09 AM To: vpp-dev@lists.fd.io Subject: [vpp-dev] IKEV2 Negotiation Failed Hi guys, We are testing IKEV2. Something run unsuccessfully. The configuration and the information is shown below: configuration: create host

[vpp-dev] IKEV2 Negotiation Failed

2017-06-01 Thread 薛欣颖
Hi guys, We are testing IKEV2. Something run unsuccessfully. The configuration and the information is shown below: configuration: create host-interface name eth0 hw-addr 02:fe:a0:d5:26:62 create host-interface name eth1 hw-addr 02:fe:63:d4:c1:df set interface ip addr host-eth0 192.168.155.11/24