Re: [vpp-dev] ipip0 or ipsec0 is not getting created after executing "ikev2 initiate sa-init pr1"

2022-08-30 Thread Filip Tehlar -X (ftehlar - PANTHEON TECHNOLOGIES at Cisco) via lists.fd.io
the debugs will get dumped. Can you please help? Thanks Nilesh Inamdar On Fri, Aug 26, 2022 at 6:14 PM Filip Tehlar -X (ftehlar - PANTHEON TECHNOLOGIES at Cisco) via lists.fd.io wrote: Hi Nilesh, looks like you didn't configure

Re: [vpp-dev] ipip0 or ipsec0 is not getting created after executing "ikev2 initiate sa-init pr1"

2022-08-26 Thread Filip Tehlar -X (ftehlar - PANTHEON TECHNOLOGIES at Cisco) via lists.fd.io
Hi Nilesh, looks like you didn't configure esp-integ-alg (it is not a good idea not to use integrity algorithm). So, either configure esp-integ-alg, or use crypto algorithm that does integrity check too, like "esp-crypto-alg aes-gcm-16 256" Filip From:

Re: [vpp-dev] ikev2 and nat-t

2022-05-13 Thread Filip Tehlar -X (ftehlar - PANTHEON TECHNOLOGIES at Cisco) via lists.fd.io
Hi Stanislav, punt-dispatch should be doing it; below is an example of packet trace from my test env: ... 00:00:11:655232: ip4-receive UDP: 192.168.10.1 -> 10.0.0.2 tos 0x00, ttl 63, length 280, checksum 0xc2c9 dscp CS0 ecn NON_ECN fragment id 0xa360, flags DONT_FRAGMENT

Re: [vpp-dev] ikev2 and nat-t

2022-05-13 Thread Filip Tehlar -X (ftehlar - PANTHEON TECHNOLOGIES at Cisco) via lists.fd.io
I'm not entirely sure that's the case - the reason being that default port 4500 is used for both nat traversal and encrypted dataplane traffic. The way to distinguish between those two is having SPI=0 in case of NATT. For this there is punt mechanism in vpp, which forwards 4500 IKE packets to

[vpp-dev] API downgrade: due to lack of ikev2 tests

2020-06-19 Thread Filip Tehlar -X (ftehlar - PANTHEON TECHNOLOGIES at Cisco) via lists.fd.io
Hi VPP community, this [1] is a proposal for downgrading API for IKEv2 plugin as it is not ready to be in production state due to lack of tests. Thanks, Filip [1] https://gerrit.fd.io/r/c/vpp/+/27598

Re: [vpp-dev] IKEv2/IPSEC with VPP initiator and Strongswan responder #vnet #ipsec

2020-06-16 Thread Filip Tehlar -X (ftehlar - PANTHEON TECHNOLOGIES at Cisco) via lists.fd.io
Hi, requesting virtual addresses is currently unsupported in ikev2 plugin. I have created jira ticket to track this issue: https://jira.fd.io/browse/VPP-1912 Thanks, Filip From: vpp-dev@lists.fd.io on behalf of gte...@telco.com Sent: Tuesday, June 16, 2020

Re: [vpp-dev] questions on IKEv2

2020-06-02 Thread Filip Tehlar -X (ftehlar - PANTHEON TECHNOLOGIES at Cisco) via lists.fd.io
Hi Mahdi, I plan to add the missing API messages soon. As for the ikev2_initiate_sa_init returning always success will probably stay as is for now, returning an actual result of session initiation requires (probably big) architectural change for that message. Also initiate_sa_init does send

Re: [SUSPECTED SPAM] [vpp-dev] Troubleshooting IPsec peer behind NAT (AWS instance)

2020-05-07 Thread Filip Tehlar -X (ftehlar - PANTHEON TECHNOLOGIES at Cisco) via lists.fd.io
Hi Muthu, I don't see any reason why your approach shouldn't work. Do you have any specific problem with it? Filip From: Muthu Raj Sent: Thursday, May 7, 2020 9:08 AM To: Filip Tehlar -X (ftehlar - PANTHEON TECH SRO at Cisco) Cc: vpp-dev@lists.fd.io Subject: