Hi, I’m experimenting with IPsec using the AES-NI MB cryptodev and seeing some weird behavior.
I have a tunnel up. Both ends of the tunnel are VPP instances, both configured to use the AES-NI MB cryptodev. The SAs are established with AES-CBC-128 and SHA1. I can ping from a host on one side of the tunnel to a host on the other side. The packets successfully make it across the tunnel, as do the replies. When I try to send TCP or UDP packets in either direction, the VPP instance on the receiving side fails to decrypt the packet. The trace shows that the auth failed.

Of note in the packet traces, when TCP or UDP packets arrive at the receiving side, the sequence numbers printed in the trace are wrong - i.e. they are not what the sending side lists as the current sequence number. If I ping, then try to send a DNS request, then ping again, I see the following:

successful ping:

02:21:37:455916: dpdk-esp-decrypt
  cipher aes-cbc-128 auth sha1-96
  ESP: spi 1333702992, seq 42
02:21:37:455921: dpdk-crypto-input
  status: success

not successful DNS packet:

02:21:40:710125: dpdk-esp-decrypt
  cipher aes-cbc-128 auth sha1-96
  ESP: spi 1333702992, seq 4641
02:21:40:710129: dpdk-crypto-input
  status: auth failed

successful ping:

02:21:43:857313: dpdk-esp-decrypt
  cipher aes-cbc-128 auth sha1-96
  ESP: spi 1333702992, seq 44
02:21:43:857318: dpdk-crypto-input
  status: success

Before I spend several hours figuring out what's going on, I thought I'd check whether anyone else has seen this issue before or has any theories on what might be causing it.

Thanks!
-Matt

_______________________________________________
vpp-dev mailing list
https://lists.fd.io/mailman/listinfo/vpp-dev
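As an added example (not part of the original post, and not VPP or DPDK code): an offline check of what "auth failed" means for an ESP SA using HMAC-SHA1-96. The ICV is computed over the ESP header (SPI and sequence number), the IV and the ciphertext, so a packet whose sequence-number field does not match what the sender put there cannot pass integrity verification. The script builds a constructed ESP packet (assumed 20-byte auth key, assumed opaque IV plus ciphertext; no actual AES is performed because the integrity check does not need it), verifies it, then overwrites the sequence field on the wire and verifies again. It also locates the ESP header inside an IPv4 packet by IHL and protocol number, which is the offset check to make against a capture if the trace's SPI/seq values look wrong.

```python
"""Offline ESP (RFC 4303) integrity check for an AES-CBC + HMAC-SHA1-96 (RFC 2404) SA.
Added example; not VPP/DPDK code. Key, IV and ciphertext below are constructed test values."""
import hashlib
import hmac
import struct

ICV_LEN = 12        # HMAC-SHA1-96: the 20-byte SHA-1 tag truncated to 96 bits
AES_BLOCK = 16      # AES-CBC IV length; IV + ciphertext is a multiple of this
IPPROTO_ESP = 50
ESP_HDR = struct.Struct("!II")   # SPI, sequence number (both big-endian)

# Constructed values for the demo (assumptions, not taken from the post's SA).
AUTH_KEY = b"0123456789abcdef0123"                 # 20-byte HMAC-SHA1 key
SPI = 1333702992                                   # SPI printed in the post's trace
BODY = bytes(range(16)) + bytes(range(16, 48))     # 16-byte IV + 32 bytes of "ciphertext"


def esp_icv(auth_key: bytes, spi: int, seq: int, iv_and_ct: bytes) -> bytes:
    """ICV covers SPI || seq || IV || ciphertext; nothing outside the ESP packet."""
    mac = hmac.new(auth_key, ESP_HDR.pack(spi, seq) + iv_and_ct, hashlib.sha1)
    return mac.digest()[:ICV_LEN]


def build_esp(auth_key: bytes, spi: int, seq: int, iv_and_ct: bytes) -> bytes:
    """Sender side: header, body, then the truncated HMAC as trailer."""
    if len(iv_and_ct) % AES_BLOCK:
        raise ValueError("IV + ciphertext must be a multiple of the AES block size")
    return ESP_HDR.pack(spi, seq) + iv_and_ct + esp_icv(auth_key, spi, seq, iv_and_ct)


def verify_esp(auth_key: bytes, esp: bytes):
    """Receiver side: return (spi, seq, auth_ok) as the receiver sees them.
    The SPI/seq reported here are what is actually in the packet bytes."""
    if len(esp) < ESP_HDR.size + AES_BLOCK + ICV_LEN:
        raise ValueError("truncated ESP packet")
    spi, seq = ESP_HDR.unpack_from(esp, 0)
    body, icv = esp[ESP_HDR.size:-ICV_LEN], esp[-ICV_LEN:]
    ok = hmac.compare_digest(icv, esp_icv(auth_key, spi, seq, body))
    return spi, seq, ok


def ipv4_wrap(esp: bytes, src: bytes, dst: bytes) -> bytes:
    """Minimal IPv4 header (no options, checksum left zero) in front of the ESP packet."""
    total = 20 + len(esp)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0x4000, 64, IPPROTO_ESP, 0, src, dst)
    return hdr + esp


def esp_from_ipv4(pkt: bytes) -> bytes:
    """Locate ESP inside an IPv4 packet: it begins at IHL*4 bytes, only when proto == 50.
    Reading SPI/seq from any other offset yields plausible-looking but wrong numbers."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", pkt, 2)[0]
    if pkt[9] != IPPROTO_ESP:
        raise ValueError("next protocol is %d, not ESP" % pkt[9])
    return pkt[ihl:total_len]


def demo():
    """Good packet verifies; the same packet with its seq field rewritten fails auth."""
    good = build_esp(AUTH_KEY, SPI, 42, BODY)
    # Simulate the sequence-number field being changed between sender and receiver.
    bad = good[:4] + struct.pack("!I", 4641) + good[8:]
    wire = ipv4_wrap(good, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return verify_esp(AUTH_KEY, good), verify_esp(AUTH_KEY, bad), esp_from_ipv4(wire) == good


if __name__ == "__main__":
    for spi, seq, ok in demo()[:2]:
        print("ESP: spi %d, seq %d -> status: %s" % (spi, seq, "success" if ok else "auth failed"))
```

The useful diagnostic here is the order of checks: confirm the ESP offset in the captured IPv4 packet first, then compare the SPI/seq bytes at that offset on both ends, and only then recompute the ICV with the SA's auth key. If the seq field on the wire already differs from what the sender logged, the ICV failure follows from that and is not a separate cipher problem.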
