Hi,
I am facing an issue with packets being dropped at the IPSEC decoder.
I have a setup with traffic pumped from pktgen on both ports, arriving at a
set of VPP-IPSEC gateways (GWs). In the FWD path, the first GW receives from P0 of
pktgen, does the encoding and sends it to the second GW, which does the decoding and
then sends it towards P1 of the pktgen. The reverse happens in the REV path.
In both directions, when I send data at 1Gbps, pkt size 1024, I see packet
drops happening during decoding. I see the following from the traces:
Packet 6
00:01:57:914904: dpdk-input
TenGigabitEtherneta/0/0 rx queue 0
buffer 0x153a6: current data 14, length 1064, free-list 0, clone-count 0,
totlen-nifb 0, trace 0x5
l4-cksum-computed l4-cksum-correct l2-hdr-offset 0
l3-hdr-offset 14
PKT MBUF: port 0, nb_segs 1, pkt_len 1078
buf_len 2176, data_len 1078, ol_flags 0x180, data_off 128, phys_addr
0x3674ea00
packet_type 0x11 l2_len 0 l3_len 0 outer_l2_len 0 outer_l3_len 0
Packet Offload Flags
PKT_RX_IP_CKSUM_GOOD (0x0080) IP cksum of RX pkt. is valid
PKT_RX_L4_CKSUM_GOOD (0x0100) L4 cksum of RX pkt. is valid
Packet Types
RTE_PTYPE_L2_ETHER (0x0001) Ethernet packet
RTE_PTYPE_L3_IPV4 (0x0010) IPv4 packet without extension headers
IP4: 14:02:ec:70:ae:55 -> 14:02:ec:72:ee:dc
IPSEC_ESP: 192.168.1.2 -> 192.168.1.1
tos 0x00, ttl 253, length 1064, checksum 0x3650
fragment id 0x0000
00:01:57:914915: ip4-input-no-checksum
IPSEC_ESP: 192.168.1.2 -> 192.168.1.1
tos 0x00, ttl 253, length 1064, checksum 0x3650
fragment id 0x0000
00:01:57:914924: ipsec-input-ip4
esp: sa_id 20 spi 1000 seq 13544422
00:01:57:914925: dpdk-esp-decrypt
cipher aes-cbc-128 auth sha1-96
ESP: spi 1000, seq 13544422
00:01:57:914928: dpdk-crypto-input
status: auth failed
00:01:57:914944: error-drop
ip4-input: valid ip4 packets
In the same trace, a successful case is as below:
Packet 7
00:01:57:914904: dpdk-input
TenGigabitEtherneta/0/0 rx queue 0
buffer 0x1b8af: current data 14, length 1064, free-list 0, clone-count 0,
totlen-nifb 0, trace 0x6
l4-cksum-computed l4-cksum-correct l2-hdr-offset 0
l3-hdr-offset 14
PKT MBUF: port 0, nb_segs 1, pkt_len 1078
buf_len 2176, data_len 1078, ol_flags 0x180, data_off 128, phys_addr
0x364e2c40
packet_type 0x11 l2_len 0 l3_len 0 outer_l2_len 0 outer_l3_len 0
Packet Offload Flags
PKT_RX_IP_CKSUM_GOOD (0x0080) IP cksum of RX pkt. is valid
PKT_RX_L4_CKSUM_GOOD (0x0100) L4 cksum of RX pkt. is valid
Packet Types
RTE_PTYPE_L2_ETHER (0x0001) Ethernet packet
RTE_PTYPE_L3_IPV4 (0x0010) IPv4 packet without extension headers
IP4: 14:02:ec:70:ae:55 -> 14:02:ec:72:ee:dc
IPSEC_ESP: 192.168.1.2 -> 192.168.1.1
tos 0x00, ttl 253, length 1064, checksum 0x3650
fragment id 0x0000
00:01:57:914915: ip4-input-no-checksum
IPSEC_ESP: 192.168.1.2 -> 192.168.1.1
tos 0x00, ttl 253, length 1064, checksum 0x3650
fragment id 0x0000
00:01:57:914924: ipsec-input-ip4
esp: sa_id 20 spi 1000 seq 13544423
00:01:57:914925: dpdk-esp-decrypt
cipher aes-cbc-128 auth sha1-96
ESP: spi 1000, seq 13544423
00:01:57:914928: dpdk-crypto-input
status: success
00:01:57:914945: dpdk-esp-decrypt-post
cipher aes-cbc-128 auth sha1-96
TCP: 192.168.100.3 -> 192.168.100.2
tos 0x00, ttl 3, length 1006, checksum 0x04a7
fragment id 0x660d
TCP: 1234 -> 5678
seq. 0x12345678 ack 0x12345690
flags 0x10 ACK, tcp header: 20 bytes
window 8192, checksum 0xd8e8
00:01:57:914945: ip4-input-no-checksum
TCP: 192.168.100.3 -> 192.168.100.2
tos 0x00, ttl 3, length 1006, checksum 0x04a7
fragment id 0x660d
TCP: 1234 -> 5678
seq. 0x12345678 ack 0x12345690
flags 0x10 ACK, tcp header: 20 bytes
window 8192, checksum 0xd8e8
00:01:57:914953: ip4-lookup
fib 0 dpo-idx 1 flow hash: 0x00000000
TCP: 192.168.100.3 -> 192.168.100.2
tos 0x00, ttl 3, length 1006, checksum 0x04a7
fragment id 0x660d
TCP: 1234 -> 5678
seq. 0x12345678 ack 0x12345690
flags 0x10 ACK, tcp header: 20 bytes
window 8192, checksum 0xd8e8
00:01:57:914953: ip4-rewrite
tx_sw_if_index 2 dpo-idx 1 : ipv4 via 192.168.100.2 TenGigabitEthernetc/0/0:
1402ec70ae6c1402ec70ae540800 flow hash: 0x00000000
00000000: 1402ec70ae6c1402ec70ae540800450003ee660d0000020605a7c0a86403c0a8
00000020: 640204d2162e123456781234569050102000d8e800007778797a3031
00:01:57:914953: TenGigabitEthernetc/0/0-output
TenGigabitEthernetc/0/0
IP4: 14:02:ec:70:ae:54 -> 14:02:ec:70:ae:6c
TCP: 192.168.100.3 -> 192.168.100.2
tos 0x00, ttl 2, length 1006, checksum 0x05a7
fragment id 0x660d
TCP: 1234 -> 5678
seq. 0x12345678 ack 0x12345690
flags 0x10 ACK, tcp header: 20 bytes
window 8192, checksum 0xd8e8
00:01:57:914953: TenGigabitEthernetc/0/0-tx
TenGigabitEthernetc/0/0 tx queue 2
buffer 0x1b8af: current data 44, length 1020, free-list 0, clone-count 0,
totlen-nifb 0, trace 0x6
l4-cksum-computed l4-cksum-correct l2-hdr-offset 0
l3-hdr-offset 14
PKT MBUF: port 0, nb_segs 1, pkt_len 1020
buf_len 2176, data_len 1020, ol_flags 0x180, data_off 172, phys_addr
0x364e2c40
packet_type 0x11 l2_len 0 l3_len 0 outer_l2_len 0 outer_l3_len 0
Packet Offload Flags
PKT_RX_IP_CKSUM_GOOD (0x0080) IP cksum of RX pkt. is valid
PKT_RX_L4_CKSUM_GOOD (0x0100) L4 cksum of RX pkt. is valid
Packet Types
RTE_PTYPE_L2_ETHER (0x0001) Ethernet packet
RTE_PTYPE_L3_IPV4 (0x0010) IPv4 packet without extension headers
IP4: 14:02:ec:70:ae:54 -> 14:02:ec:70:ae:6c
TCP: 192.168.100.3 -> 192.168.100.2
tos 0x00, ttl 2, length 1006, checksum 0x05a7
fragment id 0x660d
TCP: 1234 -> 5678
seq. 0x12345678 ack 0x12345690
flags 0x10 ACK, tcp header: 20 bytes
window 8192, checksum 0xd8e8
The overall count is as below:
vpp# show interface
              Name               Idx       State          Counter          Count
TenGigabitEtherneta/0/0           1         up       rx packets              82968621
                                                     rx bytes             89440173438
                                                     drops                   10826164
                                                     ip4                    155239708
TenGigabitEthernetc/0/0           2         up       tx packets              72142447
                                                     tx bytes             73585295940
                                                     tx-error                  128640
local0                            0        down
vpp#
RULES:
GW1:
-sh-4.2# cat ipsec.commands
set int ip address TenGigabitEthernetc/0/0 192.168.200.2/24
set int state TenGigabitEthernetc/0/0 up
set ip arp TenGigabitEthernetc/0/0 192.168.100.2 14:02:ec:70:ae:6c
set int ip address TenGigabitEtherneta/0/0 192.168.1.1/24
set int state TenGigabitEtherneta/0/0 up
set ip arp TenGigabitEtherneta/0/0 192.168.1.2 14:02:EC:70:AE:55
ipsec sa add 10 spi 1001 esp tunnel-src 192.168.1.1 tunnel-dst 192.168.1.2 crypto-key 4a506a794f574265564551694d653768 crypto-alg aes-cbc-128 integ-key 4339314b55523947594d6d3547666b45764e6a58 integ-alg sha1-96
ipsec sa add 20 spi 1000 esp tunnel-src 192.168.1.2 tunnel-dst 192.168.1.1 crypto-key 4a506a794f574265564551694d653768 crypto-alg aes-cbc-128 integ-key 4339314b55523947594d6d3547666b45764e6a58 integ-alg sha1-96
ipsec spd add 1
set interface ipsec spd TenGigabitEtherneta/0/0 1
ipsec policy add spd 1 priority 100 inbound action bypass protocol 50
ipsec policy add spd 1 priority 100 outbound action bypass protocol 50
ipsec policy add spd 1 priority 10 outbound action protect sa 10 local-ip-range 192.168.100.2 - 192.168.100.2 remote-ip-range 192.168.100.3 - 192.168.100.3
ipsec policy add spd 1 priority 10 inbound action protect sa 20 local-ip-range 192.168.100.2 - 192.168.100.2 remote-ip-range 192.168.100.3 - 192.168.100.3
ip route add 192.168.100.3/32 via 192.168.1.2 TenGigabitEtherneta/0/0
ip route add 192.168.100.2/32 via TenGigabitEthernetc/0/0
-sh-4.2#
-sh-4.2# cat ipsec.commands
set int ip address TenGigabitEthernet9/0/1 192.168.200.3/24
set int state TenGigabitEthernet9/0/1 up
set ip arp TenGigabitEthernet9/0/1 192.168.100.3 14:02:ec:70:ae:6d
set int ip address TenGigabitEthernetb/0/1 192.168.1.2/24
set int state TenGigabitEthernetb/0/1 up
set ip arp TenGigabitEthernetb/0/1 192.168.1.1 14:02:EC:72:EE:DC
ipsec sa add 10 spi 1001 esp tunnel-src 192.168.1.1 tunnel-dst 192.168.1.2 crypto-key 4a506a794f574265564551694d653768 crypto-alg aes-cbc-128 integ-key 4339314b55523947594d6d3547666b45764e6a58 integ-alg sha1-96
ipsec sa add 20 spi 1000 esp tunnel-src 192.168.1.2 tunnel-dst 192.168.1.1 crypto-key 4a506a794f574265564551694d653768 crypto-alg aes-cbc-128 integ-key 4339314b55523947594d6d3547666b45764e6a58 integ-alg sha1-96
ipsec spd add 1
set interface ipsec spd TenGigabitEthernetb/0/1 1
ipsec policy add spd 1 priority 100 outbound action bypass protocol 50
ipsec policy add spd 1 priority 100 inbound action bypass protocol 50
ipsec policy add spd 1 priority 10 inbound action protect sa 10 local-ip-range 192.168.100.3 - 192.168.100.3 remote-ip-range 192.168.100.2 - 192.168.100.2
ipsec policy add spd 1 priority 10 outbound action protect sa 20 local-ip-range 192.168.100.3 - 192.168.100.3 remote-ip-range 192.168.100.2 - 192.168.100.2
ip route add 192.168.100.2/32 via 192.168.1.1 TenGigabitEthernetb/0/1
ip route add 192.168.100.3/32 via TenGigabitEthernet9/0/1
-sh-4.2#
Regards
Shashi
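
Added example (not part of the original post and not VPP code): a small Python triage script that groups packet-trace output like the above by packet and reports, per SPI, how many packets ended in each dpdk-crypto-input status and which ESP sequence numbers failed authentication. The sample input is constructed by trimming the two traces quoted in the post; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: the two traces from the post, trimmed to the ESP-relevant nodes.
SAMPLE_TRACE = """\
Packet 6
00:01:57:914924: ipsec-input-ip4
  esp: sa_id 20 spi 1000 seq 13544422
00:01:57:914928: dpdk-crypto-input
  status: auth failed
00:01:57:914944: error-drop
  ip4-input: valid ip4 packets
Packet 7
00:01:57:914924: ipsec-input-ip4
  esp: sa_id 20 spi 1000 seq 13544423
00:01:57:914928: dpdk-crypto-input
  status: success
"""

PACKET_RE = re.compile(r"^\s*Packet (\d+)\s*$")
ESP_RE = re.compile(r"esp: sa_id (\d+) spi (\d+) seq (\d+)")
STATUS_RE = re.compile(r"^\s*status: (.+?)\s*$")

def parse_trace(text):
    """Return one record per traced packet: number, sa_id, spi, seq, crypto status."""
    records, cur = [], None
    for line in text.splitlines():
        if (m := PACKET_RE.match(line)):
            cur = {"packet": int(m.group(1)), "sa_id": None, "spi": None,
                   "seq": None, "status": None}
            records.append(cur)
        elif cur is None:
            continue  # preamble before the first "Packet N" header
        elif (m := ESP_RE.search(line)):
            cur["sa_id"], cur["spi"], cur["seq"] = map(int, m.groups())
        elif (m := STATUS_RE.match(line)):
            cur["status"] = m.group(1)
    return records

def summarize(records):
    """Per-SPI counts of each crypto status, plus the seq numbers that did not succeed."""
    summary = defaultdict(lambda: {"counts": defaultdict(int), "failed_seqs": []})
    for r in records:
        if r["spi"] is None or r["status"] is None:
            continue  # not ESP, or the trace ended before dpdk-crypto-input
        entry = summary[r["spi"]]
        entry["counts"][r["status"]] += 1
        if r["status"] != "success":
            entry["failed_seqs"].append(r["seq"])
    return summary
```

Run over a full trace capture, the per-SPI failure ratio and the list of failed sequence numbers show whether the auth failures are isolated packets or a contiguous run.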