Hi,

What platform is VPP running on?
Are you using latest VPP master?

Thanks,
Sergio

On 15/12/2017 11:06, Shashi Kant Singh wrote:

Hi

I am facing an issue with packets being dropped at the IPSEC decoder.

I have a setup with traffic pumped from pktgen on both ports, arriving at a set of VPP-IPSEC gateways (GWs). In the FWD path, the first GW receives from P0 of pktgen, does the encoding and sends it to the second GW, which does the decoding and then sends it towards P1 of the pktgen. The reverse happens in the REV path.

In both directions, when I send data at 1Gbps, pkt size 1024, I see packet drops happening during decoding. I see the following from the traces:

Packet 6

00:01:57:914904: dpdk-input

  TenGigabitEtherneta/0/0 rx queue 0

  buffer 0x153a6: current data 14, length 1064, free-list 0, clone-count 0, totlen-nifb 0, trace 0x5

                  l4-cksum-computed l4-cksum-correct l2-hdr-offset 0 l3-hdr-offset 14

  PKT MBUF: port 0, nb_segs 1, pkt_len 1078

    buf_len 2176, data_len 1078, ol_flags 0x180, data_off 128, phys_addr 0x3674ea00

    packet_type 0x11 l2_len 0 l3_len 0 outer_l2_len 0 outer_l3_len 0

    Packet Offload Flags

      PKT_RX_IP_CKSUM_GOOD (0x0080) IP cksum of RX pkt. is valid

      PKT_RX_L4_CKSUM_GOOD (0x0100) L4 cksum of RX pkt. is valid

    Packet Types

      RTE_PTYPE_L2_ETHER (0x0001) Ethernet packet

      RTE_PTYPE_L3_IPV4 (0x0010) IPv4 packet without extension headers

  IP4: 14:02:ec:70:ae:55 -> 14:02:ec:72:ee:dc

  IPSEC_ESP: 192.168.1.2 -> 192.168.1.1

    tos 0x00, ttl 253, length 1064, checksum 0x3650

    fragment id 0x0000

00:01:57:914915: ip4-input-no-checksum

  IPSEC_ESP: 192.168.1.2 -> 192.168.1.1

    tos 0x00, ttl 253, length 1064, checksum 0x3650

    fragment id 0x0000

00:01:57:914924: ipsec-input-ip4

  esp: sa_id 20 spi 1000 seq 13544422

00:01:57:914925: dpdk-esp-decrypt

  cipher aes-cbc-128 auth sha1-96

  ESP: spi 1000, seq 13544422

00:01:57:914928: dpdk-crypto-input

  status: auth failed

00:01:57:914944: error-drop

  ip4-input: valid ip4 packets

In the same trace, a successful case is as below:

Packet 7

00:01:57:914904: dpdk-input

  TenGigabitEtherneta/0/0 rx queue 0

  buffer 0x1b8af: current data 14, length 1064, free-list 0, clone-count 0, totlen-nifb 0, trace 0x6

                  l4-cksum-computed l4-cksum-correct l2-hdr-offset 0 l3-hdr-offset 14

  PKT MBUF: port 0, nb_segs 1, pkt_len 1078

    buf_len 2176, data_len 1078, ol_flags 0x180, data_off 128, phys_addr 0x364e2c40

    packet_type 0x11 l2_len 0 l3_len 0 outer_l2_len 0 outer_l3_len 0

    Packet Offload Flags

      PKT_RX_IP_CKSUM_GOOD (0x0080) IP cksum of RX pkt. is valid

      PKT_RX_L4_CKSUM_GOOD (0x0100) L4 cksum of RX pkt. is valid

    Packet Types

      RTE_PTYPE_L2_ETHER (0x0001) Ethernet packet

      RTE_PTYPE_L3_IPV4 (0x0010) IPv4 packet without extension headers

  IP4: 14:02:ec:70:ae:55 -> 14:02:ec:72:ee:dc

  IPSEC_ESP: 192.168.1.2 -> 192.168.1.1

    tos 0x00, ttl 253, length 1064, checksum 0x3650

    fragment id 0x0000

00:01:57:914915: ip4-input-no-checksum

  IPSEC_ESP: 192.168.1.2 -> 192.168.1.1

    tos 0x00, ttl 253, length 1064, checksum 0x3650

    fragment id 0x0000

00:01:57:914924: ipsec-input-ip4

  esp: sa_id 20 spi 1000 seq 13544423

00:01:57:914925: dpdk-esp-decrypt

  cipher aes-cbc-128 auth sha1-96

  ESP: spi 1000, seq 13544423

00:01:57:914928: dpdk-crypto-input

  status: success

00:01:57:914945: dpdk-esp-decrypt-post

  cipher aes-cbc-128 auth sha1-96

  TCP: 192.168.100.3 -> 192.168.100.2

    tos 0x00, ttl 3, length 1006, checksum 0x04a7

    fragment id 0x660d

  TCP: 1234 -> 5678

    seq. 0x12345678 ack 0x12345690

    flags 0x10 ACK, tcp header: 20 bytes

    window 8192, checksum 0xd8e8

00:01:57:914945: ip4-input-no-checksum

  TCP: 192.168.100.3 -> 192.168.100.2

    tos 0x00, ttl 3, length 1006, checksum 0x04a7

    fragment id 0x660d

  TCP: 1234 -> 5678

    seq. 0x12345678 ack 0x12345690

    flags 0x10 ACK, tcp header: 20 bytes

    window 8192, checksum 0xd8e8

00:01:57:914953: ip4-lookup

  fib 0 dpo-idx 1 flow hash: 0x00000000

  TCP: 192.168.100.3 -> 192.168.100.2

    tos 0x00, ttl 3, length 1006, checksum 0x04a7

    fragment id 0x660d

  TCP: 1234 -> 5678

    seq. 0x12345678 ack 0x12345690

    flags 0x10 ACK, tcp header: 20 bytes

    window 8192, checksum 0xd8e8

00:01:57:914953: ip4-rewrite

  tx_sw_if_index 2 dpo-idx 1 : ipv4 via 192.168.100.2 TenGigabitEthernetc/0/0: 1402ec70ae6c1402ec70ae540800 flow hash: 0x00000000

  00000000: 1402ec70ae6c1402ec70ae540800450003ee660d0000020605a7c0a86403c0a8

  00000020: 640204d2162e123456781234569050102000d8e800007778797a3031

00:01:57:914953: TenGigabitEthernetc/0/0-output

  TenGigabitEthernetc/0/0

  IP4: 14:02:ec:70:ae:54 -> 14:02:ec:70:ae:6c

  TCP: 192.168.100.3 -> 192.168.100.2

    tos 0x00, ttl 2, length 1006, checksum 0x05a7

    fragment id 0x660d

  TCP: 1234 -> 5678

    seq. 0x12345678 ack 0x12345690

    flags 0x10 ACK, tcp header: 20 bytes

    window 8192, checksum 0xd8e8

00:01:57:914953: TenGigabitEthernetc/0/0-tx

  TenGigabitEthernetc/0/0 tx queue 2

  buffer 0x1b8af: current data 44, length 1020, free-list 0, clone-count 0, totlen-nifb 0, trace 0x6

                  l4-cksum-computed l4-cksum-correct l2-hdr-offset 0 l3-hdr-offset 14

  PKT MBUF: port 0, nb_segs 1, pkt_len 1020

    buf_len 2176, data_len 1020, ol_flags 0x180, data_off 172, phys_addr 0x364e2c40

    packet_type 0x11 l2_len 0 l3_len 0 outer_l2_len 0 outer_l3_len 0

    Packet Offload Flags

      PKT_RX_IP_CKSUM_GOOD (0x0080) IP cksum of RX pkt. is valid

      PKT_RX_L4_CKSUM_GOOD (0x0100) L4 cksum of RX pkt. is valid

    Packet Types

      RTE_PTYPE_L2_ETHER (0x0001) Ethernet packet

      RTE_PTYPE_L3_IPV4 (0x0010) IPv4 packet without extension headers

  IP4: 14:02:ec:70:ae:54 -> 14:02:ec:70:ae:6c

  TCP: 192.168.100.3 -> 192.168.100.2

    tos 0x00, ttl 2, length 1006, checksum 0x05a7

    fragment id 0x660d

  TCP: 1234 -> 5678

    seq. 0x12345678 ack 0x12345690

    flags 0x10 ACK, tcp header: 20 bytes

    window 8192, checksum 0xd8e8

Overall count is as below:

vpp# show interface
              Name               Idx State          Counter          Count
TenGigabitEtherneta/0/0           1 up       rx packets              82968621
                                             rx bytes             89440173438
                                             drops                   10826164
                                             ip4                    155239708
TenGigabitEthernetc/0/0           2 up       tx packets              72142447
                                             tx bytes             73585295940
                                             tx-error                  128640
local0                            0 down
vpp#

RULES:

GW1:

-sh-4.2# cat ipsec.commands

set int ip address TenGigabitEthernetc/0/0 192.168.200.2/24

set int state TenGigabitEthernetc/0/0 up

set ip arp TenGigabitEthernetc/0/0 192.168.100.2 14:02:ec:70:ae:6c

set int ip address TenGigabitEtherneta/0/0 192.168.1.1/24

set int state TenGigabitEtherneta/0/0 up

set ip arp TenGigabitEtherneta/0/0 192.168.1.2 14:02:EC:70:AE:55

ipsec sa add 10 spi 1001 esp tunnel-src 192.168.1.1 tunnel-dst 192.168.1.2 crypto-key 4a506a794f574265564551694d653768 crypto-alg aes-cbc-128 integ-key 4339314b55523947594d6d3547666b45764e6a58 integ-alg sha1-96

ipsec sa add 20 spi 1000 esp tunnel-src 192.168.1.2 tunnel-dst 192.168.1.1 crypto-key 4a506a794f574265564551694d653768 crypto-alg aes-cbc-128 integ-key 4339314b55523947594d6d3547666b45764e6a58 integ-alg sha1-96

ipsec spd add 1

set interface ipsec spd TenGigabitEtherneta/0/0 1

ipsec policy add spd 1 priority 100 inbound action bypass protocol 50

ipsec policy add spd 1 priority 100 outbound action bypass protocol 50

ipsec policy add spd 1 priority 10 outbound action protect sa 10 local-ip-range 192.168.100.2 - 192.168.100.2 remote-ip-range 192.168.100.3 - 192.168.100.3

ipsec policy add spd 1 priority 10 inbound action protect sa 20 local-ip-range 192.168.100.2 - 192.168.100.2 remote-ip-range 192.168.100.3 - 192.168.100.3

ip route add 192.168.100.3/32 via 192.168.1.2 TenGigabitEtherneta/0/0

ip route add 192.168.100.2/32 via TenGigabitEthernetc/0/0

-sh-4.2#

-sh-4.2# cat ipsec.commands

set int ip address TenGigabitEthernet9/0/1 192.168.200.3/24

set int state TenGigabitEthernet9/0/1 up

set ip arp TenGigabitEthernet9/0/1 192.168.100.3 14:02:ec:70:ae:6d

set int ip address TenGigabitEthernetb/0/1 192.168.1.2/24

set int state TenGigabitEthernetb/0/1 up

set ip arp TenGigabitEthernetb/0/1 192.168.1.1 14:02:EC:72:EE:DC

ipsec sa add 10 spi 1001 esp tunnel-src 192.168.1.1 tunnel-dst 192.168.1.2 crypto-key 4a506a794f574265564551694d653768 crypto-alg aes-cbc-128 integ-key 4339314b55523947594d6d3547666b45764e6a58 integ-alg sha1-96

ipsec sa add 20 spi 1000 esp tunnel-src 192.168.1.2 tunnel-dst 192.168.1.1 crypto-key 4a506a794f574265564551694d653768 crypto-alg aes-cbc-128 integ-key 4339314b55523947594d6d3547666b45764e6a58 integ-alg sha1-96

ipsec spd add 1

set interface ipsec spd TenGigabitEthernetb/0/1 1

ipsec policy add spd 1 priority 100 outbound action bypass protocol 50

ipsec policy add spd 1 priority 100 inbound action bypass protocol 50

ipsec policy add spd 1 priority 10 inbound action protect sa 10 local-ip-range 192.168.100.3 - 192.168.100.3 remote-ip-range 192.168.100.2 - 192.168.100.2

ipsec policy add spd 1 priority 10 outbound action protect sa 20 local-ip-range 192.168.100.3 - 192.168.100.3 remote-ip-range 192.168.100.2 - 192.168.100.2

ip route add 192.168.100.2/32 via 192.168.1.1 TenGigabitEthernetb/0/1

ip route add 192.168.100.3/32 via TenGigabitEthernet9/0/1

-sh-4.2#

Regards

Shashi



_______________________________________________
vpp-dev mailing list
[email protected]
https://lists.fd.io/mailman/listinfo/vpp-dev
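
Added example, not part of the original thread and not VPP code: a small Python parser for the packet-trace format quoted above that reports which packets failed at dpdk-crypto-input, with their SA, SPI and ESP sequence number. The sample trace is constructed by condensing the two traces in the message, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: condensed from the Packet 6 / Packet 7 traces in the message.
SAMPLE_TRACE = """\
Packet 6
00:01:57:914904: dpdk-input
00:01:57:914924: ipsec-input-ip4
  esp: sa_id 20 spi 1000 seq 13544422
00:01:57:914928: dpdk-crypto-input
  status: auth failed
00:01:57:914944: error-drop
Packet 7
00:01:57:914904: dpdk-input
00:01:57:914924: ipsec-input-ip4
  esp: sa_id 20 spi 1000 seq 13544423
00:01:57:914928: dpdk-crypto-input
  status: success
00:01:57:914945: dpdk-esp-decrypt-post
"""

PKT_RE = re.compile(r"^Packet (\d+)\s*$")
NODE_RE = re.compile(r"^\d\d:\d\d:\d\d:\d+: (\S+)\s*$")   # "<timestamp>: <graph node>"
ESP_RE = re.compile(r"esp: sa_id (\d+) spi (\d+) seq (\d+)")
STATUS_RE = re.compile(r"^\s*status: (.+?)\s*$")

def parse_trace(text):
    """Return one dict per traced packet: id, node path, SA/SPI/seq, crypto status."""
    packets = []
    for line in text.splitlines():
        if (m := PKT_RE.match(line)):
            packets.append({"id": int(m.group(1)), "nodes": [], "status": None,
                            "sa": None, "spi": None, "seq": None})
            continue
        if not packets:
            continue
        pkt = packets[-1]
        if (m := NODE_RE.match(line)):
            pkt["nodes"].append(m.group(1))
        elif (m := ESP_RE.search(line)):
            pkt.update(sa=int(m.group(1)), spi=int(m.group(2)), seq=int(m.group(3)))
        elif (m := STATUS_RE.match(line)) and pkt["nodes"][-1:] == ["dpdk-crypto-input"]:
            pkt["status"] = m.group(1)   # only the status reported by the crypto node
    return packets

def crypto_failures(packets):
    """Packets whose crypto op did not succeed, plus a per-(SA, status) tally."""
    failed = [p for p in packets if p["status"] not in (None, "success")]
    tally = Counter((p["sa"], p["status"]) for p in packets if p["status"])
    return failed, tally
```

Blank lines between trace lines, as in the pasted output, are ignored by the parser, so the full trace text can be passed to `parse_trace` unchanged.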
