Dear Varban,

Welcome to the VPP community 😊 you have reached the right group...

I suspect you need to flip the IP ranges for your inbound policy command. For the outbound policy the remote address is compared with the packet's destination; for the inbound policy the remote address is compared with the packet's source address. If you include a 'sh trace' output next time, that will help us debug.

Regards,
neale

From: <vpp-dev@lists.fd.io> on behalf of Varban Metodiev <varban.metod...@gmail.com>
Date: Thursday, 4 July 2019 at 17:52
To: "vpp-dev@lists.fd.io" <vpp-dev@lists.fd.io>
Subject: [vpp-dev] Cannot configure IPsec in tunnel mode with manual SAs

Dear VPP Team,

This is my first post in the FD.io community, so please excuse me if I have addressed my query to an inappropriate group.

Well, recently I have been trying to set up a site-to-site IPsec in tunnel mode with manually configured SAs. Unfortunately, I cannot get the traffic encrypted. Below I am attaching the topology diagram.

I have used the following commands on the NFVBench (https://wiki.opnfv.org/display/nfvbench/NFVbench) virtual machine:

Site A:

vppctl ip route add 30.0.0.0/24 via 192.168.99.2 GigabitEthernet0/4/0
vppctl ipsec sa add 10 spi 1010 esp crypto-alg aes-cbc-128 crypto-key 4a506a794f574265564551694d653768 integ-alg sha1-96 integ-key 4339314b55523947594d6d3547666b45764e6a58 tunnel-src 192.168.99.1 tunnel-dst 192.168.99.2
vppctl ipsec sa add 20 spi 1020 esp crypto-alg aes-cbc-128 crypto-key 4a506a794f574265564551694d653768 integ-alg sha1-96 integ-key 4339314b55523947594d6d3547666b45764e6a58 tunnel-src 192.168.99.1 tunnel-dst 192.168.99.2
vppctl ipsec sa add 30 spi 1030 esp crypto-alg aes-cbc-128 crypto-key 4a506a794f574265564551694d653768 integ-alg sha1-96 integ-key 4339314b55523947594d6d3547666b45764e6a58 tunnel-src 192.168.99.1 tunnel-dst 192.168.99.2
vppctl ipsec sa add 40 spi 1040 esp crypto-alg aes-cbc-128 crypto-key 4a506a794f574265564551694d653768 integ-alg sha1-96 integ-key 4339314b55523947594d6d3547666b45764e6a58 tunnel-src 192.168.99.1 tunnel-dst 192.168.99.2
vppctl ipsec spd add 1
vppctl set interface ipsec spd GigabitEthernet0/4/0 1
vppctl ipsec policy add spd 1 priority 100 outbound action protect sa 30 local-ip-range 20.0.0.1 - 20.0.0.254 remote-ip-range 30.0.0.1 - 30.0.0.254
vppctl ipsec policy add spd 1 priority 100 inbound action protect sa 40 local-ip-range 20.0.0.1 - 20.0.0.254 remote-ip-range 30.0.0.1 - 30.0.0.254

Site B:

vppctl ip route add 20.0.0.0/24 via 192.168.99.1 GigabitEthernet0/4/0
vppctl ipsec sa add 10 spi 1010 esp crypto-alg aes-cbc-128 crypto-key 4a506a794f574265564551694d653768 integ-alg sha1-96 integ-key 4339314b55523947594d6d3547666b45764e6a58 tunnel-src 192.168.99.2 tunnel-dst 192.168.99.1
vppctl ipsec sa add 20 spi 1020 esp crypto-alg aes-cbc-128 crypto-key 4a506a794f574265564551694d653768 integ-alg sha1-96 integ-key 4339314b55523947594d6d3547666b45764e6a58 tunnel-src 192.168.99.2 tunnel-dst 192.168.99.1
vppctl ipsec sa add 30 spi 1030 esp crypto-alg aes-cbc-128 crypto-key 4a506a794f574265564551694d653768 integ-alg sha1-96 integ-key 4339314b55523947594d6d3547666b45764e6a58 tunnel-src 192.168.99.2 tunnel-dst 192.168.99.1
vppctl ipsec sa add 40 spi 1040 esp crypto-alg aes-cbc-128 crypto-key 4a506a794f574265564551694d653768 integ-alg sha1-96 integ-key 4339314b55523947594d6d3547666b45764e6a58 tunnel-src 192.168.99.2 tunnel-dst 192.168.99.1
vppctl ipsec spd add 1
vppctl set interface ipsec spd GigabitEthernet0/4/0 1
vppctl ipsec policy add spd 1 priority 100 inbound action protect sa 30 local-ip-range 30.0.0.1 - 30.0.0.254 remote-ip-range 20.0.0.1 - 20.0.0.254
vppctl ipsec policy add spd 1 priority 100 outbound action protect sa 40 local-ip-range 30.0.0.1 - 30.0.0.254 remote-ip-range 20.0.0.1 - 20.0.0.254

Apart from the pasted lines, I have tried a lot of different combinations for the SA formation. However, the only positive result I managed to get was incremented counters on the outbound.

Could you please help me with this?

Kind Regards,
Varban
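The following is an added example, not part of the thread and not VPP's code: a small Python model of the range-orientation rule Neale states (outbound: local range against the packet's source, remote range against its destination; inbound: remote range against the source, local range against the destination). It encodes Site A's two policies exactly as posted and checks them against constructed sample packets, so a policy's orientation can be verified before it is typed into vppctl. The packet addresses, including the ESP outer-header case with the tunnel endpoints 192.168.99.x as source and destination, are made up for illustration; nothing about VPP's real lookup beyond that one-sentence rule is modelled.

```python
"""Model of the SPD range-orientation rule from the reply above.

Added example, not VPP code. Applies the stated rule:
  outbound: local range <-> packet source, remote range <-> packet destination
  inbound:  remote range <-> packet source, local range <-> packet destination
to constructed packets, to check a policy's orientation offline.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional


@dataclass(frozen=True)
class Policy:
    direction: str      # "inbound" or "outbound"
    sa: int             # SA id the policy protects with
    local_lo: str
    local_hi: str
    remote_lo: str
    remote_hi: str
    priority: int = 100


def _in_range(addr: str, lo: str, hi: str) -> bool:
    return IPv4Address(lo) <= IPv4Address(addr) <= IPv4Address(hi)


def policy_matches(p: Policy, direction: str, src: str, dst: str) -> bool:
    """Apply the orientation rule for one policy and one packet."""
    if p.direction != direction:
        return False
    if direction == "outbound":
        # outbound: local range vs source, remote range vs destination
        return (_in_range(src, p.local_lo, p.local_hi)
                and _in_range(dst, p.remote_lo, p.remote_hi))
    # inbound: remote range vs source, local range vs destination
    return (_in_range(src, p.remote_lo, p.remote_hi)
            and _in_range(dst, p.local_lo, p.local_hi))


def lookup(policies: List[Policy], direction: str, src: str, dst: str) -> Optional[int]:
    """Return the SA id of the highest-priority matching policy, or None."""
    hits = [p for p in policies if policy_matches(p, direction, src, dst)]
    if not hits:
        return None
    return max(hits, key=lambda p: p.priority).sa


# Site A's two policies, copied from the post (ranges as typed into vppctl).
SITE_A: List[Policy] = [
    Policy("outbound", 30, "20.0.0.1", "20.0.0.254", "30.0.0.1", "30.0.0.254"),
    Policy("inbound", 40, "20.0.0.1", "20.0.0.254", "30.0.0.1", "30.0.0.254"),
]

# Constructed sample packets (not from the thread), seen from Site A.
OUTBOUND_INNER = ("20.0.0.10", "30.0.0.10")       # host behind A -> host behind B
INBOUND_INNER = ("30.0.0.10", "20.0.0.10")        # decrypted payload from B
INBOUND_ESP_OUTER = ("192.168.99.2", "192.168.99.1")  # ESP outer header from B


def site_a_report() -> dict:
    """Which SA (if any) each sample packet selects under the stated rule."""
    return {
        "outbound inner": lookup(SITE_A, "outbound", *OUTBOUND_INNER),
        "inbound inner": lookup(SITE_A, "inbound", *INBOUND_INNER),
        "inbound ESP outer": lookup(SITE_A, "inbound", *INBOUND_ESP_OUTER),
        # reversed packet in the outbound direction must not match
        "outbound reversed": lookup(SITE_A, "outbound", *INBOUND_INNER),
    }


if __name__ == "__main__":
    for name, sa in site_a_report().items():
        print(f"{name:18s} -> {'SA ' + str(sa) if sa is not None else 'no policy'}")
```

Under the rule as stated, Site A's outbound policy selects SA 30 for 20.x → 30.x traffic and the inbound policy selects SA 40 for decrypted 30.x → 20.x traffic, while the ESP outer header (192.168.99.2 → 192.168.99.1) matches nothing because the 20.x/30.x ranges do not cover the tunnel endpoints. The 'sh trace' Neale asks for is what tells you which of these addresses the real lookup on the box actually saw.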
View/Reply Online (#13447): https://lists.fd.io/g/vpp-dev/message/13447