Hi Chuan,

Please remove the SPD config. For tunnels all packets that ingress/egress the 
tunnel are decrypted/encrypted, so no policy is required. The presence of the 
SPD on the ingress eth0 link could be why it’s not working.
Please provide packet traces when you are reporting packet loss problems; it 
helps us debug.

For reference the setup for GRE TEB IPSec can be found in the python UT 
TestIpsecGreTebIfEsp.

Regards,
neale


From: <vpp-dev@lists.fd.io> on behalf of "Chuan Han via Lists.Fd.Io" <chuanhan=google....@lists.fd.io>
Reply to: "chuan...@google.com" <chuan...@google.com>
Date: Friday 4 October 2019 at 02:15
To: "John Lo (loj)" <l...@cisco.com>
Cc: "vpp-dev@lists.fd.io" <vpp-dev@lists.fd.io>
Subject: Re: [vpp-dev] How to configure l2 gre over ipsec in vpp 19.08

Hi,

Thanks for the information.

I am trying to configure l2 gre over ipsec transport mode.

Here are my startup.cfg files. Can you help check if my configuration is 
correct or not?

r230 and r740 are two servers which are directly connected.

eth0 is the phy NIC. host-veth1 is one endpoint of a veth pair; the other end is 
connected to a network namespace with IP address 172.16.1.2.

From the network namespace, I cannot ping the other end 172.16.1.1.

On r230, I can see unknown ip protocol errors.
vpp# sh errors
   Count                    Node                  Reason
         5                null-node               blackholed packets
         5          ipsec4-output-feature         IPSec policy (no match)
         1            esp4-decrypt-tun            ESP pkts received
         1            ipsec4-tun-input            good packets received
         1          ipsec4-input-feature          IPSEC pkts received
         1                ip4-input               unknown ip protocol
       592                gre-encap               GRE output packets encapsulated
       592          ipsec4-output-feature         IPSec policy bypass
       592            esp4-encrypt-tun            ESP pkts received
       592                l2-output               L2 output packets
       592                l2-learn                L2 learn packets
         1                l2-learn                L2 learn misses
       592                l2-input                L2 input packets
       592                l2-flood                L2 flood packets
vpp# sh int
              Name               Idx    State  MTU (L3/IP4/IP6/MPLS)     Counter          Count
eth0                              1      up          9000/0/0/0     rx packets                     1
                                                                    rx bytes                     166
                                                                    tx packets                   592
                                                                    tx bytes                   88816
                                                                    drops                          5
                                                                    ip4                            1
                                                                    rx-error                       1
gre0                              3      up          9000/0/0/0     drops                          1
                                                                    ip4                            1
host-veth1                        2      up          9000/0/0/0     rx packets                   592
                                                                    rx bytes                   24892
local0                            0     down          0/0/0/0
vpp# sh errors
   Count                    Node                  Reason
         5                null-node               blackholed packets
         5          ipsec4-output-feature         IPSec policy (no match)
         1            esp4-decrypt-tun            ESP pkts received
         1            ipsec4-tun-input            good packets received
         1          ipsec4-input-feature          IPSEC pkts received
         1                ip4-input               unknown ip protocol
       592                gre-encap               GRE output packets encapsulated
       592          ipsec4-output-feature         IPSec policy bypass
       592            esp4-encrypt-tun            ESP pkts received
       592                l2-output               L2 output packets
       592                l2-learn                L2 learn packets
         1                l2-learn                L2 learn misses
       592                l2-input                L2 input packets
       592                l2-flood                L2 flood packets
vpp#

On r740, I see the same errors:

vpp# sh int
              Name               Idx    State  MTU (L3/IP4/IP6/MPLS)     Counter          Count
eth0                              1      up          9000/0/0/0     rx packets                   592
                                                                    rx bytes                   88816
                                                                    tx packets                     1
                                                                    tx bytes                     166
                                                                    ip4                          592
gre0                              3      up          9000/0/0/0     drops                        592
                                                                    ip4                          592
host-veth1                        2      up          9000/0/0/0     rx packets                     1
                                                                    rx bytes                      70
local0                            0     down          0/0/0/0
vpp# sh errors
   Count                    Node                  Reason
       592            esp4-decrypt-tun            ESP pkts received
       592            ipsec4-tun-input            good packets received
       592          ipsec4-input-feature          IPSEC pkts received
       592                ip4-input               unknown ip protocol
         1                gre-encap               GRE output packets encapsulated
         1          ipsec4-output-feature         IPSec policy bypass
         1            esp4-encrypt-tun            ESP pkts received
         1                l2-output               L2 output packets
         1                l2-learn                L2 learn packets
         1                l2-learn                L2 learn misses
         1                l2-input                L2 input packets
         1                l2-flood                L2 flood packets
vpp#
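As an added example (not part of Chuan's message or of the VPP project), the following POSIX shell/awk filter reads `show errors` output and keeps only the non-zero counters whose node or reason looks like a drop, largest first, so that the rows that explain the packet loss quoted above (`ipsec4-output-feature IPSec policy (no match)` and `null-node blackholed packets` on r230, `ip4-input unknown ip protocol` on r740) are not buried among the per-node "received" counters. The embedded samples are abridged copies of the two outputs in this thread; the list of words treated as drop-like is the script's own heuristic, an assumption rather than a VPP definition.

```shell
#!/bin/sh
# Added example, not part of the vpp-dev thread or the VPP project.
# Filters 'vppctl show errors' output down to the non-zero counters whose
# node or reason looks like a drop, largest count first, so the rows that
# explain packet loss are not buried among per-node "received" counters.
# The list of drop-like words below is this script's own heuristic (assumption).

# vpp_error_triage: read 'show errors' text on stdin and print
# "<count> <node> <reason>" for each non-zero drop-like row, largest first.
vpp_error_triage() {
    awk '
        $1 !~ /^[0-9]+$/ || $1 == 0 { next }   # skip prompt, header and zero rows
        {
            count = $1; node = $2
            reason = $3
            for (i = 4; i <= NF; i++) reason = reason " " $i
            if (tolower(node " " reason) ~ /no match|unknown|blackhole|drop|null-node|error|fail/)
                print count, node, reason
        }' | sort -rn
}

# Sample inputs: abridged copies of the two 'sh errors' outputs quoted in this
# thread (r230 and r740), embedded so the script runs offline.
SAMPLE_R230='vpp# sh errors
   Count                    Node                  Reason
         5                null-node               blackholed packets
         5          ipsec4-output-feature         IPSec policy (no match)
         1            esp4-decrypt-tun            ESP pkts received
         1                ip4-input               unknown ip protocol
       592                gre-encap               GRE output packets encapsulated
       592          ipsec4-output-feature         IPSec policy bypass
       592            esp4-encrypt-tun            ESP pkts received'

SAMPLE_R740='vpp# sh errors
   Count                    Node                  Reason
       592            esp4-decrypt-tun            ESP pkts received
       592            ipsec4-tun-input            good packets received
       592          ipsec4-input-feature          IPSEC pkts received
       592                ip4-input               unknown ip protocol
         1                gre-encap               GRE output packets encapsulated
         1          ipsec4-output-feature         IPSec policy bypass'

# triage_sample r230|r740: run the filter over one of the embedded samples.
# Against a live VPP the same filter is used as:  vppctl show errors | vpp_error_triage
triage_sample() {
    case "$1" in
        r230) printf '%s\n' "$SAMPLE_R230" | vpp_error_triage ;;
        r740) printf '%s\n' "$SAMPLE_R740" | vpp_error_triage ;;
        *)    echo "usage: triage_sample r230|r740" >&2; return 1 ;;
    esac
}
```

On the r740 sample the only row left is `592 ip4-input unknown ip protocol`, which is the same 592 that `sh int` reports as drops on gre0; on r230 the filter surfaces the two 5-count rows (`null-node` and `IPSec policy (no match)`) that the SPD on eth0 accounts for, plus the single `unknown ip protocol` packet.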

On Wed, Oct 2, 2019 at 9:13 AM John Lo (loj) <l...@cisco.com> wrote:
To create GRE tunnel in L2 mode, you can add “teb” keyword in the create CLI 
which makes the GRE tunnel work in transparent ethernet bridging mode:

vpp# create gre ?
  create gre tunnel                        create gre tunnel src <addr> dst <addr> [instance <n>] [outer-fib-id <fib>] [teb | erspan <session-id>] [del]

In theory, a GRE tunnel can be configured with IPSec, as described by Neale, 
irrespective of it being in teb mode or not.  Neale, please correct me if it is 
not the case.

Regards,
John

From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> On Behalf Of Chuan Han via Lists.Fd.Io
Sent: Wednesday, October 02, 2019 11:32 AM
To: Neale Ranns (nranns) <nra...@cisco.com>
Cc: vpp-dev@lists.fd.io
Subject: Re: [vpp-dev] How to configure l2 gre over ipsec in vpp 19.08

Gre is l3 in this case. Right? This limits the possible use cases.

Is there any plan to support l2 gre over ipsec transport mode? It seems vpp 17 
supports this feature. Not sure why it is dropped in 19.

On Wed, Oct 2, 2019, 12:18 AM Neale Ranns (nranns) <nra...@cisco.com> wrote:

Hi Chuan,

IPSec and GRE is supported using the tunnel protection mechanism:
  https://wiki.fd.io/view/VPP/IPSec

GRE over IPSec is only supported when the SA is in tunnel mode. This means there 
is a double encap of the IP header: once by the SA (in tunnel mode) and once 
by the tunnel itself. (Which has always been the case in VPP.)

Example config follows:

  DBGvpp# ipsec sa add 20 spi 200 crypto-key 6541686776336961656264656f6f6579 crypto-alg aes-cbc-128 tunnel-src 10.10.10.10 tunnel-dst 10.10.10.11
  DBGvpp# ipsec sa add 30 spi 300 crypto-key 6541686776336961656264656f6f6579 crypto-alg aes-cbc-128 tunnel-src 10.10.10.11 tunnel-dst 10.10.10.10
  DBGvpp# create gre tunnel src 10.10.10.10 dst 10.10.10.11
    gre0
  DBGvpp# ipsec tunnel protect gre0 sa-in 20 sa-out 30
  DBGvpp# sh ipsec protect
  gre0
   output-sa:
    [1] sa 30 (0x1e) spi 300 (0x0000012c) protocol:esp flags:[tunnel ]
   input-sa:
    [0] sa 20 (0x14) spi 200 (0x000000c8) protocol:esp flags:[tunnel Protect ]

Regards,
neale
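As an added example (not code from the thread, from Neale, or from the VPP project), the script below generates the vppctl commands for both peers of the setup discussed in this thread: a GRE tunnel created with the `teb` keyword John describes, protected with `ipsec tunnel protect` as in Neale's configuration above, and with no SPD at all, which is the change Neale asks for in his reply at the top of the thread. It goes beyond the single-side example on the page by rendering both peers, so that the SA mirroring (each side's sa-in is the other side's sa-out, with the same SPI, key and tunnel endpoints) is visible. Addresses, SA ids and SPIs are taken from Neale's example; everything else is an assumption not on the page: interface names eth0 and host-veth1 and bridge domain 1, `instance 0` to pin the tunnel name to gre0, the `integ-alg sha-256-128` / `integ-key` options, the convention that the outbound SA's tunnel-src is the local address, the placeholder keys, and that vppctl accepts commands on stdin.

```shell
#!/bin/sh
# Added example, not code from the vpp-dev thread or the VPP project.
# Emits the vppctl CLI for one side of an L2 (teb) GRE tunnel protected by
# IPsec tunnel-mode SAs via "ipsec tunnel protect". It deliberately contains
# no SPD/policy lines: with tunnel protection everything entering the tunnel
# is encrypted, so no policy is needed and an SPD on eth0 only gets in the way.
# Addresses, SA ids and SPIs follow Neale's example. Assumptions not on the
# page: eth0/host-veth1 as interface names, bridge domain 1, "instance 0",
# "integ-alg sha-256-128", the SA direction convention (outbound SA has
# tunnel-src = local address), placeholder keys, and vppctl reading stdin.

A_IP=10.10.10.10; B_IP=10.10.10.11
AB_SA=20; AB_SPI=200     # SA carrying A -> B traffic (A's sa-out, B's sa-in)
BA_SA=30; BA_SPI=300     # SA carrying B -> A traffic (B's sa-out, A's sa-in)

# Placeholder keys, constructed for this example: replace with fresh random
# material (e.g. openssl rand -hex 16 / -hex 32) and keep one key per direction.
# aes-cbc-128 takes a 16-byte key; the integrity key here is 32 bytes.
AB_CKEY=00000000000000000000000000000001
BA_CKEY=00000000000000000000000000000002
AB_IKEY=0000000000000000000000000000000000000000000000000000000000000003
BA_IKEY=0000000000000000000000000000000000000000000000000000000000000004

# gre_ipsec_side a|b : print the CLI for that peer. Both peers define SA 20
# and SA 30 with identical parameters; they differ only in which SA protects
# which direction and in the tunnel's own src/dst.
gre_ipsec_side() {
    case "$1" in
        a) local_ip=$A_IP; remote_ip=$B_IP
           out_sa=$AB_SA; out_spi=$AB_SPI; out_ckey=$AB_CKEY; out_ikey=$AB_IKEY
           in_sa=$BA_SA;  in_spi=$BA_SPI;  in_ckey=$BA_CKEY;  in_ikey=$BA_IKEY ;;
        b) local_ip=$B_IP; remote_ip=$A_IP
           out_sa=$BA_SA; out_spi=$BA_SPI; out_ckey=$BA_CKEY; out_ikey=$BA_IKEY
           in_sa=$AB_SA;  in_spi=$AB_SPI;  in_ckey=$AB_CKEY;  in_ikey=$AB_IKEY ;;
        *) echo "usage: gre_ipsec_side a|b" >&2; return 1 ;;
    esac
    cat <<EOF
set interface ip address eth0 ${local_ip}/24
set interface state eth0 up
ipsec sa add ${out_sa} spi ${out_spi} esp crypto-alg aes-cbc-128 crypto-key ${out_ckey} integ-alg sha-256-128 integ-key ${out_ikey} tunnel-src ${local_ip} tunnel-dst ${remote_ip}
ipsec sa add ${in_sa} spi ${in_spi} esp crypto-alg aes-cbc-128 crypto-key ${in_ckey} integ-alg sha-256-128 integ-key ${in_ikey} tunnel-src ${remote_ip} tunnel-dst ${local_ip}
create gre tunnel src ${local_ip} dst ${remote_ip} instance 0 teb
ipsec tunnel protect gre0 sa-in ${in_sa} sa-out ${out_sa}
set interface state gre0 up
set interface l2 bridge gre0 1
set interface l2 bridge host-veth1 1
EOF
}

# apply_side a|b : feed the CLI to a running VPP (assumes vppctl reads
# commands from stdin; set VPPCTL to point at another binary).
apply_side() { gre_ipsec_side "$1" | "${VPPCTL:-vppctl}"; }

# Print (rather than apply) the configuration when run directly, e.g.:
#   sh gre_ipsec.sh a
if [ $# -gt 0 ]; then gre_ipsec_side "$1"; fi
```

The two generated SA definitions are byte-for-byte the same on both peers, which is the property to check when decrypt counters rise on one side but the inner traffic never appears: a mismatched SPI, key or tunnel endpoint shows up only as a silent loss. The integrity algorithm is this example's addition; the page's own configuration uses `crypto-alg` alone.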


From: <vpp-dev@lists.fd.io> on behalf of "Chuan Han via Lists.Fd.Io" <chuanhan=google....@lists.fd.io>
Reply to: "chuan...@google.com" <chuan...@google.com>
Date: Wednesday 2 October 2019 at 02:08
To: "vpp-dev@lists.fd.io" <vpp-dev@lists.fd.io>
Cc: "vpp-dev@lists.fd.io" <vpp-dev@lists.fd.io>
Subject: [vpp-dev] How to configure l2 gre over ipsec in vpp 19.08

Hi, vpp experts,

I am trying to configure l2 gre over ipsec. I followed the steps here:
https://docs.fd.io/vpp/16.12/ipsec_gre_doc.html

I hit the following error:
create ipsec: unknown input `gre tunnel src 10.10.10.10 dst...'

My vpp version is v19.08.1-release

It seems on this version the "create ipsec gre tunnel" command does not work. 
If so, is there any other way of configuring l2 gre over ipsec in 19.08?

Please advise.

Thanks.
Chuan
View/Reply Online (#14122): https://lists.fd.io/g/vpp-dev/message/14122