Hi Ruoyu,

Possibly because your loaded crypto engine/backend does not support the 
requested algorithms. Please provide:
  show crypto engine
  show ipsec backend

Also, whenever asking for assistance:
  sh version

Thanks,
neale

From: <vpp-dev@lists.fd.io> on behalf of "Ying, Ruoyu" <ruoyu.y...@intel.com>
Date: Thursday 17 October 2019 at 10:52
To: "vpp-dev@lists.fd.io" <vpp-dev@lists.fd.io>
Subject: [vpp-dev] VPP IPSec failed to add SA

Hi,

I tried to use vpp to enable IPSec in my environment. And when I tried to 
create a SA, I always got an error for that.
Detailed configs look like this:
Interface details:
vpp# show int
Name                              Idx    State  MTU (L3/IP4/IP6/MPLS)     Counter          Count
VirtualFunctionEthernet0/5/0      1      up          9000/0/0/0
VirtualFunctionEthernet0/6/0      2      up          9000/0/0/0
local0                            0     down          0/0/0/0

IPSec configs:

set interface state VirtualFunctionEthernet0/5/0 up
set interface state VirtualFunctionEthernet0/6/0 up

set interface ip address VirtualFunctionEthernet0/5/0 192.168.70.100/24
set interface ip address VirtualFunctionEthernet0/6/0 192.168.100.3/24

set int promiscuous on VirtualFunctionEthernet0/5/0
set int promiscuous on VirtualFunctionEthernet0/6/0

set ip arp VirtualFunctionEthernet0/6/0 192.168.100.4 fa:16:3e:b3:8b:fd
set ip arp VirtualFunctionEthernet0/5/0 192.168.70.200 fa:16:3e:f5:2f:e9

ip route add count 1 104.0.0.0/32 via 192.168.100.4 VirtualFunctionEthernet0/6/0
ip route add count 1 004.0.0.0/32 via 192.168.70.200 VirtualFunctionEthernet0/5/0

ipsec spd add 1
set interface ipsec spd VirtualFunctionEthernet0/6/0 1
ipsec sa add 1 spi 1001 esp tunnel-src 192.168.100.3 tunnel-dst 192.168.100.4 crypto-key 2b7e151628aed2a6abf7158809cf4f3d crypto-alg aes-cbc-128 integ-key 6867666568676665686766656867666568676669 integ-alg sha1-96  //This line will return an error ‘ipsec sa: failed’
ipsec sa add 2 spi 25500128 esp tunnel-src 192.168.100.4 tunnel-dst 192.168.100.3 crypto-key 2b7e151628aed2a6abf7158809cf4f3d crypto-alg aes-cbc-128 integ-key 6867666568676665686766656867666568676669 integ-alg sha1-96
ipsec policy add spd 1 outbound priority 100 action protect sa 1 remote-ip-range 104.0.0.0-104.0.0.0
ipsec policy add spd 1 outbound priority 90 protocol 50 action bypass
ipsec policy add spd 1 inbound priority 100 action protect sa 1 remote-ip-range 004.0.0.0-004.0.0.0
ipsec policy add spd 1 inbound priority 90 protocol 50 action bypass

Anyone know the cause for that? Thanks a lot!!

Best Regards,
Ruoyu
