Attaching the version information also. And I installed VPP through apt.
vpp# sh version
vpp v19.08.1-release built by root on a0e0f3d06c53 at Wed Sep 18 18:14:09 UTC 2019


Best Regards,
Ruoyu

From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> On Behalf Of Ying, Ruoyu
Sent: Friday, October 18, 2019 9:03 AM
To: nra...@cisco.com; vpp-dev@lists.fd.io
Subject: Re: [vpp-dev] VPP IPSec failed to add SA

Hi Neale,

Thanks for replying. I think you’ve pointed out the root cause. The commands 
provide a response like this:
vpp# show crypto engine
No crypto engines registered
vpp# show ipsec backend
IPsec AH backends available:
           Name                     Index             Active
  crypto engine backend               0                 yes
IPsec ESP backends available:
           Name                     Index             Active
  crypto engine backend               0                 no
       dpdk backend                   1                 yes

Looks like no crypto engine is registered. I’m checking the related docs, 
but are the engines registered by default, or do we need to manually register 
them? Thanks.

Best Regards,
Ruoyu

From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> On Behalf Of Neale Ranns via Lists.Fd.Io
Sent: Thursday, October 17, 2019 8:36 PM
To: Ying, Ruoyu <ruoyu.y...@intel.com>; vpp-dev@lists.fd.io
Cc: vpp-dev@lists.fd.io
Subject: Re: [vpp-dev] VPP IPSec failed to add SA

Hi Ruoyu,

Possibly because your loaded crypto engine/backend does not support the 
requested algorithms. Please provide:
  show crypto engine
  show ipsec backend

also whenever asking for assistance:
  sh version

Thanks,
neale

From: <vpp-dev@lists.fd.io> on behalf of "Ying, Ruoyu" <ruoyu.y...@intel.com>
Date: Thursday 17 October 2019 at 10:52
To: "vpp-dev@lists.fd.io" <vpp-dev@lists.fd.io>
Subject: [vpp-dev] VPP IPSec failed to add SA

Hi,

I tried to use vpp to enable IPSec in my environment. And when I tried to 
create an SA, I always got an error for that.
Detailed configs look like this:
Interface details:
vpp# show int
Name                             Idx    State  MTU (L3/IP4/IP6/MPLS)     Counter          Count
VirtualFunctionEthernet0/5/0      1      up          9000/0/0/0
VirtualFunctionEthernet0/6/0      2      up          9000/0/0/0
local0                            0     down          0/0/0/0

IPSec configs:

set interface state VirtualFunctionEthernet0/5/0 up
set interface state VirtualFunctionEthernet0/6/0 up

set interface ip address VirtualFunctionEthernet0/5/0 192.168.70.100/24
set interface ip address VirtualFunctionEthernet0/6/0 192.168.100.3/24

set int promiscuous on VirtualFunctionEthernet0/5/0
set int promiscuous on VirtualFunctionEthernet0/6/0

set ip arp VirtualFunctionEthernet0/6/0 192.168.100.4 fa:16:3e:b3:8b:fd
set ip arp VirtualFunctionEthernet0/5/0 192.168.70.200 fa:16:3e:f5:2f:e9

ip route add count 1 104.0.0.0/32 via 192.168.100.4 VirtualFunctionEthernet0/6/0
ip route add count 1 004.0.0.0/32 via 192.168.70.200 VirtualFunctionEthernet0/5/0

ipsec spd add 1
set interface ipsec spd VirtualFunctionEthernet0/6/0 1
ipsec sa add 1 spi 1001 esp tunnel-src 192.168.100.3 tunnel-dst 192.168.100.4 crypto-key 2b7e151628aed2a6abf7158809cf4f3d crypto-alg aes-cbc-128 integ-key 6867666568676665686766656867666568676669 integ-alg sha1-96  //This line will return an error ‘ipsec sa: failed’
ipsec sa add 2 spi 25500128 esp tunnel-src 192.168.100.4 tunnel-dst 192.168.100.3 crypto-key 2b7e151628aed2a6abf7158809cf4f3d crypto-alg aes-cbc-128 integ-key 6867666568676665686766656867666568676669 integ-alg sha1-96
ipsec policy add spd 1 outbound priority 100 action protect sa 1 remote-ip-range 104.0.0.0-104.0.0.0
ipsec policy add spd 1 outbound priority 90 protocol 50 action bypass
ipsec policy add spd 1 inbound priority 100 action protect sa 1 remote-ip-range 004.0.0.0-004.0.0.0
ipsec policy add spd 1 inbound priority 90 protocol 50 action bypass

Anyone know the cause for that? Thanks a lot!!

Best Regards,
Ruoyu
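
Added example (not part of the original thread and not VPP project code): a small Python parser for the two outputs Neale asks for, run over the output Ruoyu posted, reporting which backend is active for AH and ESP and whether any crypto engine is registered. The function names are hypothetical, and treating any output other than "No crypto engines registered" as a populated engine list is an assumption.

```python
import re

# Sample input: CLI output copied from the thread above, embedded inline.
SHOW_CRYPTO_ENGINE = "No crypto engines registered\n"
SHOW_IPSEC_BACKEND = """\
IPsec AH backends available:
           Name                     Index             Active
  crypto engine backend               0                 yes
IPsec ESP backends available:
           Name                     Index             Active
  crypto engine backend               0                 no
       dpdk backend                   1                 yes
"""

SECTION = re.compile(r"^IPsec (AH|ESP) backends available:")
ROW = re.compile(r"^\s*(.+?)\s+(\d+)\s+(yes|no)\s*$")

def parse_backends(text):
    """Return {'AH': [(name, index, active), ...], 'ESP': [...]}."""
    backends, proto = {}, None
    for line in text.splitlines():
        if m := SECTION.match(line):
            proto = m.group(1)          # rows that follow belong to this protocol
        elif (m := ROW.match(line)) and proto:
            row = (m.group(1), int(m.group(2)), m.group(3) == "yes")
            backends.setdefault(proto, []).append(row)
    return backends

def active_backend(backends, proto):
    """Name of the backend marked active for AH or ESP, or None."""
    return next((n for n, _, a in backends.get(proto, []) if a), None)

def engines_registered(text):
    # Assumption: any non-empty output other than the message seen in the
    # thread means at least one engine is listed.
    body = text.strip()
    return bool(body) and "No crypto engines registered" not in body

def findings(engine_out, backend_out):
    """Summarise the two outputs as a list of plain-text findings."""
    b = parse_backends(backend_out)
    out = [f"{p} active backend: {active_backend(b, p)}" for p in ("AH", "ESP")]
    if not engines_registered(engine_out):
        out.append("no crypto engine registered")
    return out

if __name__ == "__main__":
    print("\n".join(findings(SHOW_CRYPTO_ENGINE, SHOW_IPSEC_BACKEND)))
```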
