Attaching the version information also. And I install VPP through apt. vpp# sh version vpp v19.08.1-release built by root on a0e0f3d06c53 at Wed Sep 18 18:14:09 UTC 2019
Best Regards, Ruoyu From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> On Behalf Of Ying, Ruoyu Sent: Friday, October 18, 2019 9:03 AM To: nra...@cisco.com; vpp-dev@lists.fd.io Subject: Re: [vpp-dev] VPP IPSec failed to add SA Hi Neale, Thanks for replying. I think you’ve pointed out the root cause. The cmds provides the response like this: vpp# show crypto engine No crypto engines registered vpp# show ipsec backend IPsec AH backends available: Name Index Active crypto engine backend 0 yes IPsec ESP backends available: Name Index Active crypto engine backend 0 no dpdk backend 1 yes Looks like that no crypto engine is registered. I’m checking the related docs, but are the engines registered by default or we need to manually register them? Thanks. Best Regards, Ruoyu From: vpp-dev@lists.fd.io<mailto:vpp-dev@lists.fd.io> <vpp-dev@lists.fd.io<mailto:vpp-dev@lists.fd.io>> On Behalf Of Neale Ranns via Lists.Fd.Io Sent: Thursday, October 17, 2019 8:36 PM To: Ying, Ruoyu <ruoyu.y...@intel.com<mailto:ruoyu.y...@intel.com>>; vpp-dev@lists.fd.io<mailto:vpp-dev@lists.fd.io> Cc: vpp-dev@lists.fd.io<mailto:vpp-dev@lists.fd.io> Subject: Re: [vpp-dev] VPP IPSec failed to add SA Hi Ruoyo, Possiblly because your loaded crypto engine/backend does not support the requested algorithms. Please provide : show crypto engine show ipsec backend also whenever asking for assistance: sh version Thanks, neale From: <vpp-dev@lists.fd.io<mailto:vpp-dev@lists.fd.io>> on behalf of "Ying, Ruoyu" <ruoyu.y...@intel.com<mailto:ruoyu.y...@intel.com>> Date: Thursday 17 October 2019 at 10:52 To: "vpp-dev@lists.fd.io<mailto:vpp-dev@lists.fd.io>" <vpp-dev@lists.fd.io<mailto:vpp-dev@lists.fd.io>> Subject: [vpp-dev] VPP IPSec failed to add SA Hi, I tried to use vpp to enable IPSec in my environment. And when I tried to create a SA, I always got an error for that. Detailed configs look like this: Interface details: vpp# show int Name Idx State MTU (L3/IP4/IP6/MPLS) Counter Count VirtualFunctionEthernet0/5/0 1 up 9000/0/0/0 VirtualFunctionEthernet0/6/0 2 up 9000/0/0/0 local0 0 down 0/0/0/0 IPSec configs: set interface state VirtualFunctionEthernet0/5/0 up set interface state VirtualFunctionEthernet0/6/0 up set interface ip address VirtualFunctionEthernet0/5/0 192.168.70.100/24 set interface ip address VirtualFunctionEthernet0/6/0 192.168.100.3/24 set int promiscuous on VirtualFunctionEthernet0/5/0 set int promiscuous on VirtualFunctionEthernet0/6/0 set ip arp VirtualFunctionEthernet0/6/0 192.168.100.4 fa:16:3e:b3:8b:fd set ip arp VirtualFunctionEthernet0/5/0 192.168.70.200 fa:16:3e:f5:2f:e9 ip route add count 1 104.0.0.0/32 via 192.168.100.4 VirtualFunctionEthernet0/6/0 ip route add count 1 004.0.0.0/32 via 192.168.70.200 VirtualFunctionEthernet0/5/0 ipsec spd add 1 set interface ipsec spd VirtualFunctionEthernet0/6/0 1 ipsec sa add 1 spi 1001 esp tunnel-src 192.168.100.3 tunnel-dst 192.168.100.4 crypto-key 2b7e151628aed2a6abf7158809cf4f3d crypto-alg aes-cbc-128 integ-key 6867666568676665686766656867666568676669 integ-alg sha1-96 //This line will return an error ‘ipsec sa: failed’ ipsec sa add 2 spi 25500128 esp tunnel-src 192.168.100.4 tunnel-dst 192.168.100.3 crypto-key 2b7e151628aed2a6abf7158809cf4f3d crypto-alg aes-cbc-128 integ-key 6867666568676665686766656867666568676669 integ-alg sha1-96 ipsec policy add spd 1 outbound priority 100 action protect sa 1 remote-ip-range 104.0.0.0-104.0.0.0 ipsec policy add spd 1 outbound priority 90 protocol 50 action bypass ipsec policy add spd 1 inbound priority 100 action protect sa 1 remote-ip-range 004.0.0.0-004.0.0.0 ipsec policy add spd 1 inbound priority 90 protocol 50 action bypass Anyone know the cause for that? Thanks a lot!! Best Regards, Ruoyu
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#14222): https://lists.fd.io/g/vpp-dev/message/14222 Mute This Topic: https://lists.fd.io/mt/34696319/21656 Group Owner: vpp-dev+ow...@lists.fd.io Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-