What is the current thinking on how IPIP tunnels should be configured (admin state, routes, etc.) if they are created by IKE?
In the Linux kernel we statically create the tunnel, bring it admin up, route packets over it. But it drops the packets (triggering an IKE acquire) until a valid SA exists. This has advantages and disadvantages. It is great for static point-to-point tunnels in smaller VPN deployments, but requires a lot of duplicated config in VPN concentrator deployments where some form of tunnel template would be better.

This change (https://gerrit.fd.io/r/c/vpp/+/23634) allows a mechanism similar to the Linux kernel, but as was pointed out in the review comments, is not complete and possibly not in line with the approach we might want to take to solve the above problem.

I think there are 2 options:

1. Provide some form of templating/script trigger for tunnels being established so that configuration can be applied when a tunnel appears [Does a mechanism for this already exist?].
2. Allow the tunnel to be preconfigured, but ensure traffic does not pass until the SA is ready.

Thanks,
Carl
