Dear VPP Team,
I'm trying to configure an IPsec tunnel in VPP 19.08. The configurations via 'ikev2'
and 'create ipsec tunnel ...' both work fine, but it's difficult for me to
configure an IPsec tunnel via 'ipsec sa ...'. There are a lot of issues about IPsec on the
vpp-dev mailing list, but I still haven't found the right answer.
My test topology is as follows:
The configuration of each device is as follows:
user1:
ipv4 address: 100.0.0.3/24
gateway address: 100.0.0.1
vpp1:
# basic network
set interface state GigabitEthernet2/0/0 up
set interface state GigabitEthernet2/1/0 up
set interface ip address GigabitEthernet2/0/0 100.0.0.1/24
set interface ip address GigabitEthernet2/1/0 192.168.1.1/24
set interface promiscuous on GigabitEthernet2/0/0
set interface promiscuous on GigabitEthernet2/1/0
# ipsec configuration
ipsec sa add 10 spi 1001 esp crypto-key 2b7e151628aed2a6abf7158809cf4f3d
crypto-alg aes-cbc-128 tunnel-src 192.168.1.1 tunnel-dst 192.168.1.2
ipsec sa add 20 spi 1000 esp crypto-key 2b7e151628aed2a6abf7158809cf4f3d
crypto-alg aes-cbc-128 tunnel-src 192.168.1.2 tunnel-dst 192.168.1.1
ipsec spd add 1
set interface ipsec spd GigabitEthernet2/1/0 1
ipsec policy add spd 1 inbound priority 100 protocol 50 action bypass
ipsec policy add spd 1 outbound priority 100 protocol 50 action bypass
ipsec policy add spd 1 inbound priority 10 action protect sa 20 local-ip-range
100.0.0.3 - 100.0.0.3 remote-ip-range 172.168.1.3 - 172.168.1.3
ipsec policy add spd 1 outbound priority 20 action protect sa 10 local-ip-range
100.0.0.3 - 100.0.0.3 remote-ip-range 172.168.1.3 - 172.168.1.3
ip route add 172.168.1.0/24 via 192.168.1.2 GigabitEthernet2/1/0
vpp2:
# basic network
set interface state GigabitEthernet2/1/0 up
set interface state GigabitEthernet2/2/0 up
set interface ip address GigabitEthernet2/1/0 172.168.1.1/24
set interface ip address GigabitEthernet2/2/0 192.168.1.2/24
set interface promiscuous on GigabitEthernet2/1/0
set interface promiscuous on GigabitEthernet2/2/0
# ipsec configuration
ipsec sa add 10 spi 1001 esp crypto-key 2b7e151628aed2a6abf7158809cf4f3d
crypto-alg aes-cbc-128 tunnel-src 192.168.1.1 tunnel-dst 192.168.1.2
ipsec sa add 20 spi 1000 esp crypto-key 2b7e151628aed2a6abf7158809cf4f3d
crypto-alg aes-cbc-128 tunnel-src 192.168.1.2 tunnel-dst 192.168.1.1
ipsec spd add 1
set interface ipsec spd GigabitEthernet2/2/0 1
ipsec policy add spd 1 inbound priority 100 protocol 50 action bypass
ipsec policy add spd 1 outbound priority 100 protocol 50 action bypass
ipsec policy add spd 1 inbound priority 10 action protect sa 10 local-ip-range
172.168.1.3 - 172.168.1.3 remote-ip-range 100.0.0.3 - 100.0.0.3
ipsec policy add spd 1 outbound priority 20 action protect sa 20 local-ip-range
172.168.1.3 - 172.168.1.3 remote-ip-range 100.0.0.3 - 100.0.0.3
ip route add 100.0.0.0/24 via 192.168.1.1 GigabitEthernet2/2/0
user2:
ipv4 address: 172.168.1.3/24
gateway address: 172.168.1.1
After configuration, I tried to ping from user1 to user2, but the packet was dropped by
vpp1. Here is the trace info:
DBGvpp# show trace
------------------- Start of thread 0 vpp_main -------------------
No packets in trace buffer
------------------- Start of thread 1 vpp_wk_0 -------------------
Packet 1
00:08:35:264577: dpdk-input
GigabitEthernet2/0/0 rx queue 0
buffer 0x9e330: current data 0, length 98, buffer-pool 0, ref-count 1,
totlen-nifb 0, trace handle 0x1000000
ext-hdr-valid
l4-cksum-computed l4-cksum-correct
PKT MBUF: port 0, nb_segs 1, pkt_len 98
buf_len 2176, data_len 98, ol_flags 0x0, data_off 128, phys_addr 0x7298cc80
packet_type 0x0 l2_len 0 l3_len 0 outer_l2_len 0 outer_l3_len 0
rss 0x0 fdir.hi 0x0 fdir.lo 0x0
IP4: 00:50:56:aa:70:e3 -> 00:50:56:aa:53:75
ICMP: 100.0.0.3 -> 172.168.1.3
tos 0x00, ttl 64, length 84, checksum 0x15f0
fragment id 0x130b, flags DONT_FRAGMENT
ICMP echo_request checksum 0x5609
00:08:35:264631: ethernet-input
frame: flags 0x3, hw-if-index 1, sw-if-index 1
IP4: 00:50:56:aa:70:e3 -> 00:50:56:aa:53:75
00:08:35:264650: ip4-input-no-checksum
ICMP: 100.0.0.3 -> 172.168.1.3
tos 0x00, ttl 64, length 84, checksum 0x15f0
fragment id 0x130b, flags DONT_FRAGMENT
ICMP echo_request checksum 0x5609
00:08:35:264673: ip4-lookup
fib 0 dpo-idx 2 flow hash: 0x00000000
ICMP: 100.0.0.3 -> 172.168.1.3
tos 0x00, ttl 64, length 84, checksum 0x15f0
fragment id 0x130b, flags DONT_FRAGMENT
ICMP echo_request checksum 0x5609
00:08:35:264694: ip4-rewrite
tx_sw_if_index 2 dpo-idx 2 : ipv4 via 192.168.1.2 GigabitEthernet2/1/0:
mtu:9000 000c29c781b0005056aa5d190800 flow hash: 0x00000000
00000000: 000c29c781b0005056aa5d19080045000054130b40003f0116f064000003aca8
00000020: 01030800560911580013c609ee5d0000000012510b00000000001011
00:08:35:264701: ipsec4-output-feature
spd 1 policy 3
00:08:35:264711: esp4-encrypt
esp: sa-index 0 spi 1001 (0x000003e9) seq 19 sa-seq-hi 0 crypto aes-cbc-128
integrity none
00:08:35:264731: ip4-load-balance
fib 2 dpo-idx 2 flow hash: 0x00000000
IPSEC_ESP: 192.168.1.1 -> 192.168.1.2
tos 0x00, ttl 254, length 140, checksum 0x38ec
fragment id 0x0000
00:08:35:264746: ip4-rewrite
tx_sw_if_index 2 dpo-idx 2 : ipv4 via 192.168.1.2 GigabitEthernet2/1/0:
mtu:9000 000c29c781b0005056aa5d190800 flow hash: 0x00000000
00000000: 000c29c781b0005056aa5d1908004500008c00000000fd3239ecc0a80101c0a8
00000020: 0102000003e900000013a34fd952bf3f07e1bf7d014e70cb41a41909
00:08:35:264748: ipsec4-output-feature
spd 1 policy -1
00:08:35:264750: error-drop
rx:GigabitEthernet2/0/0
00:08:35:264758: drop
dpdk-input: no error
Packet 2
00:08:36:265009: dpdk-input
GigabitEthernet2/0/0 rx queue 0
buffer 0x9e309: current data 0, length 98, buffer-pool 0, ref-count 1,
totlen-nifb 0, trace handle 0x1000001
ext-hdr-valid
l4-cksum-computed l4-cksum-correct
PKT MBUF: port 0, nb_segs 1, pkt_len 98
buf_len 2176, data_len 98, ol_flags 0x0, data_off 128, phys_addr 0x7298c2c0
packet_type 0x0 l2_len 0 l3_len 0 outer_l2_len 0 outer_l3_len 0
rss 0x0 fdir.hi 0x0 fdir.lo 0x0
IP4: 00:50:56:aa:70:e3 -> 00:50:56:aa:53:75
ICMP: 100.0.0.3 -> 172.168.1.3
tos 0x00, ttl 64, length 84, checksum 0x15b3
fragment id 0x1348, flags DONT_FRAGMENT
ICMP echo_request checksum 0xa006
00:08:36:265040: ethernet-input
frame: flags 0x3, hw-if-index 1, sw-if-index 1
IP4: 00:50:56:aa:70:e3 -> 00:50:56:aa:53:75
00:08:36:265058: ip4-input-no-checksum
ICMP: 100.0.0.3 -> 172.168.1.3
tos 0x00, ttl 64, length 84, checksum 0x15b3
fragment id 0x1348, flags DONT_FRAGMENT
ICMP echo_request checksum 0xa006
00:08:36:265069: ip4-lookup
fib 0 dpo-idx 2 flow hash: 0x00000000
ICMP: 100.0.0.3 -> 172.168.1.3
tos 0x00, ttl 64, length 84, checksum 0x15b3
fragment id 0x1348, flags DONT_FRAGMENT
ICMP echo_request checksum 0xa006
00:08:36:265082: ip4-rewrite
tx_sw_if_index 2 dpo-idx 2 : ipv4 via 192.168.1.2 GigabitEthernet2/1/0:
mtu:9000 000c29c781b0005056aa5d190800 flow hash: 0x00000000
00000000: 000c29c781b0005056aa5d19080045000054134840003f0116b364000003aca8
00000020: 01030800a00611580014c709ee5d00000000c7520b00000000001011
00:08:36:265089: ipsec4-output-feature
spd 1 policy 3
00:08:36:265099: esp4-encrypt
esp: sa-index 0 spi 1001 (0x000003e9) seq 20 sa-seq-hi 0 crypto aes-cbc-128
integrity none
00:08:36:265119: ip4-load-balance
fib 2 dpo-idx 2 flow hash: 0x00000000
IPSEC_ESP: 192.168.1.1 -> 192.168.1.2
tos 0x00, ttl 254, length 140, checksum 0x38ec
fragment id 0x0000
00:08:36:265135: ip4-rewrite
tx_sw_if_index 2 dpo-idx 2 : ipv4 via 192.168.1.2 GigabitEthernet2/1/0:
mtu:9000 000c29c781b0005056aa5d190800 flow hash: 0x00000000
00000000: 000c29c781b0005056aa5d1908004500008c00000000fd3239ecc0a80101c0a8
00000020: 0102000003e9000000141d6285d7364ced8543ec6f97aff2744800fb
00:08:36:265137: ipsec4-output-feature
spd 1 policy -1
00:08:36:265139: error-drop
rx:GigabitEthernet2/0/0
00:08:36:265147: drop
dpdk-input: no error
The IPsec information in vpp1 is as follows:
DBGvpp# show ipsec all
[0] sa 10 (0xa) spi 1001 (0x000003e9) protocol:esp flags:[tunnel ]
[1] sa 20 (0x14) spi 1000 (0x000003e8) protocol:esp flags:[tunnel ]
spd 1
ip4-outbound:
[1] priority 100 action bypass type ip4-outbound protocol IPSEC_ESP
local addr range 0.0.0.0 - 0.0.0.0 port range 0 - 65535
remote addr range 0.0.0.0 - 0.0.0.0 port range 0 - 65535
packets 0 bytes 0
[3] priority 20 action protect type ip4-outbound protocol any sa 10
local addr range 100.0.0.3 - 100.0.0.3 port range 0 - 65535
remote addr range 172.168.1.3 - 172.168.1.3 port range 0 - 65535
packets 340 bytes 28560
ip6-outbound:
ip4-inbound-protect:
[2] priority 10 action protect type ip4-inbound-protect protocol any sa 20
local addr range 100.0.0.3 - 100.0.0.3 port range 0 - 65535
remote addr range 172.168.1.3 - 172.168.1.3 port range 0 - 65535
packets 0 bytes 0
ip6-inbound-protect:
ip4-inbound-bypass:
[0] priority 100 action bypass type ip4-inbound-bypass protocol IPSEC_ESP
local addr range 0.0.0.0 - 0.0.0.0 port range 0 - 65535
remote addr range 0.0.0.0 - 0.0.0.0 port range 0 - 65535
packets 0 bytes 0
ip6-inbound-bypass:
SPD Bindings:
1 -> GigabitEthernet2/1/0
Tunnel interfaces
Are there any errors in my configuration? Is the order of the SA ids applied to
'ipsec policy' right?
It looks like the packet can't find the right policy in spd 1.
Could you please give me some suggestions to get it working?
Your reply will be highly appreciated!
Best regards,
Arvin
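A constructed Python model (added here; not part of Arvin's message and not VPP code) of how an SPD outbound lookup matches a packet, which is one reading of the trace above: the inner ICMP packet matches protect policy 3, but after encryption the ESP packet passes through ipsec4-output-feature again and, because the bypass policy was created without address ranges ('show ipsec all' lists it as 0.0.0.0 - 0.0.0.0), matches nothing, which is the 'policy -1' followed by the drop. The matching rule modelled here and the variant that binds the bypass policy to the tunnel endpoints are assumptions, not something the thread confirms.

```python
"""Toy model of an IPsec SPD outbound lookup (constructed illustration, not VPP
code): policies are tried in descending priority, and a packet matches only if
the protocol agrees and src/dst fall inside the local/remote address ranges."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional

ESP = 50

@dataclass
class Policy:
    idx: int
    priority: int
    action: str              # "bypass" or "protect"
    protocol: Optional[int]  # None means "any"
    local_lo: str
    local_hi: str
    remote_lo: str
    remote_hi: str

def _in_range(addr: str, lo: str, hi: str) -> bool:
    return IPv4Address(lo) <= IPv4Address(addr) <= IPv4Address(hi)

def lookup(spd: List[Policy], src: str, dst: str, proto: int) -> int:
    """Index of the first matching policy, or -1 (what the trace shows as 'policy -1')."""
    for p in sorted(spd, key=lambda p: p.priority, reverse=True):
        if p.protocol is not None and p.protocol != proto:
            continue
        if _in_range(src, p.local_lo, p.local_hi) and _in_range(dst, p.remote_lo, p.remote_hi):
            return p.idx
    return -1

# Outbound policies as 'show ipsec all' lists them: the bypass rule was added
# without address ranges, so it was stored with 0.0.0.0 - 0.0.0.0 on both sides.
AS_CONFIGURED = [
    Policy(1, 100, "bypass", ESP, "0.0.0.0", "0.0.0.0", "0.0.0.0", "0.0.0.0"),
    Policy(3, 20, "protect", None, "100.0.0.3", "100.0.0.3", "172.168.1.3", "172.168.1.3"),
]
# Same SPD with the bypass rule bound to the tunnel endpoints (constructed variant).
WITH_ENDPOINT_RANGES = [
    Policy(1, 100, "bypass", ESP, "192.168.1.1", "192.168.1.1", "192.168.1.2", "192.168.1.2"),
    Policy(3, 20, "protect", None, "100.0.0.3", "100.0.0.3", "172.168.1.3", "172.168.1.3"),
]

if __name__ == "__main__":
    print(lookup(AS_CONFIGURED, "100.0.0.3", "172.168.1.3", 1))             # 3: inner ICMP, first pass
    print(lookup(AS_CONFIGURED, "192.168.1.1", "192.168.1.2", ESP))         # -1: ESP packet, second pass
    print(lookup(WITH_ENDPOINT_RANGES, "192.168.1.1", "192.168.1.2", ESP))  # 1: bypass now matches
```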
View/Reply Online (#14849): https://lists.fd.io/g/vpp-dev/message/14849