Hi Satish, can you share the output of those commands on VPP2:
 - 'show err'
 - 'sh hard'
 - 'sh log'
 - a packet trace ('cle tr' then 'sh tr')

Best
ben

> -----Original Message-----
> From: satish amara <satishkam...@gmail.com>
> Sent: Tuesday, 17 August 2021 19:33
> To: vpp-dev@lists.fd.io
> Cc: Damjan Marion (damarion) <damar...@cisco.com>; nra...@cisco.com; Filip Tehlar -X (ftehlar - PANTHEON TECH SRO at Cisco) <fteh...@cisco.com>; Benoit Ganne (bganne) <bga...@cisco.com>
> Subject: [SUSPECTED SPAM] VPP IPSEC traffic is not passing thru when DPDK is enabled.
>
> Hi,
>
> There is an issue when the DPDK is owning the LAN interface for IPSEC
> traffic. I have a network setup of 2 VPP routers connected by the IPSEC
> tunnel on WAN interface and have LAN interface for sending out traffic and
> VPP is acting as IPSEC gateway. The issue I am seeing traffic encrypted
> by IPSEC policy is traversing from VPP1 to VPP2 but after decryption, the
> packet is sent out on eth3 interface on VPP2 and it's staying there. The
> counters for eth3 interface are updated but DPDK driver is not sending out
> the packet on eth3 interface. DPDK is enabled on the eth1 and eth3
> interfaces. Instead of DPDK owning eth3 interface, if I use mem_if or
> veth (ip link) for LAN interface, it works well with no issues.
>
> I am using following DPDK driver for eth3 interface
> ./dpdk-devbind.py --bind=uio_pci_generic
>
> Here is VPP config
>
> eth1 is WAN interface and eth3 is LAN interface.
>
> IPSEC setup at VPP1
>
> set int state eth1 up
> set int ip address eth1 192.168.1.6/24
> ip route add 192.168.2.0/24 via 192.168.1.1
> ikev2 profile add pr1
> ikev2 profile set pr1 auth shared-key-mic string *****
> ikev2 profile set pr1 id local ip4-addr 192.168.1.6
> ikev2 profile set pr1 id remote ip4-addr 192.168.2.6
> ikev2 profile set pr1 traffic-selector local ip-range 192.168.100.20 - 192.168.100.21 port-range 0 - 65535 protocol 0
> ikev2 profile set pr1 traffic-selector remote ip-range 192.168.200.20 - 192.168.200.21 port-range 0 - 65535 protocol 0
> ikev2 profile set pr1 responder eth1 192.168.2.6
> ikev2 profile set pr1 ike-crypto-alg aes-cbc 256 ike-integ-alg sha1-96 ike-dh modp-2048
> ikev2 profile set pr1 esp-crypto-alg aes-cbc 256 esp-integ-alg sha1-96 esp-dh ecp-256
> ikev2 profile set pr1 sa-lifetime 3600 10 5 0
> set int state eth3 up
> set int ip address eth3 192.168.100.5/24
>
>
> IPSEC setup at VPP2
>
> set int state eth1 up
> set int ip address eth1 192.168.2.6/24
> ip route add 192.168.1.0/24 via 192.168.2.1
> ikev2 profile add pr1
> ikev2 profile set pr1 auth shared-key-mic string *****
> ikev2 profile set pr1 id local ip4-addr 192.168.2.6
> ikev2 profile set pr1 id remote ip4-addr 192.168.1.6
> ikev2 profile set pr1 traffic-selector remote ip-range 192.168.100.20 - 192.168.100.21 port-range 0 - 65535 protocol 0
> ikev2 profile set pr1 traffic-selector local ip-range 192.168.200.20 - 192.168.200.21 port-range 0 - 65535 protocol 0
>
> set int state eth3 up
> set int ip address eth3 192.168.200.5/24
>
>
> Traffic from 192.168.100.20 <->192.168.200.20 is encrypted.
>
> The issue I am seeing is on following VPP image
> vpp# show ver
> vpp v20.09-release built by root on caba6892cb91 at 2020-10-01T03:09:45
>
> Want to know if others are seeing this issue and how to address this. This
> is common use case setup for IPSEC setup.
>
> Regards,
> Satish K Amaara