Folks, I came across a funny issue with IPSEC, while trying to update the src/scripts/vnet/ipsec script to use the new cli.
Essentially what is happening is that the interface index of the ipsec tunnel endpoint is being used as the fib index. To illustrate the issue, you can see a version of the script below.

When I create just two fibs, 0 and 1, and assign those to the two ends of the tunnel, interfaces ipip0 and ipip1, VPP crashes when you enable the packet generators because it is looking for fib index 9, the interface index of ipip1, not the fib index. However, when I create a whole bunch of ip tables, it all works, presumably because fib index 9 is now valid.

--
Regards,
Ray K

create packet-generator interface pg0
create packet-generator interface pg1
pipe create

ip table add 1
#ip table add 2
#ip table add 3
#ip table add 4
#ip table add 5
#ip table add 6
#ip table add 7
#ip table add 8
#ip table add 9

set int ip table pg1 1
set int ip table pipe0.1 1

set int ip address pg0 192.168.0.1/24
set int ip address pg1 192.168.1.1/24
set int ip address pipe0.0 10.0.0.1/24
set int ip address pipe0.1 10.0.0.2/24

set int state pg0 up
set int state pg1 up
set int state pipe0 up

ipsec sa add 20 spi 1000 crypto-key 4a506a794f574265564551694d653768 crypto-alg aes-gcm-128
ipsec sa add 30 spi 1001 crypto-key 4a506a794f574265564551694d653768 crypto-alg aes-gcm-128

create ipip tunnel src 10.0.0.1 dst 10.0.0.2
ipsec tunnel protect ipip0 sa-in 20 sa-out 30
set int state ipip0 up
set int unnum ipip0 use pg0

create ipip tunnel src 10.0.0.2 dst 10.0.0.1
ipsec tunnel protect ipip1 sa-in 30 sa-out 20
set int state ipip1 up
set int ip table ipip1 1
set int unnum ipip1 use pg1

ip route add 192.168.1.0/24 via ipip0
set ip neighbor pg1 192.168.1.2 00:11:22:33:44:55
ip route add table 1 192.168.0.0/24 via ipip1
set ip neighbor pg0 192.168.0.2 00:11:22:33:44:66

trace add pg-input 100

packet-generator new {
  name ipsec1
  limit 1
  rate 1e4
  node ip4-input
  interface pg0
  size 100-100
  data {
    UDP: 192.168.0.2 -> 192.168.1.2
    UDP: 4321 -> 1234
    length 72
    incrementing 100
  }
}

packet-generator new {
  name ipsec2
  limit 1
  rate 1e4
  node ip4-input
  interface pg1
  size 100-100
  data {
    UDP: 192.168.1.2 -> 192.168.0.2
    UDP: 4321 -> 1234
    length 72
    incrementing 100
  }
}