Hi Nilesh, looks like you didn't configure esp-integ-alg (it is not a good idea not to use an integrity algorithm). So, either configure esp-integ-alg, or use a crypto algorithm that does the integrity check too, like "esp-crypto-alg aes-gcm-16 256".
Filip

________________________________
From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> on behalf of Nilesh Inamdar <nileshinamdar1...@gmail.com>
Sent: Friday, August 26, 2022 2:20 PM
To: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io>
Subject: [vpp-dev] ipip0 or ipsec0 is not getting created after executing "ikev2 initiate sa-init pr1"

Hi Team,

I am trying to bring up an IPSec session between 2 VPPs. After configuring and executing "ikev2 initiate sa-init pr1", the tunnel ipip0 or ipsec0 is not getting created. I see that the Child SA is not getting programmed correctly.

Topology:

vpp-responder (fpeth0) (192.168.4.1) ---------------------- (192.168.4.2) (fpeth0) vpp-initiator

Following are the logs:

###################################### Initiator logs ######################################

vpp# sh version
vpp v22.10-rc0~142-gabd566942 built by root on b804503bfc4e at 2022-08-26T09:31:25
vpp# show plugins
Plugin path is: /usr/lib/x86_64-linux-gnu/vpp_plugins
    Plugin                      Version                     Description
 1. memif_plugin.so             22.10-rc0~142-gabd566942    Packet Memory Interface (memif) -- Experimental
 2. ping_plugin.so              22.10-rc0~142-gabd566942    Ping (ping)
 3. dpdk_plugin.so              22.10-rc0~142-gabd566942    Data Plane Development Kit (DPDK)
 4. linux_nl_plugin.so          22.10-rc0~142-gabd566942    linux Control Plane - Netlink listener
 5. crypto_openssl_plugin.so    22.10-rc0~142-gabd566942    OpenSSL Crypto Engine
 6. ikev2_plugin.so             22.10-rc0~142-gabd566942    Internet Key Exchange (IKEv2) Protocol
 7. linux_cp_plugin.so          22.10-rc0~142-gabd566942    Linux Control Plane - Interface Mirror
vpp# set interface state fpeth0 up
vpp# set interface ip address fpeth0 192.168.4.2/24
vpp# ikev2 profile add pr1
vpp# ikev2 profile set pr1 auth shared-key-mic string Vpp123
vpp# ikev2 profile set pr1 id local fqdn roadwarrior.vpn.example.com
vpp# ikev2 profile set pr1 id remote fqdn vpp.home
vpp# ikev2 profile set pr1 traffic-selector local ip-range 192.168.5.0 - 192.168.5.255 port-range 0 - 65535 protocol 0
vpp# ikev2 profile set pr1 traffic-selector remote ip-range 192.168.3.0 - 192.168.3.255 port-range 0 - 65535 protocol 0
vpp# ikev2 profile set pr1 responder fpeth0 192.168.4.1
vpp# ikev2 profile set pr1 ike-crypto-alg aes-cbc 256 ike-integ-alg sha1-96 ike-dh modp-2048
vpp# ikev2 profile set pr1 esp-crypto-alg aes-cbc 256
vpp# ikev2 profile set pr1 sa-lifetime 3600 10 5 0
vpp# ikev2 initiate sa-init pr1
vpp# sh ikev2 sa details
 iip 192.168.4.2 ispi 289ce7c7aaa086d8 rip 192.168.4.1 rspi 47ee71e432475b6a
 encr:aes-cbc-256 prf:hmac-sha2-256 integ:sha1-96 dh-group:modp-2048
 nonce i:6a5359361129c654db012179b4ba6355ee12c72a10cdc8b176034ba9e0f1de19
       r:16b4f3372563fec3241b2f50370ea34c857b9b15304e7592b68ba882ec63d7cb
 SK_d  5b72bc5a285f4542eda61d3b320c50ddb533f3b5a308141f0f732f7cd9c0499a
 SK_a  i:8d12f619337db39bbbaeb90251707d0dde34321e
       r:12d35535e8572b519d761341c77e34e0146689d9
 SK_e  i:b62606f7835aa0bb883e95a9880009e6bdd4e219a5e013d2109daf7417838f4b
       r:ee42f7a0af25d7a02c93f1d3e902590f08aa1836bf551c4ea9145251ad0feea9
 SK_p  i:41f65005aa7003e5b7ed52ed23b59c131486a77fe9943968d5ebc06bb59f95e0
       r:d03cf04e294af3563504a94f9bcff552bce74e17ba7b2485ae90546098cc00bc
 identifier (i) id-type fqdn data roadwarrior.vpn.example.com
 identifier (r) id-type fqdn data vpp.home
 child sa 0:
   spi(i) 5714e027 spi(r) 0
   SK_e  i: r:
   traffic selectors (i):
     0 type 7 protocol_id 0 addr 192.168.5.0 - 192.168.5.255 port 0 - 65535
   traffic selectors (r):
     0 type 7 protocol_id 0 addr 192.168.3.0 - 192.168.3.255 port 0 - 65535
 Stats:
   keepalives :0
   rekey :0
   SA init :0 (retransmit: 0)
   retransmit: 0
   SA auth :0
vpp# show ipsec
show ipsec: unknown input `'
vpp# show ipsec all
SPD Bindings:
IPSec async mode: off

################################## Responder logs ##################################

vpp# sh version
vpp v22.10-rc0~142-gabd566942 built by root on b804503bfc4e at 2022-08-26T09:31:25
vpp# show plugins
Plugin path is: /usr/lib/x86_64-linux-gnu/vpp_plugins
    Plugin                      Version                     Description
 1. memif_plugin.so             22.10-rc0~142-gabd566942    Packet Memory Interface (memif) -- Experimental
 2. ping_plugin.so              22.10-rc0~142-gabd566942    Ping (ping)
 3. dpdk_plugin.so              22.10-rc0~142-gabd566942    Data Plane Development Kit (DPDK)
 4. linux_nl_plugin.so          22.10-rc0~142-gabd566942    linux Control Plane - Netlink listener
 5. crypto_openssl_plugin.so    22.10-rc0~142-gabd566942    OpenSSL Crypto Engine
 6. ikev2_plugin.so             22.10-rc0~142-gabd566942    Internet Key Exchange (IKEv2) Protocol
 7. linux_cp_plugin.so          22.10-rc0~142-gabd566942    Linux Control Plane - Interface Mirror
vpp# set interface state fpeth0 up
vpp# set interface ip address fpeth0 192.168.4.1/24
vpp# ikev2 profile add pr1
vpp# ikev2 profile set pr1 auth shared-key-mic string Vpp123
vpp# ikev2 profile set pr1 id local fqdn vpp.home
vpp# ikev2 profile set pr1 id remote fqdn roadwarrior.vpn.example.com
vpp# ikev2 profile set pr1 traffic-selector remote ip-range 192.168.5.0 - 192.168.5.255 port-range 0 - 65535 protocol 0
vpp# ikev2 profile set pr1 traffic-selector local ip-range 192.168.3.0 - 192.168.3.255 port-range 0 - 65535 protocol 0
vpp# show ikev2 sa
 iip 192.168.4.2 ispi 289ce7c7aaa086d8 rip 192.168.4.1 rspi 47ee71e432475b6a
vpp# show ikev2 sa details
 iip 192.168.4.2 ispi 289ce7c7aaa086d8 rip 192.168.4.1 rspi 47ee71e432475b6a
 encr:aes-cbc-256 prf:hmac-sha2-256 integ:sha1-96 dh-group:modp-2048
 nonce i:6a5359361129c654db012179b4ba6355ee12c72a10cdc8b176034ba9e0f1de19
       r:16b4f3372563fec3241b2f50370ea34c857b9b15304e7592b68ba882ec63d7cb
 SK_d  5b72bc5a285f4542eda61d3b320c50ddb533f3b5a308141f0f732f7cd9c0499a
 SK_a  i:8d12f619337db39bbbaeb90251707d0dde34321e
       r:12d35535e8572b519d761341c77e34e0146689d9
 SK_e  i:b62606f7835aa0bb883e95a9880009e6bdd4e219a5e013d2109daf7417838f4b
       r:ee42f7a0af25d7a02c93f1d3e902590f08aa1836bf551c4ea9145251ad0feea9
 SK_p  i:41f65005aa7003e5b7ed52ed23b59c131486a77fe9943968d5ebc06bb59f95e0
       r:d03cf04e294af3563504a94f9bcff552bce74e17ba7b2485ae90546098cc00bc
 identifier (i) id-type fqdn data roadwarrior.vpn.example.com
 identifier (r) id-type fqdn data vpp.home
 child sa 0:
   encr:aes-cbc-256 esn:yes
   spi(i) 5714e027 spi(r) 1c518c85
   SK_e  i: r:
   traffic selectors (i):
     0 type 7 protocol_id 0 addr 192.168.5.0 - 192.168.5.255 port 0 - 65535
   traffic selectors (r):
     0 type 7 protocol_id 0 addr 192.168.3.0 - 192.168.3.255 port 0 - 65535
 Stats:
   keepalives :0
   rekey :0
   SA init :1 (retransmit: 0)
   retransmit: 0
   SA auth :1
vpp# show ipsec all
SPD Bindings:
IPSec async mode: off
vpp# sh ipsec sa
vpp# sh ipsec spd
vpp#

Also I tried by setting "ikev2 set logging level 5". But I did not see any ikev2 logs in "show logging". I also tried configuring the algorithm on the responder side as well. But I'm still getting the same result.

Apart from the ikev2 plugin, do we need to add any more plugins? Can anyone please check if IPSec sessions are coming up in the latest vpp?

Thanks and Regards
Nilesh Inamdar
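As an added example (not code from this thread, from Filip, or from the VPP project), the rule in the reply above can be turned into a small lint over a vppctl transcript: every ikev2 profile that sets a non-AEAD esp-crypto-alg must also set esp-integ-alg, while an AEAD cipher such as aes-gcm-16 carries its own authentication tag and needs no separate integrity transform. It is written in Python, strips "vpp#" prompts so it can be run directly on pasted session logs, and assumes esp-integ-alg may appear either on the same "ikev2 profile set" line as esp-crypto-alg (as the thread's ike-crypto-alg line does) or on a line of its own. The pr1 lines are the initiator's configuration from the thread; pr2 and pr3 are constructed corrected variants.

```python
"""Lint VPP ikev2 profile CLI lines: flag ESP proposals that would run without integrity."""
import re

# AEAD transforms authenticate the ciphertext themselves, so no separate ESP
# integrity transform is required. aes-gcm-16 is the token named in the thread.
AEAD_ALGS = {"aes-gcm-16"}

# Constructed sample transcript: pr1 is the initiator's profile from the thread
# (esp-crypto-alg but no esp-integ-alg); pr2 and pr3 are hypothetical fixed profiles.
SAMPLE_CLI = """\
vpp# ikev2 profile add pr1
vpp# ikev2 profile set pr1 auth shared-key-mic string Vpp123
vpp# ikev2 profile set pr1 ike-crypto-alg aes-cbc 256 ike-integ-alg sha1-96 ike-dh modp-2048
vpp# ikev2 profile set pr1 esp-crypto-alg aes-cbc 256
vpp# ikev2 profile add pr2
vpp# ikev2 profile set pr2 esp-crypto-alg aes-cbc 256 esp-integ-alg sha1-96
vpp# ikev2 profile add pr3
vpp# ikev2 profile set pr3 esp-crypto-alg aes-gcm-16 256
"""

PROMPT = re.compile(r"^\s*vpp#\s*")
PROFILE = re.compile(r"^ikev2 profile (add|set) (\S+)\s*(.*)$")
ESP_CRYPTO = re.compile(r"esp-crypto-alg (\S+) (\d+)")   # does not match ike-crypto-alg
ESP_INTEG = re.compile(r"esp-integ-alg (\S+)")           # does not match ike-integ-alg


def parse_profiles(cli_text):
    """Collect the ESP transform settings of every ikev2 profile in a CLI transcript."""
    profiles = {}
    for raw in cli_text.splitlines():
        line = PROMPT.sub("", raw.strip())
        m = PROFILE.match(line)
        if not m:
            continue
        verb, name, rest = m.groups()
        prof = profiles.setdefault(name, {"esp_crypto": None, "esp_integ": None})
        if verb != "set":
            continue
        c = ESP_CRYPTO.search(rest)
        if c:
            prof["esp_crypto"] = (c.group(1), int(c.group(2)))
        i = ESP_INTEG.search(rest)
        if i:
            prof["esp_integ"] = i.group(1)
    return profiles


def check_esp_integrity(profiles):
    """Return {profile: (ok, reason)}; ok is False when ESP would have no integrity check."""
    results = {}
    for name, p in profiles.items():
        crypto, integ = p["esp_crypto"], p["esp_integ"]
        if crypto is None:
            results[name] = (False, "no esp-crypto-alg configured")
        elif crypto[0] in AEAD_ALGS:
            results[name] = (True, f"{crypto[0]}-{crypto[1]} is AEAD; integrity is built in")
        elif integ is None:
            results[name] = (False, f"{crypto[0]}-{crypto[1]} with no esp-integ-alg: "
                                    "unauthenticated ESP; add esp-integ-alg or use aes-gcm-16")
        else:
            results[name] = (True, f"{crypto[0]}-{crypto[1]} + {integ}")
    return results


def lint(cli_text):
    """Parse a transcript and return the per-profile verdicts."""
    return check_esp_integrity(parse_profiles(cli_text))


if __name__ == "__main__":
    for name, (ok, reason) in lint(SAMPLE_CLI).items():
        print(f"{'OK  ' if ok else 'WARN'} {name}: {reason}")
```

Run against the sample, pr1 is reported as WARN and pr2/pr3 as OK; pointing it at a saved "vppctl show ikev2 profile" dump or a startup config would need the same two regexes adjusted to that output's wording.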