Hi Nilesh,

looks like you didn't configure esp-integ-alg (it is not a good idea not to use an integrity algorithm).
So, either configure esp-integ-alg, or use a crypto algorithm that does an integrity check too, like "esp-crypto-alg aes-gcm-16 256"

Filip
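As an added illustration of the point in the reply above (this is not code from the list thread or from the VPP project), the following Python linter scans `ikev2 profile set` lines, such as the ones quoted below, and reports any profile whose ESP proposal pairs a non-AEAD cipher with no `esp-integ-alg`. It assumes the one-line form `esp-crypto-alg <alg> <keysize> esp-integ-alg <alg>` that VPP's IKEv2 CLI accepts, treats only `aes-gcm-16` (the AEAD name used in the reply) as self-authenticating, and the sample configuration it runs on is constructed for this example.

```python
"""Lint VPP IKEv2 profile CLI lines for ESP proposals without integrity protection.

Added example for this thread, not VPP code. An ESP SA whose cipher does not
authenticate (aes-cbc here) must carry a separate integrity algorithm, or the
child SA cannot be negotiated and, if it were, packets would be unauthenticated.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Ciphers that authenticate as well as encrypt (AEAD). Only the name used in the
# reply is listed; extend it if your VPP build exposes other AEAD ciphers.
AEAD_CIPHERS = {"aes-gcm-16"}

# Assumed CLI grammar: "ikev2 profile set <name> esp-crypto-alg <alg> <bits> [esp-integ-alg <alg>]"
_PROFILE_SET = re.compile(r"^\s*(?:vpp#\s*)?ikev2\s+profile\s+set\s+(\S+)\s+(.*)$")
_ESP_CRYPTO = re.compile(r"\besp-crypto-alg\s+(\S+)\s+(\d+)")
_ESP_INTEG = re.compile(r"\besp-integ-alg\s+(\S+)")


@dataclass
class EspProposal:
    crypto_alg: Optional[str] = None
    key_size: Optional[int] = None
    integ_alg: Optional[str] = None


def parse_profiles(lines):
    """Collect the ESP proposal of each profile from 'ikev2 profile set' lines.

    The crypto and integrity settings may sit on one line or on separate lines;
    later lines for the same profile overwrite earlier ones, as the CLI would.
    """
    profiles: Dict[str, EspProposal] = {}
    for line in lines:
        m = _PROFILE_SET.match(line)
        if not m:
            continue
        name, rest = m.group(1), m.group(2)
        prop = profiles.setdefault(name, EspProposal())
        c = _ESP_CRYPTO.search(rest)
        if c:
            prop.crypto_alg = c.group(1)
            prop.key_size = int(c.group(2))
        i = _ESP_INTEG.search(rest)
        if i:
            prop.integ_alg = i.group(1)
    return profiles


def find_unauthenticated_esp(lines):
    """Return {profile_name: reason} for ESP proposals that lack integrity protection."""
    findings = {}
    for name, prop in parse_profiles(lines).items():
        if prop.crypto_alg is None:
            continue  # no ESP proposal configured; nothing to judge yet
        if prop.crypto_alg in AEAD_CIPHERS:
            continue  # the AEAD cipher authenticates the payload itself
        if prop.integ_alg is None:
            findings[name] = (f"esp-crypto-alg {prop.crypto_alg} {prop.key_size} "
                              "without esp-integ-alg")
    return findings


# Constructed sample: pr1 mirrors the weak setting from the thread, pr2 adds an
# integrity algorithm, pr3 switches to an AEAD cipher.
SAMPLE_CONFIG = """
vpp# ikev2 profile add pr1
vpp# ikev2 profile set pr1 esp-crypto-alg aes-cbc 256
vpp# ikev2 profile add pr2
vpp# ikev2 profile set pr2 esp-crypto-alg aes-cbc 256 esp-integ-alg sha1-96
vpp# ikev2 profile add pr3
vpp# ikev2 profile set pr3 esp-crypto-alg aes-gcm-16 256
""".strip().splitlines()


if __name__ == "__main__":
    for profile, reason in find_unauthenticated_esp(SAMPLE_CONFIG).items():
        print(f"{profile}: {reason}")
```

Run it against a saved startup configuration or a pasted CLI session; only `pr1` is reported, which is the same gap the reply identifies.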
________________________________
From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> on behalf of Nilesh Inamdar 
<nileshinamdar1...@gmail.com>
Sent: Friday, August 26, 2022 2:20 PM
To: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io>
Subject: [vpp-dev] ipip0 or ipsec0 is not getting created after executing 
"ikev2 initiate sa-init pr1"

Hi Team,

I am trying to bring up an IPSec session between two VPPs.
After configuring and executing "ikev2 initiate sa-init pr1", the tunnel ipip0 or ipsec0 is not getting created.
I see that Child SA is not getting programmed correctly.

Topology:
vpp-responder (fpeth0) (192.168.4.1) ---------------------- (192.168.4.2) 
(fpeth0)vpp-initiator

Following are the logs:
######################################
Initiator logs
######################################

vpp#
vpp# sh version
vpp v22.10-rc0~142-gabd566942 built by root on b804503bfc4e at 2022-08-26T09:31:25
vpp#
vpp# show plugins
 Plugin path is: /usr/lib/x86_64-linux-gnu/vpp_plugins

     Plugin                                   Version                          Description
  1. memif_plugin.so                          22.10-rc0~142-gabd566942         Packet Memory Interface (memif) -- Experimental
  2. ping_plugin.so                           22.10-rc0~142-gabd566942         Ping (ping)
  3. dpdk_plugin.so                           22.10-rc0~142-gabd566942         Data Plane Development Kit (DPDK)
  4. linux_nl_plugin.so                       22.10-rc0~142-gabd566942         linux Control Plane - Netlink listener
  5. crypto_openssl_plugin.so                 22.10-rc0~142-gabd566942         OpenSSL Crypto Engine
  6. ikev2_plugin.so                          22.10-rc0~142-gabd566942         Internet Key Exchange (IKEv2) Protocol
  7. linux_cp_plugin.so                       22.10-rc0~142-gabd566942         Linux Control Plane - Interface Mirror
vpp#
vpp#
vpp# set interface state fpeth0 up
vpp# set interface ip address fpeth0 192.168.4.2/24
vpp# ikev2 profile add pr1
vpp# ikev2 profile set pr1 auth shared-key-mic string Vpp123
vpp# ikev2 profile set pr1 id local fqdn roadwarrior.vpn.example.com
vpp# ikev2 profile set pr1 id remote fqdn vpp.home
vpp# ikev2 profile set pr1 traffic-selector local ip-range 192.168.5.0 - 192.168.5.255 port-range 0 - 65535 protocol 0
vpp# ikev2 profile set pr1 traffic-selector remote ip-range 192.168.3.0 - 192.168.3.255 port-range 0 - 65535 protocol 0
vpp#
vpp# ikev2 profile set pr1 responder fpeth0 192.168.4.1
vpp# ikev2 profile set pr1 ike-crypto-alg aes-cbc 256 ike-integ-alg sha1-96 ike-dh modp-2048
vpp# ikev2 profile set pr1 esp-crypto-alg aes-cbc 256
vpp# ikev2 profile set pr1 sa-lifetime 3600 10 5 0
vpp#
vpp# ikev2 initiate sa-init pr1
vpp# sh ikev2 sa details
iip 192.168.4.2 ispi 289ce7c7aaa086d8 rip 192.168.4.1 rspi 47ee71e432475b6a
 encr:aes-cbc-256 prf:hmac-sha2-256 integ:sha1-96 dh-group:modp-2048
 nonce i:6a5359361129c654db012179b4ba6355ee12c72a10cdc8b176034ba9e0f1de19
       r:16b4f3372563fec3241b2f50370ea34c857b9b15304e7592b68ba882ec63d7cb
 SK_d    5b72bc5a285f4542eda61d3b320c50ddb533f3b5a308141f0f732f7cd9c0499a
 SK_a  i:8d12f619337db39bbbaeb90251707d0dde34321e
       r:12d35535e8572b519d761341c77e34e0146689d9
 SK_e  i:b62606f7835aa0bb883e95a9880009e6bdd4e219a5e013d2109daf7417838f4b
       r:ee42f7a0af25d7a02c93f1d3e902590f08aa1836bf551c4ea9145251ad0feea9
 SK_p  i:41f65005aa7003e5b7ed52ed23b59c131486a77fe9943968d5ebc06bb59f95e0
       r:d03cf04e294af3563504a94f9bcff552bce74e17ba7b2485ae90546098cc00bc
 identifier (i) id-type fqdn data roadwarrior.vpn.example.com
 identifier (r) id-type fqdn data vpp.home
   child sa 0:
    spi(i) 5714e027 spi(r) 0
    SK_e  i:
          r:
    traffic selectors (i):0 type 7 protocol_id 0 addr 192.168.5.0 - 192.168.5.255 port 0 - 65535
    traffic selectors (r):0 type 7 protocol_id 0 addr 192.168.3.0 - 192.168.3.255 port 0 - 65535
Stats:
 keepalives :0
 rekey :0
 SA init :0 (retransmit: 0)
 retransmit: 0
 SA auth :0

vpp# show ipsec
show ipsec: unknown input `'
vpp# show ipsec all
SPD Bindings:
IPSec async mode: off
vpp#


##################################
Responder logs
##################################

vpp# sh version
vpp v22.10-rc0~142-gabd566942 built by root on b804503bfc4e at 2022-08-26T09:31:25
vpp#
vpp# show plugins
 Plugin path is: /usr/lib/x86_64-linux-gnu/vpp_plugins

     Plugin                                   Version                          Description
  1. memif_plugin.so                          22.10-rc0~142-gabd566942         Packet Memory Interface (memif) -- Experimental
  2. ping_plugin.so                           22.10-rc0~142-gabd566942         Ping (ping)
  3. dpdk_plugin.so                           22.10-rc0~142-gabd566942         Data Plane Development Kit (DPDK)
  4. linux_nl_plugin.so                       22.10-rc0~142-gabd566942         linux Control Plane - Netlink listener
  5. crypto_openssl_plugin.so                 22.10-rc0~142-gabd566942         OpenSSL Crypto Engine
  6. ikev2_plugin.so                          22.10-rc0~142-gabd566942         Internet Key Exchange (IKEv2) Protocol
  7. linux_cp_plugin.so                       22.10-rc0~142-gabd566942         Linux Control Plane - Interface Mirror
vpp# set interface state fpeth0 up
vpp# set interface ip address fpeth0 192.168.4.1/24
vpp# ikev2 profile add pr1
vpp# ikev2 profile set pr1 auth shared-key-mic string Vpp123
vpp# ikev2 profile set pr1 id local fqdn vpp.home
vpp# ikev2 profile set pr1 id remote fqdn roadwarrior.vpn.example.com
vpp# ikev2 profile set pr1 traffic-selector remote ip-range 192.168.5.0 - 192.168.5.255 port-range 0 - 65535 protocol 0
vpp# ikev2 profile set pr1 traffic-selector local ip-range 192.168.3.0 - 192.168.3.255 port-range 0 - 65535 protocol 0
vpp#
vpp# show ikev2 sa
iip 192.168.4.2 ispi 289ce7c7aaa086d8 rip 192.168.4.1 rspi 47ee71e432475b6a
vpp# show ikev2 sa details
iip 192.168.4.2 ispi 289ce7c7aaa086d8 rip 192.168.4.1 rspi 47ee71e432475b6a
 encr:aes-cbc-256 prf:hmac-sha2-256 integ:sha1-96 dh-group:modp-2048
 nonce i:6a5359361129c654db012179b4ba6355ee12c72a10cdc8b176034ba9e0f1de19
       r:16b4f3372563fec3241b2f50370ea34c857b9b15304e7592b68ba882ec63d7cb
 SK_d    5b72bc5a285f4542eda61d3b320c50ddb533f3b5a308141f0f732f7cd9c0499a
 SK_a  i:8d12f619337db39bbbaeb90251707d0dde34321e
       r:12d35535e8572b519d761341c77e34e0146689d9
 SK_e  i:b62606f7835aa0bb883e95a9880009e6bdd4e219a5e013d2109daf7417838f4b
       r:ee42f7a0af25d7a02c93f1d3e902590f08aa1836bf551c4ea9145251ad0feea9
 SK_p  i:41f65005aa7003e5b7ed52ed23b59c131486a77fe9943968d5ebc06bb59f95e0
       r:d03cf04e294af3563504a94f9bcff552bce74e17ba7b2485ae90546098cc00bc
 identifier (i) id-type fqdn data roadwarrior.vpn.example.com
 identifier (r) id-type fqdn data vpp.home
   child sa 0:encr:aes-cbc-256  esn:yes
    spi(i) 5714e027 spi(r) 1c518c85
    SK_e  i:
          r:
    traffic selectors (i):0 type 7 protocol_id 0 addr 192.168.5.0 - 192.168.5.255 port 0 - 65535
    traffic selectors (r):0 type 7 protocol_id 0 addr 192.168.3.0 - 192.168.3.255 port 0 - 65535
Stats:
 keepalives :0
 rekey :0
 SA init :1 (retransmit: 0)
 retransmit: 0
 SA auth :1

vpp#
vpp#
vpp#
vpp# show ipsec all
SPD Bindings:
IPSec async mode: off
vpp#
vpp#
vpp# sh ipsec sa
vpp# sh ipsec spd
vpp#

Also I tried setting "ikev2 set logging level 5",
but I did not see any ikev2 logs in "show logging".

I also tried configuring the algorithm on the responder side as well, but I'm still getting the same result.

Apart from the ikev2 plugin, do we need to add any more plugins?

Can anyone please check if IPSec sessions are coming up in the latest vpp?

Thanks and Regards
Nilesh Inamdar

View/Reply Online (#21830): https://lists.fd.io/g/vpp-dev/message/21830
