On 9/24/2019 11:35 AM, Drost, MariuszX wrote:
Ipsec-secgw example application fails to initialize when using default configuration file (ep0.cfg) in library mode (librte_ipsec enabled).

The reason is that two of SP rules in ep0.cfg, one for IPv4 and one for IPv6, are using the same SPI number. When SA rules are initialized, their SPI number is checked against SPIs stored in SPD. For library mode, it is not allowed for the same SA to handle both IPv4 and IPv6.

Solution is to split SAD into two separate parts - one for IPv4 and one for IPv6. Usage of SAs stays the same. Only change is to pass correct SAD (IPv4 or IPv6) in places where previously combined database was passed.

Split of SA entries is done at initialization stage. Most of given SA entries are checked against SPD. If matching entry is in IPv4 SPD, SA rule is added to IPv4 SAD (respectively for IPv6). Different splitting method is used only when SA entry is for tunnel in inbound direction. In that case if IPv4 tunnel should be used, SA entry is added to IPv4 SAD (respectively for IPv6). Reasoning is that inner IP version can be different than outer IP version for tunneled traffic.

Bugzilla ID: 239
Fixes: 5a032a71c6d3 ("examples/ipsec-secgw: make app to use IPsec library")

Reported-by: Lukasz Bartosik <lbarto...@marvell.com>
Signed-off-by: Mariusz Drost <mariuszx.dr...@intel.com>
---
Acked-by: Radu Nicolau <radu.nico...@intel.com>
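
The SAD selection rule described in the quoted commit message, sketched as an added C example that is not part of the patch or of ipsec-secgw. All type and function names, the sample SPIs, the single SPI list per SPD, and the choice to place an SPI referenced by both SPDs into both SADs are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names throughout; none are DPDK or ipsec-secgw identifiers. */
#define N(a) (sizeof(a) / sizeof((a)[0]))
enum { SAD_NONE = 0, SAD_IP4 = 1, SAD_IP6 = 2 };   /* bitmask of target SADs */
enum sa_dir  { DIR_IN, DIR_OUT };
enum sa_mode { MODE_TRANSPORT, MODE_TUNNEL_IP4, MODE_TUNNEL_IP6 };
struct sa_entry { uint32_t spi; enum sa_dir dir; enum sa_mode mode; };

/* Constructed sample data: SPIs referenced by each SPD; SPI 5 is in both. */
static const uint32_t SPD4[] = { 5, 10 };
static const uint32_t SPD6[] = { 5, 15 };
static const struct sa_entry SAS[] = {
    {  5, DIR_OUT, MODE_TRANSPORT  },  /* SPI shared by IPv4 and IPv6 SP rules  */
    { 10, DIR_OUT, MODE_TUNNEL_IP6 },  /* outbound tunnel: SPD match decides    */
    { 15, DIR_IN,  MODE_TUNNEL_IP4 },  /* inbound tunnel: outer version decides */
    { 99, DIR_IN,  MODE_TRANSPORT  },  /* SPI not referenced by any SP rule     */
};

static int spi_in_spd(const uint32_t *spd, size_t n, uint32_t spi)
{
    for (size_t i = 0; i < n; i++)
        if (spd[i] == spi)
            return 1;
    return 0;
}

/* Select the SAD(s) for one SA entry at initialization time. */
static int sad_select(const struct sa_entry *sa)
{
    /* Inbound tunnel: the tunnel (outer) IP version picks the SAD, because the
     * inner packet described by the SPD may use the other version. */
    if (sa->dir == DIR_IN && sa->mode != MODE_TRANSPORT)
        return sa->mode == MODE_TUNNEL_IP4 ? SAD_IP4 : SAD_IP6;

    /* All other entries follow the SPD that references their SPI.
     * Assumption: an SPI present in both SPDs lands in both SADs. */
    return (spi_in_spd(SPD4, N(SPD4), sa->spi) ? SAD_IP4 : SAD_NONE) |
           (spi_in_spd(SPD6, N(SPD6), sa->spi) ? SAD_IP6 : SAD_NONE);
}

int main(void)
{
    for (size_t i = 0; i < N(SAS); i++)
        printf("SPI %u -> SAD mask %d\n", (unsigned)SAS[i].spi, sad_select(&SAS[i]));
    return 0;
}
```

An entry that returns `SAD_NONE` matches no SP rule, so no policy would ever select it; flagging such entries at load time helps catch configuration mistakes.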