> Hi Konstantin,
> > > > Hi Akhil,
> > > > > Adding lookaside IPsec UDP encapsulation support
> > > > > for NAT traversal.
> > > > > Added --udp-encap option for application to specify
> > > > > if UDP encapsulation needs to be enabled.
> > > > > Example secgw command with UDP encapsulation enabled:
> > > > > <secgw> -c 0x1 -- -P -p 0x1 --config "(0,0,0)" -f ep0.cfg --udp-encap
> > > >
> > > > Can we have it not as global, but a per SA option?
> > > > Add new keyword for SA/SP into ipsec-secgw config file, etc.
> > > > Konstantin
> > > >
> > >
> > > Any specific reason to make udp_encap as per SA?
> > > UDP encapsulation is a feature which I believe should be application wide.
> > > If it supports the feature it should be enabled for all SAs when the UDP port
> > > is 4500 which is reserved for it.
> >
> > Not sure why it has to be application wide?
> > Why is it not possible to have, let's say, SA1 in ipv4/ipv6 tunnel mode over port 0,
> > and SA2 with udp encap over port 1?
> > Note that in DPDK librte_security it is per SA option.
>
> UDP encapsulation can be done only if the UDP port is 4500 as per the specification.
> Please correct me if I am wrong. So if UDP port is NOT 4500 and udp-encap is
> enabled in the command line, UDP encapsulation will not work.

I am not asking you to support multiple UDP ports for IPsec encapsulation.
What I am saying: it should be possible to use SAs with UDP encapsulation
along with SAs without (plain tunnel/transport mode).
As I understand, with your patch it is not possible: if the user specified
--udp-encap, all SAs (on all crypto-devs) will be treated as UDP encapsulated.

> Hence it does make sense to make it application wide. It will be tedious for
> the user to add this in every SA.
>
> Regards,
> Akhil
>
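
The per-SA behaviour discussed in this thread, sketched as an added example that is not code from the patch, from ipsec-secgw or from DPDK. `struct sa`, `sa_write_encap` and the sample SPIs are hypothetical; the only facts assumed are IP protocol numbers 17 and 50, UDP port 4500 and the zero IPv4 UDP checksum from RFC 3948.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define PROTO_UDP   17      /* IANA protocol numbers */
#define PROTO_ESP   50
#define NATT_PORT   4500    /* UDP-encapsulated ESP port (RFC 3948) */
#define UDP_HDR_LEN 8

/* Hypothetical SA record: encapsulation is a property of the SA,
 * not one process-wide switch. */
struct sa {
    uint32_t spi;
    uint8_t  udp_encap;
};

/* Emit whatever sits between the outer IP header and the ESP header.
 * Returns bytes written (0 = plain ESP, 8 = UDP header), or -1 on error.
 * *proto receives the protocol number for the outer IP header. */
int sa_write_encap(const struct sa *sa, size_t esp_len,
                   uint8_t *buf, size_t cap, uint8_t *proto)
{
    if (!sa->udp_encap) {
        *proto = PROTO_ESP;
        return 0;
    }
    if (cap < UDP_HDR_LEN || esp_len > 0xFFFFu - UDP_HDR_LEN)
        return -1;
    uint16_t ulen = (uint16_t)(UDP_HDR_LEN + esp_len);
    buf[0] = buf[2] = NATT_PORT >> 8;      /* src and dst port 4500 */
    buf[1] = buf[3] = NATT_PORT & 0xFF;
    buf[4] = (uint8_t)(ulen >> 8);         /* UDP length, network order */
    buf[5] = (uint8_t)(ulen & 0xFF);
    buf[6] = buf[7] = 0;                   /* zero checksum (RFC 3948, IPv4) */
    *proto = PROTO_UDP;
    return UDP_HDR_LEN;
}

int main(void)
{
    /* Constructed sample: two SAs on one gateway, only one using NAT-T. */
    struct sa sas[] = { { 0x1001, 0 }, { 0x1002, 1 } };
    uint8_t hdr[UDP_HDR_LEN], proto;
    for (size_t i = 0; i < 2; i++) {
        int n = sa_write_encap(&sas[i], 120, hdr, sizeof(hdr), &proto);
        printf("SPI 0x%x: outer proto %u, %d encap bytes\n",
               (unsigned)sas[i].spi, (unsigned)proto, n);
    }
    return 0;
}
```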