[vpp-dev] Regarding IPsec errors "Integrity failure" and "Unsupported payload"
Hi Neale,

I am testing data traffic b/w Strongswan and VPP, but sometimes data traffic is dropped in the esp4-decrypt-tun graph node. Sometimes it is dropped with "Integrity failure", while sometimes it is "Unsupported payload".

But if I delete the tunnel and re-establish the IPSec SA, then it works fine. I have ensured the configuration w.r.t. PSK, Proposals and TS is fine. Also, I confirmed that the adjacencies (routes) for the Strongswan are fine on the VPP side.

The version I am using is pasted below. Could I be missing something? These are random issues.

vpp# show version
vpp v20.05.1-2~g44ff05906-dirty built by an-vijay_kumar on 56d1c81f572a at 2021-07-30T15:54:16

Regards.

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#19883): https://lists.fd.io/g/vpp-dev/message/19883
Mute This Topic: https://lists.fd.io/mt/84569833/21656
Group Owner: vpp-dev+ow...@lists.fd.io
Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
[vpp-dev] #ipsec #vnet #vpp #vpp-dev
Hi All,

I am facing a problem when IPSEC is enabled on my box.

1) Once the packet comes to my box, I am decrypting the packet and I am setting the fib index as 1, since my TCP application's listening IP belongs to fib 1.
2) In this scenario the SYN has reached the TCP node, and then the SYN+ACK is formed and it is forwarded by the TCP node to the ip node, where the lookup is happening.
3) Here at the IP layer, inside ip4_lookup_inline(), it is marking the next node based on the dpo object.
4) Now, from the IP layer it has to reach esp4-encrypt(), but sometimes it's not reaching.

What could be the reason? Can anyone please shed some light on this?

Below are the steps I am performing.

1) Creating the IPSEC tunnel at my StrongSwan.
2) Creating the ipip0 interface using
   set interface state ipip0 up
3) Setting this unnumbered ipip0 to vth interface.
   set interface unnumbered ipip0 use VirtualFuncEthernet0/6/0.884
4) Adding a reverse route so that my SYN+ACK can reach my client.

Thanks,
Nikhil
Re: [vpp-dev] #ipsec #vnet #vpp #vpp-dev
There’s not enough information here to diagnose what the problem is. Let’s start with a packet trace.

#regards
/neale

From: vpp-dev@lists.fd.io on behalf of nikhil subhedar via lists.fd.io
Date: Saturday, 31 July 2021 at 19:49
To: vpp-dev@lists.fd.io
Subject: [vpp-dev] #ipsec #vnet #vpp #vpp-dev

Hi All,

I am facing a problem when IPSEC is enabled on my box.

1) Once the packet comes to my box, I am decrypting the packet and I am setting the fib index as 1, since my TCP application's listening IP belongs to fib 1.
2) In this scenario the SYN has reached the TCP node, and then the SYN+ACK is formed and it is forwarded by the TCP node to the ip node, where the lookup is happening.
3) Here at the IP layer, inside ip4_lookup_inline(), it is marking the next node based on the dpo object.
4) Now, from the IP layer it has to reach esp4-encrypt(), but sometimes it's not reaching.

What could be the reason? Can anyone please shed some light on this?

Below are the steps I am performing.

1) Creating the IPSEC tunnel at my StrongSwan.
2) Creating the ipip0 interface using
   set interface state ipip0 up
3) Setting this unnumbered ipip0 to vth interface.
   set interface unnumbered ipip0 use VirtualFuncEthernet0/6/0.884
4) Adding a reverse route so that my SYN+ACK can reach my client.

Thanks,
Nikhil