Hi everyone,

I made some tests for IKEv2 functionality which were working about a month ago. 
Unfortunately, today I realized that these are no longer working.

Running this command (worked fine before):

    exec ip route add 10.0.10.1/24 via ipsec0

will result in error: 'via ipsec0' parse error.

I suppose there should be some IP in front of the interface name, but I cannot 
directly set an IP on the ipsec0 interface.

I can see from the packet that it arrived at the ipsec interface and was 
decrypted and sent to loopback, but from that point it doesn't know how to 
forward it back, and a weird error is at the end of the packet trace.

Packet 3

00:00:15:004763: dpdk-input
  GigabitEthernet0/a/0 rx queue 0
  buffer 0x4db5: current data 0, length 102, free-list 0, totlen-nifb 0, trace 0x2
  PKT MBUF: port 1, nb_segs 1, pkt_len 102
    buf_len 2176, data_len 102, ol_flags 0x0, data_off 128, phys_addr 0x4e132c40
    packet_type 0x0
  IP4: 08:00:27:7e:6e:2e -> 08:00:27:9b:f1:65
  IPSEC_ESP: 10.0.0.10 -> 10.0.0.5
    tos 0x00, ttl 64, length 88, checksum 0x6665
    fragment id 0x0001
00:00:15:004790: ethernet-input
  IP4: 08:00:27:7e:6e:2e -> 08:00:27:9b:f1:65
00:00:15:004794: ip4-input
  IPSEC_ESP: 10.0.0.10 -> 10.0.0.5
    tos 0x00, ttl 64, length 88, checksum 0x6665
    fragment id 0x0001
00:00:15:004797: ip4-lookup
  fib 0 dpo-idx 6 flow hash: 0x00000000
  IPSEC_ESP: 10.0.0.10 -> 10.0.0.5
    tos 0x00, ttl 64, length 88, checksum 0x6665
    fragment id 0x0001
00:00:15:004800: ip4-local
    IPSEC_ESP: 10.0.0.10 -> 10.0.0.5
      tos 0x00, ttl 64, length 88, checksum 0x6665
      fragment id 0x0001
00:00:15:004803: ipsec-if-input
  IPSec: spi 623421022 seq 1
00:00:15:004804: esp-decrypt
  esp: crypto aes-cbc-192 integrity sha1-96
00:00:15:004865: ip4-input
  ICMP: 10.0.10.1 -> 10.0.5.1
    tos 0x00, ttl 64, length 28, checksum 0x57df
   fragment id 0x0001
  ICMP echo_request checksum 0xf7ff
00:00:15:004866: ip4-lookup
  fib 0 dpo-idx 5 flow hash: 0x00000000
  ICMP: 10.0.10.1 -> 10.0.5.1
    tos 0x00, ttl 64, length 28, checksum 0x57df
    fragment id 0x0001
  ICMP echo_request checksum 0xf7ff
00:00:15:004866: ip4-local
    ICMP: 10.0.10.1 -> 10.0.5.1
      tos 0x00, ttl 64, length 28, checksum 0x57df
      fragment id 0x0001
    ICMP echo_request checksum 0xf7ff
00:00:15:004867: ip4-icmp-input
  ICMP: 10.0.10.1 -> 10.0.5.1
    tos 0x00, ttl 64, length 28, checksum 0x57df
    fragment id 0x0001
  ICMP echo_request checksum 0xf7ff
00:00:15:004869: ip4-icmp-echo-request
  ICMP: 10.0.10.1 -> 10.0.5.1
    tos 0x00, ttl 64, length 28, checksum 0x57df
    fragment id 0x0001
  ICMP echo_request checksum 0xf7ff
00:00:15:004874: ip4-rewrite-local
  tx_sw_if_index 5 adj-idx 1 :  loop0 index:1 flow hash: 0x00000000

00:00:15:004876: ip4-arp
    IP6_HOP_BY_HOP_OPTIONS: 8.6.69.0 -> 0.28.127.62
      version 15, header length 60
      tos 0xff, ttl 0, length 65535, checksum 0x0000 (should be 0x1646)
      fragment id 0xffff offset 62824, flags MORE_FRAGMENTS
00:00:15:004878: error-drop
  ip4-arp: ARPs to non-ARP adjacencies

VPP version : v16.12-rc0~173-gf56b77a~b1196

Is it better to adjust the ipsec implementation so that an IP can be set on 
the ipsec interface, or is there another way I can accomplish this?
Thanks,


Zdeno

_______________________________________________
vpp-dev mailing list
vpp-dev@lists.fd.io
https://lists.fd.io/mailman/listinfo/vpp-dev