Hi everyone,

I am a newbie to vpp. Last Sunday I wanted to test the ipsec tunnel mode.

First I used two VMs (HOST A and HOST B, both with two NICs) which had ipsec-tools installed to test the case, and it worked well. Then I installed vpp on HOST B and translated the configuration into the vpp style. It did not work. I have read wiki.fd.io, but it only shows the transport mode. I tested it with "ping 192.168.10.10 -I 192.168.11.11" on HOST A. Did I miss something? Any advice is welcome. Thanks.

HOST A (ubuntu)                        HOST B (vpp)
enp0s8 172.22.15.88    <-------->      enp0s8 172.22.15.77
enp0s9 192.168.11.11                   enp0s9 192.168.10.10

The following are my vpp cmds:

vppctl set interface ip address GigabitEthernet0/8/0 172.22.15.77/24
vppctl set interface state GigabitEthernet0/8/0 up
vppctl set interface ip address GigabitEthernet0/9/0 192.168.10.10/24
vppctl set interface state GigabitEthernet0/9/0 up
vppctl ipsec sa add 10 spi 1 esp crypto-alg aes-cbc-128 crypto-key 22222222222222222222222222222222 integ-alg sha1-96 integ-key 1111111111111111111111111111111111111111 tunnel-src 172.22.15.88 tunnel-dst 172.22.15.77
vppctl ipsec sa add 20 spi 2 esp crypto-alg aes-cbc-128 crypto-key 22222222222222222222222222222222 integ-alg sha1-96 integ-key 1111111111111111111111111111111111111111 tunnel-src 172.22.15.77 tunnel-dst 172.22.15.88
vppctl ipsec spd add 1
vppctl set interface ipsec spd GigabitEthernet0/8/0 1
vppctl ipsec policy add spd 1 priority 10 inbound action protect sa 10 local-ip-range 192.168.10.10 - 192.168.10.10 remote-ip-range 192.168.11.11 - 192.168.11.11
vppctl ipsec policy add spd 1 priority 20 outbound action protect sa 20 local-ip-range 192.168.10.10 - 192.168.10.10 remote-ip-range 192.168.11.11 - 192.168.11.11
vppctl ip route add 192.168.11.0/24 via GigabitEthernet0/8/0
_______________________________________________
vpp-dev mailing list
vpp-dev@lists.fd.io
https://lists.fd.io/mailman/listinfo/vpp-dev