Re: [vpp-dev] Query for IPSec support on VPP

[Mukesh Yadav (mukyadav)]

HI Sergio,

As I mentioned that transport mode is working now.
Next I tried tunnel mode.
Here I can see successfully packet decryption. But later inner packet gets 
dropped.


Outer IPSec packet is like 172.28.128.4 -> 172.28.128.5
Inner packet is 1.1.1.1 -> 2.2.2.2
I have added 2.2.2.2 on same interface as is Outer IPSec end-point


vpp# show int address

GigabitEthernet0/8/0 (up):

  172.28.128.5/24

  2.2.2.2/24

local0 (dn):

vpp# q

Above I have configured as below:

set int ip address GigabitEthernet0/8/0 172.28.128.5/24

set int ip address GigabitEthernet0/8/0 2.2.2.2/24

set interface state GigabitEthernet0/8/0 up



Trace looks like:

00:39:17:383051: dpdk-input

  GigabitEthernet0/8/0 rx queue 0

  buffer 0x4a5b: current data 14, length 152, free-list 0, clone-count 0, 
totlen-nifb 0, trace 0x0

  PKT MBUF: port 0, nb_segs 1, pkt_len 166

    buf_len 2176, data_len 166, ol_flags 0x0, data_off 128, phys_addr 0x9cf29700

    packet_type 0x0

  IP4: 08:00:27:f5:2b:b9 -> 08:00:27:a9:8e:d4

  IPSEC_ESP: 172.28.128.4 -> 172.28.128.5

    tos 0x00, ttl 64, length 152, checksum 0xf9d5

    fragment id 0xe81b, flags DONT_FRAGMENT

00:39:17:383093: ip4-input

  IPSEC_ESP: 172.28.128.4 -> 172.28.128.5

    tos 0x00, ttl 64, length 152, checksum 0xf9d5

    fragment id 0xe81b, flags DONT_FRAGMENT

00:39:17:383099: ipsec-input-ip4

  esp: sa_id 20 spi 1000 seq 7

00:39:17:383101: dpdk-esp-decrypt

  esp: crypto aes-cbc-128 integrity sha1-96

00:39:17:383105: dpdk-crypto-input

  dpdk_crypto: cryptodev-id 1 queue-pair 0 next-index 2 status 1 sa-idx 1



00:39:17:383115: dpdk-esp-decrypt-post



00:39:17:383116: ip4-input

  ICMP: 1.1.1.1 -> 2.2.2.2

    tos 0x00, ttl 64, length 84, checksum 0x17a6

    fragment id 0x1cfe, flags DONT_FRAGMENT

  ICMP echo_request checksum 0x80dc

00:39:17:383117: ipsec-input-ip4

  esp: no esp packet

00:39:17:383117: ip4-lookup

  fib 0 dpo-idx 7 flow hash: 0x00000000

  ICMP: 1.1.1.1 -> 2.2.2.2

    tos 0x00, ttl 64, length 84, checksum 0x17a6

    fragment id 0x1cfe, flags DONT_FRAGMENT

  ICMP echo_request checksum 0x80dc

00:39:17:383122: ip4-local

    ICMP: 1.1.1.1 -> 2.2.2.2

      tos 0x00, ttl 64, length 84, checksum 0x17a6

      fragment id 0x1cfe, flags DONT_FRAGMENT

    ICMP echo_request checksum 0x80dc

00:39:17:383123: error-drop

  ip4-input: ip4 source lookup miss



Do I have to configure Inner IP in some other way to avoid “ip4 source lookup 
miss”.

Thanks
Mukesh

_______________________________________________
vpp-dev mailing list
vpp-dev@lists.fd.io
https://lists.fd.io/mailman/listinfo/vpp-dev