Hi,

Protected is only traffic which matches an SPD entry with action protect; action bypass skips IPsec encapsulation:
https://wiki.fd.io/view/VPP/IPSec_and_IKEv2#SPD_entry_creation

You can specify traffic selector parameters and the priority of an entry.

Matus

From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> On Behalf Of xulang
Sent: Sunday, April 8, 2018 12:32 PM
To: vpp-dev@lists.fd.io
Subject: [vpp-dev] IPSEC VPN

Hi all,

Here is the IPsec VPN configuration example.
Does this command "set interface ipsec spd GigabitEthernet0/8/0 1" mean that all traffic that comes through this int will be processed by ipsec?
How could I only protect some specific traffic and leave the other traffic to the normal forwarding procedure?

set int ip address GigabitEthernet0/8/0 192.168.100.3/24
set int state GigabitEthernet0/8/0 up
set ip arp GigabitEthernet0/8/0 192.168.100.2 08:00:27:12:3c:cc
ipsec sa add 10 spi 1001 esp crypto-alg aes-cbc-128 crypto-key 4a506a794f574265564551694d653768 integ-alg sha1-96 integ-key 4339314b55523947594d6d3547666b45764e6a58
ipsec sa add 20 spi 1000 esp crypto-alg aes-cbc-128 crypto-key 4a506a794f574265564551694d653768 integ-alg sha1-96 integ-key 4339314b55523947594d6d3547666b45764e6a58
ipsec spd add 1
set interface ipsec spd GigabitEthernet0/8/0 1
ipsec policy add spd 1 priority 100 inbound action bypass protocol 50
ipsec policy add spd 1 priority 100 outbound action bypass protocol 50
ipsec policy add spd 1 priority 10 inbound action protect sa 20 local-ip-range 192.168.100.3 - 192.168.100.3 remote-ip-range 192.168.100.2 - 192.168.100.2
ipsec policy add spd 1 priority 10 outbound action protect sa 10 local-ip-range 192.168.100.3 - 192.168.100.3 remote-ip-range 192.168.100.2 - 192.168.100.2
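
The SPD matching described in the reply, sketched as an added Python example (not code from VPP or from either poster). It models SPD 1 from the message above and assumes that entries with a higher priority value are checked first; a packet that matches no entry returns None, and what the dataplane does with such traffic is not modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

def rng(lo, hi):
    """Inclusive address range, as in 'local-ip-range A - B'."""
    return (ipaddress.ip_address(lo), ipaddress.ip_address(hi))

ANY = rng("0.0.0.0", "255.255.255.255")  # selector left unspecified

@dataclass(frozen=True)
class Policy:
    priority: int
    direction: str                  # "inbound" or "outbound"
    action: str                     # "protect" or "bypass"
    sa: Optional[int] = None        # SA id, only set for protect
    protocol: Optional[int] = None  # None = any IP protocol
    local: tuple = ANY
    remote: tuple = ANY

    def matches(self, direction, proto, local_ip, remote_ip):
        l = ipaddress.ip_address(local_ip)
        r = ipaddress.ip_address(remote_ip)
        return (self.direction == direction
                and self.protocol in (None, proto)
                and self.local[0] <= l <= self.local[1]
                and self.remote[0] <= r <= self.remote[1])

HOST = rng("192.168.100.3", "192.168.100.3")
PEER = rng("192.168.100.2", "192.168.100.2")

# SPD 1 as configured in the message above.
SPD1 = [
    Policy(100, "inbound", "bypass", protocol=50),
    Policy(100, "outbound", "bypass", protocol=50),
    Policy(10, "inbound", "protect", sa=20, local=HOST, remote=PEER),
    Policy(10, "outbound", "protect", sa=10, local=HOST, remote=PEER),
]

def lookup(spd, direction, proto, local_ip, remote_ip):
    """Return (action, sa) of the first matching entry, or None.
    Assumption: a higher priority value is evaluated first."""
    for p in sorted(spd, key=lambda p: p.priority, reverse=True):
        if p.matches(direction, proto, local_ip, remote_ip):
            return (p.action, p.sa)
    return None

if __name__ == "__main__":
    print(lookup(SPD1, "outbound", 6, "192.168.100.3", "192.168.100.2"))
    print(lookup(SPD1, "outbound", 50, "192.168.100.3", "192.168.100.2"))
    print(lookup(SPD1, "outbound", 6, "192.168.100.3", "192.168.100.7"))
```

With this SPD, TCP between 192.168.100.3 and 192.168.100.2 hits the protect entries, ESP (protocol 50) hits the bypass entries first, and traffic to any other address matches no entry at all.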