Neale et al.,

As part of our due diligence I am running a simple soak setup of two boxes with a fairly simple IKEv2 initiator/responder setup (no NAT in this setup), which is based on the online examples. This setup has been soaking for six hours. The original ipsec0 path is still up and running just fine, where I can ping from host space across the ipsec tunnel between the two boxes. However, I seem to be acquiring a new ipsecX interface once an hour give or take on both systems. Is this a known feature/issue? See ipsec1-6 below in the "show interface" output.
DBGvpp# show interface
Name                     Idx  State  MTU (L3/IP4/IP6/MPLS)  Counter      Count
GigabitEthernet5/0/0     3    down   9000/0/0/0
GigabitEthernet5/0/1     4    down   9000/0/0/0
TenGigabitEthernet3/0/0  1    down   9000/0/0/0
TenGigabitEthernet3/0/1  2    up     9000/0/0/0             rx packets      23
                                                            rx bytes      4252
                                                            tx packets      24
                                                            tx bytes      4664
                                                            drops           14
                                                            ip4             22
ipsec0                   6    up     9000/0/0/0             rx packets       8
                                                            rx bytes      1056
                                                            tx packets       9
                                                            tx bytes      1368
                                                            ip4              8
ipsec1                   7    down   9000/0/0/0
ipsec2                   8    down   9000/0/0/0
ipsec3                   9    down   9000/0/0/0
ipsec4                   10   down   9000/0/0/0
ipsec5                   11   down   9000/0/0/0
ipsec6                   12   down   9000/0/0/0
local0                   0    down   0/0/0/0                drops            2
tap0                     5    up     9000/0/0/0             rx packets      22
                                                            rx bytes      2124
                                                            tx packets      11
                                                            tx bytes      1294
                                                            drops           10
                                                            ip4              9
                                                            ip6             10

DBGvpp# show version
vpp v19.04.1-release built by root on X10SDV-4C-TLN4F at Mon Jun 10 16:38:34 UTC 2019

Here is the configuration:

######################
# Test config for Initiator
######################

# host route path to get to initiator
ip route add 192.168.27.0/24 via 192.168.33.1

# vpp configuration
telnet 0 5002
set int state TenGigabitEthernet3/0/1 up
set int ip address TenGigabitEthernet3/0/1 10.0.0.1/24
create tap host-if-name tap0 host-bridge br0
set interface ip address tap0 192.168.27.1/24
set int state tap0 up
ikev2 profile add pr1
ikev2 profile set pr1 auth shared-key-mic string Vpp123
ikev2 profile set pr1 id remote fqdn vpp.home
ikev2 profile set pr1 id local fqdn roadwarrior.vpn.example.com
ikev2 profile set pr1 traffic-selector local ip-range 192.168.27.0 - 192.168.27.255 port-range 0 - 65535 protocol 0
ikev2 profile set pr1 traffic-selector remote ip-range 192.168.33.0 - 192.168.33.255 port-range 0 - 65535 protocol 0
ikev2 profile set pr1 ike-crypto-alg aes-cbc 256 ike-integ-alg sha1-96 ike-dh modp-2048
ikev2 profile set pr1 esp-crypto-alg aes-cbc 256 esp-integ-alg sha1-96 esp-dh ecp-256
ikev2 profile set pr1 sa-lifetime 3600 10 5 0
ikev2 profile set pr1 responder TenGigabitEthernet3/0/1 10.0.0.2

######################
# To initiate
######################
ikev2 initiate sa-init pr1
show interface  # may need to run initiate a couple times... looking for ipsec0 to show up on both systems

######################
# once sa is established configure route
######################
ip route add 192.168.33.0/24 via ipsec0
set interface state ipsec0 up
set interface unnumbered ipsec0 use TenGigabitEthernet3/0/1

######################
# Test config for Responder
######################

# host route path to get to responder
ip route add 192.168.33.0/24 via 192.168.27.1

# vpp configuration
telnet 0 5002
set int state TenGigabitEthernet3/0/1 up
set int ip address TenGigabitEthernet3/0/1 10.0.0.2/24
create tap host-if-name tap0 host-bridge br0
set interface ip address tap0 192.168.33.1/24
set int state tap0 up
ikev2 profile add pr1
ikev2 profile set pr1 auth shared-key-mic string Vpp123
ikev2 profile set pr1 id local fqdn vpp.home
ikev2 profile set pr1 id remote fqdn roadwarrior.vpn.example.com
ikev2 profile set pr1 traffic-selector local ip-range 192.168.33.0 - 192.168.33.255 port-range 0 - 65535 protocol 0
ikev2 profile set pr1 traffic-selector remote ip-range 192.168.27.0 - 192.168.27.255 port-range 0 - 65535 protocol 0

######################
# once sa is established configure route
######################
ip route add 192.168.27.0/24 via ipsec0
set interface state ipsec0 up
set interface unnumbered ipsec0 use TenGigabitEthernet3/0/1

-Mike

From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> On Behalf Of Bly, Mike
Sent: Friday, June 07, 2019 12:42 PM
To: vpp-dev@lists.fd.io
Subject: [**EXTERNAL**] Re: [vpp-dev] ikev2-ipsec-tunnel && NAT-T ?

Are there any updates on this topic? We are playing around with IPsec/IKEv2 sitting behind NAT and up through v19.04.1 we are not seeing an option to configure IKEv2 over UDP. I do see CLI support was added for configuring/enabling the IPsec tunnel to use UDP via "ipsec sa add", but "show trace" shows IKEv2 is still native IPSEC_ESP instead of IPSEC_ESP over UDP. Is IKEv2 support still considered PoC?
I have a couple more questions, but I figured it would be best to start with this one. -Mike
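An added example, not code from this thread or from VPP itself: a small Python parser for the "show interface" layout above that flags ipsecN interfaces which are down with no counters, and diffs two snapshots, so a soak run can alert as soon as an extra tunnel interface appears. The sample text is constructed from the output in the message, and the parser assumes VPP keeps one interface per row with any further counter rows indented beneath it.

```python
import re

# Constructed sample text, modelled on the "show interface" output quoted in
# the message above (assumption: VPP prints one interface per row and the
# remaining counter rows for that interface indented underneath it).
SAMPLE = """\
Name                     Idx  State  MTU (L3/IP4/IP6/MPLS)  Counter     Count
TenGigabitEthernet3/0/1  2    up     9000/0/0/0             rx packets  23
                                                            tx packets  24
                                                            drops       14
ipsec0                   6    up     9000/0/0/0             rx packets  8
                                                            tx packets  9
ipsec1                   7    down   9000/0/0/0
ipsec2                   8    down   9000/0/0/0
local0                   0    down   0/0/0/0                drops       2
"""

IPSEC_IF = re.compile(r"ipsec\d+")


def parse_show_interface(text):
    """Return {name: {"idx": int, "state": str, "counters": {counter: int}}}."""
    ifaces, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("Name") or "#" in line:
            continue                          # blank line, header row or CLI prompt
        tokens = line.split()
        if not line[0].isspace():             # a new interface row
            name, idx, state, _mtu, *tokens = tokens
            current = ifaces[name] = {"idx": int(idx), "state": state, "counters": {}}
        if tokens and current is not None:    # a "<counter name> <count>" pair
            current["counters"][" ".join(tokens[:-1])] = int(tokens[-1])
    return ifaces


def stale_ipsec_tunnels(ifaces):
    """ipsecN interfaces that are down and have no counters at all."""
    return sorted(n for n, i in ifaces.items()
                  if IPSEC_IF.fullmatch(n) and i["state"] == "down" and not i["counters"])


def new_ipsec_tunnels(before, after):
    """ipsecN names present in the later snapshot but absent from the earlier one."""
    return sorted(n for n in after if IPSEC_IF.fullmatch(n) and n not in before)


if __name__ == "__main__":
    snapshot = parse_show_interface(SAMPLE)
    print("stale ipsec tunnels:", stale_ipsec_tunnels(snapshot))
    print("new since baseline:", new_ipsec_tunnels({"ipsec0"}, snapshot))
```

Feed it the text of "show interface" captured from vppctl at each poll and compare against the previous poll; a non-empty result from new_ipsec_tunnels is the hourly interface growth described in the message.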