Hi All, I'm trying to use IPsec and NAT on the same interface. (not static NAT)
The NAT and IPsec are using different internal subnets with the same external IP. When I enable the "nat44 output feature" on the interface, all ESP packets are getting dropped due to "nat44-out2in: unsupported protocol" (as expected).

I've tried to add a new next node in "nat44-out2in" and succeeded in sending it to "ipsec4-input-feature", but it seems that some other parameters in the buffer need to be changed as well (I saw that b0->current_config_index is different whether I'm getting to "ipsec4-input-feature" directly or due to my changes from the NAT; this difference causes a wrong SPD ID).

Is there any other way to forward it from "nat44-out2in" to "ipsec4-input-feature"? What am I doing wrong?

My current code changes, in out2in.c, function snat_out2in_node_fn:

    /* Create new next to nat44-out2in - done only once */
    Ipsec_node = vlib_get_node_by_name (vm, (u8 *) "ipsec4-input-feature");
    if (Ipsec_node)
      ipsecNextNodeNumber = vlib_node_add_next (vm, snat_out2in_node.index, Ipsec_node->index);

    /* Forward packet to ipsec */
    if (ip0->protocol == IP_PROTOCOL_IPSEC_ESP) /* After checking nat_out2in_sm_unknown_proto */
      {
        next0 = ipsecNextNodeNumber;
        goto trace00;
      }

Thanks in advance,
Amir.
View/Reply Online (#13356): https://lists.fd.io/g/vpp-dev/message/13356