Dear VPP Team,

This is my first post in the FD.io community, so please excuse me if I have addressed my query to an inappropriate group.
Well, recently I have been trying to set up a site-to-site IPsec in tunnel mode with manually configured SAs. Unfortunately, I cannot get the traffic encrypted. Below I am attaching the topology diagram. I have used the following commands on the NFVBench <https://wiki.opnfv.org/display/nfvbench/NFVbench> virtual machine:

Site A:

    vppctl ip route add 30.0.0.0/24 via 192.168.99.2 GigabitEthernet0/4/0
    vppctl ipsec sa add 10 spi 1010 esp crypto-alg aes-cbc-128 crypto-key 4a506a794f574265564551694d653768 integ-alg sha1-96 integ-key 4339314b55523947594d6d3547666b45764e6a58 tunnel-src 192.168.99.1 tunnel-dst 192.168.99.2
    vppctl ipsec sa add 20 spi 1020 esp crypto-alg aes-cbc-128 crypto-key 4a506a794f574265564551694d653768 integ-alg sha1-96 integ-key 4339314b55523947594d6d3547666b45764e6a58 tunnel-src 192.168.99.1 tunnel-dst 192.168.99.2
    vppctl ipsec sa add 30 spi 1030 esp crypto-alg aes-cbc-128 crypto-key 4a506a794f574265564551694d653768 integ-alg sha1-96 integ-key 4339314b55523947594d6d3547666b45764e6a58 tunnel-src 192.168.99.1 tunnel-dst 192.168.99.2
    vppctl ipsec sa add 40 spi 1040 esp crypto-alg aes-cbc-128 crypto-key 4a506a794f574265564551694d653768 integ-alg sha1-96 integ-key 4339314b55523947594d6d3547666b45764e6a58 tunnel-src 192.168.99.1 tunnel-dst 192.168.99.2
    vppctl ipsec spd add 1
    vppctl set interface ipsec spd GigabitEthernet0/4/0 1
    vppctl ipsec policy add spd 1 priority 100 outbound action protect sa 30 local-ip-range 20.0.0.1 - 20.0.0.254 remote-ip-range 30.0.0.1 - 30.0.0.254
    vppctl ipsec policy add spd 1 priority 100 inbound action protect sa 40 local-ip-range 20.0.0.1 - 20.0.0.254 remote-ip-range 30.0.0.1 - 30.0.0.254

Site B:

    vppctl ip route add 20.0.0.0/24 via 192.168.99.1 GigabitEthernet0/4/0
    vppctl ipsec sa add 10 spi 1010 esp crypto-alg aes-cbc-128 crypto-key 4a506a794f574265564551694d653768 integ-alg sha1-96 integ-key 4339314b55523947594d6d3547666b45764e6a58 tunnel-src 192.168.99.2 tunnel-dst 192.168.99.1
    vppctl ipsec sa add 20 spi 1020 esp crypto-alg aes-cbc-128 crypto-key 4a506a794f574265564551694d653768 integ-alg sha1-96 integ-key 4339314b55523947594d6d3547666b45764e6a58 tunnel-src 192.168.99.2 tunnel-dst 192.168.99.1
    vppctl ipsec sa add 30 spi 1030 esp crypto-alg aes-cbc-128 crypto-key 4a506a794f574265564551694d653768 integ-alg sha1-96 integ-key 4339314b55523947594d6d3547666b45764e6a58 tunnel-src 192.168.99.2 tunnel-dst 192.168.99.1
    vppctl ipsec sa add 40 spi 1040 esp crypto-alg aes-cbc-128 crypto-key 4a506a794f574265564551694d653768 integ-alg sha1-96 integ-key 4339314b55523947594d6d3547666b45764e6a58 tunnel-src 192.168.99.2 tunnel-dst 192.168.99.1
    vppctl ipsec spd add 1
    vppctl set interface ipsec spd GigabitEthernet0/4/0 1
    vppctl ipsec policy add spd 1 priority 100 inbound action protect sa 30 local-ip-range 30.0.0.1 - 30.0.0.254 remote-ip-range 20.0.0.1 - 20.0.0.254
    vppctl ipsec policy add spd 1 priority 100 outbound action protect sa 40 local-ip-range 30.0.0.1 - 30.0.0.254 remote-ip-range 20.0.0.1 - 20.0.0.254

Apart from the pasted lines, I have tried a lot of different combinations for the SA formation. However, the only positive result I managed to get was incremented counters on the outbound. Could you please help me with this?

Kind Regards,
Varban
View/Reply Online (#13446): https://lists.fd.io/g/vpp-dev/message/13446
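An added example, not part of Varban's post and not the VPP project's own code: a POSIX shell script that emits the vppctl commands for one side of a manually keyed, tunnel-mode ESP link like the one above, with two checks worth doing before pasting anything into vppctl. It verifies that the hex key lengths match the algorithms named (16 bytes for aes-cbc-128, 20 bytes for sha1-96), and it writes the inbound SA with its tunnel endpoints reversed, on the assumption that the inbound SA's tunnel-src is the peer (the outer source address of the packets it will decrypt). The bypass policies for protocol 50 follow VPP's manual-keying examples and are included as an assumption; the keys are the ones posted above and are for a lab only. The function and variable names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the original post or from the VPP project.
# Emits the vppctl commands for one side of a manually keyed, tunnel-mode ESP
# link, after checking that the key material matches the algorithms.

# Lab-only keys copied from the post above. Assumption: aes-cbc-128 takes a
# 16-byte key and sha1-96 a 20-byte key, both given to vppctl as hex.
CKEY=4a506a794f574265564551694d653768
IKEY=4339314b55523947594d6d3547666b45764e6a58

# key_bytes HEX: print the byte length of a hex string; fail on non-hex input
# or an odd number of digits.
key_bytes() {
    k=$1
    case "$k" in
        ""|*[!0-9a-fA-F]*) return 1 ;;
    esac
    [ $(( ${#k} % 2 )) -eq 0 ] || return 1
    echo $(( ${#k} / 2 ))
}

# check_keys CHEX IHEX: succeed only when the lengths fit aes-cbc-128 (16) and
# sha1-96 (20).
check_keys() {
    c=$(key_bytes "$1") || return 1
    i=$(key_bytes "$2") || return 1
    [ "$c" -eq 16 ] && [ "$i" -eq 20 ]
}

# sa_cmd ID SPI OUTER_SRC OUTER_DST: one 'ipsec sa add' line.
sa_cmd() {
    printf 'vppctl ipsec sa add %s spi %s esp crypto-alg aes-cbc-128 crypto-key %s integ-alg sha1-96 integ-key %s tunnel-src %s tunnel-dst %s\n' \
        "$1" "$2" "$CKEY" "$IKEY" "$3" "$4"
}

# site_config IFACE LOCAL_TUN REMOTE_TUN REMOTE_NET LOCAL_RANGE REMOTE_RANGE OUT_SA OUT_SPI IN_SA IN_SPI
site_config() {
    iface=$1 ltun=$2 rtun=$3 rnet=$4 lrange=$5 rrange=$6
    osa=$7 ospi=$8 isa=$9 ispi=${10}
    check_keys "$CKEY" "$IKEY" || { echo "key length does not match algorithm" >&2; return 1; }
    printf 'vppctl ip route add %s via %s %s\n' "$rnet" "$rtun" "$iface"
    # Outbound SA: outer header is local -> peer.
    sa_cmd "$osa" "$ospi" "$ltun" "$rtun"
    # Inbound SA: the packets it decrypts have outer header peer -> local, so
    # the endpoints are reversed relative to the outbound SA (assumption).
    sa_cmd "$isa" "$ispi" "$rtun" "$ltun"
    printf 'vppctl ipsec spd add 1\n'
    printf 'vppctl set interface ipsec spd %s 1\n' "$iface"
    # Bypass policies so the ESP packets (protocol 50) between the tunnel
    # endpoints pass the SPD; taken from VPP's manual-keying examples (assumption).
    printf 'vppctl ipsec policy add spd 1 priority 100 inbound action bypass protocol 50\n'
    printf 'vppctl ipsec policy add spd 1 priority 100 outbound action bypass protocol 50\n'
    printf 'vppctl ipsec policy add spd 1 priority 100 outbound action protect sa %s local-ip-range %s remote-ip-range %s\n' "$osa" "$lrange" "$rrange"
    printf 'vppctl ipsec policy add spd 1 priority 100 inbound action protect sa %s local-ip-range %s remote-ip-range %s\n' "$isa" "$lrange" "$rrange"
}

# The two sites from the topology above: SA 30 carries A->B, SA 40 carries B->A,
# so each side's outbound SA is the other side's inbound SA.
site_a() {
    site_config GigabitEthernet0/4/0 192.168.99.1 192.168.99.2 30.0.0.0/24 \
        "20.0.0.1 - 20.0.0.254" "30.0.0.1 - 30.0.0.254" 30 1030 40 1040
}
site_b() {
    site_config GigabitEthernet0/4/0 192.168.99.2 192.168.99.1 20.0.0.0/24 \
        "30.0.0.1 - 30.0.0.254" "20.0.0.1 - 20.0.0.254" 40 1040 30 1030
}
```

Run `site_a` on one box and `site_b` on the other and diff the two outputs: the only lines that should differ are the route, the local/remote ranges, and which SA id is outbound; the SA with a given SPI must carry the same tunnel-src/tunnel-dst pair on both sides, since it describes the same packets on the wire.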