Hello again,

My apologies if this is not the correct place for these kinds of questions; I'm 
relatively new to VPP. I would really appreciate any suggestions as to why the 
response to a PING that was received over an IPSec tunnel is not going through 
the tunnel as well. The configuration and trace are below.

According to the trace: dpdk-input -> ethernet-input -> ip4-input-no-checksum 
-> ip4-lookup -> ip4-local -> esp4-decrypt -> ip4-input-no-checksum -> 
ip4-lookup ->  ip4-local -> ip4-icmp-input -> ip4-icmp-echo-request -> 
*ip4-load-balance -> ip4-rewrite -> TenGigabitEthernet5/0/0-output -> 
TenGigabitEthernet5/0/0-tx*

In the ip4-load-balance the ICMP response is from 10.0.0.44 to 10.0.0.80, and 
the traffic selectors are in the configuration:
*ikev2 profile set pr1 traffic-selector local ip-range 10.0.0.44 - 10.0.0.44 
port-range 0 - 65535 protocol 0*
*ikev2 profile set pr1 traffic-selector remote ip-range 10.0.0.80 - 10.0.0.80 
port-range 0 - 65535 protocol 0*

Thanks!

------------------------------------------------
Hello devs,

I've been trying to establish an IPSec tunnel between libreswan and VPP using 
IKEv2. I'm able to get the tunnel established and packets coming into VPP 
decrypted, but it looks like outbound packets from VPP are not going through 
IPSec. The VPP trace is shown below, where I can see an ICMP packet coming into 
dpdk-input and through ipsec4-if-input, but the response does not seem to go 
through IPSec. I've run out of things to try and could really use some help; 
any suggestions would be hugely appreciated, and I would be happy to contribute 
the solution and lessons learned to the wiki / documentation.

The setup is fairly simple:

[ VPP --- TenGigabitEthernet5/0/0 IP: 10.0.0.44 ] ======== [ Libreswan 10.0.0.80 ]

*VPP configuration commands:*
set interface ip address TenGigabitEthernet5/0/0 10.0.0.44/24
set interface state TenGigabitEthernet5/0/0 up
ikev2 profile add pr1
ikev2 profile set pr1 auth shared-key-mic string thisisavppconnection
ikev2 profile set pr1 id local ip4-addr 10.0.0.44
ikev2 profile set pr1 id remote ip4-addr 10.0.0.80
ikev2 profile set pr1 traffic-selector local ip-range 10.0.0.44 - 10.0.0.44 
port-range 0 - 65535 protocol 0
ikev2 profile set pr1 traffic-selector remote ip-range 10.0.0.80 - 10.0.0.80 
port-range 0 - 65535 protocol 0

# The following commands are executed after the IKE negotiation succeeds and 
ipsec0 is available on the VPP CLI:
set interface state ipsec0 up
set interface unnumbered ipsec0 use TenGigabitEthernet5/0/0

*On the libreswan side:*
conn conn1
left=10.0.0.80
right=10.0.0.44
authby=secret
auto=start
phase2=esp
phase2alg=aes192-sha1
ike=aes256-sha1
ikev2=yes
pfs=yes
type=tunnel

*From the log file we can see the tunnel is established:*
Aug 12 16:41:18 LCI-ALIS-MF pluto[297281]: "conn1" #1: initiating v2 parent SA
Aug 12 16:41:18 LCI-ALIS-MF pluto[297281]: "conn1" #1: local IKE proposals for 
conn1 (IKE SA initiator selecting KE): 
1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP2048 
2:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1536
Aug 12 16:41:18 LCI-ALIS-MF pluto[297281]: "conn1" #1: STATE_PARENT_I1: sent 
v2I1, expected v2R1
Aug 12 16:41:19 LCI-ALIS-MF pluto[297281]: "conn1" #1: STATE_PARENT_I1: 
retransmission; will wait 0.5 seconds for response
Aug 12 16:41:19 LCI-ALIS-MF pluto[297281]: "conn1" #1: local ESP/AH proposals 
for conn1 (IKE SA initiator emitting ESP/AH proposals): 
1:ESP:ENCR=AES_CBC_192;INTEG=HMAC_SHA1_96;DH=NONE;ESN=DISABLED
Aug 12 16:41:19 LCI-ALIS-MF pluto[297281]: "conn1" #2: STATE_PARENT_I2: sent 
v2I2, expected v2R2 {auth=IKEv2 cipher=aes_256 integ=sha1_96 prf=sha 
group=MODP2048}
Aug 12 16:41:19 LCI-ALIS-MF pluto[297281]: "conn1" #2: IKEv2 mode peer ID is 
ID_IPV4_ADDR: '10.0.0.44'
Aug 12 16:41:19 LCI-ALIS-MF pluto[297281]: "conn1" #2: Authenticated using 
authby=secret
Aug 12 16:41:19 LCI-ALIS-MF pluto[297281]: "conn1" #2: negotiated connection 
[10.0.0.80-10.0.0.80:0-65535 0] -> [10.0.0.44-10.0.0.44:0-65535 0]
Aug 12 16:41:19 LCI-ALIS-MF pluto[297281]: "conn1" #2: STATE_V2_IPSEC_I: IPsec 
SA established tunnel mode {ESP=>0x8ea10d62 <0xa8304143 
xfrm=AES_CBC_192-HMAC_SHA1_96 NATOA=none NATD=none DPD=passive}

*VPP trace:*

Packet 1

00:03:20:698597: dpdk-input
TenGigabitEthernet5/0/0 rx queue 0
buffer 0x9c15e: current data 0, length 166, buffer-pool 0, ref-count 1, 
totlen-nifb 0, trace 0x0
ext-hdr-valid
l4-cksum-computed l4-cksum-correct
PKT MBUF: port 0, nb_segs 1, pkt_len 166
buf_len 2176, data_len 166, ol_flags 0x182, data_off 128, phys_addr 0xb0f05800
packet_type 0x11 l2_len 0 l3_len 0 outer_l2_len 0 outer_l3_len 0
rss 0x801ce394 fdir.hi 0x0 fdir.lo 0x801ce394
Packet Offload Flags
PKT_RX_RSS_HASH (0x0002) RX packet with RSS hash result
PKT_RX_IP_CKSUM_GOOD (0x0080) IP cksum of RX pkt. is valid
PKT_RX_L4_CKSUM_GOOD (0x0100) L4 cksum of RX pkt. is valid
Packet Types
RTE_PTYPE_L2_ETHER (0x0001) Ethernet packet
RTE_PTYPE_L3_IPV4 (0x0010) IPv4 packet without extension headers
IP4: f8:f2:1e:62:9a:10 -> a0:36:9f:be:0c:b4
IPSEC_ESP: 10.0.0.80 -> 10.0.0.44
tos 0x00, ttl 64, length 152, checksum 0x9c13
fragment id 0x89a5, flags DONT_FRAGMENT
00:03:20:698599: ethernet-input
frame: flags 0x3, hw-if-index 1, sw-if-index 1
IP4: f8:f2:1e:62:9a:10 -> a0:36:9f:be:0c:b4
00:03:20:698600: ip4-input-no-checksum
IPSEC_ESP: 10.0.0.80 -> 10.0.0.44
tos 0x00, ttl 64, length 152, checksum 0x9c13
fragment id 0x89a5, flags DONT_FRAGMENT
00:03:20:698601: ip4-lookup
fib 0 dpo-idx 5 flow hash: 0x00000000
IPSEC_ESP: 10.0.0.80 -> 10.0.0.44
tos 0x00, ttl 64, length 152, checksum 0x9c13
fragment id 0x89a5, flags DONT_FRAGMENT
00:03:20:698601: ip4-local
IPSEC_ESP: 10.0.0.80 -> 10.0.0.44
tos 0x00, ttl 64, length 152, checksum 0x9c13
fragment id 0x89a5, flags DONT_FRAGMENT
00:03:20:698602: ipsec4-if-input
IPSec: spi 2392919394 seq 39
00:03:20:698602: esp4-decrypt
esp: crypto aes-cbc-192 integrity sha1-96 seq 39
00:03:20:698606: ip4-input-no-checksum
ICMP: 10.0.0.80 -> 10.0.0.44
tos 0x00, ttl 64, length 84, checksum 0x5cb1
fragment id 0xc97c, flags DONT_FRAGMENT
ICMP echo_request checksum 0xca63
00:03:20:698606: ip4-lookup
fib 0 dpo-idx 5 flow hash: 0x00000000
ICMP: 10.0.0.80 -> 10.0.0.44
tos 0x00, ttl 64, length 84, checksum 0x5cb1
fragment id 0xc97c, flags DONT_FRAGMENT
ICMP echo_request checksum 0xca63
00:03:20:698607: ip4-local
ICMP: 10.0.0.80 -> 10.0.0.44
tos 0x00, ttl 64, length 84, checksum 0x5cb1
fragment id 0xc97c, flags DONT_FRAGMENT
ICMP echo_request checksum 0xca63
00:03:20:698607: ip4-icmp-input
ICMP: 10.0.0.80 -> 10.0.0.44
tos 0x00, ttl 64, length 84, checksum 0x5cb1
fragment id 0xc97c, flags DONT_FRAGMENT
ICMP echo_request checksum 0xca63
00:03:20:698607: ip4-icmp-echo-request
ICMP: 10.0.0.80 -> 10.0.0.44
tos 0x00, ttl 64, length 84, checksum 0x5cb1
fragment id 0xc97c, flags DONT_FRAGMENT
ICMP echo_request checksum 0xca63
00:03:20:698607: ip4-load-balance
fib 0 dpo-idx 1 flow hash: 0x00000000
ICMP: 10.0.0.44 -> 10.0.0.80
tos 0x00, ttl 64, length 84, checksum 0x3283
fragment id 0xf3aa, flags DONT_FRAGMENT
ICMP echo_reply checksum 0xd263
00:03:20:698607: ip4-rewrite
tx_sw_if_index 1 dpo-idx 1 : ipv4 via 10.0.0.80 TenGigabitEthernet5/0/0: 
mtu:9000 f8f21e629a10a0369fbe0cb40800 flow hash: 0x00000000
00000000: f8f21e629a10a0369fbe0cb4080045000054f3aa4000400132830a00002c0a00
00000020: 00500000d2638aa100277fdd515d000000000ec60400000000001011
00:03:20:698608: TenGigabitEthernet5/0/0-output
TenGigabitEthernet5/0/0 l4-cksum-computed l4-cksum-correct l2_hdr_offset_valid 
l3_hdr_offset_valid
IP4: a0:36:9f:be:0c:b4 -> f8:f2:1e:62:9a:10
ICMP: 10.0.0.44 -> 10.0.0.80
tos 0x00, ttl 64, length 84, checksum 0x3283
fragment id 0xf3aa, flags DONT_FRAGMENT
ICMP echo_reply checksum 0xd263
00:03:20:698611: TenGigabitEthernet5/0/0-tx
TenGigabitEthernet5/0/0 tx queue 0
buffer 0x9c15e: current data 44, length 146, buffer-pool 0, ref-count 1, 
totlen-nifb 0, trace 0x0
ext-hdr-valid
l4-cksum-computed l4-cksum-correct l2-hdr-offset 0 l3-hdr-offset 58
PKT MBUF: port 0, nb_segs 1, pkt_len 146
buf_len 2176, data_len 146, ol_flags 0x182, data_off 172, phys_addr 0xb0f05800
packet_type 0x11 l2_len 0 l3_len 0 outer_l2_len 0 outer_l3_len 0
rss 0x801ce394 fdir.hi 0x0 fdir.lo 0x801ce394
Packet Offload Flags
PKT_RX_RSS_HASH (0x0002) RX packet with RSS hash result
PKT_RX_IP_CKSUM_GOOD (0x0080) IP cksum of RX pkt. is valid
PKT_RX_L4_CKSUM_GOOD (0x0100) L4 cksum of RX pkt. is valid
Packet Types
RTE_PTYPE_L2_ETHER (0x0001) Ethernet packet
RTE_PTYPE_L3_IPV4 (0x0010) IPv4 packet without extension headers
IP4: a0:36:9f:be:0c:b4 -> f8:f2:1e:62:9a:10
ICMP: 10.0.0.44 -> 10.0.0.80
tos 0x00, ttl 64, length 84, checksum 0x3283
fragment id 0xf3aa, flags DONT_FRAGMENT
ICMP echo_reply checksum 0xd263
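A defender-side check for the failure the trace above shows, added here as an example (not code from the original post or from VPP): it parses the node path and per-protocol flow summaries of a `show trace` dump and flags any flow that matches the profile's traffic selectors yet reaches a `*-tx` node without an ESP encrypt node after it, i.e. traffic the policy says must be protected but that left the interface in the clear. The embedded trace is an excerpt of the one in the post, and the selector ranges are the ones from the `ikev2 profile` commands.

```python
import re
from ipaddress import ip_address

NODE_RE = re.compile(r"^\d{2}:\d{2}:\d{2}:\d+: (\S+)$")
FLOW_RE = re.compile(r"^(\w+): (\d+\.\d+\.\d+\.\d+) -> (\d+\.\d+\.\d+\.\d+)$")

# Excerpt of the trace from the post (node headers and IPv4 summaries only).
TRACE = """\
00:03:20:698597: dpdk-input
IPSEC_ESP: 10.0.0.80 -> 10.0.0.44
00:03:20:698602: esp4-decrypt
00:03:20:698606: ip4-input-no-checksum
ICMP: 10.0.0.80 -> 10.0.0.44
00:03:20:698607: ip4-load-balance
ICMP: 10.0.0.44 -> 10.0.0.80
00:03:20:698608: TenGigabitEthernet5/0/0-output
00:03:20:698611: TenGigabitEthernet5/0/0-tx
"""
# Traffic selectors from the ikev2 profile, as (low, high) address ranges.
LOCAL_SEL = ("10.0.0.44", "10.0.0.44")
REMOTE_SEL = ("10.0.0.80", "10.0.0.80")

def parse_trace(trace):
    # Returns [(node, flow_or_None)] in graph order; flow = (proto, src, dst).
    events = []
    for line in trace.splitlines():
        if m := NODE_RE.match(line.strip()):
            events.append((m.group(1), None))
        elif (m := FLOW_RE.match(line.strip())) and events and events[-1][1] is None:
            events[-1] = (events[-1][0], m.groups())
    return events

def in_range(addr, sel):
    return ip_address(sel[0]) <= ip_address(addr) <= ip_address(sel[1])

def cleartext_violations(trace, local_sel=LOCAL_SEL, remote_sel=REMOTE_SEL):
    """Flows matching the selectors that reach a *-tx node with no ESP
    encrypt node after them: policy says protect, packet left in the clear."""
    events = parse_trace(trace)
    seen, findings = set(), []
    for i, (node, flow) in enumerate(events):
        if flow is None or flow[0] == "IPSEC_ESP" or flow[1:] in seen:
            continue
        proto, src, dst = flow
        if not (in_range(src, local_sel) and in_range(dst, remote_sel)):
            continue  # not covered by the tunnel policy
        seen.add((src, dst))
        later = [n for n, _ in events[i:]]
        if any(n.endswith("-tx") for n in later) and not any("encrypt" in n for n in later):
            findings.append((node, src, dst))
    return findings
```

Run against the excerpt it reports the echo reply first seen at ip4-load-balance, which is exactly the flow the selectors say should have been encrypted.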
View/Reply Online (#13715): https://lists.fd.io/g/vpp-dev/message/13715