GRE is L3 in this case. Right? This limits the possible use cases.

Is there any plan to support L2 GRE over IPsec transport mode? It seems VPP
17 supports this feature. Not sure why it is dropped in 19.

On Wed, Oct 2, 2019, 12:18 AM Neale Ranns (nranns) <nra...@cisco.com> wrote:

>
> Hi Chuan,
>
> IPSec and GRE is supported using the tunnel protection mechanism :
>   https://wiki.fd.io/view/VPP/IPSec
>
> GRE over IPSec is only supported when the SA is in tunnel mode. This means
> there is a double encap of the IP header; once by the SA (in tunnel mode)
> and once by the tunnel itself. (Which has always been the case in VPP).
>
> Example config follows :
>
>   DBGvpp# ipsec sa add 20 spi 200 crypto-key 6541686776336961656264656f6f6579 crypto-alg aes-cbc-128 tunnel-src 10.10.10.10 tunnel-dst 10.10.10.11
>   DBGvpp# ipsec sa add 30 spi 300 crypto-key 6541686776336961656264656f6f6579 crypto-alg aes-cbc-128 tunnel-src 10.10.10.11 tunnel-dst 10.10.10.10
>   DBGvpp# create gre tunnel src 10.10.10.10 dst 10.10.10.11
>     gre0
>   DBGvpp# ipsec tunnel protect gre0 sa-in 20 sa-out 30
>   DBGvpp# sh ipsec protect
>   gre0
>    output-sa:
>     [1] sa 30 (0x1e) spi 300 (0x0000012c) protocol:esp flags:[tunnel ]
>    input-sa:
>     [0] sa 20 (0x14) spi 200 (0x000000c8) protocol:esp flags:[tunnel Protect ]
>
> Regards,
> neale
>
>
> From: <vpp-dev@lists.fd.io> on behalf of "Chuan Han via Lists.Fd.Io"
> <chuanhan=google....@lists.fd.io>
> Reply to: "chuan...@google.com" <chuan...@google.com>
> Date: Wednesday 2 October 2019 at 02:08
> To: "vpp-dev@lists.fd.io" <vpp-dev@lists.fd.io>
> Cc: "vpp-dev@lists.fd.io" <vpp-dev@lists.fd.io>
> Subject: [vpp-dev] How to configure l2 gre over ipsec in vpp 19.08
>
> Hi, vpp experts,
>
> I am trying to configure l2 gre over ipsec. I followed the steps here:
> https://docs.fd.io/vpp/16.12/ipsec_gre_doc.html
>
> I hit the following error:
> create ipsec: unknown input `gre tunnel src 10.10.10.10 dst...'
>
> My vpp version is v19.08.1-release
>
> It seems on this version the "create ipsec gre tunnel" command does not
> work. If so, is there any other way of configuring l2 gre over ipsec in
> 19.08?
>
> Please advise.
>
> Thanks.
> Chuan
>
>
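
An added example, not part of the original thread or of VPP: a small Python check that parses `sh ipsec protect` output in the format quoted above and reports any protected tunnel whose SA lacks the `tunnel` flag, the condition the reply gives for GRE over IPsec. The `gre1` entries and the `parse_protect`/`audit` names are constructed for illustration, and it assumes tunnel mode is always shown as the `tunnel` flag, as in the quoted output.

```python
import re

# Constructed sample in the layout of the quoted `sh ipsec protect` output;
# gre1 and its SAs are invented to show a failing case.
SAMPLE = """\
gre0
 output-sa:
  [1] sa 30 (0x1e) spi 300 (0x0000012c) protocol:esp flags:[tunnel ]
 input-sa:
  [0] sa 20 (0x14) spi 200 (0x000000c8) protocol:esp flags:[tunnel Protect ]
gre1
 output-sa:
  [3] sa 50 (0x32) spi 500 (0x000001f4) protocol:esp flags:[]
 input-sa:
  [2] sa 40 (0x28) spi 400 (0x00000190) protocol:esp flags:[tunnel Protect ]
"""

SA_RE = re.compile(
    r"\[\d+\]\s+sa\s+(\d+)\s.*?spi\s+(\d+)\s.*?protocol:(\S+)\s+flags:\[([^\]]*)\]")

def parse_protect(text):
    """Return {interface: {"input": [sa, ...], "output": [sa, ...]}}."""
    result, iface, direction = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in ("output-sa:", "input-sa:"):
            direction = line.split("-")[0]          # "output" or "input"
        elif (m := SA_RE.match(line)) and iface and direction:
            result[iface][direction].append({
                "id": int(m.group(1)), "spi": int(m.group(2)),
                "protocol": m.group(3),
                "flags": {f.lower() for f in m.group(4).split()}})
        else:                                       # any other line names an interface
            iface, direction = line, None
            result[iface] = {"input": [], "output": []}
    return result

def audit(text):
    """List protected interfaces with a missing SA or an SA without the tunnel flag."""
    findings = []
    for iface, dirs in parse_protect(text).items():
        for direction in ("input", "output"):
            if not dirs[direction]:
                findings.append(f"{iface}: no {direction} SA")
            for sa in dirs[direction]:
                if "tunnel" not in sa["flags"]:
                    findings.append(f"{iface}: {direction} SA {sa['id']} "
                                    f"(spi {sa['spi']}) is not in tunnel mode")
    return findings
```
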