Route Injection VPP IPSec: "Routing traffic through ipsec0 interface on the VPP responder"
*Setup Details:* StrongSwan IPsec client initiator which establishes 250 IPSec tunnels with the VPP head-end responder.

*Case # Only one IPSec tunnel:*
ipip0 (ipsec00) interface, and it's straightforward to add a route for the remote IP range.

*Case # When you have more than two IPSec tunnels, the ipsec interface name depends on which tunnels got established first.*
ipip0 interface (Can't add route because I don't know which remote IP range): Could be remote 1 or 2
ipip1 interface (Can't add route because I don't know which remote IP range): Could be remote 1 or 2

This becomes a big issue when you have 250 clients coming in at the same time. It becomes impossible to decide which route gets injected on which interface!!

-Ravin

Ref: https://wiki.fd.io/view/VPP/IPSec_and_IKEv2#Routing_traffic_through_ipsec0_interface_on_the_VPP_responder

Routing traffic through ipsec0 interface on the VPP responder

At this point of the configuration, you still do not have end-to-end secure connectivity. You need to route traffic through the ipsec0 interface created on VPP. There are two ways of doing it.

First: using a dummy IP address.

    set interface state ipsec0 up
    set interface ip address ipsec0 11.11.11.11/32
    ip route add 192.168.3.0/24 via 11.11.11.11 ipsec0

Second: binding logical and physical interfaces. You must use the tunnel endpoint interface.

    ip route add 192.168.3.0/24 via ipsec0
    set interface state ipsec0 up
    set interface unnumbered ipsec0 use TenGigabitEthernet4/0/0
View/Reply Online (#15567): https://lists.fd.io/g/vpp-dev/message/15567