Hello Im trying to run *route base* ipsec on vpp version *19.04.4* -rc0 while using dpdk backend but i see that the packets are not forwording and not get encrepted / decrepted.
im using this guide here https://wiki.fd.io/view/VPP/IPSec_and_IKEv2#Routing_traffic_through_ipsec0_interface_on_the_VPP_responder but i see since 19.04 things changed , and this is deprecated?? acoording to this https://wiki.fd.io/view/VPP/IPSec#Deprecated_Model ( https://wiki.fd.io/view/VPP/IPSec#Deprecated_Model ) (it used to work on 19.01.2 ....) i still have all those api coomands in this version but no traffic . i dont see that the relevent nodes are "running" - dpdk_crypto_input , dpdk-esp4-encrypt , dpdk-esp4-decrypt. this is the configuration and relevent dump buffers { ## Increase number of buffers allocated, needed only in scenarios with ## large number of interfaces and worker threads. Value is per numa node. ## Default is 16384 (8192 if running unpriviledged) buffers-per-numa 128000 ## Size of buffer data area ## Default is 2048 # default data-size 2048 } dpdk { uio-driver vfio-pci vdev crypto_aesni_mb0,socket_id=0 dev default { num-rx-desc 4096 num-tx-desc 4096 } #num-mbufs 128000 #socket-mem 0,1024 no-multi-seg no-tx-checksum-offload } vpp# show interface address GigabitEthernet5/0/0 (dn): GigabitEthernet5/0/1 (up): L3 192.168.1.10/24 GigabitEthernet5/0/2 (up): L3 100.100.100.1/24 GigabitEthernet5/0/3 (dn): TenGigabitEthernet6/0/0 (dn): TenGigabitEthernet6/0/1 (dn): TenGigabitEthernet7/0/0 (dn): TenGigabitEthernet7/0/1 (dn): ipsec1 (up): L3 60.60.60.1/24 local0 (dn): vpp# show ipsec all [0] sa 0x80000000 spi 0 mode tunnel protocol esp tunnel [1] sa 0xc0000000 spi 0 mode tunnel protocol esp tunnel [2] sa 0x1 spi 3416637075 mode tunnel protocol esp tunnel [3] sa 0x2 spi 3482884703 mode tunnel protocol esp tunnel SPD Bindings: Tunnel interfaces ipsec1 out-bound sa: [3] sa 0x2 spi 3482884703 mode tunnel protocol esp tunnel in-bound sa: [2] sa 0x1 spi 3416637075 mode tunnel protocol esp tunnel show ip fib table 0 ...... ......... .......... 200.200.200.0/24 unicast-ip4-chain [@0]: dpo-load-balance: [proto:ip4 index:28 buckets:1 uRPF:44 to:[0:0]] [0] [@12]: dpo-load-balance: [proto:ip4 index:27 buckets:1 uRPF:40 to:[0:0]] [0] [@6]: ipv4 [features] via 0.0.0.0 ipsec1: mtu:9000 *stacked-on entry:1:* *[@2]: dpo-drop ip4* ..................... vpp# show ipsec backends IPsec AH backends available: Name Index Active default openssl backend 0 yes IPsec ESP backends available: Name Index Active default openssl backend 0 no dpdk backend 1 *yes* vpp# show trace ------------------- Start of thread 0 vpp_main ------------------- Packet 2 00:06:27:420668: dpdk-input GigabitEthernet5/0/2 rx queue 0 buffer 0x49be2b: current data 0, length 74, buffer-pool 0, ref-count 1, totlen-nifb 0, trace 0x1 ext-hdr-valid l4-cksum-computed l4-cksum-correct PKT MBUF: port 2, nb_segs 1, pkt_len 74 buf_len 2176, data_len 74, ol_flags 0x180, data_off 128, phys_addr 0x126f8b40 packet_type 0x11 l2_len 0 l3_len 0 outer_l2_len 0 outer_l3_len 0 rss 0x0 fdir.hi 0x0 fdir.lo 0x0 Packet Offload Flags PKT_RX_IP_CKSUM_GOOD (0x0080) IP cksum of RX pkt. is valid PKT_RX_L4_CKSUM_GOOD (0x0100) L4 cksum of RX pkt. is valid Packet Types RTE_PTYPE_L2_ETHER (0x0001) Ethernet packet RTE_PTYPE_L3_IPV4 (0x0010) IPv4 packet without extension headers IP4: 00:20:d2:53:4c:db -> 08:35:71:ab:99:5f ICMP: 100.100.100.2 -> 200.200.200.2 tos 0x00, ttl 64, length 60, checksum 0x97f0 fragment id 0x899f ICMP echo_request checksum 0x841f 00:06:27:420671: ethernet-input frame: flags 0x3, hw-if-index 3, sw-if-index 3 IP4: 00:20:d2:53:4c:db -> 08:35:71:ab:99:5f 00:06:27:420672: ip4-input-no-checksum ICMP: 100.100.100.2 -> 200.200.200.2 tos 0x00, ttl 64, length 60, checksum 0x97f0 fragment id 0x899f ICMP echo_request checksum 0x841f 00:06:27:420673: ip4-lookup fib 0 dpo-idx 27 flow hash: 0x00000000 ICMP: 100.100.100.2 -> 200.200.200.2 tos 0x00, ttl 64, length 60, checksum 0x97f0 fragment id 0x899f ICMP echo_request checksum 0x841f 00:06:27:420674: ip4-load-balance fib 0 dpo-idx 14 flow hash: 0x00000000 ICMP: 100.100.100.2 -> 200.200.200.2 tos 0x00, ttl 64, length 60, checksum 0x97f0 fragment id 0x899f ICMP echo_request checksum 0x841f fib 0 dpo-idx 14 flow hash: 0x00000000 ICMP: 100.100.100.2 -> 200.200.200.2 tos 0x00, ttl 64, length 60, checksum 0x97f0 fragment id 0x899f ICMP echo_request checksum 0x841f pls advice... PS i saw the new way in the ipsec link with *ipip* port but i dont have the command in the vppctl of " ipsec tunnel protect ipip0 sa-in 20 sa-out 30" for some resone thanks
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#16981): https://lists.fd.io/g/vpp-dev/message/16981 Mute This Topic: https://lists.fd.io/mt/75537240/21656 Group Owner: vpp-dev+ow...@lists.fd.io Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
