Hi, I have set up an IPSEC SA between Strongswan (initiator) and VPP (responder). Traffic flows fine, but when I explicitly enabled ESN on Strongswan, the IPSEC SA is established fine but traffic fails. I mean the ESP packets are going out from SS to the VPP, but traffic is dropped at VPP.
I had sent 10 packets from SS to VPP. All 10 were dropped. The show interface (ipip0), show node counters and show errors all point to one counter that matches the value of 10 packets that are dropped ("unknown ip protocol"). Is this a known issue, and is any fix available? I have captured the version details and the interface and error counters below:

=========================================
vpp# show version
vpp v21.01-rc0~324-g62877029a built by root on ubuntu-10-37-3-75 at 2020-10-30T11:10:45
vpp#
vpp# show ikev2 sa
 iip 10.75.1.20 ispi 29734be0bcf0ad74 rip 10.75.1.99 rspi e75e645e3741e754
vpp#
vpp#
vpp# show ipsec sa
[0] sa 2147483648 (0x80000000) spi 3241827758 (0xc13a5dae) protocol:esp flags:[esn anti-replay ]
[1] sa 3221227520 (0xc0000800) spi 3662743779 (0xda5108e3) protocol:esp flags:[esn anti-replay inbound ]
vpp#
vpp#
vpp#
vpp# show interface
              Name               Idx    State  MTU (L3/IP4/IP6/MPLS)     Counter          Count
GigabitEthernetb/0/0              1      up          9000/0/0/0     rx packets                   895
                                                                    rx bytes                   89264
                                                                    tx packets                   399
                                                                    tx bytes                   49762
                                                                    drops                        632
                                                                    punt                           1
                                                                    ip4                          768
                                                                    ip6                            3
ipip0                             2      up          9000/0/0/0     rx packets                    10
                                                                    rx bytes                    1320
                                                                    drops                         10
                                                                    ip4                           10
local0                            0     down          0/0/0/0
vpp#
vpp#
vpp#
vpp# show errors
   Count                  Node                              Reason               Severity
     256                ikev2-ip4                  IKEv2 packets processed         error
      12                dpdk-input                        no error                 error
     115                arp-reply                     ARP replies sent             error
     147              ip4-udp-lookup                      No error                 error
      41             esp4-decrypt-tun                 ESP pkts received            error
      31             esp4-encrypt-tun                 ESP pkts received            error
      41            ipsec4-tun-input                good packets received          error
     469                ip4-input                Multicast RPF check failed        error
       2                ip4-local                 ip4 source lookup miss           error
      10                ip4-local                   unknown ip protocol            error
       1              ip4-icmp-input                    unknown type               error
      31              ip4-icmp-input                 echo replies sent             error
vpp#
vpp#
vpp# show node counters
   Count                  Node                              Reason               Severity
     256                ikev2-ip4                  IKEv2 packets processed         error
      12                dpdk-input                        no error                 error
     115                arp-reply                     ARP replies sent             error
     147              ip4-udp-lookup                      No error                 error
      41             esp4-decrypt-tun                 ESP pkts received            error
      31             esp4-encrypt-tun                 ESP pkts received            error
      41            ipsec4-tun-input                good packets received          error
     469                ip4-input                Multicast RPF check failed        error
       2                ip4-local                 ip4 source lookup miss           error
      10                ip4-local                   unknown ip protocol            error
       1              ip4-icmp-input                    unknown type               error
      31              ip4-icmp-input                 echo replies sent             error
vpp#
vpp#
vpp#