Hi Vijay,

It is not a known issue AFAIK. Can you share more details?

vpp# show ikev2 sa details
vpp# show ipsec all

Also, could you share a packet trace?

vpp# clear trace
vpp# trace add dpdk-input 10
[send traffic and see it being dropped]
vpp# show trace

Thanks
ben

> -----Original Message-----
> From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> On Behalf Of Vijay Kumar
> Sent: Sunday, 15 November 2020 07:56
> To: vpp-dev@lists.fd.io
> Subject: [vpp-dev] IPSEC traffic fails when ESN is enabled
>
> Hi,
>
> I have set up IPSEC SA b/w the Strongswan (initiator) and VPP (responder).
> Traffic flows fine but when I explicitly enabled ESN on Strongswan the
> IPSEC SA is established fine but traffic fails. I mean the ESP packets are
> going out from SS to the VPP but traffic is dropped at VPP.
>
> I had sent 10 packets from SS to VPP. All 10 were dropped. The show
> interface (ipip0), show node counters and show errors all point to one
> counter that matches the value 10 packets that are dropped ("unknown ip
> protocol")
>
> Is this a known issue, and is any fix available?
>
> I have captured the version details and interface and error counters
> below: -
> =========================================
> vpp# show version
> vpp v21.01-rc0~324-g62877029a built by root on ubuntu-10-37-3-75 at 2020-10-30T11:10:45
> vpp#
>
> vpp# show ikev2 sa
> iip 10.75.1.20 ispi 29734be0bcf0ad74 rip 10.75.1.99 rspi e75e645e3741e754
> vpp#
> vpp#
> vpp# show ipsec sa
> [0] sa 2147483648 (0x80000000) spi 3241827758 (0xc13a5dae) protocol:esp flags:[esn anti-replay ]
> [1] sa 3221227520 (0xc0000800) spi 3662743779 (0xda5108e3) protocol:esp flags:[esn anti-replay inbound ]
> vpp#
> vpp#
> vpp#
> vpp# show interface
>         Name              Idx   State   MTU (L3/IP4/IP6/MPLS)   Counter       Count
> GigabitEthernetb/0/0      1     up      9000/0/0/0              rx packets      895
>                                                                 rx bytes      89264
>                                                                 tx packets      399
>                                                                 tx bytes      49762
>                                                                 drops           632
>                                                                 punt              1
>                                                                 ip4             768
>                                                                 ip6               3
> ipip0                     2     up      9000/0/0/0              rx packets       10
>                                                                 rx bytes       1320
>                                                                 drops            10
>                                                                 ip4              10
> local0                    0     down    0/0/0/0
> vpp#
> vpp#
> vpp#
> vpp# show errors
>    Count   Node               Reason                       Severity
>      256   ikev2-ip4          IKEv2 packets processed      error
>       12   dpdk-input         no error                     error
>      115   arp-reply          ARP replies sent             error
>      147   ip4-udp-lookup     No error                     error
>       41   esp4-decrypt-tun   ESP pkts received            error
>       31   esp4-encrypt-tun   ESP pkts received            error
>       41   ipsec4-tun-input   good packets received        error
>      469   ip4-input          Multicast RPF check failed   error
>        2   ip4-local          ip4 source lookup miss       error
>       10   ip4-local          unknown ip protocol          error
>        1   ip4-icmp-input     unknown type                 error
>       31   ip4-icmp-input     echo replies sent            error
> vpp#
> vpp#
> vpp# show node counters
>    Count   Node               Reason                       Severity
>      256   ikev2-ip4          IKEv2 packets processed      error
>       12   dpdk-input         no error                     error
>      115   arp-reply          ARP replies sent             error
>      147   ip4-udp-lookup     No error                     error
>       41   esp4-decrypt-tun   ESP pkts received            error
>       31   esp4-encrypt-tun   ESP pkts received            error
>       41   ipsec4-tun-input   good packets received        error
>      469   ip4-input          Multicast RPF check failed   error
>        2   ip4-local          ip4 source lookup miss       error
>       10   ip4-local          unknown ip protocol          error
>        1   ip4-icmp-input     unknown type                 error
>       31   ip4-icmp-input     echo replies sent            error
> vpp#
> vpp#
> vpp#