Hi,

I configured VPP as a responder while strongSwan was the initiator. I configured an IKEv2 profile and tested IPSec. While testing with VPP as responder, I found that for every IPSec created, a logical interface "ipipx" is created in VPP.
As the peer network route is added via the ipip0 interface, this creates an extra routing hop for every pkt that goes out of VPP, in the sense that for all IPSec packets the first route entry would have ipipx as the outgoing interface, while the 2nd lookup for the ipipx would have another route entry with the physical interface as the outgoing interface. When there are thousands of tunnels, say 100K or more IPSec SAs, I think this would cause performance issues due to the extra route lookup for each packet?

Please clarify why the "ipip" tunnel interface creation is required? How can this be avoided for the case where there are many SAs? I think it is better to alter the code to prevent creation of this logical interface and allow the IPSec plugin to just do encryption and allow the next node "IP4-lookup" to do the routing (via phy interface).

Regards,
Vijay Kumar N