Hi Benoit,

Thank you for pointing to the issue. The vlib_punt registration is missing in my IKE plugin. I will add this now.

Regards,
Vijay

On Fri, May 7, 2021 at 2:01 PM Benoit Ganne (bganne) <bga...@cisco.com> wrote:

> Hi Vijay,
>
> NATT is more complex because it requires IPsec to punt packets to IKE as
> IPsec and IKE are sharing the same port - hence IPsec will overwrite your
> UDP port registration in this case. See the use of
> ipsec_register_udp_port() and vlib_punt_register() in
> src/plugins/ikev2/ikev2.c.
>
> Best
> ben
>
> > -----Original Message-----
> > From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> On Behalf Of Vijay Kumar
> > Sent: Friday, May 7, 2021 10:24
> > To: vpp-dev <vpp-dev@lists.fd.io>
> > Subject: Re: [vpp-dev] My plugin is not getting IKE packets on port 4500
> >
> > Hi experts,
> >
> > Gentle reminder.
> > Has someone faced this issue before?
> >
> > On Thu, May 6, 2021 at 6:04 PM Vijay Kumar via lists.fd.io
> > <http://lists.fd.io> <vjkumar2003=gmail....@lists.fd.io
> > <mailto:gmail....@lists.fd.io> > wrote:
> >
> >     Hi team,
> >
> >     I have implemented a new isakmp plugin that will register with udp
> >     for port 500 and 4500 IKE pkts as shown below (In my cluster, we don't
> >     use the default ikev2 plugin of VPP. The IKEv2 plugin is disabled as we
> >     are using 3rd party IKE stack)
> >
> >     The peer of VPP is Strongswan client.
> >
> >     My plugin is getting only IKE pkts over 500 and able to establish SA
> >     successfully but when I tried NAT case (SS is sending AUTH pkt over
> >     4500), the AUTH packet coming over port 4500 is not coming to my IKE
> >     graph node registered in the udp_register_dst_port() API.
> >
> >     I referred to the code of ikev2 plugin and it does the same for port
> >     registration? Could I be missing something?
> >
> >     Port registration
> >     ==============
> >     udp_register_dst_port (vm, UDP_DST_PORT_IKE,
> >     an_ppe_isakmpmgr_input_node.index, 1); -----> the 2nd param is port 500
> >
> >     udp_register_dst_port (vm, UDP_DST_PORT_IKENAT,
> >     an_ppe_isakmpmgr_input_node.index, 1); ----> the 2nd param is port 4500
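Added example, not part of the thread and not VPP code: a stand-alone classifier for UDP port 4500 payloads following the RFC 3948 rules, showing why IKE and ESP share the port and which packets the IPsec side has to hand over (punt) to an IKE node. All function, enum and sample names are hypothetical, and the sample payloads are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names; the rules are the UDP/4500 demux from RFC 3948. */
typedef enum { NATT_DROP, NATT_KEEPALIVE, NATT_IKE, NATT_ESP } natt_class_t;
#define IKE_HDR_LEN 28u /* SPIi 8, SPIr 8, next/ver/xchg/flags 4, msg id 4, length 4 */

static uint32_t be32 (const uint8_t *p)
{ return ((uint32_t) p[0] << 24) | ((uint32_t) p[1] << 16) | ((uint32_t) p[2] << 8) | p[3]; }

/* Classify one UDP/4500 payload. On NATT_IKE, *ike_off is the IKE header offset. */
natt_class_t natt_classify (const uint8_t *p, size_t len, size_t *ike_off)
{
  *ike_off = 0;
  if (len == 1 && p[0] == 0xFF)
    return NATT_KEEPALIVE;                  /* NAT keepalive: ignore, never punt */
  if (len < 4)
    return NATT_DROP;
  if (be32 (p) != 0)                        /* non-zero SPI: UDP-encapsulated ESP */
    return len >= 8 ? NATT_ESP : NATT_DROP; /* need SPI + sequence number */
  /* Four zero bytes = Non-ESP Marker: the traffic that must reach the IKE node. */
  if (len - 4 < IKE_HDR_LEN)
    return NATT_DROP;
  uint32_t ike_len = be32 (p + 4 + 24);     /* IKE length field excludes the marker */
  if (ike_len < IKE_HDR_LEN || ike_len > len - 4)
    return NATT_DROP;
  *ike_off = 4;
  return NATT_IKE;
}

/* Constructed sample payloads (not captured traffic). */
static const uint8_t sample_keepalive[] = { 0xFF };
static const uint8_t sample_esp[] = { 0xC0, 0xFF, 0xEE, 0x01, 0, 0, 0, 1, 0xAA, 0xBB };
static const uint8_t sample_ike[4 + 28] = {
  0, 0, 0, 0,                               /* Non-ESP Marker */
  1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, /* SPIi, SPIr */
  0x2E, 0x20, 0x23, 0x08,                   /* header only: SK, v2.0, IKE_AUTH, I flag */
  0, 0, 0, 1, 0, 0, 0, 28 };                /* message id 1, length 28 */

int main (void)
{
  size_t off;
  natt_class_t k = natt_classify (sample_keepalive, sizeof sample_keepalive, &off);
  natt_class_t e = natt_classify (sample_esp, sizeof sample_esp, &off);
  natt_class_t i = natt_classify (sample_ike, sizeof sample_ike, &off);
  printf ("keepalive=%d esp=%d ike=%d ike_off=%zu\n", k, e, i, off);
  return 0;
}
```

An IKE node that receives punted port-4500 traffic has to skip the 4-byte marker before parsing the IKE header, which is what `ike_off` reports.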