Hi Neale,

Thanks for the clarification.

We are not using the VPP IKEv2 plugin. In our product, we use a different IKE stack, but we program the SA keys and create the IPsec SA by calling the ipsec_sa_add_and_lock() API of vnet/ipsec. What is your suggestion if we wanted to implement a policy (SPD) based VPN in future? Can we fill the IPsec SPD pool and use the ipsec-output-feature (ipsec-output-node) graph node, which matches the packet against the configured SPD (policy)?

On Wed, Aug 11, 2021 at 5:08 PM Neale Ranns <ne...@graphiant.com> wrote:

> Hi Vijay,
>
> VPP's IKE implementation only supports route-based VPNs (where a tunnel interface is created) and not policy based (where the SPD is used).
>
> /neale
>
> From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> on behalf of Vijay Kumar via lists.fd.io <vjkumar2003=gmail....@lists.fd.io>
> Date: Wednesday, 11 August 2021 at 13:00
> To: vpp-dev <vpp-dev@lists.fd.io>
> Subject: [vpp-dev] Regarding Traffic selectors (IP and port range) usage in vnet/ipsec encrypt
>
> Hi Neale,
>
> I was looking at the ipsec_sa_add_and_lock() function, which is called by ikev2 to install the IPsec SA, but I was NOT able to find anywhere the IKEv2 negotiated traffic selectors (IP addr range (start, stop) and port range (start, stop)) being programmed into vnet/ipsec. In such a case, how does the SPD processing happen in the case of esp4-encrypt-tun()?
>
> Only in the case of the ipsec4_output_node() function I was seeing that the function ipsec_output_policy_match() is invoked, which will do TS matching with the packet addr and port fields. But in the case of esp4-encrypt-tun() I do not see this policy (SPD) matching happen?
>
> Regards.
View/Reply Online (#19952): https://lists.fd.io/g/vpp-dev/message/19952
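The two models the thread contrasts, written out as VPP CLI so the difference in where selectors are enforced is visible. This is an added example for the reader, not configuration from the thread or from the VPP project; interface names, addresses, SA ids, SPIs and the hex keys are placeholders chosen for illustration. In the policy-based form the SPD attached to the outside interface decides what is protected, and the selectors (IP ranges, protocol, port ranges) live in the policies, which is the ipsec_output_policy_match() path mentioned above. In the route-based form there is no SPD on the encrypt path: whatever is routed into the protected tunnel interface is encrypted by esp4-encrypt-tun, so selector enforcement has to come from routing or an ACL in front of the tunnel.

```text
comment { ---- Policy-based (SPD) ---- }
comment { Tunnel-mode SAs, one per direction. Keys and SPIs are placeholders. }
ipsec sa add 10 spi 1000 esp crypto-alg aes-gcm-128 crypto-key 4a506a794f574265564551694d653768 tunnel-src 10.0.0.1 tunnel-dst 10.0.0.2
ipsec sa add 20 spi 2000 esp crypto-alg aes-gcm-128 crypto-key 5a506a794f574265564551694d653769 tunnel-src 10.0.0.2 tunnel-dst 10.0.0.1

comment { The SPD is bound to the outside interface; ipsec-output/ipsec-input run as features there. }
ipsec spd add 1
set interface ipsec spd GigabitEthernet0/8/0 1

comment { Let ESP itself (protocol 50) pass so peer traffic reaches the decrypt path. }
ipsec policy add spd 1 priority 100 inbound action bypass protocol 50
ipsec policy add spd 1 priority 100 outbound action bypass protocol 50

comment { Traffic selectors: only 192.168.1.0/24 <-> 192.168.2.0/24 on TCP/443 is protected. }
ipsec policy add spd 1 priority 10 outbound action protect sa 10 local-ip-range 192.168.1.0 - 192.168.1.255 remote-ip-range 192.168.2.0 - 192.168.2.255 protocol 6 remote-port-range 443 - 443
ipsec policy add spd 1 priority 10 inbound action protect sa 20 local-ip-range 192.168.1.0 - 192.168.1.255 remote-ip-range 192.168.2.0 - 192.168.2.255 protocol 6 local-port-range 443 - 443

comment { Catch-all at the lowest priority: other traffic between the two subnets is dropped, never sent in the clear. }
ipsec policy add spd 1 priority 1 outbound action discard local-ip-range 192.168.1.0 - 192.168.1.255 remote-ip-range 192.168.2.0 - 192.168.2.255
ipsec policy add spd 1 priority 1 inbound action discard local-ip-range 192.168.1.0 - 192.168.1.255 remote-ip-range 192.168.2.0 - 192.168.2.255

comment { ---- Route-based (tunnel interface) alternative ---- }
comment { SAs without tunnel endpoints; the ipip interface supplies the outer header. }
ipsec sa add 30 spi 3000 esp crypto-alg aes-gcm-128 crypto-key 6a506a794f574265564551694d65376a
ipsec sa add 40 spi 4000 esp crypto-alg aes-gcm-128 crypto-key 7a506a794f574265564551694d65376b
create ipip tunnel src 10.0.0.1 dst 10.0.0.2
ipsec tunnel protect ipip0 sa-in 40 sa-out 30
set interface state ipip0 up
set interface unnumbered ipip0 use GigabitEthernet0/8/0
comment { Selection is purely by routing: only this prefix enters the tunnel, and nothing checks ports. }
ip route add 192.168.2.0/24 via ipip0
```

Two checks worth doing on the target release rather than assuming: confirm with `show ipsec spd` that the policy counters move for the protect entries and not the discard entries when expected traffic flows, and confirm on the inbound side which fields the protect policy is actually matched on for a tunnel-mode SA (SPI and outer endpoints versus inner selectors), since that determines whether the inner address and port ranges above are enforced after decryption or only documented. The explicit discard policies are there so the result does not depend on the SPD's no-match default.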