Hi Vijay,

Use the APIs in ipsec_spd.h

/neale

From: Vijay Kumar <vjkumar2...@gmail.com>
Date: Wednesday, 11 August 2021 at 14:05
To: Neale Ranns <ne...@graphiant.com>
Cc: vpp-dev <vpp-dev@lists.fd.io>
Subject: Re: [vpp-dev] Regarding Traffic selectors (IP and port range) usage in vnet/ipsec encrypt
Hi Neale,

Thanks for the clarification.

We are not using the VPP IKEv2 plugin. In our product, we use a different IKE 
stack, but we program the SA keys and create the IPSEC SA by calling the 
ipsec_sa_add_and_lock() API of vnet/ipsec.

What is your suggestion if we wanted to implement policy (SPD) based VPN in 
future?

Can we fill the IPSEC SPD pool and use the ipsec-output feature 
(ipsec-output-node) graph node, which matches the packet against the configured SPD 
(policy)?

On Wed, Aug 11, 2021 at 5:08 PM Neale Ranns <ne...@graphiant.com> wrote:

Hi Vijay,

VPP’s IKE implementation only supports route-based VPNs (where a tunnel 
interface is created) and not policy based (where the SPD is used).

/neale


From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> on behalf of Vijay Kumar via lists.fd.io <vjkumar2003=gmail....@lists.fd.io>
Date: Wednesday, 11 August 2021 at 13:00
To: vpp-dev <vpp-dev@lists.fd.io>
Subject: [vpp-dev] Regarding Traffic selectors (IP and port range) usage in vnet/ipsec encrypt
Hi Neale,

I was looking at the ipsec_sa_add_and_lock() function, which is called by ikev2 to 
install the IPSEC SA, but I was NOT able to find anywhere that the IKEv2 negotiated 
traffic selectors (IP addr range (start, stop) and port range (start, stop)) are 
being programmed into vnet/ipsec. In such a case, how does the SPD processing 
happen in the case of esp4-encrypt-tun()?

Only in the case of the ipsec4_output_node() function did I see that the 
function ipsec_output_policy_match() is invoked, which will do TS matching against 
the packet addr and port fields. But in the case of esp4-encrypt-tun() I do not 
see this policy (SPD) matching happen?



Regards.
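To illustrate the policy-based path discussed in this thread (outbound packets matched against SPD traffic selectors rather than steered by a tunnel interface), here is a small, self-contained model of an SPD lookup. It is an added example, not VPP code: the struct and function names are assumptions, the SPD entries are constructed, and only "protect" policies are modelled, whereas a real SPD also carries bypass and discard actions.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed model of one SPD policy's traffic selectors: inclusive IPv4
 * address ranges and port ranges (start, stop), as an IKE negotiates them.
 * Names are assumptions for this example, not VPP's own types. */
typedef struct {
    uint32_t laddr_start, laddr_stop;   /* local (source) address range   */
    uint32_t raddr_start, raddr_stop;   /* remote (destination) address range */
    uint16_t lport_start, lport_stop;   /* local (source) port range      */
    uint16_t rport_start, rport_stop;   /* remote (destination) port range */
    uint8_t  protocol;                  /* 0 = any protocol               */
    int      sa_index;                  /* SA to protect the packet with  */
} spd_policy_t;

typedef struct {
    uint32_t saddr, daddr;
    uint16_t sport, dport;
    uint8_t  protocol;
} pkt_tuple_t;

#define IP4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

static int in_range32(uint32_t v, uint32_t lo, uint32_t hi) { return v >= lo && v <= hi; }
static int in_range16(uint16_t v, uint16_t lo, uint16_t hi) { return v >= lo && v <= hi; }

/* Outbound lookup: the first policy whose selectors all cover the packet wins,
 * so array order is priority order. Returns the SA index, or -1 when no
 * policy matches (the caller then fails closed: drop, never send in clear). */
int spd_outbound_lookup(const spd_policy_t *spd, size_t n, const pkt_tuple_t *p)
{
    for (size_t i = 0; i < n; i++) {
        const spd_policy_t *pol = &spd[i];
        if (pol->protocol && pol->protocol != p->protocol) continue;
        if (!in_range32(p->saddr, pol->laddr_start, pol->laddr_stop)) continue;
        if (!in_range32(p->daddr, pol->raddr_start, pol->raddr_stop)) continue;
        if (!in_range16(p->sport, pol->lport_start, pol->lport_stop)) continue;
        if (!in_range16(p->dport, pol->rport_start, pol->rport_stop)) continue;
        return pol->sa_index;
    }
    return -1;
}

/* Constructed SPD: policy 0 protects TCP/443 from 10.0.0.0/24 to 192.168.1.0/24
 * with SA 7; policy 1 protects all other traffic between those nets with SA 3. */
static const spd_policy_t example_spd[] = {
    { IP4(10,0,0,0), IP4(10,0,0,255), IP4(192,168,1,0), IP4(192,168,1,255), 0, 65535, 443, 443,   6, 7 },
    { IP4(10,0,0,0), IP4(10,0,0,255), IP4(192,168,1,0), IP4(192,168,1,255), 0, 65535,   0, 65535, 0, 3 },
};

/* Convenience wrapper over the constructed SPD for a single packet tuple. */
int example_lookup(uint32_t saddr, uint32_t daddr, uint16_t sport, uint16_t dport, uint8_t proto)
{
    pkt_tuple_t p = { saddr, daddr, sport, dport, proto };
    return spd_outbound_lookup(example_spd, sizeof example_spd / sizeof example_spd[0], &p);
}
```

The first-match rule is why the narrower TCP/443 policy must precede the catch-all: reversed, every packet would select SA 3.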


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#19953): https://lists.fd.io/g/vpp-dev/message/19953
Mute This Topic: https://lists.fd.io/mt/84813588/21656
Group Owner: vpp-dev+ow...@lists.fd.io
Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-