Hi Neale,

Thank you for the valuable information.

I shall use the spd header file as reference.
Regards.
On Wed, Aug 11, 2021 at 5:51 PM Neale Ranns <ne...@graphiant.com> wrote:

> Hi Vijay,
>
> Use the APIs in ipsec_spd.h
>
> /neale
>
> From: Vijay Kumar <vjkumar2...@gmail.com>
> Date: Wednesday, 11 August 2021 at 14:05
> To: Neale Ranns <ne...@graphiant.com>
> Cc: vpp-dev <vpp-dev@lists.fd.io>
> Subject: Re: [vpp-dev] Regarding Traffic selectors (IP and port range)
> usage in vnet/ipsec encrypt
>
> Hi Neale,
>
> Thanks for the clarification.
>
> We are not using the VPP IKEv2 plugin. In our product, we use a different
> IKE stack but we program the SA keys and create IPSEC SA by calling
> ipsec_sa_add_and_lock() API of vnet/ipsec.
>
> What is your suggestion If we wanted to implement policy (SPD) based VPN
> in future?
>
> Can we fill the IPSEC SPD pool and use the ipsec-output-feature
> (ipsec-output-node) graph node which matches the packet with the configured
> SPD (policy)?
>
> On Wed, Aug 11, 2021 at 5:08 PM Neale Ranns <ne...@graphiant.com> wrote:
>
> Hi Vijay,
>
> VPP’s IKE implementation only supports route-based VPNs (where a tunnel
> interface is created) and not policy based (where the SPD is used).
>
> /neale
>
> From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> on behalf of Vijay
> Kumar via lists.fd.io <vjkumar2003=gmail....@lists.fd.io>
> Date: Wednesday, 11 August 2021 at 13:00
> To: vpp-dev <vpp-dev@lists.fd.io>
> Subject: [vpp-dev] Regarding Traffic selectors (IP and port range)
> usage in vnet/ipsec encrypt
>
> Hi Neale,
>
> I was looking at the ipsec_sa_add_and_lock() function which is called by
> ikev2 to install the IPSEC SA, but I was NOT able to find anywhere the IKEv2
> negotiated traffic selectors: IP addr range (start, stop) and port range
> (start, stop) being programmed into vnet/ipsec. In such a case, how does
> the SPD processing happen in the case of esp4-encrypt-tun()?
>
> Only in the case of the ipsec4_output_node() function was I seeing that the
> function ipsec_output_policy_match() is invoked, which will do TS
> matching with the packet addr and port fields. But in the case of
> esp4-encrypt-tun() I do not see this policy (SPD) matching happen?
>
> Regards.
>
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#19954): https://lists.fd.io/g/vpp-dev/message/19954
Mute This Topic: https://lists.fd.io/mt/84813588/21656
Group Owner: vpp-dev+ow...@lists.fd.io
Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
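The thread above turns on what an outbound SPD lookup actually does with IKE-style traffic selectors (address range, port range, protocol) and why a tunnel-interface (route-based) path has no such lookup. The following Python is an added example written for this archive page, not VPP code and not anything posted by Vijay or Neale: it models an SPD whose outbound policies are walked in priority order, returning the first policy whose selector covers the packet. The field names, the ANY_PROTO = 0 convention, the choice of TCP/UDP/SCTP as the only protocols with port selectors, and the sample policies are all assumptions of this model; the real matching rules live in VPP's ipsec_spd_policy.c and should be read there.

```python
"""Simplified model of an outbound IPsec SPD lookup with traffic selectors.

Added example, not VPP code: it illustrates the kind of matching the thread
attributes to ipsec_output_policy_match(), walking an SPD's outbound policies
in priority order and returning the first whose traffic selector (address
range, port range, protocol) covers the packet. Field names and conventions
(priority order, ANY_PROTO = 0, which protocols carry port selectors) are
assumptions of this model, not statements about VPP.
"""
from dataclasses import dataclass
from enum import Enum
from ipaddress import IPv4Address
from typing import List, Optional, Tuple


class Action(Enum):
    BYPASS = "bypass"    # forward in the clear
    DISCARD = "discard"  # drop
    PROTECT = "protect"  # encrypt with the referenced SA


ANY_PROTO = 0                  # assumed convention: 0 means "any IP protocol"
PORT_PROTOCOLS = {6, 17, 132}  # TCP, UDP, SCTP: the protocols that carry port selectors


@dataclass(frozen=True)
class Policy:
    priority: int                 # higher value is consulted first
    action: Action
    local_start: IPv4Address      # local address range (packet source on egress)
    local_stop: IPv4Address
    remote_start: IPv4Address     # remote address range (packet destination on egress)
    remote_stop: IPv4Address
    protocol: int = ANY_PROTO
    local_port_start: int = 0
    local_port_stop: int = 65535
    remote_port_start: int = 0
    remote_port_stop: int = 65535
    sa_id: Optional[int] = None   # only meaningful when action is PROTECT


class SPD:
    def __init__(self, spd_id: int):
        self.spd_id = spd_id
        self._outbound: List[Policy] = []

    def add_policy(self, policy: Policy) -> None:
        self._outbound.append(policy)
        # Stable sort: policies with equal priority keep insertion order.
        self._outbound.sort(key=lambda p: p.priority, reverse=True)

    def match_outbound(self, src: IPv4Address, dst: IPv4Address, proto: int,
                       sport: int = 0, dport: int = 0) -> Optional[Policy]:
        for p in self._outbound:
            if not (p.local_start <= src <= p.local_stop):
                continue
            if not (p.remote_start <= dst <= p.remote_stop):
                continue
            if p.protocol != ANY_PROTO and p.protocol != proto:
                continue
            if proto not in PORT_PROTOCOLS:
                return p          # e.g. ICMP has no ports, so only the L3 selectors apply
            if not (p.local_port_start <= sport <= p.local_port_stop):
                continue
            if not (p.remote_port_start <= dport <= p.remote_port_stop):
                continue
            return p
        return None               # no policy covers the packet


def build_example_spd() -> SPD:
    """Constructed sample SPD: protect HTTPS to one subnet, bypass DNS, drop the rest."""
    spd = SPD(spd_id=1)
    a = IPv4Address
    spd.add_policy(Policy(0, Action.DISCARD, a("0.0.0.0"), a("255.255.255.255"),
                          a("0.0.0.0"), a("255.255.255.255")))
    spd.add_policy(Policy(10, Action.PROTECT, a("10.0.0.0"), a("10.0.0.255"),
                          a("192.168.1.0"), a("192.168.1.255"), protocol=6,
                          remote_port_start=443, remote_port_stop=443, sa_id=1))
    spd.add_policy(Policy(20, Action.BYPASS, a("10.0.0.0"), a("10.0.0.255"),
                          a("192.168.1.53"), a("192.168.1.53"), protocol=17,
                          remote_port_start=53, remote_port_stop=53))
    return spd


def classify(spd: SPD, src: str, dst: str, proto: int,
             sport: int = 0, dport: int = 0) -> Tuple[str, Optional[int]]:
    """Return (action name, SA id) for a packet; no match is treated as DISCARD."""
    p = spd.match_outbound(IPv4Address(src), IPv4Address(dst), proto, sport, dport)
    if p is None:
        return (Action.DISCARD.value, None)
    return (p.action.value, p.sa_id)


if __name__ == "__main__":
    spd = build_example_spd()
    print(classify(spd, "10.0.0.5", "192.168.1.20", 6, 40000, 443))  # ('protect', 1)
    print(classify(spd, "10.0.0.5", "192.168.1.53", 17, 5000, 53))    # ('bypass', None)
    print(classify(spd, "10.0.0.5", "192.168.1.20", 6, 40000, 80))    # ('discard', None)
```

Two points the model makes concrete. First, the lowest-priority catch-all DISCARD is what gives policy-based IPsec its fail-closed property: anything the negotiated selectors do not cover is dropped rather than sent in the clear. Second, the lookup keys on per-packet addresses and ports, which is exactly the work a tunnel interface does not do: once a route points at the tunnel, every packet on it is encrypted with the tunnel's SA, so the negotiated selectors only constrain which routes you install, not which packets the encrypt node accepts.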