Hi,

There is an issue when DPDK is owning the LAN interface for IPSEC traffic. I have a network setup of 2 VPP routers connected by an IPSEC tunnel on the WAN interface, with a LAN interface for sending out traffic, and VPP is acting as the IPSEC gateway. The issue I am seeing is that traffic encrypted by the IPSEC policy is traversing from VPP1 to VPP2, but after decryption the packet is sent out on the eth3 interface on VPP2 and it's staying there. The counters for the eth3 interface are updated, but the DPDK driver is not sending out the packet on the eth3 interface. DPDK is enabled on the eth1 and eth3 interfaces. If, instead of DPDK owning the eth3 interface, I use mem_if or veth (ip link) for the LAN interface, it works well with no issues.
I am using the following DPDK driver for the eth3 interface:

    ./dpdk-devbind.py --bind=uio_pci_generic

Here is the VPP config. eth1 is the WAN interface and eth3 is the LAN interface.

IPSEC setup at VPP1

    set int state eth1 up
    set int ip address eth1 192.168.1.6/24
    ip route add 192.168.2.0/24 via 192.168.1.1
    ikev2 profile add pr1
    ikev2 profile set pr1 auth shared-key-mic string *****
    ikev2 profile set pr1 id local ip4-addr 192.168.1.6
    ikev2 profile set pr1 id remote ip4-addr 192.168.2.6
    ikev2 profile set pr1 traffic-selector local ip-range 192.168.100.20 - 192.168.100.21 port-range 0 - 65535 protocol 0
    ikev2 profile set pr1 traffic-selector remote ip-range 192.168.200.20 - 192.168.200.21 port-range 0 - 65535 protocol 0
    ikev2 profile set pr1 responder eth1 192.168.2.6
    ikev2 profile set pr1 ike-crypto-alg aes-cbc 256 ike-integ-alg sha1-96 ike-dh modp-2048
    ikev2 profile set pr1 esp-crypto-alg aes-cbc 256 esp-integ-alg sha1-96 esp-dh ecp-256
    ikev2 profile set pr1 sa-lifetime 3600 10 5 0
    set int state eth3 up
    set int ip address eth3 192.168.100.5/24

IPSEC setup at VPP2

    set int state eth1 up
    set int ip address eth1 192.168.2.6/24
    ip route add 192.168.1.0/24 via 192.168.2.1
    ikev2 profile add pr1
    ikev2 profile set pr1 auth shared-key-mic string *****
    ikev2 profile set pr1 id local ip4-addr 192.168.2.6
    ikev2 profile set pr1 id remote ip4-addr 192.168.1.6
    ikev2 profile set pr1 traffic-selector remote ip-range 192.168.100.20 - 192.168.100.21 port-range 0 - 65535 protocol 0
    ikev2 profile set pr1 traffic-selector local ip-range 192.168.200.20 - 192.168.200.21 port-range 0 - 65535 protocol 0
    set int state eth3 up
    set int ip address eth3 192.168.200.5/24

Traffic from 192.168.100.20 <-> 192.168.200.20 is encrypted.

The issue I am seeing is on the following VPP image:

    vpp# show ver
    vpp v20.09-release built by root on caba6892cb91 at 2020-10-01T03:09:45

I want to know if others are seeing this issue and how to address it. This is a common use case for an IPSEC setup.

Regards,
Satish K Amaara