Hi Prashant,

From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> on behalf of Prashant Upadhyaya via lists.fd.io <praupadhyaya=gmail....@lists.fd.io>
Date: Monday, 6 September 2021 at 11:05
To: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io>
Subject: [vpp-dev] Regarding VPP IPSec pipeline

> Hi,
> I am using VPP21.06. I have successfully created an IPSec tunnel between VPP and a Strong Swan peer. Packets from VPP are going into ESP towards the peer, the peer is responding back with ESP as well (inner cleartext packets are ICMP)
>
> Now then, I have a node of my own which is sitting on the ip4-unicast arc and has a runs before clause like thus --
> .runs_before = VNET_FEATURES ("ip4-lookup")
>
> I am expecting that when the ESP packet lands at VPP, it will undergo decryption and the inner IP packet would go again to ip4-input and from there hit my node on the ip4-unicast arc. However this does not happen. It appears that the packet is going to ip4-lookup bypassing my node.

That does happen. The first time ip4-input is run for the physical interface, then after decrypt/decap ip4-input is run for the tunnel interface. So your feature should be enabled on the tunnel interface. If this is what you have configured and it’s not working, please send a packet trace and the output of ‘sh int’ and ‘sh int feat YOUR_TUNNEL’

/neale

> So the question is how do I get the decrypted inner packet on ESP to my node.
>
> Regards
> -Prashant