Hi experts,

I see that when we use VPP for IPSEC VPN, the outbound packets don't pass
through the ipsec4_output_node (*ipsec4_output_feature*) graph node before
the esp_encrypt_inline() graph node.

I know that VPP doesn't support policy based IPSEC VPN by default.
How can one enable this feature where we can use the ipsec4_output_node to
do policy matching?


Regards,
Vijay Kumar N

On Thu, Jan 27, 2022 at 11:20 PM Vijay Kumar <vjkumar2...@gmail.com> wrote:

> Hi all,
>
> I am using fdio vpp stack 20.05 and am using the vnet/ipsec that is
> programmed by a non-vpp IKEv2 stack. I observe that in the data-path
> "esp4-decrypt-tun" is always hit for inbound packets while "esp-encrypt-tun"
> is hit for all outbound packets.
>
> I think these two graph nodes are hit because we create an ipip tunnel
> interface for the IPSEC and register the rx_db and tx_db at the SA creation
> time.
>
> I would like to use the SPD matching logic written in the graph node
> ipsec4_output_node/ipsec4_output_feature().
>
> How to enable the outbound packet to pass through this function?
>
>
> Regards.
>