Hi Benoit,

Thank you for the quick response. I have another related question.

I see that the ipsec4_output_feature() graph node is part of the ip4-output feature arc (confirmed by the "show features" command). Apart from enabling SPD on an interface, does anything else need to be configured to be able to use ipsec4_output_feature?

OR: Is it like enabling SPD on an interface will implicitly enable this feature arc ip4-output ===> ipsec4_output_feature()?

Regards.

On Wed, 2 Feb 2022, 16:07 Benoit Ganne (bganne), <bga...@cisco.com> wrote:

> Hi,
>
> Looks like you must enable SPD on an interface, e.g. with cli 'set
> interface ipsec spd <int> <id>' or API ipsec_interface_add_del_spd.
>
> ben
>
> > -----Original Message-----
> > From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> On Behalf Of Vijay Kumar
> > Sent: Wednesday 2 February 2022 11:20
> > To: vpp-dev <vpp-dev@lists.fd.io>
> > Subject: Re: [vpp-dev] Regarding the ipsec policy based graph node?
> >
> > Hi experts,
> >
> > I see that when we use VPP for IPSEC VPN, the outbound packets don't pass
> > through the ipsec4_output_node (ipsec4_output_feature) graph node before
> > the esp_encrypt_inline() graph node.
> >
> > I know that VPP doesn't support policy based IPSEC VPN by default.
> > How can one enable this feature where we can use the ipsec4_output_node to
> > do policy matching?
> >
> > Regards,
> > Vijay Kumar N
> >
> > On Thu, Jan 27, 2022 at 11:20 PM Vijay Kumar <vjkumar2...@gmail.com> wrote:
> >
> > Hi all,
> >
> > I am using fdio vpp stack 20.05 and am using the vnet/ipsec that is
> > programmed by non-vpp IKEv2 stack. I observe that in the data-path always
> > "esp4-decrypt-tun" is hit for inbound packets while "esp-encrypt-tun" is
> > hit for all outbound packets.
> >
> > I think these two graph nodes are hit because we create an ipip
> > tunnel interface for the IPSEC and register the rx_db and tx_db at the SA
> > creation time.
> >
> > I would like to use the SPD matching logic written in the graph node
> > ipsec4_output_node/ipsec4_output_feature()?
> >
> > How to enable the outbound packet to pass through this function?
> >
> > Regards.