Hi Sonia,

How are you routing into the tunnels, and what changes to that routing do you make when removing and adding tunnels?

/neale

From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> on behalf of Sonia Rovner via lists.fd.io <sonia.rovner=oracle....@lists.fd.io>
Date: Tuesday, 12 April 2022 at 22:57
To: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io>
Subject: [vpp-dev] User traffic is going down the wrong tunnel when multiple IKEv2/IPsec tunnels are added, removed then added.

Hi All,

So we are creating multiple (3) IKEv2/IPsec tunnels between two vpp instances. When the setup is clean, vpp restart, all the tunnels come up and traffic flows as it should.

So when we make configuration changes by removing two of the tunnels, then make another change by adding the tunnels back, the IPsec tunnels come up. User traffic does not flow correctly on the added IKEv2/IPsec tunnels. From packet trace we can see traffic using credentials for one tunnel but sending it down to the other added tunnel.

Below is the diagram of the testbed setup. Start off with 3 IKE/IPsec tunnels. The config change was to remove 2nd and 3rd tunnels below. Then, another config change to add the 2nd and 3rd tunnels back.

192.168.10.6 == 192.168.30.6
192.168.11.6 == 192.168.31.6
192.168.12.6 == 192.168.32.6

When traffic does flow, it's always when the ipip_add_tunnel api returns sw_if_index in ascending order:
for 192.168.31.6==192.168.11.6, sw_if_index is 7, ipip1.
for 192.168.32.6==192.168.12.6, sw_if_index is 8, ipip2.

When traffic doesn't flow, it's always when the ipip_add_tunnel api returns sw_if_index out of order. For example on vpp2, when adding ipip tunnel
for 192.168.31.6==192.168.11.6, sw_if_index is 8, ipip2.
for 192.168.32.6==192.168.12.6, sw_if_index is 7, ipip1.

In the attached packet trace, vpp2dpdkbroken.trace, you can see that TCP packets from 192.168.220.20 -> 192.168.200.20 for ipip2 are sent to IPSEC_ESP: 192.168.32.6 -> 192.168.12.6

Packet generator is running from vpp2 Testnode using
nping --tcp 192.168.200.20 -p 2001-4000 --rate 100

Regards,
-Sonia