Hello folks,

I have an issue with IKEv2 and a host behind NAT. The IKE_AUTH packet goes
to the ikev2-ip4 node instead of ikev2-ip4-natt, and this causes
IKEV2_ERROR_BAD_LENGTH.

I'm not an expert in IKE, but are the right nodes specified below?

      udp_register_dst_port (vm, IKEV2_PORT, ikev2_node_ip4.index, 1);
      udp_register_dst_port (vm, IKEV2_PORT, ikev2_node_ip6.index, 0);
      udp_register_dst_port (vm, IKEV2_PORT_NATT, ikev2_node_ip4.index, 1);
      udp_register_dst_port (vm, IKEV2_PORT_NATT, ikev2_node_ip6.index, 0);

Shouldn't it be ikev2_node_ip4_natt instead of ikev2_node_ip4 for
IKEV2_PORT_NATT?

Errors:
        12             ikev2-ip4                      packets processed                    info
         6             ikev2-ip4                      Bad packet length                    error
         6             ikev2-ip4              IKE EXCHANGE SA requests received            info

The trace:
06:19:16:980290: dpdk-input
  GigabitEthernet5/0/0 rx queue 0
  buffer 0x84923: current data 0, length 290, buffer-pool 0, ref-count 1, trace handle 0x1
                  ext-hdr-valid
  PKT MBUF: port 0, nb_segs 1, pkt_len 290
    buf_len 2176, data_len 290, ol_flags 0x180, data_off 128, phys_addr 0x59124940
    packet_type 0x211 l2_len 0 l3_len 0 outer_l2_len 0 outer_l3_len 0
    rss 0x0 fdir.hi 0x0 fdir.lo 0x0
    Packet Offload Flags
      PKT_RX_IP_CKSUM_GOOD (0x0080) IP cksum of RX pkt. is valid
      PKT_RX_IP_CKSUM_NONE (0x0090) no IP cksum of RX pkt.
      PKT_RX_L4_CKSUM_GOOD (0x0100) L4 cksum of RX pkt. is valid
      PKT_RX_L4_CKSUM_NONE (0x0108) no L4 cksum of RX pkt.
    Packet Types
      RTE_PTYPE_L2_ETHER (0x0001) Ethernet packet
      RTE_PTYPE_L3_IPV4 (0x0010) IPv4 packet without extension headers
      RTE_PTYPE_L4_UDP (0x0200) UDP packet
  IP4: 10:0e:7e:bb:78:40 -> 38:ea:a7:37:59:90 802.1q vlan 1191
  UDP: X.X.X.X -> Y.Y.Y.Y
    tos 0x28, ttl 216, length 272, checksum 0xe170 dscp AF11 ecn NON_ECN
    fragment id 0x0000
  UDP: 23911 -> 4500
    length 252, checksum 0x0000
06:19:16:980294: bond-input
  src 10:0e:7e:bb:78:40, dst 38:ea:a7:37:59:90, GigabitEthernet5/0/0 -> BondEthernet10
06:19:16:980294: ethernet-input
  IP4: 10:0e:7e:bb:78:40 -> 38:ea:a7:37:59:90 802.1q vlan 1191
06:19:16:980295: ip4-input
  UDP: X.X.X.X -> Y.Y.Y.Y
    tos 0x28, ttl 216, length 272, checksum 0xe170 dscp AF11 ecn NON_ECN
    fragment id 0x0000
  UDP: 23911 -> 4500
    length 252, checksum 0x0000
06:19:16:980296: ip4-lookup
  fib 0 dpo-idx 6 flow hash: 0x00000000
  UDP: X.X.X.X -> Y.Y.Y.Y
    tos 0x28, ttl 216, length 272, checksum 0xe170 dscp AF11 ecn NON_ECN
    fragment id 0x0000
  UDP: 23911 -> 4500
    length 252, checksum 0x0000
06:19:16:980296: ip4-receive
    UDP: X.X.X.X -> Y.Y.Y.Y
      tos 0x28, ttl 216, length 272, checksum 0xe170 dscp AF11 ecn NON_ECN
      fragment id 0x0000
    UDP: 23911 -> 4500
      length 252, checksum 0x0000
06:19:16:980297: ip4-udp-lookup
  UDP: src-port 23911 dst-port 4500
06:19:16:980300: ikev2-ip4
  ikev2: sw_if_index 10, next index 1
06:19:16:980301: error-drop
  rx:BondEthernet10.1191
06:19:16:980301: drop
  ip4-udp-lookup: none

-- 
Best regards
Stanislav Zaikin
View/Reply Online (#21407): https://lists.fd.io/g/vpp-dev/message/21407
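
Added example, not part of the original message and not VPP code: a simplified model of why an IKE message received on UDP 4500 fails a length check when the handler does not skip the four-octet non-ESP marker that RFC 7296 prepends on that port. The function names, return codes and the sample packet (sized to match the 252-byte UDP length in the trace, with an assumed Message ID of 1) are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IKE_HDR_LEN 28       /* fixed IKEv2 header size */
#define NON_ESP_MARKER_LEN 4 /* four zero octets prepended on UDP 4500 */
enum { IKE_OK = 0, IKE_BAD_LENGTH = -1, IKE_NOT_IKE = -2 };

static uint32_t be32(const uint8_t *p) {
  return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
         ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Check the IKE header Length field against the UDP payload size.
   natt != 0 models a handler that strips the non-ESP marker first. */
int check_ike_length(const uint8_t *p, size_t n, int natt) {
  if (natt) {
    if (n < NON_ESP_MARKER_LEN || be32(p) != 0)
      return IKE_NOT_IKE; /* a non-zero first word is an ESP SPI */
    p += NON_ESP_MARKER_LEN;
    n -= NON_ESP_MARKER_LEN;
  }
  if (n < IKE_HDR_LEN)
    return IKE_BAD_LENGTH;
  uint32_t len = be32(p + 24); /* Length is the last 4 header bytes */
  return (len < IKE_HDR_LEN || len > n) ? IKE_BAD_LENGTH : IKE_OK;
}

/* Constructed sample: 244-byte UDP payload (the trace shows UDP length 252,
   minus the 8-byte UDP header) = marker + 240-byte IKE_AUTH, Message ID 1. */
int sample_result(int natt) {
  uint8_t buf[244] = {0};
  uint8_t *ike = buf + NON_ESP_MARKER_LEN;
  memset(ike, 0xAA, 16); /* constructed initiator and responder SPIs */
  ike[16] = 46;          /* next payload: Encrypted (SK) */
  ike[17] = 0x20;        /* version 2.0 */
  ike[18] = 35;          /* exchange type: IKE_AUTH */
  ike[19] = 0x08;        /* flags: initiator */
  ike[23] = 1;           /* Message ID = 1 (assumed) */
  ike[27] = 240;         /* Length = 240 */
  return check_ike_length(buf, sizeof buf, natt);
}

int main(void) {
  printf("parsed without marker handling: %d\n", sample_result(0));
  printf("parsed with marker handling:    %d\n", sample_result(1));
  return 0;
}
```

Without marker handling, the four bytes read as Length are actually the Message ID (value 1), which is smaller than the 28-byte header, so the check reports a bad length.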