I'm not entirely sure that's the case - the reason being that the default port 4500 
is used for both NAT traversal and encrypted dataplane traffic. The way to 
distinguish between those two is having SPI=0 in the case of NAT-T. For this there 
is a punt mechanism in VPP, which forwards 4500 IKE packets to the natt-node. Since 
this isn't happening, judging from your packet trace, I wonder if you maybe have the 
responder behind NAT? Such a case isn't supported.

Filip
________________________________
From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> on behalf of Benoit Ganne 
(bganne) via lists.fd.io <bganne=cisco....@lists.fd.io>
Sent: Friday, May 13, 2022 10:26 AM
To: Stanislav Zaikin <zsta...@gmail.com>; vpp-dev <vpp-dev@lists.fd.io>
Subject: Re: [vpp-dev] ikev2 and nat-t

Hmm, good catch, I wonder why we did not catch it - maybe the unit tests use 
only a non-standard port...
Can you try to patch it accordingly and, if it solves the issue, push it on 
gerrit for review?
If you can update the unit tests to reproduce the issue and verify that the fix 
fixes it, it would be ideal of course.

Best
Ben

> -----Original Message-----
> From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> On Behalf Of Stanislav
> Zaikin
> Sent: Thursday, May 12, 2022 18:11
> To: vpp-dev <vpp-dev@lists.fd.io>
> Subject: [vpp-dev] ikev2 and nat-t
>
> Hello folks,
>
> I have an issue with ikev2 and a host behind NAT. The IKE_AUTH packet goes
> to the ikev2-ip4 node instead of ikev2-ip4-natt, and it causes
> IKEV2_ERROR_BAD_LENGTH.
>
>
> I'm not an expert in IKE, but are the right nodes specified below?
>
>       udp_register_dst_port (vm, IKEV2_PORT, ikev2_node_ip4.index, 1);
>       udp_register_dst_port (vm, IKEV2_PORT, ikev2_node_ip6.index, 0);
>       udp_register_dst_port (vm, IKEV2_PORT_NATT, ikev2_node_ip4.index, 1);
>       udp_register_dst_port (vm, IKEV2_PORT_NATT, ikev2_node_ip6.index, 0);
>
> Shouldn't it be ikev2_node_ip4_natt instead of ikev2_node_ip4 for
> IKEV2_PORT_NATT?
>
> Errors:
>
>         12   ikev2-ip4   packets processed                  info
>          6   ikev2-ip4   Bad packet length                  error
>          6   ikev2-ip4   IKE EXCHANGE SA requests received  info
>
>
> The trace
> 06:19:16:980290: dpdk-input
>   GigabitEthernet5/0/0 rx queue 0
>   buffer 0x84923: current data 0, length 290, buffer-pool 0, ref-count 1, trace handle 0x1
>                   ext-hdr-valid
>   PKT MBUF: port 0, nb_segs 1, pkt_len 290
>     buf_len 2176, data_len 290, ol_flags 0x180, data_off 128, phys_addr 0x59124940
>     packet_type 0x211 l2_len 0 l3_len 0 outer_l2_len 0 outer_l3_len 0
>     rss 0x0 fdir.hi 0x0 fdir.lo 0x0
>     Packet Offload Flags
>       PKT_RX_IP_CKSUM_GOOD (0x0080) IP cksum of RX pkt. is valid
>       PKT_RX_IP_CKSUM_NONE (0x0090) no IP cksum of RX pkt.
>       PKT_RX_L4_CKSUM_GOOD (0x0100) L4 cksum of RX pkt. is valid
>       PKT_RX_L4_CKSUM_NONE (0x0108) no L4 cksum of RX pkt.
>     Packet Types
>       RTE_PTYPE_L2_ETHER (0x0001) Ethernet packet
>       RTE_PTYPE_L3_IPV4 (0x0010) IPv4 packet without extension headers
>       RTE_PTYPE_L4_UDP (0x0200) UDP packet
>   IP4: 10:0e:7e:bb:78:40 -> 38:ea:a7:37:59:90 802.1q vlan 1191
>   UDP: X.X.X.X -> Y.Y.Y.Y
>     tos 0x28, ttl 216, length 272, checksum 0xe170 dscp AF11 ecn NON_ECN
>     fragment id 0x0000
>   UDP: 23911 -> 4500
>     length 252, checksum 0x0000
> 06:19:16:980294: bond-input
>   src 10:0e:7e:bb:78:40, dst 38:ea:a7:37:59:90, GigabitEthernet5/0/0 -> BondEthernet10
> 06:19:16:980294: ethernet-input
>   IP4: 10:0e:7e:bb:78:40 -> 38:ea:a7:37:59:90 802.1q vlan 1191
> 06:19:16:980295: ip4-input
>   UDP: X.X.X.X -> Y.Y.Y.Y
>     tos 0x28, ttl 216, length 272, checksum 0xe170 dscp AF11 ecn NON_ECN
>     fragment id 0x0000
>   UDP: 23911 -> 4500
>     length 252, checksum 0x0000
> 06:19:16:980296: ip4-lookup
>   fib 0 dpo-idx 6 flow hash: 0x00000000
>   UDP: X.X.X.X -> Y.Y.Y.Y
>     tos 0x28, ttl 216, length 272, checksum 0xe170 dscp AF11 ecn NON_ECN
>     fragment id 0x0000
>   UDP: 23911 -> 4500
>     length 252, checksum 0x0000
> 06:19:16:980296: ip4-receive
>     UDP: X.X.X.X -> Y.Y.Y.Y
>       tos 0x28, ttl 216, length 272, checksum 0xe170 dscp AF11 ecn NON_ECN
>       fragment id 0x0000
>     UDP: 23911 -> 4500
>       length 252, checksum 0x0000
> 06:19:16:980297: ip4-udp-lookup
>   UDP: src-port 23911 dst-port 4500
> 06:19:16:980300: ikev2-ip4
>   ikev2: sw_if_index 10, next index 1
> 06:19:16:980301: error-drop
>   rx:BondEthernet10.1191
> 06:19:16:980301: drop
>   ip4-udp-lookup: none
>
> --
>
> Best regards
> Stanislav Zaikin
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#21410): https://lists.fd.io/g/vpp-dev/message/21410
Mute This Topic: https://lists.fd.io/mt/91061656/21656
Group Owner: vpp-dev+ow...@lists.fd.io
Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
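The port-4500 demultiplexing Filip describes (IKE vs. UDP-encapsulated ESP, told apart by the first four bytes), and the failure mode Stanislav saw when a NAT-T datagram reaches the plain IKE parser, as an added example. This is not code from the thread or from VPP's ikev2 plugin; the function names, the struct and the sample bytes are all made up for illustration, and the header layout follows RFC 3948 (non-ESP marker, keepalive) and RFC 7296 (28-byte IKEv2 header with the Length field at offset 24).

```c
/* Added example (not VPP source): UDP/500 vs UDP/4500 dispatch for IKEv2 with
 * NAT traversal per RFC 3948, IKEv2 header layout per RFC 7296. All names and
 * sample bytes are hypothetical, not the ikev2 plugin's own identifiers. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IKE_PORT            500
#define IKE_NATT_PORT       4500
#define IKE_HDR_LEN         28   /* fixed IKEv2 header: 8+8+1+1+1+1+4+4 bytes */
#define IKE_HDR_LENGTH_OFF  24   /* offset of the 32-bit Length field */
#define NON_ESP_MARKER_LEN  4    /* four zero bytes before IKE on port 4500 */

enum udp_payload_kind {
  KIND_IKE,            /* plain IKE on port 500 */
  KIND_NATT_IKE,       /* IKE on port 4500, zero marker stripped */
  KIND_NATT_ESP,       /* UDP-encapsulated ESP: first 4 bytes are a non-zero SPI */
  KIND_NATT_KEEPALIVE, /* single 0xFF byte, RFC 3948 section 2.3 */
  KIND_BAD_LENGTH,
  KIND_UNKNOWN_PORT
};

struct dispatch_result {
  enum udp_payload_kind kind;
  const uint8_t *ike;   /* start of the IKE header when kind is *_IKE */
  size_t ike_len;
  uint32_t spi;         /* ESP SPI when kind is KIND_NATT_ESP */
};

static uint32_t load_be32(const uint8_t *p) {
  return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
         ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}
static void store_be32(uint8_t *p, uint32_t v) {
  p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
  p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* On 4500 the first four bytes are the discriminator: all zero is the
 * "non-ESP marker" (an SPI of 0, which ESP never uses) and IKE follows;
 * anything else is the SPI of a UDP-encapsulated ESP packet. */
struct dispatch_result classify_udp_payload(uint16_t dst_port,
                                            const uint8_t *p, size_t len) {
  struct dispatch_result r = { KIND_UNKNOWN_PORT, NULL, 0, 0 };
  if (dst_port == IKE_PORT) {
    if (len < IKE_HDR_LEN) { r.kind = KIND_BAD_LENGTH; return r; }
    r.kind = KIND_IKE; r.ike = p; r.ike_len = len; return r;
  }
  if (dst_port != IKE_NATT_PORT) return r;
  if (len == 1 && p[0] == 0xff) { r.kind = KIND_NATT_KEEPALIVE; return r; }
  if (len < NON_ESP_MARKER_LEN) { r.kind = KIND_BAD_LENGTH; return r; }
  uint32_t first_word = load_be32(p);
  if (first_word != 0) { r.kind = KIND_NATT_ESP; r.spi = first_word; return r; }
  if (len - NON_ESP_MARKER_LEN < IKE_HDR_LEN) { r.kind = KIND_BAD_LENGTH; return r; }
  r.kind = KIND_NATT_IKE;
  r.ike = p + NON_ESP_MARKER_LEN;           /* strip the marker before IKE parsing */
  r.ike_len = len - NON_ESP_MARKER_LEN;
  return r;
}

/* An IKE header is consistent only if its Length field equals the number of
 * bytes actually received for it. Returns 1 if consistent, else 0. */
int ike_header_length_ok(const uint8_t *ike, size_t len) {
  if (len < IKE_HDR_LEN) return 0;
  return load_be32(ike + IKE_HDR_LENGTH_OFF) == (uint32_t)len;
}

/* Constructed sample (not a capture): zero marker + 28-byte IKE_SA_INIT header
 * + 4 payload bytes, Length = 32. Returns the datagram size, 0 if buf too small. */
size_t build_sample_natt_ike(uint8_t *buf, size_t cap) {
  const size_t ike_len = IKE_HDR_LEN + 4, total = NON_ESP_MARKER_LEN + ike_len;
  if (cap < total) return 0;
  memset(buf, 0, total);
  uint8_t *ike = buf + NON_ESP_MARKER_LEN;
  memset(ike, 0x11, 8);                     /* initiator SPI, arbitrary non-zero */
  ike[16] = 33; ike[17] = 0x20;             /* Next Payload: SA; version 2.0 */
  ike[18] = 34; ike[19] = 0x08;             /* IKE_SA_INIT; Initiator flag */
  store_be32(ike + IKE_HDR_LENGTH_OFF, (uint32_t)ike_len);
  return total;
}

/* Scenario 1: the 4500 datagram goes through the NAT-T aware path, the marker
 * is stripped and the IKE length check passes. Returns 1 on success. */
int demo_natt_path_accepts(void) {
  uint8_t buf[64];
  size_t n = build_sample_natt_ike(buf, sizeof buf);
  struct dispatch_result r = classify_udp_payload(IKE_NATT_PORT, buf, n);
  return r.kind == KIND_NATT_IKE && ike_header_length_ok(r.ike, r.ike_len);
}

/* Scenario 2: the same datagram is fed to the plain IKE parser without marker
 * stripping; the four zero bytes shift every field, so the Length check fails.
 * Returns 1 if the parser rejects it, which is the expected outcome. */
int demo_plain_path_rejects_natt(void) {
  uint8_t buf[64];
  size_t n = build_sample_natt_ike(buf, sizeof buf);
  return ike_header_length_ok(buf, n) == 0;
}

/* Scenario 3: ESP and keepalives on 4500 never reach the IKE parser. */
int demo_esp_and_keepalive(void) {
  const uint8_t esp[12] = { 0x00, 0x00, 0x10, 0x01,   /* SPI 0x1001 */
                            0x00, 0x00, 0x00, 0x01,   /* sequence number */
                            0xde, 0xad, 0xbe, 0xef }; /* constructed body */
  const uint8_t ka = 0xff;
  struct dispatch_result e = classify_udp_payload(IKE_NATT_PORT, esp, sizeof esp);
  struct dispatch_result k = classify_udp_payload(IKE_NATT_PORT, &ka, 1);
  return e.kind == KIND_NATT_ESP && e.spi == 0x1001u && k.kind == KIND_NATT_KEEPALIVE;
}
```

Scenario 2 is the point of the thread: a port-4500 IKE datagram is only parseable after the four-byte marker is removed, so whichever node receives UDP/4500 must do the SPI=0 check first. Scenario 3 shows why 4500 cannot simply be treated as "IKE on another port": ESP data and keepalives arrive on the same socket.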
