Hi Filip,
Hi Benoit,

The issue was in the linux-cp plugin (which punts IPsec to the host). But it
looks like there are reversed IP addresses in the IPsec SA. Could you please
review the patch[0]?
Also, I wanted to add a unit test, but I can't figure out how to test it with
the current test case logic. Any input would be appreciated.

[0] https://gerrit.fd.io/r/c/vpp/+/36157

On Fri, 13 May 2022 at 12:53, Filip Tehlar -X (ftehlar - PANTHEON TECH SRO
at Cisco) <fteh...@cisco.com> wrote:

> Hi Stanislav,
>
> punt-dispatch should be doing it; below is an example of packet trace from
> my test env:
>
> ...
> 00:00:11:655232: ip4-receive
>     UDP: 192.168.10.1 -> 10.0.0.2
>       tos 0x00, ttl 63, length 280, checksum 0xc2c9 dscp CS0 ecn NON_ECN
>       fragment id 0xa360, flags DONT_FRAGMENT
>     UDP: 4500 -> 4500
>       length 260, checksum 0x209f
> 00:00:11:655236: ip4-udp-lookup
>   UDP: src-port 4500 dst-port 4500
> 00:00:11:655243: ipsec4-tun-input
>   IPSec: remote:192.168.10.1 spi:0 (0x00000000) sa:218136463 tun:5 seq 4260287868 sa 1
> 00:00:11:655258: punt-dispatch
>   reason: [1] ipsec4-spi-o-udp-0 flags: ip4-packet
> 00:00:11:655268: ikev2-ip4-natt
>   ikev2: sw_if_index 5, next index 0
>
> Filip
>
> ------------------------------
> *From:* vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> on behalf of Stanislav
> Zaikin <zsta...@gmail.com>
> *Sent:* Friday, May 13, 2022 11:17 AM
> *To:* Filip Tehlar -X (ftehlar - PANTHEON TECH SRO at Cisco) <
> fteh...@cisco.com>
> *Cc:* vpp-dev <vpp-dev@lists.fd.io>; Benoit Ganne (bganne) <
> bga...@cisco.com>
> *Subject:* Re: [vpp-dev] ikev2 and nat-t
>
> Hi Filip,
>
> In my case the initiator is behind NAT while the responder has a public IP.
> What node should check for SPI=0? I also have LCP enabled on some
> interfaces, maybe it breaks the default punt behaviour.
>
> On Fri, 13 May 2022 at 10:54, Filip Tehlar -X (ftehlar - PANTHEON TECH SRO
> at Cisco) <fteh...@cisco.com> wrote:
>
> I'm not entirely sure that's the case - the reason being that the default port
> 4500 is used for both NAT traversal and encrypted dataplane traffic. The
> way to distinguish between those two is having SPI=0 in the case of NAT-T. For
> this there is a punt mechanism in vpp, which forwards 4500 IKE packets to the
> natt node. Since this isn't happening judging from your packet trace, I
> wonder if you maybe have the responder behind NAT? Such a case isn't supported.
>
> Filip
> ------------------------------
> *From:* vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> on behalf of Benoit
> Ganne (bganne) via lists.fd.io <bganne=cisco....@lists.fd.io>
> *Sent:* Friday, May 13, 2022 10:26 AM
> *To:* Stanislav Zaikin <zsta...@gmail.com>; vpp-dev <vpp-dev@lists.fd.io>
> *Subject:* Re: [vpp-dev] ikev2 and nat-t
>
> Hmm, good catch, I wonder why we did not catch it - maybe the unit tests
> use only a non-standard port...
> Can you try to patch it accordingly and, if it solves the issue, push it on
> gerrit for review?
> If you can update the unit tests to reproduce the issue and verify the fix
> fixes it, that would be ideal of course.
>
> Best
> Ben
>
> > -----Original Message-----
> > From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> On Behalf Of Stanislav
> > Zaikin
> > Sent: Thursday, May 12, 2022 18:11
> > To: vpp-dev <vpp-dev@lists.fd.io>
> > Subject: [vpp-dev] ikev2 and nat-t
> >
> > Hello folks,
> >
> > I have an issue with ikev2 and a host over NAT. The IKE_AUTH packet goes
> > to the ikev2-ip4 node instead of ikev2-ip4-natt and it causes
> > IKEV2_ERROR_BAD_LENGTH.
> >
> >
> > I'm not an expert in ike, but are there the right nodes specified below?
> >
> >       udp_register_dst_port (vm, IKEV2_PORT, ikev2_node_ip4.index, 1);
> >       udp_register_dst_port (vm, IKEV2_PORT, ikev2_node_ip6.index, 0);
> >       udp_register_dst_port (vm, IKEV2_PORT_NATT, ikev2_node_ip4.index, 1);
> >       udp_register_dst_port (vm, IKEV2_PORT_NATT, ikev2_node_ip6.index, 0);
> >
> > Shouldn't it be ikev2_node_ip4_natt instead of ikev2_node_ip4 for
> > IKEV2_PORT_NATT?
> >
> > Errors:
> >
> >   Count   Node        Reason                               Severity
> >      12   ikev2-ip4   packets processed                    info
> >       6   ikev2-ip4   Bad packet length                    error
> >       6   ikev2-ip4   IKE EXCHANGE SA requests received    info
> >
> >
> > The trace
> > 06:19:16:980290: dpdk-input
> >   GigabitEthernet5/0/0 rx queue 0
> >   buffer 0x84923: current data 0, length 290, buffer-pool 0, ref-count 1,
> > trace handle 0x1
> >                   ext-hdr-valid
> >   PKT MBUF: port 0, nb_segs 1, pkt_len 290
> >     buf_len 2176, data_len 290, ol_flags 0x180, data_off 128, phys_addr
> > 0x59124940
> >     packet_type 0x211 l2_len 0 l3_len 0 outer_l2_len 0 outer_l3_len 0
> >     rss 0x0 fdir.hi 0x0 fdir.lo 0x0
> >     Packet Offload Flags
> >       PKT_RX_IP_CKSUM_GOOD (0x0080) IP cksum of RX pkt. is valid
> >       PKT_RX_IP_CKSUM_NONE (0x0090) no IP cksum of RX pkt.
> >       PKT_RX_L4_CKSUM_GOOD (0x0100) L4 cksum of RX pkt. is valid
> >       PKT_RX_L4_CKSUM_NONE (0x0108) no L4 cksum of RX pkt.
> >     Packet Types
> >       RTE_PTYPE_L2_ETHER (0x0001) Ethernet packet
> >       RTE_PTYPE_L3_IPV4 (0x0010) IPv4 packet without extension headers
> >       RTE_PTYPE_L4_UDP (0x0200) UDP packet
> >   IP4: 10:0e:7e:bb:78:40 -> 38:ea:a7:37:59:90 802.1q vlan 1191
> >   UDP: X.X.X.X -> Y.Y.Y.Y
> >     tos 0x28, ttl 216, length 272, checksum 0xe170 dscp AF11 ecn NON_ECN
> >     fragment id 0x0000
> >   UDP: 23911 -> 4500
> >     length 252, checksum 0x0000
> > 06:19:16:980294: bond-input
> >   src 10:0e:7e:bb:78:40, dst 38:ea:a7:37:59:90, GigabitEthernet5/0/0 ->
> > BondEthernet10
> > 06:19:16:980294: ethernet-input
> >   IP4: 10:0e:7e:bb:78:40 -> 38:ea:a7:37:59:90 802.1q vlan 1191
> > 06:19:16:980295: ip4-input
> >   UDP: X.X.X.X -> Y.Y.Y.Y
> >     tos 0x28, ttl 216, length 272, checksum 0xe170 dscp AF11 ecn NON_ECN
> >     fragment id 0x0000
> >   UDP: 23911 -> 4500
> >     length 252, checksum 0x0000
> > 06:19:16:980296: ip4-lookup
> >   fib 0 dpo-idx 6 flow hash: 0x00000000
> >   UDP: X.X.X.X -> Y.Y.Y.Y
> >     tos 0x28, ttl 216, length 272, checksum 0xe170 dscp AF11 ecn NON_ECN
> >     fragment id 0x0000
> >   UDP: 23911 -> 4500
> >     length 252, checksum 0x0000
> > 06:19:16:980296: ip4-receive
> >     UDP: X.X.X.X -> Y.Y.Y.Y
> >       tos 0x28, ttl 216, length 272, checksum 0xe170 dscp AF11 ecn NON_ECN
> >       fragment id 0x0000
> >     UDP: 23911 -> 4500
> >       length 252, checksum 0x0000
> > 06:19:16:980297: ip4-udp-lookup
> >   UDP: src-port 23911 dst-port 4500
> > 06:19:16:980300: ikev2-ip4
> >   ikev2: sw_if_index 10, next index 1
> > 06:19:16:980301: error-drop
> >   rx:BondEthernet10.1191
> > 06:19:16:980301: drop
> >   ip4-udp-lookup: none
> >
> > --
> >
> > Best regards
> > Stanislav Zaikin
>
>
>
> --
> Best regards
> Stanislav Zaikin
>


-- 
Best regards
Stanislav Zaikin
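The distinction Filip describes (port 4500 carrying both IKE NAT-T and UDP-encapsulated ESP, told apart by the 4-byte zero "non-ESP marker", i.e. SPI=0) and the Bad packet length symptom from the original report, as an added example that is not VPP code or anything from this thread. Function names, the enum and the sample packets are all constructed for illustration; the framing follows RFC 3948 and the 28-byte IKEv2 header follows RFC 7296.

```c
#include <stddef.h>
#include <stdint.h>
/* How a UDP/4500 payload is told apart (RFC 3948 framing). Added example, not VPP code. */
typedef enum {
  U4500_TOO_SHORT = 0,  /* under 4 bytes and not a keepalive */
  U4500_NAT_KEEPALIVE,  /* single 0xFF byte (RFC 3948, section 2.3) */
  U4500_IKE,            /* 4-byte zero non-ESP marker, IKE header follows (RFC 3948, section 2.2) */
  U4500_ESP             /* otherwise UDP-encapsulated ESP; first word is the SPI, never 0 */
} u4500_kind_t;

static uint32_t rd32(const uint8_t *p)
{
  return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Classify the payload; for ESP, the SPI is returned through *spi (host order). */
u4500_kind_t u4500_classify(const uint8_t *p, size_t len, uint32_t *spi)
{
  if (len == 1 && p[0] == 0xFF)
    return U4500_NAT_KEEPALIVE;
  if (len < 4)
    return U4500_TOO_SHORT;
  uint32_t w = rd32(p);
  if (w == 0)
    return U4500_IKE;      /* the SPI=0 case that the punt path keys on */
  if (spi)
    *spi = w;
  return U4500_ESP;
}

/* Does the IKEv2 header Length field (bytes 24..27 of the 28-byte header, RFC 7296)
 * read at offset 'off' match the bytes actually present? Parsing a NAT-T packet
 * at off=0 instead of off=4 treats the marker as part of the header, so it fails. */
int u4500_ike_length_ok(const uint8_t *p, size_t len, size_t off)
{
  if (len < off + 28)
    return 0;
  return rd32(p + off + 24) == (uint32_t)(len - off);
}

/* Constructed samples: marker + payload-less IKE_SA_INIT header, ESP start, keepalive. */
const uint8_t SAMPLE_IKE[32] = {
  0, 0, 0, 0,                                   /* non-ESP marker */
  0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, /* IKE SPIi */
  0, 0, 0, 0, 0, 0, 0, 0,                       /* IKE SPIr (zero in the initial request) */
  0x21, 0x20, 0x22, 0x08,                       /* next payload SA, version 2.0, IKE_SA_INIT, Initiator flag */
  0, 0, 0, 0,                                   /* message id */
  0, 0, 0, 28 };                                /* length = 28 */
const uint8_t SAMPLE_ESP[12] = { 0x12, 0x34, 0x56, 0x78, 0, 0, 0, 1, 0xde, 0xad, 0xbe, 0xef };
const uint8_t SAMPLE_KEEPALIVE[1] = { 0xFF };
```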