Hi Team,

I am new to VPP. I am trying to bring up an IPSec session between 2 VPP instances using the IKEv2 plugin. I followed this link: https://wiki.fd.io/view/VPP/IPSec_and_IKEv2

After doing all the configuration and executing "ikev2 initiate sa-init pr1", I am guessing that child SA is not getting installed properly on the Initiator side. (And ipip0 tunnel interface is not getting created.)

Following is the topology:

vpp-responder (fpeth0) (192.168.4.1) ---------------------- (192.168.4.2) (fpeth0) vpp-initiator

Following are Initiator side logs:

#######################################
Initiator side logs :
#######################################

vpp# sh version
vpp v22.06-rc0~419-g3bad8b62d built by root on 621e087e9003 at 2022-08-23T09:42:28
vpp#
vpp#
vpp# ikev2 profile add pr1
vpp# ikev2 profile set pr1 auth shared-key-mic string Vpp123
vpp# ikev2 profile set pr1 id local fqdn roadwarrior.vpn.example.com
vpp# ikev2 profile set pr1 id remote fqdn vpp.home
vpp# ikev2 profile set pr1 traffic-selector local ip-range 192.168.5.0 - 192.168.5.255 port-range 0 - 65535 protocol 0
vpp# ikev2 profile set pr1 traffic-selector remote ip-range 192.168.3.0 - 192.168.3.255 port-range 0 - 65535 protocol 0
vpp#
vpp#
vpp# ikev2 profile set pr1 responder fpeth0 192.168.4.1
vpp# ikev2 profile set pr1 ike-crypto-alg aes-cbc 256 ike-integ-alg sha1-96 ike-dh modp-2048
vpp# ikev2 profile set pr1 esp-crypto-alg aes-cbc 256
vpp# ikev2 profile set pr1 sa-lifetime 3600 10 5 0
vpp#
vpp#
vpp#
vpp# ikev2 initiate sa-init pr1
vpp#
vpp# sh ikev2 sa
iip 192.168.4.2 ispi e59b30749fdb90e9 rip 192.168.4.1 rspi 23083f242006bd44
vpp#
vpp# sh ikev2 sa details
iip 192.168.4.2 ispi e59b30749fdb90e9 rip 192.168.4.1 rspi 23083f242006bd44
 encr:aes-cbc-256 prf:hmac-sha2-256 integ:sha1-96 dh-group:modp-2048
  nonce i:b0f1ff98f782298f24adacd8f44bb239bab2715c94d11e64e5e10dc448749701
        r:556eb695f2d950b9a96b76a5f159063f8e9af37834bfd2a0f0dce85f81b47a4b
  SK_d    5834ae92d682b541a517062cf92e85fd34c1400732c1269eedb8e097db335fae
  SK_a  i:3b13c1603645860190751759274be0d04f036403
        r:9d30918c5fde614ec883cc1a889b549733deac04
  SK_e  i:d4323c469246648d98b3b4432d4e4f4c64cd9e94f434c3af24d5af71c455ed6c
        r:75717e36023e71401916f2e3d2a6a7bc21d6a9410c8548058f268036498dd5c1
  SK_p  i:bdda78f8c65cd043a102864c26ee0ad7db4af6a602c7c38e4e0a51be75169ebf
        r:e1e88dbd92d97eee689433d2d33a926c398082b229d0d8e1d21f2662cf649056
  identifier (i) id-type fqdn data roadwarrior.vpn.example.com
  identifier (r) id-type fqdn data vpp.home
   child sa 0:
    spi(i) 858968d7 *spi(r) 0*
    SK_e  i:
          r:
    traffic selectors (i):0 type 7 protocol_id 0 addr 192.168.5.0 - 192.168.5.255 port 0 - 65535
    traffic selectors (r):0 type 7 protocol_id 0 addr 192.168.3.0 - 192.168.3.255 port 0 - 65535
 Stats:
  keepalives :0
  rekey :0
  SA init :0 (retransmit: 0)
  retransmit: 0
  SA auth :0
vpp#

###########################################
Responder side logs :
###########################################

vpp# sh version
vpp v22.06-rc0~419-g3bad8b62d built by root on 621e087e9003 at 2022-08-23T09:42:28
vpp#
vpp# sh interface fpeth0 addr
fpeth0 (up):
  L3 192.168.4.1/24
vpp# ping 192.168.4.2
116 bytes from 192.168.4.2: icmp_seq=2 ttl=64 time=.1323 ms
116 bytes from 192.168.4.2: icmp_seq=3 ttl=64 time=.0256 ms
116 bytes from 192.168.4.2: icmp_seq=4 ttl=64 time=.0228 ms
116 bytes from 192.168.4.2: icmp_seq=5 ttl=64 time=.0259 ms

Statistics: 5 sent, 4 received, 20% packet loss
vpp#
vpp# ikev2 profile add pr1
vpp# ikev2 profile set pr1 auth shared-key-mic string Vpp123
vpp# ikev2 profile set pr1 id local fqdn vpp.home
vpp# ikev2 profile set pr1 id remote fqdn roadwarrior.vpn.example.com
vpp# ikev2 profile set pr1 traffic-selector remote ip-range 192.168.5.0 - 192.168.5.255 port-range 0 - 65535 protocol 0
vpp# ikev2 profile set pr1 traffic-selector local ip-range 192.168.3.0 - 192.168.3.255 port-range 0 - 65535 protocol 0
vpp#
vpp#
vpp# sh ikev2 sa details
iip 192.168.4.2 ispi e59b30749fdb90e9 rip 192.168.4.1 rspi 23083f242006bd44
 encr:aes-cbc-256 prf:hmac-sha2-256 integ:sha1-96 dh-group:modp-2048
  nonce i:b0f1ff98f782298f24adacd8f44bb239bab2715c94d11e64e5e10dc448749701
        r:556eb695f2d950b9a96b76a5f159063f8e9af37834bfd2a0f0dce85f81b47a4b
  SK_d    5834ae92d682b541a517062cf92e85fd34c1400732c1269eedb8e097db335fae
  SK_a  i:3b13c1603645860190751759274be0d04f036403
        r:9d30918c5fde614ec883cc1a889b549733deac04
  SK_e  i:d4323c469246648d98b3b4432d4e4f4c64cd9e94f434c3af24d5af71c455ed6c
        r:75717e36023e71401916f2e3d2a6a7bc21d6a9410c8548058f268036498dd5c1
  SK_p  i:bdda78f8c65cd043a102864c26ee0ad7db4af6a602c7c38e4e0a51be75169ebf
        r:e1e88dbd92d97eee689433d2d33a926c398082b229d0d8e1d21f2662cf649056
  identifier (i) id-type fqdn data roadwarrior.vpn.example.com
  identifier (r) id-type fqdn data vpp.home
   child sa 0:encr:aes-cbc-256 esn:yes
    spi(i) 858968d7 spi(r) ded8f883
    SK_e  i:
          r:
    traffic selectors (i):0 type 7 protocol_id 0 addr 192.168.5.0 - 192.168.5.255 port 0 - 65535
    traffic selectors (r):0 type 7 protocol_id 0 addr 192.168.3.0 - 192.168.3.255 port 0 - 65535
 Stats:
  keepalives :0
  rekey :0
  SA init :1 (retransmit: 0)
  retransmit: 0
  SA auth :1
vpp#

########################
Plugins used in vpp.conf
########################

plugins {
  plugin default { disable }
  plugin dpdk_plugin.so { enable }
  plugin ping_plugin.so { enable }
  plugin memif_plugin.so { enable }
  plugin linux_cp_plugin.so {enable}
  plugin linux_nl_plugin.so {enable}
  plugin ikev2_plugin.so {enable}
}

Can anyone please help with what I am missing here? Let me know if you need any more logs/debugs.

Thanks
Nilesh Inamdar
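
Added example, not part of the original message and not VPP project code: a small Python check that compares the child-SA section of "sh ikev2 sa details" captured on both peers and reports an SA that only one side finished negotiating. The field names (child sa, encr, spi(i), spi(r)) are taken from the output in the post; the function names and the shortened sample excerpts are assumptions made for illustration.

```python
import re

# Constructed excerpts: the child-SA part of the two "sh ikev2 sa details"
# outputs in the post, with the key material left out.
INITIATOR = """identifier (r) id-type fqdn data vpp.home
 child sa 0: spi(i) 858968d7 *spi(r) 0* SK_e i: r:
 traffic selectors (i):0 type 7 protocol_id 0 addr 192.168.5.0 - 192.168.5.255
 Stats: keepalives :0 rekey :0 SA init :0 (retransmit: 0) SA auth :0"""
RESPONDER = """identifier (r) id-type fqdn data vpp.home
 child sa 0:encr:aes-cbc-256 esn:yes spi(i) 858968d7 spi(r) ded8f883 SK_e i: r:
 traffic selectors (i):0 type 7 protocol_id 0 addr 192.168.5.0 - 192.168.5.255
 Stats: keepalives :0 rekey :0 SA init :1 (retransmit: 0) SA auth :1"""

CHILD = re.compile(r"child sa (\d+):(.*?)(?=child sa \d+:|Stats:|\Z)", re.S)

def parse_child_sas(text):
    """Map child-SA index -> {'encr', 'spi_i', 'spi_r'}, ignoring line layout."""
    sas = {}
    for m in CHILD.finditer(text.replace("*", "")):  # drop mail emphasis marks
        body = m.group(2)
        def field(pattern):
            hit = re.search(pattern, body)
            return hit.group(1) if hit else None
        spi = lambda side: int(field(rf"spi\({side}\)\s+([0-9a-fA-F]+)") or "0", 16)
        sas[int(m.group(1))] = {"encr": field(r"encr:(\S+)"),
                                "spi_i": spi("i"), "spi_r": spi("r")}
    return sas

def compare_sides(initiator_text, responder_text):
    """Return findings that show a child SA negotiated on one peer only."""
    ini, rsp = parse_child_sas(initiator_text), parse_child_sas(responder_text)
    findings = []
    for idx in sorted(set(ini) | set(rsp)):
        for name, sas in (("initiator", ini), ("responder", rsp)):
            sa = sas.get(idx)
            if sa is None:
                findings.append(f"child sa {idx}: missing on {name}")
                continue
            if sa["encr"] is None:
                findings.append(f"child sa {idx}: no ESP transform on {name}")
            for side in ("i", "r"):
                if sa[f"spi_{side}"] == 0:
                    findings.append(f"child sa {idx}: spi({side}) is 0 on {name}")
        if idx in ini and idx in rsp and ini[idx] != rsp[idx]:
            findings.append(f"child sa {idx}: peers disagree")
    return findings

if __name__ == "__main__":
    print("\n".join(compare_sides(INITIATOR, RESPONDER)))
```

An empty result means both peers report the same ESP transform and non-zero SPIs for every child SA; any finding points at the side whose CREATE_CHILD/IKE_AUTH result was not installed.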