Did you make sure the algorithms (for both encryption and authentication)
used for initiator and responder match? It looks like you didn't configure
the algorithms for either IKE SA or IPsec SA on the responder; I don't know if
the default setting will work.
If you are unsure about it either, I'd suggest you specify the parameters
explicitly like:

# ikev2 profile set pr1 ike-crypto-alg aes-cbc 256 ike-integ-alg hmac-sha2-256-128 ike-dh modp-2048
# ikev2 profile set pr1 esp-crypto-alg aes-cbc 256 esp-integ-alg hmac-sha2-256-128

Shelton

On Thu, Aug 25, 2022 at 10:13 AM Nilesh Inamdar <nileshinamdar1...@gmail.com>
wrote:

> Hi Team,
>
> I am new to VPP. I am trying to bring up IPSec session between 2 VPP using
> IKEv2 plugin.
> I followed this link: https://wiki.fd.io/view/VPP/IPSec_and_IKEv2
>
> After doing all the configuration and executing "ikev2 initiate sa-init
> pr1",
> I am guessing that child SA is not getting installed properly on the
> Initiator side. (And ipip0 tunnel interface is not getting created.)
>
> Following is the topology:
> vpp-responder (fpeth0) (192.168.4.1) ---------------------- (192.168.4.2)
> (fpeth0)vpp-initiator
>
> Following are Initiator side logs:
>
> #######################################
> Initiator side logs :
> #######################################
> vpp# sh version
> vpp v22.06-rc0~419-g3bad8b62d built by root on 621e087e9003 at
> 2022-08-23T09:42:28
> vpp#
> vpp#
> vpp# ikev2 profile add pr1
> vpp# ikev2 profile set pr1 auth shared-key-mic string Vpp123
> vpp# ikev2 profile set pr1 id local fqdn roadwarrior.vpn.example.com
> vpp# ikev2 profile set pr1 id remote fqdn vpp.home
> vpp# ikev2 profile set pr1 traffic-selector local ip-range 192.168.5.0 -
> 192.168.5.255 port-range 0 - 65535 protocol 0
> vpp# ikev2 profile set pr1 traffic-selector remote ip-range 192.168.3.0 -
> 192.168.3.255 port-range 0 - 65535 protocol 0
> vpp#
> vpp#
> vpp# ikev2 profile set pr1 responder fpeth0 192.168.4.1
> vpp# ikev2 profile set pr1 ike-crypto-alg aes-cbc 256  ike-integ-alg
> sha1-96  ike-dh modp-2048
> vpp# ikev2 profile set pr1 esp-crypto-alg aes-cbc 256
> vpp# ikev2 profile set pr1 sa-lifetime 3600 10 5 0
> vpp#
> vpp#
> vpp#
> vpp# ikev2 initiate sa-init pr1
> vpp#
> vpp# sh ikev2 sa
> iip 192.168.4.2 ispi e59b30749fdb90e9 rip 192.168.4.1 rspi 23083f242006bd44
> vpp#
> vpp# sh ikev2 sa details
> iip 192.168.4.2 ispi e59b30749fdb90e9 rip 192.168.4.1 rspi 23083f242006bd44
>  encr:aes-cbc-256 prf:hmac-sha2-256 integ:sha1-96 dh-group:modp-2048
>  nonce i:b0f1ff98f782298f24adacd8f44bb239bab2715c94d11e64e5e10dc448749701
>        r:556eb695f2d950b9a96b76a5f159063f8e9af37834bfd2a0f0dce85f81b47a4b
>  SK_d    5834ae92d682b541a517062cf92e85fd34c1400732c1269eedb8e097db335fae
>  SK_a  i:3b13c1603645860190751759274be0d04f036403
>        r:9d30918c5fde614ec883cc1a889b549733deac04
>  SK_e  i:d4323c469246648d98b3b4432d4e4f4c64cd9e94f434c3af24d5af71c455ed6c
>        r:75717e36023e71401916f2e3d2a6a7bc21d6a9410c8548058f268036498dd5c1
>  SK_p  i:bdda78f8c65cd043a102864c26ee0ad7db4af6a602c7c38e4e0a51be75169ebf
>        r:e1e88dbd92d97eee689433d2d33a926c398082b229d0d8e1d21f2662cf649056
>  identifier (i) id-type fqdn data roadwarrior.vpn.example.com
>  identifier (r) id-type fqdn data vpp.home
>    child sa 0:
>     spi(i) 858968d7 *spi(r) 0*
>     SK_e  i:
>           r:
>     traffic selectors (i):0 type 7 protocol_id 0 addr 192.168.5.0 -
> 192.168.5.255 port 0 - 65535
>     traffic selectors (r):0 type 7 protocol_id 0 addr 192.168.3.0 -
> 192.168.3.255 port 0 - 65535
> Stats:
>  keepalives :0
>  rekey :0
>  SA init :0 (retransmit: 0)
>  retransmit: 0
>  SA auth :0
>
> vpp#
>
>
> ###########################################
> Responder side logs :
> ###########################################
> vpp# sh version
> vpp v22.06-rc0~419-g3bad8b62d built by root on 621e087e9003 at
> 2022-08-23T09:42:28
> vpp#
> vpp# sh interface fpeth0 addr
> fpeth0 (up):
>   L3 192.168.4.1/24
> vpp# ping 192.168.4.2
> 116 bytes from 192.168.4.2: icmp_seq=2 ttl=64 time=.1323 ms
> 116 bytes from 192.168.4.2: icmp_seq=3 ttl=64 time=.0256 ms
> 116 bytes from 192.168.4.2: icmp_seq=4 ttl=64 time=.0228 ms
> 116 bytes from 192.168.4.2: icmp_seq=5 ttl=64 time=.0259 ms
>
> Statistics: 5 sent, 4 received, 20% packet loss
> vpp#
> vpp# ikev2 profile add pr1
> vpp# ikev2 profile set pr1 auth shared-key-mic string Vpp123
> vpp# ikev2 profile set pr1 id local fqdn vpp.home
> vpp# ikev2 profile set pr1 id remote fqdn roadwarrior.vpn.example.com
> vpp# ikev2 profile set pr1 traffic-selector remote ip-range 192.168.5.0 -
> 192.168.5.255 port-range 0 - 65535 protocol 0
> vpp# ikev2 profile set pr1 traffic-selector local ip-range 192.168.3.0 -
> 192.168.3.255 port-range 0 - 65535 protocol 0
> vpp#
> vpp#
> vpp# sh ikev2 sa details
> iip 192.168.4.2 ispi e59b30749fdb90e9 rip 192.168.4.1 rspi 23083f242006bd44
>  encr:aes-cbc-256 prf:hmac-sha2-256 integ:sha1-96 dh-group:modp-2048
>  nonce i:b0f1ff98f782298f24adacd8f44bb239bab2715c94d11e64e5e10dc448749701
>        r:556eb695f2d950b9a96b76a5f159063f8e9af37834bfd2a0f0dce85f81b47a4b
>  SK_d    5834ae92d682b541a517062cf92e85fd34c1400732c1269eedb8e097db335fae
>  SK_a  i:3b13c1603645860190751759274be0d04f036403
>        r:9d30918c5fde614ec883cc1a889b549733deac04
>  SK_e  i:d4323c469246648d98b3b4432d4e4f4c64cd9e94f434c3af24d5af71c455ed6c
>        r:75717e36023e71401916f2e3d2a6a7bc21d6a9410c8548058f268036498dd5c1
>  SK_p  i:bdda78f8c65cd043a102864c26ee0ad7db4af6a602c7c38e4e0a51be75169ebf
>        r:e1e88dbd92d97eee689433d2d33a926c398082b229d0d8e1d21f2662cf649056
>  identifier (i) id-type fqdn data roadwarrior.vpn.example.com
>  identifier (r) id-type fqdn data vpp.home
>    child sa 0:encr:aes-cbc-256  esn:yes
>     spi(i) 858968d7 spi(r) ded8f883
>     SK_e  i:
>           r:
>     traffic selectors (i):0 type 7 protocol_id 0 addr 192.168.5.0 -
> 192.168.5.255 port 0 - 65535
>     traffic selectors (r):0 type 7 protocol_id 0 addr 192.168.3.0 -
> 192.168.3.255 port 0 - 65535
> Stats:
>  keepalives :0
>  rekey :0
>  SA init :1 (retransmit: 0)
>  retransmit: 0
>  SA auth :1
>
> vpp#
>
>
> ########################
> Plugins used in vpp.conf
> ########################
> plugins {
>     plugin default { disable }
>     plugin dpdk_plugin.so  { enable }
>     plugin ping_plugin.so  { enable }
>     plugin memif_plugin.so  { enable }
>     plugin linux_cp_plugin.so {enable}
>     plugin linux_nl_plugin.so {enable}
>     plugin ikev2_plugin.so {enable}
> }
>
> Can anyone please help with what I am missing here?
> Let me know if you need any more logs/debugs.
>
> Thanks
> Nilesh Inamdar
>
>
> 
>
>
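Added example, not part of the original thread and not VPP code: a Python check of the point raised in the reply, listing which algorithm settings appear in only one peer's `ikev2 profile set` lines and flagging a child SA whose SPI is zero. The profile lines are copied from the two sessions quoted above (mail line wraps joined); the helper names are hypothetical, and reading a zero SPI as an incomplete child SA is an assumption.

```python
import re

# Profile lines copied from the quoted CLI sessions (wrapped lines joined).
INITIATOR = """\
vpp# ikev2 profile set pr1 ike-crypto-alg aes-cbc 256  ike-integ-alg sha1-96  ike-dh modp-2048
vpp# ikev2 profile set pr1 esp-crypto-alg aes-cbc 256
"""
RESPONDER = """\
vpp# ikev2 profile set pr1 id local fqdn vpp.home
"""
ALG_KEYS = ("ike-crypto-alg", "ike-integ-alg", "ike-dh",
            "esp-crypto-alg", "esp-integ-alg")

def parse_algs(cli_text, profile):
    """Collect the algorithm settings given for one profile in a CLI transcript."""
    algs = {}
    for line in cli_text.splitlines():
        tokens = line.replace("vpp#", " ").split()
        if tokens[:4] != ["ikev2", "profile", "set", profile]:
            continue
        key = None
        for tok in tokens[4:]:
            if tok in ALG_KEYS:          # start of a new setting
                key = tok
                algs[key] = []
            elif key:                    # argument of the current setting
                algs[key].append(tok)
    return {k: " ".join(v) for k, v in algs.items()}

def compare(initiator, responder):
    """Return (setting, finding) pairs for every setting that is not explicit and equal."""
    findings = []
    for key in ALG_KEYS:
        i, r = initiator.get(key), responder.get(key)
        if i is None and r is None:
            findings.append((key, "left at default on both sides"))
        elif i is None or r is None:
            side = "initiator" if i is None else "responder"
            findings.append((key, f"not set on {side} (peer: {i or r})"))
        elif i != r:
            findings.append((key, f"mismatch: {i} vs {r}"))
    return findings

def child_sa_incomplete(details):
    """True if a child SA line in 'sh ikev2 sa details' output shows a zero SPI."""
    spis = re.findall(r"spi\(i\)\s+([0-9a-f]+)\s+\*?spi\(r\)\s+([0-9a-f]+)", details)
    return any(int(i, 16) == 0 or int(r, 16) == 0 for i, r in spis)

if __name__ == "__main__":
    for setting, finding in compare(parse_algs(INITIATOR, "pr1"), parse_algs(RESPONDER, "pr1")):
        print(f"{setting}: {finding}")
```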
View/Reply Online (#21823): https://lists.fd.io/g/vpp-dev/message/21823