Hi Shelton,

Thanks for looking into it. I tried configuring algorithms on the Responder side as well, but I'm still getting the same issue.

Following are the new logs after configuring algorithms on the Responder side.

#################################################
Initiator logs
#################################################

vpp# sh version
vpp v22.06-rc0~419-g3bad8b62d built by root on 621e087e9003 at 2022-08-23T09:42:28
vpp#
vpp# sh ikev2 sa details
 iip 192.168.4.2 ispi fcc61beef0453f0b rip 192.168.4.1 rspi 9e829dfd7459e1e2
 encr:aes-cbc-256 prf:hmac-sha2-256 integ:hmac-sha2-256-128 dh-group:modp-2048
 nonce i:c27f0db96d146a3341234e44175b5c22bd99003568445b5ab1efc0ae7a9d1cad
       r:8fda6a237bad68f5634bc726af060a1de519917f4697b52dd8b436ade609d3b3
 SK_d 955729e2b56f7bcd1ea6fc90dc9a3578000e64383f77d1c427155b8bd10f63ec
 SK_a i:213fc1a783dfa9676d67f574c33269506524629158b19f710223bf1235266050
      r:dc5bcc89e2db45c75e3384db276af9fb92b56f408aceebcdb47e07f8e6ee0211
 SK_e i:be8e5d171d0259bfc1a0256a38ec8583bfcfc23a16c60eae9ac7ff8bcf6df459
      r:c59a59b1f07e6d4342585d2906f990253fcb6ba8ae75b399c29568a64620a91d
 SK_p i:7c215210e7e405345d73341c8049b55227d49a1ecf1dbd77967f61e5c3565936
      r:55776381aa80c244ce4e80e00479ce9142db34ec7abed697f1109c24bf66e457
 identifier (i) id-type fqdn data roadwarrior.vpn.example.com
 identifier (r) id-type fqdn data vpp.home
 child sa 0:
  spi(i) 92d8eaad spi(r) 0
  SK_e i:
       r:
  traffic selectors (i):0 type 7 protocol_id 0 addr 192.168.5.0 - 192.168.5.255 port 0 - 65535
  traffic selectors (r):0 type 7 protocol_id 0 addr 192.168.3.0 - 192.168.3.255 port 0 - 65535
 Stats:
  keepalives :0
  rekey :0
  SA init :0 (retransmit: 0)
  retransmit: 0
  SA auth :0
vpp#
vpp# sh ikev2 profile
profile pr1
  auth-method shared-key-mic auth data Vpp123
  local id-type fqdn data roadwarrior.vpn.example.com
  remote id-type fqdn data vpp.home
  local traffic-selector addr 192.168.5.0 - 192.168.5.255 port 0 - 65535 protocol 0
  remote traffic-selector addr 192.168.3.0 - 192.168.3.255 port 0 - 65535 protocol 0
  responder fpeth0 192.168.4.1
  ike-crypto-alg aes-cbc 256 ike-integ-alg hmac-sha2-256-128 ike-dh modp-2048
  esp-crypto-alg aes-cbc 256 esp-integ-alg none
  lifetime 3600 jitter 10 handover 5 maxdata 0
vpp#
vpp# sh interface fpeth0
              Name               Idx    State  MTU (L3/IP4/IP6/MPLS)     Counter          Count
fpeth0                            1      up          9000/0/0/0     rx packets                     7
                                                                    rx bytes                    1208
                                                                    tx packets                     7
                                                                    tx bytes                    1270
                                                                    drops                          3
                                                                    ip4                            6
vpp#

#################################################
Responder logs
#################################################

vpp# set interface state fpeth0 up
vpp# set interface ip address fpeth0 192.168.4.1/24
vpp#
vpp# ikev2 profile add pr1
vpp# ikev2 profile set pr1 auth shared-key-mic string Vpp123
vpp# ikev2 profile set pr1 id local fqdn vpp.home
vpp# ikev2 profile set pr1 id remote fqdn roadwarrior.vpn.example.com
vpp# ikev2 profile set pr1 traffic-selector remote ip-range 192.168.5.0 - 192.168.5.255 port-range 0 - 65535 protocol 0
vpp# ikev2 profile set pr1 traffic-selector local ip-range 192.168.3.0 - 192.168.3.255 port-range 0 - 65535 protocol 0
vpp#
vpp# ikev2 profile set pr1 ike-crypto-alg aes-cbc 256 ike-integ-alg hmac-sha2-256-128 ike-dh modp-2048
vpp# ikev2 profile set pr1 esp-crypto-alg aes-cbc 256
vpp# ikev2 profile set pr1 sa-lifetime 3600 10 5 0
vpp#
vpp# sh ikev2 sa
 iip 192.168.4.2 ispi fcc61beef0453f0b rip 192.168.4.1 rspi 9e829dfd7459e1e2
vpp# sh ikev2 sa details
 iip 192.168.4.2 ispi fcc61beef0453f0b rip 192.168.4.1 rspi 9e829dfd7459e1e2
 encr:aes-cbc-256 prf:hmac-sha2-256 integ:hmac-sha2-256-128 dh-group:modp-2048
 nonce i:c27f0db96d146a3341234e44175b5c22bd99003568445b5ab1efc0ae7a9d1cad
       r:8fda6a237bad68f5634bc726af060a1de519917f4697b52dd8b436ade609d3b3
 SK_d 955729e2b56f7bcd1ea6fc90dc9a3578000e64383f77d1c427155b8bd10f63ec
 SK_a i:213fc1a783dfa9676d67f574c33269506524629158b19f710223bf1235266050
      r:dc5bcc89e2db45c75e3384db276af9fb92b56f408aceebcdb47e07f8e6ee0211
 SK_e i:be8e5d171d0259bfc1a0256a38ec8583bfcfc23a16c60eae9ac7ff8bcf6df459
      r:c59a59b1f07e6d4342585d2906f990253fcb6ba8ae75b399c29568a64620a91d
 SK_p i:7c215210e7e405345d73341c8049b55227d49a1ecf1dbd77967f61e5c3565936
      r:55776381aa80c244ce4e80e00479ce9142db34ec7abed697f1109c24bf66e457
 identifier (i) id-type fqdn data roadwarrior.vpn.example.com
 identifier (r) id-type fqdn data vpp.home
 child sa 0:encr:aes-cbc-256 esn:yes
  spi(i) 92d8eaad spi(r) dc01af31
  SK_e i:
       r:
  traffic selectors (i):0 type 7 protocol_id 0 addr 192.168.5.0 - 192.168.5.255 port 0 - 65535
  traffic selectors (r):0 type 7 protocol_id 0 addr 192.168.3.0 - 192.168.3.255 port 0 - 65535
 Stats:
  keepalives :0
  rekey :0
  SA init :1 (retransmit: 0)
  retransmit: 0
  SA auth :1
vpp#
vpp# sh ikev2 profile
profile pr1
  auth-method shared-key-mic auth data Vpp123
  local id-type fqdn data vpp.home
  remote id-type fqdn data roadwarrior.vpn.example.com
  local traffic-selector addr 192.168.3.0 - 192.168.3.255 port 0 - 65535 protocol 0
  remote traffic-selector addr 192.168.5.0 - 192.168.5.255 port 0 - 65535 protocol 0
  ike-crypto-alg aes-cbc 256 ike-integ-alg hmac-sha2-256-128 ike-dh modp-2048
  esp-crypto-alg aes-cbc 256 esp-integ-alg none
  lifetime 3600 jitter 10 handover 5 maxdata 0
vpp#

Anything else that needs to be checked?

Thanks
Nilesh Inamdar

On Thu, Aug 25, 2022 at 11:06 PM Xiaodong Xu <stid.s...@gmail.com> wrote:

> Did you make sure the algorithms (for both encryption and authentication)
> used for initiator and responder match? It looks like you didn't configure
> the algorithms for either IKE SA or IPsec SA on the responder; I don't know if
> the default setting will work.
> If you are unsure about it either, I'd suggest you specify the parameters
> explicitly like:
>
> # ikev2 profile set pr1 ike-crypto-alg aes-cbc 256 ike-integ-alg hmac-sha2-256-128 ike-dh modp-2048
> # ikev2 profile set pr1 esp-crypto-alg aes-cbc 256 esp-integ-alg hmac-sha2-256-128
>
> Shelton
>
> On Thu, Aug 25, 2022 at 10:13 AM Nilesh Inamdar <nileshinamdar1...@gmail.com> wrote:
>
>> Hi Team,
>>
>> I am new to VPP. I am trying to bring up an IPsec session between 2 VPPs using the
>> IKEv2 plugin.
>> I followed this link: https://wiki.fd.io/view/VPP/IPSec_and_IKEv2
>>
>> After doing all the configuration and executing "ikev2 initiate sa-init pr1",
>> I am guessing that the child SA is not getting installed properly on the
>> Initiator side. (And the ipip0 tunnel interface is not getting created.)
>>
>> Following is the topology:
>> vpp-responder (fpeth0) (192.168.4.1) ---------------------- (192.168.4.2) (fpeth0) vpp-initiator
>>
>> Following are the Initiator side logs:
>>
>> #######################################
>> Initiator side logs :
>> #######################################
>> vpp# sh version
>> vpp v22.06-rc0~419-g3bad8b62d built by root on 621e087e9003 at 2022-08-23T09:42:28
>> vpp#
>> vpp# ikev2 profile add pr1
>> vpp# ikev2 profile set pr1 auth shared-key-mic string Vpp123
>> vpp# ikev2 profile set pr1 id local fqdn roadwarrior.vpn.example.com
>> vpp# ikev2 profile set pr1 id remote fqdn vpp.home
>> vpp# ikev2 profile set pr1 traffic-selector local ip-range 192.168.5.0 - 192.168.5.255 port-range 0 - 65535 protocol 0
>> vpp# ikev2 profile set pr1 traffic-selector remote ip-range 192.168.3.0 - 192.168.3.255 port-range 0 - 65535 protocol 0
>> vpp#
>> vpp# ikev2 profile set pr1 responder fpeth0 192.168.4.1
>> vpp# ikev2 profile set pr1 ike-crypto-alg aes-cbc 256 ike-integ-alg sha1-96 ike-dh modp-2048
>> vpp# ikev2 profile set pr1 esp-crypto-alg aes-cbc 256
>> vpp# ikev2 profile set pr1 sa-lifetime 3600 10 5 0
>> vpp#
>> vpp# ikev2 initiate sa-init pr1
>> vpp#
>> vpp# sh ikev2 sa
>>  iip 192.168.4.2 ispi e59b30749fdb90e9 rip 192.168.4.1 rspi 23083f242006bd44
>> vpp#
>> vpp# sh ikev2 sa details
>>  iip 192.168.4.2 ispi e59b30749fdb90e9 rip 192.168.4.1 rspi 23083f242006bd44
>>  encr:aes-cbc-256 prf:hmac-sha2-256 integ:sha1-96 dh-group:modp-2048
>>  nonce i:b0f1ff98f782298f24adacd8f44bb239bab2715c94d11e64e5e10dc448749701
>>        r:556eb695f2d950b9a96b76a5f159063f8e9af37834bfd2a0f0dce85f81b47a4b
>>  SK_d 5834ae92d682b541a517062cf92e85fd34c1400732c1269eedb8e097db335fae
>>  SK_a i:3b13c1603645860190751759274be0d04f036403
>>       r:9d30918c5fde614ec883cc1a889b549733deac04
>>  SK_e i:d4323c469246648d98b3b4432d4e4f4c64cd9e94f434c3af24d5af71c455ed6c
>>       r:75717e36023e71401916f2e3d2a6a7bc21d6a9410c8548058f268036498dd5c1
>>  SK_p i:bdda78f8c65cd043a102864c26ee0ad7db4af6a602c7c38e4e0a51be75169ebf
>>       r:e1e88dbd92d97eee689433d2d33a926c398082b229d0d8e1d21f2662cf649056
>>  identifier (i) id-type fqdn data roadwarrior.vpn.example.com
>>  identifier (r) id-type fqdn data vpp.home
>>  child sa 0:
>>   spi(i) 858968d7 *spi(r) 0*
>>   SK_e i:
>>        r:
>>   traffic selectors (i):0 type 7 protocol_id 0 addr 192.168.5.0 - 192.168.5.255 port 0 - 65535
>>   traffic selectors (r):0 type 7 protocol_id 0 addr 192.168.3.0 - 192.168.3.255 port 0 - 65535
>>  Stats:
>>   keepalives :0
>>   rekey :0
>>   SA init :0 (retransmit: 0)
>>   retransmit: 0
>>   SA auth :0
>>
>> vpp#
>>
>>
>> ###########################################
>> Responder side logs :
>> ###########################################
>> vpp# sh version
>> vpp v22.06-rc0~419-g3bad8b62d built by root on 621e087e9003 at 2022-08-23T09:42:28
>> vpp#
>> vpp# sh interface fpeth0 addr
>> fpeth0 (up):
>>   L3 192.168.4.1/24
>> vpp# ping 192.168.4.2
>> 116 bytes from 192.168.4.2: icmp_seq=2 ttl=64 time=.1323 ms
>> 116 bytes from 192.168.4.2: icmp_seq=3 ttl=64 time=.0256 ms
>> 116 bytes from 192.168.4.2: icmp_seq=4 ttl=64 time=.0228 ms
>> 116 bytes from 192.168.4.2: icmp_seq=5 ttl=64 time=.0259 ms
>>
>> Statistics: 5 sent, 4 received, 20% packet loss
>> vpp#
>> vpp# ikev2 profile add pr1
>> vpp# ikev2 profile set pr1 auth shared-key-mic string Vpp123
>> vpp# ikev2 profile set pr1 id local fqdn vpp.home
>> vpp# ikev2 profile set pr1 id remote fqdn roadwarrior.vpn.example.com
>> vpp# ikev2 profile set pr1 traffic-selector remote ip-range 192.168.5.0 - 192.168.5.255 port-range 0 - 65535 protocol 0
>> vpp# ikev2 profile set pr1 traffic-selector local ip-range 192.168.3.0 - 192.168.3.255 port-range 0 - 65535 protocol 0
>> vpp#
>> vpp# sh ikev2 sa details
>>  iip 192.168.4.2 ispi e59b30749fdb90e9 rip 192.168.4.1 rspi 23083f242006bd44
>>  encr:aes-cbc-256 prf:hmac-sha2-256 integ:sha1-96 dh-group:modp-2048
>>  nonce i:b0f1ff98f782298f24adacd8f44bb239bab2715c94d11e64e5e10dc448749701
>>        r:556eb695f2d950b9a96b76a5f159063f8e9af37834bfd2a0f0dce85f81b47a4b
>>  SK_d 5834ae92d682b541a517062cf92e85fd34c1400732c1269eedb8e097db335fae
>>  SK_a i:3b13c1603645860190751759274be0d04f036403
>>       r:9d30918c5fde614ec883cc1a889b549733deac04
>>  SK_e i:d4323c469246648d98b3b4432d4e4f4c64cd9e94f434c3af24d5af71c455ed6c
>>       r:75717e36023e71401916f2e3d2a6a7bc21d6a9410c8548058f268036498dd5c1
>>  SK_p i:bdda78f8c65cd043a102864c26ee0ad7db4af6a602c7c38e4e0a51be75169ebf
>>       r:e1e88dbd92d97eee689433d2d33a926c398082b229d0d8e1d21f2662cf649056
>>  identifier (i) id-type fqdn data roadwarrior.vpn.example.com
>>  identifier (r) id-type fqdn data vpp.home
>>  child sa 0:encr:aes-cbc-256 esn:yes
>>   spi(i) 858968d7 spi(r) ded8f883
>>   SK_e i:
>>        r:
>>   traffic selectors (i):0 type 7 protocol_id 0 addr 192.168.5.0 - 192.168.5.255 port 0 - 65535
>>   traffic selectors (r):0 type 7 protocol_id 0 addr 192.168.3.0 - 192.168.3.255 port 0 - 65535
>>  Stats:
>>   keepalives :0
>>   rekey :0
>>   SA init :1 (retransmit: 0)
>>   retransmit: 0
>>   SA auth :1
>>
>> vpp#
>>
>>
>> ########################
>> Plugins used in vpp.conf
>> ########################
>> plugins {
>>   plugin default { disable }
>>   plugin dpdk_plugin.so { enable }
>>   plugin ping_plugin.so { enable }
>>   plugin memif_plugin.so { enable }
>>   plugin linux_cp_plugin.so { enable }
>>   plugin linux_nl_plugin.so { enable }
>>   plugin ikev2_plugin.so { enable }
>> }
>>
>> Can anyone please help with what I am missing here?
>> Let me know if you need any more logs/debugs.
>>
>> Thanks
>> Nilesh Inamdar
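The two things the thread turns on can be checked mechanically from the CLI output quoted above: whether the IKE and ESP algorithm settings in the `sh ikev2 profile` dumps agree between initiator and responder (Shelton's point), and whether a child SA in `sh ikev2 sa details` has a zero responder SPI on one side only (the `spi(r) 0` symptom Nilesh highlights). The Python script below is an added example written for this page, not code from the thread or from the VPP project. The sample dumps are constructed from the values quoted in the thread and trimmed to the lines the checks need; the rule that an ESP cipher whose name contains "gcm" is AEAD and therefore needs no separate integrity algorithm is an assumption of the example, as is the wording of the findings.

```python
"""Compare VPP IKEv2 state between two peers from pasted CLI output."""
import re

# Constructed sample input: `sh ikev2 sa details` as shown by each side in the
# thread's second set of logs, trimmed to the header, IKE algorithm and child SA lines.
INITIATOR_SA = """\
iip 192.168.4.2 ispi fcc61beef0453f0b rip 192.168.4.1 rspi 9e829dfd7459e1e2
encr:aes-cbc-256 prf:hmac-sha2-256 integ:hmac-sha2-256-128 dh-group:modp-2048
child sa 0:
spi(i) 92d8eaad spi(r) 0
"""
RESPONDER_SA = """\
iip 192.168.4.2 ispi fcc61beef0453f0b rip 192.168.4.1 rspi 9e829dfd7459e1e2
encr:aes-cbc-256 prf:hmac-sha2-256 integ:hmac-sha2-256-128 dh-group:modp-2048
child sa 0:encr:aes-cbc-256 esn:yes
spi(i) 92d8eaad spi(r) dc01af31
"""
# Constructed sample input: the algorithm lines of `sh ikev2 profile` from each side.
INITIATOR_PROFILE = """\
profile pr1
  ike-crypto-alg aes-cbc 256 ike-integ-alg hmac-sha2-256-128 ike-dh modp-2048
  esp-crypto-alg aes-cbc 256 esp-integ-alg none
"""
RESPONDER_PROFILE = INITIATOR_PROFILE  # both sides show the same settings in the thread

SA_RE = re.compile(r"ispi (\w+) .* rspi (\w+)")
IKE_ALG_RE = re.compile(r"encr:(\S+) prf:(\S+) integ:(\S+) dh-group:(\S+)")
CHILD_RE = re.compile(r"child sa (\d+):(.*)")
SPI_RE = re.compile(r"spi\(i\) (\w+) spi\(r\) (\w+)")
PROFILE_KEYS = ("ike-crypto-alg", "ike-integ-alg", "ike-dh", "esp-crypto-alg", "esp-integ-alg")


def parse_sa_details(text):
    """Extract IKE SPIs, the negotiated IKE algorithms and each child SA's SPIs."""
    sa = {"ispi": None, "rspi": None, "ike": None, "children": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := SA_RE.search(line):
            sa["ispi"], sa["rspi"] = m.group(1), m.group(2)
        elif m := IKE_ALG_RE.search(line):          # IKE line has prf:, child line does not
            sa["ike"] = m.groups()
        elif m := CHILD_RE.search(line):
            sa["children"].append({"idx": int(m.group(1)), "attrs": m.group(2).strip()})
        elif (m := SPI_RE.search(line)) and sa["children"]:
            sa["children"][-1]["spi_i"], sa["children"][-1]["spi_r"] = m.group(1), m.group(2)
    return sa


def parse_profile(text):
    """Pick the algorithm settings out of `sh ikev2 profile` output (value plus optional key size)."""
    found = {}
    for key in PROFILE_KEYS:
        if m := re.search(rf"{key} (\S+(?: \d+)?)", text):
            found[key] = m.group(1)
    return found


def diagnose_sa(initiator, responder):
    """Findings about the IKE SA and child SAs as seen from both peers; empty means consistent."""
    findings = []
    if (initiator["ispi"], initiator["rspi"]) != (responder["ispi"], responder["rspi"]):
        findings.append("IKE SA SPIs differ: the two dumps do not describe the same IKE SA")
    if initiator["ike"] != responder["ike"]:
        findings.append(f"IKE algorithms differ: initiator {initiator['ike']} vs responder {responder['ike']}")
    peers = {c["idx"]: c for c in responder["children"]}
    for child in initiator["children"]:
        # A zero responder SPI means the initiator never applied the responder's child SA reply,
        # so no ESP SA (and no tunnel interface) can exist on that side.
        if int(child.get("spi_r", "0"), 16) == 0:
            findings.append(f"child SA {child['idx']}: initiator has no responder SPI; child SA not installed on initiator")
        peer = peers.get(child["idx"])
        if peer is None:
            findings.append(f"child SA {child['idx']}: missing on responder")
        elif child.get("spi_i") != peer.get("spi_i"):
            findings.append(f"child SA {child['idx']}: initiator SPI differs between the two dumps")
    return findings


def check_profiles(initiator, responder):
    """Findings about the configured algorithms: mismatches, and ESP without integrity."""
    findings = []
    for key in PROFILE_KEYS:
        if initiator.get(key) != responder.get(key):
            findings.append(f"{key}: initiator '{initiator.get(key)}' vs responder '{responder.get(key)}'")
    for side, prof in (("initiator", initiator), ("responder", responder)):
        crypto, integ = prof.get("esp-crypto-alg", ""), prof.get("esp-integ-alg", "")
        # Assumption: only "gcm" ciphers are AEAD; any other cipher needs an integrity algorithm.
        if integ == "none" and "gcm" not in crypto:
            findings.append(f"{side}: esp-crypto-alg {crypto} with esp-integ-alg none gives ESP no integrity protection")
    return findings


if __name__ == "__main__":
    for f in diagnose_sa(parse_sa_details(INITIATOR_SA), parse_sa_details(RESPONDER_SA)):
        print("SA:", f)
    for f in check_profiles(parse_profile(INITIATOR_PROFILE), parse_profile(RESPONDER_PROFILE)):
        print("profile:", f)
```

Run against the thread's dumps, the SA check reports only the initiator's child SA with no responder SPI, and the profile check reports that both sides pair `aes-cbc` with `esp-integ-alg none`, the setting Shelton's second command would replace with `hmac-sha2-256-128`. Feeding it a responder profile with that command applied shows instead an `esp-integ-alg` mismatch, which is the kind of disagreement the peers must settle before any child SA can be installed.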
View/Reply Online (#21828): https://lists.fd.io/g/vpp-dev/message/21828