Hi Filip,

Thank you for helping.
You were right. After adding the right esp encryption algorithm that does
integrity as well, it worked.

I had one more query.
I wanted to see ikev2 debugs.
So I had set "ikev2 set logging level 5".

But I do not know where the debugs will get dumped.
Can you please help?

Thanks
Nilesh Inamdar

On Fri, Aug 26, 2022 at 6:14 PM Filip Tehlar -X (ftehlar - PANTHEON
TECHNOLOGIES at Cisco) via lists.fd.io <ftehlar=cisco....@lists.fd.io>
wrote:

> Hi Nilesh,
>
> looks like you didn't configure esp-integ-alg (it is not a good idea not
> to use integrity algorithm) .
> So, either configure esp-integ-alg, or use crypto algorithm that does
> integrity check too, like "esp-crypto-alg aes-gcm-16 256"
>
> Filip
> ------------------------------
> *From:* vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> on behalf of Nilesh
> Inamdar <nileshinamdar1...@gmail.com>
> *Sent:* Friday, August 26, 2022 2:20 PM
> *To:* vpp-dev@lists.fd.io <vpp-dev@lists.fd.io>
> *Subject:* [vpp-dev] ipip0 or ipsec0 is not getting created after
> executing "ikev2 initiate sa-init pr1"
>
> Hi Team,
>
> I am trying to bring up an IPSec session between 2 VPPs.
> After configuring and executing "ikev2 initiate sa-init pr1", the tunnel
> ipip0 or ipsec0 is not getting created.
> I see that Child SA is not getting programmed correctly.
>
> Topology:
> vpp-responder (fpeth0) (192.168.4.1) ---------------------- (192.168.4.2)
> (fpeth0)vpp-initiator
>
> Following are the logs:
> ######################################
> Initiator logs
> ######################################
>
> vpp#
> vpp# sh version
> vpp v22.10-rc0~142-gabd566942 built by root on b804503bfc4e at
> 2022-08-26T09:31:25
> vpp#
> vpp# show plugins
>  Plugin path is: /usr/lib/x86_64-linux-gnu/vpp_plugins
>
>      Plugin                                   Version
>      Description
>   1. memif_plugin.so                          22.10-rc0~142-gabd566942
>     Packet Memory Interface (memif) -- Experimental
>   2. ping_plugin.so                           22.10-rc0~142-gabd566942
>     Ping (ping)
>   3. dpdk_plugin.so                           22.10-rc0~142-gabd566942
>     Data Plane Development Kit (DPDK)
>   4. linux_nl_plugin.so                       22.10-rc0~142-gabd566942
>     linux Control Plane - Netlink listener
>   5. crypto_openssl_plugin.so                 22.10-rc0~142-gabd566942
>     OpenSSL Crypto Engine
>   6. ikev2_plugin.so                          22.10-rc0~142-gabd566942
>     Internet Key Exchange (IKEv2) Protocol
>   7. linux_cp_plugin.so                       22.10-rc0~142-gabd566942
>     Linux Control Plane - Interface Mirror
> vpp#
> vpp#
> vpp# set interface state fpeth0 up
> vpp# set interface ip address fpeth0 192.168.4.2/24
> vpp# ikev2 profile add pr1
> vpp# ikev2 profile set pr1 auth shared-key-mic string Vpp123
> vpp# ikev2 profile set pr1 id local fqdn roadwarrior.vpn.example.com
> vpp# ikev2 profile set pr1 id remote fqdn vpp.home
> vpp# ikev2 profile set pr1 traffic-selector local ip-range 192.168.5.0 -
> 192.168.5.255 port-range 0 - 65535 protocol 0
> vpp# ikev2 profile set pr1 traffic-selector remote ip-range 192.168.3.0 -
> 192.168.3.255 port-range 0 - 65535 protocol 0
> vpp#
> vpp# ikev2 profile set pr1 responder fpeth0 192.168.4.1
> vpp# ikev2 profile set pr1 ike-crypto-alg aes-cbc 256 ike-integ-alg
> sha1-96 ike-dh modp-2048
> vpp# ikev2 profile set pr1 esp-crypto-alg aes-cbc 256
> vpp# ikev2 profile set pr1 sa-lifetime 3600 10 5 0
> vpp#
> vpp# ikev2 initiate sa-init pr1
> vpp# sh ikev2 sa details
> iip 192.168.4.2 ispi 289ce7c7aaa086d8 rip 192.168.4.1 rspi 47ee71e432475b6a
>  encr:aes-cbc-256 prf:hmac-sha2-256 integ:sha1-96 dh-group:modp-2048
>  nonce i:6a5359361129c654db012179b4ba6355ee12c72a10cdc8b176034ba9e0f1de19
>        r:16b4f3372563fec3241b2f50370ea34c857b9b15304e7592b68ba882ec63d7cb
>  SK_d    5b72bc5a285f4542eda61d3b320c50ddb533f3b5a308141f0f732f7cd9c0499a
>  SK_a  i:8d12f619337db39bbbaeb90251707d0dde34321e
>        r:12d35535e8572b519d761341c77e34e0146689d9
>  SK_e  i:b62606f7835aa0bb883e95a9880009e6bdd4e219a5e013d2109daf7417838f4b
>        r:ee42f7a0af25d7a02c93f1d3e902590f08aa1836bf551c4ea9145251ad0feea9
>  SK_p  i:41f65005aa7003e5b7ed52ed23b59c131486a77fe9943968d5ebc06bb59f95e0
>        r:d03cf04e294af3563504a94f9bcff552bce74e17ba7b2485ae90546098cc00bc
>  identifier (i) id-type fqdn data roadwarrior.vpn.example.com
>  identifier (r) id-type fqdn data vpp.home
>    child sa 0:
>     spi(i) 5714e027 spi(r) 0
>     SK_e  i:
>           r:
>     traffic selectors (i):0 type 7 protocol_id 0 addr 192.168.5.0 -
> 192.168.5.255 port 0 - 65535
>     traffic selectors (r):0 type 7 protocol_id 0 addr 192.168.3.0 -
> 192.168.3.255 port 0 - 65535
> Stats:
>  keepalives :0
>  rekey :0
>  SA init :0 (retransmit: 0)
>  retransmit: 0
>  SA auth :0
>
> vpp# show ipsec
> show ipsec: unknown input `'
> vpp# show ipsec all
> SPD Bindings:
> IPSec async mode: off
> vpp#
>
>
> ##################################
> Responder logs
> ##################################
>
> vpp# sh version
> vpp v22.10-rc0~142-gabd566942 built by root on b804503bfc4e at
> 2022-08-26T09:31:25
> vpp#
> vpp# show plugins
>  Plugin path is: /usr/lib/x86_64-linux-gnu/vpp_plugins
>
>      Plugin                                   Version
>      Description
>   1. memif_plugin.so                          22.10-rc0~142-gabd566942
>     Packet Memory Interface (memif) -- Experimental
>   2. ping_plugin.so                           22.10-rc0~142-gabd566942
>     Ping (ping)
>   3. dpdk_plugin.so                           22.10-rc0~142-gabd566942
>     Data Plane Development Kit (DPDK)
>   4. linux_nl_plugin.so                       22.10-rc0~142-gabd566942
>     linux Control Plane - Netlink listener
>   5. crypto_openssl_plugin.so                 22.10-rc0~142-gabd566942
>     OpenSSL Crypto Engine
>   6. ikev2_plugin.so                          22.10-rc0~142-gabd566942
>     Internet Key Exchange (IKEv2) Protocol
>   7. linux_cp_plugin.so                       22.10-rc0~142-gabd566942
>     Linux Control Plane - Interface Mirror
> vpp# set interface state fpeth0 up
> vpp# set interface ip address fpeth0 192.168.4.1/24
> vpp# ikev2 profile add pr1
> vpp# ikev2 profile set pr1 auth shared-key-mic string Vpp123
> vpp# ikev2 profile set pr1 id local fqdn vpp.home
> vpp# ikev2 profile set pr1 id remote fqdn roadwarrior.vpn.example.com
> vpp# ikev2 profile set pr1 traffic-selector remote ip-range 192.168.5.0 -
> 192.168.5.255 port-range 0 - 65535 protocol 0
> vpp# ikev2 profile set pr1 traffic-selector local ip-range 192.168.3.0 -
> 192.168.3.255 port-range 0 - 65535 protocol 0
> vpp#
> vpp# show ikev2 sa
> iip 192.168.4.2 ispi 289ce7c7aaa086d8 rip 192.168.4.1 rspi 47ee71e432475b6a
> vpp# show ikev2 sa details
> iip 192.168.4.2 ispi 289ce7c7aaa086d8 rip 192.168.4.1 rspi 47ee71e432475b6a
>  encr:aes-cbc-256 prf:hmac-sha2-256 integ:sha1-96 dh-group:modp-2048
>  nonce i:6a5359361129c654db012179b4ba6355ee12c72a10cdc8b176034ba9e0f1de19
>        r:16b4f3372563fec3241b2f50370ea34c857b9b15304e7592b68ba882ec63d7cb
>  SK_d    5b72bc5a285f4542eda61d3b320c50ddb533f3b5a308141f0f732f7cd9c0499a
>  SK_a  i:8d12f619337db39bbbaeb90251707d0dde34321e
>        r:12d35535e8572b519d761341c77e34e0146689d9
>  SK_e  i:b62606f7835aa0bb883e95a9880009e6bdd4e219a5e013d2109daf7417838f4b
>        r:ee42f7a0af25d7a02c93f1d3e902590f08aa1836bf551c4ea9145251ad0feea9
>  SK_p  i:41f65005aa7003e5b7ed52ed23b59c131486a77fe9943968d5ebc06bb59f95e0
>        r:d03cf04e294af3563504a94f9bcff552bce74e17ba7b2485ae90546098cc00bc
>  identifier (i) id-type fqdn data roadwarrior.vpn.example.com
>  identifier (r) id-type fqdn data vpp.home
>    child sa 0:encr:aes-cbc-256  esn:yes
>     spi(i) 5714e027 spi(r) 1c518c85
>     SK_e  i:
>           r:
>     traffic selectors (i):0 type 7 protocol_id 0 addr 192.168.5.0 -
> 192.168.5.255 port 0 - 65535
>     traffic selectors (r):0 type 7 protocol_id 0 addr 192.168.3.0 -
> 192.168.3.255 port 0 - 65535
> Stats:
>  keepalives :0
>  rekey :0
>  SA init :1 (retransmit: 0)
>  retransmit: 0
>  SA auth :1
>
> vpp#
> vpp#
> vpp#
> vpp# show ipsec all
> SPD Bindings:
> IPSec async mode: off
> vpp#
> vpp#
> vpp# sh ipsec sa
> vpp# sh ipsec spd
> vpp#
>
> Also I tried setting "ikev2 set logging level 5".
> But I did not see any ikev2 logs in "show logging".
>
> I also tried configuring the algorithm on the responder side as well. But
> I'm still getting the same result.
>
> Apart from the ikev2 plugin, do we need to add any more plugins?
>
> Can anyone please check if IPSec sessions are coming up in the latest vpp?
>
> Thanks and Regards
> Nilesh Inamdar
>
>
> 
>
>
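The root cause in the thread is a VPP IKEv2 profile whose ESP proposal used a plain CBC cipher with no esp-integ-alg, so the child SA had encryption but no integrity protection. The following is an added example (it is not code from the thread or from the VPP project) that audits `ikev2 profile` CLI lines, as they appear in a startup config or a transcript like the one above, and flags every profile that proposes a non-AEAD ESP cipher without an esp-integ-alg. The AEAD set contains only aes-gcm-16, the cipher Filip names; treating it as the sole AEAD entry, the sample config, and the function names `parse_profiles` and `audit` are all assumptions of this example.

```python
"""Audit VPP IKEv2 profile CLI lines for ESP proposals that lack integrity.

Added example, not part of the vpp-dev thread and not VPP project code.
"""
import re

# AEAD ciphers that carry their own integrity check. aes-gcm-16 is the one named
# in the thread; using it as the only AEAD entry is an assumption of this example.
AEAD_CIPHERS = {"aes-gcm-16"}

# Constructed sample: pr1 mirrors the initiator profile from the thread (no
# integrity); pr2 and pr3 are hypothetical corrected profiles.
SAMPLE_CONFIG = """\
vpp# ikev2 profile add pr1
vpp# ikev2 profile set pr1 ike-crypto-alg aes-cbc 256 ike-integ-alg sha1-96 ike-dh modp-2048
vpp# ikev2 profile set pr1 esp-crypto-alg aes-cbc 256
vpp# ikev2 profile add pr2
vpp# ikev2 profile set pr2 esp-crypto-alg aes-cbc 256
vpp# ikev2 profile set pr2 esp-integ-alg sha1-96
vpp# ikev2 profile add pr3
vpp# ikev2 profile set pr3 esp-crypto-alg aes-gcm-16 256
"""

# Accept both raw config lines and "vpp# " prompted transcript lines.
_PROFILE_RE = re.compile(r"^\s*(?:vpp#\s*)?ikev2 profile (add|set) (\S+)(?:\s+(.*))?$")
_ESP_CRYPTO_RE = re.compile(r"\besp-crypto-alg (\S+)(?: (\d+))?")
_ESP_INTEG_RE = re.compile(r"\besp-integ-alg (\S+)")


def parse_profiles(config_text):
    """Return {profile_name: {"esp_crypto": str|None, "esp_integ": str|None}}."""
    profiles = {}
    for line in config_text.splitlines():
        m = _PROFILE_RE.match(line)
        if not m:
            continue
        verb, name, rest = m.group(1), m.group(2), m.group(3) or ""
        p = profiles.setdefault(name, {"esp_crypto": None, "esp_integ": None})
        if verb != "set":
            continue
        c = _ESP_CRYPTO_RE.search(rest)
        if c:
            p["esp_crypto"] = c.group(1)
        i = _ESP_INTEG_RE.search(rest)
        if i:
            p["esp_integ"] = i.group(1)
    return profiles


def audit(config_text):
    """Return a sorted list of (profile, finding) for ESP proposals without integrity."""
    findings = []
    for name, p in sorted(parse_profiles(config_text).items()):
        crypto, integ = p["esp_crypto"], p["esp_integ"]
        if crypto is None:
            # Responder-style profile: in the thread the responder set no
            # esp-crypto-alg and simply accepted the initiator's proposal, so the
            # effective ESP algorithms must be checked on the peer.
            findings.append((name, "no esp-crypto-alg set; ESP proposal comes from the peer"))
        elif crypto in AEAD_CIPHERS:
            continue  # AEAD mode: integrity is built into the cipher
        elif integ is None:
            findings.append((name, f"{crypto} without esp-integ-alg: ESP has no integrity protection"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_CONFIG):
        print(f"{name}: {finding}")
```

Run against the sample, the audit reports only pr1, the profile that reproduces the thread's mistake; pr2 is fixed by adding esp-integ-alg and pr3 by switching to the AEAD cipher. Profiles with no esp-crypto-alg at all are reported as informational so that the peer's proposal is checked rather than silently accepted.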
