Hi all, We want to run IPSec over vpp and used the IPsec plugin. It did work fine as long as we don’t use routing tables in VPP. Are routing tables with IPSec generally not supported in VPP or is there an error in our configuration? Any help is appreciated!
VPP Version: vpp v22.06.0-2~gc6257e753 built by suse on SUSE at 2022-08-30T10:55:22

Plugins:
plugin dpdk_plugin.so { enable }
plugin ioam_plugin.so { enable }
plugin perfmon_plugin.so { enable }
plugin tracedump_plugin.so { enable }
plugin l3xc_plugin.so { enable }
plugin ping_plugin.so { enable }
plugin avf_plugin.so { enable }
plugin acl_plugin.so { enable }
plugin svs_plugin.so { enable }
plugin vrrp_plugin.so { enable }
plugin dhcp_plugin.so { enable }
plugin nat_plugin.so { enable }
plugin abf_plugin.so { enable }
plugin lacp_plugin.so { enable }
plugin flowprobe_plugin.so { enable }
plugin ikev2_plugin.so { enable }
plugin dns_plugin.so { enable }
plugin crypto_openssl_plugin.so { enable }
plugin tlsopenssl_plugin.so { enable }
plugin crypto_ipsecmb_plugin.so { enable }
plugin crypto_native_plugin.so { enable }
plugin crypto_sw_scheduler_plugin.so { enable }
plugin tlsmbedtls_plugin.so { enable }
plugin tlspicotls_plugin.so { enable }

This is working fine:

Responder:
set interface state RAN-NC up
set interface state RAN-Dallas up
set interface ip address RAN-NC 10.23.202.33/27
set interface ip address RAN-Dallas 10.23.102.34/24
ip route add 192.168.32.0/24 via 192.168.32.164 RAN-Dallas
ip route add 172.1.0.0/16 via 10.23.102.33 RAN-Dallas
ip route add 172.2.0.0/16 via 10.23.102.33 RAN-Dallas
ikev2 profile add pr1
ikev2 profile set pr1 auth shared-key-mic string Vpp123
ikev2 profile set pr1 id local ip4-addr 10.23.202.33
ikev2 profile set pr1 id remote ip4-addr 10.23.202.34
ikev2 profile set pr1 traffic-selector remote ip-range 0.0.0.0 - 255.255.255.255 port-range 0 - 65535 protocol 0
ikev2 profile set pr1 traffic-selector local ip-range 0.0.0.0 - 255.255.255.255 port-range 0 - 65535 protocol 0
set interface state ipip0 up
set interface ip address ipip0 1.1.1.1/32
ip route add 0.0.0.0/0 via 1.1.1.1 ipip0
ip route add 10.23.202.100/32 via 1.1.1.1 ipip0
ip route add 10.23.202.101/32 via 1.1.1.1 ipip0
ip route add 10.23.202.98/32 via 1.1.1.1 ipip0

Initiator:
set interface state Ext-0 up
set interface state Radio-0 up
set interface ip address Radio-0 10.23.202.34/27
set interface ip address Ext-0 10.23.202.100/27
ikev2 profile add pr1
ikev2 profile set pr1 auth shared-key-mic string Vpp123
ikev2 profile set pr1 id local ip4-addr 10.23.202.34
ikev2 profile set pr1 id remote ip4-addr 10.23.202.33
ikev2 profile set pr1 traffic-selector remote ip-range 0.0.0.0 - 255.255.255.255 port-range 0 - 65535 protocol 0
ikev2 profile set pr1 traffic-selector local ip-range 0.0.0.0 - 255.255.255.255 port-range 0 - 65535 protocol 0
ikev2 profile set pr1 responder Radio-0 10.23.202.33
ikev2 profile set pr1 ike-crypto-alg aes-cbc 128 ike-integ-alg sha1-96 ike-dh modp-1024
ikev2 profile set pr1 esp-crypto-alg aes-cbc 128 esp-integ-alg sha1-96 esp-dh modp-1024
ikev2 initiate sa-init pr1
set interface state ipip0 up
set interface ip address ipip0 1.1.1.2/32
ip route add 0.0.0.0/0 via 1.1.1.2 ipip0

But when we change the initiator config so that Ext-0 and Radio-0 are in table 1, it fails:
set interface state Ext-0 up
set interface state Radio-0 up
ip table add 1
set interface ip table Radio-0 1
set interface ip table Ext-0 1
set interface ip address Radio-0 10.23.202.34/27
set interface ip address Ext-0 10.23.202.100/27

Thank you,
BR/Mechthild
View/Reply Online (#21898): https://lists.fd.io/g/vpp-dev/message/21898
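The posted configs run through a small consistency checker, as an added example that is not part of the original message or of the VPP project. It parses only the `set interface ip table`, `set interface ip address` and `ikev2 profile set` lines exactly as they appear above, and reports three things a reviewer looks at first: whether a profile's responder interface was moved out of the default ip table (the one change between the working and the failing initiator config), whether the local/remote IDs of the two peers mirror each other, and whether the negotiated DH group, integrity algorithm and pre-shared key are below current IKEv2 guidance. The sample strings are constructed from the thread's configs, the RFC 8247 classification of `modp-1024` and `sha1-96` and the 16-character PSK threshold are this example's own assumptions, and nothing here is VPP's API or a claim about why the table-1 variant fails.

```python
"""Consistency and strength checks over VPP IKEv2 CLI snippets (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed sample: the initiator config from the thread, including the
# 'ip table' lines that accompanied the failure. Traffic-selector and state
# lines are left out because the checks below do not read them.
INITIATOR_TABLE1 = """
ip table add 1
set interface ip table Radio-0 1
set interface ip table Ext-0 1
set interface ip address Radio-0 10.23.202.34/27
set interface ip address Ext-0 10.23.202.100/27
ikev2 profile add pr1
ikev2 profile set pr1 auth shared-key-mic string Vpp123
ikev2 profile set pr1 id local ip4-addr 10.23.202.34
ikev2 profile set pr1 id remote ip4-addr 10.23.202.33
ikev2 profile set pr1 responder Radio-0 10.23.202.33
ikev2 profile set pr1 ike-crypto-alg aes-cbc 128 ike-integ-alg sha1-96 ike-dh modp-1024
ikev2 profile set pr1 esp-crypto-alg aes-cbc 128 esp-integ-alg sha1-96 esp-dh modp-1024
"""
# Same initiator with the table lines dropped, i.e. the working variant.
INITIATOR_DEFAULT = "\n".join(
    l for l in INITIATOR_TABLE1.splitlines() if "ip table" not in l)

# Constructed sample: the parts of the responder config the checks use.
RESPONDER = """
set interface ip address RAN-NC 10.23.202.33/27
ikev2 profile add pr1
ikev2 profile set pr1 auth shared-key-mic string Vpp123
ikev2 profile set pr1 id local ip4-addr 10.23.202.33
ikev2 profile set pr1 id remote ip4-addr 10.23.202.34
"""

# Assumed thresholds: RFC 8247 marks these MODP groups as MUST NOT / SHOULD NOT
# and puts MD5 / SHA1-96 on its deprecation path; 16 chars is our PSK floor.
WEAK_DH = {"modp-768", "modp-1024", "modp-1536"}
WEAK_INTEG = {"md5-96", "sha1-96"}
MIN_PSK_LEN = 16


def parse(cfg: str) -> Tuple[Dict[str, dict], Dict[str, dict]]:
    """Collect per-interface table/address and per-profile IKEv2 settings."""
    ifaces: Dict[str, dict] = {}
    profiles: Dict[str, dict] = {}
    for raw in cfg.strip().splitlines():
        line = raw.strip()
        if m := re.match(r"set interface ip table (\S+) (\d+)$", line):
            ifaces.setdefault(m[1], {})["table"] = int(m[2])
        elif m := re.match(r"set interface ip address (\S+) (\S+)$", line):
            ifaces.setdefault(m[1], {})["addr"] = m[2].split("/")[0]
        elif m := re.match(r"ikev2 profile set (\S+) (.+)$", line):
            p = profiles.setdefault(m[1], {"dh": [], "integ": []})
            rest = m[2]
            if mm := re.match(r"id (local|remote) ip4-addr (\S+)", rest):
                p["id_" + mm[1]] = mm[2]
            elif mm := re.match(r"responder (\S+) (\S+)", rest):
                p["responder_if"], p["responder_addr"] = mm[1], mm[2]
            elif mm := re.match(r"auth shared-key-mic string (\S+)", rest):
                p["psk"] = mm[1]
            else:  # crypto lines carry several (scope, value) pairs
                p["dh"] += re.findall(r"(ike|esp)-dh (\S+)", rest)
                p["integ"] += re.findall(r"(ike|esp)-integ-alg (\S+)", rest)
    return ifaces, profiles


def check_table(cfg: str) -> List[str]:
    """Flag responder interfaces that are not in the default ip table (0)."""
    ifaces, profiles = parse(cfg)
    findings = []
    for name, p in profiles.items():
        ifname = p.get("responder_if")
        if ifname is None:
            continue
        table = ifaces.get(ifname, {}).get("table", 0)
        if table != 0:
            findings.append(f"{name}: responder interface {ifname} is in ip table "
                            f"{table}, unlike the working config (default table)")
    return findings


def check_peer_ids(initiator: str, responder: str) -> List[str]:
    """Each side's local ID must equal the other side's remote ID."""
    _, pa = parse(initiator)
    _, pb = parse(responder)
    findings = []
    for name in pa.keys() & pb.keys():
        if pa[name].get("id_local") != pb[name].get("id_remote"):
            findings.append(f"{name}: initiator local id != responder remote id")
        if pa[name].get("id_remote") != pb[name].get("id_local"):
            findings.append(f"{name}: initiator remote id != responder local id")
    return findings


def check_crypto(cfg: str) -> List[str]:
    """Report weak DH groups, weak integrity algorithms and short cleartext PSKs."""
    _, profiles = parse(cfg)
    findings = []
    for name, p in profiles.items():
        for scope, group in p["dh"]:
            if group in WEAK_DH:
                findings.append(f"{name}: {scope}-dh {group} is not recommended (RFC 8247)")
        for scope, alg in p["integ"]:
            if alg in WEAK_INTEG:
                findings.append(f"{name}: {scope}-integ-alg {alg} is being phased out (RFC 8247)")
        psk = p.get("psk")
        if psk is not None and len(psk) < MIN_PSK_LEN:
            findings.append(f"{name}: pre-shared key is only {len(psk)} characters "
                            "and sits in cleartext in the CLI config")
    return findings


if __name__ == "__main__":
    for label, cfg in (("initiator/table1", INITIATOR_TABLE1), ("responder", RESPONDER)):
        for f in check_table(cfg) + check_crypto(cfg):
            print(f"{label}: {f}")
    for f in check_peer_ids(INITIATOR_TABLE1, RESPONDER):
        print(f"peer ids: {f}")
```

Running it on the thread's configs reports the `Radio-0` table move only for the failing variant, no ID mismatch between the two peers, and the `modp-1024` / `sha1-96` / short-PSK findings on both sides; the last group is worth fixing independently of the routing-table question, since it is negotiated for every SA the profile creates.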