I suspect the issue is that you let the IKEv2 plugin create the ipip0 interface automatically for you: by default it will use table 0 to reach its peer. When you set Radio-0 in table 1, ipip0 can no longer reach its peer by looking up the next hop in table 0.

Instead, try to create the ipip interface beforehand specifying the nexthop lookup should happen in table 1 and tell ikev2 to use it:

vpp# create ipip tunnel src 10.23.202.34 dst 10.23.202.33 outer-table-id 1
vpp# ikev2 profile set pr1 tunnel ipip0

ben

> -----Original Message-----
> From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> On Behalf Of Mechthild Buescher via lists.fd.io
> Sent: Friday, September 16, 2022 18:09
> To: vpp-dev@lists.fd.io
> Cc: Erik Sjödin <erik.sjo...@ericsson.com>
> Subject: [vpp-dev] IPSec with tables is not working
>
> Hi all,
>
> We want to run IPSec over vpp and used the IPsec plugin. It did work fine as long as we don’t use routing tables in VPP. Are routing tables with IPSec generally not supported in VPP or is there an error in our configuration?
> Any help is appreciated!
>
> VPP Version: vpp v22.06.0-2~gc6257e753 built by suse on SUSE at 2022-08-30T10:55:22
> Plugins:
> plugin dpdk_plugin.so { enable }
> plugin ioam_plugin.so { enable }
> plugin perfmon_plugin.so { enable }
> plugin tracedump_plugin.so { enable }
> plugin l3xc_plugin.so { enable }
> plugin ping_plugin.so { enable }
> plugin avf_plugin.so { enable }
> plugin acl_plugin.so { enable }
> plugin svs_plugin.so { enable }
> plugin vrrp_plugin.so { enable }
> plugin dhcp_plugin.so { enable }
> plugin nat_plugin.so { enable }
> plugin abf_plugin.so { enable }
> plugin lacp_plugin.so { enable }
> plugin flowprobe_plugin.so { enable }
> plugin ikev2_plugin.so { enable }
> plugin dns_plugin.so { enable }
> plugin crypto_openssl_plugin.so { enable }
> plugin tlsopenssl_plugin.so { enable }
> plugin crypto_ipsecmb_plugin.so { enable }
> plugin crypto_native_plugin.so {enable }
> plugin crypto_sw_scheduler_plugin.so {enable }
> plugin tlsmbedtls_plugin.so {enable }
> plugin tlspicotls_plugin.so {enable }
>
> This is working fine:
>
> Responder:
>
> set interface state RAN-NC up
> set interface state RAN-Dallas up
> set interface ip address RAN-NC 10.23.202.33/27
> set interface ip address RAN-Dallas 10.23.102.34/24
>
> ip route add 192.168.32.0/24 via 192.168.32.164 RAN-Dallas
> ip route add 172.1.0.0/16 via 10.23.102.33 RAN-Dallas
> ip route add 172.2.0.0/16 via 10.23.102.33 RAN-Dallas
>
> ikev2 profile add pr1
> ikev2 profile set pr1 auth shared-key-mic string Vpp123
> ikev2 profile set pr1 id local ip4-addr 10.23.202.33
> ikev2 profile set pr1 id remote ip4-addr 10.23.202.34
> ikev2 profile set pr1 traffic-selector remote ip-range 0.0.0.0 - 255.255.255.255 port-range 0 - 65535 protocol 0
> ikev2 profile set pr1 traffic-selector local ip-range 0.0.0.0 - 255.255.255.255 port-range 0 - 65535 protocol 0
> set interface state ipip0 up
> set interface ip address ipip0 1.1.1.1/32
> ip route add 0.0.0.0/0 via 1.1.1.1 ipip0
> ip route add 10.23.202.100/32 via 1.1.1.1 ipip0
> ip route add 10.23.202.101/32 via 1.1.1.1 ipip0
> ip route add 10.23.202.98/32 via 1.1.1.1 ipip0
>
> Initiator:
>
> set interface state Ext-0 up
> set interface state Radio-0 up
> set interface ip address Radio-0 10.23.202.34/27
> set interface ip address Ext-0 10.23.202.100/27
>
> ikev2 profile add pr1
> ikev2 profile set pr1 auth shared-key-mic string Vpp123
> ikev2 profile set pr1 id local ip4-addr 10.23.202.34
> ikev2 profile set pr1 id remote ip4-addr 10.23.202.33
> ikev2 profile set pr1 traffic-selector remote ip-range 0.0.0.0 - 255.255.255.255 port-range 0 - 65535 protocol 0
> ikev2 profile set pr1 traffic-selector local ip-range 0.0.0.0 - 255.255.255.255 port-range 0 - 65535 protocol 0
> ikev2 profile set pr1 responder Radio-0 10.23.202.33
> ikev2 profile set pr1 ike-crypto-alg aes-cbc 128 ike-integ-alg sha1-96 ike-dh modp-1024
> ikev2 profile set pr1 esp-crypto-alg aes-cbc 128 esp-integ-alg sha1-96 esp-dh modp-1024
> ikev2 initiate sa-init pr1
> set interface state ipip0 up
> set interface ip address ipip0 1.1.1.2/32
> ip route add 0.0.0.0/0 via 1.1.1.2 ipip0
>
> But when we change the initiator config so that Ext-0 and Radio-0 are in table 1, it fails:
>
> set interface state Ext-0 up
> set interface state Radio-0 up
> ip table add 1
>
> set interface ip table Radio-0 1
> set interface ip table Ext-0 1
>
> set interface ip address Radio-0 10.23.202.34/27
> set interface ip address Ext-0 10.23.202.100/27
>
> Thank you,
>
> BR/Mechthild
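
The table lookup described in the reply above, as a simplified model added here for illustration (not code from the thread or from VPP). It assumes only the connected routes of the initiator's two interfaces and treats the tunnel's outer table as the one table in which the peer address is resolved; the function and variable names are hypothetical.

```python
import ipaddress

def build_fib(interfaces):
    """interfaces: {name: (address/len, table_id)} -> {table_id: [(connected net, name)]}."""
    fib = {0: []}  # table 0 always exists, even when it holds no routes
    for name, (addr, table_id) in interfaces.items():
        connected = ipaddress.ip_interface(addr).network
        fib.setdefault(table_id, []).append((connected, name))
    return fib

def lookup(fib, table_id, dst):
    """Longest-prefix match for dst inside one table; None when nothing matches."""
    addr = ipaddress.ip_address(dst)
    matches = [(net.prefixlen, name) for net, name in fib.get(table_id, []) if addr in net]
    return max(matches)[1] if matches else None

def tunnel_egress(fib, tunnel):
    """The encapsulated packet's outer destination is resolved in the tunnel's outer table."""
    return lookup(fib, tunnel["outer_table_id"], tunnel["dst"])

# Initiator addresses taken from the thread; the dict layout is constructed for this model.
WORKING_FIB = build_fib({"Radio-0": ("10.23.202.34/27", 0),
                         "Ext-0": ("10.23.202.100/27", 0)})
MOVED_FIB = build_fib({"Radio-0": ("10.23.202.34/27", 1),
                       "Ext-0": ("10.23.202.100/27", 1)})

# Tunnel created with the default outer table (0), as the reply suspects happens here.
AUTO_TUNNEL = {"src": "10.23.202.34", "dst": "10.23.202.33", "outer_table_id": 0}
# Tunnel created beforehand with outer-table-id 1, as the reply suggests.
FIXED_TUNNEL = {"src": "10.23.202.34", "dst": "10.23.202.33", "outer_table_id": 1}

if __name__ == "__main__":
    print("all in table 0, default tunnel :", tunnel_egress(WORKING_FIB, AUTO_TUNNEL))
    print("moved to table 1, default tunnel:", tunnel_egress(MOVED_FIB, AUTO_TUNNEL))
    print("moved to table 1, outer table 1 :", tunnel_egress(MOVED_FIB, FIXED_TUNNEL))
```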