Hi Dave,

A while back you asked the question below.

Hi VPP Experts,

I have a route issue (VPP 19.01) and need your suggestion, thanks a lot!

There is an IPsec tunnel between VM1 and VPP:

    sa 1 spi 3693429 mode tunnel protocol esp tunnel src 172.16.3.1 dst 172.16.3.15
    sa 2 spi 3380458875 mode tunnel protocol esp tunnel src 172.16.3.15 dst 172.16.3.1
    outbound policies
      sp 1 priority 1920 action protect protocol any sa 2
        local addr range 173.0.0.0 - 173.255.255.255 port range 0 - 65535
        remote addr range 173.2.0.1 - 173.2.0.1 port range 0 - 65535
    inbound policies
      sp 1 priority 1680 action protect protocol any sa 1
        local addr range 173.0.0.0 - 173.255.255.255 port range 0 - 65535
        remote addr range 173.2.0.1 - 173.2.0.1 port range 0 - 65535

Send a ping packet:

    ping 173.2.0.1 -I 173.10.10.10

This packet will be routed to VPP interface GigabitEthernet0/b/0. We want this packet to go through the IPsec tunnel, so we add the route below in VPP:

    vpp# ip route add 173.2.0.0/24 via 172.16.3.1 GigabitEthernet0/a/0

Then this packet is routed to GigabitEthernet0/a/0 and goes to the IPsec output handling node ipsec-output-ip4, is encrypted, gets the IPsec tunnel IP added and is sent out. Everything is fine.

But I want to add the route in the following way:

    vpp# ip route add 173.2.0.0/24 via GigabitEthernet0/a/0

because there may be many IPsec tunnels connecting to VPP from different VMs, each with a different IP, like 172.16.4.1, 172.16.5.1, 172.16.6.1; I can't be sure which VM will have the IP 173.2.0.1. What I want is for the packet to be routed to GigabitEthernet0/a/0 so that it runs into the ipsec-output-ip4 node, which will find the correct SA tunnel inside, and then the packet will be forwarded correctly with the IPsec tunnel IP.

But from the trace, it sends an ARP request for 173.2.0.1 directly:

    ip4-lookup -> ip4-glean -> GigabitEthernet0/a/0-output -> ip4-glean: ARP requests sent

How could I avoid this ARP request, like this?

    ip4-lookup -> ip4-rewrite (GigabitEthernet0/a/0) -> ipsec-output-ip4

Best Regards
Dave

After some days you suggested that you found the following solution. Can you please help us with how it solved the problem? I believe you applied the IPsec policy on GigabitEthernet0/a/0, so where have you used the svti interface?

Hi Neale,

I found a solution recently: create a virtual interface with VNET_HW_INTERFACE_CLASS (svti_hw_class), and add the route like this:

    vpp# show interface
    Name                  Idx  State  MTU (L3/IP4/IP6/MPLS)  Counter     Count
    GigabitEthernet0/a/0  1    up     9000/0/0/0             rx packets  1058
                                                             rx bytes    59654
                                                             tx packets  7
                                                             tx bytes    530
                                                             drops       879
                                                             ip4         174
                                                             ip6         5
    GigabitEthernet0/b/0  2    up     9000/0/0/0             rx packets  1053
                                                             rx bytes    59304
                                                             tx packets  7
                                                             tx bytes    530
                                                             drops       876
                                                             ip4         174
                                                             ip6         2
    local0                0    down   0/0/0/0
    svti                  3    up     0/0/0/0
    vpp# ip route add 173.2.0.0/24 via svti

Best Regards
Dave

Regards
Ashish
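The thread turns on where the SA is chosen: the FIB only decides which interface the packet leaves on (and, for a route with no next hop, gleans and ARPs for the destination), while ipsec-output-ip4 picks the SA by matching the packet against the interface's SPD policies by address range, port range, protocol and priority. The following is an added example, not code from the thread or from VPP, that models that SPD lookup over the two policies Dave pasted, plus one constructed second-tunnel policy (sa 4, remote range 173.4.0.0 - 173.4.255.255, which is an assumption not present in the thread) to show why one route towards the protected interface can serve several tunnels. The matching semantics are a simplified model of VPP's implementation; the FIB/ARP part that the svti interface works around is not modelled.

```python
"""Model of an IPsec SPD (security policy database) lookup.

Added example: not code from the vpp-dev thread or from VPP itself.  It models
the policy-matching step that ipsec-output-ip4 / ipsec-input-ip4 perform,
using the policies from the thread (sp 1 outbound -> sa 2, sp 1 inbound -> sa 1).
Matching order (highest priority first) and field semantics are a simplified
model (assumption), not VPP's exact algorithm.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

ICMP = 1  # IP protocol number of the ping in the thread


def ip(s: str) -> IPv4Address:
    return IPv4Address(s)


@dataclass(frozen=True)
class Policy:
    """One SPD entry, shaped like the 'show ipsec' output in the thread."""
    sp_id: int
    priority: int
    action: str                      # "protect", "bypass" or "discard"
    sa_id: Optional[int]             # SA applied when action == "protect"
    local_range: Tuple[IPv4Address, IPv4Address]
    remote_range: Tuple[IPv4Address, IPv4Address]
    protocol: Optional[int] = None   # None models "protocol any"
    local_ports: Tuple[int, int] = (0, 65535)
    remote_ports: Tuple[int, int] = (0, 65535)


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    protocol: int
    sport: int = 0  # ICMP has no ports; 0 sits inside the full 0-65535 range
    dport: int = 0


def _in_range(value, lo_hi) -> bool:
    lo, hi = lo_hi
    return lo <= value <= hi


def policy_matches(pol: Policy, pkt: Packet, direction: str) -> bool:
    # Outbound: "local" is the packet source, "remote" the destination.
    # Inbound: the roles swap, because "local" is still our side of the tunnel.
    if direction == "outbound":
        local_addr, remote_addr, local_port, remote_port = pkt.src, pkt.dst, pkt.sport, pkt.dport
    elif direction == "inbound":
        local_addr, remote_addr, local_port, remote_port = pkt.dst, pkt.src, pkt.dport, pkt.sport
    else:
        raise ValueError(f"unknown direction {direction!r}")
    if pol.protocol is not None and pol.protocol != pkt.protocol:
        return False
    return (_in_range(local_addr, pol.local_range)
            and _in_range(remote_addr, pol.remote_range)
            and _in_range(local_port, pol.local_ports)
            and _in_range(remote_port, pol.remote_ports))


def spd_lookup(policies: List[Policy], pkt: Packet, direction: str) -> Optional[Policy]:
    """Return the highest-priority policy matching pkt, or None if no policy matches."""
    for pol in sorted(policies, key=lambda p: p.priority, reverse=True):
        if policy_matches(pol, pkt, direction):
            return pol
    return None


# Policies as printed in the thread.
OUTBOUND_SPD = [
    Policy(1, 1920, "protect", 2,
           (ip("173.0.0.0"), ip("173.255.255.255")), (ip("173.2.0.1"), ip("173.2.0.1"))),
]
INBOUND_SPD = [
    Policy(1, 1680, "protect", 1,
           (ip("173.0.0.0"), ip("173.255.255.255")), (ip("173.2.0.1"), ip("173.2.0.1"))),
]

# Constructed (assumption, not from the thread): a second tunnel to another VM
# whose SA is 4, protecting 173.4.0.0/16.  Both policies live in the same SPD on
# the same interface, so the SA is selected by the SPD, not by the route.
OUTBOUND_SPD_MULTI = OUTBOUND_SPD + [
    Policy(2, 1900, "protect", 4,
           (ip("173.0.0.0"), ip("173.255.255.255")), (ip("173.4.0.0"), ip("173.4.255.255"))),
]


def outbound_sa(src: str, dst: str, policies=OUTBOUND_SPD, protocol: int = ICMP) -> Optional[int]:
    """SA id ipsec-output-ip4 would apply to src->dst; None means no 'protect' policy matched
    (the packet would leave in the clear, which is the failure mode to watch for)."""
    pol = spd_lookup(policies, Packet(ip(src), ip(dst), protocol), "outbound")
    return pol.sa_id if pol is not None and pol.action == "protect" else None


def inbound_sa(src: str, dst: str, policies=INBOUND_SPD, protocol: int = ICMP) -> Optional[int]:
    """SA id the inbound SPD expects for a decrypted src->dst packet; None if no policy matches."""
    pol = spd_lookup(policies, Packet(ip(src), ip(dst), protocol), "inbound")
    return pol.sa_id if pol is not None and pol.action == "protect" else None


if __name__ == "__main__":
    print("ping 173.2.0.1 -I 173.10.10.10 ->", outbound_sa("173.10.10.10", "173.2.0.1"))
    print("173.10.10.10 -> 173.4.0.5 (two tunnels) ->",
          outbound_sa("173.10.10.10", "173.4.0.5", OUTBOUND_SPD_MULTI))
```

Running it shows the ping in the thread selecting sa 2, a destination one address outside the single-host remote range (173.2.0.2) matching nothing and therefore leaving unprotected, and, with the constructed second policy, the same interface's SPD steering traffic for 173.4.0.0/16 to sa 4. A useful check on a real box is the same idea in reverse: for every prefix you route towards the protected interface, confirm an outbound policy covers it, since an unmatched packet is forwarded in plaintext rather than dropped.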
View/Reply Online (#22463): https://lists.fd.io/g/vpp-dev/message/22463