*Hi Devs,*

*I’m facing an issue when both IPsec (AH) and NAT44 features are enabled.*

Observed behavior:
--------------------------------------------------
In ip4-unicast-arc:
1) nat44-in2out -> ipsec (ah4-encrypt)

In ip4-output-arc:
2) nat44-out2in -> ipsec (ah4-decrypt)

*Problem:*
--------------------------------------------------
In the second case, NAT44 is placed "before" IPsec decryption, so it receives encrypted packets. As a result, packets are dropped since NAT expects plain (non-encrypted) IP packets.

*Expected behavior:*
--------------------------------------------------
The IPsec decrypt node should run "before" NAT44 (so NAT operates on decrypted packets).

*Question:*
--------------------------------------------------
Is there any CLI or configuration option to modify feature ordering in the ip4-output-arc at runtime (e.g., move NAT44 after IPsec)? Or must this be changed in the feature arc registration order at compile time?
