[vpp-dev] #ipsec #vnet #vpp #vpp-dev


nikhil subhedar

Hi All,

I am facing a problem when IPsec is enabled on my box.
1) Once the packet comes to my box I am decrypting the packet and I am setting the FIB index as 1, since my TCP application's listening IP belongs to FIB 1.
2) In this scenario the SYN has reached the TCP node, then the SYN+ACK is formed and forwarded by the TCP node to the IP node, where the lookup is happening.
3) Here at the IP layer, inside ip4_lookup_inline(), it is marking the next node based on the DPO object.
4) Now, from the IP layer it has to reach esp4-encrypt, but sometimes it is not reaching it.
What could be the reason? Can anyone please shed some light on this?

Below are the steps I am performing.
1) Creating the IPsec tunnel at my StrongSwan.
2) Creating the ipip0 interface using
   set interface state ipip0 up
3) Setting this unnumbered ipip0 to the vth interface.
   set interface unnumbered ipip0 use VirtualFuncEthernet0/6/0.884
4) Adding a reverse route so that my SYN+ACK can reach my client.

Thanks,
Nikhil


Neale Ranns


There’s not enough information here to diagnose what the problem is. Let’s start with a packet trace.


#regards

/neale


From: vpp-dev@... <vpp-dev@...> on behalf of nikhil subhedar via lists.fd.io <subhedarnikhil=gmail.com@...>
Date: Saturday, 31 July 2021 at 19:49
To: vpp-dev@... <vpp-dev@...>
Subject: [vpp-dev] #ipsec #vnet #vpp #vpp-dev

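Following Neale's suggestion, here is an added example (not code from this thread and not part of VPP) of how one can read a captured `show trace` and answer the question Nikhil is actually asking: for each traced packet, does `esp4-encrypt` appear after `ip4-lookup`, which FIB index did the lookup use, and at which node did the packet end. The trace text below is constructed for the example; the line layout it relies on (a timestamp-prefixed node name at column 0, a `fib N dpo-idx M` detail line under `ip4-lookup`) is an assumption about typical trace output, so adjust the regexes if your build prints something different.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of `vppctl show trace` output (not captured from a real box).
# Packet 1 takes the expected path ip4-lookup -> ip4-rewrite -> esp4-encrypt.
# Packet 2 is looked up in FIB 0 instead of FIB 1 and ends in error-drop.
SAMPLE_TRACE = """\
Packet 1

00:00:12:004101: tcp4-output
  TCP: 192.0.2.10 -> 198.51.100.7 SYN-ACK
00:00:12:004110: ip4-lookup
  fib 1 dpo-idx 9 flow hash: 0x00000000
  TCP: 192.0.2.10 -> 198.51.100.7
00:00:12:004118: ip4-rewrite
  tx_sw_if_index 3 dpo-idx 9 : ipv4 via 0.0.0.0 ipip0
00:00:12:004125: esp4-encrypt
  esp: sa-index 1 spi 3735928559 seq 17
00:00:12:004140: ip4-lookup
  fib 0 dpo-idx 4 flow hash: 0x00000000

Packet 2

00:00:12:005001: tcp4-output
  TCP: 192.0.2.10 -> 198.51.100.8 SYN-ACK
00:00:12:005009: ip4-lookup
  fib 0 dpo-idx 1 flow hash: 0x00000000
  TCP: 192.0.2.10 -> 198.51.100.8
00:00:12:005015: ip4-drop
  drop: no route
00:00:12:005020: error-drop
  rx:VirtualFuncEthernet0/6/0.884
"""

# Assumed line shapes (see lead-in): "HH:MM:SS:usec: node-name", "Packet N",
# and an indented "fib N dpo-idx M ..." detail line beneath ip4-lookup.
NODE_LINE = re.compile(r"^\d{2}:\d{2}:\d{2}:\d{6}: (\S+)")
PACKET_LINE = re.compile(r"^Packet (\d+)")
FIB_LINE = re.compile(r"^\s+fib (\d+) dpo-idx (\d+)")


def parse_trace(text: str) -> List[Dict]:
    """Split a trace dump into packets, each with its ordered node path and
    the FIB index used by every ip4-lookup it passed through."""
    packets: List[Dict] = []
    cur: Optional[Dict] = None
    for line in text.splitlines():
        m = PACKET_LINE.match(line)
        if m:
            cur = {"packet": int(m.group(1)), "nodes": [], "lookup_fibs": []}
            packets.append(cur)
            continue
        if cur is None:
            continue  # preamble before the first "Packet N" header
        m = NODE_LINE.match(line)
        if m:
            cur["nodes"].append(m.group(1))
            continue
        m = FIB_LINE.match(line)
        # Only attribute the fib line to a lookup node, not to other detail lines.
        if m and cur["nodes"] and cur["nodes"][-1] == "ip4-lookup":
            cur["lookup_fibs"].append(int(m.group(1)))
    return packets


def check_encrypt_path(packet: Dict, lookup: str = "ip4-lookup",
                       encrypt: str = "esp4-encrypt") -> Dict:
    """Report whether the encrypt node was reached after the first lookup,
    and where the packet ended up if it was not."""
    nodes = packet["nodes"]
    last = nodes[-1] if nodes else None
    if lookup not in nodes:
        return {"status": "no-lookup", "last_node": last}
    after = nodes[nodes.index(lookup) + 1:]
    if encrypt in after:
        return {"status": "encrypted", "last_node": last}
    return {"status": "missed-encrypt", "last_node": last, "after_lookup": after}


def summarize(text: str) -> Dict[int, Dict]:
    """Map packet number -> path verdict, including the lookup FIB indices."""
    out: Dict[int, Dict] = {}
    for p in parse_trace(text):
        verdict = check_encrypt_path(p)
        verdict["lookup_fibs"] = p["lookup_fibs"]
        out[p["packet"]] = verdict
    return out


if __name__ == "__main__":
    for num, verdict in summarize(SAMPLE_TRACE).items():
        print(f"Packet {num}: {verdict}")
```

Capture the input with `vppctl clear trace`, `vppctl trace add <input-node> <count>` (the input node of the interface the SYN arrives on), reproduce the connection, then `vppctl show trace > trace.txt` and feed the file to `summarize()`. A packet reported as `missed-encrypt` whose `lookup_fibs` shows an unexpected FIB index points at the VRF the SYN+ACK was looked up in, which is the first thing to compare against the route that is supposed to steer it into ipip0.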