Hi Sagar,

Your protection needs to be for the peer on the tunnel (44.44.44.44), not the peer on the Ethernet.

/neale

From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> on behalf of sagar g via lists.fd.io <sagargadher=gmail....@lists.fd.io>
Date: Friday, 11 February 2022 at 12:44
To: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io>
Subject: [vpp-dev] multipoint ipsec!!

Hi All,

I am currently working on supporting the multipoint ipsec interface (p2mp) feature on our product.

The issue is that packets are sent out without being encrypted.

Packets are taking the following graph node path: "tcp4-output ---> ipv4-lookup--->ip4-midchain---> adj-midchain-tx"

But I want my packets to take "tcp4-output ---> ipv4-lookup--->ip4-midchain---> esp4_encrypt_tun-->"

Below is the fib entry,
=======================
inner packet destination = 44.44.44.44
outer packet(tunnel) destination = 20.20.99.215

44.44.44.44/32
  unicast-ip4-chain
  [@0]: dpo-load-balance: [proto:ip4 index:14 buckets:1 uRPF:16 to:[12:720]]
    [0] [@6]: ipv4 via 44.44.44.44 ipip0: mtu:9000 next:12 45000000000000004004626f50505050141463d7
        stacked-on entry:13:
          [@2]: dpo-load-balance: [proto:ip4 index:15 buckets:1 uRPF:19 to:[6:1324] via:[12:960]]
            [0] [@5]: ipv4 via 20.20.99.215 VirtualFuncEthernet0/7/0.1556: mtu:1500 next:11 fa163e4b6b42fa163eeb7f86810006140800


vpp# show adj nbr
[@16]  ipv4 via 44.44.44.44 ipip0: mtu:9000 next:12 45000000000000004004626f50505050141463d7
  stacked-on entry:13:
    [@2]: dpo-load-balance: [proto:ip4 index:15 buckets:1 uRPF:19 to:[8:1540] via:[15:1200]]
      [0] [@5]: ipv4 via 20.20.99.215 VirtualFuncEthernet0/7/0.1556: mtu:1500 next:11 fa163e4b6b42fa163eeb7f86810006140800



ipsec protect output.
====================
vpp# show ipsec protect
ipip0: 20.20.99.215
 output-sa:
  [0] sa 68092 (0x109fc) spi 3249629366 (0xc1b168b6) protocol:esp flags:[anti-replay ]
 input-sa:
  [1] sa 68093 (0x109fd) spi 12413 (0x0000307d) protocol:esp flags:[anti-replay inbound ]


Can you please point out any basic issue with my routing or any issue here?

Thanks,
Sagar

--
Regards,
sagar g
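
Added example, not part of the original thread and not VPP code: a check for the mismatch the reply points out, where the protection is keyed on the Ethernet peer while the ipip0 adjacency is via the tunnel peer. It assumes the `show adj nbr` and `show ipsec protect` output formats quoted above; the function names and the tunnel interface prefixes are assumptions.

```python
import re

# Sample input copied from the outputs quoted in the thread (protect output shortened).
SHOW_ADJ = """\
[@16]  ipv4 via 44.44.44.44 ipip0: mtu:9000 next:12 45000000000000004004626f50505050141463d7
  stacked-on entry:13:
    [@2]: dpo-load-balance: [proto:ip4 index:15 buckets:1 uRPF:19 to:[8:1540] via:[15:1200]]
      [0] [@5]: ipv4 via 20.20.99.215 VirtualFuncEthernet0/7/0.1556: mtu:1500 next:11 fa163e4b6b42fa163eeb7f86810006140800
"""
SHOW_PROTECT = """\
ipip0: 20.20.99.215
 output-sa:
  [0] sa 68092 (0x109fc) spi 3249629366 (0xc1b168b6) protocol:esp flags:[anti-replay ]
"""

# Unindented adjacency line: "[@N]  ipv4 via <next hop> <interface>: ..."
ADJ_RE = re.compile(r"^\[@\d+\]\s+ipv[46] via (\S+) (\S+): ")
# Unindented protection header: "<interface>: <protected peer>"
PROT_RE = re.compile(r"^(\S+): (\S+)\s*$")

def _collect(pattern, text, key_group, val_group):
    """Build {interface: {addresses}} from lines matching pattern."""
    out = {}
    for line in text.splitlines():
        m = pattern.match(line)
        if m:
            out.setdefault(m.group(key_group), set()).add(m.group(val_group))
    return out

def adjacencies(text):
    """Next hops per interface; stacked (indented) entries are ignored."""
    return _collect(ADJ_RE, text, 2, 1)

def protections(text):
    """Protected peers per interface."""
    return _collect(PROT_RE, text, 1, 2)

def unprotected(adj_text, protect_text, tunnel_prefixes=("ipip", "gre")):
    """Return (interface, next hop) pairs on tunnel interfaces that have
    no protection entry for that next hop, i.e. traffic would go out in clear."""
    prot = protections(protect_text)
    gaps = []
    for itf, hops in adjacencies(adj_text).items():
        if itf.startswith(tunnel_prefixes):  # assumed naming of tunnel interfaces
            gaps += [(itf, hop) for hop in hops - prot.get(itf, set())]
    return sorted(gaps)

if __name__ == "__main__":
    for itf, hop in unprotected(SHOW_ADJ, SHOW_PROTECT):
        print(f"{itf}: adjacency via {hop} has no matching protection")
```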