Hi Sonia,

How are you routing into the tunnels, and what changes to that routing do you 
make when removing and adding tunnels?

/neale

From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> on behalf of Sonia Rovner via 
lists.fd.io <sonia.rovner=oracle....@lists.fd.io>
Date: Tuesday, 12 April 2022 at 22:57
To: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io>
Subject: [vpp-dev] User traffic is going down the wrong tunnel when multiple 
IKEv2/IPsec tunnels are added, removed then added.

Hi All,

So we are creating multiple (3) IKEv2/IPsec tunnels between two VPP instances. 
When the setup is clean (VPP restart), all the tunnels come up and traffic flows 
as it should.
When we make configuration changes by removing two of the tunnels, then make 
another change by adding the tunnels back, the IPsec tunnels come up. User 
traffic does not flow correctly on the added IKEv2/IPsec tunnels. From the packet 
trace we can see traffic using credentials for one tunnel but being sent down 
the other added tunnel.

Below is the diagram of the testbed setup.  Start off with 3 IKE/IPsec tunnels. 
 The config change was to remove 2nd and 3rd tunnels below.  Then, another 
config change to add the 2nd and 3rd tunnels back.

192.168.10.6 ==192.168.30.6
192.168.11.6 ==192.168.31.6
192.168.12.6 ==192.168.32.6

When traffic does flow, it's always when the ipip_add_tunnel API returns 
sw_if_index in ascending order:
for 192.168.31.6==192.168.11.6, sw_if_index is 7, ipip1.
for 192.168.32.6==192.168.12.6, sw_if_index is 8, ipip2.

When traffic doesn't flow, it's always when the ipip_add_tunnel API returns 
sw_if_index out of order.
For example, on vpp2, when adding the ipip tunnels:
for 192.168.31.6==192.168.11.6, sw_if_index is 8, ipip2.
for 192.168.32.6==192.168.12.6, sw_if_index is 7, ipip1.

In the attached packet trace, vpp2dpdkbroken.trace, you can see that TCP 
packets from 192.168.220.20 -> 192.168.200.20 for ipip2 are sent to IPSEC_ESP: 
192.168.32.6 -> 192.168.12.6

The packet generator is running from the vpp2 Testnode using
             nping --tcp 192.168.200.20 -p 2001-4000 --rate 100

Regards,
-Sonia
