Hi Vijay,

It sounds like the SA you programme did not install. As you say, DES is 
insecure, so we don’t even test it anymore. I would suggest you start with a UT 
in VPP and go from there. Maybe extend the algos in MyParameters in 
test/test_ipsec_esp.py

/neale

From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> on behalf of Vijay Kumar via 
lists.fd.io <vjkumar2003=gmail....@lists.fd.io>
Date: Thursday, 26 May 2022 at 21:52
To: vpp-dev <vpp-dev@lists.fd.io>
Subject: [vpp-dev] Regarding DES support in VPP

Hi Neale/Benoit,

I know we must not talk about DES and MD5 these days as they are insecure and 
must not be configured. My QA has raised an issue that DES is not working. I 
have myself not tested it as the customers would never configure it.

The QA says the "show ipsec sa" command does not show anything if DES is 
configured.

Also the show node counters had this counter incremented for DES.
"4 ipsec4-tun-input no matching tunnel"

Not sure if I am missing something.

NOTE:
======
1) We don't use the vpp ikev2 plugin. We have our own IKE stack that programs 
the VPP with IPSEC SA. Basically our application receives the SA and calls the 
ipsec_sa_add_and_lock() API to install the SA.

2) We have tested AES128, AES256, 3DES and they were working fine. The code to 
receive keys from IKE stack and program the vnet/ipsec is the same.



Regards,
Vijay Kumar N.