Re: [vpp-dev] All UDP packet being dropped at “ipsec4_input_node” when IPSEC policy configured

2023-03-13 Thread Varun Tewari 
Thank you for bringing this to the fore.
I am noticing something interesting along the same lines as well during my 
investigation.
I am using strongswan as the initiator and VPP Ikev2 as the responder.

My observations are:
1. Strongswan initiator forceencap=yes and VPP responder ikev2 profile set 
udp-encap, my tunnels do not come up. Ike gets established but CHILD_SA fails.
2. Strongswan initiator forceencap=no and VPP responder ikev2 profile set 
udp-encap, my tunnels come up. Traffic drops with 
ESP_DECRYPT_ERROR_TUN_NO_PROTO (all traffic)
3. Strongswan initiator forceencap=yes and VPP responder udp-encap not set in 
profile, my tunnels do come up and traffic flows.

Let me know as well if these are expected observations.

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#22696): https://lists.fd.io/g/vpp-dev/message/22696
Mute This Topic: https://lists.fd.io/mt/97576487/21656
Group Owner: vpp-dev+ow...@lists.fd.io
Unsubscribe: https://lists.fd.io/g/vpp-dev/leave/1480452/21656/631435203/xyzzy 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [vpp-dev] VPP IPsec queries

2023-03-02 Thread Varun Tewari 
Thank you Ashish/Zhang/All for your comments, they are very helpful for me to 
take the stride forward.
I will check ABF and vpp-swan in more depth to support my use-case.

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#22648): https://lists.fd.io/g/vpp-dev/message/22648
Mute This Topic: https://lists.fd.io/mt/97230775/21656
Group Owner: vpp-dev+ow...@lists.fd.io
Unsubscribe: https://lists.fd.io/g/vpp-dev/leave/1480452/21656/631435203/xyzzy 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[vpp-dev] VPP IPsec queries

2023-02-25 Thread Varun Tewari 
Hello Team,

I am new to VPP and probing this technology to build an IPSec responder for our 
use-cases.
Our initial tests do show the performance might of VPP.
However on probing this further in depth, I noticed a few limitations and I am 
dropping this rider seeking clarification around these.
All my observations are for VPP 23.02 and am using VPP’s Ikev2 plugin.I am 
using a linux with strongswan as the peer for my tests.

My observations:

1.
VPP seems doesn’t support multiple child-sa (phase 2 sa, ipsec sa) within the 
same tunnel.
Single IPsec SA works fine. An interface ipip0 gets created and SPD shows the 
correct binding (show ipsec all).
However ,when I bring up the second child-sa for a different TS, I se the SPD 
gets overwritten for the interface and the new child-sa gets installed 
overwriting the previous one.
For sure this is leading to traffic drop for the traffic hitting the first TS.

Q: Is this by design or have I got my config wrong in some way.

Here the quick output from the VPP and strongswan
sudo swanctl --list-sas
net-1: #11, ESTABLISHED, IKEv2, abb046c62a60c38a_i* dc95e079629854ca_r
  local  'roadwarrior.vpn.example.com' @ 17.17.17.1[500]
  remote 'vpp.home' @ 17.17.17.2[500]
  AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
  established 848s ago, reauth in 84486s
  net-1: #16, reqid 16, INSTALLED, TUNNEL, ESP:AES_CBC-192/HMAC_SHA1_96/ESN
installed 848s ago, rekeying in 84690s, expires in 85552s
in  cec3d263,  24717 bytes,   107 packets,   687s ago
out a1816d8f, 179718 bytes,   778 packets, 0s ago
local  16.16.16.0/24
remote 18.18.18.0/24
  net-2: #17, reqid 17, INSTALLED, TUNNEL, ESP:AES_CBC-192/HMAC_SHA1_96/ESN
installed 686s ago, rekeying in 84831s, expires in 85714s
in  cd14add0, 122199 bytes,   529 packets, 2s ago
out de989d78, 122199 bytes,   529 packets, 2s ago
local  16.16.15.0/24
remote 18.18.18.0/24

vpp# show ipsec all
[0] sa 2181038080 (0x8200) spi 3468939875 (0xcec3d263) protocol:esp 
flags:[esn anti-replay ]
[1] sa 3254779904 (0xc200) spi 2709613967 (0xa1816d8f) protocol:esp 
flags:[esn anti-replay inbound ]
[2] sa 2181038081 (0x8201) spi 3440684496 (0xcd14add0) protocol:esp 
flags:[esn anti-replay ]
[3] sa 3254779905 (0xc201) spi 3734543736 (0xde989d78) protocol:esp 
flags:[esn anti-replay inbound ]
SPD Bindings:
ipip0 flags:[none]
 output-sa:
  [2] sa 2181038081 (0x8201) spi 3440684496 (0xcd14add0) protocol:esp 
flags:[esn anti-replay ]
 input-sa:
  [3] sa 3254779905 (0xc201) spi 3734543736 (0xde989d78) protocol:esp 
flags:[esn anti-replay inbound ]
IPSec async mode: off
vpp#

All 4 SAs exist, however the SPD binding shows the latest 2, that overwrote the 
SAs for the previous TS leading to traffic drop.


2.
Overlapping subnets between different Ipsec tunnel

When Ikev2 completes, I see, it creates an pip interface and relevant Child-SAs 
and ties them to the interface to protect traffic.
So far all is good.
Now, we add an route into VPP to route the traffic via this ipip interface for 
each of the source subnet that are expected to be protected by the tunnel.
This works fine as long as I keep the subnets distinct.

Q: What’s the usual strategy when we have overlapping subnets in two distinct 
tunnels ?
T1: SrcSubnet1 DestinationSubnet1
T2: SrcSubnet1 DestinationSubnet2

When T1 is brought up, we add a FIB entry for SrcSubnet1 via ipipT1 and things 
works fine.
When T2 comes up, ipipT2 is created and now I need to add FIB entry for 
SrcSubnet1 via ipipT2 and as expected things break here.


3.
IpIp vs Ipsec interface
For Route based VPP IPsec, I see two options as per the documentation.
The doc says, Ikev2 will create an ipsec interface, however it creates an ipip 
interface. Is this expected ?
The interface works okay for me, but wasn’t sure why the difference.
Further on probing the code, I do see Ikev2 plugin is creating an ipip 
interface not ipsec interface as the doc says.


Thank you in advance for all your comments here.

शुभ कामनाएँ,
Varun Tewari


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#22626): https://lists.fd.io/g/vpp-dev/message/22626
Mute This Topic: https://lists.fd.io/mt/97230775/21656
Group Owner: vpp-dev+ow...@lists.fd.io
Unsubscribe: https://lists.fd.io/g/vpp-dev/leave/1480452/21656/631435203/xyzzy 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-