Hi VPP Experts,

I have a route issue (VPP 19.01) and need your suggestions, thanks a lot!

There is an IPsec tunnel between VM1 and VPP:

sa 1 spi 3693429 mode tunnel protocol esp
      tunnel src 172.16.3.1 dst 172.16.3.15
sa 2 spi 3380458875 mode tunnel protocol esp
      tunnel src 172.16.3.15 dst 172.16.3.1

 outbound policies
  sp 1 priority 1920 action protect protocol any sa 2
   local addr range 173.0.0.0 - 173.255.255.255 port range 0 - 65535
   remote addr range 173.2.0.1 - 173.2.0.1 port range 0 - 65535

 inbound policies
  sp 1 priority 1680 action protect protocol any sa 1
   local addr range 173.0.0.0 - 173.255.255.255 port range 0 - 65535
   remote addr range 173.2.0.1 - 173.2.0.1 port range 0 - 65535


Send a ping packet: ping 173.2.0.1 -I 173.10.10.10
This packet will be routed to VPP interface GigabitEthernet0/b/0. We want this
packet to go through the IPsec tunnel, so we add the route below in VPP:

vpp# ip route add 173.2.0.0/24 via 172.16.3.1 GigabitEthernet0/a/0

Then this packet is routed to GigabitEthernet0/a/0 and goes to the IPsec output
handling node ipsec-output-ip4, which encrypts it, adds the IPsec tunnel IP and
sends it out. Everything is fine.

But I want to add the route in the way below:
vpp# ip route add 173.2.0.0/24 via GigabitEthernet0/a/0

because there may be many IPsec tunnels that connect to VPP from different
VMs, each with a different IP, like 172.16.4.1, 172.16.5.1, 172.16.6.1. I can't
be sure which VM will have this IP 173.2.0.1.

What I want is for the packet to be routed to GigabitEthernet0/a/0, so it can
run into the ipsec-output-ip4 node, which will find the correct SA tunnel inside;
then the packet will be forwarded correctly by the IPsec tunnel IP.


But from the trace, it sends an ARP request asking for 173.2.0.1 directly:

ip4-lookup -> ip4-glean -> GigabitEthernet0/a/0-output -> ip4-glean: ARP requests sent

How could I avoid this ARP request, for example like this?
ip4-lookup -> ip4-rewrite (GigabitEthernet0/a/0) -> ipsec-output-ip4




Best Regards

Dave