Hi Ruoyu,

Could you please post the ipsec error message on create? SA create usually indicates an issue with hardware. You might want to try if rebooting the instance resolves it?
--
Regards,
Balaji.

From: <vpp-dev@lists.fd.io> on behalf of "Ying, Ruoyu" <ruoyu.y...@intel.com>
Date: Thursday, October 17, 2019 at 1:51 AM
To: "vpp-dev@lists.fd.io" <vpp-dev@lists.fd.io>
Subject: [vpp-dev] VPP IPSec failed to add SA

Hi,

I tried to use vpp to enable IPSec in my environment. And when I tried to create a SA, I always got an error for that. Detailed configs look like this:

Interface details:

vpp# show int
              Name               Idx    State  MTU (L3/IP4/IP6/MPLS)     Counter          Count
VirtualFunctionEthernet0/5/0      1      up          9000/0/0/0
VirtualFunctionEthernet0/6/0      2      up          9000/0/0/0
local0                            0     down          0/0/0/0

IPSec configs:

set interface state VirtualFunctionEthernet0/5/0 up
set interface state VirtualFunctionEthernet0/6/0 up
set interface ip address VirtualFunctionEthernet0/5/0 192.168.70.100/24
set interface ip address VirtualFunctionEthernet0/6/0 192.168.100.3/24
set int promiscuous on VirtualFunctionEthernet0/5/0
set int promiscuous on VirtualFunctionEthernet0/6/0
set ip arp VirtualFunctionEthernet0/6/0 192.168.100.4 fa:16:3e:b3:8b:fd
set ip arp VirtualFunctionEthernet0/5/0 192.168.70.200 fa:16:3e:f5:2f:e9
ip route add count 1 104.0.0.0/32 via 192.168.100.4 VirtualFunctionEthernet0/6/0
ip route add count 1 004.0.0.0/32 via 192.168.70.200 VirtualFunctionEthernet0/5/0
ipsec spd add 1
set interface ipsec spd VirtualFunctionEthernet0/6/0 1
ipsec sa add 1 spi 1001 esp tunnel-src 192.168.100.3 tunnel-dst 192.168.100.4 crypto-key 2b7e151628aed2a6abf7158809cf4f3d crypto-alg aes-cbc-128 integ-key 6867666568676665686766656867666568676669 integ-alg sha1-96 //This line will return an error ‘ipsec sa: failed’
ipsec sa add 2 spi 25500128 esp tunnel-src 192.168.100.4 tunnel-dst 192.168.100.3 crypto-key 2b7e151628aed2a6abf7158809cf4f3d crypto-alg aes-cbc-128 integ-key 6867666568676665686766656867666568676669 integ-alg sha1-96
ipsec policy add spd 1 outbound priority 100 action protect sa 1 remote-ip-range 104.0.0.0-104.0.0.0
ipsec policy add spd 1 outbound priority 90 protocol 50 action bypass
ipsec policy add spd 1 inbound priority 100 action protect sa 1 remote-ip-range 004.0.0.0-004.0.0.0
ipsec policy add spd 1 inbound priority 90 protocol 50 action bypass

Anyone know the cause for that? Thanks a lot!!

Best Regards,
Ruoyu