Thanks Neale, That is similar to my thinking as well. I think there is a good 
case for both approaches.

For the use cases we have:
1) IKE responder
- commonly a central site with no statically configured tunnels
- possibly some enhancements to reduce the static config for remote peers
- requires development of an API for requesting notification of tunnel/sa 
creation
- leave it to an agent to manage all other config for the new tunnel

2) IKE initiator
- commonly a branch office with a single statically configured tunnel to the 
central site
- static config for tunnels
- requires some development for triggering bringing the tunnel up on demand

Neale, the last point might be a difference to what you were thinking. To me, 
admin-down means the admin wants to disable the tunnel. We want the tunnel to be 
admin-up, but unable to pass traffic until it is protected by a valid SA. Perhaps 
reusing the "ipsec tunnel protect" command might be an option. And at least 
notify an agent that an SA is needed, if there is no internal mechanism (i.e. 
Linux acquire).

create ipip tunnel instance 0 ...
ipsec tunnel protect ipip0
set interface state ipip0 up
...

I still wonder how others are actually using VPP's IKE (or Strongswan) with the 
VPP data-plane at the moment. Can anyone suggest how they configure IKE managed 
VTIs?

Thanks,
Carl
View/Reply Online (#14730): https://lists.fd.io/g/vpp-dev/message/14730
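As an added illustration of the state Carl describes (admin-up, protected, but dropping traffic and asking an agent for an SA until a valid one is installed), here is a small Python model. It is not VPP code or anything from the thread; ProtectedTunnel, ChildSA, the on_acquire hook and the SPI/lifetime values are all assumptions made for the example, and the scenario follows the same order as the CLI sketch above: protect the tunnel first, then bring it admin-up.

```python
"""Toy model of a protected tunnel that stays admin-up but drops traffic
(and raises an 'acquire' to an agent) until a valid child SA is present.
Added example, not VPP code: every name here is an assumption."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class ChildSA:
    """Minimal IPsec child SA: just the SPI and a hard lifetime (model seconds)."""
    spi: int
    expires_at: float

    def valid(self, now: float) -> bool:
        return now < self.expires_at


@dataclass
class ProtectedTunnel:
    name: str
    admin_up: bool = False
    protected: bool = False            # "ipsec tunnel protect <if>" was issued
    sa_in: Optional[ChildSA] = None
    sa_out: Optional[ChildSA] = None
    on_acquire: Optional[Callable[[str], None]] = None  # agent hook (assumed)
    acquire_pending: bool = False
    log: List[str] = field(default_factory=list)

    def set_admin(self, up: bool) -> None:
        self.admin_up = up
        self.log.append(f"{self.name}: admin-{'up' if up else 'down'}")

    def protect(self) -> None:
        # Once protected, the tunnel never forwards in the clear again.
        self.protected = True
        self.log.append(f"{self.name}: protected")

    def install_sa(self, sa_in: ChildSA, sa_out: ChildSA) -> None:
        # Called by the IKE agent once negotiation has finished.
        self.sa_in, self.sa_out = sa_in, sa_out
        self.acquire_pending = False
        self.log.append(f"{self.name}: sa in={sa_in.spi:#x} out={sa_out.spi:#x}")

    def has_valid_sa(self, now: float) -> bool:
        return (self.sa_in is not None and self.sa_out is not None
                and self.sa_in.valid(now) and self.sa_out.valid(now))

    def forwarding(self, now: float) -> bool:
        """Data-plane view: admin-up alone is not enough on a protected tunnel."""
        if not self.admin_up:
            return False
        if not self.protected:
            return True            # plain ipip: forwards unencrypted
        return self.has_valid_sa(now)

    def _acquire(self, reason: str) -> None:
        # One outstanding request per tunnel; re-armed when an SA is installed.
        if self.acquire_pending:
            return
        self.acquire_pending = True
        self.log.append(f"{self.name}: acquire ({reason})")
        if self.on_acquire:
            self.on_acquire(self.name)

    def tx(self, now: float) -> str:
        """Return the fate of one packet queued on the tunnel at time `now`."""
        if not self.admin_up:
            return "drop:admin-down"        # operator disabled it: no acquire
        if not self.protected:
            return "ipip:cleartext"         # the hazard protect-before-up avoids
        if not self.has_valid_sa(now):
            self._acquire("expired" if self.sa_out else "no-sa")
            return "drop:waiting-for-sa"
        return f"esp:spi={self.sa_out.spi:#x}"


def branch_office_scenario() -> List[str]:
    """Walk the initiator case (2) from the message and return the packet fates."""
    requests: List[str] = []
    t = ProtectedTunnel("ipip0", on_acquire=requests.append)
    t.protect()                              # same order as the CLI sketch
    t.set_admin(True)
    fates = [t.tx(0.0), t.tx(1.0)]           # both dropped, only one acquire sent
    # Agent finishes IKE; SPIs and lifetimes are constructed, not negotiated.
    t.install_sa(ChildSA(0x1001, 3600.0), ChildSA(0x2002, 3600.0))
    fates.append(t.tx(10.0))                 # now encrypted
    fates.append(t.tx(4000.0))               # hard lifetime passed: re-acquire
    t.set_admin(False)
    fates.append(t.tx(4001.0))               # admin-down: silent drop, no acquire
    return fates + [f"acquires={len(requests)}"]


if __name__ == "__main__":
    for line in branch_office_scenario():
        print(line)
```

The two points the model makes explicit are the ones the message draws: an admin-down tunnel never raises an acquire, while an admin-up protected tunnel with no (or an expired) SA drops and raises exactly one, and an unprotected ipip tunnel that is brought up first would forward in the clear, which is why "ipsec tunnel protect" precedes "set interface state ... up" in the sketch.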