From: Terry <zenghao...@163.com>
Date: Monday 6 January 2020 at 23:51
To: "Neale Ranns (nranns)" <nra...@cisco.com>
Cc: "vpp-dev@lists.fd.io" <vpp-dev@lists.fd.io>
Subject: Re:Re:Re: [vpp-dev] vpp19.08 ipsec issue

[trim]

And when I ping 192.168.1.2 from 100.0.0.3(user1), the TRACE packet information 
is as follows:
Packet 1

00:38:45:983763: handoff_trace
  HANDED-OFF: from thread 1 trace index 0
00:38:45:983763: nat44-in2out
  NAT44_IN2OUT_FAST_PATH: sw_if_index 1, next index 3, session -1
00:38:45:983767: nat44-in2out-slowpath
  NAT44_IN2OUT_SLOW_PATH: sw_if_index 1, next index 0, session 6
00:38:45:983772: ip4-lookup
  fib 0 dpo-idx 3 flow hash: 0x00000000
  ICMP: 192.168.1.1 -> 192.168.1.2

Which SPD policy does/should this packet match?

/neale

    tos 0x00, ttl 64, length 84, checksum 0x080c
    fragment id 0xaf49, flags DONT_FRAGMENT
  ICMP echo_request checksum 0x8943
00:38:45:983775: ip4-rewrite
  tx_sw_if_index 2 dpo-idx 3 : ipv4 via 192.168.1.2 GigabitEthernet2/1/0: 
mtu:9000 000c29f77626000c29347e990800 flow hash: 0x00000000
  00000000: 000c29f77626000c29347e99080045000054af4940003f01090cc0a80101c0a8
  00000020: 010208008943ad4e00095427135e000000008f0c0c00000000001011
00:38:45:983778: ipsec4-output-feature
  spd 1 policy -1
00:38:45:983780: error-drop
  rx:GigabitEthernet2/0/0
00:38:45:983783: drop
  dpdk-input: no error

Packet 2

00:38:47:007175: handoff_trace
  HANDED-OFF: from thread 1 trace index 1
00:38:47:007175: nat44-in2out
  NAT44_IN2OUT_FAST_PATH: sw_if_index 1, next index 3, session -1
00:38:47:007184: nat44-in2out-slowpath
  NAT44_IN2OUT_SLOW_PATH: sw_if_index 1, next index 0, session 6
00:38:47:007193: ip4-lookup
  fib 0 dpo-idx 3 flow hash: 0x00000000
  ICMP: 192.168.1.1 -> 192.168.1.2
    tos 0x00, ttl 64, length 84, checksum 0x07f5
    fragment id 0xaf60, flags DONT_FRAGMENT
  ICMP echo_request checksum 0xc1e4
00:38:47:007197: ip4-rewrite
  tx_sw_if_index 2 dpo-idx 3 : ipv4 via 192.168.1.2 GigabitEthernet2/1/0: 
mtu:9000 000c29f77626000c29347e990800 flow hash: 0x00000000
  00000000: 000c29f77626000c29347e99080045000054af6040003f0108f5c0a80101c0a8
  00000020: 01020800c1e4ad4e000a5527135e00000000556a0c00000000001011
00:38:47:007202: ipsec4-output-feature
  spd 1 policy -1
00:38:47:007206: error-drop
  rx:GigabitEthernet2/0/0
00:38:47:007209: drop
  dpdk-input: no error

It looks like there are no rules for the traffic to get through.
When I config this command:
# set interface ipsec spd GigabitEthernet2/1/0 1
All the packets cannot get through the GigabitEthernet2/1/0 interface.
How can I config the IPSec policy to only protect the IPSec traffic and leave 
other traffic to the normal forwarding?
In general, the user1 can access user2 with IPSec tunnel and can also access 
the public network with NAT in VPP1.
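As an added illustration (not code from this thread, from Neale, or from the VPP project), the script below parses the two trace records quoted above and models what an outbound SPD lookup does with them. The `policy -1` in the `ipsec4-output-feature` line means no policy in SPD 1 matched, and the following `error-drop` is the consequence: an SPD bound to an interface with no matching policy drops the packet. The model orders policies by priority, highest first, which is how VPP's SPD lookup behaves, and shows one way to get the intended split: a high-priority `protect` policy for the tunnel peer's subnet, an explicit `bypass` for ESP (protocol 50) so the encapsulated tunnel packets themselves can leave the interface, and a low-priority catch-all `bypass` so NAT'd internet traffic is forwarded normally. The tunnel peer subnet `10.99.0.0/24` and the ESP destination `203.0.113.5` are placeholders; the thread does not state user2's addressing.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed input: the two trace records from the thread, trimmed to the
# nodes relevant to the SPD question.
TRACE = """\
Packet 1

00:38:45:983772: ip4-lookup
  fib 0 dpo-idx 3 flow hash: 0x00000000
  ICMP: 192.168.1.1 -> 192.168.1.2
    tos 0x00, ttl 64, length 84, checksum 0x080c
00:38:45:983778: ipsec4-output-feature
  spd 1 policy -1
00:38:45:983780: error-drop
  rx:GigabitEthernet2/0/0

Packet 2

00:38:47:007193: ip4-lookup
  fib 0 dpo-idx 3 flow hash: 0x00000000
  ICMP: 192.168.1.1 -> 192.168.1.2
00:38:47:007202: ipsec4-output-feature
  spd 1 policy -1
00:38:47:007206: error-drop
  rx:GigabitEthernet2/0/0
"""

# Protocol names as printed by the ip4 trace formatter -> IP protocol numbers.
PROTO_NUM = {"ICMP": 1, "TCP": 6, "UDP": 17, "IPSEC_ESP": 50}
PKT_RE = re.compile(r"^\s+(ICMP|TCP|UDP|IPSEC_ESP): (\S+) -> (\S+)", re.M)
SPD_RE = re.compile(r"^\s+spd (\d+) policy (-?\d+)", re.M)


def parse_trace(text):
    """Split a 'show trace' dump into one record per packet."""
    records = []
    for chunk in re.split(r"^Packet \d+$", text, flags=re.M):
        m = PKT_RE.search(chunk)
        if not m:
            continue
        s = SPD_RE.search(chunk)
        records.append({
            "proto": PROTO_NUM[m.group(1)],
            "src": m.group(2),
            "dst": m.group(3),
            "spd": int(s.group(1)) if s else None,
            "policy": int(s.group(2)) if s else None,   # -1 == no match
            "dropped": "error-drop" in chunk,
        })
    return records


@dataclass
class Policy:
    priority: int
    action: str                       # "bypass" | "discard" | "protect"
    local: ipaddress.IPv4Network      # source range for outbound traffic
    remote: ipaddress.IPv4Network     # destination range for outbound traffic
    protocol: Optional[int] = None    # None == any protocol


def spd_lookup(policies, pkt):
    """Highest-priority matching policy, or None (what VPP reports as -1)."""
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    for pol in sorted(policies, key=lambda p: p.priority, reverse=True):
        if src in pol.local and dst in pol.remote and pol.protocol in (None, pkt["proto"]):
            return pol
    return None


def classify(policies, pkt):
    pol = spd_lookup(policies, pkt)
    return pol.action if pol else "drop (no policy matched)"


ANY = ipaddress.ip_network("0.0.0.0/0")
TUNNEL_REMOTE = ipaddress.ip_network("10.99.0.0/24")   # placeholder: user2's subnet

# What the thread shows: SPD 1 bound to the interface with no policies in it.
EMPTY_SPD = []

# One layout that protects only tunnel traffic and leaves the rest alone.
FIXED_SPD = [
    Policy(priority=200, action="bypass", local=ANY, remote=ANY, protocol=50),   # ESP itself
    Policy(priority=100, action="protect", local=ANY, remote=TUNNEL_REMOTE),     # to user2
    Policy(priority=10, action="bypass", local=ANY, remote=ANY),                 # everything else
]


def audit(trace_text, policies):
    """Per packet: what the trace recorded versus what the modelled SPD would do."""
    return [{
        "flow": f'{p["src"]} -> {p["dst"]} proto {p["proto"]}',
        "trace_policy": p["policy"],
        "trace_dropped": p["dropped"],
        "modelled_action": classify(policies, p),
    } for p in parse_trace(trace_text)]


if __name__ == "__main__":
    for row in audit(TRACE, EMPTY_SPD):
        print("empty SPD :", row)
    for row in audit(TRACE, FIXED_SPD):
        print("fixed SPD :", row)
```

Running it prints each ICMP packet as `trace_policy -1, trace_dropped True` under the empty SPD and `modelled_action 'bypass'` under the three-policy SPD; the ordering matters, since without the low-priority catch-all every packet that is neither ESP nor bound for the tunnel subnet would still fall off the end of the list and be dropped.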

View/Reply Online (#15067): https://lists.fd.io/g/vpp-dev/message/15067