Hi Ravin, I would suggest two things:

1. In your application you should maintain an association between strongswan's client and the tunnel you create in VPP for it. Then, since the routes are associated with the client, they can easily be matched to the tunnel. You'll need this sort of association when the client is deleted and so the tunnel is too.

2. Both the [soon to be deprecated] ipsec tunnel and ipip tunnel create APIs allow you to choose the instance number of the tunnel. So the X in ipipX is your choice and not a counter.

/neale

From: <vpp-dev@lists.fd.io> on behalf of "ravinder.ya...@hughes.com" <ravinder.ya...@hughes.com>
Date: Wednesday 26 February 2020 at 20:28
To: "vpp-dev@lists.fd.io" <vpp-dev@lists.fd.io>
Subject: [vpp-dev] VPP IPSec Responder Server (VPN Server) VPP Route injection

Route Injection VPP IPSec: "Routing traffic through ipsec0 interface on the VPP responder"

Setup Details: StrongSwan IPsec client initiator which establishes 250 IPSec tunnels with the VPP head-end responder.

Case # Only one IPSec tunnel: ipip0 (ipsec00) interface, and it's straightforward to add a route for the remote IP range.

Case # When you have more than two IPSec tunnels, the ipsec interface name depends on which tunnels got established first.
    ipip0 interface (Can't add route because don't know which remote IP range): Could be remote 1 or 2
    ipip1 interface (Can't add route because don't know which remote IP range): Could be remote 1 or 2

This becomes a big issue when you have 250 clients coming in at the same time. It becomes impossible to decide which route gets injected on which interface!!

-Ravin

Ref: https://wiki.fd.io/view/VPP/IPSec_and_IKEv2#Routing_traffic_through_ipsec0_interface_on_the_VPP_responder

Routing traffic through ipsec0 interface on the VPP responder

At this point of the configuration, you still do not have end to end secure connectivity. You need to route traffic through the ipsec0 interface created on VPP. There are two ways of doing it.

First: using a dummy IP address.

    set interface state ipsec0 up
    set interface ip address ipsec0 11.11.11.11/32
    ip route add 192.168.3.0/24 via 11.11.11.11 ipsec0

Second: binding logical and physical interfaces. You must use the tunnel endpoint interface.

    ip route add 192.168.3.0/24 via ipsec0
    set interface state ipsec0 up
    set interface unnumbered ipsec0 use TenGigabitEthernet4/0/0
View/Reply Online (#15580): https://lists.fd.io/g/vpp-dev/message/15580
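One way to implement Neale's two suggestions on the controller side, as an added example that is not code from the thread or from VPP: the application keeps the client-to-instance association itself, so the routes for a client and its teardown are looked up by client identity rather than by guessing which ipipX came up first. The vppctl syntax `create ipip tunnel ... instance N`, the `uplink` interface name and the peer identities are assumptions; the commands are only generated, not executed.

```python
"""Controller-side bookkeeping for a VPP IPsec responder fronting many
strongSwan clients: the application, not VPP, owns the mapping
client -> ipip tunnel instance -> routes. Command strings are assumed
vppctl syntax and are only generated here (constructed example)."""
from dataclasses import dataclass
from itertools import count


@dataclass
class ClientTunnel:
    peer_id: str        # strongSwan identity of the client (constructed value)
    instance: int       # the X in ipipX; chosen by us, not an arrival counter
    remote_ts: list     # remote traffic selectors (prefixes) routed via the tunnel


class TunnelRegistry:
    def __init__(self, local: str, uplink: str) -> None:
        self.local, self.uplink = local, uplink   # uplink: physical interface name
        self.by_peer: dict = {}                   # peer_id -> ClientTunnel

    def _allocate(self) -> int:
        # Lowest instance number not held by a live client; freed numbers are reused.
        used = {t.instance for t in self.by_peer.values()}
        return next(i for i in count() if i not in used)

    def client_up(self, peer_id: str, peer_addr: str, remote_ts) -> list:
        """On CHILD_SA up (e.g. from a strongSwan updown hook): record the client
        and return the VPP commands creating its tunnel and its routes together."""
        if peer_id in self.by_peer:
            raise ValueError(f"{peer_id} already has a tunnel")
        t = ClientTunnel(peer_id, self._allocate(), list(remote_ts))
        self.by_peer[peer_id] = t
        ifname = f"ipip{t.instance}"
        cmds = [f"create ipip tunnel src {self.local} dst {peer_addr} instance {t.instance}",
                f"set interface state {ifname} up",
                f"set interface unnumbered {ifname} use {self.uplink}"]
        return cmds + [f"ip route add {net} via {ifname}" for net in t.remote_ts]

    def client_down(self, peer_id: str) -> tuple:
        """On CHILD_SA down: routes are found through the client, never by
        guessing ipipX. Returns (route deletions, freed instance); the caller
        then deletes the tunnel by the sw_if_index VPP reported at creation,
        which a real controller would store alongside the client (assumption)."""
        t = self.by_peer.pop(peer_id)
        return ([f"ip route del {net} via ipip{t.instance}" for net in t.remote_ts],
                t.instance)

    def interface_for(self, peer_id: str) -> str:
        return f"ipip{self.by_peer[peer_id].instance}"
```

With this, 250 clients arriving at once each get a deterministic ipipX bound to their own remote prefixes, and a deleted client releases its instance number for reuse.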