Hi Vijay,

VPP's IKE implementation only supports route-based VPNs (where a tunnel interface is created) and not policy-based (where the SPD is used).

/neale

From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> on behalf of Vijay Kumar via lists.fd.io <vjkumar2003=gmail....@lists.fd.io>
Date: Wednesday, 11 August 2021 at 13:00
To: vpp-dev <vpp-dev@lists.fd.io>
Subject: [vpp-dev] Regarding Traffic selectors (IP and port range) usage in vnet/ipsec encrypt

Hi Neale,

I was looking at the ipsec_sa_add_and_lock() function, which is called by ikev2 to install the IPSEC SA, but I was NOT able to find anywhere the IKEv2 negotiated traffic selectors, IP addr range (start, stop) and port range (start, stop), being programmed into vnet/ipsec.

In such a case, how does the SPD processing happen in the case of esp4-encrypt-tun()?

Only in the case of the ipsec4_output_node() function was I seeing that the function ipsec_output_policy_match() is invoked, which will do TS matching with the packet addr and port fields. But in the case of esp4-encrypt-tun() I do not see this policy (SPD) matching happen.

Regards.
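
The route-based versus policy-based distinction discussed in this thread, as an added example that is not part of the original messages and is not VPP code: a simplified C model in which every type, function name and sample value is hypothetical. It shows that an SPD lookup compares the packet against the address and port selectors, while a route lookup picks the SA from the destination prefix alone.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified model, not VPP code: every name below is hypothetical. */
typedef struct { uint32_t src, dst; uint16_t sport, dport; } pkt_t;
#define NO_SA (-1)

/* Policy-based: an SPD entry carries the negotiated traffic selectors. */
typedef struct {
    uint32_t raddr_start, raddr_stop;  /* remote address range */
    uint16_t rport_start, rport_stop;  /* remote port range */
    int sa_index;
} spd_entry_t;

/* Route-based: a prefix points at a tunnel interface bound to one SA. */
typedef struct { uint32_t prefix, mask; int sa_index; } route_t;

/* SPD lookup: the first entry whose selectors cover the packet wins. */
int policy_select_sa(const spd_entry_t *spd, int n, const pkt_t *p) {
    for (int i = 0; i < n; i++)
        if (p->dst >= spd[i].raddr_start && p->dst <= spd[i].raddr_stop &&
            p->dport >= spd[i].rport_start && p->dport <= spd[i].rport_stop)
            return spd[i].sa_index;
    return NO_SA;
}

/* FIB lookup: longest matching prefix wins; ports are never examined. */
int route_select_sa(const route_t *fib, int n, const pkt_t *p) {
    int best = NO_SA;
    uint32_t best_mask = 0;
    for (int i = 0; i < n; i++)
        if ((p->dst & fib[i].mask) == fib[i].prefix && fib[i].mask >= best_mask) {
            best = fib[i].sa_index;
            best_mask = fib[i].mask;
        }
    return best;
}

/* Constructed sample data: selectors cover 10.1.0.0-10.1.255.255 port 443. */
static const spd_entry_t demo_spd[] = {{0x0A010000u, 0x0A01FFFFu, 443, 443, 7}};
static const route_t demo_fib[] = {{0x0A010000u, 0xFFFF0000u, 7}};
static const pkt_t demo_https = {0xC0A80001u, 0x0A010005u, 40000, 443};
static const pkt_t demo_ssh = {0xC0A80001u, 0x0A010005u, 40001, 22};

int main(void) {
    printf("policy-based: https -> SA %d, ssh -> SA %d\n",
           policy_select_sa(demo_spd, 1, &demo_https), policy_select_sa(demo_spd, 1, &demo_ssh));
    printf("route-based:  https -> SA %d, ssh -> SA %d\n",
           route_select_sa(demo_fib, 1, &demo_https), route_select_sa(demo_fib, 1, &demo_ssh));
    return 0;
}
```

In this model the port-22 packet matches no SPD entry but is still handed to SA 7 by the route lookup, so any port-level restriction in the route-based case has to come from a separate filter.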