Hi,
There is an issue when DPDK is owning the LAN interface for IPSEC
traffic. I have a network setup of 2 VPP routers connected by an IPSEC
tunnel on the WAN interface, with a LAN interface for sending out traffic,
and VPP is acting as the IPSEC gateway. The issue I am seeing is that
traffic encrypted by the IPSEC policy is traversing from VPP1 to VPP2, but
after decryption the packet is sent out on the eth3 interface on VPP2 and
it's staying there. The counters for the eth3 interface are updated, but
the DPDK driver is not sending out the packet on the eth3 interface. DPDK
is enabled on the eth1 and eth3 interfaces. If, instead of DPDK owning the
eth3 interface, I use mem_if or veth (ip link) for the LAN interface, it
works well with no issues.

I am using the following DPDK driver for the eth3 interface:
 ./dpdk-devbind.py  --bind=uio_pci_generic

Here is the VPP config.

eth1 is WAN interface and eth3 is LAN interface.
IPSEC setup at VPP1

set int state  eth1 up
set int ip address eth1 192.168.1.6/24
ip route add 192.168.2.0/24 via 192.168.1.1
ikev2 profile add pr1
ikev2 profile set pr1 auth shared-key-mic string *****
ikev2 profile set pr1 id local ip4-addr 192.168.1.6
ikev2 profile set pr1 id remote ip4-addr  192.168.2.6
ikev2 profile set pr1 traffic-selector local ip-range 192.168.100.20 - 192.168.100.21 port-range 0 - 65535 protocol 0
ikev2 profile set pr1 traffic-selector remote ip-range 192.168.200.20 - 192.168.200.21 port-range 0 - 65535 protocol 0
ikev2 profile set pr1 responder eth1 192.168.2.6
ikev2 profile set pr1 ike-crypto-alg aes-cbc 256 ike-integ-alg sha1-96 ike-dh modp-2048
ikev2 profile set pr1 esp-crypto-alg aes-cbc 256 esp-integ-alg sha1-96 esp-dh ecp-256
ikev2 profile set pr1 sa-lifetime 3600 10 5 0
set int state eth3 up
set int ip address eth3 192.168.100.5/24


IPSEC setup at VPP2

set int state  eth1 up
set int ip address eth1 192.168.2.6/24
ip route add 192.168.1.0/24 via 192.168.2.1
ikev2 profile add pr1
ikev2 profile set pr1 auth shared-key-mic string *****
ikev2 profile set pr1 id local ip4-addr 192.168.2.6
ikev2 profile set pr1 id remote ip4-addr 192.168.1.6
ikev2 profile set pr1 traffic-selector remote ip-range 192.168.100.20 - 192.168.100.21 port-range 0 - 65535 protocol 0
ikev2 profile set pr1 traffic-selector local ip-range 192.168.200.20 - 192.168.200.21 port-range 0 - 65535 protocol 0

set int state eth3 up
set int ip address eth3 192.168.200.5/24


Traffic from 192.168.100.20 <-> 192.168.200.20 is encrypted.

The issue I am seeing is on the following VPP image:
vpp# show ver
vpp v20.09-release built by root on caba6892cb91 at 2020-10-01T03:09:45

I want to know if others are seeing this issue and how to address it. This
is a common use case setup for IPSEC.

Regards,
Satish K Amaara