*Regards*, Mrityunjay Kumar. Mobile: +91 - 9731528504
On Mon, Sep 6, 2021 at 2:35 PM Prashant Upadhyaya <praupadhy...@gmail.com> wrote:

> Hi,
>
> I am using VPP21.06.
> I have successfully created an IPSec tunnel between VPP and a Strong Swan
> peer.
> Packets from VPP are going into ESP towards the peer, the peer is
> responding back with ESP as well (inner cleartext packets are ICMP)
>
> Now then, I have a node of my own which is sitting on the ip4-unicast
> arc and has a runs before clause like thus --
> .runs_before = VNET_FEATURES ("ip4-lookup")
>
> I am expecting that when the ESP packet lands at VPP, it will undergo
> decryption and the inner IP packet would go again to ip4-input and
> from there hit my node on the ip4-unicast arc. However this does not
> happen. It appears that the packet is going to ip4-lookup bypassing my
> node.

[MJ]: IPsec decryption usually happens after IP4/IP6 protocol lookup. Protocol lookup should hit after ip4_input/ip6_input. If you are trying to hijack the packet just after ip4_input/ip6_input, then probably you will see the ESP packet in your custom node.

> So the question is how do I get the decrypted inner packet on ESP to my
> node.

[MJ]: Probably this is not a good idea to hijack inner packets based on IP4/IP6 input.
Just an input, you can try like, ip4_register_protocol(udp/tcp/sctp/, your_node_index). Then after the decryption, you will get a packet and can do anything as you need.

> Regards
> -Prashant