*Regards*,
Mrityunjay Kumar.
Mobile: +91 - 9731528504


On Mon, Sep 6, 2021 at 2:35 PM Prashant Upadhyaya <praupadhy...@gmail.com>
wrote:

> Hi,
>
> I am using VPP21.06.
> I have successfully created an IPSec tunnel between VPP and a Strong Swan
> peer.
> Packets from VPP are going into ESP towards the peer, the peer is
> responding back with ESP as well (inner cleartext packets are ICMP)
>
> Now then, I have a node of my own which is sitting on the ip4-unicast
> arc and has a runs before clause like thus --
> .runs_before = VNET_FEATURES ("ip4-lookup")
>
> I am expecting that when the ESP packet lands at VPP, it will undergo
> decryption and the inner IP packet would go again to ip4-input and
> from there hit my node on the ip4-unicast arc. However this does not
> happen. It appears that the packet is going to ip4-lookup bypassing my
> node.
>
[MJ]: IPsec decryption usually happens after IP4/IP6 protocol lookup.
Protocol lookup should hit after ip4_input/ip6_input. If you are trying
to hijack the packet just after ip4_input/ip6_input, then probably you will
see the ESP packet in your custom node.




> So the question is how do I get the decrypted inner packet on ESP to my
> node.




[MJ]: Probably this is not a good idea to hijack inner packets based on
IP4/IP6 input.
Just an input: you can try something like ip4_register_protocol(udp/tcp/sctp/,
your_node_index). Then, after the decryption, you will get a packet and can
do anything you need.
>
> Regards
> -Prashant
>
View/Reply Online (#20078): https://lists.fd.io/g/vpp-dev/message/20078