Hi Stanislav,
punt-dispatch should be doing it; below is an example of a packet trace from my test env:
...
00:00:11:655232: ip4-receive
UDP: 192.168.10.1 -> 10.0.0.2
tos 0x00, ttl 63, length 280, checksum 0xc2c9 dscp CS0 ecn NON_ECN
fragment id 0xa360, flags DONT_FRAGMENT
UDP: 4500 -> 4500
length 260, checksum 0x209f
00:00:11:655236: ip4-udp-lookup
UDP: src-port 4500 dst-port 4500
00:00:11:655243: ipsec4-tun-input
IPSec: remote:192.168.10.1 spi:0 (0x00000000) sa:218136463 tun:5 seq 4260287868 sa 1
00:00:11:655258: punt-dispatch
reason: [1] ipsec4-spi-o-udp-0 flags: ip4-packet
00:00:11:655268: ikev2-ip4-natt
ikev2: sw_if_index 5, next index 0
Filip
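The UDP/4500 demultiplexing discussed in this thread (a zero SPI, i.e. the RFC 3948 non-ESP marker, means IKE over NAT-T; a non-zero SPI means ESP-in-UDP; a lone 0xFF byte is a NAT keepalive) and the reason a NAT-T packet handed to the plain IKE node ends in a bad-length error, shown as an added C example. This is not VPP code and not Filip's or Stanislav's; the function names and the two sample datagrams are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Classification of a UDP/4500 payload according to RFC 3948 framing. */
enum udp4500_kind {
    UDP4500_ESP,        /* ESP-in-UDP: first 4 bytes are a non-zero SPI */
    UDP4500_IKE_NATT,   /* IKE: 4-byte zero "non-ESP marker", then IKE header */
    UDP4500_KEEPALIVE,  /* single 0xFF byte NAT keepalive */
    UDP4500_INVALID
};

#define NON_ESP_MARKER_LEN 4
#define IKE_HDR_LEN 28          /* IKEv2 fixed header size (RFC 7296, section 3.1) */
#define IKE_HDR_LENGTH_OFF 24   /* offset of the 32-bit Length field in that header */

static uint32_t rd32be(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Decide which kind of traffic a UDP/4500 datagram carries (constructed helper). */
enum udp4500_kind classify_udp4500(const uint8_t *payload, size_t len)
{
    if (len == 1 && payload[0] == 0xff)
        return UDP4500_KEEPALIVE;
    if (len < NON_ESP_MARKER_LEN)
        return UDP4500_INVALID;
    if (rd32be(payload) != 0)
        return UDP4500_ESP;           /* SPI 0 is reserved, so non-zero means ESP */
    return UDP4500_IKE_NATT;
}

/* Check the IKE header Length field against the bytes actually present.
 * skip_marker = 1 skips the 4-byte non-ESP marker first (what a NAT-T node
 * must do); skip_marker = 0 parses from byte 0 (what a plain IKE node does).
 * Returns 1 when the declared length matches, 0 otherwise. */
int ike_length_ok(const uint8_t *payload, size_t len, int skip_marker)
{
    size_t off = skip_marker ? NON_ESP_MARKER_LEN : 0;
    if (len < off + IKE_HDR_LEN)
        return 0;
    uint32_t declared = rd32be(payload + off + IKE_HDR_LENGTH_OFF);
    return declared == (uint32_t)(len - off);
}

/* Constructed sample: non-ESP marker + minimal IKE_SA_INIT header + 4 payload bytes. */
size_t build_sample_ike_natt(uint8_t *buf, size_t cap)
{
    static const uint8_t pkt[] = {
        0x00, 0x00, 0x00, 0x00,                          /* non-ESP marker */
        0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,  /* initiator SPI (made up) */
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,  /* responder SPI, 0 in IKE_SA_INIT */
        0x21,                                            /* next payload: SA (33) */
        0x20,                                            /* version 2.0 */
        0x22,                                            /* exchange type: IKE_SA_INIT (34) */
        0x08,                                            /* flags: Initiator */
        0x00, 0x00, 0x00, 0x00,                          /* message ID 0 */
        0x00, 0x00, 0x00, 0x20,                          /* length = 32 (28 header + 4) */
        0xde, 0xad, 0xbe, 0xef                           /* placeholder payload bytes */
    };
    if (cap < sizeof pkt)
        return 0;
    memcpy(buf, pkt, sizeof pkt);
    return sizeof pkt;
}

/* Constructed sample: ESP-in-UDP with a non-zero SPI, then a sequence number. */
size_t build_sample_esp(uint8_t *buf, size_t cap)
{
    static const uint8_t pkt[] = {
        0x0d, 0x00, 0x0d, 0x1e,   /* SPI (made up, non-zero) */
        0x00, 0x00, 0x00, 0x01,   /* sequence number */
        0xaa, 0xbb, 0xcc, 0xdd    /* opaque encrypted bytes */
    };
    if (cap < sizeof pkt)
        return 0;
    memcpy(buf, pkt, sizeof pkt);
    return sizeof pkt;
}

int main(void)
{
    uint8_t buf[64];
    size_t n = build_sample_ike_natt(buf, sizeof buf);
    /* With the marker skipped the length matches; parsed as plain IKE it does not,
     * which is the "Bad packet length" symptom from the trace in this thread. */
    printf("ike/natt: kind=%d natt-node length ok=%d plain-node length ok=%d\n",
           classify_udp4500(buf, n), ike_length_ok(buf, n, 1), ike_length_ok(buf, n, 0));
    n = build_sample_esp(buf, sizeof buf);
    printf("esp-in-udp: kind=%d\n", classify_udp4500(buf, n));
    uint8_t ka = 0xff;
    printf("keepalive: kind=%d\n", classify_udp4500(&ka, 1));
    return 0;
}
```

The classification is the same test the trace above shows punt-dispatch making (reason `ipsec4-spi-o-udp-0`), and the length check shows why the node choice matters: the plain node reads the Length field four bytes too early and rejects the packet.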
________________________________
From: [email protected] <[email protected]> on behalf of Stanislav Zaikin <[email protected]>
Sent: Friday, May 13, 2022 11:17 AM
To: Filip Tehlar -X (ftehlar - PANTHEON TECH SRO at Cisco) <[email protected]>
Cc: vpp-dev <[email protected]>; Benoit Ganne (bganne) <[email protected]>
Subject: Re: [vpp-dev] ikev2 and nat-t
Hi Filip,
In my case an initiator is behind NAT while a responder has a public IP.
What node should check for SPI=0? I also have LCP enabled on some interfaces,
maybe it breaks the default punt behaviour.
On Fri, 13 May 2022 at 10:54, Filip Tehlar -X (ftehlar - PANTHEON TECH SRO at Cisco) <[email protected]> wrote:
I'm not entirely sure that's the case - the reason being that the default port 4500
is used for both NAT traversal and encrypted dataplane traffic. The way to
distinguish between those two is having SPI=0 in the case of NAT-T. For this there
is a punt mechanism in VPP, which forwards 4500 IKE packets to the natt node. Since
this isn't happening, judging from your packet trace, I wonder if you maybe have the
responder behind NAT? Such a case isn't supported.
Filip
________________________________
From: [email protected] <[email protected]> on behalf of Benoit Ganne (bganne) via lists.fd.io <[email protected]>
Sent: Friday, May 13, 2022 10:26 AM
To: Stanislav Zaikin <[email protected]>; vpp-dev <[email protected]>
Subject: Re: [vpp-dev] ikev2 and nat-t
Hmm, good catch. I wonder why we did not catch it - maybe the unit tests use
only a non-standard port...
Can you try to patch it accordingly and, if it solves the issue, push it on
Gerrit for review?
If you can update the unit tests to reproduce the issue and verify that the fix
fixes it, it would be ideal of course.
Best
Ben
> -----Original Message-----
> From: [email protected] <[email protected]> On Behalf Of Stanislav Zaikin
> Sent: Thursday, May 12, 2022 18:11
> To: vpp-dev <[email protected]>
> Subject: [vpp-dev] ikev2 and nat-t
>
> Hello folks,
>
> I have an issue with ikev2 and the host over the nat. IKE_AUTH packet goes
> to ikev2-ip4 node instead of ikev2-ip4-natt and it causes
> IKEV2_ERROR_BAD_LENGTH.
>
>
> I'm not an expert in ike, but are there the right nodes specified below?
>
> udp_register_dst_port (vm, IKEV2_PORT, ikev2_node_ip4.index, 1);
> udp_register_dst_port (vm, IKEV2_PORT, ikev2_node_ip6.index, 0);
> udp_register_dst_port (vm, IKEV2_PORT_NATT, ikev2_node_ip4.index, 1);
> udp_register_dst_port (vm, IKEV2_PORT_NATT, ikev2_node_ip6.index, 0);
>
> Shouldn't it be ikev2_node_ip4_natt instead of ikev2_node_ip4 for
> IKEV2_PORT_NATT?
>
> Errors:
>
> 12 ikev2-ip4 packets processed info
> 6 ikev2-ip4 Bad packet length error
> 6 ikev2-ip4 IKE EXCHANGE SA requests received info
>
>
> The trace
> 06:19:16:980290: dpdk-input
> GigabitEthernet5/0/0 rx queue 0
> buffer 0x84923: current data 0, length 290, buffer-pool 0, ref-count 1,
> trace handle 0x1
> ext-hdr-valid
> PKT MBUF: port 0, nb_segs 1, pkt_len 290
> buf_len 2176, data_len 290, ol_flags 0x180, data_off 128, phys_addr
> 0x59124940
> packet_type 0x211 l2_len 0 l3_len 0 outer_l2_len 0 outer_l3_len 0
> rss 0x0 fdir.hi 0x0 fdir.lo 0x0
> Packet Offload Flags
> PKT_RX_IP_CKSUM_GOOD (0x0080) IP cksum of RX pkt. is valid
> PKT_RX_IP_CKSUM_NONE (0x0090) no IP cksum of RX pkt.
> PKT_RX_L4_CKSUM_GOOD (0x0100) L4 cksum of RX pkt. is valid
> PKT_RX_L4_CKSUM_NONE (0x0108) no L4 cksum of RX pkt.
> Packet Types
> RTE_PTYPE_L2_ETHER (0x0001) Ethernet packet
> RTE_PTYPE_L3_IPV4 (0x0010) IPv4 packet without extension headers
> RTE_PTYPE_L4_UDP (0x0200) UDP packet
> IP4: 10:0e:7e:bb:78:40 -> 38:ea:a7:37:59:90 802.1q vlan 1191
> UDP: X.X.X.X -> Y.Y.Y.Y
> tos 0x28, ttl 216, length 272, checksum 0xe170 dscp AF11 ecn NON_ECN
> fragment id 0x0000
> UDP: 23911 -> 4500
> length 252, checksum 0x0000
> 06:19:16:980294: bond-input
> src 10:0e:7e:bb:78:40, dst 38:ea:a7:37:59:90, GigabitEthernet5/0/0 ->
> BondEthernet10
> 06:19:16:980294: ethernet-input
> IP4: 10:0e:7e:bb:78:40 -> 38:ea:a7:37:59:90 802.1q vlan 1191
> 06:19:16:980295: ip4-input
> UDP: X.X.X.X -> Y.Y.Y.Y
> tos 0x28, ttl 216, length 272, checksum 0xe170 dscp AF11 ecn NON_ECN
> fragment id 0x0000
> UDP: 23911 -> 4500
> length 252, checksum 0x0000
> 06:19:16:980296: ip4-lookup
> fib 0 dpo-idx 6 flow hash: 0x00000000
> UDP: X.X.X.X -> Y.Y.Y.Y
> tos 0x28, ttl 216, length 272, checksum 0xe170 dscp AF11 ecn NON_ECN
> fragment id 0x0000
> UDP: 23911 -> 4500
> length 252, checksum 0x0000
> 06:19:16:980296: ip4-receive
> UDP: X.X.X.X -> Y.Y.Y.Y
> tos 0x28, ttl 216, length 272, checksum 0xe170 dscp AF11 ecn NON_ECN
> fragment id 0x0000
> UDP: 23911 -> 4500
> length 252, checksum 0x0000
> 06:19:16:980297: ip4-udp-lookup
> UDP: src-port 23911 dst-port 4500
> 06:19:16:980300: ikev2-ip4
> ikev2: sw_if_index 10, next index 1
> 06:19:16:980301: error-drop
> rx:BondEthernet10.1191
> 06:19:16:980301: drop
> ip4-udp-lookup: none
>
> --
>
> Best regards
> Stanislav Zaikin
--
Best regards
Stanislav Zaikin
View/Reply Online (#21413): https://lists.fd.io/g/vpp-dev/message/21413