Hi team,

I have strongSwan running as an initiator on Linux and VPP, version 21.10, as an IPsec IKEv2 responder. When the IKEv2 auth request reaches VPP, we see that it is getting dropped, saying that the ispi is not found, though the initiator SPI is proper in both the IKE SA INIT and SA AUTH REQ messages from the initiator.

The initiator configuration looks like

[root@83afb4b1f677 /]# cat /nic/etc/ipsec.conf
config setup
    strictcrlpolicy=no

conn %default
    ike=aes256-sha1-modp2048!
    esp=aes192-sha1-esn!
    mobike=no
    keyexchange=ikev2
    ikelifetime=24h
    lifetime=24h

conn net-net
    right=50.50.50.2
    rightsubnet=10.10.11.1/24
    rightauth=psk
    rightid=10.10.11.2
    left=50.50.50.1
    leftsubnet=10.10.10.1/24
    leftauth=psk
    leftid=10.10.10.2
    auto=start

[root@83afb4b1f677 /]# cat /nic/etc/ipsec.secrets
# ipsec.secrets - strongSwan IPsec secrets file
: PSK "Vpp123"
[root@83afb4b1f677 /]#

The responder vpp IKEv2 profile is

vpp# show ikev2 profile
profile pr1
  auth-method shared-key-mic auth data Vpp123
  local id-type ip4-addr data 50.50.50.2
  remote id-type ip4-addr data 50.50.50.1
  local traffic-selector addr 10.10.11.2 - 10.10.11.2 port 0 - 65535 protocol 0
  remote traffic-selector addr 10.10.10.2 - 10.10.10.2 port 0 - 65535 protocol 0
  lifetime 0 jitter 0 handover 0 maxdata 0
vpp# show version
vpp v21.10.1-2~g0a485f517~b14 built by root on f88a2dff472e at 2021-12-03T23:56:33
vpp#

The vpp logs are:-

vpp# show event-logger
0 of 131072 events in buffer, logger running
vpp# show event-logger
8 of 131072 events in buffer, logger running
11179.616307058: ikev2: ispi 19deb5ceddc15186 rspi 0 IKE_INIT request received from 50.50.50.1
11179.616326773: ikev2: ispi 19deb5ceddc15186 SA state changed to IKEV2_STATE_SA_INIT
11179.996070904: ikev2: ispi 19deb5ceddc15186 rspi c8f85b26a682ded7 EXCHANGE_IKE_AUTH received from 50.50.50.1
11179.996096902: ikev2 [debug] integrity checking with sha1
11179.996114739: ikev2: authentication failed, no matching profile found! ispi 19deb5ceddc15186
11179.996114888: ikev2: ispi 19deb5ceddc15186 SA state changed to IKEV2_STATE_AUTH_FAILED
11179.996116152: ikev2: ispi 19deb5ceddc15186 SA state changed to IKEV2_STATE_NOTIFY_AND_DELETE
11179.996128561: ikev2 [debug] integrity checking with sha1
vpp# show err
   Count    Node         Reason          Severity
       2    ikev2-ip4    processed       info
       1    ikev2-ip4    init_sa_req     info
       1    ikev2-ip4    ike_auth_req    info
vpp#

Initiator is started

[root@83afb4b1f677 /]# /nic/sbin/ipsec restart
Stopping strongSwan IPsec...
Starting strongSwan 5.9.7 IPsec [starter]...
[root@83afb4b1f677 /]#

Could someone please help me on what I could be missing possibly, here?

Regards
Loganathan
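
An added example, not part of the original message: a Python cross-check of the IKE identities in the ipsec.conf and the "show ikev2 profile" output quoted above, the first thing to compare when the responder logs "no matching profile found". It assumes the responder picks a profile by comparing the identity the initiator sends with the profile's remote id; the function names and the trimmed sample strings are constructed for illustration.

```python
import re

# Constructed samples, trimmed from the configuration quoted in the message.
IPSEC_CONF = """\
conn net-net
    right=50.50.50.2
    rightid=10.10.11.2
    rightauth=psk
    left=50.50.50.1
    leftid=10.10.10.2
    leftauth=psk
"""
VPP_PROFILE = """\
profile pr1
  auth-method shared-key-mic auth data Vpp123
  local id-type ip4-addr data 50.50.50.2
  remote id-type ip4-addr data 50.50.50.1
  local traffic-selector addr 10.10.11.2 - 10.10.11.2 port 0 - 65535 protocol 0
"""

def parse_conn(text):
    """Return the key=value options of an ipsec.conf conn section."""
    return dict(m.groups() for m in re.finditer(r"^\s+(\w+)=(\S+)\s*$", text, re.M))

def parse_profile(text):
    """Return {'local': id, 'remote': id} from 'show ikev2 profile' output."""
    pairs = re.findall(r"^\s*(local|remote) id-type \S+ data (\S+)\s*$", text, re.M)
    return dict(pairs)

def id_mismatches(conn, profile):
    """List (profile side, strongSwan value, VPP value) for identities that differ.

    strongSwan sends leftid as its own identity and expects rightid from the
    peer; with PSK auth each defaults to the left/right address when unset.
    Assumption: the responder compares these with its remote/local id.
    """
    sent = conn.get("leftid", conn.get("left"))
    expected = conn.get("rightid", conn.get("right"))
    problems = []
    if sent != profile.get("remote"):
        problems.append(("remote", sent, profile.get("remote")))
    if expected != profile.get("local"):
        problems.append(("local", expected, profile.get("local")))
    return problems

if __name__ == "__main__":
    for side, swan, vpp in id_mismatches(parse_conn(IPSEC_CONF), parse_profile(VPP_PROFILE)):
        print(f"{side} id: strongSwan uses {swan}, VPP profile has {vpp}")
```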
