Bug
Resolution: Open
Medium
Hi,
I just configured an endpoint-to-endpoint IPsec transmission, but a fragmentation error happened when sending a big ICMP packet. From the Wireshark log we can see that the IP fragment flag was not set correctly although the packet was fragmented.
The configuration is listed below:
DBGvpp# set int state GigabitEthernet3/0/0 up
DBGvpp# set dhcp client intfc GigabitEthernet3/0/0
DBGvpp# ipsec sa add 10 spi 1001 esp crypto-alg aes-cbc-128 crypto-key 4a506a794f574265564551694d653768 integ-alg sha1-96 integ-key 4339314b55523947594d6d3547666b45764e6a58
DBGvpp# ipsec sa add 20 spi 1000 esp crypto-alg aes-cbc-128 crypto-key 4a506a794f574265564551694d653768 integ-alg sha1-96 integ-key 4339314b55523947594d6d3547666b45764e6a58
DBGvpp# ipsec spd add 1
DBGvpp# set interface ipsec spd GigabitEthernet3/0/0 1
DBGvpp# ipsec policy add spd 1 priority 100 inbound action bypass protocol 50
DBGvpp# ipsec policy add spd 1 priority 100 outbound action bypass protocol 50
DBGvpp# ipsec policy add spd 1 priority 10 inbound action protect sa 10 local-ip-range 192.168.1.100 - 192.168.1.100 remote-ip-range 192.168.1.113 - 192.168.1.113
DBGvpp# ipsec policy add spd 1 priority 10 outbound action protect sa 20 local-ip-range 192.168.1.100 - 192.168.1.100 remote-ip-range 192.168.1.113 - 192.168.1.113
DBGvpp# ping ipv4 192.168.1.113 source GigabitEthernet3/0/0 size 1600 repeat 1
Statistics: 1 sent, 0 received, 100% packet loss
DBGvpp# sh err
Count Node Reason
2 ipsec-output-ip4 IPSec policy protect
2 esp-encrypt ESP pkts received
20 arp-input ARP replies sent
11 arp-input ARP request IP4 source address learned
2 ip4-frag number of sent fragments
New update: if we use the packet generator to generate and trace UDP packets, we can see that ip4-frag occurs before esp-encrypt, which should be incorrect.
packet-generator new {
name udp
limit 10
node ip4-input
size 1500-1500
interface TenGigabitEthernet6/0/0
no-recycle
data
}
Packet 1
01:01:18:719948: pg-input
stream udp, 1520 bytes, 1 sw_if_index
current data 0, length 1520, free-list 0, clone-count 0, trace 0x0
UDP: 192.168.1.100 -> 192.168.1.113
tos 0x00, ttl 64, length 1520, checksum 0xf0d7
fragment id 0x0000
UDP: 4321 -> 1234
length 1500, checksum 0xf30e
01:01:18:719955: ip4-input
UDP: 192.168.1.100 -> 192.168.1.113
tos 0x00, ttl 64, length 1520, checksum 0xf0d7
fragment id 0x0000
UDP: 4321 -> 1234
length 1500, checksum 0xf30e
01:01:18:719958: ipsec-input-ip4
esp: no sa spi 66051 seq 67438087
01:01:18:719963: ip4-lookup
fib 0 dpo-idx 2 flow hash: 0x00000000
UDP: 192.168.1.100 -> 192.168.1.113
tos 0x00, ttl 64, length 1520, checksum 0xf0d7
fragment id 0x0000
UDP: 4321 -> 1234
length 1500, checksum 0xf30e
01:01:18:719965: ip4-rewrite
tx_sw_if_index 0 dpo-idx 2 : ipv4 via 192.168.1.113 TenGigabitEthernet6/0/0: m
tu:1500 cc2f716ee272ac1f6b46d6c40800 flow hash: 0x000005dc
00000000: 450005f0000000003f11f1d7c0a80164c0a8017110e104d205dcf30e00010203
00000020: 0405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
01:01:18:719967: ip4-frag
IPv4 mtu: 1500 fragments: 2
01:01:18:719971: ip4-rewrite
tx_sw_if_index 1 dpo-idx 2 : ipv4 via 192.168.1.113 TenGigabitEthernet6/0/0: m
tu:1500 cc2f716ee272ac1f6b46d6c40800 flow hash: 0x00000000
00000000: cc2f716ee272ac1f6b46d6c40800450005dc020020003e11d0ebc0a80164c0a8
00000020: 017110e104d205dcf30e000102030405060708090a0b0c0d0e0f1011
tx_sw_if_index 1 dpo-idx 2 : ipv4 via 192.168.1.113 TenGigabitEthernet6/0/0: m
tu:1500 cc2f716ee272ac1f6b46d6c40800 flow hash: 0x00000000
00000000: cc2f716ee272ac1f6b46d6c4080045000028020000b93e11f5e6c0a80164c0a8
00000020: 0171c0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3000000000000
01:01:18:719972: ipsec-output-ip4
spd 1
spd 1
01:01:18:719973: esp-encrypt
esp: spi 1000 seq 0 crypto aes-cbc-128 integrity sha1-96
esp: spi 1000 seq 1 crypto aes-cbc-128 integrity sha1-96
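As an added example (not part of the original report or of VPP), the following Python decodes the three hex dumps from the trace above, verifies each IPv4 header checksum and validates the fragment chain (contiguous offsets, MF set on all but the last fragment, total payload matching the pre-fragmentation packet). Run on these dumps it confirms that the fragment flags and offsets are consistent, and reports that the fragments' TTL (0x3e) is one lower than the pre-fragmentation header's (0x3f), i.e. ip4-rewrite decremented them a second time.

```python
import struct

# Hex dumps copied from the VPP trace above (spaces removed): the ip4-rewrite dump before
# ip4-frag starts at the IPv4 header; the two fragment dumps start with 14 Ethernet bytes.
PRE_FRAG = bytes.fromhex("450005f0000000003f11f1d7c0a80164c0a80171")
FRAG1 = bytes.fromhex("cc2f716ee272ac1f6b46d6c40800450005dc020020003e11d0ebc0a80164c0a80171")
FRAG2 = bytes.fromhex("cc2f716ee272ac1f6b46d6c4080045000028020000b93e11f5e6c0a80164c0a80171")

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum with the checksum field zeroed."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    total = sum(struct.unpack("!%dH" % (len(zeroed) // 2), zeroed))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_ipv4(data: bytes, skip_ethernet: bool = False) -> dict:
    """Decode the IPv4 header fields that matter for fragmentation and verify the checksum."""
    if skip_ethernet:
        data = data[14:]
    vihl, _tos, length, ident, flags_frag, ttl, proto, csum = struct.unpack("!BBHHHBBH", data[:12])
    ihl = (vihl & 0x0F) * 4
    return {
        "length": length, "id": ident, "ttl": ttl, "proto": proto,
        "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
        "offset": (flags_frag & 0x1FFF) * 8,  # fragment offset is in 8-byte units
        "payload_len": length - ihl,
        "checksum_ok": ipv4_checksum(data[:ihl]) == csum,
    }

def check_fragment_chain(original: dict, fragments: list) -> list:
    """List the inconsistencies between a pre-fragmentation header and its fragments."""
    problems, expected_offset = [], 0
    frags = sorted(fragments, key=lambda f: f["offset"])
    for i, f in enumerate(frags):
        is_last = i == len(frags) - 1
        checks = [
            (f["id"] != frags[0]["id"], "IP id differs from the first fragment"),
            (f["offset"] != expected_offset, "gap or overlap at this offset"),
            (f["mf"] == is_last, "MF flag wrong (must be set on all but the last fragment)"),
            (not f["checksum_ok"], "bad IPv4 header checksum"),
            (f["ttl"] != original["ttl"],
             "TTL %d differs from pre-fragmentation TTL %d" % (f["ttl"], original["ttl"])),
        ]
        problems += ["fragment at offset %d: %s" % (f["offset"], m) for bad, m in checks if bad]
        expected_offset += f["payload_len"]
    if expected_offset != original["payload_len"]:
        problems.append("fragments carry %d payload bytes, original had %d" % (expected_offset, original["payload_len"]))
    return problems
```

Calling check_fragment_chain(parse_ipv4(PRE_FRAG), [parse_ipv4(FRAG1, True), parse_ipv4(FRAG2, True)]) on these dumps returns only the two TTL findings.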