-
Bug
-
Resolution: Done
-
Medium
Hi,
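I get a packet receive error with IPsec in transport mode when UDP encapsulation is enabled. The configuration of both VPP instances is listed below, followed by the packet trace of a received packet (192.168.1.201 -> 192.168.1.200), which is decrypted and then dropped at error-punt with "ip4-icmp-input: unknown type":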
VPP1:
create tap host-if-name tap0 rx-ring-size 1024 tx-ring-size 1024
set int state tap0 up
set int ip addr tap0 192.168.1.201/24
ip route add 0.0.0.0/0 via 192.168.1.1 tap0
ipsec sa add 10 spi 1001 esp crypto-alg aes-cbc-128 crypto-key 4a506a794f574265564551694d653768 integ-alg sha1-96 integ-key 4339314b55523947594d6d3547666b45764e6a58 udp-encap
ipsec sa add 20 spi 1000 esp crypto-alg aes-cbc-128 crypto-key 4a506a794f574265564551694d653768 integ-alg sha1-96 integ-key 4339314b55523947594d6d3547666b45764e6a58 udp-encap
ipsec spd add 1
set interface ipsec spd tap0 1
ipsec policy add spd 1 priority 10 inbound action protect sa 10 local-ip-range 192.168.1.201 - 192.168.1.201 remote-ip-range 192.168.1.200 - 192.168.1.200
ipsec policy add spd 1 priority 10 outbound action protect sa 20 local-ip-range 192.168.1.201 - 192.168.1.201 remote-ip-range 192.168.1.200 - 192.168.1.200
VPP2:
create tap host-if-name tap0 rx-ring-size 1024 tx-ring-size 1024
set int state tap0 up
set int ip addr tap0 192.168.1.200/24
ip route add 0.0.0.0/0 via 192.168.1.1 tap0
ipsec sa add 10 spi 1001 esp crypto-alg aes-cbc-128 crypto-key 4a506a794f574265564551694d653768 integ-alg sha1-96 integ-key 4339314b55523947594d6d3547666b45764e6a58 udp-encap
ipsec sa add 20 spi 1000 esp crypto-alg aes-cbc-128 crypto-key 4a506a794f574265564551694d653768 integ-alg sha1-96 integ-key 4339314b55523947594d6d3547666b45764e6a58 udp-encap
ipsec spd add 1
set interface ipsec spd tap0 1
ipsec policy add spd 1 priority 10 inbound action protect sa 20 local-ip-range 192.168.1.200 - 192.168.1.200 remote-ip-range 192.168.1.201 - 192.168.1.201
ipsec policy add spd 1 priority 10 outbound action protect sa 10 local-ip-range 192.168.1.200 - 192.168.1.200 remote-ip-range 192.168.1.201 - 192.168.1.201
00:00:31:550011: virtio-input
virtio: hw_if_index 1 next-index 4 vring 0 len 158
hdr: flags 0x02 gso_type 0x00 hdr_len 0 gso_size 0 csum_start 0 csum_offset 0 num_buffers 1
00:00:31:550021: ethernet-input
IP4: cc:2f:71:6e:e2:72 -> 02:fe:9a:9c:6a:d0
00:00:31:550028: ip4-input
UDP: 192.168.1.201 -> 192.168.1.200
tos 0x00, ttl 254, length 144, checksum 0x377b
fragment id 0x0000
UDP: 4500 -> 4500
length 124, checksum 0x0000
00:00:31:550040: ipsec4-input
esp: sa_id 20 spd 1 spi 1000 seq 1
00:00:31:550047: esp4-decrypt
esp: crypto aes-cbc-128 integrity sha1-96
00:00:31:550151: ip4-input
ICMP: 192.168.1.201 -> 192.168.1.200
tos 0x00, ttl 254, length 88, checksum 0x37c3
fragment id 0x0000
ICMP unknown 0x4a checksum 0x19be
00:00:31:550156: ip4-lookup
fib 0 dpo-idx 5 flow hash: 0x00000000
ICMP: 192.168.1.201 -> 192.168.1.200
tos 0x00, ttl 254, length 88, checksum 0x37c3
fragment id 0x0000
ICMP unknown 0x4a checksum 0x19be
00:00:31:550172: ip4-local
ICMP: 192.168.1.201 -> 192.168.1.200
tos 0x00, ttl 254, length 88, checksum 0x37c3
fragment id 0x0000
ICMP unknown 0x4a checksum 0x19be
00:00:31:550179: ip4-icmp-input
ICMP: 192.168.1.201 -> 192.168.1.200
tos 0x00, ttl 254, length 88, checksum 0x37c3
fragment id 0x0000
ICMP unknown 0x4a checksum 0x19be
00:00:31:550183: ip4-punt
ICMP: 192.168.1.201 -> 192.168.1.200
tos 0x00, ttl 254, length 88, checksum 0x37c3
fragment id 0x0000
ICMP unknown 0x4a checksum 0x19be
00:00:31:550185: error-punt
ip4-icmp-input: unknown type
BR
Chen Xiaobo