VPP-1519

IPSec receive packet error in tunnel mode with udp encap

Type: Bug
Resolution: Unresolved
Priority: Medium
Component: IPsec

      Hi,

      I got an IPSec receive packet error in transport mode with UDP encapsulation. The configuration is listed below:
      VPP1:
      create tap host-if-name GigabitEthernet3/0/0 rx-ring-size 1024 tx-ring-size 1024
      set int state GigabitEthernet3/0/0 up
      set int ip addr tap0 192.168.1.201/24
      ip route add 0.0.0.0/0 via 192.168.1.1 GigabitEthernet3/0/0
      create ipsec tunnel local-ip 192.168.1.201 local-spi 1031 remote-ip 192.168.1.200 remote-spi 1030 udp-encap
      set int ipsec key ipsec0 local crypto aes-cbc-128 4339314b55523947594d6d3547666b45
      set int ipsec key ipsec0 remote crypto aes-cbc-128 4339314b55523947594d6d3547666b45
      set int ipsec key ipsec0 local integ sha1-96 4339314b55523947594d6d3547666b45
      set int ipsec key ipsec0 remote integ sha1-96 4339314b55523947594d6d3547666b45
      set int state ipsec0 up
      ip route add 192.168.20.0/24 via 192.168.1.200 ipsec0
      set int unnumbered ipsec0 use GigabitEthernet3/0/0
      create tap host-if-name tap1 rx-ring-size 1024 tx-ring-size 1024
      set int state tap1 up
      set int ip addr tap1 192.168.10.1/24

      Linux1:
      ip netns add vpp1
      ip link set tap1 up netns vpp1
      ip netns exec vpp1 ifconfig tap1 192.168.10.100/24
      ip netns exec vpp1 ip route add default via 192.168.10.1

      VPP2:
      set int state GigabitEthernet3/0/0 up
      set int ip addr GigabitEthernet3/0/0 192.168.1.200/24
      ip route add 0.0.0.0/0 via 192.168.1.1 GigabitEthernet3/0/0
      create ipsec tunnel local-ip 192.168.1.200 local-spi 1030 remote-ip 192.168.1.201 remote-spi 1031 udp-encap
      set int ipsec key ipsec0 local crypto aes-cbc-128 4339314b55523947594d6d3547666b45
      set int ipsec key ipsec0 remote crypto aes-cbc-128 4339314b55523947594d6d3547666b45
      set int ipsec key ipsec0 local integ sha1-96 4339314b55523947594d6d3547666b45
      set int ipsec key ipsec0 remote integ sha1-96 4339314b55523947594d6d3547666b45
      set int state ipsec0 up
      ip route add 192.168.10.0/24 via 192.168.1.201 ipsec0
      set int unnumbered ipsec0 use GigabitEthernet3/0/0
      create tap host-if-name tap1 rx-ring-size 1024 tx-ring-size 1024
      set int state tap1 up
      set int ip addr tap1 192.168.20.1/24

      Linux2:
      ip netns add vpp1
      ip link set tap1 up netns vpp1
      ip netns exec vpp1 ifconfig tap1 192.168.20.100/24
      ip netns exec vpp1 ip route add default via 192.168.20.1

      If you try a ping from Linux1 to Linux2, ICMP unreachable happens. The following trace shows that UDP port 4500 has no listener, but actually IPsec UDP encap should register 4500 with the ip4-udp-lookup node, so that UDP can forward the packet to the ipsec-if-input node for processing.
      Packet 1

      00:01:21:751932: virtio-input
        virtio: hw_if_index 1 next-index 4 vring 0 len 174
          hdr: flags 0x02 gso_type 0x00 hdr_len 0 gso_size 0 csum_start 0 csum_offset 0 num_buffers 1
      00:01:21:751946: ethernet-input
        IP4: cc:2f:71:6e:e2:72 -> 02:fe:69:76:a4:82
      00:01:21:751954: ip4-input
        UDP: 192.168.1.201 -> 192.168.1.200
          tos 0x00, ttl 253, length 160, checksum 0x386b
          fragment id 0x0000
        UDP: 4500 -> 4500
          length 140, checksum 0x0000
      00:01:21:751971: ip4-lookup
        fib 0 dpo-idx 5 flow hash: 0x00000000
        UDP: 192.168.1.201 -> 192.168.1.200
          tos 0x00, ttl 253, length 160, checksum 0x386b
          fragment id 0x0000
        UDP: 4500 -> 4500
          length 140, checksum 0x0000
      00:01:21:751980: ip4-local
        UDP: 192.168.1.201 -> 192.168.1.200
          tos 0x00, ttl 253, length 160, checksum 0x386b
          fragment id 0x0000
        UDP: 4500 -> 4500
          length 140, checksum 0x0000
      00:01:21:751986: ip4-udp-lookup
        UDP: src-port 4500 dst-port 4500 (no listener)
      00:01:21:751991: ip4-icmp-error
        UDP: 192.168.1.201 -> 192.168.1.200
          tos 0x00, ttl 253, length 160, checksum 0x386b
          fragment id 0x0000
        UDP: 4500 -> 4500
          length 140, checksum 0x0000
      00:01:21:751995: ip4-lookup
        fib 0 dpo-idx 4 flow hash: 0x00000000
        ICMP: 192.168.1.200 -> 192.168.1.201
          tos 0x00, ttl 255, length 188, checksum 0x365f
          fragment id 0x0000
        ICMP destination_unreachable port_unreachable checksum 0x83fd
      00:01:21:751997: ip4-rewrite
        tx_sw_if_index 1 dpo-idx 4 : ipv4 via 192.168.1.201 tap0: mtu:9000 02fe01dccdb202fe6976a4820800 flow hash: 0x00000000
        00000000: 02fe01dccdb202fe6976a4820800450000bc00000000fe01375fc0a801c8c0a8
        00000020: 01c9030383fd00000000450000a000000000fd11386bc0a801c9c0a8
      00:01:21:752000: tap0-output
        tap0
        IP4: 02:fe:69:76:a4:82 -> 02:fe:01:dc:cd:b2
        ICMP: 192.168.1.200 -> 192.168.1.201
          tos 0x00, ttl 254, length 188, checksum 0x375f
          fragment id 0x0000
        ICMP destination_unreachable port_unreachable checksum 0x83fd

      BR
      Chen Xiaobo
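The symptom in the trace above is easy to miss in a long "show trace" dump: the packet reaches ip4-udp-lookup, the node reports "(no listener)" for dst-port 4500, and the next hop is ip4-icmp-error instead of ipsec-if-input. The following Python checker is an added example, not code from the report or from the VPP project. It parses the node/detail layout of a VPP packet trace, flags every packet whose ip4-udp-lookup hop has no listener on a port of interest, and confirms whether a packet took the ip4-udp-lookup to ipsec-if-input path that the report says UDP-encapsulated ESP should take. The embedded trace is constructed: packet 1 is a shortened copy of the trace in the report, and packet 2 is a hypothetical trace of the same packet after the 4500 listener is registered.

```python
"""Check a VPP "show trace" capture for UDP-encapsulated ESP packets (port 4500)
that reach ip4-udp-lookup without a registered listener."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# A node hop line looks like "00:01:21:751986: ip4-udp-lookup".
NODE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}:\d{6}): (\S+)$")
PACKET_RE = re.compile(r"^Packet (\d+)$")
# Detail line printed by ip4-udp-lookup; the suffix is present only without a listener.
UDP_LOOKUP_RE = re.compile(
    r"UDP: src-port (\d+) dst-port (\d+)(?P<nolistener> \(no listener\))?")

# Constructed sample trace. Packet 1 is abridged from the bug report; packet 2 is a
# hypothetical trace of the same packet once a listener for UDP 4500 exists.
SAMPLE_TRACE = """\
Packet 1

00:01:21:751954: ip4-input
  UDP: 192.168.1.201 -> 192.168.1.200
    tos 0x00, ttl 253, length 160, checksum 0x386b
  UDP: 4500 -> 4500
    length 140, checksum 0x0000
00:01:21:751980: ip4-local
  UDP: 192.168.1.201 -> 192.168.1.200
00:01:21:751986: ip4-udp-lookup
  UDP: src-port 4500 dst-port 4500 (no listener)
00:01:21:751991: ip4-icmp-error
  UDP: 192.168.1.201 -> 192.168.1.200

Packet 2

00:01:22:000100: ip4-local
  UDP: 192.168.1.201 -> 192.168.1.200
00:01:22:000105: ip4-udp-lookup
  UDP: src-port 4500 dst-port 4500
00:01:22:000110: ipsec-if-input
  IPSec: tunnel 0 spi 1030 seq 1
"""


@dataclass
class NodeHop:
    name: str
    details: List[str] = field(default_factory=list)


@dataclass
class TracedPacket:
    number: int
    hops: List[NodeHop] = field(default_factory=list)

    def node_names(self) -> List[str]:
        return [h.name for h in self.hops]


def parse_trace(text: str) -> List[TracedPacket]:
    """Split a trace dump into packets, each a list of node hops with detail lines."""
    packets: List[TracedPacket] = []
    current: Optional[TracedPacket] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PACKET_RE.match(line)
        if m:
            current = TracedPacket(int(m.group(1)))
            packets.append(current)
            continue
        if current is None:
            continue
        m = NODE_RE.match(line)
        if m:
            current.hops.append(NodeHop(m.group(2)))
        elif current.hops:
            current.hops[-1].details.append(line)
    return packets


def udp_listener_gaps(packets: List[TracedPacket],
                      ports: Set[int]) -> List[Tuple[int, int, Optional[str]]]:
    """Return (packet number, dst port, node after lookup) for every packet whose
    ip4-udp-lookup hop reports '(no listener)' on one of the given ports."""
    gaps: List[Tuple[int, int, Optional[str]]] = []
    for pkt in packets:
        for i, hop in enumerate(pkt.hops):
            if hop.name != "ip4-udp-lookup":
                continue
            for detail in hop.details:
                m = UDP_LOOKUP_RE.search(detail)
                if m and int(m.group(2)) in ports and m.group("nolistener"):
                    nxt = pkt.hops[i + 1].name if i + 1 < len(pkt.hops) else None
                    gaps.append((pkt.number, int(m.group(2)), nxt))
    return gaps


def esp_udp_encap_path_ok(pkt: TracedPacket) -> bool:
    """True when the hop after ip4-udp-lookup is ipsec-if-input, i.e. the UDP
    listener handed the packet to the IPsec interface input node."""
    names = pkt.node_names()
    if "ip4-udp-lookup" not in names:
        return False
    i = names.index("ip4-udp-lookup")
    return i + 1 < len(names) and names[i + 1] == "ipsec-if-input"


if __name__ == "__main__":
    pkts = parse_trace(SAMPLE_TRACE)
    for number, port, nxt in udp_listener_gaps(pkts, {4500}):
        print(f"packet {number}: no listener on UDP {port}, next node {nxt}")
    for p in pkts:
        print(f"packet {p.number}: ESP-in-UDP path ok = {esp_udp_encap_path_ok(p)}")
```

To use it on a real capture, replace SAMPLE_TRACE with the output of "show trace" (the indentation VPP prints is ignored, so a copy pasted from a ticket works too); a non-empty result from udp_listener_gaps on port 4500 means the UDP-encap listener was not registered when that packet arrived.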

      Assignee: Xiaobo Chen (jackiechen1985)
      Reporter: Xiaobo Chen (jackiechen1985)