-
Bug
-
Resolution: Unresolved
-
Medium
-
None
-
None
-
None
Hi,
I am now trying to test IPSec data transmission in transport mode with QAT. Unfortunately the test is failed with the following configuration:
ICMP:
packet-generator new {
name icmp
limit 1
node ip4-input
size 64-64
interface TenGigabitEthernet7/0/0
no-recycle
data
}
VPP1:
set int state TenGigabitEthernet7/0/0 up
set int ip addr TenGigabitEthernet7/0/0 192.168.2.201/24
ip route add 0.0.0.0/0 via 192.168.2.1 TenGigabitEthernet7/0/0
ipsec sa add 10 spi 1001 esp crypto-alg aes-cbc-128 crypto-key 4a506a794f574265564551694d653768 integ-alg sha1-96 integ-key 4339314b55523947594d6d3547666b45764e6a58 udp-encap
ipsec sa add 20 spi 1000 esp crypto-alg aes-cbc-128 crypto-key 4a506a794f574265564551694d653768 integ-alg sha1-96 integ-key 4339314b55523947594d6d3547666b45764e6a58 udp-encap
ipsec spd add 1
set interface ipsec spd TenGigabitEthernet7/0/0 1
ipsec policy add spd 1 priority 10 inbound action protect sa 10 local-ip-range 192.168.2.201 - 192.168.2.201 remote-ip-range 192.168.2.200 - 192.168.2.200
ipsec policy add spd 1 priority 10 outbound action protect sa 20 local-ip-range 192.168.2.201 - 192.168.2.201 remote-ip-range 192.168.2.200 - 192.168.2.200
clear trace
trace add pg-input 10
show trace
VPP2:
set int state TenGigabitEthernet7/0/0 up
set int ip addr TenGigabitEthernet7/0/0 192.168.2.200/24
ip route add 0.0.0.0/0 via 192.168.2.1 TenGigabitEthernet7/0/0
ipsec sa add 10 spi 1001 esp crypto-alg aes-cbc-128 crypto-key 4a506a794f574265564551694d653768 integ-alg sha1-96 integ-key 4339314b55523947594d6d3547666b45764e6a58 udp-encap
ipsec sa add 20 spi 1000 esp crypto-alg aes-cbc-128 crypto-key 4a506a794f574265564551694d653768 integ-alg sha1-96 integ-key 4339314b55523947594d6d3547666b45764e6a58 udp-encap
ipsec spd add 1
set interface ipsec spd TenGigabitEthernet7/0/0 1
ipsec policy add spd 1 priority 10 inbound action protect sa 20 local-ip-range 192.168.2.200 - 192.168.2.200 remote-ip-range 192.168.2.201 - 192.168.2.201
ipsec policy add spd 1 priority 10 outbound action protect sa 10 local-ip-range 192.168.2.200 - 192.168.2.200 remote-ip-range 192.168.2.201 - 192.168.2.201
From the trace below, we can see the UDP port number and length are incorrect.
Packet 1
00:22:54:613427: pg-input
stream icmp, 64 bytes, 2 sw_if_index
current data 0, length 64, free-list 0, clone-count 0, trace 0x0
ICMP: 192.168.2.201 -> 192.168.2.200
tos 0x00, ttl 64, length 64, checksum 0xf3db
fragment id 0x0000
ICMP echo_request checksum 0x7a6e
00:22:54:613486: ip4-input
ICMP: 192.168.2.201 -> 192.168.2.200
tos 0x00, ttl 64, length 64, checksum 0xf3db
fragment id 0x0000
ICMP echo_request checksum 0x7a6e
00:22:54:613518: ip4-lookup
fib 0 dpo-idx 2 flow hash: 0x00000000
ICMP: 192.168.2.201 -> 192.168.2.200
tos 0x00, ttl 64, length 64, checksum 0xf3db
fragment id 0x0000
ICMP echo_request checksum 0x7a6e
00:22:54:613531: ip4-rewrite
tx_sw_if_index 2 dpo-idx 2 : ipv4 via 192.168.2.200 TenGigabitEthernet7/0/0: mtu:9000 ac1f6b4875daac1f6b46d6c60800 flow hash: 0x00000000
00000000: ac1f6b4875daac1f6b46d6c6080045000040000000003f01f4dbc0a802c9c0a8
00000020: 02c808007a6e000102030405060708090a0b0c0d0e0f101112131415
00:22:54:613542: ipsec4-output
spd 1
00:22:54:613552: dpdk-esp4-encrypt
cipher aes-cbc-128 auth sha1-96
UDP: 192.168.2.201 -> 192.168.2.200
tos 0x00, ttl 63, length 112, checksum 0xf49b
fragment id 0x0000
UDP: 27464 -> 30170
length 44063, checksum 0x6b46
ESP: spi 1799910874, seq 2887740230
00:22:56:172165: dpdk-crypto-input
status: success
00:22:56:172193: TenGigabitEthernet7/0/0-output
TenGigabitEthernet7/0/0
IP4: ac:1f:6b:46:d6:c6 -> ac:1f:6b:48:75:da
UDP: 192.168.2.201 -> 192.168.2.200
tos 0x00, ttl 63, length 112, checksum 0xf49b
fragment id 0x0000
UDP: 27464 -> 30170
length 44063, checksum 0x6b46
00:22:56:172228: TenGigabitEthernet7/0/0-tx
TenGigabitEthernet7/0/0 tx queue 0
buffer 0xeb1c: current data -46, length 126, free-list 0, clone-count 0, totlen-nifb 0, trace 0x0
ip4
PKT MBUF: port 65535, nb_segs 1, pkt_len 126
buf_len 2176, data_len 126, ol_flags 0x0, data_off 82, phys_addr 0xeafac780
packet_type 0x0 l2_len 0 l3_len 0 outer_l2_len 0 outer_l3_len 0
rss 0x0 fdir.hi 0x0 fdir.lo 0x0
IP4: ac:1f:6b:46:d6:c6 -> ac:1f:6b:48:75:da
UDP: 192.168.2.201 -> 192.168.2.200
tos 0x00, ttl 63, length 112, checksum 0xf49b
fragment id 0x0000
UDP: 27464 -> 30170
length 44063, checksum 0x6b46
BR
Chen Xiaobo