Uploaded image for project: 'vpp'
  1. vpp
  2. VPP-1527

IPSec transmit data failed in transport mode with QAT

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: Medium Medium
    • None
    • None
    • IPsec
    • None

      Hi,

      I am now trying to test IPSec data transmission in transport mode with QAT. Unfortunately the test is failed with the following configuration:

      ICMP:
      packet-generator new {
      name icmp
      limit 1
      node ip4-input
      size 64-64
      interface TenGigabitEthernet7/0/0
      no-recycle
      data

      { ICMP: 192.168.2.201 -> 192.168.2.200 ICMP echo_request incrementing 100 }

      }

      VPP1:
      set int state TenGigabitEthernet7/0/0 up
      set int ip addr TenGigabitEthernet7/0/0 192.168.2.201/24
      ip route add 0.0.0.0/0 via 192.168.2.1 TenGigabitEthernet7/0/0

      ipsec sa add 10 spi 1001 esp crypto-alg aes-cbc-128 crypto-key 4a506a794f574265564551694d653768 integ-alg sha1-96 integ-key 4339314b55523947594d6d3547666b45764e6a58 udp-encap
      ipsec sa add 20 spi 1000 esp crypto-alg aes-cbc-128 crypto-key 4a506a794f574265564551694d653768 integ-alg sha1-96 integ-key 4339314b55523947594d6d3547666b45764e6a58 udp-encap

      ipsec spd add 1
      set interface ipsec spd TenGigabitEthernet7/0/0 1

      ipsec policy add spd 1 priority 10 inbound action protect sa 10 local-ip-range 192.168.2.201 - 192.168.2.201 remote-ip-range 192.168.2.200 - 192.168.2.200
      ipsec policy add spd 1 priority 10 outbound action protect sa 20 local-ip-range 192.168.2.201 - 192.168.2.201 remote-ip-range 192.168.2.200 - 192.168.2.200

      clear trace
      trace add pg-input 10
      show trace

      VPP2:
      set int state TenGigabitEthernet7/0/0 up
      set int ip addr TenGigabitEthernet7/0/0 192.168.2.200/24
      ip route add 0.0.0.0/0 via 192.168.2.1 TenGigabitEthernet7/0/0

      ipsec sa add 10 spi 1001 esp crypto-alg aes-cbc-128 crypto-key 4a506a794f574265564551694d653768 integ-alg sha1-96 integ-key 4339314b55523947594d6d3547666b45764e6a58 udp-encap
      ipsec sa add 20 spi 1000 esp crypto-alg aes-cbc-128 crypto-key 4a506a794f574265564551694d653768 integ-alg sha1-96 integ-key 4339314b55523947594d6d3547666b45764e6a58 udp-encap

      ipsec spd add 1
      set interface ipsec spd TenGigabitEthernet7/0/0 1

      ipsec policy add spd 1 priority 10 inbound action protect sa 20 local-ip-range 192.168.2.200 - 192.168.2.200 remote-ip-range 192.168.2.201 - 192.168.2.201
      ipsec policy add spd 1 priority 10 outbound action protect sa 10 local-ip-range 192.168.2.200 - 192.168.2.200 remote-ip-range 192.168.2.201 - 192.168.2.201

      From the trace below, we can see the UDP port number and length are incorrect.
      Packet 1

      00:22:54:613427: pg-input
      stream icmp, 64 bytes, 2 sw_if_index
      current data 0, length 64, free-list 0, clone-count 0, trace 0x0
      ICMP: 192.168.2.201 -> 192.168.2.200
      tos 0x00, ttl 64, length 64, checksum 0xf3db
      fragment id 0x0000
      ICMP echo_request checksum 0x7a6e
      00:22:54:613486: ip4-input
      ICMP: 192.168.2.201 -> 192.168.2.200
      tos 0x00, ttl 64, length 64, checksum 0xf3db
      fragment id 0x0000
      ICMP echo_request checksum 0x7a6e
      00:22:54:613518: ip4-lookup
      fib 0 dpo-idx 2 flow hash: 0x00000000
      ICMP: 192.168.2.201 -> 192.168.2.200
      tos 0x00, ttl 64, length 64, checksum 0xf3db
      fragment id 0x0000
      ICMP echo_request checksum 0x7a6e
      00:22:54:613531: ip4-rewrite
      tx_sw_if_index 2 dpo-idx 2 : ipv4 via 192.168.2.200 TenGigabitEthernet7/0/0: mtu:9000 ac1f6b4875daac1f6b46d6c60800 flow hash: 0x00000000
      00000000: ac1f6b4875daac1f6b46d6c6080045000040000000003f01f4dbc0a802c9c0a8
      00000020: 02c808007a6e000102030405060708090a0b0c0d0e0f101112131415
      00:22:54:613542: ipsec4-output
      spd 1
      00:22:54:613552: dpdk-esp4-encrypt
      cipher aes-cbc-128 auth sha1-96
      UDP: 192.168.2.201 -> 192.168.2.200
      tos 0x00, ttl 63, length 112, checksum 0xf49b
      fragment id 0x0000
      UDP: 27464 -> 30170
      length 44063, checksum 0x6b46
      ESP: spi 1799910874, seq 2887740230
      00:22:56:172165: dpdk-crypto-input
      status: success
      00:22:56:172193: TenGigabitEthernet7/0/0-output
      TenGigabitEthernet7/0/0
      IP4: ac:1f:6b:46:d6:c6 -> ac:1f:6b:48:75:da
      UDP: 192.168.2.201 -> 192.168.2.200
      tos 0x00, ttl 63, length 112, checksum 0xf49b
      fragment id 0x0000
      UDP: 27464 -> 30170
      length 44063, checksum 0x6b46
      00:22:56:172228: TenGigabitEthernet7/0/0-tx
      TenGigabitEthernet7/0/0 tx queue 0
      buffer 0xeb1c: current data -46, length 126, free-list 0, clone-count 0, totlen-nifb 0, trace 0x0
      ip4
      PKT MBUF: port 65535, nb_segs 1, pkt_len 126
      buf_len 2176, data_len 126, ol_flags 0x0, data_off 82, phys_addr 0xeafac780
      packet_type 0x0 l2_len 0 l3_len 0 outer_l2_len 0 outer_l3_len 0
      rss 0x0 fdir.hi 0x0 fdir.lo 0x0
      IP4: ac:1f:6b:46:d6:c6 -> ac:1f:6b:48:75:da
      UDP: 192.168.2.201 -> 192.168.2.200
      tos 0x00, ttl 63, length 112, checksum 0xf49b
      fragment id 0x0000
      UDP: 27464 -> 30170
      length 44063, checksum 0x6b46

      BR
      Chen Xiaobo

            jackiechen1985 Xiaobo Chen
            jackiechen1985 Xiaobo Chen
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated:
              Resolved: