- Bug
- Resolution: Open
- High
This is with a 2 node setup, configured as follows. The host interfaces are attached to a bridge on the linux side with IPs 192.168.30.166 and 192.168.32.167 respectively. The nodes are connected by their GigabitEthernet0/e/0 interfaces.

node1:
create host-interface name veth30vpp
set interface ip address host-veth30vpp 192.168.30.66/24
set interface state host-veth30vpp up
set interface ip address GigabitEthernet0/e/0 192.168.25.66/24
set interface state GigabitEthernet0/e/0 up
set ip arp GigabitEthernet0/e/0 192.168.25.67 52:54:00:8d:12:11
ipsec sa add 20 spi 2030 esp crypto-key 4a506a794f574265564551694d653768 crypto-alg aes-cbc-128 integ-key 4339314b55523947594d6d3547666b45764e6a58 integ-alg sha1-96 tunnel-src 192.168.25.66 tunnel-dst 192.168.25.67
ipsec sa add 30 spi 3020 esp crypto-key 4a506a794f574265564551694d653768 crypto-alg aes-cbc-128 integ-key 4339314b55523947594d6d3547666b45764e6a58 integ-alg sha1-96 tunnel-src 192.168.25.67 tunnel-dst 192.168.25.66
ipsec spd add 1
set interface ipsec spd GigabitEthernet0/e/0 1
ipsec policy add spd 1 priority 100 outbound action bypass protocol 50
ipsec policy add spd 1 priority 100 inbound action bypass protocol 50
ipsec policy add spd 1 priority 10 outbound action protect sa 20 local-ip-range 192.168.30.0 - 192.168.30.255 remote-ip-range 192.168.32.0 - 192.168.32.255
ipsec policy add spd 1 priority 10 inbound action protect sa 30 local-ip-range 192.168.30.0 - 192.168.30.255 remote-ip-range 192.168.32.0 - 192.168.32.255
ip route add 192.168.32.0/24 via 192.168.25.67

node2:
create host-interface name veth32vpp
set interface ip address host-veth32vpp 192.168.32.67/24
set interface state host-veth32vpp up
set interface ip address GigabitEthernet0/e/0 192.168.25.67/24
set interface state GigabitEthernet0/e/0 up
set ip arp GigabitEthernet0/e/0 192.168.25.66 52:54:00:a8:1d:d8
ipsec sa add 20 spi 2030 esp crypto-key 4a506a794f574265564551694d653768 crypto-alg aes-cbc-128 integ-key 4339314b55523947594d6d3547666b45764e6a58 integ-alg sha1-96 tunnel-src 192.168.25.66 tunnel-dst 192.168.25.67
ipsec sa add 30 spi 3020 esp crypto-key 4a506a794f574265564551694d653768 crypto-alg aes-cbc-128 integ-key 4339314b55523947594d6d3547666b45764e6a58 integ-alg sha1-96 tunnel-src 192.168.25.67 tunnel-dst 192.168.25.66
ipsec spd add 1
set interface ipsec spd GigabitEthernet0/e/0 1
ipsec policy add spd 1 priority 100 outbound action bypass protocol 50
ipsec policy add spd 1 priority 100 inbound action bypass protocol 50
ipsec policy add spd 1 priority 10 outbound action protect sa 30 local-ip-range 192.168.32.0 - 192.168.32.255 remote-ip-range 192.168.30.0 - 192.168.30.255
ipsec policy add spd 1 priority 10 inbound action protect sa 20 local-ip-range 192.168.32.0 - 192.168.32.255 remote-ip-range 192.168.30.0 - 192.168.30.255
ip route add 192.168.30.0/24 via 192.168.25.66
Recent changes in master (post stable/1904) seem to have broken policy-based ipsec (i.e., no explicit tunnel interface configured). This configuration/test case works in 1904.
A ping is done from the host side of node1 (source ip will be 192.168.30.166, routed to VPP interface 192.168.30.66) to 192.168.32.67 (which should be encapsulated in ipsec to node2).
The backtrace looks like this (with some debug printfs I added; it seems to maybe be looping?):
Jul 09 13:46:02 dpdk2 vnet[2968]: ipsec_output_inline:223: ipsec_output_inline: START: packet received current_data 0 -pre_data_size -128
Jul 09 13:46:02 dpdk2 vnet[2968]: ipsec_output_inline:231: ipsec_output_inline: packet received from 192.168.30.166 to 192.168.32.67
Jul 09 13:46:02 dpdk2 vnet[2968]: ipsec_output_inline:234: ipsec_output_inline: last_sw_if_index 4294967295 sw_if_index0 4
Jul 09 13:46:02 dpdk2 vnet[2968]: ipsec_output_inline:245: ipsec_output_inline: p 0
Jul 09 13:46:02 dpdk2 vnet[2968]: ipsec_output_inline:281: packet received from 192.168.30.166 to 192.168.32.67 port 33505
Jul 09 13:46:02 dpdk2 vnet[2968]: ipsec_output_inline:283: sw_if_index0 4 spd_index0 0 spd_id 1
Jul 09 13:46:02 dpdk2 vnet[2968]: ipsec_output_inline:399: ipsec_output_inline: END next_node_index dpdk-esp4-encrypt (197)
Jul 09 13:46:02 dpdk2 vnet[2968]: ipsec_output_inline:223: ipsec_output_inline: START: packet received current_data -44 -pre_data_size -128
Jul 09 13:46:02 dpdk2 vnet[2968]: ipsec_output_inline:231: ipsec_output_inline: packet received from 192.168.25.66 to 192.168.25.67
Jul 09 13:46:02 dpdk2 vnet[2968]: ipsec_output_inline:234: ipsec_output_inline: last_sw_if_index 4294967295 sw_if_index0 4
Jul 09 13:46:02 dpdk2 vnet[2968]: ipsec_output_inline:245: ipsec_output_inline: p 0
Jul 09 13:46:02 dpdk2 vnet[2968]: ipsec_output_inline:281: packet received from 192.168.25.66 to 192.168.25.67 port 2030
Jul 09 13:46:02 dpdk2 vnet[2968]: ipsec_output_inline:283: sw_if_index0 4 spd_index0 0 spd_id 1
Jul 09 13:46:02 dpdk2 vnet[2968]: ipsec_output_inline:399: ipsec_output_inline: END next_node_index dpdk-esp4-encrypt (197)
Jul 09 13:46:02 dpdk2 vnet[2968]: ipsec_output_inline:223: ipsec_output_inline: START: packet received current_data -88 -pre_data_size -128
Jul 09 13:46:02 dpdk2 vnet[2968]: ipsec_output_inline:231: ipsec_output_inline: packet received from 192.168.25.66 to 192.168.25.67
Jul 09 13:46:02 dpdk2 vnet[2968]: ipsec_output_inline:234: ipsec_output_inline: last_sw_if_index 4294967295 sw_if_index0 4
Jul 09 13:46:02 dpdk2 vnet[2968]: ipsec_output_inline:245: ipsec_output_inline: p 0
Jul 09 13:46:02 dpdk2 vnet[2968]: ipsec_output_inline:281: packet received from 192.168.25.66 to 192.168.25.67 port 2030
Jul 09 13:46:02 dpdk2 vnet[2968]: ipsec_output_inline:283: sw_if_index0 4 spd_index0 0 spd_id 1
Jul 09 13:46:02 dpdk2 vnet[2968]: ipsec_output_inline:399: ipsec_output_inline: END next_node_index dpdk-esp4-encrypt (197)
Jul 09 13:46:02 dpdk2 vnet[2968]: ipsec_output_inline:223: ipsec_output_inline: START: packet received current_data -132 -pre_data_size -128
Jul 09 13:46:02 dpdk2 vnet[2968]: /home/chopps/net/w/vpp/src/vlib/buffer.h:232 (vlib_buffer_get_current) assertion `(signed) b->current_data >= (signed) -VLIB_BUFFER_PRE_DATA_SIZE' fails
Jul 09 13:46:02 dpdk2 vnet[2968]: received signal SIGABRT, PC 0x7fcaf32cee97
Jul 09 13:46:02 dpdk2 vnet[2968]: #0 0x00007fcaf3c98c73 unix_signal_handler + 0x25b
Jul 09 13:46:02 dpdk2 vnet[2968]: #1 0x00007fcaf39a6890 0x7fcaf39a6890
Jul 09 13:46:02 dpdk2 vnet[2968]: #2 0x00007fcaf32cee97 gsignal + 0xc7
Jul 09 13:46:02 dpdk2 vnet[2968]: #3 0x00007fcaf32d0801 abort + 0x141
Jul 09 13:46:02 dpdk2 vnet[2968]: #4 0x00005647559dd05d 0x5647559dd05d
Jul 09 13:46:02 dpdk2 vnet[2968]: #5 0x00007fcaf36b4d53 debugger + 0x9
Jul 09 13:46:02 dpdk2 vnet[2968]: #6 0x00007fcaf36b5122 _clib_error + 0x2c0
Jul 09 13:46:02 dpdk2 vnet[2968]: #7 0x00007fcaf48ad611 vlib_buffer_get_current + 0x56
Jul 09 13:46:02 dpdk2 vnet[2968]: #8 0x00007fcaf48aec70 ipsec_output_inline + 0x221
Jul 09 13:46:02 dpdk2 vnet[2968]: #9 0x00007fcaf48af995 ipsec4_output_node_fn + 0x2d
Jul 09 13:46:02 dpdk2 vnet[2968]: #10 0x00007fcaf3c3138c dispatch_node + 0x328
Jul 09 13:46:02 dpdk2 vnet[2968]: #11 0x00007fcaf3c31b44 dispatch_pending_node + 0x363
Jul 09 13:46:02 dpdk2 vnet[2968]: #12 0x00007fcaf3c337c4 vlib_main_or_worker_loop + 0xa31
Jul 09 13:46:02 dpdk2 vnet[2968]: #13 0x00007fcaf3c34027 vlib_main_loop + 0x1d
Jul 09 13:46:02 dpdk2 vnet[2968]: #14 0x00007fcaf3c34c3e vlib_main + 0x931
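Added analysis helper, not part of the original report or of VPP: it parses the START and flow debug lines above, checks that current_data shrinks by the same 44 bytes on every pass (outer IPv4 header 20 + ESP SPI/sequence 8 + AES-CBC IV 16, i.e. one more tunnel encapsulation per pass through ipsec_output_inline), and identifies the pass that trips the VLIB_BUFFER_PRE_DATA_SIZE assertion. The sample lines are copied from the report's output, trimmed to the two fields the script uses.

```python
import re

# Constructed sample: the START/flow lines from the report, trimmed to the
# fields needed (one START line per pass through ipsec_output_inline).
SAMPLE_LOG = """\
vnet[2968]: ipsec_output_inline:223: ipsec_output_inline: START: packet received current_data 0 -pre_data_size -128
vnet[2968]: ipsec_output_inline:231: ipsec_output_inline: packet received from 192.168.30.166 to 192.168.32.67
vnet[2968]: ipsec_output_inline:223: ipsec_output_inline: START: packet received current_data -44 -pre_data_size -128
vnet[2968]: ipsec_output_inline:231: ipsec_output_inline: packet received from 192.168.25.66 to 192.168.25.67
vnet[2968]: ipsec_output_inline:223: ipsec_output_inline: START: packet received current_data -88 -pre_data_size -128
vnet[2968]: ipsec_output_inline:231: ipsec_output_inline: packet received from 192.168.25.66 to 192.168.25.67
vnet[2968]: ipsec_output_inline:223: ipsec_output_inline: START: packet received current_data -132 -pre_data_size -128
"""

START_RE = re.compile(r"START: packet received current_data (-?\d+) -pre_data_size (-?\d+)")
FLOW_RE = re.compile(r"packet received from (\S+) to (\S+)$")

# Bytes prepended per ESP tunnel-mode encapsulation with the SAs in the report:
# outer IPv4 header (20) + ESP SPI/sequence (8) + AES-CBC IV (16) = 44.
IPV4_HDR, ESP_HDR, AES_CBC_IV = 20, 8, 16
ENCAP_OVERHEAD = IPV4_HDR + ESP_HDR + AES_CBC_IV


def parse_passes(log_text):
    """Return one (current_data, pre_data_limit, src, dst) tuple per pass."""
    passes, pending = [], None
    for line in log_text.splitlines():
        m = START_RE.search(line)
        if m:  # a new pass through the output node starts here
            pending = [int(m.group(1)), int(m.group(2)), None, None]
            passes.append(pending)
            continue
        m = FLOW_RE.search(line)
        if m and pending is not None:  # attach the flow printed right after START
            pending[2], pending[3] = m.group(1), m.group(2)
    return [tuple(p) for p in passes]


def analyse(log_text):
    passes = parse_passes(log_text)
    deltas = [b[0] - a[0] for a, b in zip(passes, passes[1:])]
    limit = passes[0][1]  # -VLIB_BUFFER_PRE_DATA_SIZE as printed by the debug line
    # Same packet being re-encapsulated if every pass prepends exactly one tunnel header set.
    looping = bool(deltas) and all(d == -ENCAP_OVERHEAD for d in deltas)
    # vlib_buffer_get_current asserts current_data >= limit; find the first pass below it.
    failing = next((i for i, p in enumerate(passes) if p[0] < limit), None)
    return {"passes": len(passes), "deltas": deltas, "looping": looping,
            "failing_pass": failing,
            "expected_failing_pass": (-limit) // ENCAP_OVERHEAD + 1,
            "tunnel_flow": passes[1][2:] if len(passes) > 1 else None}
```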
- is duplicated by: VPP-1720 Policy based ipsec failing. (Complete)