I can see that GRE TEB without IPsec in a BD works fine. Here is the config:
=================================================
create tap host-ns isp host-if-name tap2
set int state tap0 up
set int ip address tap0 10.10.10.10/24
create loopback interface
set int ip address loop0 1.1.1.1/32
set int state loop0 up
ip route add 2.2.2.2/32 via 10.10.10.11
create tap host-ns ns1 host-if-name tap3
set int state tap1 up
create sub tap1 100
set int l2 tag-rewrite tap1.100 pop 1
set int state tap1.100 up
create sub-interfaces tap1 200
set int ip address tap1.200 3.3.3.3/24
set int state tap1.200 up
create gre tunnel src 1.1.1.1 dst 2.2.2.2 teb
set int state gre0 up
create bridge-domain 1
set interface l2 bridge gre0 1
set interface l2 bridge tap1.100 1
==============================================================
I also added the IPsec config. Then GRE TEB with IPsec did not work.
Trace log:
Packet 2
00:05:00:933369: virtio-input
virtio: hw_if_index 1 next-index 4 vring 0 len 114
hdr: flags 0x00 gso_type 0x00 hdr_len 0 gso_size 0 csum_start 0 csum_offset 0 num_buffers 1
00:05:00:933370: ethernet-input
IP4: 02:fe:83:9b:28:1b -> 02:fe:29:ef:20:8f
00:05:00:933371: ip4-input
IPSEC_ESP: 2.2.2.2 -> 1.1.1.1
tos 0x00, ttl 253, length 100, checksum 0xb762 dscp CS0 ecn NON_ECN
fragment id 0x0000
00:05:00:933375: ip4-lookup
fib 0 dpo-idx 6 flow hash: 0x00000000
IPSEC_ESP: 2.2.2.2 -> 1.1.1.1
tos 0x00, ttl 253, length 100, checksum 0xb762 dscp CS0 ecn NON_ECN
fragment id 0x0000
00:05:00:933376: ip4-local
IPSEC_ESP: 2.2.2.2 -> 1.1.1.1
tos 0x00, ttl 253, length 100, checksum 0xb762 dscp CS0 ecn NON_ECN
fragment id 0x0000
00:05:00:933376: ipsec4-tun-input
IPSec: remote:2.2.2.2 spi:255128 (0x0003e498) seq 35 sa 1
00:05:00:933377: esp4-decrypt-tun
esp: crypto aes-gcm-256 integrity none pkt-seq 35 sa-seq 0 sa-seq-hi 0
00:05:00:933377: l2-input
l2-input: sw_if_index 6 dst 02:fe:77:de:51:cf src 02:fe:43:f9:92:b9
00:05:00:933378: l2-learn
l2-learn: sw_if_index 6 dst 02:fe:77:de:51:cf src 02:fe:43:f9:92:b9 bd_index 1
00:05:00:933378: l2-fwd
l2-fwd: sw_if_index 6 dst 02:fe:77:de:51:cf src 02:fe:43:f9:92:b9 bd_index 1 result [0x1010000000004, 4] none
00:05:00:933380: l2-output
l2-output: sw_if_index 4 dst 02:fe:77:de:51:cf src 02:fe:43:f9:92:b9 data 08 06 00 01 08 00 06 04 00 02 02 fe
00:05:00:933380: error-drop
rx:gre0
00:05:00:933381: drop
l2-output: L2 output tag rewrite drops <=== The same error happened as on the Ixia testbed.
Conf file:
create tap host-ns isp host-if-name tap2
set int state tap0 up
set int ip address tap0 10.10.10.10/24
create loopback interface
set int ip address loop0 1.1.1.1/32
set int state loop0 up
ip route add 2.2.2.2/32 via 10.10.10.11
create tap host-ns ns1 host-if-name tap3
set int state tap1 up
create sub tap1 100
set int l2 tag-rewrite tap1.100 pop 1
set int state tap1.100 up
create sub-interfaces tap1 200
set int ip address tap1.200 3.3.3.3/24
set int state tap1.200 up
create gre tunnel src 1.1.1.1 dst 2.2.2.2 teb
set int state gre0 up
create bridge-domain 1
set interface l2 bridge gre0 1
set interface l2 bridge tap1.100 1
ipsec sa add 1 spi 255129 esp crypto-key 0123456789012345678901234567890101234567890123456789012345678901 crypto-alg aes-gcm-256 salt 0x12345678 <== This is the additional IPsec config.
ipsec sa add 2 spi 255128 esp crypto-key 0123456789012345678901234567890101234567890123456789012345678901 crypto-alg aes-gcm-256 salt 0x12345678
ipsec tunnel protect gre0 sa-in 2 sa-out 1