-
Notifications
You must be signed in to change notification settings - Fork 718
VPP IPSec_and_IKEv2
This page describes the support in the VPP platform for IPSec and IKEv2.
- 1 IPSec
-
2 IKEv2
- 2.1 Features
- 2.2 Configuration
-
2.3 Use cases
- 2.3.1 IKEv2 negotiation between a VPP responder and a strongSwan initiator, using Pre-Shared Key authentication method
- 2.3.2 IKEv2 negotiation between a VPP responder and a VPP initiator, using RSA signature authentication method
- 2.4 Example configuration
This implementation of support for IPSec in the VPP engine includes the following features:
- ESP - Encapsulating Security Payload protocol
- Tunnel mode - encapsulates the entire IP packet
- Transport mode - encapsulates IP payload
- IPv4 and IPv6
Supported cryptographic algorithms for authentication:
- sha1
- sha-256-96
- sha-256-128
- sha-384-192
- sha-512-256
Supported cryptographic algorithms for encryption:
- aes-cbc-128
- aes-cbc-192
- aes-cbc-256
- aes-ctr-128
- aes-ctr-192
- aes-ctr-256
- aes-gcm-128 (128 bit ICV)
- aes-gcm-192 (128 bit ICV)
- aes-gcm-256 (128 bit ICV)
- des-cbc
- 3des-cbc
The following example command shows the configuration sequence to create a Security Policy Database (SPD):
CLI commands
ipsec spd add 1
VAT commands
ipsec_spd_add_del spd_id 1
The following example command shows the configuration sequence to enable SPD on an interface:
CLI commands
set interface ipsec spd GigabitEthernet0/6/0 1
VAT commands
ipsec_interface_add_del_spd GigabitEthernet0/5/0 spd_id 1
The following example command shows the configuration sequence to create a Security Association (SA) for Tunnel mode:
CLI commands
ipsec sa add 10 spi 1001 esp crypto-key 4a506a794f574265564551694d653768 crypto-alg aes-cbc-128 integ-key 4339314b55523947594d6d3547666b45764e6a58 integ-alg sha1-96 tunnel src 192.168.100.3 dst 192.168.100.2
VAT commands
ipsec_sad_add_del_entry esp sad_id 10 spi 1001 crypto_alg aes-cbc-128 crypto_key 4a506a794f574265564551694d653768 integ_alg sha1-96 integ_key 4339314b55523947594d6d3547666b45764e6a58 tunnel_src 192.168.100.3 tunnel_dst 192.168.100.2
The following example command shows the configuration sequence to create a SA for Transport mode:
CLI commands
ipsec sa add 10 spi 1001 esp crypto-key 4a506a794f574265564551694d653768 crypto-alg aes-cbc-128 integ-key 4339314b55523947594d6d3547666b45764e6a58 integ-alg sha1-96
VAT commands
ipsec_sad_add_del_entry esp sad_id 10 spi 1001 crypto_alg aes-cbc-128 crypto_key 4a506a794f574265564551694d653768 integ_alg sha1-96 integ_key 4339314b55523947594d6d3547666b45764e6a58
Parameters:
- spd - SPD identifier
- priority - policy order in SPD, signed integer
- inbound|outbound - policy is for inbound or outbound traffic
- action bypass|discard|protect - policy action, protect action needs aditional parameter "sa "
Traffic selectors (optional parameters):
- local-ip-range <start_ip_addr> - <end_ip_addr>
- remote-ip-range <start_ip_addr> - <end_ip_addr>
- protocol
- local-port-range <start_port> - <end_port> (only for TCP/UDP protocol)
- remote-port-range <start_port> - <end_port> (only for TCP/UDP protocol)
The following example commands show the configuration sequence to create a SPD entry:
CLI commands
ipsec policy add spd 1 inbound priority 10 action protect sa 20 local-ip-range 192.168.4.4 - 192.168.4.4 remote-ip-range 192.168.3.3 - 192.168.3.3
VAT commands
ipsec_spd_add_del_entry spd_id 1 priority 10 inbound action protectsa_id 20 laddr_start 192.168.4.4 laddr_stop 192.168.4.4 raddr_start 192.168.3.3 raddr_stop 192.168.3.3
You can display IPSec SA a SPD using:
show ipsec
sa 10 spi 1001 mode transport protocol esp
crypto alg aes-cbc-128 key 4a506a794f574265564551694d653768 integrity alg sha1-96 key 4339314b55523947594d6d3547666b45764e6a58
sa 20 spi 1000 mode transport protocol esp
crypto alg aes-cbc-128 key 4a506a794f574265564551694d653768 integrity alg sha1-96 key 4339314b55523947594d6d3547666b45764e6a58
spd 1
outbound policies
priority 100 action bypass protocol IPSEC_ESP
local addr range 0.0.0.0 - 255.255.255.255 port range 0 - 65535
remte addr range 0.0.0.0 - 255.255.255.255 port range 0 - 65535
packets 0 bytes 0
priority 100 action bypass protocol IPSEC_ESP
local addr range 0.0.0.0 - 255.255.255.255 port range 0 - 65535
remte addr range 0.0.0.0 - 255.255.255.255 port range 0 - 65535
packets 0 bytes 0
priority 10 action protect protocol any sa 10
local addr range 192.168.100.3 - 192.168.100.3 port range 0 - 65535
remte addr range 192.168.100.2 - 192.168.100.2 port range 0 - 65535
packets 9 bytes 756
priority 100 action bypass protocol IPSEC_ESP
local addr range :: - ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff port range 0 - 65535
remote addr range :: - ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff port range 0 - 65535
packets 0 bytes 0
priority 100 action bypass protocol IPSEC_ESP
local addr range :: - ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff port range 0 - 65535
remote addr range :: - ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff port range 0 - 65535
packets 0 bytes 0
inbound policies
priority 10 action protect protocol any sa 20
local addr range 192.168.100.3 - 192.168.100.3 port range 0 - 65535
remte addr range 192.168.100.2 - 192.168.100.2 port range 0 - 65535
packets 9 bytes 1224
priority 100 action bypass protocol IPSEC_ESP
local addr range 0.0.0.0 - 255.255.255.255 port range 0 - 65535
remte addr range 0.0.0.0 - 255.255.255.255 port range 0 - 65535
packets 0 bytes 0
priority 100 action bypass protocol IPSEC_ESP
local addr range 0.0.0.0 - 255.255.255.255 port range 0 - 65535
remte addr range 0.0.0.0 - 255.255.255.255 port range 0 - 65535
packets 0 bytes 0
priority 100 action bypass protocol IPSEC_ESP
local addr range :: - ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff port range 0 - 65535
remote addr range :: - ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff port range 0 - 65535
packets 0 bytes 0
priority 100 action bypass protocol IPSEC_ESP
local addr range :: - ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff port range 0 - 65535
remote addr range :: - ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff port range 0 - 65535
packets 0 bytes 0
The following example command shows the configuration sequence to update a Security Association (SA) keys:
CLI commands
set ipsec sa 10 crypto-key 4a506a794f574265564551694d653768 integ-key 4339314b55523947594d6d3547666b45764e6a58
VAT commands
ipsec_sa_set_key sa_id 10 crypto_key 4a506a794f574265564551694d653768 integ_key 4339314b55523947594d6d3547666b45764e6a58
This section covers using manually-keyed IPSec connections between VPP and native IPSec stack in the 2.6 kernel series (Ubuntu 14.04) in ESP transport mode.
Install ipsec-tools on Ubuntu:
$ sudo apt-get install ipsec-tools
+--------------------+ +-------------------------+
|Ubuntu | +------------+ | VPP|
| eth3|---|IPSec tunnel|---|GigabitEthernet0/8/0 |
| 192.168.100.2| +------------+ |192.168.100.3 |
| | | |
+--------------------+ +-------------------------+
CLI commands
set int ip address GigabitEthernet0/8/0 192.168.100.3/24
set int state GigabitEthernet0/8/0 up
set ip arp GigabitEthernet0/8/0 192.168.100.2 08:00:27:12:3c:cc
ipsec sa add 10 spi 1001 esp crypto-alg aes-cbc-128 crypto-key 4a506a794f574265564551694d653768 integ-alg sha1-96 integ-key 4339314b55523947594d6d3547666b45764e6a58
ipsec sa add 20 spi 1000 esp crypto-alg aes-cbc-128 crypto-key 4a506a794f574265564551694d653768 integ-alg sha1-96 integ-key 4339314b55523947594d6d3547666b45764e6a58
ipsec spd add 1
set interface ipsec spd GigabitEthernet0/8/0 1
ipsec policy add spd 1 priority 100 inbound action bypass protocol 50
ipsec policy add spd 1 priority 100 outbound action bypass protocol 50
ipsec policy add spd 1 priority 10 inbound action protect sa 20 local-ip-range 192.168.100.3 - 192.168.100.3 remote-ip-range 192.168.100.2 - 192.168.100.2
ipsec policy add spd 1 priority 10 outbound action protect sa 10 local-ip-range 192.168.100.3 - 192.168.100.3 remote-ip-range 192.168.100.2 - 192.168.100.2
VAT commands
sw_interface_add_del_address sw_if_index 1 192.168.100.3/24
sw_interface_set_flags sw_if_index 1 admin-up
ip_neighbor_add_del sw_if_index 1 dst 192.168.100.2 mac 08:00:27:12:3c:cc
ipsec_sad_add_del_entry esp sad_id 10 spi 1001 crypto_alg aes-cbc-128 crypto_key 4a506a794f574265564551694d653768 integ_alg sha1-96 integ_key 4339314b55523947594d6d3547666b45764e6a58
ipsec_sad_add_del_entry esp sad_id 20 spi 1000 crypto_alg aes-cbc-128 crypto_key 4a506a794f574265564551694d653768 integ_alg sha1-96 integ_key 4339314b55523947594d6d3547666b45764e6a58
ipsec_spd_add_del spd_id 1
ipsec_interface_add_del_spd sw_if_index 1 spd_id 1
ipsec_spd_add_del_entry spd_id 1 priority 100 inbound action bypass protocol 50
ipsec_spd_add_del_entry spd_id 1 priority 100 outbound action bypass protocol 50
ipsec_spd_add_del_entry spd_id 1 priority 10 inbound action protectsa_id 20 laddr_start 192.168.100.3 laddr_stop 192.168.100.3 raddr_start 192.168.100.2 raddr_stop 192.168.100.2
ipsec_spd_add_del_entry spd_id 1 priority 10 outbound action protectsa_id 10 laddr_start 192.168.100.3 laddr_stop 192.168.100.3 raddr_start 192.168.100.2 raddr_stop 192.168.100.2
Edit /etc/ipsec-tools.conf file:
# Configuration for 192.168.100.2
# Flush the SAD and SPD
flush;
spdflush;
# ESP SAs
add 192.168.100.2 192.168.100.3 esp 0x000003e8 -E rijndael-cbc
0x4a506a794f574265564551694d653768
-A hmac-sha1 0x4339314b55523947594d6d3547666b45764e6a58;
add 192.168.100.3 192.168.100.2 esp 0x000003e9 -E rijndael-cbc
0x4a506a794f574265564551694d653768
-A hmac-sha1 0x4339314b55523947594d6d3547666b45764e6a58;
# Security policies
spdadd 192.168.100.2 192.168.100.3 any -P out ipsec
esp/transport//require;
spdadd 192.168.100.3 192.168.100.2 any -P in ipsec
esp/transport//require;
Set interface, static ARP and start IPSec:
$ sudo ifconfig eth3 192.168.100.2 netmask 255.255.255.0 up
$ sudo arp -s 192.168.100.3 08:00:27:43:a9:5b
$ sudo /etc/init.d/setkey start
ping output:
$ ping 192.168.100.3 -c 2
PING 192.168.100.3 (192.168.100.3) 56(84) bytes of data.
64 bytes from 192.168.100.3: icmp_seq=1 ttl=254 time=0.368 ms
64 bytes from 192.168.100.3: icmp_seq=2 ttl=254 time=0.284 ms
--- 192.168.100.3 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.284/0.326/0.368/0.042 ms
tcpdump output:
$ sudo tcpdump -vvn -i eth3
tcpdump: listening on eth3, link-type EN10MB (Ethernet), capture size 65535 bytes
04:12:02.197589 IP (tos 0x0, ttl 64, id 19395, offset 0, flags [DF], proto ESP (50), length 136)
192.168.100.2 > 192.168.100.3: ESP(spi=0x000003e8,seq=0x6), length 116
04:12:02.197939 IP (tos 0x0, ttl 254, id 0, offset 0, flags [none], proto ESP (50), length 136)
192.168.100.3 > 192.168.100.2: ESP(spi=0x000003e9,seq=0x6), length 116
04:12:03.198067 IP (tos 0x0, ttl 64, id 19641, offset 0, flags [DF], proto ESP (50), length 136)
192.168.100.2 > 192.168.100.3: ESP(spi=0x000003e8,seq=0x7), length 116
04:12:03.198325 IP (tos 0x0, ttl 254, id 0, offset 0, flags [none], proto ESP (50), length 136)
192.168.100.3 > 192.168.100.2: ESP(spi=0x000003e9,seq=0x7), length 116
VPP error counters:
vpp# show error
Count Node Reason
2 ipsec-output IPSec policy protect
2 esp-decrypt ESP pkts received
2 esp-encrypt ESP pkts received
2 ipsec-input-ip4 IPSEC pkts received
2 ip4-icmp-input echo replies sent
In this section, we configure IPv6 IPSec between VPP peers, using SPD.
The topology is as follows:
+------------------+ +------------------+ +------------------+ +------------------+
| Local Subnet | | VPP Peer (local) +--------+ VPP Peer (remote)| | Remote Subnet |
| 172.16.0.0/16 +--+ 172.16.0.2/16 | IPSec | 10.16.0.2/16 +---+ 10.6.0.0/16 |
| | | 2001::1 +--------+ 2001::2 | | |
+------------------+ +------------------+ +------------------+ +------------------+
The local subnet should reach the remote subnet and vice versa, through the VPP gateways on either side. The communication will be encrypted using IPSec.
The servers on both sides need to be configured as follows, in order to route the traffic to the VPP peers.
ip route add 10.6.0.0/16 via 172.16.0.2
For remote side,
ip route add 172.16.0.0/16 via 10.6.0.2
We create a loopback interface and assign it an address as follows.
loopback create
set int state loop0 up
set int ip address loop0 11.11.11.11/31
set ip neighbor loop0 11.11.11.10 24:6e:96:9c:e5:df
The reason we set 11.11.11.10 ARP entry is because the IPSec SPD runs as an output feature, but not for packets that hit the glean adjacency.
Next we add the SA using the VPP CLI as follows:
set interface lan0 up
set interface ip address lan0 172.16.0.2/16
set interface wan0 up
set interface ip address wan0 2001::1/48
ipsec sa add 10 spi 1000 esp crypto-key 4a506a794f574265564551694d653768 crypto-alg aes-cbc-128 integ-key 4a506a794f574265564551694d653768 sha1-96 tunnel src 2001::1 dst 2001::2
ipsec sa add 20 spi 1001 esp crypto-key 4a506a794f574265564551694d653768 crypto-alg aes-cbc-128 integ-key 4a506a794f574265564551694d653768 sha1-96 tunnel src 2001::1 dst 2001::2
ipsec spd add 1
set interface ipsec spd loop0 1
ipsec policy add spd 1 priority 100 inbound action bypass protocol 50
ipsec policy add spd 1 priority 100 outbound action bypass protocol 50
ipsec policy add spd 1 priority 10 outbound action protect sa 10 local-ip-range 172.16.0.0 - 172.16.255.255 remote-ip-range 10.6.0.0 - 10.6.255.255
ipsec policy add spd 1 priority 10 inbound action protect sa 20 local-ip-range 172.16.0.0 - 172.16.255.255 remote-ip-range 10.6.0.0 - 10.6.255.255
ip route add 10.6.0.0/16 via 11.11.11.10 loop0
ipsec spd add 2
ipsec sa add 30 spi 1000 esp crypto-key 4a506a794f574265564551694d653768 crypto-alg aes-cbc-128 integ-key 4a506a794f574265564551694d653768 sha1-96 tunnel src 2001::1 dst 2001::2
ipsec policy add spd 2 ip6 priority 200 outbound action bypass protocol 50
ipsec policy add spd 2 priority 100 inbound action protect sa 30 local-ip-range 2001::1 - 2001::1 remote-ip-range 2001::2 - 2001::2
set interface ipsec spd wan0 2
On the remote side, we do the same.
loopback create
set int state loop0 up
set int ip address loop0 11.11.11.10/31
set ip neighbor loop0 11.11.11.11 24:6e:96:9c:e5:de
set interface lan0 up
set interface ip address lan0 10.6.0.2/16
set interface wan0 up
set interface ip address wan0 2001::2/48
ipsec sa add 10 spi 1000 esp crypto-key 4a506a794f574265564551694d653768 crypto-alg aes-cbc-128 integ-key 4a506a794f574265564551694d653768 sha1-96 tunnel src 2001::2 dst 2001::1
ipsec sa add 20 spi 1000 esp crypto-key 4a506a794f574265564551694d653768 crypto-alg aes-cbc-128 integ-key 4a506a794f574265564551694d653768 sha1-96 tunnel src 2001::2 dst 2001::1
ipsec spd add 1
set interface ipsec spd loop0 1
ipsec policy add spd 1 priority 100 inbound action bypass protocol 50
ipsec policy add spd 1 priority 100 outbound action bypass protocol 50
ipsec policy add spd 1 priority 10 outbound action protect sa 10 local-ip-range 10.6.0.0 - 10.6.255.255 remote-ip-range 172.16.0.0 - 172.16.255.255
ipsec policy add spd 1 priority 10 outbound action protect sa 20 local-ip-range 10.6.0.0 - 10.6.255.255 remote-ip-range 172.16.0.0 - 172.16.255.255
ip route add 172.16.0.0/16 via 11.11.11.11 loop0
ipsec spd add 2
ipsec sa add 30 spi 1000 esp crypto-key 4a506a794f574265564551694d653768 crypto-alg aes-cbc-128 integ-key 4a506a794f574265564551694d653768 sha1-96 tunnel src 2001::2 dst 2001::1
ipsec policy add spd 2 ip6 priority 200 outbound action bypass protocol 50
ipsec policy add spd 2 priority 100 inbound action protect sa 30 local-ip-range 2001::2 - 2001::2 remote-ip-range 2001::1 - 2001::1
set interface ipsec spd wan0 2
Now the traffic is encrypted between the two subnets.
VPP engine IKEv2 implementation also works as initiator since 17.04.
This implementation of support for IKEv2 in the VPP engine includes the following features:
Exchange Types
| Number | Name | | 34 | IKE SA init | | 35 | IKE auth | | 36 | Create child SA | | 37 | Informational |
Payload Types
| Number | Name | | 0 | No next payload | | 33 | Security Association (SA) | | 34 | Key Exchange (KE) | | 35 | Identification - Initiator (IDi) | | 36 | Identification - Responder (IDr) | | 39 | Authentication (AUTH) | | 40 | Nonce (Ni, Nr) | | 41 | Notify (N) | | 42 | Delete (D) | | 43 | Vendor ID (V) | | 44 | Traffic Selector - Initiator (TSi) | | 45 | Traffic Selector - Responder (TSr) | | 46 | Encrypted and Authenticated (SK) |
Transform Type Values
| Number | Name | | 1 | Encryption Algorithm (ENCR) | | 2 | Pseudo-random Function (PRF) | | 3 | Integrity Algorithm (INTEG) | | 4 | Diffie-Hellman Group (D-H) | | 5 | Extended Sequence Numbers (ESN) |
Encryption Algorithm
| Number | Name | | 2 | DES | | 3 | 3DES | | 12 | AES-CBC (128/192/256) | | 13 | AES-CBC (128/192/256) | | 20 | AES-GCM-16 (128/192/256) |
Pseudo-random Function
| Number | Name | | 1 | HMAC-SHA1 |
Integrity Algorithm
| Number | Name | | 2 | HMAC-SHA1-96 | | 12 | HMAC_SHA2_256_128 | | 13 | HMAC_SHA2_384_192 | | 14 | HMAC_SHA2_512_256 |
Diffie-Hellman Group
| Number | Name | | 1 | 768bit MODP | | 2 | 1024bit MODP | | 5 | 1536bit MODP | | 14 | 2048bit MODP | | 15 | 3072bit MODP | | 16 | 4096bit MODP | | 17 | 6144bit MODP | | 18 | 8192bit MODP | | 19 | 256bit random ECP | | 20 | 384bit random ECP | | 21 | 521bit random ECP | | 22 | 1024bit MODP with 160bit prime order group | | 23 | 2048bit MODP with 224bit prime order group | | 24 | 2048bit MODP with 256bit prime order group | | 25 | 192bit random ECP |
Extended Sequence Numbers
| Number | Name | | 0 | No ESN | | 1 | ESN |
ID Types
| Number | Name | | 1 | IPv4 address | | 2 | FQDN | | 3 | RFC822 | | 11 | Key ID |
Authentication Method
| Number | Name | | 1 | RSA digital signature | | 2 | Shared key message integrity code |
Traffic Selector Types
| Number | Name | | 7 | IPv4 address range |
Security Protocol Identifiers
| Number | Name | | 1 | IKE | | 3 | ESP |
The following example command shows the configuration sequence to create a IKEv2 profile:
CLI commands
ikev2 profile add profile1
VAT commands
ikev2_profile_add_del name profile1
The following example command shows the configuration sequence to set a IKEv2 profile authentication shared-key-mic string format:
CLI commands
ikev2 profile set profile1 auth shared-key-mic string Vpp123
VAT commands
ikev2_profile_set_auth name profile1 auth_method shared-key-mic auth_data Vpp123
The following example command shows the configuration sequence to set a IKEv2 profile authentication shared-key-mic hex format:
CLI commands
ikev2 profile set profile1 auth shared-key-mic hex abcd1234
VAT commands
ikev2_profile_set_auth name profile1 auth_method shared-key-mic auth_data 0xabcd1234
The following example command shows the configuration sequence to set a IKEv2 profile authentication rsa-sig:
CLI commands
ikev2 profile set profile1 auth rsa-sig cert-file /home/localadmin/certs/server-cert.pem
set ikev2 local key /home/localadmin/certs/client-key.pem
VAT commands
ikev2_profile_set_auth name profile1 auth_method rsa-sig auth_data /home/localadmin/certs/server-cert.pem
ikev2_set_local_key file /home/localadmin/certs/client-key.pem
The following example command shows the configuration sequence to set a IKEv2 profile remote ID IPv4 address:
CLI commands
ikev2 profile set profile1 id remote ip4-addr 192.168.123.20
VAT commands
ikev2_profile_set_id name profile1 id_type ip4-addr id_data 192.168.123.20 remote
The following example command shows the configuration sequence to set a IKEv2 profile local ID FQDN:
CLI commands
ikev2 profile set profile1 id local fqdn vpp.home
VAT commands
ikev2_profile_set_id name profile1 id_type fqdn id_data vpp.home local
The following example command shows the configuration sequence to set a IKEv2 profile local ID key-id:
CLI commands
ikev2 profile set profile1 id local key-id 0xabcd
VAT commands
ikev2_profile_set_id name profile2 id_type key-id id_data 0xabcd local
The following example command shows the configuration sequence to set a IKEv2 profile local ID rfc822 (email address):
CLI commands
ikev2 profile set profile1 id local rfc822 [email protected]
VAT commands
ikev2_profile_set_id name profile2 id_type rfc822 id_data [email protected] local
The following example command shows the configuration sequence to set a IKEv2 profile traffic selector:
CLI commands
ikev2 profile set profile1 traffic-selector local ip-range 192.168.124.0 - 192.168.124.255 port-range 0 - 65535 protocol 0
ikev2 profile set profile1 traffic-selector remote ip-range 192.168.125.0 - 192.168.125.255 port-range 0 - 65535 protocol 0
VAT commands
ikev2_profile_set_ts name profile1 protocol 0 start_port 0 end_port 65535 start_addr 192.168.124.0 end_addr 192.168.124.255 local
ikev2_profile_set_ts name profile1 protocol 0 start_port 0 end_port 65535 start_addr 192.168.125.0 end_addr 192.168.125.255 remote
You can display IKEv2 profiles using:
show ikev2 sa
profile pr1
auth-method shared-key-mic auth data Vpp123
local id-type fqdn data vpp.home
remote id-type fqdn data roadwarrior.vpn.example.com
local traffic-selector addr 192.168.124.0 - 192.168.124.255 port 0 - 65535 protocol 0
remote traffic-selector addr 192.168.125.0 - 192.168.125.255 port 0 - 65535 protocol 0
IKEv2 negotiation between a VPP responder and a strongSwan initiator, using Pre-Shared Key authentication method
In this section, we configure VPP as an IKEv2 responder, then we initiate the exchange with strongSwan as an initiator.
Here is the topology we use in this example:
-------------- ------------- -------------
| | 192.168.4.0/24 | | 192.168.5.0/24 | |
192.168.3.1 X strongSwan X================X VPP X=================X HTTP |
| Initiator |.1 .2| Responder |.2 .1| Server |
-------------- ------------- -------------
strongSwan client will reach the HTTP Server going through the VPP gateway securely. The communication will be encrypted between strongSwan initiator and VPP responder.
First, you need to have a server with a web server installed and on.
Then set an IP address to interface enp5s0f0 (root privileges required): (Here enp5s0f0 is the name of my interface, you should probably adapt the command lines to yours)
ip link set dev enp5s0f0 up
ip address add 192.168.5.1/24 dev enp5s0f0
Finally you must create a route to 192.168.3.0/24 network.
ip route add 192.168.3.0/24 via 192.168.5.2
On the client we will create a loopback interface and set an IP address to it (this require the dummy kernel module):
ip link add name loop1 type dummy
ip link set dev loop1 up
ip address add 192.168.3.1/24 dev loop1
Then we will configure the interface connected to the VPP IPsec responder:
ip link set dev enp5s0f0 up
ip address add 192.168.4.1/24 dev enp5s0f0
Create route to distant network:
ip route add 192.168.5.0/24 via 192.168.4.2
Warning: this configuration is an example and is not recommended for real purpose communications. (weak ciphersuite)
We will set authentication using pre-shared key (PSK). Traffic selectors are from 192.168.3.0/24 to 192.168.5.0/24 for all protocols.
/etc/ipsec.conf
config setup
strictcrlpolicy=no
conn %default
ike=aes256-sha1-modp2048!
esp=aes192-sha1-esn!
mobike=no
keyexchange=ikev2
ikelifetime=24h
lifetime=24h
conn net-net
right=192.168.4.2
rightsubnet=192.168.5.0/24
rightauth=psk
[email protected]
left=192.168.4.1
leftsubnet=192.168.3.0/24
leftauth=psk
[email protected]
auto=start
/etc/ipsec.secrets
: PSK "Vpp123"
First you have to turn interfaces on, and to set addresses to them:
set interface state TenGigabitEthernet4/0/0 up
set interface ip address TenGigabitEthernet4/0/0 192.168.4.2/24
set interface state TenGigabitEthernet5/0/0 up
set interface ip address TenGigabitEthernet5/0/0 192.168.5.2/24
Then, create an IKEv2 profile (must match initiator parameters):
ikev2 profile add pr1
ikev2 profile set pr1 auth shared-key-mic string Vpp123
ikev2 profile set pr1 id local fqdn vpp.home
ikev2 profile set pr1 id remote fqdn roadwarrior.vpn.example.com
ikev2 profile set pr1 traffic-selector local ip-range 192.168.5.0 - 192.168.5.255 port-range 0 - 65535 protocol 0
ikev2 profile set pr1 traffic-selector remote ip-range 192.168.3.0 - 192.168.3.255 port-range 0 - 65535 protocol 0
You can check the profile list using the following command:
vpp# show ikev2 profile
profile pr1
auth-method shared-key-mic auth data Vpp123
local id-type fqdn data vpp.home
remote id-type fqdn data roadwarrior.vpn.example.com
local traffic-selector addr 192.168.5.0 - 192.168.5.255 port 0 - 65535 protocol 0
remote traffic-selector addr 192.168.3.0 - 192.168.3.255 port 0 - 65535 protocol 0
Once everything is configured properly you can initiate IKEv2 negotiation on the machine running strongSwan:
ipsec restart
If the negotiation ended up successfully, you should observe this output on VPP responder instance:
vpp# show interface
Name Idx State Counter Count
TenGigabitEthernet4/0/0 1 up rx packets 5
rx bytes 1426
tx packets 4
tx bytes 766
drops 2
ip4 3
TenGigabitEthernet5/0/0 5 up
ipsec0 9 down
local0 0 down
vpp# show ikev2 sa
iip 192.168.4.1 ispi f40329997e6563dd rip 192.168.4.2 rspi 984e52c554274bc6
encr:aes-cbc-256 prf:hmac-sha1 integ:sha1-96 dh-group:modp-2048
nonce i:255224a51f9466c127a38dbc8a02d26aef126b761cffd226ce50e913fc924401
r:5b753c202b6e3ea60f0bfe10bf0bee86fb882c4fd686934de4e19053b9c17e57
SK_d bee5291d974f8119af474620f9ec70a51704a422
SK_a i:54cee37b588e7a91c3ddac4b28eae7cd02ca3592
r:e236ab21a5403cbb381d0f33431600ad1fe1cc6e
SK_e i:dca8461456b9b02050d5fa5d73ec57d5159e6f3dade91aac57c2a4c2a6c95b48
r:d477f31b2d7befc557b8b14aea7101aedd43eb90cc028ab540f03dce762fda42
SK_p i:1f169c5abc7fef5e863bbc8f9aa2d973548ead8f
r:07fb9076ad5a47bd715677c60e1dadf7831c5af0
identifier (i) fqdn roadwarrior.vpn.example.com
identifier (r) fqdn vpp.home
child sa 0:
encr:aes-cbc-192 integ:sha1-96 esn:yes
spi(i) c0b24047 spi(r) 63199535
SK_e i:7ee71f3b1168b19b656e39575e985466fa86a71f802d55e6
r:2e43283551a2408a1b8ebf16769d748118e439f2591ab562
SK_a i:ab331c5718cc21811e8bd35313a17c6149d0a7f4
r:6111429868ff314520d43c12523b23f06e6f9e7d
traffic selectors (i):
0 type 7 protocol_id 0 addr 192.168.3.0 - 192.168.3.255 port 0 - 65535
traffic selectors (r):
0 type 7 protocol_id 0 addr 192.168.5.0 - 192.168.5.255 port 0 - 65535
iip 192.168.4.1 ispi f40329997e6563dd rip 192.168.4.2 rspi 984e52c554274bc6
vpp# show ipsec
tunnel interfaces
ipsec0 seq
seq 0 seq-hi 0 esn 1 anti-replay 1
local-spi 3232907335 local-ip 192.168.4.2
local-crypto aes-cbc-192 2e43283551a2408a1b8ebf16769d748118e439f2591ab562
local-integrity sha1-96 6111429868ff314520d43c12523b23f06e6f9e7d
last-seq 0 last-seq-hi 0 esn 1 anti-replay 1 window 0000000000000000000000000000000000000000000000000000000000000000
remote-spi 1662620981 remote-ip 192.168.4.1
remote-crypto aes-cbc-192 7ee71f3b1168b19b656e39575e985466fa86a71f802d55e6
remote-integrity sha1-96 ab331c5718cc21811e8bd35313a17c6149d0a7f4
As you can see a new interface called ipsec0 was created.
At this point of the configuration, you still do not have end to end secure connectivity. You need to route traffic through ipsec0 created interface on VPP. There are two ways of doing it.
First: using a dummy IP address.
set interface state ipsec0 up
set interface ip address ipsec0 11.11.11.11/32
ip route add 192.168.3.0/24 via 11.11.11.11 ipsec0
Second: binding logical and physical interfaces
You must use tunnel endpoint interface.
ip route add 192.168.3.0/24 via ipsec0
set interface state ipsec0 up
set interface unnumbered ipsec0 use TenGigabitEthernet4/0/0
To verify connectivity you can use the following command:
wget --bind-address=192.168.3.1 192.168.5.1/index.html
In order to check that frames are encrypted, run tcpdump on the strongSwan client. You should observe ESP frames.
IKEv2 negotiation between a VPP responder and a VPP initiator, using RSA signature authentication method
In this section, you learn how to negotiate an IPsec tunnel between two VPP processes (one initiator and one responder). We use the digital signature authentication method documented in RFC 7427.
The following topology is used in this tutorial:
--------------- ---------------
| | 192.168.4.0/24 | |
192.168.3.1 X VPP X================X VPP X 192.168.5.1
| responder |.1 .2| initiator |
--------------- ---------------
For the digital signature authentication, you need two certificates. There is no need to create a full-blown PKI, because this is not a real X509 certificate verification.
NB: You must use PEM format.
You may generate them using strongSwan CLI:
ipsec pki --gen > server-key.der
ipsec pki --self --in server-key.der --dn "CN=vpp.home" > server-cert.der
ipsec pki --gen > client-key.der
ipsec pki --self --in client-key.der --dn "CN=roadwarrior.vpn.example.com" > client-cert.der
Then you can convert them to PEM format with openssl:
openssl x509 -inform DER -in client-cert.der -out client-cert.pem
openssl rsa -inform DER -in client-key.der -out client-key.pem
openssl x509 -inform DER -in server-cert.der -out server-cert.pem
openssl rsa -inform DER -in server-key.der -out server-key.pem
Finally, you need to copy each certificate on each machine.
First we turn interfaces on, and we set IP addresses to them:
(In this example we use TenGigabitEthernet5/0/1, but this could be replaced with a loopback interface)
set interface state TenGigabitEthernet5/0/0 up
set interface ip address TenGigabitEthernet5/0/0 192.168.4.1/24
set interface state TenGigabitEthernet5/0/1 up
set interface ip address TenGigabitEthernet5/0/1 192.168.3.1/24
Then we create the IKEv2 profile specifying the authentication method, the IDs and the traffic selector.
ikev2 profile add pr1
ikev2 profile set pr1 auth rsa-sig cert-file /home/xxxxx/certs/client-cert.pem
set ikev2 local key /home/xxxxx/certs/server-key.pem
ikev2 profile set pr1 id remote fqdn vpp.home
ikev2 profile set pr1 id local fqdn roadwarrior.vpn.example.com
ikev2 profile set pr1 traffic-selector remote ip-range 192.168.5.0 - 192.168.5.255 port-range 0 - 65535 protocol 0
ikev2 profile set pr1 traffic-selector local ip-range 192.168.3.0 - 192.168.3.255 port-range 0 - 65535 protocol 0
Setting up interfaces:
set interface state TenGigabitEthernet5/0/0 up
set interface ip address TenGigabitEthernet5/0/0 192.168.5.1/24
set interface state TenGigabitEthernet4/0/0 up
set interface ip address TenGigabitEthernet4/0/0 192.168.4.2/24
Creating IKEv2 profile (must match responder profile):
ikev2 profile add pr1
ikev2 profile set pr1 auth rsa-sig cert-file /home/xxxxx/certs/server-cert.pem
set ikev2 local key /home/xxxxx/certs/client-key.pem
ikev2 profile set pr1 id local fqdn vpp.home
ikev2 profile set pr1 id remote fqdn roadwarrior.vpn.example.com
ikev2 profile set pr1 traffic-selector local ip-range 192.168.5.0 - 192.168.5.255 port-range 0 - 65535 protocol 0
ikev2 profile set pr1 traffic-selector remote ip-range 192.168.3.0 - 192.168.3.255 port-range 0 - 65535 protocol 0
Then we need to set parameters that are related to the initiator part.
We tell VPP where the responder is reachable, we provide the ciphersuite that whould be used for IKEv2 and IPsec and set the lifetime parameters.
ikev2 profile set pr1 responder TenGigabitEthernet4/0/0 192.168.4.1
ikev2 profile set pr1 ike-crypto-alg aes-cbc 256 ike-integ-alg sha1-96 ike-dh modp-2048
ikev2 profile set pr1 esp-crypto-alg aes-cbc 256 esp-integ-alg sha1-96 esp-dh ecp-256
ikev2 profile set pr1 sa-lifetime 3600 10 5 0
This command is used to launch to IKEv2 negotiation:
ikev2 initiate sa-init pr1
An IPsec interface (here it is ipsec0) should appear after the negotiation succeeded.
vpp# show interface
Name Idx State Counter Count
TenGigabitEthernet4/0/0 1 up
TenGigabitEthernet5/0/0 5 up
ipsec0 9 down
local0 0 down
You can check if the IKEv2 negotiate succeeded using the following commands:
vpp# show ikev2 sa
iip 192.168.4.2 ispi ec950648b69dec3c rip 192.168.4.1 rspi f1a9f9f7e5d63956
encr:aes-cbc-256 prf:hmac-sha1 integ:sha1-96 dh-group:modp-2048
nonce i:05fe57abefe1b0b4d2dc5d74f8aebaa230e7ec81d7ca37f25321236631dc463b
r:83ac5b9853f9323c1ee162da97e777a6f5919e20ea1da7c671ac3df5f53c1ba0
SK_d bb9a49c2e66fc2c5680a20a2eb7c5d4ca7a32a4a
SK_a i:6d20df7814eb4884072f649a1512c0909efe0ce3
r:ad789964e81d5a0c6f8049986119300ddc816abb
SK_e i:53dcde06992e85c5018bc9cf8bdd35729fe6212a46158ac46ecfda52307c29e0
r:ea0758919c6ee34b031666652a6c0ade2a1ce02acaa021ef4b105de171b2ce25
SK_p i:a3027f2472237f2d15155901c311378d91dc4212
r:bd3cb0bfd9efedc45616b241aa4681cede63f572
identifier (i) fqdn vpp.home
identifier (r) fqdn roadwarrior.vpn.example.com
child sa 0:
encr:aes-cbc-256 integ:sha1-96 esn:yes
spi(i) 93784997 spi(r) 11b09095
SK_e i:34c4c60c0b5e34217f37e97ddb3a0254d1f854811707980f5d4a463068df01c3
r:9fc168defbe2c8934657b78ad42b02933421d05822ebd11fff8d945fac65f7af
SK_a i:133d30c34d874230ddc99ca06f855ea154004b30
r:96d5301bdb3fc80594908a18fafd8efadedbc063
traffic selectors (i):
0 type 7 protocol_id 0 addr 192.168.5.0 - 192.168.5.255 port 0 - 65535
traffic selectors (r):
0 type 7 protocol_id 0 addr 192.168.3.0 - 192.168.3.255 port 0 - 65535
iip 192.168.4.2 ispi ec950648b69dec3c rip 192.168.4.1 rspi f1a9f9f7e5d63956
vpp# show ipsec
tunnel interfaces
ipsec0 seq
seq 0 seq-hi 0 esn 1 anti-replay 1
local-spi 2474133911 local-ip 192.168.4.1
local-crypto aes-cbc-256 9fc168defbe2c8934657b78ad42b02933421d05822ebd11fff8d945fac65f7af
local-integrity sha1-96 96d5301bdb3fc80594908a18fafd8efadedbc063
last-seq 0 last-seq-hi 0 esn 1 anti-replay 1 window 0000000000000000000000000000000000000000000000000000000000000000
remote-spi 296784021 remote-ip 192.168.4.2
remote-crypto aes-cbc-256 34c4c60c0b5e34217f37e97ddb3a0254d1f854811707980f5d4a463068df01c3
remote-integrity sha1-96 133d30c34d874230ddc99ca06f855ea154004b30
After the negotiation succeeded, you need to route the traffic through the ipsec0 interface that was created. There are two ways of doing it.
First: you can use dummy IP addresses as it follows.
On the responder:
set interface state ipsec0 up
set interface ip address ipsec0 10.10.10.1/24
ip route add 192.168.5.0/24 via 10.10.10.1 ipsec0
On the initiator:
set interface state ipsec0 up
set interface ip address ipsec0 10.10.10.2/24
ip route add 192.168.3.0/24 via 10.10.10.2 ipsec0
Second: you can bind the virtual interface to a physical one.
You have to select the physical interface that is used as a tunnel endpoint.
On the responder:
ip route add 192.168.5.0/24 via ipsec0
set interface state ipsec0 up
set interface unnumbered ipsec0 use TenGigabitEthernet5/0/0
On the initiator:
ip route add 192.168.3.0/24 via ipsec0
set interface state ipsec0 up
set interface unnumbered ipsec0 use TenGigabitEthernet4/0/0
On the responder you can execute the following command to generate traffic that will be encapsulated with IPsec:
vpp# ping 192.168.5.1 source TenGigabitEthernet5/0/1
64 bytes from 192.168.5.1: icmp_seq=1 ttl=64 time=.1456 ms
64 bytes from 192.168.5.1: icmp_seq=2 ttl=64 time=.0363 ms
64 bytes from 192.168.5.1: icmp_seq=3 ttl=64 time=.0349 ms
64 bytes from 192.168.5.1: icmp_seq=4 ttl=64 time=.0365 ms
64 bytes from 192.168.5.1: icmp_seq=5 ttl=64 time=.0363 ms
Then the sequence number should increment (seq 5):
vpp# show ipsec
tunnel interfaces
ipsec0 seq
seq 5 seq-hi 0 esn 1 anti-replay 1
local-spi 2474133911 local-ip 192.168.4.1
local-crypto aes-cbc-256 9fc168defbe2c8934657b78ad42b02933421d05822ebd11fff8d945fac65f7af
local-integrity sha1-96 96d5301bdb3fc80594908a18fafd8efadedbc063
last-seq 5 last-seq-hi 0 esn 1 anti-replay 1 window 1111100000000000000000000000000000000000000000000000000000000000
remote-spi 296784021 remote-ip 192.168.4.2
remote-crypto aes-cbc-256 34c4c60c0b5e34217f37e97ddb3a0254d1f854811707980f5d4a463068df01c3
remote-integrity sha1-96 133d30c34d874230ddc99ca06f855ea154004b30
This section covers IKEv2 connection between VPP and strongswan.
Install strongswan on Ubuntu:
$ sudo apt-get install strongswan
CLI commands
set int state GigabitEthernet0/8/0 up
set int ip address GigabitEthernet0/8/0 192.168.100.3/24
ikev2 profile add pr1
ikev2 profile set pr1 auth shared-key-mic string Vpp123
ikev2 profile set pr1 id local fqdn vpp.home
ikev2 profile set pr1 id remote fqdn roadwarrior.vpn.example.com
ikev2 profile set pr1 traffic-selector local ip-range 192.168.124.0 - 192.168.124.255 port-range 0 - 65535 protocol 0
ikev2 profile set pr1 traffic-selector remote ip-range 192.168.125.0 - 192.168.125.255 port-range 0 - 65535 protocol 0
VAT commands
sw_interface_add_del_address sw_if_index 1 192.168.100.3/24
sw_interface_set_flags sw_if_index 1 admin-up
ikev2_profile_add_del name pr1
ikev2_profile_set_auth name pr1 auth_method shared-key-mic auth_data Vpp123
ikev2_profile_set_id name pr1 id_type fqdn id_data vpp.home local
ikev2_profile_set_id name pr1 id_type fqdn id_data roadwarrior.vpn.example.com remote
ikev2_profile_set_ts name pr1 protocol 0 start_port 0 end_port 65535 start_addr 192.168.124.0 end_addr 192.168.124.255 local
ikev2_profile_set_ts name pr1 protocol 0 start_port 0 end_port 65535 start_addr 192.168.125.0 end_addr 192.168.125.255 remote
Set interface address:
$ sudo ifconfig eth3 192.168.100.2 netmask 255.255.255.0 up
Edit /etc/ipsec.conf file:
config setup
strictcrlpolicy=no
conn %default
ike=aes256-sha1-modp2048!
esp=aes192-sha1-esn!
mobike=no
keyexchange=ikev2
ikelifetime=24h
lifetime=24h
conn net-net
right=192.168.100.3
rightsubnet=192.168.124.0/24
rightauth=psk
[email protected]
left=192.168.100.2
leftsubnet=192.168.125.0/24
leftauth=psk
[email protected]
auto=start
Edit /etc/ipsec.secrets file:
: PSK "Vpp123"
Start strongswan:
$ sudo ipsec start
Show strongswan status:
$ sudo ipsec statusall
Status of IKE charon daemon (strongSwan 5.1.2, Linux 3.16.0-30-generic, x86_64):
uptime: 98 seconds, since Aug 01 05:49:29 2016
malloc: sbrk 2162688, mmap 0, used 343648, free 1819040
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 rdrand random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default stroke updown eap-identity addrblock
Listening IP addresses:
10.0.2.15
192.168.100.2
192.168.3.3
Connections:
net-net: 192.168.100.2...192.168.100.3 IKEv2
net-net: local: [roadwarrior.vpn.example.com] uses pre-shared key authentication
net-net: remote: [vpp.home] uses pre-shared key authentication
net-net: child: 192.168.125.0/24 === 192.168.124.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
net-net[1]: ESTABLISHED 98 seconds ago, 192.168.100.2[roadwarrior.vpn.example.com]...192.168.100.3[vpp.home]
net-net[1]: IKEv2 SPIs: 0f67b83d6e53310a_i* b0bfbfe3b873c7af_r, pre-shared key reauthentication in 23 hours
net-net[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
net-net{1}: INSTALLED, TUNNEL, ESP SPIs: cbf74e7b_i 117dc2e1_o
net-net{1}: AES_CBC_192/HMAC_SHA1_96/ESN, 0 bytes_i, 0 bytes_o, rekeying in 23 hours
net-net{1}: 192.168.125.0/24 === 192.168.124.0/24
VPP IKEv2 status:
vpp# show ikev2 sa
iip 192.168.100.2 ispi a31536e3db8670f rip 192.168.100.3 rspi afc773b8e3bfbfb0
encr:aes-cbc-256 prf:hmac-sha1 integ:sha1-96 dh-group:modp-2048
nonce i:91ce22374a5eb57903ce3c7accab6a697b7c77edabee71d0f8d4933fa5be36de
r:78e83bf1889891d07e5aef522568f84d9ba2feee94f6a0c8e93c4c0b6cf3fdc7
SK_d 9e731d25b49d4586b9ee029040af1c53d3b0a463
SK_a i:a65a66517ba183e5afe10a3f437462033907fe81
r:a3ee4af9abb8ea87ebd2d36c9f92b56cae0adc51
SK_e i:245203c55c2c1d476e4977351ac5aacab995420bd4f4a5bae36530c0b481c2d5
r:8f4a1d4d50bb7152bad52f59719e3764d55d72aa9765f02f5496b115dc3bc7f1
SK_p i:3182ff3e52efaf3c951114b949d8751d491b0f09
r:431e2453cc8fe5accbbdd3efcb44642c961f60a8
identifier (i) fqdn roadwarrior.vpn.example.com
identifier (r) fqdn vpp.home
child sa 0:
encr:aes-cbc-192 integ:sha1-96 esn:yes
spi(i) cbf74e7b spi(r) 117dc2e1
SK_e i:5dad89b09ddcb6ef62b08e390c8cccec4fadbd81fdfee6df
r:4ec5b4adb6a27ef95bd9281c4090c0a6a131f574d4ed3a9d
SK_a i:45fa72c50b05517f744651b2e236e38651f54407
r:71e6dabf7d8325f3bae7e42ca40b4a491a2a1d84
traffic selectors (i):
0 type 7 protocol_id 0 addr 192.168.125.0 - 192.168.125.255 port 0 - 65535
traffic selectors (r):
0 type 7 protocol_id 0 addr 192.168.124.0 - 192.168.124.255 port 0 - 65535
iip 192.168.100.2 ispi a31536e3db8670f rip 192.168.100.3 rspi afc773b8e3bfbfb0
VPP create ipsec tunnel interface when IKEv2 connection is established and child SA created.
vpp# show interface
Name Idx State Counter Count
GigabitEthernet0/8/0 1 up rx packets 8
rx bytes 1318
tx packets 7
tx bytes 1098
drops 1
ip4 7
GigabitEthernet0/9/0 2 down
ipsec0 3 down
You can see ipsec tunnel interface details:
vpp# show ipsec
tunnel interfaces
ipsec0 seq
seq 1 seq-hi 0 esn 1 anti-replay 1
local-spi 3421982331 local-ip 192.168.100.3
local-crypto aes-cbc-192 4ec5b4adb6a27ef95bd9281c4090c0a6a131f574d4ed3a9d
local-integrity sha1-96 71e6dabf7d8325f3bae7e42ca40b4a491a2a1d84
last-seq 0 last-seq-hi 0 esn 1 anti-replay 1 window 0000000000000000000000000000000000000000000000000000000000000000
remote-spi 293454561 remote-ip 192.168.100.2
remote-crypto aes-cbc-192 5dad89b09ddcb6ef62b08e390c8cccec4fadbd81fdfee6df
remote-integrity sha1-96 45fa72c50b05517f744651b2e236e38651f54407
- VPP-ABF
- VPP API Concepts
- VPP API Versioning
- VPP-ApiChangeProcess
- VPP-ArtifactVersioning
- VPP-BIER
- VPP-Bihash
- VPP-BugReports
- VPP Build System Deep Dive
- VPP Build, Install, And Test Images
- VPP-BuildArtifactRetentionPolicy
- VPP-c2cpel
- VPP-CodingTips
- VPP Command Line Arguments
- VPP Command Line Interface CLI Guide
- VPP-CommitMessages
- VPP-CommitterTasks-ApiFreeze
- VPP CommitterTasks Compare API Changes
- VPP-CommitterTasks-CutPointRelease
- VPP-CommitterTasks-CutRelease
- VPP-CommitterTasks-FinalReleaseCandidate
- VPP-CommitterTasks-PullThrottleBranch
- VPP-CommitterTasks-ReleasePlan
- VPP Configure An LW46 MAP E Terminator
- VPP Configure VPP As A Router Between Namespaces
- VPP Configure VPP TAP Interfaces For Container Routing
- VPP-CoreFileMismatch
- VPP-cpel
- VPP-cpeldump
- VPP-DHCPv6
- VPP-DistributedOwnership
- VPP DPOs And Feature Arcs
- VPP EC2 Instance With SRIOV
- VPP-elog
- VPP-FAQ
- VPP Feature Arcs
- VPP-g2
- VPP-HA
- VPP-HostStack
- VPP-HostStack-BuiltinEchoClientServer
- VPP-HostStack-EchoClientServer
- VPP-HostStack-ExternalEchoClientServer
- VPP HostStack Hs Test
- VPP-HostStack-LDP-iperf
- VPP-HostStack-LDP-nginx
- VPP-HostStack-LDP-sshd
- VPP-HostStack-nginx
- VPP-HostStack-SessionLayerArchitecture
- VPP-HostStack-TestHttpServer
- VPP-HostStack-TestProxy
- VPP-HostStack-TLS
- VPP-HostStack-VCL
- VPP-HostStack-VclEchoClientServer
- VPP How To Add A Tunnel Encapsulation
- VPP How To Build The Sample Plugin
- VPP How To Connect A PCI Interface To VPP
- VPP How To Create A VPP Binary Control Plane API
- VPP How To Deploy VPP In EC2 Instance And Use It To Connect Two Different VPCs
- VPP How To Optimize Performance %28System Tuning%29
- VPP How To Use The API Trace Tools
- VPP How To Use The C API
- VPP How To Use The Packet Generator And Packet Tracer
- VPP-Howtos
- VPP Installing VPP Binaries From Packages
- VPP Interconnecting vRouters With VPP
- VPP Introduction To IP Adjacency
- VPP Introduction To N Tuple Classifiers
- VPP-IPFIX
- VPP-IPSec
- VPP IPSec And IKEv2
- VPP-Macswapplugin
- VPP-Meeting
- VPP-MFIB
- VPP Missing Prefetches
- VPP Modifying The Packet Processing Directed Graph
- VPP MPLS FIB
- VPP-NAT
- VPP Per Feature Notes
- VPP Performance Analysis Tools
- VPP-perftop
- VPP Project Meeting Minutes
- VPP Pulling, Building, Running, Hacking And Pushing VPP Code
- VPP Pure L3 Between Namespaces With 32s
- VPP Pure L3 Container Networking
- VPP Pushing And Testing A Tag
- VPP Python API
- VPP-QuickTrexSetup
- VPP Random Hints And Kinks For KVM Usage
- VPP Release Plans Release Plan 26.06
- VPP-RM
- VPP-SecurityGroups
- VPP Segment Routing For IPv6
- VPP Segment Routing For MPLS
- VPP Setting Up Your Dev Environment
- VPP-SNAT
- VPP Software Architecture
- VPP STN Testing
- VPP The VPP API
- VPP Training Events
- VPP-Troubleshooting
- VPP-Troubleshooting-BuildIssues
- VPP-Troubleshooting-Vagrant
- VPP Tutorial DPDK And MacSwap
- VPP-Tutorials
- VPP Use VPP To Chain VMs Using Vhost User Interface
- VPP Use VPP To Connect VMs Using Vhost User Interface
- VPP Using mTCP User Mode TCP Stack With VPP
- VPP Using VPP As A VXLAN Tunnel Terminator
- VPP VPP BFD Nexus
- VPP VPP Home Gateway
- VPP-VPPCommunicationsLibrary
- VPP What Is VPP
- VPP Working With The 16.06 Throttle Branch