So far, we are using only route-based IPsec in the linux-cp plugin, but it has important overlaps with route synchronization and is not very useful for one of the most common cases - VTI with 0.0.0.0/0 traffic selectors.
We could use this policy-based variant instead, but it seems to be broken.
An example of the configuration that is expected to work:
set interfaces ethernet eth1 address '192.168.99.1/24'
set interfaces ethernet eth2 address '192.168.102.1/24'
set interfaces vti vti1
set protocols static route 192.168.202.0/24 interface vti1
set vpn ipsec authentication psk psk1 id 'A'
set vpn ipsec authentication psk psk1 id 'B'
set vpn ipsec authentication psk psk1 secret 'AB'
set vpn ipsec esp-group esp1 mode 'tunnel'
set vpn ipsec esp-group esp1 pfs 'disable'
set vpn ipsec esp-group esp1 proposal 10 encryption 'aes256'
set vpn ipsec esp-group esp1 proposal 10 hash 'sha256'
set vpn ipsec ike-group ike1 close-action 'none'
set vpn ipsec ike-group ike1 dead-peer-detection action 'clear'
set vpn ipsec ike-group ike1 proposal 10 encryption 'camellia256ccm96'
set vpn ipsec ike-group ike1 proposal 10 hash 'sha256'
set vpn ipsec interface 'eth1'
set vpn ipsec site-to-site peer B authentication local-id 'A'
set vpn ipsec site-to-site peer B authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer B authentication remote-id 'B'
set vpn ipsec site-to-site peer B connection-type 'none'
set vpn ipsec site-to-site peer B default-esp-group 'esp1'
set vpn ipsec site-to-site peer B ike-group 'ike1'
set vpn ipsec site-to-site peer B local-address '192.168.99.1'
set vpn ipsec site-to-site peer B remote-address '192.168.99.3'
set vpn ipsec site-to-site peer B vti bind 'vti1'
set vpp settings buffers buffers-per-numa '1024'
set vpp settings buffers data-size '1700'
set vpp settings buffers page-size '2M'
set vpp settings interface eth1 driver 'dpdk'
set vpp settings interface eth2 driver 'dpdk'
set vpp settings memory default-hugepage-size '2M'
set vpp settings memory main-heap-page-size '2M'
set vpp settings memory main-heap-size '1G'
set vpp settings statseg page-size '2M'
set vpp settings statseg size '128M'
set vpp settings unix poll-sleep-usec '500'
After the IPsec connection is established, SAs and policies seem to be installed in VPP, but binding to the interface looks broken:
vpp# show ipsec all
[0] sa 3325216296 (0xc632c628) spi 3344017626 (0xc751a8da) protocol:esp flags:[anti-replay tunnel udp-encap Protect inbound ]
[1] sa 3419275047 (0xcbcdff27) spi 3366886442 (0xc8ae9c2a) protocol:esp flags:[tunnel udp-encap Protect ]
spd 3325216296
ip4-outbound:
[4] priority 399999 action protect type ip4-outbound protocol any sa 3419275047
local addr range 0.0.0.0 - 0.0.0.0 port range 0 - 65535
remote addr range 0.0.0.0 - 0.0.0.0 port range 0 - 65535
packets 0 bytes 0
[3] priority 399999 action protect type ip4-outbound protocol any sa 3419275047
local addr range 0.0.0.0 - 0.0.0.0 port range 0 - 65535
remote addr range 0.0.0.0 - 0.0.0.0 port range 0 - 65535
packets 0 bytes 0
[1] priority 0 action bypass type ip4-outbound protocol any
local addr range 0.0.0.0 - 255.255.255.255 port range 0 - 65535
remote addr range 0.0.0.0 - 255.255.255.255 port range 0 - 65535
packets 141 bytes 22966
ip6-outbound:
ip4-inbound-protect:
[2] priority 9999 action protect type ip4-inbound-protect protocol any sa 3325216296
local addr range 192.168.99.3 - 192.168.99.3 port range 0 - 65535
remote addr range 192.168.99.1 - 192.168.99.1 port range 0 - 65535
packets 136 bytes 22304
ip6-inbound-protect:
ip4-inbound-bypass:
[0] priority 0 action bypass type ip4-inbound-bypass protocol any
local addr range 0.0.0.0 - 255.255.255.255 port range 0 - 65535
remote addr range 0.0.0.0 - 255.255.255.255 port range 0 - 65535
packets 4 bytes 340
ip6-inbound-bypass:
ip4-inbound-discard:
ip6-inbound-discard:
SPD Bindings:
-969751000 -> eth1
IPSec async mode: off

We should fix this to untie it from the VPP FIB used in route-based IPsec mode. That would give more flexibility in available configuration combinations.
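As an added check that is not part of this report or of the linux-cp plugin, the following Python script parses the `show ipsec all` output quoted above and flags two things that are visible in it: an SPD binding id that only matches a known SPD id once it is read as an unsigned 32-bit value (-969751000 + 2^32 = 3325216296, the SPD id shown), and protect policies whose selector range is 0.0.0.0 - 0.0.0.0, i.e. a single address rather than the 0.0.0.0 - 255.255.255.255 range the bypass policies carry. The function and class names are the example's own, and the reading of a negative binding id as the same 32-bit id printed as a signed number is an assumption made here, not something the report states.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# The `show ipsec all` output quoted in the report, embedded verbatim so the
# checks run offline against it.
SHOW_IPSEC_ALL = """\
[0] sa 3325216296 (0xc632c628) spi 3344017626 (0xc751a8da) protocol:esp flags:[anti-replay tunnel udp-encap Protect inbound ]
[1] sa 3419275047 (0xcbcdff27) spi 3366886442 (0xc8ae9c2a) protocol:esp flags:[tunnel udp-encap Protect ]
spd 3325216296
ip4-outbound:
[4] priority 399999 action protect type ip4-outbound protocol any sa 3419275047
local addr range 0.0.0.0 - 0.0.0.0 port range 0 - 65535
remote addr range 0.0.0.0 - 0.0.0.0 port range 0 - 65535
packets 0 bytes 0
[3] priority 399999 action protect type ip4-outbound protocol any sa 3419275047
local addr range 0.0.0.0 - 0.0.0.0 port range 0 - 65535
remote addr range 0.0.0.0 - 0.0.0.0 port range 0 - 65535
packets 0 bytes 0
[1] priority 0 action bypass type ip4-outbound protocol any
local addr range 0.0.0.0 - 255.255.255.255 port range 0 - 65535
remote addr range 0.0.0.0 - 255.255.255.255 port range 0 - 65535
packets 141 bytes 22966
ip6-outbound:
ip4-inbound-protect:
[2] priority 9999 action protect type ip4-inbound-protect protocol any sa 3325216296
local addr range 192.168.99.3 - 192.168.99.3 port range 0 - 65535
remote addr range 192.168.99.1 - 192.168.99.1 port range 0 - 65535
packets 136 bytes 22304
ip6-inbound-protect:
ip4-inbound-bypass:
[0] priority 0 action bypass type ip4-inbound-bypass protocol any
local addr range 0.0.0.0 - 255.255.255.255 port range 0 - 65535
remote addr range 0.0.0.0 - 255.255.255.255 port range 0 - 65535
packets 4 bytes 340
ip6-inbound-bypass:
ip4-inbound-discard:
ip6-inbound-discard:
SPD Bindings:
-969751000 -> eth1
IPSec async mode: off
"""


@dataclass
class Policy:
    index: int
    priority: int
    action: str
    ptype: str
    sa: Optional[int] = None
    local: Optional[Tuple[str, str]] = None
    remote: Optional[Tuple[str, str]] = None
    packets: int = 0


@dataclass
class IpsecState:
    sas: Dict[int, int] = field(default_factory=dict)          # sa id -> spi
    spds: Dict[int, List[Policy]] = field(default_factory=dict)  # spd id -> policies
    bindings: List[Tuple[int, str]] = field(default_factory=list)


# Line shapes taken from the output above; leading whitespace is tolerated so
# the same parser works on indented output.
SA_RE = re.compile(r"^\s*\[\d+\] sa (\d+) \(0x[0-9a-f]+\) spi (\d+)")
SPD_RE = re.compile(r"^\s*spd (\d+)\s*$")
POLICY_RE = re.compile(r"^\s*\[(\d+)\] priority (\d+) action (\w+) type (\S+) protocol \S+(?: sa (\d+))?")
RANGE_RE = re.compile(r"^\s*(local|remote) addr range (\S+) - (\S+) port range")
COUNT_RE = re.compile(r"^\s*packets (\d+) bytes (\d+)")
BINDING_RE = re.compile(r"^\s*(-?\d+) -> (\S+)\s*$")


def parse_show_ipsec_all(text: str) -> IpsecState:
    """Parse SAs, SPD policies (with selectors and counters) and SPD bindings."""
    state = IpsecState()
    spd: Optional[int] = None
    policy: Optional[Policy] = None
    in_bindings = False
    for line in text.splitlines():
        if in_bindings:
            m = BINDING_RE.match(line)
            if m:
                state.bindings.append((int(m.group(1)), m.group(2)))
                continue
            in_bindings = False  # first non-binding line ends the section
        if line.strip() == "SPD Bindings:":
            in_bindings = True
        elif m := SA_RE.match(line):
            state.sas[int(m.group(1))] = int(m.group(2))
        elif m := SPD_RE.match(line):
            spd = int(m.group(1))
            state.spds.setdefault(spd, [])
        elif (m := POLICY_RE.match(line)) and spd is not None:
            policy = Policy(int(m.group(1)), int(m.group(2)), m.group(3), m.group(4),
                            int(m.group(5)) if m.group(5) else None)
            state.spds[spd].append(policy)
        elif (m := RANGE_RE.match(line)) and policy is not None:
            setattr(policy, m.group(1), (m.group(2), m.group(3)))
        elif (m := COUNT_RE.match(line)) and policy is not None:
            policy.packets = int(m.group(1))
    return state


def binding_matches_spd(binding_id: int, spd_ids) -> Optional[int]:
    """Return the SPD id a binding refers to, or None. Assumption: a negative
    binding id is the same 32-bit id printed as a signed integer."""
    if binding_id in spd_ids:
        return binding_id
    unsigned = binding_id % (1 << 32)
    return unsigned if unsigned in spd_ids else None


def audit(state: IpsecState) -> List[str]:
    """Findings a practitioner would want from this output: binding ids that do not
    match an SPD as printed, protect policies pointing at unknown SAs, and protect
    policies whose selector is the single address 0.0.0.0 instead of 0.0.0.0/0."""
    findings = []
    for bid, ifname in state.bindings:
        spd = binding_matches_spd(bid, state.spds)
        if spd is None:
            findings.append(f"binding {bid} -> {ifname} refers to no known SPD")
        elif spd != bid:
            findings.append(f"binding {bid} -> {ifname} is SPD {spd} printed as signed 32-bit")
    for spd, policies in state.spds.items():
        for p in policies:
            if p.action != "protect":
                continue
            if p.sa is not None and p.sa not in state.sas:
                findings.append(f"spd {spd} policy [{p.index}] references unknown sa {p.sa}")
            for side in ("local", "remote"):
                rng = getattr(p, side)
                if rng and rng[0] == rng[1] == "0.0.0.0":
                    findings.append(f"spd {spd} policy [{p.index}] {p.ptype}: {side} selector "
                                    f"0.0.0.0 - 0.0.0.0 matches one address, not 0.0.0.0/0 "
                                    f"(packets {p.packets})")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_show_ipsec_all(SHOW_IPSEC_ALL)):
        print(finding)
```

Run against the output quoted above, the script reports the eth1 binding as SPD 3325216296 rendered as a signed value and lists the four zero-width 0.0.0.0 selectors on outbound policies [3] and [4], which is consistent with their zero packet counters while the bypass policy with the full range is carrying traffic.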