
VPP: Optional pre‑FIB IPsec policy lookup
Open, Normal / Public / FEATURE REQUEST

Description

Summary

Add an opt‑in processing mode to VPP (exposed via config/API) so that, for tunnel‑mode IPsec SAs synchronized from the Linux kernel, the IPsec policy/SA lookup occurs before the generic FIB lookup. As an alternative (or complementary) option, allow a mode that performs the FIB lookup only for the peer's address (instead of the original unencrypted packet's destination).

Use case

Many deployments use VTI interfaces with 0.0.0.0/0 and ::/0 traffic selectors on both sides. With route mode always enabled (enable-route-mode-ipsec), as it is today, VPP installs a default route via the IPsec peer for such connections after ingesting the SAs/SPDs synchronized from the kernel. This causes unintended "default‑through‑tunnel" forwarding, sending unrelated traffic to the peer. If route mode is disabled, VPP installs no routes, so protected traffic is dropped when there is no other default route, even though tunnel mode only requires that the peer itself be reachable.

Typical config example:

set interfaces ethernet eth1 address '192.168.99.1/24'
set interfaces ethernet eth2 address '192.168.102.1/24'
set interfaces vti vti1
set protocols static route 192.168.202.0/24 interface vti1
set system option kernel cpu disable-nmi-watchdog
set system option kernel cpu isolate-cpus '2-3'
set system option kernel cpu nohz-full '2-3'
set system option kernel cpu rcu-no-cbs '2-3'
set system option kernel disable-hpet
set system option kernel disable-mce
set system option kernel disable-power-saving
set system option kernel disable-softlockup
set system option kernel memory hugepage-size 2M hugepage-count '1536'
set system option reboot-on-upgrade-failure '5'
set vpn ipsec authentication psk psk1 id 'A'
set vpn ipsec authentication psk psk1 id 'B'
set vpn ipsec authentication psk psk1 secret 'AB'
set vpn ipsec esp-group esp1 mode 'tunnel'
set vpn ipsec esp-group esp1 pfs 'disable'
set vpn ipsec esp-group esp1 proposal 10 encryption 'aes256'
set vpn ipsec esp-group esp1 proposal 10 hash 'sha256'
set vpn ipsec ike-group ike1 close-action 'none'
set vpn ipsec ike-group ike1 dead-peer-detection action 'clear'
set vpn ipsec ike-group ike1 proposal 10 encryption 'camellia256ccm96'
set vpn ipsec ike-group ike1 proposal 10 hash 'sha256'
set vpn ipsec interface 'eth1'
set vpn ipsec site-to-site peer B authentication local-id 'A'
set vpn ipsec site-to-site peer B authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer B authentication remote-id 'B'
set vpn ipsec site-to-site peer B connection-type 'none'
set vpn ipsec site-to-site peer B default-esp-group 'esp1'
set vpn ipsec site-to-site peer B ike-group 'ike1'
set vpn ipsec site-to-site peer B local-address '192.168.99.1'
set vpn ipsec site-to-site peer B remote-address '192.168.99.3'
set vpn ipsec site-to-site peer B vti bind 'vti1'
set vpp settings buffers buffers-per-numa 'auto'
set vpp settings buffers data-size '1700'
set vpp settings buffers page-size '2M'
set vpp settings interface eth1 dpdk-options num-rx-desc '8192'
set vpp settings interface eth1 driver 'dpdk'
set vpp settings interface eth2 driver 'dpdk'
set vpp settings ipsec netlink rx-buffer-size '102400'
set vpp settings lcp ignore-kernel-routes
set vpp settings memory main-heap-page-size '2M'
set vpp settings memory main-heap-size '2G'
set vpp settings statseg page-size '2M'
set vpp settings statseg size '128M'
set vpp settings unix poll-sleep-usec '500'

With such a config, the current behaviour is:

  1. If route mode is enabled:
    • 192.168.102.2 -> 192.168.202.2: OK
    • 192.168.202.2 -> 192.168.102.2: OK
    • 192.168.102.2 -> 1.1.1.1: sent to the IPsec peer, because there is an active 0.0.0.0/0 FIB route in VPP.
  2. If route mode is disabled (not available via the CLI now; it has to be done manually in the VPP config or a template):
    • 192.168.102.2 -> 192.168.202.2: dropped, because there is no route to 192.168.202.2 in the VPP FIB
    • 192.168.202.2 -> 192.168.102.2: OK

Additional information

To solve the issue, it is suggested to implement one (or both) of the following configurable behaviors:

  • perform the FIB lookup for the peer address instead of the unencrypted packet's destination, to avoid encrypting when the peer is unroutable, and then encrypt (same order as now, but a different IP in the FIB lookup);
  • if a packet matches a policy/SA, encrypt it and only then perform the FIB lookup to forward the packet (swap the IPsec and FIB order).
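The following model is an added example; it is not VyOS or VPP code. It reproduces the forwarding decisions listed under "With such a config" for the two current behaviours (route mode on and off) and the two proposed options above, using the addresses from the example configuration. Everything else is assumed: the FIB holds only the connected routes (on the assumption that `lcp ignore-kernel-routes` keeps the static route via vti1 out of VPP), the SPD is a plain selector table with the 0.0.0.0/0 selectors from the use case, and the mode names ("route-mode", "no-route-mode", "peer-fib", "policy-first") are invented for the model. Each call returns the ordered processing steps, so the difference between option 1 (reachability check before encryption) and option 2 (encrypt, then FIB) is visible when the peer is unroutable.

```python
"""Forwarding-order model for the behaviours discussed in this request.

Added example, not VyOS/VPP code. Models a longest-prefix-match FIB, a
tunnel-mode SPD and one outbound packet, and returns the processing steps
taken in each of four modes (names are this model's own):

  route-mode     current behaviour with route mode: 0.0.0.0/0 via the peer
                 is installed, FIB lookup on the inner destination runs first
  no-route-mode  current behaviour without route mode: nothing is installed,
                 FIB lookup on the inner destination runs first
  peer-fib       proposed option 1: FIB lookup on the peer, then encrypt
  policy-first   proposed option 2: SPD/SA lookup, encrypt, then FIB lookup
"""
from ipaddress import ip_address, ip_network

PEER = ip_address("192.168.99.3")  # remote-address of peer B in the config

# Assumed VPP FIB: connected routes only ('lcp ignore-kernel-routes').
CONNECTED_FIB = [
    (ip_network("192.168.99.0/24"), "eth1"),
    (ip_network("192.168.102.0/24"), "eth2"),
]
# Route that route mode installs after ingesting a 0.0.0.0/0 selector.
ROUTE_MODE_DEFAULT = (ip_network("0.0.0.0/0"), "ipsec-peer")

# SPD entries: (src selector, dst selector, peer). SPD_ANY is the 0/0 pair
# from the use case; SPD_NARROW is a constructed selector for comparison.
SPD_ANY = [(ip_network("0.0.0.0/0"), ip_network("0.0.0.0/0"), PEER)]
SPD_NARROW = [(ip_network("0.0.0.0/0"), ip_network("192.168.202.0/24"), PEER)]


def fib_lookup(fib, addr):
    """Longest-prefix match; returns the next hop name or None if no route."""
    best = None
    for prefix, nexthop in fib:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, nexthop)
    return best[1] if best else None


def spd_lookup(spd, src, dst):
    """First matching tunnel-mode policy; returns the peer address or None."""
    for sel_src, sel_dst, peer in spd:
        if src in sel_src and dst in sel_dst:
            return peer
    return None


def forward(src, dst, mode, spd, fib=CONNECTED_FIB):
    """Return the ordered list of steps taken for one outbound packet."""
    src, dst = ip_address(src), ip_address(dst)
    steps = []

    def lookup(table, addr):
        nh = fib_lookup(table, addr)
        steps.append(f"fib({addr})={nh}")
        return nh

    def deliver(nh):
        steps.append(f"tx {nh}" if nh else "drop: no route")
        return steps

    if mode in ("route-mode", "no-route-mode"):
        table = fib + [ROUTE_MODE_DEFAULT] if mode == "route-mode" else fib
        nh = lookup(table, dst)
        if nh != "ipsec-peer":
            return deliver(nh)                 # plain forwarding, or no route
        peer = spd_lookup(spd, src, dst)       # routed into the tunnel
        steps.append(f"spd={peer}")
        if peer is None:
            steps.append("drop: no policy")
            return steps
        steps.append(f"encrypt to {peer}")
        return deliver(lookup(fib, peer))      # outer packet goes to the peer

    peer = spd_lookup(spd, src, dst)           # proposed modes: SPD first
    steps.append(f"spd={peer}")
    if peer is None:
        return deliver(lookup(fib, dst))       # unprotected: plain FIB lookup
    if mode == "peer-fib":                     # option 1: is the peer routable?
        nh = lookup(fib, peer)
        if nh is None:
            steps.append("drop: peer unroutable")
            return steps
        steps.append(f"encrypt to {peer}")
        return deliver(nh)
    if mode == "policy-first":                 # option 2: encrypt, then FIB
        steps.append(f"encrypt to {peer}")
        return deliver(lookup(fib, peer))
    raise ValueError(f"unknown mode {mode!r}")


if __name__ == "__main__":
    for mode in ("route-mode", "no-route-mode", "peer-fib", "policy-first"):
        for dst in ("192.168.202.2", "1.1.1.1"):
            print(f"{mode:14} 192.168.102.2 -> {dst}: "
                  + " | ".join(forward("192.168.102.2", dst, mode, SPD_ANY)))
```

Running it shows the two current-behaviour rows from the list above (route mode tunnels 1.1.1.1; without route mode 192.168.202.2 is dropped for lack of a route) and that both proposed modes deliver 192.168.202.2 with only the connected route to the peer. Passing a FIB without the eth1 route shows the ordering difference the first option is meant to capture: "peer-fib" drops before encrypting, "policy-first" encrypts and then drops. Note also that with the 0.0.0.0/0 selectors the SPD-first modes still match 1.1.1.1 and send it to the peer; only a narrower selector (SPD_NARROW here) leaves that traffic to the plain FIB, so the selectors, not just the lookup order, decide what enters the tunnel.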

Details

Version
-
Is it a breaking change?
Perfectly compatible
Issue type
Feature (new functionality)

Related Objects

Status | Subtype | Assigned | Task
Open | FEATURE REQUEST | None | 
Open | FEATURE REQUEST | denys.haryachyy | 