Currently, there are two conditions in the configuration templates:
- https://github.com/vyos/vyos-1x/blob/b1b4545cb7984cd3cdf42554ab2b28acd1ecb6cb/data/templates/vpp/startup.conf.j2#L195-L209
- https://github.com/vyos/vyos-1x/blob/b1b4545cb7984cd3cdf42554ab2b28acd1ecb6cb/data/templates/vpp/startup.conf.j2#L112-L116

The idea is to enable IPsec offload only if it is configured in the CLI. However, this does not work as intended because the `linux-cp` plugin copies SAs and policies from the kernel even if the feature is not configured. What actually happens is:
- Without the `enable-route-mode-ipsec` option in the config, `linux-cp` uses the default policy-based mode
- SAs and policies are installed into VPP
- Policy-based IPsec does not work, and traffic cannot pass through the router properly

We need to add an option to `linux-cp` that will allow us to enable or disable IPsec offload properly (probably by ignoring netlink XFRM messages).