OpenDataPlane / odp

The ODP project is an open-source, cross-platform set of application programming interfaces (APIs) for the networking data plane

Home Page: https://opendataplane.org

IPsec didn't work like explained in README

JGGoncalves opened this issue · comments

Hello everyone, I'm a newbie on ODP. I've found the ipsec program (in /examples/ipsec/ipsec) and read its README. After reading it a few times I created 3 containers on Docker and tried to follow the step by step. Now I have 3 VMs and 2 networks like in the README example, and I recreated the steps with my machine and networks, but it didn't work. I ran odp_ipsec in the middle of the 2 networks, and one IPsec configuration on one of my machines with setkey (ipsec-tools I guess). The odp_ipsec just runs the executable and exits the program, without anything explaining what to do, and the packets are sent like the ODP is disabled (if I disable the IPsec in the other machine). Can someone help me with that? Sorry about my English, thank you all.

Hi,

I took a quick look at the IPSec example code and found a simple bug. It should be fixed by this PR #984. Does this fix the problem you are seeing?

If you are still having problems please provide the output logs from the applications. Also, to minimize variables you could first try to run odp_ipsec_run_simple.sh test, which uses loopback interfaces and can be run on a single host.

Hello,
I've tested the patch, but still have the same problems,

My start command :

./odp_ipsec -i eth0,eth1 \
-r 172.18.0.2/16:eth0:02.42.ac.12.00.02 \
-r 172.19.0.3/16:eth1:02.42.ac.13.00.03 \
-p 172.18.0.0/16:172.19.0.0/16:out:both \
-e 172.18.0.2:172.19.0.3:3des:201:656c8523255ccc23a66c1917aa0cf30991fce83532a4b224 \
-a 172.18.0.2:172.19.0.3:md5:200:a731649644c5dee92cbd9c2e7e188ee6 \
-p 172.19.0.0/16:172.18.0.0/16:in:both \
-e 172.19.0.3:172.18.0.2:3des:301:c966199f24d095f3990a320d749056401e82b26570320292 \
-a 172.19.0.3:172.18.0.2:md5:300:27f6d123d7077b361662fc6e451f65d8 \
-c 2 -m 0

Here's my output:

Pool config:
  pool.local_cache_size: 256
  pool.burst_size: 32
  pool.pkt.max_num: 262143
  pool.pkt.base_align: 64
  pool.buf.min_align: 64

Queue config:
  queue_basic.max_queue_size: 8192
  queue_basic.default_queue_size: 4096

Using scheduler 'basic'
Scheduler config:
  sched_basic.prio_spread: 4
  sched_basic.prio_spread_weight: 63
  sched_basic.burst_size_default[] =  32  32  32  32  32  16   8   4
  sched_basic.burst_size_max[] =     255 255 255 255 255  16  16   8
  sched_basic.group_enable.all: 1
  sched_basic.group_enable.worker: 1
  sched_basic.group_enable.control: 1

Packet IO config:
  pktio.pktin_frame_offset: 0

PKTIO: initialized loop interface.
PKTIO: initialized null interface.
PKTIO: initialized socket mmap, use export ODP_PKTIO_DISABLE_SOCKET_MMAP=1 to disable.
PKTIO: initialized socket mmsg,use export ODP_PKTIO_DISABLE_SOCKET_MMSG=1 to disable.

Parsing command line options

ODP system info
---------------
ODP API version:  1.23.6
ODP impl name:    odp-linux
ODP impl details: odp-linux 1.23.6-0 (v1.23.6) 1.23.6.0
CPU model:        Intel(R) Core(TM)2 Duo CPU     T6600 
CPU freq (hz):    2200000000
Cache line size:  64
CPU count:        2
CPU mask:         0x3


CPU features supported:
SSE3 DTES64 MONITOR DS_CPL EIST TM2 SSSE3 CMPXCHG16B XTPR PDCM SSE4_1 XSAVE OSXSAVE FPU VME DE PSE TSC MSR PAE MCE CX8 APIC SEP MTRR PGE MCA CMOV PAT PSE36 CLFSH DS ACPI MMX FXSR SSE SSE2 SS HTT TM PBE DIGTEMP MPERF_APERF_MSR ACNT2 LAHF_SAHF SYSCALL XD EM64T 

CPU features NOT supported:
PCLMULQDQ VMX SMX CNXT_ID FMA PCID DCA SSE4_2 X2APIC MOVBE POPCNT TSC_DEADLINE AES AVX F16C RDRAND PSN TRBOBST ARAT PLN ECMD PTM ENERGY_EFF FSGSBASE BMI1 HLE AVX2 SMEP BMI2 ERMS INVPCID RTM AVX512F LZCNT 1GB_PG RDTSCP INVTSC 

Running ODP appl: "odp_ipsec"
-----------------
IF-count:        2
Using IFs:       eth0 eth1

Routing table
-------------
 172.019.000.003/16 eth1 02.42.AC.13.00.03
 172.018.000.002/16 eth0 02.42.AC.12.00.02

Security policy table
---------------------
 172.019.000.000/16 172.018.000.000/16 in esp:ah
 172.018.000.000/16 172.019.000.000/16 out esp:ah

Security association table
--------------------------
 ah  172.019.000.003 172.018.000.002 300 1 27F6D123D7077B361662FC6E451F65D8
 esp 172.019.000.003 172.018.000.002 301 2 C966199F24D095F3990A320D749056401E82B26570320292
 ah  172.018.000.002 172.019.000.003 200 1 A731649644C5DEE92CBD9C2E7E188EE6
 esp 172.018.000.002 172.019.000.003 201 2 656C8523255CCC23A66C1917AA0CF30991FCE83532A4B224

Tunnel table
--------------------------


num worker threads: 1
first CPU:          1
cpu mask:           0x2
Using SYNC mode for crypto API

Created pktio:01, queue mode (ATOMIC queues)
          default pktio01-INPUT queue:139989705487104
          source mac address 02.42.AC.12.00.03
Created pktio:02, queue mode (ATOMIC queues)
          default pktio02-INPUT queue:139989705487488
          source mac address 02.42.AC.13.00.02
Pktio thread [01] starts
Exit

And then it closes with no sign of running,
Thanks.

Hi @JGGoncalves,

Sorry for taking so long with this, I was on vacation. I found another problem in the example and after this fix the application should at least run properly. Does this fix the problem you are seeing?

Hello @MatiasElo,

The application doesn't close anymore, that's nice, but the IPsec doesn't work yet.

Hi @JGGoncalves,

I followed the instructions in the README file and the IPsec tunnel is working for me. I used VirtualBox VMs (internal networks used to connect the VMs). VM0 and VM1 were running Ubuntu 20.04 and VM2 Fedora 32. On VM2 I had to install the ipsec-tools package to get the setkey tool.

You have to be careful when configuring the interface MAC/IP addresses and adding the necessary route and ARP entries. Have you made sure the basic connectivity is working? E.g. you should be able to ping from VM0 to VM1 (both IPs) and from VM2 to VM1 (again both IPs) without the IPsec application.
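
A pre-flight check for the argument values in the odp_ipsec command posted earlier in this thread, as an added example that is not part of the issue or of ODP's own code. It assumes the field layouts visible in that command and that an SA serves a policy when its endpoints fall inside the policy's subnets; the keys are constructed placeholders.

```python
import ipaddress
import re

KEY_BYTES = {"3des": 24, "md5": 16}  # 3DES key and HMAC-MD5 key sizes in bytes
MAC_RE = re.compile(r"[0-9a-fA-F]{2}(\.[0-9a-fA-F]{2}){5}")  # dotted form used on this page

def check_args(interfaces, routes, policies, sas):
    """Return a list of problems in odp_ipsec-style argument values (empty if none)."""
    problems = []
    for r in routes:  # -r address/prefix:interface:next-hop MAC
        addr, ifname, mac = r.split(":")
        ipaddress.ip_interface(addr)  # raises ValueError if the address is malformed
        if ifname not in interfaces:
            problems.append(f"route {addr}: {ifname} is not in the -i list")
        if not MAC_RE.fullmatch(mac):
            problems.append(f"route {addr}: MAC {mac} is not six dot-separated hex bytes")
    parsed = []
    for proto, s in sas:  # -e (esp) / -a (ah): src:dst:algorithm:SPI:hex key
        src, dst, alg, spi, key = s.split(":")
        size = KEY_BYTES.get(alg)
        if size is None:
            problems.append(f"SA spi {spi}: algorithm {alg} not known to this checker")
        elif not re.fullmatch(r"[0-9a-fA-F]{%d}" % (2 * size), key):
            problems.append(f"SA spi {spi}: {alg} key must be {2 * size} hex digits")
        parsed.append((proto, ipaddress.ip_address(src), ipaddress.ip_address(dst)))
    for p in policies:  # -p source subnet:destination subnet:direction:protocols
        src_s, dst_s, direction, protos = p.split(":")
        src_net, dst_net = (ipaddress.ip_network(n, strict=False) for n in (src_s, dst_s))
        # The page only shows "both"; any other value is treated as one protocol name.
        needed = {"esp", "ah"} if protos == "both" else {protos}
        have = {pr for pr, s, d in parsed if s in src_net and d in dst_net}
        for missing in sorted(needed - have):
            problems.append(f"policy {src_net}->{dst_net} ({direction}): no {missing} SA")
    return problems

# Addresses and SPIs follow the command posted above; the keys are constructed placeholders.
GOOD = dict(
    interfaces=["eth0", "eth1"],
    routes=["172.18.0.2/16:eth0:02.42.ac.12.00.02", "172.19.0.3/16:eth1:02.42.ac.13.00.03"],
    policies=["172.18.0.0/16:172.19.0.0/16:out:both", "172.19.0.0/16:172.18.0.0/16:in:both"],
    sas=[("esp", "172.18.0.2:172.19.0.3:3des:201:" + "ab" * 24),
         ("ah", "172.18.0.2:172.19.0.3:md5:200:" + "cd" * 16),
         ("esp", "172.19.0.3:172.18.0.2:3des:301:" + "ef" * 24),
         ("ah", "172.19.0.3:172.18.0.2:md5:300:" + "12" * 16)],
)
# Constructed faulty variant: dash-separated MAC, short 3DES key, inbound AH SA missing.
BAD = dict(GOOD, routes=["172.18.0.2/16:eth0:02-42-ac-12-00-02", GOOD["routes"][1]],
           sas=[("esp", "172.18.0.2:172.19.0.3:3des:201:" + "ab" * 16)] + GOOD["sas"][1:3])
print(check_args(**GOOD), check_args(**BAD))
```

A clean result only means the arguments are internally consistent; it says nothing about connectivity between the hosts.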