Difference between revisions of "VPP/IPSec and IKEv2"
(→SA key update) |
(→SA key update) |
||
Line 162: | Line 162: | ||
==== SA key update ==== | ==== SA key update ==== | ||
+ | The following example command shows the configuration sequence to update a Security Association (SA) keys: | ||
+ | |||
CLI commands | CLI commands | ||
<pre> | <pre> |
Revision as of 07:58, 30 September 2016
This page describes the support in the VPP platform for IPSec and IKEv2.
IPSec
Features
This implementation of support for IPSec in the VPP engine includes the following features:
- ESP - Encapsulating Security Payload protocol
- Tunnel mode - encapsulates the entire IP packet
- Transport mode - encapsulates IP payload
- IPv4 and IPv6
Supported cryptographic algorithms for authentication:
- sha1
- sha-256-96
- sha-256-128
- sha-384-192
- sha-512-256
Supported cryptographic algorithms for encryption:
- aes-cbc-128
- aes-cbc-192
- aes-cbc-256
Configuration
SPD creation
The following example command shows the configuration sequence to create a Security Policy Database (SPD):
CLI commands
ipsec spd add 1
VAT commands
ipsec_spd_add_del spd_id 1
Enable SPD on an interface
The following example command shows the configuration sequence to enable SPD on an interface:
CLI commands
set interface ipsec spd GigabitEthernet0/6/0 1
VAT commands
ipsec_interface_add_del_spd GigabitEthernet0/5/0 spd_id 1
SA creation
The following example command shows the configuration sequence to create a Security Association (SA) for Tunnel mode:
CLI commands
ipsec sa add 10 spi 1001 esp crypto-key 4a506a794f574265564551694d653768 crypto-alg aes-cbc-128 integ-key 4339314b55523947594d6d3547666b45764e6a58 integ-alg sha1-96 tunnel-src 192.168.100.3 tunnel-dst 192.168.100.2
VAT commands
ipsec_sad_add_del_entry esp sad_id 10 spi 1001 crypto_alg aes-cbc-128 crypto_key 4a506a794f574265564551694d653768 integ_alg sha1-96 integ_key 4339314b55523947594d6d3547666b45764e6a58 tunnel_src 192.168.100.3 tunnel_dst 192.168.100.2
The following example command shows the configuration sequence to create a SA for Transport mode:
CLI commands
ipsec sa add 10 spi 1001 esp crypto-key 4a506a794f574265564551694d653768 crypto-alg aes-cbc-128 integ-key 4339314b55523947594d6d3547666b45764e6a58 integ-alg sha1-96
VAT commands
ipsec_sad_add_del_entry esp sad_id 10 spi 1001 crypto_alg aes-cbc-128 crypto_key 4a506a794f574265564551694d653768 integ_alg sha1-96 integ_key 4339314b55523947594d6d3547666b45764e6a58
SPD entry creation
Parameters:
- spd <id> - SPD identifier
- priority - policy order in SPD, signed integer
- inbound|outbound - policy is for inbound or outbound traffic
- action bypass|discard|protect - policy action, protect action needs aditional parameter "sa <id>"
Traffic selectors (optional parameters):
- local-ip-range <start_ip_addr> - <end_ip_addr>
- remote-ip-range <start_ip_addr> - <end_ip_addr>
- protocol <n>
- local-port-range <start_port> - <end_port> (only for TCP/UDP protocol)
- remote-port-range <start_port> - <end_port> (only for TCP/UDP protocol)
The following example commands show the configuration sequence to create a SPD entry:
CLI commands
ipsec policy add spd 1 inbound priority 10 action protect sa 20 local-ip-range 192.168.4.4 - 192.168.4.4 remote-ip-range 192.168.3.3 - 192.168.3.3
VAT commands
ipsec_spd_add_del_entry spd_id 1 priority 10 inbound action protectsa_id 20 laddr_start 192.168.4.4 laddr_stop 192.168.4.4 raddr_start 192.168.3.3 raddr_stop 192.168.3.3
show ipsec
You can display IPSec SA a SPD using:
show ipsec sa 10 spi 1001 mode transport protocol esp crypto alg aes-cbc-128 key 4a506a794f574265564551694d653768 integrity alg sha1-96 key 4339314b55523947594d6d3547666b45764e6a58 sa 20 spi 1000 mode transport protocol esp crypto alg aes-cbc-128 key 4a506a794f574265564551694d653768 integrity alg sha1-96 key 4339314b55523947594d6d3547666b45764e6a58 spd 1 outbound policies priority 100 action bypass protocol IPSEC_ESP local addr range 0.0.0.0 - 255.255.255.255 port range 0 - 65535 remte addr range 0.0.0.0 - 255.255.255.255 port range 0 - 65535 packets 0 bytes 0 priority 100 action bypass protocol IPSEC_ESP local addr range 0.0.0.0 - 255.255.255.255 port range 0 - 65535 remte addr range 0.0.0.0 - 255.255.255.255 port range 0 - 65535 packets 0 bytes 0 priority 10 action protect protocol any sa 10 local addr range 192.168.100.3 - 192.168.100.3 port range 0 - 65535 remte addr range 192.168.100.2 - 192.168.100.2 port range 0 - 65535 packets 9 bytes 756 priority 100 action bypass protocol IPSEC_ESP local addr range :: - ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff port range 0 - 65535 remote addr range :: - ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff port range 0 - 65535 packets 0 bytes 0 priority 100 action bypass protocol IPSEC_ESP local addr range :: - ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff port range 0 - 65535 remote addr range :: - ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff port range 0 - 65535 packets 0 bytes 0 inbound policies priority 10 action protect protocol any sa 20 local addr range 192.168.100.3 - 192.168.100.3 port range 0 - 65535 remte addr range 192.168.100.2 - 192.168.100.2 port range 0 - 65535 packets 9 bytes 1224 priority 100 action bypass protocol IPSEC_ESP local addr range 0.0.0.0 - 255.255.255.255 port range 0 - 65535 remte addr range 0.0.0.0 - 255.255.255.255 port range 0 - 65535 packets 0 bytes 0 priority 100 action bypass protocol IPSEC_ESP local addr range 0.0.0.0 - 255.255.255.255 port range 0 - 65535 remte addr range 0.0.0.0 - 255.255.255.255 port range 0 - 65535 packets 0 bytes 0 priority 100 action bypass protocol IPSEC_ESP local addr range :: - ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff port range 0 - 65535 remote addr range :: - ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff port range 0 - 65535 packets 0 bytes 0 priority 100 action bypass protocol IPSEC_ESP local addr range :: - ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff port range 0 - 65535 remote addr range :: - ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff port range 0 - 65535 packets 0 bytes 0
SA key update
The following example command shows the configuration sequence to update a Security Association (SA) keys:
CLI commands
set ipsec sa 10 crypto-key 4a506a794f574265564551694d653768 integ-key 4339314b55523947594d6d3547666b45764e6a58
VAT commands
ipsec_sa_set_key sad_id 10 spi 1001 crypto_key 4a506a794f574265564551694d653768 integ_key 4339314b55523947594d6d3547666b45764e6a58
Example configuration
This section covers using manually-keyed IPSec connections between VPP and native IPSec stack in the 2.6 kernel series (Ubuntu 14.04) in ESP transport mode.
Prerequisite
Install ipsec-tools on Ubuntu:
$ sudo apt-get install ipsec-tools
Network Topology
+--------------------+ +-------------------------+ |Ubuntu | +------------+ | VPP| | eth3|---|IPSec tunnel|---|GigabitEthernet0/8/0 | | 192.168.100.2| +------------+ |192.168.100.3 | | | | | +--------------------+ +-------------------------+
VPP configuration
CLI commands
set int ip address GigabitEthernet0/8/0 192.168.100.3/24 set int state GigabitEthernet0/8/0 up set ip arp GigabitEthernet0/8/0 192.168.100.2 08:00:27:12:3c:cc ipsec sa add 10 spi 1001 esp crypto-alg aes-cbc-128 crypto-key 4a506a794f574265564551694d653768 integ-alg sha1-96 integ-key 4339314b55523947594d6d3547666b45764e6a58 ipsec sa add 20 spi 1000 esp crypto-alg aes-cbc-128 crypto-key 4a506a794f574265564551694d653768 integ-alg sha1-96 integ-key 4339314b55523947594d6d3547666b45764e6a58 ipsec spd add 1 set interface ipsec spd GigabitEthernet0/8/0 1 ipsec policy add spd 1 priority 100 inbound action bypass protocol 50 ipsec policy add spd 1 priority 100 outbound action bypass protocol 50 ipsec policy add spd 1 priority 10 inbound action protect sa 20 local-ip-range 192.168.100.3 - 192.168.100.3 remote-ip-range 192.168.100.2 - 192.168.100.2 ipsec policy add spd 1 priority 10 outbound action protect sa 10 local-ip-range 192.168.100.3 - 192.168.100.3 remote-ip-range 192.168.100.2 - 192.168.100.2
VAT commands
sw_interface_add_del_address sw_if_index 1 192.168.100.3/24 sw_interface_set_flags sw_if_index 1 admin-up ip_neighbor_add_del sw_if_index 1 dst 192.168.100.2 mac 08:00:27:12:3c:cc ipsec_sad_add_del_entry esp sad_id 10 spi 1001 crypto_alg aes-cbc-128 crypto_key 4a506a794f574265564551694d653768 integ_alg sha1-96 integ_key 4339314b55523947594d6d3547666b45764e6a58 ipsec_sad_add_del_entry esp sad_id 20 spi 1000 crypto_alg aes-cbc-128 crypto_key 4a506a794f574265564551694d653768 integ_alg sha1-96 integ_key 4339314b55523947594d6d3547666b45764e6a58 ipsec_spd_add_del spd_id 1 ipsec_interface_add_del_spd sw_if_index 1 spd_id 1 ipsec_spd_add_del_entry spd_id 1 priority 100 inbound action bypass protocol 50 ipsec_spd_add_del_entry spd_id 1 priority 100 outbound action bypass protocol 50 ipsec_spd_add_del_entry spd_id 1 priority 10 inbound action protectsa_id 20 laddr_start 192.168.100.3 laddr_stop 192.168.100.3 raddr_start 192.168.100.2 raddr_stop 192.168.100.2 ipsec_spd_add_del_entry spd_id 1 priority 10 outbound action protectsa_id 10 laddr_start 192.168.100.3 laddr_stop 192.168.100.3 raddr_start 192.168.100.2 raddr_stop 192.168.100.2
Ubuntu configuration
Edit /etc/ipsec-tools.conf file:
# Configuration for 192.168.100.2 # Flush the SAD and SPD flush; spdflush; # ESP SAs add 192.168.100.2 192.168.100.3 esp 0x000003e8 -E rijndael-cbc 0x4a506a794f574265564551694d653768 -A hmac-sha1 0x4339314b55523947594d6d3547666b45764e6a58; add 192.168.100.3 192.168.100.2 esp 0x000003e9 -E rijndael-cbc 0x4a506a794f574265564551694d653768 -A hmac-sha1 0x4339314b55523947594d6d3547666b45764e6a58; # Security policies spdadd 192.168.100.2 192.168.100.3 any -P out ipsec esp/transport//require; spdadd 192.168.100.3 192.168.100.2 any -P in ipsec esp/transport//require;
Set interface, static ARP and start IPSec:
$ sudo ifconfig eth3 192.168.100.2 netmask 255.255.255.0 up $ sudo arp -s 192.168.100.3 08:00:27:43:a9:5b $ sudo /etc/init.d/setkey start
Verification
ping output:
$ ping 192.168.100.3 -c 2 PING 192.168.100.3 (192.168.100.3) 56(84) bytes of data. 64 bytes from 192.168.100.3: icmp_seq=1 ttl=254 time=0.368 ms 64 bytes from 192.168.100.3: icmp_seq=2 ttl=254 time=0.284 ms --- 192.168.100.3 ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time 1000ms rtt min/avg/max/mdev = 0.284/0.326/0.368/0.042 ms
tcpdump output:
$ sudo tcpdump -vvn -i eth3 tcpdump: listening on eth3, link-type EN10MB (Ethernet), capture size 65535 bytes 04:12:02.197589 IP (tos 0x0, ttl 64, id 19395, offset 0, flags [DF], proto ESP (50), length 136) 192.168.100.2 > 192.168.100.3: ESP(spi=0x000003e8,seq=0x6), length 116 04:12:02.197939 IP (tos 0x0, ttl 254, id 0, offset 0, flags [none], proto ESP (50), length 136) 192.168.100.3 > 192.168.100.2: ESP(spi=0x000003e9,seq=0x6), length 116 04:12:03.198067 IP (tos 0x0, ttl 64, id 19641, offset 0, flags [DF], proto ESP (50), length 136) 192.168.100.2 > 192.168.100.3: ESP(spi=0x000003e8,seq=0x7), length 116 04:12:03.198325 IP (tos 0x0, ttl 254, id 0, offset 0, flags [none], proto ESP (50), length 136) 192.168.100.3 > 192.168.100.2: ESP(spi=0x000003e9,seq=0x7), length 116
VPP error counters:
vpp# show error Count Node Reason 2 ipsec-output IPSec policy protect 2 esp-decrypt ESP pkts received 2 esp-encrypt ESP pkts received 2 ipsec-input-ip4 IPSEC pkts received 2 ip4-icmp-input echo replies sent
IKEv2
VPP engine IKEv2 implmentation works only as responder.
Features
This implementation of support for IKEv2 in the VPP engine includes the following features:
Number | Name |
---|---|
34 | IKE SA init |
35 | IKE auth |
36 | Create child SA |
37 | Informational |
Number | Name |
---|---|
0 | No next payload |
33 | Security Association (SA) |
34 | Key Exchange (KE) |
35 | Identification - Initiator (IDi) |
36 | Identification - Responder (IDr) |
39 | Authentication (AUTH) |
40 | Nonce (Ni, Nr) |
41 | Notify (N) |
42 | Delete (D) |
43 | Vendor ID (V) |
44 | Traffic Selector - Initiator (TSi) |
45 | Traffic Selector - Responder (TSr) |
46 | Encrypted and Authenticated (SK) |
Number | Name |
---|---|
1 | Encryption Algorithm (ENCR) |
2 | Pseudo-random Function (PRF) |
3 | Integrity Algorithm (INTEG) |
4 | Diffie-Hellman Group (D-H) |
5 | Extended Sequence Numbers (ESN) |
Number | Name |
---|---|
12 | AES-CBC (128/192/256) |
Number | Name |
---|---|
1 | HMAC-SHA1 |
Number | Name |
---|---|
2 | HMAC-SHA1-96 |
Number | Name |
---|---|
1 | 768bit MODP |
2 | 1024bit MODP |
5 | 1536bit MODP |
14 | 2048bit MODP |
15 | 3072bit MODP |
16 | 4096bit MODP |
17 | 6144bit MODP |
18 | 8192bit MODP |
19 | 256bit random ECP |
20 | 384bit random ECP |
21 | 521bit random ECP |
22 | 1024bit MODP with 160bit prime order group |
23 | 2048bit MODP with 224bit prime order group |
24 | 2048bit MODP with 256bit prime order group |
25 | 192bit random ECP |
Number | Name |
---|---|
0 | No ESN |
1 | ESN |
Number | Name |
---|---|
1 | IPv4 address |
2 | FQDN |
3 | RFC822 |
11 | Key ID |
Number | Name |
---|---|
1 | RSA digital signature |
2 | Shared key message integrity code |
Number | Name |
---|---|
7 | IPv4 address range |
Number | Name |
---|---|
1 | IKE |
3 | ESP |
Configuration
Profile creation
The following example command shows the configuration sequence to create a IKEv2 profile:
CLI commands
ikev2 profile add profile1
VAT commands
ikev2_profile_add_del name profile1
Authentication
The following example command shows the configuration sequence to set a IKEv2 profile authentication shared-key-mic string format:
CLI commands
ikev2 profile set profile1 auth shared-key-mic string Vpp123
VAT commands
ikev2_profile_set_auth name profile1 auth_method shared-key-mic auth_data Vpp123
The following example command shows the configuration sequence to set a IKEv2 profile authentication shared-key-mic hex format:
CLI commands
ikev2 profile set profile1 auth shared-key-mic hex abcd1234
VAT commands
ikev2_profile_set_auth name profile1 auth_method shared-key-mic auth_data 0xabcd1234
The following example command shows the configuration sequence to set a IKEv2 profile authentication rsa-sig:
CLI commands
ikev2 profile set profile1 auth rsa-sig cert-file /home/localadmin/certs/server-cert.pem set ikev2 local key /home/localadmin/certs/client-key.pem
VAT commands
ikev2_profile_set_auth name profile1 auth_method rsa-sig auth_data /home/localadmin/certs/server-cert.pem ikev2_set_local_key file /home/localadmin/certs/client-key.pem
ID
The following example command shows the configuration sequence to set a IKEv2 profile remote ID IPv4 address:
CLI commands
ikev2 profile set profile1 id remote ip4-addr 192.168.123.20
VAT commands
ikev2_profile_set_id name profile1 id_type ip4-addr id_data 192.168.123.20 remote
The following example command shows the configuration sequence to set a IKEv2 profile local ID FQDN:
CLI commands
ikev2 profile set profile1 id local fqdn vpp.home
VAT commands
ikev2_profile_set_id name profile1 id_type fqdn id_data vpp.home local
The following example command shows the configuration sequence to set a IKEv2 profile local ID key-id:
CLI commands
ikev2 profile set profile1 id local key-id 0xabcd
VAT commands
ikev2_profile_set_id name profile2 id_type key-id id_data 0xabcd local
The following example command shows the configuration sequence to set a IKEv2 profile local ID rfc822 (email address):
CLI commands
ikev2 profile set profile1 id local rfc822 vpp@vvp.home
VAT commands
ikev2_profile_set_id name profile2 id_type rfc822 id_data vpp@vvp.home local
Traffic Selector
The following example command shows the configuration sequence to set a IKEv2 profile traffic selector:
CLI commands
ikev2 profile set profile1 traffic-selector local ip-range 192.168.124.0 - 192.168.124.255 port-range 0 - 65535 protocol 0 ikev2 profile set profile1 traffic-selector remote ip-range 192.168.125.0 - 192.168.125.255 port-range 0 - 65535 protocol 0
VAT commands
ikev2_profile_set_ts name profile1 protocol 0 start_port 0 end_port 65535 start_addr 192.168.124.0 end_addr 192.168.124.255 local ikev2_profile_set_ts name profile1 protocol 0 start_port 0 end_port 65535 start_addr 192.168.125.0 end_addr 192.168.125.255 remote
show ikev2 sa
You can display IKEv2 profiles using:
show ikev2 sa profile pr1 auth-method shared-key-mic auth data Vpp123 local id-type fqdn data vpp.home remote id-type fqdn data roadwarrior.vpn.example.com local traffic-selector addr 192.168.124.0 - 192.168.124.255 port 0 - 65535 protocol 0 remote traffic-selector addr 192.168.125.0 - 192.168.125.255 port 0 - 65535 protocol 0
Example configuration
This section covers IKEv2 connection between VPP and strongswan.
Prerequisite
Install strongswan on Ubuntu:
$ sudo apt-get install strongswan
VPP configuration
CLI commands
set int state GigabitEthernet0/8/0 up set int ip address GigabitEthernet0/8/0 192.168.100.3/24 ikev2 profile add pr1 ikev2 profile set pr1 auth shared-key-mic string Vpp123 ikev2 profile set pr1 id local fqdn vpp.home ikev2 profile set pr1 id remote fqdn roadwarrior.vpn.example.com ikev2 profile set pr1 traffic-selector local ip-range 192.168.124.0 - 192.168.124.255 port-range 0 - 65535 protocol 0 ikev2 profile set pr1 traffic-selector remote ip-range 192.168.125.0 - 192.168.125.255 port-range 0 - 65535 protocol 0
VAT commands
sw_interface_add_del_address sw_if_index 1 192.168.100.3/24 sw_interface_set_flags sw_if_index 1 admin-up ikev2_profile_add_del name pr1 ikev2_profile_set_auth name pr1 auth_method shared-key-mic auth_data Vpp123 ikev2_profile_set_id name pr1 id_type fqdn id_data vpp.home local ikev2_profile_set_id name pr1 id_type fqdn id_data roadwarrior.vpn.example.com remote ikev2_profile_set_ts name pr1 protocol 0 start_port 0 end_port 65535 start_addr 192.168.124.0 end_addr 192.168.124.255 local ikev2_profile_set_ts name pr1 protocol 0 start_port 0 end_port 65535 start_addr 192.168.125.0 end_addr 192.168.125.255 remote
Strongswan configuration
Set interface address:
$ sudo ifconfig eth3 192.168.100.2 netmask 255.255.255.0 up
Edit /etc/ipsec.conf file:
config setup strictcrlpolicy=no conn %default ike=aes256-sha1-modp2048! esp=aes192-sha1-esn! mobike=no keyexchange=ikev2 ikelifetime=24h lifetime=24h conn net-net right=192.168.100.3 rightsubnet=192.168.124.0/24 rightauth=psk rightid=@vpp.home left=192.168.100.2 leftsubnet=192.168.125.0/24 leftauth=psk leftid=@roadwarrior.vpn.example.com auto=start
Edit /etc/ipsec.secrets file:
: PSK "Vpp123"
Verification
Start strongswan:
$ sudo ipsec start
Show strongswan status:
$ sudo ipsec statusall Status of IKE charon daemon (strongSwan 5.1.2, Linux 3.16.0-30-generic, x86_64): uptime: 98 seconds, since Aug 01 05:49:29 2016 malloc: sbrk 2162688, mmap 0, used 343648, free 1819040 worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2 loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 rdrand random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default stroke updown eap-identity addrblock Listening IP addresses: 10.0.2.15 192.168.100.2 192.168.3.3 Connections: net-net: 192.168.100.2...192.168.100.3 IKEv2 net-net: local: [roadwarrior.vpn.example.com] uses pre-shared key authentication net-net: remote: [vpp.home] uses pre-shared key authentication net-net: child: 192.168.125.0/24 === 192.168.124.0/24 TUNNEL Security Associations (1 up, 0 connecting): net-net[1]: ESTABLISHED 98 seconds ago, 192.168.100.2[roadwarrior.vpn.example.com]...192.168.100.3[vpp.home] net-net[1]: IKEv2 SPIs: 0f67b83d6e53310a_i* b0bfbfe3b873c7af_r, pre-shared key reauthentication in 23 hours net-net[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048 net-net{1}: INSTALLED, TUNNEL, ESP SPIs: cbf74e7b_i 117dc2e1_o net-net{1}: AES_CBC_192/HMAC_SHA1_96/ESN, 0 bytes_i, 0 bytes_o, rekeying in 23 hours net-net{1}: 192.168.125.0/24 === 192.168.124.0/24
VPP IKEv2 status:
vpp# show ikev2 sa iip 192.168.100.2 ispi a31536e3db8670f rip 192.168.100.3 rspi afc773b8e3bfbfb0 encr:aes-cbc-256 prf:hmac-sha1 integ:sha1-96 dh-group:modp-2048 nonce i:91ce22374a5eb57903ce3c7accab6a697b7c77edabee71d0f8d4933fa5be36de r:78e83bf1889891d07e5aef522568f84d9ba2feee94f6a0c8e93c4c0b6cf3fdc7 SK_d 9e731d25b49d4586b9ee029040af1c53d3b0a463 SK_a i:a65a66517ba183e5afe10a3f437462033907fe81 r:a3ee4af9abb8ea87ebd2d36c9f92b56cae0adc51 SK_e i:245203c55c2c1d476e4977351ac5aacab995420bd4f4a5bae36530c0b481c2d5 r:8f4a1d4d50bb7152bad52f59719e3764d55d72aa9765f02f5496b115dc3bc7f1 SK_p i:3182ff3e52efaf3c951114b949d8751d491b0f09 r:431e2453cc8fe5accbbdd3efcb44642c961f60a8 identifier (i) fqdn roadwarrior.vpn.example.com identifier (r) fqdn vpp.home child sa 0: encr:aes-cbc-192 integ:sha1-96 esn:yes spi(i) cbf74e7b spi(r) 117dc2e1 SK_e i:5dad89b09ddcb6ef62b08e390c8cccec4fadbd81fdfee6df r:4ec5b4adb6a27ef95bd9281c4090c0a6a131f574d4ed3a9d SK_a i:45fa72c50b05517f744651b2e236e38651f54407 r:71e6dabf7d8325f3bae7e42ca40b4a491a2a1d84 traffic selectors (i): 0 type 7 protocol_id 0 addr 192.168.125.0 - 192.168.125.255 port 0 - 65535 traffic selectors (r): 0 type 7 protocol_id 0 addr 192.168.124.0 - 192.168.124.255 port 0 - 65535 iip 192.168.100.2 ispi a31536e3db8670f rip 192.168.100.3 rspi afc773b8e3bfbfb0
VPP create ipsec tunnel interface when IKEv2 connection is established and child SA created.
vpp# show interface Name Idx State Counter Count GigabitEthernet0/8/0 1 up rx packets 8 rx bytes 1318 tx packets 7 tx bytes 1098 drops 1 ip4 7 GigabitEthernet0/9/0 2 down ipsec0 3 down
You can see ipsec tunnel interface details:
vpp# show ipsec tunnel interfaces ipsec0 seq seq 1 seq-hi 0 esn 1 anti-replay 1 local-spi 3421982331 local-ip 192.168.100.3 local-crypto aes-cbc-192 4ec5b4adb6a27ef95bd9281c4090c0a6a131f574d4ed3a9d local-integrity sha1-96 71e6dabf7d8325f3bae7e42ca40b4a491a2a1d84 last-seq 0 last-seq-hi 0 esn 1 anti-replay 1 window 0000000000000000000000000000000000000000000000000000000000000000 remote-spi 293454561 remote-ip 192.168.100.2 remote-crypto aes-cbc-192 5dad89b09ddcb6ef62b08e390c8cccec4fadbd81fdfee6df remote-integrity sha1-96 45fa72c50b05517f744651b2e236e38651f54407