
ipsec: T7242: Add a check for encryption algorithms that do not work with VPP #4389

Merged
merged 1 commit on Mar 13, 2025

Conversation

natali-rs1985
Contributor

Change summary

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Code style update (formatting, renaming)
  • Refactoring (no functional changes)
  • Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
  • Other (please describe):

Related Task(s)

Related PR(s)

How to test / Smoketest result

set interfaces ethernet eth0 address '192.0.2.1/30'
set interfaces ethernet eth1 address '203.0.113.1/30'
set system host-name 'vpp-left'
set vpn ipsec authentication psk PSK id '192.0.2.1'
set vpn ipsec authentication psk PSK id '192.0.2.2'
set vpn ipsec authentication psk PSK secret 'vyos-vpp'
set vpn ipsec esp-group ESP-group pfs 'enable'
set vpn ipsec esp-group ESP-group proposal 1 encryption 'aes128'
set vpn ipsec esp-group ESP-group proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-group key-exchange 'ikev2'
set vpn ipsec ike-group IKE-group proposal 1 dh-group '5'
set vpn ipsec ike-group IKE-group proposal 1 encryption 'aes128'
set vpn ipsec ike-group IKE-group proposal 1 hash 'sha1'
set vpn ipsec interface 'eth0'
set vpn ipsec site-to-site peer VPP authentication local-id '192.0.2.1'
set vpn ipsec site-to-site peer VPP authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer VPP authentication remote-id '192.0.2.2'
set vpn ipsec site-to-site peer VPP connection-type 'initiate'
set vpn ipsec site-to-site peer VPP ike-group 'IKE-group'
set vpn ipsec site-to-site peer VPP local-address '192.0.2.1'
set vpn ipsec site-to-site peer VPP remote-address '192.0.2.2'
set vpn ipsec site-to-site peer VPP tunnel 1 esp-group 'ESP-group'
set vpn ipsec site-to-site peer VPP tunnel 1 local prefix '203.0.113.0/30'
set vpn ipsec site-to-site peer VPP tunnel 1 remote prefix '203.0.113.100/30'
set vpp settings interface eth0 driver 'dpdk'
set vpp settings interface eth1 driver 'dpdk'
set vpp settings unix poll-sleep-usec '12'
set vpp settings ipsec

vyos@vyos# commit
[ vpn ipsec ]
Encryption algorithm blowfish128 cannot be used for ESP proposal 1 on
tunnel 1 for site-to-site peer VPP with VPP
[[vpn ipsec]] failed
Commit failed
[edit]
vyos@vyos# set vpn ipsec esp-group ESP-group proposal 1 encryption 'aes128'
[edit]
vyos@vyos# commit
[edit]
vyos@vyos# sudo vppctl show ipsec sa
[0] sa 3232599195 (0xc0ad8c9b) spi 3249491190 (0xc1af4cf6) protocol:esp flags:[anti-replay tunnel Protect inbound ]
[1] sa 3244965492 (0xc16a3e74) spi 3278438366 (0xc368ffde) protocol:esp flags:[tunnel Protect no-algo-no-drop ]
[edit]
vyos@vyos# sudo ip xfrm state
src 192.0.2.1 dst 192.0.2.2
        proto esp spi 0xc368ffde reqid 1 mode tunnel
        replay-window 0 flag af-unspec
        auth-trunc hmac(sha1) 0x7737b97161ce08968e00d93304042e7f060d0423 96
        enc cbc(aes) 0xd2160e64d0067ee99c3cefc4eef7d6c9
        anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 192.0.2.2 dst 192.0.2.1
        proto esp spi 0xc1af4cf6 reqid 1 mode tunnel
        replay-window 32 flag af-unspec
        auth-trunc hmac(sha1) 0xf372ad0cb917e84b97517b8d4367bc91076623a9 96
        enc cbc(aes) 0xb492b55990f9a271428c24081bb67c25
        anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000

Checklist:

  • I have read the CONTRIBUTING document
  • I have linked this PR to one or more Phabricator Task(s)
  • I have run the components SMOKETESTS if applicable
  • My commit headlines contain a valid Task id
  • My change requires a change to the documentation
  • I have updated the documentation accordingly
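Added example, not code from vyos-1x or from this PR: a small commit-time verifier in the spirit of the check the PR introduces, run over VyOS-style `set` lines like the ones in the test procedure above. Only two facts are taken from the page: `aes128` commits successfully with `vpp settings ipsec` enabled, and `blowfish128` is rejected with the error text shown in the commit output. The parser, the helper names (`parse_set_commands`, `verify_vpp_esp_encryption`, `check_commands`), the allow-list of VPP-compatible ciphers and the trimmed sample configuration are all assumptions made for this example.

```python
"""Added example (not vyos-1x or PR code): a commit-time check in the spirit of
the one this PR adds, applied to VyOS-style `set ...` lines.

Grounded by the page: 'aes128' is accepted with VPP, 'blowfish128' is rejected,
and the error message format. Everything else here is an assumption."""
import shlex
from typing import Any, Dict, List, Optional

# Assumption: illustrative allow-list for this example only. 'aes128' is the
# cipher the page shows working with VPP; the other AES entries are assumed.
VPP_SUPPORTED_ESP_ENCRYPTION = {'aes128', 'aes192', 'aes256'}

ConfigTree = Dict[str, Any]


def parse_set_commands(lines: List[str]) -> ConfigTree:
    """Turn `set a b 'c'` lines into a nested dict {a: {b: {c: {}}}}.

    Every token becomes a key, so a value is the single key under its parent
    node; valueless nodes such as `set vpp settings ipsec` end in {}.
    shlex strips the single quotes the VyOS CLI prints around values.
    """
    tree: ConfigTree = {}
    for line in lines:
        tokens = shlex.split(line)
        if len(tokens) < 2 or tokens[0] != 'set':
            continue  # ignore blank lines and anything that is not a set command
        node = tree
        for token in tokens[1:]:
            node = node.setdefault(token, {})
    return tree


def node_at(tree: ConfigTree, *path: str) -> ConfigTree:
    """Walk a key path; a missing node yields {} instead of a KeyError."""
    node = tree
    for key in path:
        node = node.get(key, {})
    return node


def leaf_value(node: ConfigTree) -> Optional[str]:
    """Single value stored under a leaf, e.g. {'aes128': {}} -> 'aes128'."""
    return next(iter(node), None)


def verify_vpp_esp_encryption(tree: ConfigTree) -> List[str]:
    """Return one error string per ESP proposal VPP cannot use.

    The message mirrors the PR's commit output. Only tunnel-level `esp-group`
    references are inspected (the only form the page shows). With
    `vpp settings ipsec` absent the check is a no-op: the kernel (xfrm)
    backend has no such restriction.
    """
    if 'ipsec' not in node_at(tree, 'vpp', 'settings'):
        return []
    errors: List[str] = []
    esp_groups = node_at(tree, 'vpn', 'ipsec', 'esp-group')
    peers = node_at(tree, 'vpn', 'ipsec', 'site-to-site', 'peer')
    for peer_name, peer in peers.items():
        for tunnel_id, tunnel in peer.get('tunnel', {}).items():
            group_name = leaf_value(tunnel.get('esp-group', {}))
            if group_name is None:
                continue  # no tunnel-level group; out of scope for this example
            proposals = esp_groups.get(group_name, {}).get('proposal', {})
            for proposal_id, proposal in proposals.items():
                cipher = leaf_value(proposal.get('encryption', {}))
                if cipher is not None and cipher not in VPP_SUPPORTED_ESP_ENCRYPTION:
                    errors.append(
                        f'Encryption algorithm {cipher} cannot be used for ESP proposal '
                        f'{proposal_id} on tunnel {tunnel_id} for site-to-site peer '
                        f'{peer_name} with VPP'
                    )
    return errors


# Constructed sample: the PR's test configuration trimmed to the relevant
# nodes, with the cipher that triggers the error in the PR's commit output.
FAILING_CONFIG = [
    "set vpn ipsec esp-group ESP-group pfs 'enable'",
    "set vpn ipsec esp-group ESP-group proposal 1 encryption 'blowfish128'",
    "set vpn ipsec esp-group ESP-group proposal 1 hash 'sha1'",
    "set vpn ipsec site-to-site peer VPP tunnel 1 esp-group 'ESP-group'",
    "set vpn ipsec site-to-site peer VPP tunnel 1 local prefix '203.0.113.0/30'",
    "set vpp settings interface eth0 driver 'dpdk'",
    "set vpp settings ipsec",
]

# The same configuration after the fix applied on the page (aes128).
FIXED_CONFIG = [line.replace("'blowfish128'", "'aes128'") for line in FAILING_CONFIG]


def check_commands(lines: List[str]) -> List[str]:
    """Parse, then verify, the way a commit-time verify() step would be invoked."""
    return verify_vpp_esp_encryption(parse_set_commands(lines))


if __name__ == '__main__':
    for name, cfg in (('failing', FAILING_CONFIG), ('fixed', FIXED_CONFIG)):
        errs = check_commands(cfg)
        print(f'{name}: {"OK" if not errs else "; ".join(errs)}')
```

Running the block prints one error for the blowfish128 configuration, worded as in the commit output above, and "OK" for the aes128 variant; dropping the `set vpp settings ipsec` line makes the check a no-op, which is the property a verifier like this needs so that kernel-backend IPsec configurations are not affected.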


github-actions bot commented Mar 13, 2025

👍
No issues in PR Title / Commit Title


CI integration 👍 passed!

Details

CI logs

  • CLI Smoketests (no interfaces) 👍 passed
  • CLI Smoketests (interfaces only) 👍 passed
  • Config tests 👍 passed
  • RAID1 tests 👍 passed
  • TPM tests 👍 passed

@dmbaturin changed the title from "ipsec: T7242: Add check for encryption algorithms that do not work with VPP" to "ipsec: T7242: Add a check for encryption algorithms that do not work with VPP" on Mar 13, 2025
@dmbaturin dmbaturin merged commit 42f33f0 into vyos:current Mar 13, 2025
16 of 17 checks passed
@vyosbot added the mirror-initiated ("This PR initiated for mirror sync workflow") and mirror-completed labels, then removed mirror-initiated, on Mar 13, 2025