Gitiles
Code Review Sign In
gerrit.nordix.org / fdio / vpp / 074f3970c6d68d30878e5a2a3a80904182f15e89 / . / docs / usecases / ikev2 / 2_vpp.rst
blob: 2c6fe6b88e4a7e1043233c3c535aedd88d33195d [file] [log] [blame]
Nathan Skrzypczak9ad39c02021-08-19 11:38:06 +0200[diff] [blame]1How to connect VPP instances using IKEv2
2========================================
3
4This section describes how to initiate IKEv2 session between two VPP
5instances using Linux veth interfaces and namespaces.
6
7Create veth interfaces and namespaces and configure it:
8
9::
10
11 sudo ip link add ifresp type veth peer name ifinit
12 sudo ip link set dev ifresp up
13 sudo ip link set dev ifinit up
14
15 sudo ip netns add clientns
16 sudo ip netns add serverns
17 sudo ip link add veth_client type veth peer name client
18 sudo ip link add veth_server type veth peer name server
19 sudo ip link set dev veth_client up netns clientns
20 sudo ip link set dev veth_server up netns serverns
21
22 sudo ip netns exec clientns \
23 bash -c "
24 ip link set dev lo up
25 ip addr add 192.168.5.2/24 dev veth_client
26 ip addr add fec5::2/16 dev veth_client
27 ip route add 192.168.3.0/24 via 192.168.5.1
28 ip route add fec3::0/16 via fec5::1
29 "
30
31 sudo ip netns exec serverns \
32 bash -c "
33 ip link set dev lo up
34 ip addr add 192.168.3.2/24 dev veth_server
35 ip addr add fec3::2/16 dev veth_server
36 ip route add 192.168.5.0/24 via 192.168.3.1
37 ip route add fec5::0/16 via fec3::1
38 "
39
40Run responder VPP:
41
42::
43
44 sudo /usr/bin/vpp unix { \
45 cli-listen /tmp/vpp_resp.sock \
46 gid $(id -g) } \
47 api-segment { prefix vpp } \
48 plugins { plugin dpdk_plugin.so { disable } }
49
50Configure the responder
51
52::
53
54 create host-interface name ifresp
55 set interface ip addr host-ifresp 192.168.10.2/24
56 set interface state host-ifresp up
57
58 create host-interface name server
59 set interface ip addr host-server 192.168.3.1/24
60 set interface state host-server up
61
62 ikev2 profile add pr1
63 ikev2 profile set pr1 auth shared-key-mic string Vpp123
64 ikev2 profile set pr1 id local ipv4 192.168.10.2
65 ikev2 profile set pr1 id remote ipv4 192.168.10.1
66
67 ikev2 profile set pr1 traffic-selector local ip-range 192.168.3.0 - 192.168.3.255 port-range 0 - 65535 protocol 0
68 ikev2 profile set pr1 traffic-selector remote ip-range 192.168.5.0 - 192.168.5.255 port-range 0 - 65535 protocol 0
69
70 create ipip tunnel src 192.168.10.2 dst 192.168.10.1
71 ikev2 profile set pr1 tunnel ipip0
72 ip route add 192.168.5.0/24 via 192.168.10.1 ipip0
73 set interface unnumbered ipip0 use host-ifresp
74
75Run initiator VPP:
76
77::
78
79 sudo /usr/bin/vpp unix { \
80 cli-listen /tmp/vpp_init.sock \
81 gid $(id -g) } \
82 api-segment { prefix vpp } \
83 plugins { plugin dpdk_plugin.so { disable } }
84
85Configure initiator:
86
87::
88
89 create host-interface name ifinit
90 set interface ip addr host-ifinit 192.168.10.1/24
91 set interface state host-ifinit up
92
93 create host-interface name client
94 set interface ip addr host-client 192.168.5.1/24
95 set interface state host-client up
96
97 ikev2 profile add pr1
98 ikev2 profile set pr1 auth shared-key-mic string Vpp123
99 ikev2 profile set pr1 id local ipv4 192.168.10.1
100 ikev2 profile set pr1 id remote ipv4 192.168.10.2
101
102 ikev2 profile set pr1 traffic-selector remote ip-range 192.168.3.0 - 192.168.3.255 port-range 0 - 65535 protocol 0
103 ikev2 profile set pr1 traffic-selector local ip-range 192.168.5.0 - 192.168.5.255 port-range 0 - 65535 protocol 0
104
105 ikev2 profile set pr1 responder host-ifinit 192.168.10.2
106 ikev2 profile set pr1 ike-crypto-alg aes-gcm-16 256 ike-dh modp-2048
107 ikev2 profile set pr1 esp-crypto-alg aes-gcm-16 256
108
109 create ipip tunnel src 192.168.10.1 dst 192.168.10.2
110 ikev2 profile set pr1 tunnel ipip0
111 ip route add 192.168.3.0/24 via 192.168.10.2 ipip0
112 set interface unnumbered ipip0 use host-ifinit
113
114Initiate the IKEv2 connection:
115
116::
117
118 vpp# ikev2 initiate sa-init pr1
119
120Responders and initiators private networks are now connected with
121IPSEC tunnel:
122
123::
124
125 $ sudo ip netns exec clientns ping 192.168.3.1
126 PING 192.168.3.1 (192.168.3.1) 56(84) bytes of data.
127 64 bytes from 192.168.3.1: icmp_seq=1 ttl=63 time=1.64 ms
128 64 bytes from 192.168.3.1: icmp_seq=2 ttl=63 time=7.24 ms