DPDK usage discussions
From: "Das, Surajit" <Surajit.Das@commscope.com>
To: "users@dpdk.org" <users@dpdk.org>
Subject: [dpdk-users] ipsec-secgw sample app not seem to be able to decode ESP packets whose keys were generated by strongswan
Date: Mon, 5 Apr 2021 15:22:53 +0000
Message-ID: <DM6PR14MB3757CF17CF1243878A746445E9779@DM6PR14MB3757.namprd14.prod.outlook.com>


I tried decoding ESP packets using ipsec-secgw.
Security association was done using strongswan.
Some issues I noticed were that the security key (aes) was 192 bit (not 128 or 256).
Similarly the authentication key (hmac sha) was 384 instead of 128 or 256.
Is this sample app capable of decrypting and authenticating ESP packets with such keys?

This is what SA looked like:

src dst
        proto esp spi 0xcaa695f2 reqid 1 mode tunnel
        replay-window 32 flag af-unspec
        auth-trunc hmac(sha384) 0x55a470aaa48e5100494ce02cdbea1856436b8f88b9daf1072469dc5ab5ae6056be4eaa574254b1667b418e977c92ea74 192
        enc cbc(aes) 0x43ed51b8bf2ab8f3d9a7477e9c542dae7ab8fe2bf404a1ad
        anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000

This is the configuration I pushed to file for decoding:

#SP IPv4 rules
#Decryption rule
sp ipv4 in esp protect 3399914994 pri 3 dst sport 0:65535 dport 0:65535

sa  in  3399914994 cipher_algo aes-256-cbc cipher_key  00:00:00:00:00:00:00:00:43:ED:51:B8:BF:2A:B8:F3:D9:A7:47:7E:9C:54:2D:AE:7A:B8:FE:2B:F4:04:A1:AD \
auth_algo null \
mode ipv4-tunnel src dst \
port_id 1 \
type no-offload \

#Routing rules
rt ipv4 dst port 0
#Neighbour rule syntax
neigh port 0 f2:e0:f6:21:e0:70
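
An added cross-check, not part of the original message and not DPDK or strongSwan code: it parses the `ip xfrm state` block and the `sa` rule quoted above and lists where the rule departs from the installed SA. The function names and the one-line, trimmed form of the `sa` rule are assumptions of this example.

```python
import re

# Both inputs are copied from the message above; the sa rule is trimmed to the fields compared.
XFRM_STATE = """\
proto esp spi 0xcaa695f2 reqid 1 mode tunnel
auth-trunc hmac(sha384) 0x55a470aaa48e5100494ce02cdbea1856436b8f88b9daf1072469dc5ab5ae6056be4eaa574254b1667b418e977c92ea74 192
enc cbc(aes) 0x43ed51b8bf2ab8f3d9a7477e9c542dae7ab8fe2bf404a1ad
"""
SECGW_SA = ("sa in 3399914994 cipher_algo aes-256-cbc cipher_key "
            "00:00:00:00:00:00:00:00:43:ED:51:B8:BF:2A:B8:F3:D9:A7:47:7E:9C:54:2D:AE:"
            "7A:B8:FE:2B:F4:04:A1:AD auth_algo null mode ipv4-tunnel")

def parse_xfrm(text):
    """Pull SPI, keys and ICV truncation out of `ip xfrm state` output."""
    sa = {"spi": int(re.search(r"\bspi (0x[0-9a-f]+)", text).group(1), 16)}
    enc = re.search(r"^\s*enc (\S+) 0x([0-9a-f]+)", text, re.M)
    sa["enc"], sa["enc_key"] = enc.group(1), bytes.fromhex(enc.group(2))
    auth = re.search(r"^\s*auth-trunc (\S+) 0x([0-9a-f]+) (\d+)", text, re.M)
    if auth:  # absent when the SA has no auth-trunc line
        sa.update(auth=auth.group(1), icv_bits=int(auth.group(3)), auth_key=bytes.fromhex(auth.group(2)))
    return sa

def parse_secgw(rule):
    """Read the fields of an ipsec-secgw `sa` rule that are compared below."""
    tok = rule.split()
    val = lambda key: tok[tok.index(key) + 1]
    return {"spi": int(tok[2]), "cipher_algo": val("cipher_algo"), "auth_algo": val("auth_algo"),
            "cipher_key": bytes.fromhex(val("cipher_key").replace(":", ""))}

def compare(xfrm, rule):
    """List where the hand-written rule departs from the negotiated SA."""
    issues = []
    if xfrm["spi"] != rule["spi"]:
        issues.append("spi mismatch")
    xk, rk = xfrm["enc_key"], rule["cipher_key"]
    pad = len(rk) - len(xk)
    if pad > 0 and rk[pad:] == xk and not any(rk[:pad]):
        issues.append(f"cipher_key: {len(xk) * 8}-bit key zero-padded to {len(rk) * 8} bits")
    elif rk != xk:
        issues.append("cipher_key differs")
    size = re.search(r"-(\d+)-", rule["cipher_algo"])
    if size and int(size.group(1)) != len(xk) * 8:
        issues.append(f"cipher_algo: {rule['cipher_algo']} but negotiated key is {len(xk) * 8} bits")
    if "auth" in xfrm and rule["auth_algo"] == "null":
        issues.append(f"auth_algo: null but the SA carries a {xfrm['icv_bits']}-bit {xfrm['auth']} ICV")
    return issues

if __name__ == "__main__":
    print("\n".join(compare(parse_xfrm(XFRM_STATE), parse_secgw(SECGW_SA))))
```

A 192-bit key left-padded with zeros to 256 bits is a different AES key, so the rule's cipher_key and cipher_algo no longer describe the SA that `ip xfrm state` shows.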

