DPDK usage discussions
 help / color / mirror / Atom feed
From: "Das, Surajit" <Surajit.Das@commscope.com>
To: "users@dpdk.org" <users@dpdk.org>
Subject: [dpdk-users] ipsec-secgw sample app not seem to be able to decode ESP packets whose keys were generated by strongswan
Date: Mon, 5 Apr 2021 15:22:53 +0000
Message-ID: <DM6PR14MB3757CF17CF1243878A746445E9779@DM6PR14MB3757.namprd14.prod.outlook.com> (raw)

Hi,

I tried decoding ESP packets using ipsec-secgw.
Security association was done using strongswan.
Some issues I noticed was that the security key (aes) was 192 bit (not 128 of 256)
Similarly the authentication key (hmac sha) was 384 instead of 128 or 256.
Is this sample app capable of decrypting and authenticating ESP packets with such keys?

This is what SA looked like:

src 30.30.20.11 dst 30.30.30.10
        proto esp spi 0xcaa695f2 reqid 1 mode tunnel
        replay-window 32 flag af-unspec
        auth-trunc hmac(sha384) 0x55a470aaa48e5100494ce02cdbea1856436b8f88b9daf1072469dc5ab5ae6056be4eaa574254b1667b418e977c92ea74 192
        enc cbc(aes) 0x43ed51b8bf2ab8f3d9a7477e9c542dae7ab8fe2bf404a1ad
        anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000


This is the configuration I pushed to file for decoding:

#SP IPv4 rules
#Decryption rule
sp ipv4 in esp protect 3399914994 pri 3 dst 10.220.42.0/24 sport 0:65535 dport 0:65535

sa  in  3399914994 cipher_algo aes-256-cbc cipher_key  00:00:00:00:00:00:00:00:43:ED:51:B8:BF:2A:B8:F3:D9:A7:47:7E:9C:54:2D:AE:7A:B8:FE:2B:F4:04:A1:AD \
auth_algo null \
mode ipv4-tunnel src 30.30.20.11 dst 30.30.30.10 \
port_id 1 \
type no-offload \

#Routing rules
rt ipv4 dst 10.220.42.0/24 port 0
#Neighbour rule syntax
neigh port 0 f2:e0:f6:21:e0:70

Regards,
Surajit

                 reply	other threads:[~2021-04-05 15:22 UTC|newest]

Thread overview: [no followups] expand[flat|nested]  mbox.gz  Atom feed

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=DM6PR14MB3757CF17CF1243878A746445E9779@DM6PR14MB3757.namprd14.prod.outlook.com \
    --to=surajit.das@commscope.com \
    --cc=users@dpdk.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

DPDK usage discussions

This inbox may be cloned and mirrored by anyone:

	git clone --mirror https://inbox.dpdk.org/users/0 users/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 users users/ https://inbox.dpdk.org/users \
		users@dpdk.org
	public-inbox-index users

Example config snippet for mirrors.
Newsgroup available over NNTP:
	nntp://inbox.dpdk.org/inbox.dpdk.users


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git