1 How to connect VPP instances using IKEv2
2 ========================================
4 This section describes how to initiate IKEv2 session between two VPP
5 instances using Linux veth interfaces and namespaces.
7 Create veth interfaces and namespaces and configure it:
11 sudo ip link add ifresp type veth peer name ifinit
12 sudo ip link set dev ifresp up
13 sudo ip link set dev ifinit up
15 sudo ip netns add clientns
16 sudo ip netns add serverns
17 sudo ip link add veth_client type veth peer name client
18 sudo ip link add veth_server type veth peer name server
19 sudo ip link set dev veth_client up netns clientns
20 sudo ip link set dev veth_server up netns serverns
22 sudo ip netns exec clientns \
25 ip addr add 192.168.5.2/24 dev veth_client
26 ip addr add fec5::2/16 dev veth_client
27 ip route add 192.168.3.0/24 via 192.168.5.1
28 ip route add fec3::0/16 via fec5::1
31 sudo ip netns exec serverns \
34 ip addr add 192.168.3.2/24 dev veth_server
35 ip addr add fec3::2/16 dev veth_server
36 ip route add 192.168.5.0/24 via 192.168.3.1
37 ip route add fec5::0/16 via fec3::1
44 sudo /usr/bin/vpp unix { \
45 cli-listen /tmp/vpp_resp.sock \
47 api-segment { prefix vpp } \
48 plugins { plugin dpdk_plugin.so { disable } }
50 Configure the responder
54 create host-interface name ifresp
55 set interface ip addr host-ifresp 192.168.10.2/24
56 set interface state host-ifresp up
58 create host-interface name server
59 set interface ip addr host-server 192.168.3.1/24
60 set interface state host-server up
63 ikev2 profile set pr1 auth shared-key-mic string Vpp123
64 ikev2 profile set pr1 id local ipv4 192.168.10.2
65 ikev2 profile set pr1 id remote ipv4 192.168.10.1
67 ikev2 profile set pr1 traffic-selector local ip-range 192.168.3.0 - 192.168.3.255 port-range 0 - 65535 protocol 0
68 ikev2 profile set pr1 traffic-selector remote ip-range 192.168.5.0 - 192.168.5.255 port-range 0 - 65535 protocol 0
70 create ipip tunnel src 192.168.10.2 dst 192.168.10.1
71 ikev2 profile set pr1 tunnel ipip0
72 ip route add 192.168.5.0/24 via 192.168.10.1 ipip0
73 set interface unnumbered ipip0 use host-ifresp
79 sudo /usr/bin/vpp unix { \
80 cli-listen /tmp/vpp_init.sock \
82 api-segment { prefix vpp } \
83 plugins { plugin dpdk_plugin.so { disable } }
89 create host-interface name ifinit
90 set interface ip addr host-ifinit 192.168.10.1/24
91 set interface state host-ifinit up
93 create host-interface name client
94 set interface ip addr host-client 192.168.5.1/24
95 set interface state host-client up
98 ikev2 profile set pr1 auth shared-key-mic string Vpp123
99 ikev2 profile set pr1 id local ipv4 192.168.10.1
100 ikev2 profile set pr1 id remote ipv4 192.168.10.2
102 ikev2 profile set pr1 traffic-selector remote ip-range 192.168.3.0 - 192.168.3.255 port-range 0 - 65535 protocol 0
103 ikev2 profile set pr1 traffic-selector local ip-range 192.168.5.0 - 192.168.5.255 port-range 0 - 65535 protocol 0
105 ikev2 profile set pr1 responder host-ifinit 192.168.10.2
106 ikev2 profile set pr1 ike-crypto-alg aes-gcm-16 256 ike-dh modp-2048
107 ikev2 profile set pr1 esp-crypto-alg aes-gcm-16 256
109 create ipip tunnel src 192.168.10.1 dst 192.168.10.2
110 ikev2 profile set pr1 tunnel ipip0
111 ip route add 192.168.3.0/24 via 192.168.10.2 ipip0
112 set interface unnumbered ipip0 use host-ifinit
114 Initiate the IKEv2 connection:
118 vpp# ikev2 initiate sa-init pr1
120 Responder’s and initiator’s private networks are now connected with
125 $ sudo ip netns exec clientns ping 192.168.3.1
126 PING 192.168.3.1 (192.168.3.1) 56(84) bytes of data.
127 64 bytes from 192.168.3.1: icmp_seq=1 ttl=63 time=1.64 ms
128 64 bytes from 192.168.3.1: icmp_seq=2 ttl=63 time=7.24 ms
Code Review / vpp.git / blob