Code Review / vpp.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | review | tree
raw | inline | side by side
vlib: improve code coverage in src/vlib
[vpp.git] / test / test_ipsec_tun_if_esp.py
diff --git a/test/test_ipsec_tun_if_esp.py b/test/test_ipsec_tun_if_esp.py
index 1b8aca9..dee4af4 100644 (file)
--- a/test/test_ipsec_tun_if_esp.py
+++ b/test/test_ipsec_tun_if_esp.py
@@ -2,13 +2,13 @@ import unittest
 import socket
 import copy
 
 import socket
 import copy
 
-from scapy.layers.ipsec import ESP
+from scapy.layers.ipsec import SecurityAssociation, ESP
 from scapy.layers.l2 import Ether, Raw, GRE
 from scapy.layers.inet import IP, UDP
 from scapy.layers.inet6 import IPv6
 from scapy.layers.l2 import Ether, Raw, GRE
 from scapy.layers.inet import IP, UDP
 from scapy.layers.inet6 import IPv6
-from framework import VppTestRunner, is_skip_aarch64_set, is_platform_aarch64
+from framework import VppTestRunner
 from template_ipsec import TemplateIpsec, IpsecTun4Tests, IpsecTun6Tests, \
 from template_ipsec import TemplateIpsec, IpsecTun4Tests, IpsecTun6Tests, \
-    IpsecTun4, IpsecTun6,  IpsecTcpTests,  config_tun_params
+    IpsecTun4, IpsecTun6,  IpsecTcpTests, mk_scapy_crypt_key
 from vpp_ipsec_tun_interface import VppIpsecTunInterface
 from vpp_gre_interface import VppGreInterface
 from vpp_ipip_tun_interface import VppIpIpTunInterface
 from vpp_ipsec_tun_interface import VppIpsecTunInterface
 from vpp_gre_interface import VppGreInterface
 from vpp_ipip_tun_interface import VppIpIpTunInterface
@@ -19,6 +19,33 @@ from util import ppp
 from vpp_papi import VppEnum
 
 
 from vpp_papi import VppEnum
 
 
+def config_tun_params(p, encryption_type, tun_if):
+    ip_class_by_addr_type = {socket.AF_INET: IP, socket.AF_INET6: IPv6}
+    use_esn = bool(p.flags & (VppEnum.vl_api_ipsec_sad_flags_t.
+                              IPSEC_API_SAD_FLAG_USE_ESN))
+    crypt_key = mk_scapy_crypt_key(p)
+    p.scapy_tun_sa = SecurityAssociation(
+        encryption_type, spi=p.vpp_tun_spi,
+        crypt_algo=p.crypt_algo,
+        crypt_key=crypt_key,
+        auth_algo=p.auth_algo, auth_key=p.auth_key,
+        tunnel_header=ip_class_by_addr_type[p.addr_type](
+            src=tun_if.remote_ip,
+            dst=tun_if.local_ip),
+        nat_t_header=p.nat_header,
+        use_esn=use_esn)
+    p.vpp_tun_sa = SecurityAssociation(
+        encryption_type, spi=p.scapy_tun_spi,
+        crypt_algo=p.crypt_algo,
+        crypt_key=crypt_key,
+        auth_algo=p.auth_algo, auth_key=p.auth_key,
+        tunnel_header=ip_class_by_addr_type[p.addr_type](
+            dst=tun_if.remote_ip,
+            src=tun_if.local_ip),
+        nat_t_header=p.nat_header,
+        use_esn=use_esn)
+
+
 class TemplateIpsec4TunIfEsp(TemplateIpsec):
     """ IPsec tunnel interface tests """
 
 class TemplateIpsec4TunIfEsp(TemplateIpsec):
     """ IPsec tunnel interface tests """
 
@@ -48,6 +75,7 @@ class TemplateIpsec4TunIfEsp(TemplateIpsec):
         p.tun_if.admin_up()
         p.tun_if.config_ip4()
         p.tun_if.config_ip6()
         p.tun_if.admin_up()
         p.tun_if.config_ip4()
         p.tun_if.config_ip6()
+        config_tun_params(p, self.encryption_type, p.tun_if)
 
         r = VppIpRoute(self, p.remote_tun_if_host, 32,
                        [VppRoutePath(p.tun_if.remote_ip4,
 
         r = VppIpRoute(self, p.remote_tun_if_host, 32,
                        [VppRoutePath(p.tun_if.remote_ip4,
@@ -63,20 +91,70 @@ class TemplateIpsec4TunIfEsp(TemplateIpsec):
         super(TemplateIpsec4TunIfEsp, self).tearDown()
 
 
         super(TemplateIpsec4TunIfEsp, self).tearDown()
 
 
+class TemplateIpsec4TunIfEspUdp(TemplateIpsec):
+    """ IPsec UDP tunnel interface tests """
+
+    tun4_encrypt_node_name = "esp4-encrypt-tun"
+    tun4_decrypt_node_name = "esp4-decrypt-tun"
+    encryption_type = ESP
+
+    @classmethod
+    def setUpClass(cls):
+        super(TemplateIpsec4TunIfEspUdp, cls).setUpClass()
+
+    @classmethod
+    def tearDownClass(cls):
+        super(TemplateIpsec4TunIfEspUdp, cls).tearDownClass()
+
+    def setUp(self):
+        super(TemplateIpsec4TunIfEspUdp, self).setUp()
+
+        self.tun_if = self.pg0
+
+        p = self.ipv4_params
+        p.flags = (VppEnum.vl_api_ipsec_sad_flags_t.
+                   IPSEC_API_SAD_FLAG_UDP_ENCAP)
+        p.nat_header = UDP(sport=5454, dport=4500)
+
+        p.tun_if = VppIpsecTunInterface(self, self.pg0, p.vpp_tun_spi,
+                                        p.scapy_tun_spi, p.crypt_algo_vpp_id,
+                                        p.crypt_key, p.crypt_key,
+                                        p.auth_algo_vpp_id, p.auth_key,
+                                        p.auth_key, udp_encap=True)
+        p.tun_if.add_vpp_config()
+        p.tun_if.admin_up()
+        p.tun_if.config_ip4()
+        p.tun_if.config_ip6()
+        config_tun_params(p, self.encryption_type, p.tun_if)
+
+        r = VppIpRoute(self, p.remote_tun_if_host, 32,
+                       [VppRoutePath(p.tun_if.remote_ip4,
+                                     0xffffffff)])
+        r.add_vpp_config()
+        r = VppIpRoute(self, p.remote_tun_if_host6, 128,
+                       [VppRoutePath(p.tun_if.remote_ip6,
+                                     0xffffffff,
+                                     proto=DpoProto.DPO_PROTO_IP6)])
+        r.add_vpp_config()
+
+    def tearDown(self):
+        super(TemplateIpsec4TunIfEspUdp, self).tearDown()
+
+
 class TestIpsec4TunIfEsp1(TemplateIpsec4TunIfEsp, IpsecTun4Tests):
     """ Ipsec ESP - TUN tests """
     tun4_encrypt_node_name = "esp4-encrypt-tun"
 class TestIpsec4TunIfEsp1(TemplateIpsec4TunIfEsp, IpsecTun4Tests):
     """ Ipsec ESP - TUN tests """
     tun4_encrypt_node_name = "esp4-encrypt-tun"
-    tun4_decrypt_node_name = "esp4-decrypt"
+    tun4_decrypt_node_name = "esp4-decrypt-tun"
 
     def test_tun_basic64(self):
         """ ipsec 6o4 tunnel basic test """
 
     def test_tun_basic64(self):
         """ ipsec 6o4 tunnel basic test """
-        self.tun4_encrypt_node_name = "esp6-encrypt-tun"
+        self.tun4_encrypt_node_name = "esp4-encrypt-tun"
 
         self.verify_tun_64(self.params[socket.AF_INET], count=1)
 
     def test_tun_burst64(self):
         """ ipsec 6o4 tunnel basic test """
 
         self.verify_tun_64(self.params[socket.AF_INET], count=1)
 
     def test_tun_burst64(self):
         """ ipsec 6o4 tunnel basic test """
-        self.tun4_encrypt_node_name = "esp6-encrypt-tun"
+        self.tun4_encrypt_node_name = "esp4-encrypt-tun"
 
         self.verify_tun_64(self.params[socket.AF_INET], count=257)
 
 
         self.verify_tun_64(self.params[socket.AF_INET], count=257)
 
@@ -94,6 +172,16 @@ class TestIpsec4TunIfEsp1(TemplateIpsec4TunIfEsp, IpsecTun4Tests):
                                        [9000, 0, 0, 0])
 
 
                                        [9000, 0, 0, 0])
 
 
+class TestIpsec4TunIfEspUdp(TemplateIpsec4TunIfEspUdp, IpsecTun4Tests):
+    """ Ipsec ESP UDP tests """
+
+    tun4_input_node = "ipsec4-tun-input"
+
+    def test_keepalive(self):
+        """ IPSEC NAT Keepalive """
+        self.verify_keepalive(self.ipv4_params)
+
+
 class TestIpsec4TunIfEsp2(TemplateIpsec4TunIfEsp, IpsecTcpTests):
     """ Ipsec ESP - TCP tests """
     pass
 class TestIpsec4TunIfEsp2(TemplateIpsec4TunIfEsp, IpsecTcpTests):
     """ Ipsec ESP - TCP tests """
     pass
@@ -110,23 +198,24 @@ class TemplateIpsec6TunIfEsp(TemplateIpsec):
         self.tun_if = self.pg0
 
         p = self.ipv6_params
         self.tun_if = self.pg0
 
         p = self.ipv6_params
-        tun_if = VppIpsecTunInterface(self, self.pg0, p.vpp_tun_spi,
-                                      p.scapy_tun_spi, p.crypt_algo_vpp_id,
-                                      p.crypt_key, p.crypt_key,
-                                      p.auth_algo_vpp_id, p.auth_key,
-                                      p.auth_key, is_ip6=True)
-        tun_if.add_vpp_config()
-        tun_if.admin_up()
-        tun_if.config_ip6()
-        tun_if.config_ip4()
+        p.tun_if = VppIpsecTunInterface(self, self.pg0, p.vpp_tun_spi,
+                                        p.scapy_tun_spi, p.crypt_algo_vpp_id,
+                                        p.crypt_key, p.crypt_key,
+                                        p.auth_algo_vpp_id, p.auth_key,
+                                        p.auth_key, is_ip6=True)
+        p.tun_if.add_vpp_config()
+        p.tun_if.admin_up()
+        p.tun_if.config_ip6()
+        p.tun_if.config_ip4()
+        config_tun_params(p, self.encryption_type, p.tun_if)
 
         r = VppIpRoute(self, p.remote_tun_if_host, 128,
 
         r = VppIpRoute(self, p.remote_tun_if_host, 128,
-                       [VppRoutePath(tun_if.remote_ip6,
+                       [VppRoutePath(p.tun_if.remote_ip6,
                                      0xffffffff,
                                      proto=DpoProto.DPO_PROTO_IP6)])
         r.add_vpp_config()
         r = VppIpRoute(self, p.remote_tun_if_host4, 32,
                                      0xffffffff,
                                      proto=DpoProto.DPO_PROTO_IP6)])
         r.add_vpp_config()
         r = VppIpRoute(self, p.remote_tun_if_host4, 32,
-                       [VppRoutePath(tun_if.remote_ip4,
+                       [VppRoutePath(p.tun_if.remote_ip4,
                                      0xffffffff)])
         r.add_vpp_config()
 
                                      0xffffffff)])
         r.add_vpp_config()
 
@@ -137,16 +226,16 @@ class TemplateIpsec6TunIfEsp(TemplateIpsec):
 class TestIpsec6TunIfEsp1(TemplateIpsec6TunIfEsp, IpsecTun6Tests):
     """ Ipsec ESP - TUN tests """
     tun6_encrypt_node_name = "esp6-encrypt-tun"
 class TestIpsec6TunIfEsp1(TemplateIpsec6TunIfEsp, IpsecTun6Tests):
     """ Ipsec ESP - TUN tests """
     tun6_encrypt_node_name = "esp6-encrypt-tun"
-    tun6_decrypt_node_name = "esp6-decrypt"
+    tun6_decrypt_node_name = "esp6-decrypt-tun"
 
     def test_tun_basic46(self):
         """ ipsec 4o6 tunnel basic test """
 
     def test_tun_basic46(self):
         """ ipsec 4o6 tunnel basic test """
-        self.tun6_encrypt_node_name = "esp4-encrypt-tun"
+        self.tun6_encrypt_node_name = "esp6-encrypt-tun"
         self.verify_tun_46(self.params[socket.AF_INET6], count=1)
 
     def test_tun_burst46(self):
         """ ipsec 4o6 tunnel burst test """
         self.verify_tun_46(self.params[socket.AF_INET6], count=1)
 
     def test_tun_burst46(self):
         """ ipsec 4o6 tunnel burst test """
-        self.tun6_encrypt_node_name = "esp4-encrypt-tun"
+        self.tun6_encrypt_node_name = "esp6-encrypt-tun"
         self.verify_tun_46(self.params[socket.AF_INET6], count=257)
 
 
         self.verify_tun_46(self.params[socket.AF_INET6], count=257)
 
 
@@ -155,7 +244,7 @@ class TestIpsec4MultiTunIfEsp(TemplateIpsec, IpsecTun4):
 
     encryption_type = ESP
     tun4_encrypt_node_name = "esp4-encrypt-tun"
 
     encryption_type = ESP
     tun4_encrypt_node_name = "esp4-encrypt-tun"
-    tun4_decrypt_node_name = "esp4-decrypt"
+    tun4_decrypt_node_name = "esp4-decrypt-tun"
 
     def setUp(self):
         super(TestIpsec4MultiTunIfEsp, self).setUp()
 
     def setUp(self):
         super(TestIpsec4MultiTunIfEsp, self).setUp()
@@ -163,6 +252,8 @@ class TestIpsec4MultiTunIfEsp(TemplateIpsec, IpsecTun4):
         self.tun_if = self.pg0
 
         self.multi_params = []
         self.tun_if = self.pg0
 
         self.multi_params = []
+        self.pg0.generate_remote_hosts(10)
+        self.pg0.configure_ipv4_neighbors()
 
         for ii in range(10):
             p = copy.copy(self.ipv4_params)
 
         for ii in range(10):
             p = copy.copy(self.ipv4_params)
@@ -178,18 +269,18 @@ class TestIpsec4MultiTunIfEsp(TemplateIpsec, IpsecTun4):
             p.vpp_tra_sa_id = p.vpp_tra_sa_id + ii
             p.vpp_tra_spi = p.vpp_tra_spi + ii
 
             p.vpp_tra_sa_id = p.vpp_tra_sa_id + ii
             p.vpp_tra_spi = p.vpp_tra_spi + ii
 
-            config_tun_params(p, self.encryption_type, self.tun_if)
-            self.multi_params.append(p)
-
             p.tun_if = VppIpsecTunInterface(self, self.pg0, p.vpp_tun_spi,
                                             p.scapy_tun_spi,
                                             p.crypt_algo_vpp_id,
                                             p.crypt_key, p.crypt_key,
                                             p.auth_algo_vpp_id, p.auth_key,
             p.tun_if = VppIpsecTunInterface(self, self.pg0, p.vpp_tun_spi,
                                             p.scapy_tun_spi,
                                             p.crypt_algo_vpp_id,
                                             p.crypt_key, p.crypt_key,
                                             p.auth_algo_vpp_id, p.auth_key,
-                                            p.auth_key)
+                                            p.auth_key,
+                                            dst=self.pg0.remote_hosts[ii].ip4)
             p.tun_if.add_vpp_config()
             p.tun_if.admin_up()
             p.tun_if.config_ip4()
             p.tun_if.add_vpp_config()
             p.tun_if.admin_up()
             p.tun_if.config_ip4()
+            config_tun_params(p, self.encryption_type, p.tun_if)
+            self.multi_params.append(p)
 
             VppIpRoute(self, p.remote_tun_if_host, 32,
                        [VppRoutePath(p.tun_if.remote_ip4,
 
             VppIpRoute(self, p.remote_tun_if_host, 32,
                        [VppRoutePath(p.tun_if.remote_ip4,
@@ -213,10 +304,9 @@ class TestIpsec4TunIfEspAll(TemplateIpsec, IpsecTun4):
 
     encryption_type = ESP
     tun4_encrypt_node_name = "esp4-encrypt-tun"
 
     encryption_type = ESP
     tun4_encrypt_node_name = "esp4-encrypt-tun"
-    tun4_decrypt_node_name = "esp4-decrypt"
+    tun4_decrypt_node_name = "esp4-decrypt-tun"
 
     def config_network(self, p):
 
     def config_network(self, p):
-        config_tun_params(p, self.encryption_type, self.tun_if)
 
         p.tun_if = VppIpsecTunInterface(self, self.pg0, p.vpp_tun_spi,
                                         p.scapy_tun_spi,
 
         p.tun_if = VppIpsecTunInterface(self, self.pg0, p.vpp_tun_spi,
                                         p.scapy_tun_spi,
@@ -228,6 +318,7 @@ class TestIpsec4TunIfEspAll(TemplateIpsec, IpsecTun4):
         p.tun_if.add_vpp_config()
         p.tun_if.admin_up()
         p.tun_if.config_ip4()
         p.tun_if.add_vpp_config()
         p.tun_if.admin_up()
         p.tun_if.config_ip4()
+        config_tun_params(p, self.encryption_type, p.tun_if)
         self.logger.info(self.vapi.cli("sh ipsec sa 0"))
         self.logger.info(self.vapi.cli("sh ipsec sa 1"))
 
         self.logger.info(self.vapi.cli("sh ipsec sa 0"))
         self.logger.info(self.vapi.cli("sh ipsec sa 1"))
 
@@ -253,7 +344,7 @@ class TestIpsec4TunIfEspAll(TemplateIpsec, IpsecTun4):
         #
         # change the key and the SPI
         #
         #
         # change the key and the SPI
         #
-        p.crypt_key = 'X' + p.crypt_key[1:]
+        p.crypt_key = b'X' + p.crypt_key[1:]
         p.scapy_tun_spi += 1
         p.scapy_tun_sa_id += 1
         p.vpp_tun_spi += 1
         p.scapy_tun_spi += 1
         p.scapy_tun_sa_id += 1
         p.vpp_tun_spi += 1
@@ -261,7 +352,7 @@ class TestIpsec4TunIfEspAll(TemplateIpsec, IpsecTun4):
         p.tun_if.local_spi = p.vpp_tun_spi
         p.tun_if.remote_spi = p.scapy_tun_spi
 
         p.tun_if.local_spi = p.vpp_tun_spi
         p.tun_if.remote_spi = p.scapy_tun_spi
 
-        config_tun_params(p, self.encryption_type, self.tun_if)
+        config_tun_params(p, self.encryption_type, p.tun_if)
 
         p.tun_sa_in = VppIpsecSA(self,
                                  p.scapy_tun_sa_id,
 
         p.tun_sa_in = VppIpsecSA(self,
                                  p.scapy_tun_sa_id,
@@ -271,8 +362,6 @@ class TestIpsec4TunIfEspAll(TemplateIpsec, IpsecTun4):
                                  p.crypt_algo_vpp_id,
                                  p.crypt_key,
                                  self.vpp_esp_protocol,
                                  p.crypt_algo_vpp_id,
                                  p.crypt_key,
                                  self.vpp_esp_protocol,
-                                 self.tun_if.local_addr[p.addr_type],
-                                 self.tun_if.remote_addr[p.addr_type],
                                  flags=p.flags,
                                  salt=p.salt)
         p.tun_sa_out = VppIpsecSA(self,
                                  flags=p.flags,
                                  salt=p.salt)
         p.tun_sa_out = VppIpsecSA(self,
@@ -283,8 +372,6 @@ class TestIpsec4TunIfEspAll(TemplateIpsec, IpsecTun4):
                                   p.crypt_algo_vpp_id,
                                   p.crypt_key,
                                   self.vpp_esp_protocol,
                                   p.crypt_algo_vpp_id,
                                   p.crypt_key,
                                   self.vpp_esp_protocol,
-                                  self.tun_if.remote_addr[p.addr_type],
-                                  self.tun_if.local_addr[p.addr_type],
                                   flags=p.flags,
                                   salt=p.salt)
         p.tun_sa_in.add_vpp_config()
                                   flags=p.flags,
                                   salt=p.salt)
         p.tun_sa_in.add_vpp_config()
@@ -311,7 +398,7 @@ class TestIpsec4TunIfEspAll(TemplateIpsec, IpsecTun4):
                                 IPSEC_API_INTEG_ALG_NONE),
                   'scapy-crypto': "AES-GCM",
                   'scapy-integ': "NULL",
                                 IPSEC_API_INTEG_ALG_NONE),
                   'scapy-crypto': "AES-GCM",
                   'scapy-integ': "NULL",
-                  'key': "JPjyOWBeVEQiMe7h",
+                  'key': b"JPjyOWBeVEQiMe7h",
                   'salt': 3333},
                  {'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
                                  IPSEC_API_CRYPTO_ALG_AES_GCM_192),
                   'salt': 3333},
                  {'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
                                  IPSEC_API_CRYPTO_ALG_AES_GCM_192),
@@ -319,7 +406,7 @@ class TestIpsec4TunIfEspAll(TemplateIpsec, IpsecTun4):
                                 IPSEC_API_INTEG_ALG_NONE),
                   'scapy-crypto': "AES-GCM",
                   'scapy-integ': "NULL",
                                 IPSEC_API_INTEG_ALG_NONE),
                   'scapy-crypto': "AES-GCM",
                   'scapy-integ': "NULL",
-                  'key': "JPjyOWBeVEQiMe7hJPjyOWBe",
+                  'key': b"JPjyOWBeVEQiMe7hJPjyOWBe",
                   'salt': 0},
                  {'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
                                  IPSEC_API_CRYPTO_ALG_AES_GCM_256),
                   'salt': 0},
                  {'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
                                  IPSEC_API_CRYPTO_ALG_AES_GCM_256),
@@ -327,7 +414,7 @@ class TestIpsec4TunIfEspAll(TemplateIpsec, IpsecTun4):
                                 IPSEC_API_INTEG_ALG_NONE),
                   'scapy-crypto': "AES-GCM",
                   'scapy-integ': "NULL",
                                 IPSEC_API_INTEG_ALG_NONE),
                   'scapy-crypto': "AES-GCM",
                   'scapy-integ': "NULL",
-                  'key': "JPjyOWBeVEQiMe7hJPjyOWBeVEQiMe7h",
+                  'key': b"JPjyOWBeVEQiMe7hJPjyOWBeVEQiMe7h",
                   'salt': 9999},
                  {'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
                                  IPSEC_API_CRYPTO_ALG_AES_CBC_128),
                   'salt': 9999},
                  {'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
                                  IPSEC_API_CRYPTO_ALG_AES_CBC_128),
@@ -336,7 +423,7 @@ class TestIpsec4TunIfEspAll(TemplateIpsec, IpsecTun4):
                   'scapy-crypto': "AES-CBC",
                   'scapy-integ': "HMAC-SHA1-96",
                   'salt': 0,
                   'scapy-crypto': "AES-CBC",
                   'scapy-integ': "HMAC-SHA1-96",
                   'salt': 0,
-                  'key': "JPjyOWBeVEQiMe7h"},
+                  'key': b"JPjyOWBeVEQiMe7h"},
                  {'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
                                  IPSEC_API_CRYPTO_ALG_AES_CBC_192),
                   'vpp-integ': (VppEnum.vl_api_ipsec_integ_alg_t.
                  {'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
                                  IPSEC_API_CRYPTO_ALG_AES_CBC_192),
                   'vpp-integ': (VppEnum.vl_api_ipsec_integ_alg_t.
@@ -344,7 +431,7 @@ class TestIpsec4TunIfEspAll(TemplateIpsec, IpsecTun4):
                   'scapy-crypto': "AES-CBC",
                   'scapy-integ': "HMAC-SHA1-96",
                   'salt': 0,
                   'scapy-crypto': "AES-CBC",
                   'scapy-integ': "HMAC-SHA1-96",
                   'salt': 0,
-                  'key': "JPjyOWBeVEQiMe7hJPjyOWBe"},
+                  'key': b"JPjyOWBeVEQiMe7hJPjyOWBe"},
                  {'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
                                  IPSEC_API_CRYPTO_ALG_AES_CBC_256),
                   'vpp-integ': (VppEnum.vl_api_ipsec_integ_alg_t.
                  {'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
                                  IPSEC_API_CRYPTO_ALG_AES_CBC_256),
                   'vpp-integ': (VppEnum.vl_api_ipsec_integ_alg_t.
@@ -352,7 +439,15 @@ class TestIpsec4TunIfEspAll(TemplateIpsec, IpsecTun4):
                   'scapy-crypto': "AES-CBC",
                   'scapy-integ': "HMAC-SHA1-96",
                   'salt': 0,
                   'scapy-crypto': "AES-CBC",
                   'scapy-integ': "HMAC-SHA1-96",
                   'salt': 0,
-                  'key': "JPjyOWBeVEQiMe7hJPjyOWBeVEQiMe7h"}]
+                  'key': b"JPjyOWBeVEQiMe7hJPjyOWBeVEQiMe7h"},
+                 {'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
+                                 IPSEC_API_CRYPTO_ALG_NONE),
+                  'vpp-integ': (VppEnum.vl_api_ipsec_integ_alg_t.
+                                IPSEC_API_INTEG_ALG_SHA1_96),
+                  'scapy-crypto': "NULL",
+                  'scapy-integ': "HMAC-SHA1-96",
+                  'salt': 0,
+                  'key': b"JPjyOWBeVEQiMe7hJPjyOWBeVEQiMe7h"}]
 
         for engine in engines:
             self.vapi.cli("set crypto handler all %s" % engine)
 
         for engine in engines:
             self.vapi.cli("set crypto handler all %s" % engine)
@@ -395,7 +490,7 @@ class TestIpsec6MultiTunIfEsp(TemplateIpsec, IpsecTun6):
 
     encryption_type = ESP
     tun6_encrypt_node_name = "esp6-encrypt-tun"
 
     encryption_type = ESP
     tun6_encrypt_node_name = "esp6-encrypt-tun"
-    tun6_decrypt_node_name = "esp6-decrypt"
+    tun6_decrypt_node_name = "esp6-decrypt-tun"
 
     def setUp(self):
         super(TestIpsec6MultiTunIfEsp, self).setUp()
 
     def setUp(self):
         super(TestIpsec6MultiTunIfEsp, self).setUp()
@@ -403,6 +498,8 @@ class TestIpsec6MultiTunIfEsp(TemplateIpsec, IpsecTun6):
         self.tun_if = self.pg0
 
         self.multi_params = []
         self.tun_if = self.pg0
 
         self.multi_params = []
+        self.pg0.generate_remote_hosts(10)
+        self.pg0.configure_ipv6_neighbors()
 
         for ii in range(10):
             p = copy.copy(self.ipv6_params)
 
         for ii in range(10):
             p = copy.copy(self.ipv6_params)
@@ -418,18 +515,18 @@ class TestIpsec6MultiTunIfEsp(TemplateIpsec, IpsecTun6):
             p.vpp_tra_sa_id = p.vpp_tra_sa_id + ii
             p.vpp_tra_spi = p.vpp_tra_spi + ii
 
             p.vpp_tra_sa_id = p.vpp_tra_sa_id + ii
             p.vpp_tra_spi = p.vpp_tra_spi + ii
 
-            config_tun_params(p, self.encryption_type, self.tun_if)
-            self.multi_params.append(p)
-
             p.tun_if = VppIpsecTunInterface(self, self.pg0, p.vpp_tun_spi,
                                             p.scapy_tun_spi,
                                             p.crypt_algo_vpp_id,
                                             p.crypt_key, p.crypt_key,
                                             p.auth_algo_vpp_id, p.auth_key,
             p.tun_if = VppIpsecTunInterface(self, self.pg0, p.vpp_tun_spi,
                                             p.scapy_tun_spi,
                                             p.crypt_algo_vpp_id,
                                             p.crypt_key, p.crypt_key,
                                             p.auth_algo_vpp_id, p.auth_key,
-                                            p.auth_key, is_ip6=True)
+                                            p.auth_key, is_ip6=True,
+                                            dst=self.pg0.remote_hosts[ii].ip6)
             p.tun_if.add_vpp_config()
             p.tun_if.admin_up()
             p.tun_if.config_ip6()
             p.tun_if.add_vpp_config()
             p.tun_if.admin_up()
             p.tun_if.config_ip6()
+            config_tun_params(p, self.encryption_type, p.tun_if)
+            self.multi_params.append(p)
 
             r = VppIpRoute(self, p.remote_tun_if_host, 128,
                            [VppRoutePath(p.tun_if.remote_ip6,
 
             r = VppIpRoute(self, p.remote_tun_if_host, 128,
                            [VppRoutePath(p.tun_if.remote_ip6,
@@ -450,8 +547,6 @@ class TestIpsec6MultiTunIfEsp(TemplateIpsec, IpsecTun6):
             self.assertEqual(c['packets'], 127)
 
 
             self.assertEqual(c['packets'], 127)
 
 
-@unittest.skipIf(is_skip_aarch64_set and is_platform_aarch64,
-                 "test doesn't work on aarch64")
 class TestIpsecGreTebIfEsp(TemplateIpsec,
                            IpsecTun4Tests):
     """ Ipsec GRE TEB ESP - TUN tests """
 class TestIpsecGreTebIfEsp(TemplateIpsec,
                            IpsecTun4Tests):
     """ Ipsec GRE TEB ESP - TUN tests """
@@ -469,7 +564,7 @@ class TestIpsecGreTebIfEsp(TemplateIpsec,
                            Ether(dst=self.omac) /
                            IP(src="1.1.1.1", dst="1.1.1.2") /
                            UDP(sport=1144, dport=2233) /
                            Ether(dst=self.omac) /
                            IP(src="1.1.1.1", dst="1.1.1.2") /
                            UDP(sport=1144, dport=2233) /
-                           Raw('X' * payload_size))
+                           Raw(b'X' * payload_size))
                 for i in range(count)]
 
     def gen_pkts(self, sw_intf, src, dst, count=1,
                 for i in range(count)]
 
     def gen_pkts(self, sw_intf, src, dst, count=1,
@@ -477,7 +572,7 @@ class TestIpsecGreTebIfEsp(TemplateIpsec,
         return [Ether(dst=self.omac) /
                 IP(src="1.1.1.1", dst="1.1.1.2") /
                 UDP(sport=1144, dport=2233) /
         return [Ether(dst=self.omac) /
                 IP(src="1.1.1.1", dst="1.1.1.2") /
                 UDP(sport=1144, dport=2233) /
-                Raw('X' * payload_size)
+                Raw(b'X' * payload_size)
                 for i in range(count)]
 
     def verify_decrypted(self, p, rxs):
                 for i in range(count)]
 
     def verify_decrypted(self, p, rxs):
@@ -532,30 +627,32 @@ class TestIpsecGreTebIfEsp(TemplateIpsec,
                                  self.pg0.local_ip4)
         p.tun_sa_in.add_vpp_config()
 
                                  self.pg0.local_ip4)
         p.tun_sa_in.add_vpp_config()
 
-        self.tun = VppGreInterface(self,
+        p.tun_if = VppGreInterface(self,
                                    self.pg0.local_ip4,
                                    self.pg0.remote_ip4,
                                    type=(VppEnum.vl_api_gre_tunnel_type_t.
                                          GRE_API_TUNNEL_TYPE_TEB))
                                    self.pg0.local_ip4,
                                    self.pg0.remote_ip4,
                                    type=(VppEnum.vl_api_gre_tunnel_type_t.
                                          GRE_API_TUNNEL_TYPE_TEB))
-        self.tun.add_vpp_config()
+        p.tun_if.add_vpp_config()
 
         p.tun_protect = VppIpsecTunProtect(self,
 
         p.tun_protect = VppIpsecTunProtect(self,
-                                           self.tun,
+                                           p.tun_if,
                                            p.tun_sa_out,
                                            [p.tun_sa_in])
 
         p.tun_protect.add_vpp_config()
 
                                            p.tun_sa_out,
                                            [p.tun_sa_in])
 
         p.tun_protect.add_vpp_config()
 
-        self.tun.admin_up()
-        self.tun.config_ip4()
+        p.tun_if.admin_up()
+        p.tun_if.config_ip4()
+        config_tun_params(p, self.encryption_type, p.tun_if)
 
 
-        VppBridgeDomainPort(self, bd1, self.tun).add_vpp_config()
+        VppBridgeDomainPort(self, bd1, p.tun_if).add_vpp_config()
         VppBridgeDomainPort(self, bd1, self.pg1).add_vpp_config()
 
         self.vapi.cli("clear ipsec sa")
 
     def tearDown(self):
         VppBridgeDomainPort(self, bd1, self.pg1).add_vpp_config()
 
         self.vapi.cli("clear ipsec sa")
 
     def tearDown(self):
-        self.tun.unconfig_ip4()
+        p = self.ipv4_params
+        p.tun_if.unconfig_ip4()
         super(TestIpsecGreTebIfEsp, self).tearDown()
 
 
         super(TestIpsecGreTebIfEsp, self).tearDown()
 
 
@@ -575,7 +672,7 @@ class TestIpsecGreIfEsp(TemplateIpsec,
                            IP(src=self.pg1.local_ip4,
                               dst=self.pg1.remote_ip4) /
                            UDP(sport=1144, dport=2233) /
                            IP(src=self.pg1.local_ip4,
                               dst=self.pg1.remote_ip4) /
                            UDP(sport=1144, dport=2233) /
-                           Raw('X' * payload_size))
+                           Raw(b'X' * payload_size))
                 for i in range(count)]
 
     def gen_pkts(self, sw_intf, src, dst, count=1,
                 for i in range(count)]
 
     def gen_pkts(self, sw_intf, src, dst, count=1,
@@ -583,7 +680,7 @@ class TestIpsecGreIfEsp(TemplateIpsec,
         return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
                 IP(src="1.1.1.1", dst="1.1.1.2") /
                 UDP(sport=1144, dport=2233) /
         return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
                 IP(src="1.1.1.1", dst="1.1.1.2") /
                 UDP(sport=1144, dport=2233) /
-                Raw('X' * payload_size)
+                Raw(b'X' * payload_size)
                 for i in range(count)]
 
     def verify_decrypted(self, p, rxs):
                 for i in range(count)]
 
     def verify_decrypted(self, p, rxs):
@@ -637,56 +734,66 @@ class TestIpsecGreIfEsp(TemplateIpsec,
                                  self.pg0.local_ip4)
         p.tun_sa_in.add_vpp_config()
 
                                  self.pg0.local_ip4)
         p.tun_sa_in.add_vpp_config()
 
-        self.tun = VppGreInterface(self,
+        p.tun_if = VppGreInterface(self,
                                    self.pg0.local_ip4,
                                    self.pg0.remote_ip4)
                                    self.pg0.local_ip4,
                                    self.pg0.remote_ip4)
-        self.tun.add_vpp_config()
+        p.tun_if.add_vpp_config()
 
         p.tun_protect = VppIpsecTunProtect(self,
 
         p.tun_protect = VppIpsecTunProtect(self,
-                                           self.tun,
+                                           p.tun_if,
                                            p.tun_sa_out,
                                            [p.tun_sa_in])
         p.tun_protect.add_vpp_config()
 
                                            p.tun_sa_out,
                                            [p.tun_sa_in])
         p.tun_protect.add_vpp_config()
 
-        self.tun.admin_up()
-        self.tun.config_ip4()
+        p.tun_if.admin_up()
+        p.tun_if.config_ip4()
+        config_tun_params(p, self.encryption_type, p.tun_if)
 
         VppIpRoute(self, "1.1.1.2", 32,
 
         VppIpRoute(self, "1.1.1.2", 32,
-                   [VppRoutePath(self.tun.remote_ip4,
+                   [VppRoutePath(p.tun_if.remote_ip4,
                                  0xffffffff)]).add_vpp_config()
 
     def tearDown(self):
                                  0xffffffff)]).add_vpp_config()
 
     def tearDown(self):
-        self.tun.unconfig_ip4()
+        p = self.ipv4_params
+        p.tun_if.unconfig_ip4()
         super(TestIpsecGreIfEsp, self).tearDown()
 
 
 class TemplateIpsec4TunProtect(object):
     """ IPsec IPv4 Tunnel protect """
 
         super(TestIpsecGreIfEsp, self).tearDown()
 
 
 class TemplateIpsec4TunProtect(object):
     """ IPsec IPv4 Tunnel protect """
 
+    encryption_type = ESP
+    tun4_encrypt_node_name = "esp4-encrypt-tun"
+    tun4_decrypt_node_name = "esp4-decrypt-tun"
+    tun4_input_node = "ipsec4-tun-input"
+
     def config_sa_tra(self, p):
     def config_sa_tra(self, p):
-        config_tun_params(p, self.encryption_type, self.tun_if)
+        config_tun_params(p, self.encryption_type, p.tun_if)
 
         p.tun_sa_out = VppIpsecSA(self, p.scapy_tun_sa_id, p.scapy_tun_spi,
                                   p.auth_algo_vpp_id, p.auth_key,
                                   p.crypt_algo_vpp_id, p.crypt_key,
 
         p.tun_sa_out = VppIpsecSA(self, p.scapy_tun_sa_id, p.scapy_tun_spi,
                                   p.auth_algo_vpp_id, p.auth_key,
                                   p.crypt_algo_vpp_id, p.crypt_key,
-                                  self.vpp_esp_protocol)
+                                  self.vpp_esp_protocol,
+                                  flags=p.flags)
         p.tun_sa_out.add_vpp_config()
 
         p.tun_sa_in = VppIpsecSA(self, p.vpp_tun_sa_id, p.vpp_tun_spi,
                                  p.auth_algo_vpp_id, p.auth_key,
                                  p.crypt_algo_vpp_id, p.crypt_key,
         p.tun_sa_out.add_vpp_config()
 
         p.tun_sa_in = VppIpsecSA(self, p.vpp_tun_sa_id, p.vpp_tun_spi,
                                  p.auth_algo_vpp_id, p.auth_key,
                                  p.crypt_algo_vpp_id, p.crypt_key,
-                                 self.vpp_esp_protocol)
+                                 self.vpp_esp_protocol,
+                                 flags=p.flags)
         p.tun_sa_in.add_vpp_config()
 
     def config_sa_tun(self, p):
         p.tun_sa_in.add_vpp_config()
 
     def config_sa_tun(self, p):
-        config_tun_params(p, self.encryption_type, self.tun_if)
+        config_tun_params(p, self.encryption_type, p.tun_if)
 
         p.tun_sa_out = VppIpsecSA(self, p.scapy_tun_sa_id, p.scapy_tun_spi,
                                   p.auth_algo_vpp_id, p.auth_key,
                                   p.crypt_algo_vpp_id, p.crypt_key,
                                   self.vpp_esp_protocol,
                                   self.tun_if.remote_addr[p.addr_type],
 
         p.tun_sa_out = VppIpsecSA(self, p.scapy_tun_sa_id, p.scapy_tun_spi,
                                   p.auth_algo_vpp_id, p.auth_key,
                                   p.crypt_algo_vpp_id, p.crypt_key,
                                   self.vpp_esp_protocol,
                                   self.tun_if.remote_addr[p.addr_type],
-                                  self.tun_if.local_addr[p.addr_type])
+                                  self.tun_if.local_addr[p.addr_type],
+                                  flags=p.flags)
         p.tun_sa_out.add_vpp_config()
 
         p.tun_sa_in = VppIpsecSA(self, p.vpp_tun_sa_id, p.vpp_tun_spi,
         p.tun_sa_out.add_vpp_config()
 
         p.tun_sa_in = VppIpsecSA(self, p.vpp_tun_sa_id, p.vpp_tun_spi,
@@ -694,7 +801,8 @@ class TemplateIpsec4TunProtect(object):
                                  p.crypt_algo_vpp_id, p.crypt_key,
                                  self.vpp_esp_protocol,
                                  self.tun_if.remote_addr[p.addr_type],
                                  p.crypt_algo_vpp_id, p.crypt_key,
                                  self.vpp_esp_protocol,
                                  self.tun_if.remote_addr[p.addr_type],
-                                 self.tun_if.local_addr[p.addr_type])
+                                 self.tun_if.local_addr[p.addr_type],
+                                 flags=p.flags)
         p.tun_sa_in.add_vpp_config()
 
     def config_protect(self, p):
         p.tun_sa_in.add_vpp_config()
 
     def config_protect(self, p):
@@ -711,11 +819,17 @@ class TemplateIpsec4TunProtect(object):
         p.tun_if.add_vpp_config()
         p.tun_if.admin_up()
         p.tun_if.config_ip4()
         p.tun_if.add_vpp_config()
         p.tun_if.admin_up()
         p.tun_if.config_ip4()
+        p.tun_if.config_ip6()
 
         p.route = VppIpRoute(self, p.remote_tun_if_host, 32,
                              [VppRoutePath(p.tun_if.remote_ip4,
                                            0xffffffff)])
         p.route.add_vpp_config()
 
         p.route = VppIpRoute(self, p.remote_tun_if_host, 32,
                              [VppRoutePath(p.tun_if.remote_ip4,
                                            0xffffffff)])
         p.route.add_vpp_config()
+        r = VppIpRoute(self, p.remote_tun_if_host6, 128,
+                       [VppRoutePath(p.tun_if.remote_ip6,
+                                     0xffffffff,
+                                     proto=DpoProto.DPO_PROTO_IP6)])
+        r.add_vpp_config()
 
     def unconfig_network(self, p):
         p.route.remove_vpp_config()
 
     def unconfig_network(self, p):
         p.route.remove_vpp_config()
@@ -734,10 +848,6 @@ class TestIpsec4TunProtect(TemplateIpsec,
                            IpsecTun4):
     """ IPsec IPv4 Tunnel protect - transport mode"""
 
                            IpsecTun4):
     """ IPsec IPv4 Tunnel protect - transport mode"""
 
-    encryption_type = ESP
-    tun4_encrypt_node_name = "esp4-encrypt-tun"
-    tun4_decrypt_node_name = "esp4-decrypt-tun"
-
     def setUp(self):
         super(TestIpsec4TunProtect, self).setUp()
 
     def setUp(self):
         super(TestIpsec4TunProtect, self).setUp()
 
@@ -761,9 +871,16 @@ class TestIpsec4TunProtect(TemplateIpsec,
         c = p.tun_if.get_tx_stats()
         self.assertEqual(c['packets'], 127)
 
         c = p.tun_if.get_tx_stats()
         self.assertEqual(c['packets'], 127)
 
+        self.vapi.cli("clear ipsec sa")
+        self.verify_tun_64(p, count=127)
+        c = p.tun_if.get_rx_stats()
+        self.assertEqual(c['packets'], 254)
+        c = p.tun_if.get_tx_stats()
+        self.assertEqual(c['packets'], 254)
+
         # rekey - create new SAs and update the tunnel protection
         np = copy.copy(p)
         # rekey - create new SAs and update the tunnel protection
         np = copy.copy(p)
-        np.crypt_key = 'X' + p.crypt_key[1:]
+        np.crypt_key = b'X' + p.crypt_key[1:]
         np.scapy_tun_spi += 100
         np.scapy_tun_sa_id += 1
         np.vpp_tun_spi += 100
         np.scapy_tun_spi += 100
         np.scapy_tun_sa_id += 1
         np.vpp_tun_spi += 100
@@ -777,9 +894,9 @@ class TestIpsec4TunProtect(TemplateIpsec,
 
         self.verify_tun_44(np, count=127)
         c = p.tun_if.get_rx_stats()
 
         self.verify_tun_44(np, count=127)
         c = p.tun_if.get_rx_stats()
-        self.assertEqual(c['packets'], 254)
+        self.assertEqual(c['packets'], 381)
         c = p.tun_if.get_tx_stats()
         c = p.tun_if.get_tx_stats()
-        self.assertEqual(c['packets'], 254)
+        self.assertEqual(c['packets'], 381)
 
         # teardown
         self.unconfig_protect(np)
 
         # teardown
         self.unconfig_protect(np)
@@ -787,6 +904,47 @@ class TestIpsec4TunProtect(TemplateIpsec,
         self.unconfig_network(p)
 
 
         self.unconfig_network(p)
 
 
+class TestIpsec4TunProtectUdp(TemplateIpsec,
+                              TemplateIpsec4TunProtect,
+                              IpsecTun4):
+    """ IPsec IPv4 Tunnel protect - transport mode"""
+
+    def setUp(self):
+        super(TestIpsec4TunProtectUdp, self).setUp()
+
+        self.tun_if = self.pg0
+
+        p = self.ipv4_params
+        p.flags = (VppEnum.vl_api_ipsec_sad_flags_t.
+                   IPSEC_API_SAD_FLAG_UDP_ENCAP)
+        p.nat_header = UDP(sport=5454, dport=4500)
+        self.config_network(p)
+        self.config_sa_tra(p)
+        self.config_protect(p)
+
+    def tearDown(self):
+        p = self.ipv4_params
+        self.unconfig_protect(p)
+        self.unconfig_sa(p)
+        self.unconfig_network(p)
+        super(TestIpsec4TunProtectUdp, self).tearDown()
+
+    def test_tun_44(self):
+        """IPSEC UDP tunnel protect"""
+
+        p = self.ipv4_params
+
+        self.verify_tun_44(p, count=127)
+        c = p.tun_if.get_rx_stats()
+        self.assertEqual(c['packets'], 127)
+        c = p.tun_if.get_tx_stats()
+        self.assertEqual(c['packets'], 127)
+
+    def test_keepalive(self):
+        """ IPSEC NAT Keepalive """
+        self.verify_keepalive(self.ipv4_params)
+
+
 class TestIpsec4TunProtectTun(TemplateIpsec,
                               TemplateIpsec4TunProtect,
                               IpsecTun4):
 class TestIpsec4TunProtectTun(TemplateIpsec,
                               TemplateIpsec4TunProtect,
                               IpsecTun4):
@@ -811,7 +969,7 @@ class TestIpsec4TunProtectTun(TemplateIpsec,
                               dst=sw_intf.local_ip4) /
                            IP(src=src, dst=dst) /
                            UDP(sport=1144, dport=2233) /
                               dst=sw_intf.local_ip4) /
                            IP(src=src, dst=dst) /
                            UDP(sport=1144, dport=2233) /
-                           Raw('X' * payload_size))
+                           Raw(b'X' * payload_size))
                 for i in range(count)]
 
     def gen_pkts(self, sw_intf, src, dst, count=1,
                 for i in range(count)]
 
     def gen_pkts(self, sw_intf, src, dst, count=1,
@@ -819,7 +977,7 @@ class TestIpsec4TunProtectTun(TemplateIpsec,
         return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
                 IP(src=src, dst=dst) /
                 UDP(sport=1144, dport=2233) /
         return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
                 IP(src=src, dst=dst) /
                 UDP(sport=1144, dport=2233) /
-                Raw('X' * payload_size)
+                Raw(b'X' * payload_size)
                 for i in range(count)]
 
     def verify_decrypted(self, p, rxs):
                 for i in range(count)]
 
     def verify_decrypted(self, p, rxs):
@@ -866,7 +1024,7 @@ class TestIpsec4TunProtectTun(TemplateIpsec,
 
         # rekey - create new SAs and update the tunnel protection
         np = copy.copy(p)
 
         # rekey - create new SAs and update the tunnel protection
         np = copy.copy(p)
-        np.crypt_key = 'X' + p.crypt_key[1:]
+        np.crypt_key = b'X' + p.crypt_key[1:]
         np.scapy_tun_spi += 100
         np.scapy_tun_sa_id += 1
         np.vpp_tun_spi += 100
         np.scapy_tun_spi += 100
         np.scapy_tun_sa_id += 1
         np.vpp_tun_spi += 100
@@ -894,7 +1052,7 @@ class TemplateIpsec6TunProtect(object):
     """ IPsec IPv6 Tunnel protect """
 
     def config_sa_tra(self, p):
     """ IPsec IPv6 Tunnel protect """
 
     def config_sa_tra(self, p):
-        config_tun_params(p, self.encryption_type, self.tun_if)
+        config_tun_params(p, self.encryption_type, p.tun_if)
 
         p.tun_sa_out = VppIpsecSA(self, p.scapy_tun_sa_id, p.scapy_tun_spi,
                                   p.auth_algo_vpp_id, p.auth_key,
 
         p.tun_sa_out = VppIpsecSA(self, p.scapy_tun_sa_id, p.scapy_tun_spi,
                                   p.auth_algo_vpp_id, p.auth_key,
@@ -909,7 +1067,7 @@ class TemplateIpsec6TunProtect(object):
         p.tun_sa_in.add_vpp_config()
 
     def config_sa_tun(self, p):
         p.tun_sa_in.add_vpp_config()
 
     def config_sa_tun(self, p):
-        config_tun_params(p, self.encryption_type, self.tun_if)
+        config_tun_params(p, self.encryption_type, p.tun_if)
 
         p.tun_sa_out = VppIpsecSA(self, p.scapy_tun_sa_id, p.scapy_tun_spi,
                                   p.auth_algo_vpp_id, p.auth_key,
 
         p.tun_sa_out = VppIpsecSA(self, p.scapy_tun_sa_id, p.scapy_tun_spi,
                                   p.auth_algo_vpp_id, p.auth_key,
@@ -941,12 +1099,17 @@ class TemplateIpsec6TunProtect(object):
         p.tun_if.add_vpp_config()
         p.tun_if.admin_up()
         p.tun_if.config_ip6()
         p.tun_if.add_vpp_config()
         p.tun_if.admin_up()
         p.tun_if.config_ip6()
+        p.tun_if.config_ip4()
 
         p.route = VppIpRoute(self, p.remote_tun_if_host, 128,
                              [VppRoutePath(p.tun_if.remote_ip6,
                                            0xffffffff,
                                            proto=DpoProto.DPO_PROTO_IP6)])
         p.route.add_vpp_config()
 
         p.route = VppIpRoute(self, p.remote_tun_if_host, 128,
                              [VppRoutePath(p.tun_if.remote_ip6,
                                            0xffffffff,
                                            proto=DpoProto.DPO_PROTO_IP6)])
         p.route.add_vpp_config()
+        r = VppIpRoute(self, p.remote_tun_if_host4, 32,
+                       [VppRoutePath(p.tun_if.remote_ip4,
+                                     0xffffffff)])
+        r.add_vpp_config()
 
     def unconfig_network(self, p):
         p.route.remove_vpp_config()
 
     def unconfig_network(self, p):
         p.route.remove_vpp_config()
@@ -994,7 +1157,7 @@ class TestIpsec6TunProtect(TemplateIpsec,
 
         # rekey - create new SAs and update the tunnel protection
         np = copy.copy(p)
 
         # rekey - create new SAs and update the tunnel protection
         np = copy.copy(p)
-        np.crypt_key = 'X' + p.crypt_key[1:]
+        np.crypt_key = b'X' + p.crypt_key[1:]
         np.scapy_tun_spi += 100
         np.scapy_tun_sa_id += 1
         np.vpp_tun_spi += 100
         np.scapy_tun_spi += 100
         np.scapy_tun_sa_id += 1
         np.vpp_tun_spi += 100
@@ -1017,7 +1180,7 @@ class TestIpsec6TunProtect(TemplateIpsec,
         #  2) swap output SA to [new]
         #  3) use only [new] input SA
         np3 = copy.copy(np)
         #  2) swap output SA to [new]
         #  3) use only [new] input SA
         np3 = copy.copy(np)
-        np3.crypt_key = 'Z' + p.crypt_key[1:]
+        np3.crypt_key = b'Z' + p.crypt_key[1:]
         np3.scapy_tun_spi += 100
         np3.scapy_tun_sa_id += 1
         np3.vpp_tun_spi += 100
         np3.scapy_tun_spi += 100
         np3.scapy_tun_sa_id += 1
         np3.vpp_tun_spi += 100
@@ -1056,6 +1219,26 @@ class TestIpsec6TunProtect(TemplateIpsec,
         self.unconfig_sa(np3)
         self.unconfig_network(p)
 
         self.unconfig_sa(np3)
         self.unconfig_network(p)
 
+    def test_tun_46(self):
+        """IPSEC tunnel protect"""
+
+        p = self.ipv6_params
+
+        self.config_network(p)
+        self.config_sa_tra(p)
+        self.config_protect(p)
+
+        self.verify_tun_46(p, count=127)
+        c = p.tun_if.get_rx_stats()
+        self.assertEqual(c['packets'], 127)
+        c = p.tun_if.get_tx_stats()
+        self.assertEqual(c['packets'], 127)
+
+        # teardown
+        self.unconfig_protect(p)
+        self.unconfig_sa(p)
+        self.unconfig_network(p)
+
 
 class TestIpsec6TunProtectTun(TemplateIpsec,
                               TemplateIpsec6TunProtect,
 
 class TestIpsec6TunProtectTun(TemplateIpsec,
                               TemplateIpsec6TunProtect,
@@ -1081,7 +1264,7 @@ class TestIpsec6TunProtectTun(TemplateIpsec,
                                 dst=sw_intf.local_ip6) /
                            IPv6(src=src, dst=dst) /
                            UDP(sport=1166, dport=2233) /
                                 dst=sw_intf.local_ip6) /
                            IPv6(src=src, dst=dst) /
                            UDP(sport=1166, dport=2233) /
-                           Raw('X' * payload_size))
+                           Raw(b'X' * payload_size))
                 for i in range(count)]
 
     def gen_pkts6(self, sw_intf, src, dst, count=1,
                 for i in range(count)]
 
     def gen_pkts6(self, sw_intf, src, dst, count=1,
@@ -1089,7 +1272,7 @@ class TestIpsec6TunProtectTun(TemplateIpsec,
         return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
                 IPv6(src=src, dst=dst) /
                 UDP(sport=1166, dport=2233) /
         return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
                 IPv6(src=src, dst=dst) /
                 UDP(sport=1166, dport=2233) /
-                Raw('X' * payload_size)
+                Raw(b'X' * payload_size)
                 for i in range(count)]
 
     def verify_decrypted6(self, p, rxs):
                 for i in range(count)]
 
     def verify_decrypted6(self, p, rxs):
@@ -1136,7 +1319,7 @@ class TestIpsec6TunProtectTun(TemplateIpsec,
 
         # rekey - create new SAs and update the tunnel protection
         np = copy.copy(p)
 
         # rekey - create new SAs and update the tunnel protection
         np = copy.copy(p)
-        np.crypt_key = 'X' + p.crypt_key[1:]
+        np.crypt_key = b'X' + p.crypt_key[1:]
         np.scapy_tun_spi += 100
         np.scapy_tun_sa_id += 1
         np.vpp_tun_spi += 100
         np.scapy_tun_spi += 100
         np.scapy_tun_sa_id += 1
         np.vpp_tun_spi += 100
Vector Packet Processing