From: Denys Haryachyy Date: Thu, 28 Aug 2025 09:56:42 +0000 (+0300) Subject: ipsec: Improve tunnel mode detection in ESP decrypt post-crypto X-Git-Tag: v26.02-rc0~11 X-Git-Url: https://gerrit.fd.io/r/gitweb?a=commitdiff_plain;h=refs%2Fchanges%2F43%2F43643%2F2;p=vpp.git ipsec: Improve tunnel mode detection in ESP decrypt post-crypto Type: fix - Use irt->is_tunnel flag to properly detect IPSec tunnel mode SAs - Skip IP address verification for IPSec tunnel mode (outer IP already validated) Change-Id: Icd57b699b745f764e7e87bbbb4cf891e82320f37 Signed-off-by: Denys Haryachyy --- diff --git a/src/vnet/ipsec/esp_decrypt.c b/src/vnet/ipsec/esp_decrypt.c index 7f7cd57488d..479737185f5 100644 --- a/src/vnet/ipsec/esp_decrypt.c +++ b/src/vnet/ipsec/esp_decrypt.c @@ -1018,7 +1018,12 @@ esp_decrypt_post_crypto (vlib_main_t *vm, vlib_node_runtime_t *node, itp = ipsec_tun_protect_get (vnet_buffer (b)->ipsec.protect_index); - if (PREDICT_TRUE (next_header == IP_PROTOCOL_IP_IN_IP)) + if (irt->is_tunnel) // IPSec tunnel mode + { + next[0] = is_ip6 ? ESP_DECRYPT_NEXT_IP6_INPUT : + ESP_DECRYPT_NEXT_IP4_INPUT; + } + else if (next_header == IP_PROTOCOL_IP_IN_IP) // IPIP tunnel { const ip4_header_t *ip4;
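Review bot: In the new `if (irt->is_tunnel)` branch of esp_decrypt_post_crypto, the next node is chosen from `is_ip6` alone and the decrypted `next_header` is no longer consulted. If `is_ip6` describes the outer packet, a 4-in-6 or 6-in-4 tunnel SA would hand the inner packet to the wrong input node, and a payload that is not IP at all would still be forwarded to `ESP_DECRYPT_NEXT_IP4_INPUT` or `ESP_DECRYPT_NEXT_IP6_INPUT`. Consider selecting the node from `next_header` inside this branch and dropping anything that is neither IPv4 nor IPv6. Because the branch sits after `itp = ipsec_tun_protect_get (...)` and ahead of the `else if (next_header == IP_PROTOCOL_IP_IN_IP)` path, any SA with `is_tunnel` set now skips the address verification in that path. The commit message justifies this with "outer IP already validated", but the code does not say where. A comment naming the earlier check would let a reader confirm that it covers every way of reaching this point, including protected tunnel interfaces. The change also drops `PREDICT_TRUE` from the IP-in-IP test without mention. If that is intentional, say so in the commit message.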