From bb56096e98e1d42af028160fb7e844e57a127ea2 Mon Sep 17 00:00:00 2001
From: Denys Haryachyy
Date: Thu, 28 Aug 2025 12:56:42 +0300
Subject: [PATCH] ipsec: Improve tunnel mode detection in ESP decrypt post-crypto

Type: fix

- Use irt->is_tunnel flag to properly detect IPSec tunnel mode SAs
- Skip IP address verification for IPSec tunnel mode (outer IP already validated)

Change-Id: Icd57b699b745f764e7e87bbbb4cf891e82320f37
Signed-off-by: Denys Haryachyy
---
 src/vnet/ipsec/esp_decrypt.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/vnet/ipsec/esp_decrypt.c b/src/vnet/ipsec/esp_decrypt.c
index 7f7cd57488d..479737185f5 100644
--- a/src/vnet/ipsec/esp_decrypt.c
+++ b/src/vnet/ipsec/esp_decrypt.c
@@ -1018,7 +1018,12 @@ esp_decrypt_post_crypto (vlib_main_t *vm, vlib_node_runtime_t *node,
 itp = ipsec_tun_protect_get (vnet_buffer (b)->ipsec.protect_index);
- if (PREDICT_TRUE (next_header == IP_PROTOCOL_IP_IN_IP))
+ if (irt->is_tunnel) // IPSec tunnel mode
+ {
+ next[0] = is_ip6 ? ESP_DECRYPT_NEXT_IP6_INPUT :
+ ESP_DECRYPT_NEXT_IP4_INPUT;
+ }
+ else if (next_header == IP_PROTOCOL_IP_IN_IP) // IPIP tunnel
 {
 const ip4_header_t *ip4;
-- 
2.16.6
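Review bot: The new `irt->is_tunnel` branch chooses the next node from `is_ip6` without consulting `next_header`, so a decrypted payload whose inner protocol is not the one implied by that choice is still handed to `ESP_DECRYPT_NEXT_IP4_INPUT`/`ESP_DECRYPT_NEXT_IP6_INPUT`, while the `IP_PROTOCOL_IP_IN_IP` branch right below it keeps dispatching on the inner protocol. If `is_ip6` is the outer packet's address family, as it appears to be, a tunnel carrying the other family inside (or a non-IP inner protocol, where the SA permits it) is sent to the wrong input node instead of being dropped. Skipping the inner-address comparison against `itp` for tunnel-mode SAs is fine, but the dispatch should still key on `next_header` and fall through to a drop for anything else, as in the sketch below; the error counter to set on that drop is whichever the existing address-mismatch path already uses, which is outside this hunk. `esp_decrypt_post_crypto` starts and ends outside the hunk, so where `irt` is assigned and whether it can be NULL on this path is not visible here and should be confirmed.
```c
	  if (irt->is_tunnel) // IPSec tunnel mode: outer addresses already checked, still dispatch on inner protocol
	    {
	      if (next_header == IP_PROTOCOL_IP_IN_IP)
		next[0] = ESP_DECRYPT_NEXT_IP4_INPUT;
	      else if (next_header == IP_PROTOCOL_IPV6)
		next[0] = ESP_DECRYPT_NEXT_IP6_INPUT;
	      else
		{
		  next[0] = ESP_DECRYPT_NEXT_DROP;
		  /* set b->error as the existing address-mismatch drop path does */
		}
	    }
	  else if (next_header == IP_PROTOCOL_IP_IN_IP) // IPIP tunnel
	    /* … unchanged: inner address verification against itp … */
```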