Updated IPsec example

Configuration steps updated to work in new VPP
cncf · Sep 25, 2020 · 938b72e · 938b72e
1 parent 0a72a6f
commit 938b72e
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 13 deletions.
diff --git a/examples/use_case/ipsec/ipsec/templates/configmap.yaml b/examples/use_case/ipsec/ipsec/templates/configmap.yaml
@@ -21,16 +21,20 @@ data:
     set ip neighbor static memif1/{{ index .memid 0 }} {{ index .remip 0 }} {{ tpl ( index .remmac 0 ) $ }}
     set ip neighbor static memif2/{{ index .memid 1 }} {{ index .remip 1 }} {{ tpl ( index .remmac 1 ) $ }}
     {{ if .ipsec_endpoint }}
-    create ipsec tunnel local-ip {{ index .ipsec_ip 0 }} remote-ip {{ index .ipsec_ip 1 }} local-spi {{ index .ipsec_spi 0 }} remote-spi {{ index .ipsec_spi 1 }} local-crypto-key {{ index .ipsec_key 0 }} remote-crypto-key {{ index .ipsec_key 1 }} crypto-alg aes-gcm-128
+    ipsec sa add 10 spi {{ index .ipsec_spi 0 }} esp crypto-alg aes-cbc-128 crypto-key {{ index .ipsec_key 0 }} integ-alg sha1-96 integ-key {{ index .ipsec_key 1 }}
+    ipsec sa add 20 spi {{ index .ipsec_spi 1 }} esp crypto-alg aes-cbc-128 crypto-key {{ index .ipsec_key 0 }} integ-alg sha1-96 integ-key {{ index .ipsec_key 1 }}
+    ipsec spd add 1
     {{ if eq .ipsec_direction "right" }}
-    set interface unnumbered ipsec0 use memif2/{{ index .memid 1 }}
-    set interface state ipsec0 up
+    set interface ipsec spd memif2/{{ index .memid 1 }} 1
+    ipsec policy add spd 1 priority 10 inbound action protect sa 20 local-ip-range 172.16.64.0 - 172.16.127.255 remote-ip-range 172.16.192.0 - 172.16.255.255
+    ipsec policy add spd 1 priority 10 outbound action protect sa 10 local-ip-range 172.16.64.0 - 172.16.127.255 remote-ip-range 172.16.192.0 - 172.16.255.255
     ip route add 172.16.64.0/18 via {{ index .remip 0 }}
-    ip route add 172.16.192.0/18 via {{ index .remip 1 }} ipsec0
+    ip route add 172.16.192.0/18 via {{ index .remip 1 }} memif2/{{ index .memid 1 }}
     {{ else }}
-    set interface unnumbered ipsec0 use memif1/{{ index .memid 0 }}
-    set interface state ipsec0 up
-    ip route add 172.16.64.0/18 via {{ index .remip 0 }} ipsec0
+    set interface ipsec spd memif1/{{ index .memid 0 }} 1
+    ipsec policy add spd 1 priority 10 inbound action protect sa 20 local-ip-range 172.16.192.0 - 172.16.255.255 remote-ip-range 172.16.64.0 - 172.16.127.255
+    ipsec policy add spd 1 priority 10 outbound action protect sa 10 local-ip-range 172.16.192.0 - 172.16.255.255 remote-ip-range 172.16.64.0 - 172.16.127.255
+    ip route add 172.16.64.0/18 via {{ index .remip 0 }} memif1/{{ index .memid 0 }}
     ip route add 172.16.192.0/18 via {{ index .remip 1 }}
     {{ end }}
     {{ else }}

diff --git a/examples/use_case/ipsec/ipsec/values.yaml b/examples/use_case/ipsec/ipsec/values.yaml
@@ -45,9 +45,8 @@ cnf:
     remip: ['172.16.31.10','172.16.32.11']
     remmac: ['52:54:00:00:01:bb','52:54:00:00:03:aa']
     ipsec_endpoint: true
-    ipsec_ip: ['172.16.32.10','172.16.32.11']
-    ipsec_spi: ['200000','100000']
-    ipsec_key: ['714c7a456b41476442585353474b586c78796d45','47505069546a6461647565786163726865757346']
+    ipsec_spi: ['1000','2000']
+    ipsec_key: ['3a7a7f4f39efe793db445de138042031','9275e33a6115a8f4601be957c605765d0f12f6ab']
     ipsec_direction: 'right'
 
   3:
@@ -62,9 +61,8 @@ cnf:
     remip: ['172.16.32.10','172.16.33.11']
     remmac: ['52:54:00:00:02:bb','52:54:00:00:04:aa']
     ipsec_endpoint: true
-    ipsec_ip: ['172.16.32.11','172.16.32.10']
-    ipsec_spi: ['100000','200000']
-    ipsec_key: ['47505069546a6461647565786163726865757346','714c7a456b41476442585353474b586c78796d45']
+    ipsec_spi: ['2000','1000']
+    ipsec_key: ['3a7a7f4f39efe793db445de138042031','9275e33a6115a8f4601be957c605765d0f12f6ab']
     ipsec_direction: 'left'
 
   4: