VPP IPSEC implementation using LSDK 21.08 on ls1046ardb eval board


3,658 Views
Kavana
Contributor I

Hi,

I am trying to implement VPP IPSEC on ls1046ardb eval board. I followed the below steps.

In host machine,
tar xf flexbuild_lsdk2108_github.tgz

cd flexbuild_lsdk2108_github

CONFIG_APP_VPP=y in configs/sdk.yml

in flexbuild_lsdk2108_github : $ source setup.env

flex-builder -c openssl -a arm64

flex-builder -c linux -a arm64

flex-builder -c dpdk -a arm64

flex-builder -i mkrfs -a arm64

flex-builder -c vpp -a arm64

flex-builder -i merge-component -a arm64

flex-builder -i packrfs

Debian Images found in
/home/ubuntu/flexbuild_lsdk2108_github/build/apps/components_arm64_ubuntu_main/usr/local/vpp/

cd build/rfs/rootfs_lsdk2108_ubuntu_main_arm64/usr/local/vpp/

//Loaded firmware to SD card
flex-installer -i pf -d /dev/sdc

flex-installer -b boot_LS_arm64_lts_5.10_202412091034.tgz -r rootfs_lsdk2108_ubuntu_main_arm64_202412141056.tgz -f firmware_ls1046ardb_sdboot.img -d /dev/sdb


In target board, (NXP Eval Board ls1046ardb)

cd /usr/local/vpp
dpkg --unpack *.deb
export LD_LIBRARY_PATH=/usr/lib64/:/usr/lib/x86_64-linux-gnu/:$LD_LIBRARY_PATH


mkdir /mnt/hugepages
mount -t hugetlbfs none /mnt/hugepages
echo 256 > /proc/sys/vm/nr_hugepages
fmc -x
export DPAA_NUM_RX_QUEUES=1
cd /usr/local/dpdk/dpaa
fmc -c usdpaa_config_ls1046.xml -p usdpaa_policy_hash_ipv4_1queue.xml -a
cd --
vpp -c /etc/vpp/startup.conf.dpkg-new &

The problem is that if I run #vppctl show int

on the target board, only the local0 interface is displayed, for which an IP address cannot be set. Basically, I am unable to set an IP address as no interface is shown. I want to execute the commands below but am unable to do so. I have connected two eval boards back to back. Please help me resolve the problem.

INT0=`vppctl show int |grep -oE ".*Ethernet0"`
INT1=`vppctl show int |grep -oE ".*Ethernet1"`

vppctl set interface ip address $INT0 1.1.1.2/24
vppctl set interface ip address $INT1 192.168.100.2/24
vppctl set interface state $INT0 up
vppctl set interface state $INT1 up
vppctl ipsec sa add 10 spi 1001 esp crypto-alg aes-cbc-128 crypto-key 4a506a794f574265564551694d653768 integ-alg sha1-96 integ-key 4339314b55523947594d6d3547666b45764e6a58 tunnel-src 192.168.100.2 tunnel-dst 192.168.100.3
vppctl ipsec sa add 11 spi 1002 esp crypto-alg aes-cbc-128 crypto-key 4a506a794f574265564551694d653768 integ-alg sha1-96 integ-key 4339314b55523947594d6d3547666b45764e6a58 tunnel-src 192.168.100.3 tunnel-dst 192.168.100.2
vppctl ipsec spd add 1
vppctl set interface ipsec spd $INT1 1
vppctl set interface promiscuous on $INT1
vppctl ipsec policy add spd 1 priority 10 outbound action protect sa 10 local-ip-range 1.1.1.3 - 1.1.1.3 remote-ip-range 2.1.1.3 - 2.1.1.3
vppctl ipsec policy add spd 1 priority 10 inbound action protect sa 11 local-ip-range 1.1.1.3 - 1.1.1.3 remote-ip-range 2.1.1.3 - 2.1.1.3
vppctl ip route add count 1 2.1.1.3/32 via 192.168.100.3 $INT1
vppctl set ip arp static $INT1 192.168.100.3 00:22:22:22:22:23
vppctl set ip arp static $INT0 1.1.1.3 00:22:22:22:22:28
vppctl ipsec policy add spd 1 priority 100 inbound action bypass protocol 50
vppctl ipsec policy add spd 1 priority 100 outbound action bypass protocol 50

vppctl show ip arp
vppctl show hardware-int

 

0 Kudos
Reply
10 Replies

3,591 Views
Kavana
Contributor I

Hi, thank you. I tried loading pre-built images to the ls1046ardb eval board and followed the VPP installation guide. Now I would like to establish an IPSEC tunnel between two ls1046ardb eval boards (VPP peers).

Is there any resource I can use to try this out from scratch?

0 Kudos
Reply

3,567 Views
yipingwang
NXP TechSupport

Please refer to sections "VPP IPSec" and "9.3.7 VPP performance reproducibility guide - LS1043A/LS1046A" in LSDK 21.08 user manual.

0 Kudos
Reply

3,523 Views
Kavana
Contributor I

The OS images that I have used on the ls1046ardb eval board do not have a config with VPP enabled; therefore, I separately installed the fd.io VPP package on two eval boards and tried the following to establish an IPSEC tunnel between two VPP peers:

Assumptions VPP IPSEC:

Peer 1: Local IP 10.0.0.1, Remote IP 10.0.0.2
Peer 2: Local IP 10.0.0.2, Remote IP 10.0.0.1
The Ethernet cable is connected between fm1-mac6 ports on both boards.
VPP Version: v24.10

Steps to establish IPsec tunnel:

Run the following commands on the VPP peers:
/usr/bin/vpp -c /etc/vpp/startup1.conf
vppctl -s /run/vpp/cli.sock

1. Create Interfaces:

On Peer 1 (10.0.0.1):

vpp# create interface memif id 0 master
vpp# set int state memif0/0 up
vpp# set int ip address memif0/0 10.0.0.1/24

On Peer 2 (10.0.0.2):

vpp# create interface memif id 0 slave
vpp# set int state memif0/0 up
vpp# set int ip address memif0/0 10.0.0.2/24

This creates memif interfaces for local communication between peers.

2. Configure IPsec Policies and Create IPsec Tunnel:

On Peer 1 (10.0.0.1):
vpp# create ipip tunnel src 10.0.0.1 dst 10.0.0.2
vpp# set interface state ipip0 up
vpp# ipsec sa add 20 spi 200 crypto-key 6541686776336961656264656f6f6579 crypto-alg aes-gcm-128
vpp# ipsec sa add 30 spi 300 crypto-key 6541686776336961656264656f6f6579 crypto-alg aes-gcm-128
vpp# ipsec tunnel protect ipip0 sa-in 20 sa-out 30
vpp# ip route add 10.0.0.2/32 via ipip0

On Peer 2 (10.0.0.2):
vpp# create ipip tunnel src 10.0.0.2 dst 10.0.0.1
vpp# set interface state ipip0 up
vpp# ipsec sa add 20 spi 200 crypto-key 6541686776336961656264656f6f6579 crypto-alg aes-gcm-128
vpp# ipsec sa add 30 spi 300 crypto-key 6541686776336961656264656f6f6579 crypto-alg aes-gcm-128
vpp# ipsec tunnel protect ipip0 sa-in 20 sa-out 30
vpp# ip route add 10.0.0.1/32 via ipip0

3. Verify Setup:

show interface
show ipsec sa

4. Test with Ping:

ping <remote-ip>

 

Output is:

vpp#show interface
Name Idx State MTU (L3/IP4/IP6/MPLS) Counter Count
ipip0 2 up 9000/0/0/0
local0 0 down 0/0/0/0
memif0/0 1 up 9000/0/0/0
vpp# show ipsec sa
[0] sa 20 (0x14) spi 200 (0x000000c8) protocol:esp flags:[aead ctr ]
[1] sa 30 (0x1e) spi 300 (0x0000012c) protocol:esp flags:[aead ctr ]
vpp# ping 10.0.0.1

Statistics: 5 sent, 0 received, 100% packet loss
Ping is not working.

0 Kudos
Reply
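
The tunnel commands in the post above can be checked for peer-to-peer consistency before testing with ping. The following Python is an added example, not code from the poster or NXP: it parses both peers' CLI lines (constructed input that mirrors the post, with a placeholder key) and flags SPIs that do not mirror between peers, one AES-GCM key reused across SAs, and a route that sends the tunnel's own destination into the tunnel. The function names `peer_cfg`, `parse` and `audit` are hypothetical.

```python
import re

KEY = "00112233445566778899aabbccddeeff"  # constructed key, not the one posted

def peer_cfg(src, dst):
    """Constructed input mirroring the posted commands (vpp# prompt stripped)."""
    return f"""create ipip tunnel src {src} dst {dst}
ipsec sa add 20 spi 200 crypto-key {KEY} crypto-alg aes-gcm-128
ipsec sa add 30 spi 300 crypto-key {KEY} crypto-alg aes-gcm-128
ipsec tunnel protect ipip0 sa-in 20 sa-out 30
ip route add {dst}/32 via ipip0"""

PEER1, PEER2 = peer_cfg("10.0.0.1", "10.0.0.2"), peer_cfg("10.0.0.2", "10.0.0.1")

def parse(cfg):
    """Pull tunnel destination, SAs, protect binding and routes out of CLI lines."""
    p = {"sa": {}, "routes": []}
    for line in cfg.splitlines():
        line = line.strip()
        if m := re.match(r"create ipip tunnel src \S+ dst (\S+)", line):
            p["dst"] = m[1]
        elif m := re.match(r"ipsec sa add (\d+) spi (\d+) crypto-key (\S+) crypto-alg (\S+)", line):
            p["sa"][m[1]] = {"spi": int(m[2]), "key": m[3], "alg": m[4]}
        elif m := re.match(r"ipsec tunnel protect (\S+) sa-in (\d+) sa-out (\d+)", line):
            p["tun"], p["in"], p["out"] = m.groups()
        elif m := re.match(r"ip route add (\S+)/\d+ via (\S+)", line):
            p["routes"].append((m[1], m[2]))
    return p

def audit(a, b):
    """Return findings for peers a and b (dicts from parse)."""
    findings = []
    for name, x, y in (("peer1", a, b), ("peer2", b, a)):
        # ESP receivers look the SA up by SPI, so one side's sa-out must be the other's sa-in.
        out_spi, in_spi = x["sa"][x["out"]]["spi"], y["sa"][y["in"]]["spi"]
        if out_spi != in_spi:
            findings.append(f"{name}: sends SPI {out_spi}, remote expects SPI {in_spi}")
        # One AES-GCM key on several SAs can repeat a (key, nonce) pair.
        keys = [s["key"] for s in x["sa"].values() if "gcm" in s["alg"]]
        if len(keys) != len(set(keys)):
            findings.append(f"{name}: one AES-GCM key shared by several SAs")
        # Routing the tunnel's own destination into the tunnel loops the outer packet.
        if (x["dst"], x["tun"]) in x["routes"]:
            findings.append(f"{name}: tunnel destination {x['dst']} routed via {x['tun']}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(parse(PEER1), parse(PEER2))))
```
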

3,495 Views
yipingwang
NXP TechSupport

Please run 

vpp -c /etc/vpp/startup.conf.dpkg-new &

Please run the command vppctl show int after running vpp -c /etc/vpp/startup.conf.dpkg-new & to check the interface names, and use the related interface.

You should not create the interface by yourself like the following.

vpp# create interface memif id 0 master

Please try whether it is possible to ping successfully without setting IPSEC tunnel.

In addition, would you please create a new thread to discuss the IPSEC running problem?

0 Kudos
Reply

3,429 Views
Kavana
Contributor I

Hi,

vpp -c /etc/vpp/startup.conf.dpkg-new &

The above command does not work. I get an "open configuration file '/etc/vpp/startup.conf.dpdk-new' failed" error.
I have installed vpp from fd.io. I manually created /etc/vpp/startup1.conf, which has the content below.

unix {cli-listen /run/vpp/cli-vpp1.sock}
api-segment { prefix vpp1 }
plugins { plugin dpdk_plugin.so { disable } }

0 Kudos
Reply

3,421 Views
yipingwang
NXP TechSupport

Would you please address your "vpp -c /etc/vpp/startup.conf.dpkg-new &" running problem in a new thread?

0 Kudos
Reply

3,330 Views
yipingwang
NXP TechSupport

I will have two weeks' vacation from today. If your case is urgent, please create a new thread to let my colleague continue to support you.

0 Kudos
Reply

3,338 Views
yipingwang
NXP TechSupport

Please download LSDK 21.08 pre-built images and deploy to SD card.

$ wget https://www.nxp.com/lgfiles/sdk/lsdk2108/boot_LS_arm64_lts_5.10.tgz

$ wget https://www.nxp.com/lgfiles/sdk/lsdk2108/rootfs_lsdk2108_ubuntu_main_arm64.tgz

$ wget https://www.nxp.com/lgfiles/sdk/lsdk2108/firmware_ls1046ardb_sdboot.img

 

$ flex-installer -i pf -d /dev/sdb

$ flex-installer -b boot_LS_arm64_lts_5.10.tgz -r rootfs_lsdk2108_ubuntu_main_arm64.tgz -f firmware_ls1046ardb_sdboot.img -d /dev/sdb

Note: /dev/sdb is the SD card device name on the host PC.

 

On the target board, please plug the SD card into the target board and boot up to Linux OS.

~# mount /dev/mmcblk0p2 /mnt

~# cd /mnt

~# mv fsl-ls1046a-rdb-sdk.dtb fsl-ls1046a-rdb-sdk.dtb_bak

~# cp fsl-ls1046a-rdb-usdpaa.dtb fsl-ls1046a-rdb-sdk.dtb

~# reboot

I built vpp to generate *.deb files, and uploaded them in

https://support.nxp.com/s/case/500Tg00000FMl4VIAT/community-vpp-ipsec-implementation-using-lsdk-2108...

Please copy the *.deb files to the folder /usr/local/vpp on the target board and execute the following commands:

$ cp vpp.tar.gz /usr/local/

$ cd /usr/local/

$ tar -xzvf vpp.tar.gz

$ cd /usr/local/vpp

$ dpkg --unpack *.deb

 

mkdir /mnt/hugepages
mount -t hugetlbfs none /mnt/hugepages
echo 256 > /proc/sys/vm/nr_hugepages
fmc -x
export DPAA_NUM_RX_QUEUES=1
cd /usr/local/dpdk/dpaa
fmc -c usdpaa_config_ls1046.xml -p usdpaa_policy_hash_ipv4_1queue.xml -a

root@localhost:~# vpp -c /etc/vpp/startup.conf.dpkg-new &

root@localhost:~# vppctl show int

 

0 Kudos
Reply

3,524 Views
Kavana
Contributor I

Could you please share pre-built images for the ls1046ardb eval board where vpp is already enabled?

0 Kudos
Reply

3,637 Views
yipingwang
NXP TechSupport

Please boot up the target board with dtb for DPDK.

Please boot up to Linux OS.

~# mount /dev/mmcblk0p2 /mnt

~# cd /mnt

~# mv fsl-ls1046a-rdb-sdk.dtb fsl-ls1046a-rdb-sdk.dtb_bak

~# cp fsl-ls1046a-rdb-usdpaa.dtb fsl-ls1046a-rdb-sdk.dtb

Then reboot the target board.

0 Kudos
Reply