diff options
author | Damjan Marion <damarion@cisco.com> | 2016-12-19 23:05:39 +0100 |
---|---|---|
committer | Damjan Marion <damarion@cisco.com> | 2016-12-28 12:25:14 +0100 |
commit | 7cd468a3d7dee7d6c92f69a0bb7061ae208ec727 (patch) | |
tree | 5de62f8dbd3a752f5a676ca600e43d2652d1ff1a /vnet/vnet/ipsec-gre/ipsec_gre_doc.md | |
parent | 696f1adec0df3b8f161862566dd9c86174302658 (diff) |
Reorganize source tree to use single autotools instance
Change-Id: I7b51f88292e057c6443b12224486f2d0c9f8ae23
Signed-off-by: Damjan Marion <damarion@cisco.com>
Diffstat (limited to 'vnet/vnet/ipsec-gre/ipsec_gre_doc.md')
-rw-r--r-- | vnet/vnet/ipsec-gre/ipsec_gre_doc.md | 74 |
1 files changed, 0 insertions, 74 deletions
diff --git a/vnet/vnet/ipsec-gre/ipsec_gre_doc.md b/vnet/vnet/ipsec-gre/ipsec_gre_doc.md deleted file mode 100644 index e1bb9cdab1a..00000000000 --- a/vnet/vnet/ipsec-gre/ipsec_gre_doc.md +++ /dev/null @@ -1,74 +0,0 @@ -# VPP L2-GRE over IPsec implementation {#ipsec_gre_doc} - -This is a memo intended to contain documentation of the VPP L2-GRE over IPsec implementation. -Everything that is not directly obvious should come here. - - -## L2-GRE over IPsec -GRE encapsulate layer 2 traffic and IPSec encrypt what is encapsulated by GRE. The whole point of L2-GRE over IPSec is to tunnel layer 2 over GRE and IPSec by bridging the physical interface with IPSec-GRE tunnel interface. - -There are 2 dedicated nodes for encapsulation: -* ipsec-gre<n>-tx - add GRE header -* esp-encrypt - encrypt GRE packet to ESP packet - -There are 3 dedicated nodes for decapsulation: -* ipsec-if-input - match IPSec SA by source IP address and SPI in ESP packet -* esp-decrypt - decrypt ESP packet -* ipsec-gre-input - remove GRE header - - -### Configuration - -L2-GRE over IPsec support the following CLI configuration command: - create ipsec gre tunnel src <addr> dst <addr> local-sa <id> remote-sa <id> [del] - -src: tunnel source IPv4 address -dst: tunnel destination IPv4 address -local-sa: tunnel local IPSec Security Association -remote-sa: tunnel remote IPSec Security Association -del: delete IPSec-GRE tunnel - -L2-GRE over IPsec support the following API configuration command: - ipsec_gre_add_del_tunnel src <addr> dst <addr> local_sa <sa-id> remote_sa <sa-id> [del] - -src: tunnel source IPv4 address -dst: tunnel destination IPv4 address -local_sa: tunnel local IPSec Security Association -remote_sa: tunnel remote IPSec Security Association -del: delete IPSec-GRE tunnel - - -### Configuration example - -Interface GigabitEthernet0/9/0 is in bridge with ipsec-gre0 tunnel interface, interface GigabitEthernet0/8/0 sending encapsulated and encrypted traffic. - -Configure IPv4 address on sending interface: -set int ip address GigabitEthernet0/8/0 192.168.1.1/24 - -Configure IPSec Security Associations: -ipsec sa add 10 spi 1001 esp crypto-key 4a506a794f574265564551694d653768 crypto-alg aes-cbc-128 integ-key 4339314b55523947594d6d3547666b45764e6a58 integ-alg sha1-96 -ipsec sa add 20 spi 1000 esp crypto-key 49517065716d6235726c734a4372466c crypto-alg aes-cbc-128 integ-key 307439636a5542735133595835546f68534e4f64 integ-alg sha1-96 - -Create IPSec-GRE tunnel: -create ipsec gre tunnel src 192.168.1.1 dst 192.168.1.2 local-sa 10 remote-sa 20 - -Set interfaces state: -set int state GigabitEthernet0/8/0 up -set int state GigabitEthernet0/9/0 up -set int state ipsec-gre0 up - -Bridge physical interface with IPSec-GRE tunnel interface: -set interface l2 bridge GigabitEthernet0/9/0 1 -set interface l2 bridge ipsec-gre0 1 - - -### Operational data - -L2-GRE over IPsec support the following CLI show command: - show ipsec gre tunnel - -L2-GRE over IPsec support the following API dump command: - ipsec_gre_tunnel_dump [sw_if_index <nn>] - -sw_if_index: software interface index of the IPSec-GRE tunnel interface - |