<div><div>Hi, </div><div><br></div><div>Not able to understand 16 byetes in ESP packet present after sequence no and before Original IP header while doing tunnel mode Ipsec with ESP.</div><div>Details are as below.</div><div>
<br></div><div>I am trying to achieve Ipsec functionality using fast-path application which will do encryption/decryption using some hardware(Cavium) specific API.</div><div>This application will by-pass the IP layer of kernel..</div>
<div>Keys for start-up are pre-shared.</div><div><br></div><div>Communication is done between two machine A and B.</div><div>On Machine A running i386 linux, SA/SP database are updated using setkey utility and packets is encrypted/decrypted using kernel Ipsec.</div>
<div>On Machine B Cavium h/w, keys are pre-shared to application performing Ipsec functionlity...</div><div><br></div><div>Example:</div><div>M/c A configuration:</div><div>add 50.50.50.51 50.50.50.53 esp 15701 -E aes-cbc "0123456789abcdef";</div>
<div>spdadd 10.10.10.20 10.10.10.21 any -P out ipsec</div><div> esp/tunnel/<a href="http://50.50.50.51">50.50.50.51</a> <a href="http://50.50.50.53/require">50.50.50.53/require</a></div><div><br></div></div><div>
<br></div><div>I am able to decrypt received packets on machine B send by M/c A and send encrypted packet to M/c A.</div><div>Issue: </div><div>1. Not able to find what are 16 bytes present after sequence no in ESP header and before original IP header representing...</div>
<div><br></div><div>Decrypted Packet on machine B is like below</div><div>Ethernet header 14 bytes </div><div>Outer Ip header 20 bytes</div><div>ESP header SPI 4 bytes Seq no 4 bytes</div><div>Some data 16 bytes ???????</div>
<div>Original IP header 20 bytes</div><div>UDP header</div><div>Payload data</div><div>Padding</div><div>Pad lenght</div><div>Next Ip header</div><div><br></div><div>2. Packets send from machine B are encrypted and received as ESP packet on machine A.. </div>
<div> Not sure if decryption is happening fine...Seems packets are dropped at IP layer.. Is there way to confirm if packet are decrypted fine by kernel IPSEC...</div><div> Encrypted packet send by Machine B is having encrypted payload(of original IP header plus data) after Sequence number of ESP header...</div>
<div> Seems 16 bytes mentioned above play role for successful decryption at machine A running Linux IPSEC</div><div>Any Inputs for same will be appreciated for same</div><div><br>Cheers<br>Mukesh<br>
</div>