vpp: update ipsec supported encryption algorithms #1755

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged

dmbaturin merged 1 commit into vyos:current from alexk37:vpp-ipsec-enc

Feb 3, 2026

docs/vpp/configuration/ipsec.rst

-Original file line number
+Diff line change
@@ Expand Up / @@ -8,10 +8,10 @@ @@
     VPP IPsec Configuration
     #######################
     VPP Dataplane in VyOS can offload IPSec processing from kernel. This allows to speed-up IPSec traffic handling significantly, when necessary conditions are met.
     .. note::
        VPP IPsec implementation is not as feature rich as Linux kernel IPsec. It supports only a subset of algorithms and modes.
     Requirements
     ============
@@ Expand All / @@ -19,18 +19,18 @@ @@
     To make IPSec offloading work, following requirements must be met:
     * VPP dataplane must be configured.
     * VPP :doc:`IPsec settings </vpp/configuration/dataplane/ipsec>` should be configured as needed.
     * IPSec should be configured in the VPN configuration section, see :doc:`/configuration/vpn/ipsec/index`.
     * Both source and destination of the IPSec traffic must be reachable via VPP interfaces, so it can perform both encryption and decryption of the traffic.
     Integration Details
     ===================
     VPP Dataplane offloads IPSec processing from kernel, but does not handle IPSec configuration itself. IPSec configuration management and control-plane operation, like IKE negotiation, is still done by the kernel and other daemons.
     After an IPSec tunnel is configured in the kernel, VPP receives the necessary information via netlink messages and creates a corresponding SAs and policies to be able to offload the traffic.
     When VPP is used for offloading IPsec, it creates a virtual interface of a specific type to connect to a peer. The type of the interface can be configured using the ``interface-type`` parameter in the dataplane settings.
     Supported IPsec Modes
     =====================
@@ Expand All / @@ -45,18 +45,18 @@ @@
     .. warning::
         Since VPP dataplane is used only to offload IPsec traffic processing, algorithms mentioned below are applicable to ESP profiles in the IPsec configuration. IKE profiles are not affected by these limitations and can use any algorithms supported by the kernel.
     VPP **supports** only the following **encryption algorithms**:
     * AES-CBC
+    * AES-GCM with ICV
     VPP **does not** support the following **encryption algorithms**:
     * Null encryption
     * AES-CTR
     * AES-CCM with ICV
-    * AES-GCM with ICV
     * Null encryption with AES-GMAC
     * 3DES-EDE-CBC
     * Blowfish-CBC
@@ Expand Down Expand Up / @@ -85,7 +85,7 @@ @@
     * AES CMAC
     * AES-GMAC
     If you have configured ESP profiles with algorithms not supported by VPP and the traffic for such peers flows trough VPP interfaces, such traffic will be dropped.
     Configuration Examples
     ======================
@@ Expand Down @@

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

vpp: update ipsec supported encryption algorithms #1755

Uh oh!

Diff view

Diff view

There are no files selected for viewing

GitHub Actions / lint-doc / doc-lint

GitHub Actions / lint-doc / doc-lint

GitHub Actions / lint-doc / doc-lint

GitHub Actions / lint-doc / doc-lint

GitHub Actions / lint-doc / doc-lint

GitHub Actions / lint-doc / doc-lint

GitHub Actions / lint-doc / doc-lint

GitHub Actions / lint-doc / doc-lint

GitHub Actions / lint-doc / doc-lint

GitHub Actions / lint-doc / doc-lint

Uh oh!