ahenning

Maybe the solution is not to create more static nat rules, but to create more random source ports in the traffic generator. Each new source port will create a dynamic...

Maybe SetRandIPAddress does what you need? https://github.com/kohler/click/wiki/SetRandIPAddress > InfiniteSource(LENGTH 1000, LIMIT 3, STOP true) -> SetRandIPAddress(192.168.0.0/24, 32) -> UDPIPEncap(1.1.1.1,123, DST_ANNO, 123) -> ipsec_rt::RadixIPsecLookup( 10.10.1.1/32 0, 192.168.0.0/24 10.10.2.1 1 111 1111111111111111...

The ipsec config does not look complete. I believe the missing part is the RadixIPsecLookup, which if I recall correctly sets annotations required by the other ipsec elements.

For what it is worth, here is a simple example to get started with > InfiniteSource(LENGTH 1000, LIMIT 3, STOP true) > -> SetRandIPAddress(192.168.0.0/24, 32) > -> UDPIPEncap(1.1.1.1,123, DST_ANNO, 123)...

The issue appears to be the L2/MAC headers. In the first example it looks like this header is set, while in the second there are no MAC headers. EtherEncap might...

Yes and no. Yes that is how L2 headers could work if the VNF was just a L2 bridge, but due to the udp and ipsec headers you are probably...

I notice 'enp4s0f1' in the ToDevice of the ipsec config and the FromDevice of the sink. If this is actually the exact same interface, that could be the issue. If...

What is between the two enp4s0f1 interfaces? Might want to look if there is some L2 filter going on that might be filtering the spoofed source MAC (1:1:1:1:1:1), or just...

Yes, some L2 devices, physical or virtual, will check if the packets are sourced from the connected interface MAC. I am not sure if this the issue, but double check...

Packets per second looks normal for the default PCAP method. You can try the fastclick DPDK elements for higher throughput. You can also try enabling verbose logging on the IP...