authorAtzm Watanabe <atzmism@gmail.com>2023-01-25 14:11:10 +0900
committerDave Wallace <dwallacelf@gmail.com>2023-02-03 14:24:51 +0000
commitfc2d95d115ea5e82bc3efb18cf40632449112fdf (patch)
treee44f020e08ab43336a430dfb916af94cfa926305
parenta4f994f31e566cc5e6512d3aebf627a6e3ce2cc7 (diff)
vpp-swan: allow SAs to be used to the route-based IPsec
This patch adds a "charon.plugins.kernel-vpp.use_tunnel_mode_sa" key to strongswan.conf. If this is turned off, SAs are installed without tunnel information and can be used with "ipsec tunnel protect". For route-based IPsec, it is used together with turning "policies" off in swanctl.conf. Type: feature Signed-off-by: Atzm Watanabe <atzmism@gmail.com> Change-Id: I58fb94bfe56627fa7002d9b95c48930a32993d2d
-rw-r--r--extras/strongswan/vpp_sswan/kernel_vpp_ipsec.c18
1 files changed, 17 insertions, 1 deletions
diff --git a/extras/strongswan/vpp_sswan/kernel_vpp_ipsec.c b/extras/strongswan/vpp_sswan/kernel_vpp_ipsec.c
index 7849dd6b898..3fe3c4403e2 100644
--- a/extras/strongswan/vpp_sswan/kernel_vpp_ipsec.c
+++ b/extras/strongswan/vpp_sswan/kernel_vpp_ipsec.c
@@ -126,6 +126,13 @@ struct private_kernel_vpp_ipsec_t
* Whether to install routes along policies
*/
bool install_routes;
+
+ /**
+ * Whether to install SAs with tunnel flag. Disabling this can be useful
+ * in some scenarios e.g. using SAs to "ipsec tunnel protect" for the
+ * route-based IPsec
+ */
+ bool use_tunnel_mode_sa;
};
/**
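Review bot: The doc comment on the new use_tunnel_mode_sa field does not name the strongswan.conf setting that populates it, so a reader of the struct cannot tell where the value comes from or what its default is; the lookup in kernel_vpp_ipsec_create reads it under `%s.plugins.kernel-vpp.use_tunnel_mode_sa` with default TRUE. Suggest `* Whether to install SAs with tunnel flag (charon.plugins.kernel-vpp.use_tunnel_mode_sa, default yes).` as the first line. It would also help to state the consequence when it is off: a MODE_TUNNEL SA is then installed without tunnel endpoints and, presumably, only carries traffic once bound to an interface with "ipsec tunnel protect" — the add_sa change in this commit relies on that setup without checking it.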
@@ -1414,9 +1421,15 @@ METHOD (kernel_ipsec_t, add_sa, status_t, private_kernel_vpp_ipsec_t *this,
mp->entry.integrity_key.length);
int flags = IPSEC_API_SAD_FLAG_NONE;
+ if (data->inbound)
+ flags |= IPSEC_API_SAD_FLAG_IS_INBOUND;
+ /* like the kernel-netlink plugin, anti-replay can be disabled with zero
+ * replay_window, but window size cannot be customized for vpp */
+ if (data->replay_window)
+ flags |= IPSEC_API_SAD_FLAG_USE_ANTI_REPLAY;
if (data->esn)
flags |= IPSEC_API_SAD_FLAG_USE_ESN;
- if (data->mode == MODE_TUNNEL)
+ if (this->use_tunnel_mode_sa && data->mode == MODE_TUNNEL)
{
if (id->src->get_family (id->src) == AF_INET6)
flags |= IPSEC_API_SAD_FLAG_IS_TUNNEL_V6;
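Review bot: The inbound and anti-replay flag additions at the top of this hunk change the SAD flags of every SA this plugin installs, not only the tunnel-mode case the commit message describes: in the visible part of the flag computation the old code never set IPSEC_API_SAD_FLAG_USE_ANTI_REPLAY, so replay protection is now switched on for any SA with a non-zero replay_window. That is the safer default, but it belongs in the commit description, and since the new comment itself says the window size cannot be customized for VPP, a configured non-default replay_window is silently dropped in favour of VPP's own window — consider emitting a debug-level log with the file's logging macro when replay_window differs from the default so operators are not surprised. On the changed tunnel condition, a comment such as `/* with use_tunnel_mode_sa off, MODE_TUNNEL SAs carry no tunnel endpoints and only work once bound to an interface via "ipsec tunnel protect" */` would make the dependency on the route-based setup explicit, as nothing here validates that binding. add_sa continues past the end of the hunk.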
@@ -1739,6 +1752,9 @@ kernel_vpp_ipsec_create ()
.routes = linked_list_create(),
.install_routes = lib->settings->get_bool(lib->settings,
"%s.install_routes", TRUE, lib->ns),
+ .use_tunnel_mode_sa = lib->settings->get_bool(lib->settings,
+ "%s.plugins.kernel-vpp.use_tunnel_mode_sa",
+ TRUE, lib->ns),
);
if (!init_spi (this))
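Review bot: The new setting is read under `%s.plugins.kernel-vpp.use_tunnel_mode_sa` while the adjacent install_routes lookup on the previous context line uses `%s.install_routes`, so the two options this plugin consumes live in different namespaces of strongswan.conf (charon.install_routes versus charon.plugins.kernel-vpp.use_tunnel_mode_sa, taking lib->ns as "charon" per the commit message). The new key follows strongswan's per-plugin convention and is the better location, but the divergence is easy to miss when documenting or auditing the plugin's configuration; a short comment on the lookup, e.g. `/* plugin-scoped key, unlike install_routes which is read from the charon namespace */`, would flag it. kernel_vpp_ipsec_create continues beyond the hunk.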