diff options
author | Neale Ranns <nranns@cisco.com> | 2020-01-02 05:04:00 +0000 |
---|---|---|
committer | Neale Ranns <nranns@cisco.com> | 2020-01-04 04:51:05 +0000 |
commit | f3a6622c7363501b9d4db1f605daa87b4f803cb1 (patch) | |
tree | d1bb0967f886d3cb3e0965881e3ab2c7341b16cd | |
parent | 02950406c49a743f631395ed52073921744e1afd (diff) |
ipsec: AH copy destination and source address from template
Type: fix
Change-Id: I63d4df68eed6589763b5ce62bcd7f3fd867c60e1
Signed-off-by: Neale Ranns <nranns@cisco.com>
-rw-r--r-- | src/vnet/ipsec/ah_encrypt.c | 2 | ||||
-rw-r--r-- | test/template_ipsec.py | 18 | ||||
-rw-r--r-- | test/test_ipsec_tun_if_esp.py | 20 |
3 files changed, 27 insertions, 13 deletions
diff --git a/src/vnet/ipsec/ah_encrypt.c b/src/vnet/ipsec/ah_encrypt.c index 80b3fcca6ea..b4e9af34802 100644 --- a/src/vnet/ipsec/ah_encrypt.c +++ b/src/vnet/ipsec/ah_encrypt.c @@ -306,7 +306,7 @@ ah_encrypt_inline (vlib_main_t * vm, { clib_memcpy_fast (&oh0->ip4.address_pair, &sa0->ip4_hdr.address_pair, - sizeof (ip4_address_t)); + sizeof (ip4_address_pair_t)); next[0] = sa0->dpo.dpoi_next_node; vnet_buffer (b[0])->ip.adj_index[VLIB_TX] = sa0->dpo.dpoi_index; diff --git a/test/template_ipsec.py b/test/template_ipsec.py index 398a6bb0a23..d5e7984d043 100644 --- a/test/template_ipsec.py +++ b/test/template_ipsec.py @@ -98,6 +98,8 @@ def config_tun_params(p, encryption_type, tun_if): ip_class_by_addr_type = {socket.AF_INET: IP, socket.AF_INET6: IPv6} esn_en = bool(p.flags & (VppEnum.vl_api_ipsec_sad_flags_t. IPSEC_API_SAD_FLAG_USE_ESN)) + p.tun_dst = tun_if.remote_addr[p.addr_type] + p.tun_src = tun_if.local_addr[p.addr_type] crypt_key = mk_scapy_crypt_key(p) p.scapy_tun_sa = SecurityAssociation( encryption_type, spi=p.vpp_tun_spi, @@ -105,8 +107,8 @@ def config_tun_params(p, encryption_type, tun_if): crypt_key=crypt_key, auth_algo=p.auth_algo, auth_key=p.auth_key, tunnel_header=ip_class_by_addr_type[p.addr_type]( - src=tun_if.remote_addr[p.addr_type], - dst=tun_if.local_addr[p.addr_type]), + src=p.tun_dst, + dst=p.tun_src), nat_t_header=p.nat_header, esn_en=esn_en) p.vpp_tun_sa = SecurityAssociation( @@ -115,8 +117,8 @@ def config_tun_params(p, encryption_type, tun_if): crypt_key=crypt_key, auth_algo=p.auth_algo, auth_key=p.auth_key, tunnel_header=ip_class_by_addr_type[p.addr_type]( - dst=tun_if.remote_addr[p.addr_type], - src=tun_if.local_addr[p.addr_type]), + dst=p.tun_dst, + src=p.tun_src), nat_t_header=p.nat_header, esn_en=esn_en) @@ -843,6 +845,10 @@ class IpsecTun4(object): self.tun_if, n_rx) self.verify_encrypted(p, p.vpp_tun_sa, recv_pkts) + for rx in recv_pkts: + self.assertEqual(rx[IP].src, p.tun_src) + self.assertEqual(rx[IP].dst, p.tun_dst) + finally: self.logger.info(self.vapi.ppcli("show error")) self.logger.info(self.vapi.ppcli("show ipsec all")) @@ -1069,6 +1075,10 @@ class IpsecTun6(object): recv_pkts = self.send_and_expect(self.pg1, send_pkts, self.tun_if) self.verify_encrypted6(p_out, p_out.vpp_tun_sa, recv_pkts) + for rx in recv_pkts: + self.assertEqual(rx[IPv6].src, p_out.tun_src) + self.assertEqual(rx[IPv6].dst, p_out.tun_dst) + finally: self.logger.info(self.vapi.ppcli("show error")) self.logger.info(self.vapi.ppcli("show ipsec all")) diff --git a/test/test_ipsec_tun_if_esp.py b/test/test_ipsec_tun_if_esp.py index 469ebc7fc87..1a1ce800706 100644 --- a/test/test_ipsec_tun_if_esp.py +++ b/test/test_ipsec_tun_if_esp.py @@ -10,7 +10,7 @@ from scapy.layers.inet6 import IPv6 from framework import VppTestRunner from template_ipsec import TemplateIpsec, IpsecTun4Tests, IpsecTun6Tests, \ IpsecTun4, IpsecTun6, IpsecTcpTests, mk_scapy_crypt_key, \ - IpsecTun6HandoffTests, IpsecTun4HandoffTests + IpsecTun6HandoffTests, IpsecTun4HandoffTests, config_tun_params from vpp_ipsec_tun_interface import VppIpsecTunInterface from vpp_gre_interface import VppGreInterface from vpp_ipip_tun_interface import VppIpIpTunInterface @@ -26,14 +26,16 @@ def config_tun_params(p, encryption_type, tun_if): esn_en = bool(p.flags & (VppEnum.vl_api_ipsec_sad_flags_t. IPSEC_API_SAD_FLAG_USE_ESN)) crypt_key = mk_scapy_crypt_key(p) + p.tun_dst = tun_if.remote_ip + p.tun_src = tun_if.local_ip p.scapy_tun_sa = SecurityAssociation( encryption_type, spi=p.vpp_tun_spi, crypt_algo=p.crypt_algo, crypt_key=crypt_key, auth_algo=p.auth_algo, auth_key=p.auth_key, tunnel_header=ip_class_by_addr_type[p.addr_type]( - src=tun_if.remote_ip, - dst=tun_if.local_ip), + src=p.tun_dst, + dst=p.tun_src), nat_t_header=p.nat_header, esn_en=esn_en) p.vpp_tun_sa = SecurityAssociation( @@ -42,8 +44,8 @@ def config_tun_params(p, encryption_type, tun_if): crypt_key=crypt_key, auth_algo=p.auth_algo, auth_key=p.auth_key, tunnel_header=ip_class_by_addr_type[p.addr_type]( - dst=tun_if.remote_ip, - src=tun_if.local_ip), + dst=p.tun_dst, + src=p.tun_src), nat_t_header=p.nat_header, esn_en=esn_en) @@ -53,6 +55,8 @@ def config_tra_params(p, encryption_type, tun_if): esn_en = bool(p.flags & (VppEnum.vl_api_ipsec_sad_flags_t. IPSEC_API_SAD_FLAG_USE_ESN)) crypt_key = mk_scapy_crypt_key(p) + p.tun_dst = tun_if.remote_ip + p.tun_src = tun_if.local_ip p.scapy_tun_sa = SecurityAssociation( encryption_type, spi=p.vpp_tun_spi, crypt_algo=p.crypt_algo, @@ -1233,8 +1237,8 @@ class TemplateIpsec4TunProtect(object): p.auth_algo_vpp_id, p.auth_key, p.crypt_algo_vpp_id, p.crypt_key, self.vpp_esp_protocol, - self.tun_if.remote_addr[p.addr_type], self.tun_if.local_addr[p.addr_type], + self.tun_if.remote_addr[p.addr_type], flags=p.flags) p.tun_sa_out.add_vpp_config() @@ -1563,8 +1567,8 @@ class TemplateIpsec6TunProtect(object): p.auth_algo_vpp_id, p.auth_key, p.crypt_algo_vpp_id, p.crypt_key, self.vpp_esp_protocol, - self.tun_if.remote_addr[p.addr_type], - self.tun_if.local_addr[p.addr_type]) + self.tun_if.local_addr[p.addr_type], + self.tun_if.remote_addr[p.addr_type]) p.tun_sa_out.add_vpp_config() p.tun_sa_in = VppIpsecSA(self, p.vpp_tun_sa_id, p.vpp_tun_spi, |