summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorNeale Ranns <nranns@cisco.com>2020-04-01 09:45:23 +0000
committerPaul Vinciguerra <pvinci@vinciconsulting.com>2020-05-05 18:36:33 +0000
commitabc5660c61698fa29252dc202358002a97f2608c (patch)
tree969edc7dc2145e40e3fb96c470df917f2053abfe
parent6fdd7a5f77301a3398c4445bfef202b123ce90d8 (diff)
ipsec: User can choose the UDP source port
Type: feature thus allowing NAT traversal, Signed-off-by: Neale Ranns <nranns@cisco.com> Change-Id: Ie8650ceeb5074f98c68d2d90f6adc2f18afeba08 Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
-rw-r--r--src/plugins/ikev2/ikev2.c4
-rw-r--r--src/vnet/ipsec/ipsec.c55
-rw-r--r--src/vnet/ipsec/ipsec.h14
-rw-r--r--src/vnet/ipsec/ipsec_api.c12
-rw-r--r--src/vnet/ipsec/ipsec_cli.c13
-rw-r--r--src/vnet/ipsec/ipsec_format.c3
-rw-r--r--src/vnet/ipsec/ipsec_sa.c23
-rw-r--r--src/vnet/ipsec/ipsec_sa.h2
-rw-r--r--src/vnet/ipsec/ipsec_tun.c6
-rw-r--r--src/vnet/ipsec/ipsec_types.api6
-rw-r--r--test/patches/scapy-2.4.3/ipsec.patch11
-rw-r--r--test/test_ipsec_api.py51
-rw-r--r--test/test_ipsec_tun_if_esp.py136
-rw-r--r--test/vpp_ipsec.py96
-rw-r--r--test/vpp_papi_provider.py55
15 files changed, 364 insertions, 123 deletions
diff --git a/src/plugins/ikev2/ikev2.c b/src/plugins/ikev2/ikev2.c
index d695e2d85d1..bb620a86ddd 100644
--- a/src/plugins/ikev2/ikev2.c
+++ b/src/plugins/ikev2/ikev2.c
@@ -1566,13 +1566,13 @@ ikev2_add_tunnel_from_main (ikev2_add_ipsec_tunnel_args_t * a)
IPSEC_PROTOCOL_ESP, a->encr_type,
&a->loc_ckey, a->integ_type, &a->loc_ikey,
a->flags, 0, a->salt_local, &a->local_ip,
- &a->remote_ip, NULL, a->dst_port);
+ &a->remote_ip, NULL, a->dst_port, a->dst_port);
rv |= ipsec_sa_add_and_lock (a->remote_sa_id, a->remote_spi,
IPSEC_PROTOCOL_ESP, a->encr_type, &a->rem_ckey,
a->integ_type, &a->rem_ikey,
(a->flags | IPSEC_SA_FLAG_IS_INBOUND), 0,
a->salt_remote, &a->remote_ip,
- &a->local_ip, NULL, a->dst_port);
+ &a->local_ip, NULL, a->dst_port, a->dst_port);
rv |= ipsec_tun_protect_update (sw_if_index, NULL, a->local_sa_id, sas_in);
}
diff --git a/src/vnet/ipsec/ipsec.c b/src/vnet/ipsec/ipsec.c
index 95e322e87a6..0ef90673596 100644
--- a/src/vnet/ipsec/ipsec.c
+++ b/src/vnet/ipsec/ipsec.c
@@ -124,6 +124,61 @@ ipsec_add_node (vlib_main_t * vm, const char *node_name,
*out_next_index = vlib_node_add_next (vm, prev_node->index, node->index);
}
+void
+ipsec_add_feature (const char *arc_name,
+ const char *node_name, u32 * out_feature_index)
+{
+ u8 arc;
+
+ arc = vnet_get_feature_arc_index (arc_name);
+ ASSERT (arc != (u8) ~ 0);
+ *out_feature_index = vnet_get_feature_index (arc, node_name);
+}
+
+void
+ipsec_unregister_udp_port (u16 port)
+{
+ ipsec_main_t *im = &ipsec_main;
+ u32 n_regs;
+ uword *p;
+
+ p = hash_get (im->udp_port_registrations, port);
+
+ ASSERT (p);
+
+ n_regs = p[0];
+
+ if (0 == --n_regs)
+ {
+ udp_unregister_dst_port (vlib_get_main (), port, 1);
+ hash_unset (im->udp_port_registrations, port);
+ }
+ else
+ {
+ hash_unset (im->udp_port_registrations, port);
+ hash_set (im->udp_port_registrations, port, n_regs);
+ }
+}
+
+void
+ipsec_register_udp_port (u16 port)
+{
+ ipsec_main_t *im = &ipsec_main;
+ u32 n_regs;
+ uword *p;
+
+ p = hash_get (im->udp_port_registrations, port);
+
+ n_regs = (p ? p[0] : 0);
+
+ if (0 == n_regs++)
+ udp_register_dst_port (vlib_get_main (), port,
+ ipsec4_tun_input_node.index, 1);
+
+ hash_unset (im->udp_port_registrations, port);
+ hash_set (im->udp_port_registrations, port, n_regs);
+}
+
u32
ipsec_register_ah_backend (vlib_main_t * vm, ipsec_main_t * im,
const char *name,
diff --git a/src/vnet/ipsec/ipsec.h b/src/vnet/ipsec/ipsec.h
index 7646ffb2ddd..603bc33ba4d 100644
--- a/src/vnet/ipsec/ipsec.h
+++ b/src/vnet/ipsec/ipsec.h
@@ -108,6 +108,9 @@ typedef struct
/* pool of policies */
ipsec_policy_t *policies;
+ /* hash tables of UDP port registrations */
+ uword *udp_port_registrations;
+
uword *tunnel_index_by_key;
/* convenience */
@@ -225,8 +228,8 @@ extern vlib_node_registration_t esp4_encrypt_tun_node;
extern vlib_node_registration_t esp6_encrypt_tun_node;
extern vlib_node_registration_t esp4_decrypt_tun_node;
extern vlib_node_registration_t esp6_decrypt_tun_node;
-extern vlib_node_registration_t ipsec4_if_input_node;
-extern vlib_node_registration_t ipsec6_if_input_node;
+extern vlib_node_registration_t ipsec4_tun_input_node;
+extern vlib_node_registration_t ipsec6_tun_input_node;
/*
* functions
@@ -284,6 +287,13 @@ ipsec_sa_get (u32 sa_index)
return (pool_elt_at_index (ipsec_main.sad, sa_index));
}
+void ipsec_add_feature (const char *arc_name, const char *node_name,
+ u32 * out_feature_index);
+
+void ipsec_set_async_mode (u32 is_enabled);
+extern void ipsec_register_udp_port (u16 udp_port);
+extern void ipsec_unregister_udp_port (u16 udp_port);
+
#endif /* __IPSEC_H__ */
/*
diff --git a/src/vnet/ipsec/ipsec_api.c b/src/vnet/ipsec/ipsec_api.c
index 4a55a29c288..ad2665a250c 100644
--- a/src/vnet/ipsec/ipsec_api.c
+++ b/src/vnet/ipsec/ipsec_api.c
@@ -374,7 +374,8 @@ static void vl_api_ipsec_sad_entry_add_del_t_handler
crypto_alg, &crypto_key,
integ_alg, &integ_key, flags,
0, mp->entry.salt, &tun_src, &tun_dst,
- &sa_index, IPSEC_UDP_PORT_NONE);
+ &sa_index, htons (mp->entry.udp_src_port),
+ htons (mp->entry.udp_dst_port));
else
rv = ipsec_sa_unlock_id (id);
@@ -665,7 +666,7 @@ vl_api_ipsec_tunnel_if_add_del_t_handler (vl_api_ipsec_tunnel_if_add_del_t *
(flags | IPSEC_SA_FLAG_IS_INBOUND),
ntohl (mp->tx_table_id),
mp->salt, &remote_ip, &local_ip, NULL,
- IPSEC_UDP_PORT_NONE);
+ IPSEC_UDP_PORT_NONE, IPSEC_UDP_PORT_NONE);
if (rv)
goto done;
@@ -680,7 +681,7 @@ vl_api_ipsec_tunnel_if_add_del_t_handler (vl_api_ipsec_tunnel_if_add_del_t *
flags,
ntohl (mp->tx_table_id),
mp->salt, &local_ip, &remote_ip, NULL,
- IPSEC_UDP_PORT_NONE);
+ IPSEC_UDP_PORT_NONE, IPSEC_UDP_PORT_NONE);
if (rv)
goto done;
@@ -816,6 +817,11 @@ send_ipsec_sa_details (ipsec_sa_t * sa, void *arg)
ip_address_encode (&sa->tunnel_dst_addr, IP46_TYPE_ANY,
&mp->entry.tunnel_dst);
}
+ if (ipsec_sa_is_set_UDP_ENCAP (sa))
+ {
+ mp->entry.udp_src_port = sa->udp_hdr.src_port;
+ mp->entry.udp_dst_port = sa->udp_hdr.dst_port;
+ }
mp->seq_outbound = clib_host_to_net_u64 (((u64) sa->seq));
mp->last_seq_inbound = clib_host_to_net_u64 (((u64) sa->last_seq));
diff --git a/src/vnet/ipsec/ipsec_cli.c b/src/vnet/ipsec/ipsec_cli.c
index 13f9efdf566..695e5f01c74 100644
--- a/src/vnet/ipsec/ipsec_cli.c
+++ b/src/vnet/ipsec/ipsec_cli.c
@@ -86,7 +86,8 @@ ipsec_sa_add_del_command_fn (vlib_main_t * vm,
clib_error_t *error;
ipsec_key_t ck = { 0 };
ipsec_key_t ik = { 0 };
- u32 id, spi, salt;
+ u32 id, spi, salt, sai;
+ u16 udp_src, udp_dst;
int is_add, rv;
salt = 0;
@@ -96,6 +97,7 @@ ipsec_sa_add_del_command_fn (vlib_main_t * vm,
proto = IPSEC_PROTOCOL_ESP;
integ_alg = IPSEC_INTEG_ALG_NONE;
crypto_alg = IPSEC_CRYPTO_ALG_NONE;
+ udp_src = udp_dst = IPSEC_UDP_PORT_NONE;
if (!unformat_user (input, unformat_line_input, line_input))
return 0;
@@ -149,8 +151,7 @@ ipsec_sa_add_del_command_fn (vlib_main_t * vm,
rv = ipsec_sa_add_and_lock (id, spi, proto, crypto_alg,
&ck, integ_alg, &ik, flags,
0, clib_host_to_net_u32 (salt),
- &tun_src, &tun_dst, NULL,
- IPSEC_UDP_PORT_NONE);
+ &tun_src, &tun_dst, &sai, udp_src, udp_dst);
else
rv = ipsec_sa_unlock_id (id);
@@ -856,14 +857,16 @@ create_ipsec_tunnel_command_fn (vlib_main_t * vm,
local_spi, IPSEC_PROTOCOL_ESP, crypto_alg,
&lck, integ_alg, &lik, flags, table_id,
clib_host_to_net_u32 (salt), &local_ip,
- &remote_ip, NULL, IPSEC_UDP_PORT_NONE);
+ &remote_ip, NULL, IPSEC_UDP_PORT_NONE,
+ IPSEC_UDP_PORT_NONE);
rv |=
ipsec_sa_add_and_lock (ipsec_tun_mk_remote_sa_id (sw_if_index),
remote_spi, IPSEC_PROTOCOL_ESP, crypto_alg,
&rck, integ_alg, &rik,
(flags | IPSEC_SA_FLAG_IS_INBOUND), table_id,
clib_host_to_net_u32 (salt), &remote_ip,
- &local_ip, NULL, IPSEC_UDP_PORT_NONE);
+ &local_ip, NULL, IPSEC_UDP_PORT_NONE,
+ IPSEC_UDP_PORT_NONE);
rv |=
ipsec_tun_protect_update_one (sw_if_index, &nh,
ipsec_tun_mk_local_sa_id (sw_if_index),
diff --git a/src/vnet/ipsec/ipsec_format.c b/src/vnet/ipsec/ipsec_format.c
index bf398cb2105..98de779b0de 100644
--- a/src/vnet/ipsec/ipsec_format.c
+++ b/src/vnet/ipsec/ipsec_format.c
@@ -310,6 +310,9 @@ format_ipsec_sa (u8 * s, va_list * args)
s = format (s, " key %U", format_ipsec_key, &sa->integ_key);
else
s = format (s, " key [redacted]");
+ s = format (s, "\n UDP:[src:%d dst:%d]",
+ clib_host_to_net_u16 (sa->udp_hdr.src_port),
+ clib_host_to_net_u16 (sa->udp_hdr.dst_port));
vlib_get_combined_counter (&ipsec_sa_counters, sai, &counts);
s = format (s, "\n packets %u bytes %u", counts.packets, counts.bytes);
diff --git a/src/vnet/ipsec/ipsec_sa.c b/src/vnet/ipsec/ipsec_sa.c
index f60566cba79..e5f01bff0d9 100644
--- a/src/vnet/ipsec/ipsec_sa.c
+++ b/src/vnet/ipsec/ipsec_sa.c
@@ -179,7 +179,7 @@ ipsec_sa_add_and_lock (u32 id,
u32 salt,
const ip46_address_t * tun_src,
const ip46_address_t * tun_dst, u32 * sa_out_index,
- u16 dst_port)
+ u16 src_port, u16 dst_port)
{
vlib_main_t *vm = vlib_get_main ();
ipsec_main_t *im = &ipsec_main;
@@ -329,15 +329,17 @@ ipsec_sa_add_and_lock (u32 id,
if (ipsec_sa_is_set_UDP_ENCAP (sa))
{
if (dst_port == IPSEC_UDP_PORT_NONE)
- {
- sa->udp_hdr.src_port = clib_host_to_net_u16 (UDP_DST_PORT_ipsec);
- sa->udp_hdr.dst_port = clib_host_to_net_u16 (UDP_DST_PORT_ipsec);
- }
+ sa->udp_hdr.dst_port = clib_host_to_net_u16 (UDP_DST_PORT_ipsec);
else
- {
- sa->udp_hdr.src_port = clib_host_to_net_u16 (dst_port);
- sa->udp_hdr.dst_port = clib_host_to_net_u16 (dst_port);
- }
+ sa->udp_hdr.dst_port = clib_host_to_net_u16 (dst_port);
+
+ if (src_port == IPSEC_UDP_PORT_NONE)
+ sa->udp_hdr.src_port = clib_host_to_net_u16 (UDP_DST_PORT_ipsec);
+ else
+ sa->udp_hdr.src_port = clib_host_to_net_u16 (src_port);
+
+ if (ipsec_sa_is_set_IS_INBOUND (sa))
+ ipsec_register_udp_port (clib_host_to_net_u16 (sa->udp_hdr.dst_port));
}
hash_set (im->sa_index_by_sa_id, sa->id, sa_index);
@@ -361,6 +363,9 @@ ipsec_sa_del (ipsec_sa_t * sa)
/* no recovery possible when deleting an SA */
(void) ipsec_call_add_del_callbacks (im, sa, sa_index, 0);
+ if (ipsec_sa_is_set_UDP_ENCAP (sa) && ipsec_sa_is_set_IS_INBOUND (sa))
+ ipsec_unregister_udp_port (clib_net_to_host_u16 (sa->udp_hdr.dst_port));
+
if (ipsec_sa_is_set_IS_TUNNEL (sa) && !ipsec_sa_is_set_IS_INBOUND (sa))
{
fib_entry_untrack (sa->fib_entry_index, sa->sibling);
diff --git a/src/vnet/ipsec/ipsec_sa.h b/src/vnet/ipsec/ipsec_sa.h
index de9b51ea66a..5950d6f53b3 100644
--- a/src/vnet/ipsec/ipsec_sa.h
+++ b/src/vnet/ipsec/ipsec_sa.h
@@ -250,7 +250,7 @@ extern int ipsec_sa_add_and_lock (u32 id,
u32 salt,
const ip46_address_t * tunnel_src_addr,
const ip46_address_t * tunnel_dst_addr,
- u32 * sa_index, u16 dst_port);
+ u32 * sa_index, u16 src_port, u16 dst_port);
extern index_t ipsec_sa_find_and_lock (u32 id);
extern int ipsec_sa_unlock_id (u32 id);
extern void ipsec_sa_unlock (index_t sai);
diff --git a/src/vnet/ipsec/ipsec_tun.c b/src/vnet/ipsec/ipsec_tun.c
index a93e66a8775..9b76d311bc2 100644
--- a/src/vnet/ipsec/ipsec_tun.c
+++ b/src/vnet/ipsec/ipsec_tun.c
@@ -91,9 +91,7 @@ ipsec_tun_register_nodes (ip_address_family_t af)
{
if (AF_IP4 == af)
{
- udp_register_dst_port (vlib_get_main (),
- UDP_DST_PORT_ipsec,
- ipsec4_tun_input_node.index, 1);
+ ipsec_register_udp_port (UDP_DST_PORT_ipsec);
ip4_register_protocol (IP_PROTOCOL_IPSEC_ESP,
ipsec4_tun_input_node.index);
}
@@ -111,7 +109,7 @@ ipsec_tun_unregister_nodes (ip_address_family_t af)
{
if (AF_IP4 == af)
{
- udp_unregister_dst_port (vlib_get_main (), UDP_DST_PORT_ipsec, 1);
+ ipsec_unregister_udp_port (UDP_DST_PORT_ipsec);
ip4_unregister_protocol (IP_PROTOCOL_IPSEC_ESP);
}
else
diff --git a/src/vnet/ipsec/ipsec_types.api b/src/vnet/ipsec/ipsec_types.api
index f393fc879b9..715f3de0e12 100644
--- a/src/vnet/ipsec/ipsec_types.api
+++ b/src/vnet/ipsec/ipsec_types.api
@@ -104,6 +104,10 @@ typedef key
@param tunnel_dst_address - IPsec tunnel destination address IPv6 if is_tunnel_ipv6 is non-zero, else IPv4. Only valid if is_tunnel is non-zero
@param tx_table_id - the FIB id used for encapsulated packets
@param salt - for use with counter mode ciphers
+ @param udp_src_port - If using UDP Encapsulation, use this source port for
+ TX. It is ignored for RX.
+ @param udp_dst_port - If using UDP Encapsulation, use this destination port
+ for TX. Expect traffic on this port for RX.
*/
typedef ipsec_sad_entry
{
@@ -125,6 +129,8 @@ typedef ipsec_sad_entry
vl_api_address_t tunnel_dst;
u32 tx_table_id;
u32 salt;
+ u16 udp_src_port [default=4500];
+ u16 udp_dst_port [default=4500];
};
/*
diff --git a/test/patches/scapy-2.4.3/ipsec.patch b/test/patches/scapy-2.4.3/ipsec.patch
index 993604768ff..7ee8316bce3 100644
--- a/test/patches/scapy-2.4.3/ipsec.patch
+++ b/test/patches/scapy-2.4.3/ipsec.patch
@@ -2,6 +2,14 @@ diff --git a/scapy/layers/ipsec.py b/scapy/layers/ipsec.py
index f8c601fa..f566d288 100644
--- a/scapy/layers/ipsec.py
+++ b/scapy/layers/ipsec.py
+@@ -138,6 +138,7 @@ bind_layers(IP, ESP, proto=socket.IPPROTO_ESP)
+ bind_layers(IPv6, ESP, nh=socket.IPPROTO_ESP)
+ bind_layers(UDP, ESP, dport=4500) # NAT-Traversal encapsulation
+ bind_layers(UDP, ESP, sport=4500) # NAT-Traversal encapsulation
++bind_layers(UDP, ESP, dport=4545) # NAT-Traversal encapsulation - random port
+
+ ###############################################################################
+
@@ -359,11 +359,8 @@ class CryptAlgo(object):
encryptor = cipher.encryptor()
@@ -147,7 +155,7 @@ index f8c601fa..f566d288 100644
esp = self.crypt_algo.decrypt(self, encrypted, self.crypt_key,
self.crypt_algo.icv_size or
-@@ -1050,9 +1069,10 @@ class SecurityAssociation(object):
+@@ -1050,11 +1069,12 @@ class SecurityAssociation(object):
def _decrypt_ah(self, pkt, verify=True):
@@ -160,3 +168,4 @@ index f8c601fa..f566d288 100644
ah = pkt[AH]
payload = ah.payload
+
diff --git a/test/test_ipsec_api.py b/test/test_ipsec_api.py
index 00885ae05b6..b5b4adac66b 100644
--- a/test/test_ipsec_api.py
+++ b/test/test_ipsec_api.py
@@ -70,23 +70,48 @@ class IpsecApiTestCase(VppTestCase):
crypt_algo_vpp_id = params.crypt_algo_vpp_id
crypt_key = params.crypt_key
- self.vapi.ipsec_sad_entry_add_del(scapy_tun_sa_id, scapy_tun_spi,
- auth_algo_vpp_id, auth_key,
- crypt_algo_vpp_id, crypt_key,
- self.vpp_ah_protocol,
- self.pg0.local_addr[addr_type],
- self.pg0.remote_addr[addr_type])
+ self.vapi.ipsec_sad_entry_add_del(
+ is_add=1,
+ entry={
+ 'sad_id': scapy_tun_sa_id,
+ 'spi': scapy_tun_spi,
+ 'integrity_algorithm': auth_algo_vpp_id,
+ 'integrity_key': {
+ 'data': auth_key,
+ 'length': len(auth_key),
+ },
+ 'crypto_algorithm': crypt_algo_vpp_id,
+ 'crypto_key': {
+ 'data': crypt_key,
+ 'length': len(crypt_key),
+ },
+ 'protocol': self.vpp_ah_protocol,
+ 'tunnel_src': self.pg0.local_addr[addr_type],
+ 'tunnel_dst': self.pg0.remote_addr[addr_type]
+ })
with self.vapi.assert_negative_api_retval():
self.vapi.ipsec_select_backend(
protocol=self.vpp_ah_protocol, index=0)
- self.vapi.ipsec_sad_entry_add_del(scapy_tun_sa_id, scapy_tun_spi,
- auth_algo_vpp_id, auth_key,
- crypt_algo_vpp_id, crypt_key,
- self.vpp_ah_protocol,
- self.pg0.local_addr[addr_type],
- self.pg0.remote_addr[addr_type],
- is_add=0)
+ self.vapi.ipsec_sad_entry_add_del(
+ is_add=0,
+ entry={
+ 'sad_id': scapy_tun_sa_id,
+ 'spi': scapy_tun_spi,
+ 'integrity_algorithm': auth_algo_vpp_id,
+ 'integrity_key': {
+ 'data': auth_key,
+ 'length': len(auth_key),
+ },
+ 'crypto_algorithm': crypt_algo_vpp_id,
+ 'crypto_key': {
+ 'data': crypt_key,
+ 'length': len(crypt_key),
+ },
+ 'protocol': self.vpp_ah_protocol,
+ 'tunnel_src': self.pg0.local_addr[addr_type],
+ 'tunnel_dst': self.pg0.remote_addr[addr_type]
+ })
self.vapi.ipsec_select_backend(
protocol=self.vpp_ah_protocol, index=0)
diff --git a/test/test_ipsec_tun_if_esp.py b/test/test_ipsec_tun_if_esp.py
index d8527a3d6c1..3ab0e73ff74 100644
--- a/test/test_ipsec_tun_if_esp.py
+++ b/test/test_ipsec_tun_if_esp.py
@@ -64,13 +64,15 @@ def config_tra_params(p, encryption_type, tun_if):
crypt_algo=p.crypt_algo,
crypt_key=crypt_key,
auth_algo=p.auth_algo, auth_key=p.auth_key,
- esn_en=esn_en)
+ esn_en=esn_en,
+ nat_t_header=p.nat_header)
p.vpp_tun_sa = SecurityAssociation(
encryption_type, spi=p.scapy_tun_spi,
crypt_algo=p.crypt_algo,
crypt_key=crypt_key,
auth_algo=p.auth_algo, auth_key=p.auth_key,
- esn_en=esn_en)
+ esn_en=esn_en,
+ nat_t_header=p.nat_header)
class TemplateIpsec4TunIfEsp(TemplateIpsec):
@@ -1060,6 +1062,127 @@ class TestIpsecGreTebIfEspTra(TemplateIpsec,
super(TestIpsecGreTebIfEspTra, self).tearDown()
+class TestIpsecGreTebUdpIfEspTra(TemplateIpsec,
+ IpsecTun4Tests):
+ """ Ipsec GRE TEB UDP ESP - Tra tests """
+ tun4_encrypt_node_name = "esp4-encrypt-tun"
+ tun4_decrypt_node_name = "esp4-decrypt-tun"
+ encryption_type = ESP
+ omac = "00:11:22:33:44:55"
+
+ def gen_encrypt_pkts(self, p, sa, sw_intf, src, dst, count=1,
+ payload_size=100):
+ return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
+ sa.encrypt(IP(src=self.pg0.remote_ip4,
+ dst=self.pg0.local_ip4) /
+ GRE() /
+ Ether(dst=self.omac) /
+ IP(src="1.1.1.1", dst="1.1.1.2") /
+ UDP(sport=1144, dport=2233) /
+ Raw(b'X' * payload_size))
+ for i in range(count)]
+
+ def gen_pkts(self, sw_intf, src, dst, count=1,
+ payload_size=100):
+ return [Ether(dst=self.omac) /
+ IP(src="1.1.1.1", dst="1.1.1.2") /
+ UDP(sport=1144, dport=2233) /
+ Raw(b'X' * payload_size)
+ for i in range(count)]
+
+ def verify_decrypted(self, p, rxs):
+ for rx in rxs:
+ self.assert_equal(rx[Ether].dst, self.omac)
+ self.assert_equal(rx[IP].dst, "1.1.1.2")
+
+ def verify_encrypted(self, p, sa, rxs):
+ for rx in rxs:
+ self.assertTrue(rx.haslayer(UDP))
+ self.assertEqual(rx[UDP].dport, 4545)
+ self.assertEqual(rx[UDP].sport, 5454)
+ try:
+ pkt = sa.decrypt(rx[IP])
+ if not pkt.haslayer(IP):
+ pkt = IP(pkt[Raw].load)
+ self.assert_packet_checksums_valid(pkt)
+ self.assert_equal(pkt[IP].dst, self.pg0.remote_ip4)
+ self.assert_equal(pkt[IP].src, self.pg0.local_ip4)
+ self.assertTrue(pkt.haslayer(GRE))
+ e = pkt[Ether]
+ self.assertEqual(e[Ether].dst, self.omac)
+ self.assertEqual(e[IP].dst, "1.1.1.2")
+ except (IndexError, AssertionError):
+ self.logger.debug(ppp("Unexpected packet:", rx))
+ try:
+ self.logger.debug(ppp("Decrypted packet:", pkt))
+ except:
+ pass
+ raise
+
+ def setUp(self):
+ super(TestIpsecGreTebUdpIfEspTra, self).setUp()
+
+ self.tun_if = self.pg0
+
+ p = self.ipv4_params
+ p = self.ipv4_params
+ p.flags = (VppEnum.vl_api_ipsec_sad_flags_t.
+ IPSEC_API_SAD_FLAG_UDP_ENCAP)
+ p.nat_header = UDP(sport=5454, dport=4545)
+
+ bd1 = VppBridgeDomain(self, 1)
+ bd1.add_vpp_config()
+
+ p.tun_sa_out = VppIpsecSA(self, p.scapy_tun_sa_id, p.scapy_tun_spi,
+ p.auth_algo_vpp_id, p.auth_key,
+ p.crypt_algo_vpp_id, p.crypt_key,
+ self.vpp_esp_protocol,
+ flags=p.flags,
+ udp_src=5454,
+ udp_dst=4545)
+ p.tun_sa_out.add_vpp_config()
+
+ p.tun_sa_in = VppIpsecSA(self, p.vpp_tun_sa_id, p.vpp_tun_spi,
+ p.auth_algo_vpp_id, p.auth_key,
+ p.crypt_algo_vpp_id, p.crypt_key,
+ self.vpp_esp_protocol,
+ flags=(p.flags |
+ VppEnum.vl_api_ipsec_sad_flags_t.
+ IPSEC_API_SAD_FLAG_IS_INBOUND),
+ udp_src=5454,
+ udp_dst=4545)
+ p.tun_sa_in.add_vpp_config()
+
+ p.tun_if = VppGreInterface(self,
+ self.pg0.local_ip4,
+ self.pg0.remote_ip4,
+ type=(VppEnum.vl_api_gre_tunnel_type_t.
+ GRE_API_TUNNEL_TYPE_TEB))
+ p.tun_if.add_vpp_config()
+
+ p.tun_protect = VppIpsecTunProtect(self,
+ p.tun_if,
+ p.tun_sa_out,
+ [p.tun_sa_in])
+
+ p.tun_protect.add_vpp_config()
+
+ p.tun_if.admin_up()
+ p.tun_if.config_ip4()
+ config_tra_params(p, self.encryption_type, p.tun_if)
+
+ VppBridgeDomainPort(self, bd1, p.tun_if).add_vpp_config()
+ VppBridgeDomainPort(self, bd1, self.pg1).add_vpp_config()
+
+ self.vapi.cli("clear ipsec sa")
+ self.logger.info(self.vapi.cli("sh ipsec sa 0"))
+
+ def tearDown(self):
+ p = self.ipv4_params
+ p.tun_if.unconfig_ip4()
+ super(TestIpsecGreTebUdpIfEspTra, self).tearDown()
+
+
class TestIpsecGreIfEsp(TemplateIpsec,
IpsecTun4Tests):
""" Ipsec GRE ESP - TUN tests """
@@ -1799,7 +1922,7 @@ class TestIpsec4TunProtectUdp(TemplateIpsec,
p = self.ipv4_params
p.flags = (VppEnum.vl_api_ipsec_sad_flags_t.
IPSEC_API_SAD_FLAG_UDP_ENCAP)
- p.nat_header = UDP(sport=5454, dport=4500)
+ p.nat_header = UDP(sport=4500, dport=4500)
self.config_network(p)
self.config_sa_tra(p)
self.config_protect(p)
@@ -1811,6 +1934,13 @@ class TestIpsec4TunProtectUdp(TemplateIpsec,
self.unconfig_network(p)
super(TestIpsec4TunProtectUdp, self).tearDown()
+ def verify_encrypted(self, p, sa, rxs):
+ # ensure encrypted packets are recieved with the default UDP ports
+ for rx in rxs:
+ self.assertEqual(rx[UDP].sport, 4500)
+ self.assertEqual(rx[UDP].dport, 4500)
+ super(TestIpsec4TunProtectUdp, self).verify_encrypted(p, sa, rxs)
+
def test_tun_44(self):
"""IPSEC UDP tunnel protect"""
diff --git a/test/vpp_ipsec.py b/test/vpp_ipsec.py
index 268fe687876..985f6d4dc4e 100644
--- a/test/vpp_ipsec.py
+++ b/test/vpp_ipsec.py
@@ -184,12 +184,15 @@ class VppIpsecSA(VppObject):
VPP SAD Entry
"""
+ DEFAULT_UDP_PORT = 4500
+
def __init__(self, test, id, spi,
integ_alg, integ_key,
crypto_alg, crypto_key,
proto,
tun_src=None, tun_dst=None,
- flags=None, salt=0):
+ flags=None, salt=0, udp_src=None,
+ udp_dst=None):
e = VppEnum.vl_api_ipsec_sad_flags_t
self.test = test
self.id = id
@@ -214,44 +217,87 @@ class VppIpsecSA(VppObject):
self.flags = self.flags | e.IPSEC_API_SAD_FLAG_IS_TUNNEL_V6
if (tun_dst):
self.tun_dst = ip_address(text_type(tun_dst))
+ self.udp_src = udp_src
+ self.udp_dst = udp_dst
def add_vpp_config(self):
- r = self.test.vapi.ipsec_sad_entry_add_del(
- self.id,
- self.spi,
- self.integ_alg,
- self.integ_key,
- self.crypto_alg,
- self.crypto_key,
- self.proto,
- (self.tun_src if self.tun_src else []),
- (self.tun_dst if self.tun_dst else []),
- flags=self.flags,
- salt=self.salt)
+ entry = {
+ 'sad_id': self.id,
+ 'spi': self.spi,
+ 'integrity_algorithm': self.integ_alg,
+ 'integrity_key': {
+ 'length': len(self.integ_key),
+ 'data': self.integ_key,
+ },
+ 'crypto_algorithm': self.crypto_alg,
+ 'crypto_key': {
+ 'data': self.crypto_key,
+ 'length': len(self.crypto_key),
+ },
+ 'protocol': self.proto,
+ 'tunnel_src': (self.tun_src if self.tun_src else []),
+ 'tunnel_dst': (self.tun_dst if self.tun_dst else []),
+ 'flags': self.flags,
+ 'salt': self.salt
+ }
+ # don't explicitly send the defaults, let papi fill them in
+ if self.udp_src:
+ entry['udp_src_port'] = self.udp_src
+ if self.udp_dst:
+ entry['udp_dst_port'] = self.udp_dst
+ r = self.test.vapi.ipsec_sad_entry_add_del(is_add=1, entry=entry)
self.stat_index = r.stat_index
self.test.registry.register(self, self.test.logger)
def remove_vpp_config(self):
- self.test.vapi.ipsec_sad_entry_add_del(
- self.id,
- self.spi,
- self.integ_alg,
- self.integ_key,
- self.crypto_alg,
- self.crypto_key,
- self.proto,
- (self.tun_src if self.tun_src else []),
- (self.tun_dst if self.tun_dst else []),
- flags=self.flags,
- is_add=0)
+ r = self.test.vapi.ipsec_sad_entry_add_del(
+ is_add=0,
+ entry={
+ 'sad_id': self.id,
+ 'spi': self.spi,
+ 'integrity_algorithm': self.integ_alg,
+ 'integrity_key': {
+ 'length': len(self.integ_key),
+ 'data': self.integ_key,
+ },
+ 'crypto_algorithm': self.crypto_alg,
+ 'crypto_key': {
+ 'data': self.crypto_key,
+ 'length': len(self.crypto_key),
+ },
+ 'protocol': self.proto,
+ 'tunnel_src': (self.tun_src if self.tun_src else []),
+ 'tunnel_dst': (self.tun_dst if self.tun_dst else []),
+ 'flags': self.flags,
+ 'salt': self.salt
+ })
def object_id(self):
return "ipsec-sa-%d" % self.id
def query_vpp_config(self):
+ e = VppEnum.vl_api_ipsec_sad_flags_t
+
bs = self.test.vapi.ipsec_sa_dump()
for b in bs:
if b.entry.sad_id == self.id:
+ # if udp encap is configured then the ports should match
+ # those configured or the default
+ if (self.flags & e.IPSEC_API_SAD_FLAG_UDP_ENCAP):
+ if not b.entry.flags & e.IPSEC_API_SAD_FLAG_UDP_ENCAP:
+ return False
+ if self.udp_src:
+ if self.udp_src != b.entry.udp_src_port:
+ return False
+ else:
+ if self.DEFAULT_UDP_PORT != b.entry.udp_src_port:
+ return False
+ if self.udp_dst:
+ if self.udp_dst != b.entry.udp_dst_port:
+ return False
+ else:
+ if self.DEFAULT_UDP_PORT != b.entry.udp_dst_port:
+ return False
return True
return False
diff --git a/test/vpp_papi_provider.py b/test/vpp_papi_provider.py
index 73544125a7c..ec2f222b540 100644
--- a/test/vpp_papi_provider.py
+++ b/test/vpp_papi_provider.py
@@ -53,7 +53,6 @@ defaultmapping = {
'ip_punt_redirect': {'is_add': 1, },
'ip_route_add_del': {'is_add': 1, },
'ipsec_interface_add_del_spd': {'is_add': 1, },
- 'ipsec_sad_entry_add_del': {'is_add': 1, },
'ipsec_spd_add_del': {'is_add': 1, },
'ipsec_spd_dump': {'sa_id': 4294967295, },
'ipsec_spd_entry_add_del': {'local_port_stop': 65535,
@@ -947,60 +946,6 @@ class VppPapiProvider(object):
{'spd_index': spd_index if spd_index else 0,
'spd_index_valid': 1 if spd_index else 0})
- def ipsec_sad_entry_add_del(self,
- sad_id,
- spi,
- integrity_algorithm,
- integrity_key,
- crypto_algorithm,
- crypto_key,
- protocol,
- tunnel_src_address='',
- tunnel_dst_address='',
- flags=0,
- salt=0,
- is_add=1):
- """ IPSEC SA add/del
- :param sad_id: security association ID
- :param spi: security param index of the SA in decimal
- :param integrity_algorithm:
- :param integrity_key:
- :param crypto_algorithm:
- :param crypto_key:
- :param protocol: AH(0) or ESP(1) protocol
- :param tunnel_src_address: tunnel mode outer src address
- :param tunnel_dst_address: tunnel mode outer dst address
- :param is_add:
- :param is_tunnel:
- :** reference /vpp/src/vnet/ipsec/ipsec.h file for enum values of
- crypto and ipsec algorithms
- """
- return self.api(
- self.papi.ipsec_sad_entry_add_del,
- {
- 'is_add': is_add,
- 'entry':
- {
- 'sad_id': sad_id,
- 'spi': spi,
- 'tunnel_src': tunnel_src_address,
- 'tunnel_dst': tunnel_dst_address,
- 'protocol': protocol,
- 'integrity_algorithm': integrity_algorithm,
- 'integrity_key': {
- 'length': len(integrity_key),
- 'data': integrity_key,
- },
- 'crypto_algorithm': crypto_algorithm,
- 'crypto_key': {
- 'length': len(crypto_key),
- 'data': crypto_key,
- },
- 'flags': flags,
- 'salt': salt,
- }
- })
-
def ipsec_sa_dump(self, sa_id=None):
return self.api(self.papi.ipsec_sa_dump,
{'sa_id': sa_id if sa_id else 0xffffffff})