aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorNeale Ranns <nranns@cisco.com>2020-12-23 16:22:28 +0000
committerAndrew Yourtchenko <ayourtch@gmail.com>2021-01-07 09:15:13 +0000
commita9e2774f5561ccb77c8243a196f93f5070f6c5ad (patch)
tree9bf88556378551ca3bc8ba24b2e2a42878b11208
parent3b6c84c8411f0052410fa0f207fd90f99cee5a2b (diff)
ipsec: Deprecated the old IPsec Tunnel interface
Type: fix it's been 2 releases since it was marked deprecated. Signed-off-by: Neale Ranns <nranns@cisco.com> Change-Id: I0eba7ed607826ed0d00e7d2d8f9b27d09e8e9a6e
Diffstat
-rw-r--r--src/vat/api_format.c261
-rw-r--r--src/vnet/ipsec/ipsec.api92
-rw-r--r--src/vnet/ipsec/ipsec_api.c190
-rw-r--r--src/vnet/ipsec/ipsec_cli.c195
-rw-r--r--src/vnet/ipsec/ipsec_tun.c111
-rw-r--r--src/vnet/ipsec/ipsec_tun.h10
-rw-r--r--src/vpp/api/custom_dump.c43
-rw-r--r--test/template_ipsec.py10
-rw-r--r--test/test_ipsec_tun_if_esp.py607
-rw-r--r--test/test_punt.py45
-rw-r--r--test/vpp_ipsec.py1
-rw-r--r--test/vpp_ipsec_tun_interface.py56
12 files changed, 292 insertions, 1329 deletions
diff --git a/src/vat/api_format.c b/src/vat/api_format.c
index 3f4d74f656f..d9e5b5b8b21 100644
--- a/src/vat/api_format.c
+++ b/src/vat/api_format.c
@@ -3256,8 +3256,6 @@ _(ipsec_spd_add_del_reply) \
_(ipsec_interface_add_del_spd_reply) \
_(ipsec_spd_entry_add_del_reply) \
_(ipsec_sad_entry_add_del_reply) \
-_(ipsec_tunnel_if_add_del_reply) \
-_(ipsec_tunnel_if_set_sa_reply) \
_(delete_loopback_reply) \
_(bd_ip_mac_add_del_reply) \
_(bd_ip_mac_flush_reply) \
@@ -3439,8 +3437,6 @@ _(IPSEC_INTERFACE_ADD_DEL_SPD_REPLY, ipsec_interface_add_del_spd_reply) \
_(IPSEC_SPD_ENTRY_ADD_DEL_REPLY, ipsec_spd_entry_add_del_reply) \
_(IPSEC_SAD_ENTRY_ADD_DEL_REPLY, ipsec_sad_entry_add_del_reply) \
_(IPSEC_SA_DETAILS, ipsec_sa_details) \
-_(IPSEC_TUNNEL_IF_ADD_DEL_REPLY, ipsec_tunnel_if_add_del_reply) \
-_(IPSEC_TUNNEL_IF_SET_SA_REPLY, ipsec_tunnel_if_set_sa_reply) \
_(DELETE_LOOPBACK_REPLY, delete_loopback_reply) \
_(BD_IP_MAC_ADD_DEL_REPLY, bd_ip_mac_add_del_reply) \
_(BD_IP_MAC_FLUSH_REPLY, bd_ip_mac_flush_reply) \
@@ -10983,206 +10979,6 @@ api_ipsec_sad_entry_add_del (vat_main_t * vam)
return ret;
}
-static int
-api_ipsec_tunnel_if_add_del (vat_main_t * vam)
-{
- unformat_input_t *i = vam->input;
- vl_api_ipsec_tunnel_if_add_del_t *mp;
- u32 local_spi = 0, remote_spi = 0;
- u32 crypto_alg = 0, integ_alg = 0;
- u8 *lck = NULL, *rck = NULL;
- u8 *lik = NULL, *rik = NULL;
- vl_api_address_t local_ip = { 0 };
- vl_api_address_t remote_ip = { 0 };
- f64 before = 0;
- u8 is_add = 1;
- u8 esn = 0;
- u8 anti_replay = 0;
- u8 renumber = 0;
- u32 instance = ~0;
- u32 count = 1, jj;
- int ret = -1;
-
- while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT)
- {
- if (unformat (i, "del"))
- is_add = 0;
- else if (unformat (i, "esn"))
- esn = 1;
- else if (unformat (i, "anti-replay"))
- anti_replay = 1;
- else if (unformat (i, "count %d", &count))
- ;
- else if (unformat (i, "local_spi %d", &local_spi))
- ;
- else if (unformat (i, "remote_spi %d", &remote_spi))
- ;
- else
- if (unformat (i, "local_ip %U", unformat_vl_api_address, &local_ip))
- ;
- else
- if (unformat (i, "remote_ip %U", unformat_vl_api_address, &remote_ip))
- ;
- else if (unformat (i, "local_crypto_key %U", unformat_hex_string, &lck))
- ;
- else
- if (unformat (i, "remote_crypto_key %U", unformat_hex_string, &rck))
- ;
- else if (unformat (i, "local_integ_key %U", unformat_hex_string, &lik))
- ;
- else if (unformat (i, "remote_integ_key %U", unformat_hex_string, &rik))
- ;
- else
- if (unformat
- (i, "crypto_alg %U", unformat_ipsec_api_crypto_alg, &crypto_alg))
- {
- if (crypto_alg >= IPSEC_CRYPTO_N_ALG)
- {
- errmsg ("unsupported crypto-alg: '%U'\n",
- format_ipsec_crypto_alg, crypto_alg);
- return -99;
- }
- }
- else
- if (unformat
- (i, "integ_alg %U", unformat_ipsec_api_integ_alg, &integ_alg))
- {
- if (integ_alg >= IPSEC_INTEG_N_ALG)
- {
- errmsg ("unsupported integ-alg: '%U'\n",
- format_ipsec_integ_alg, integ_alg);
- return -99;
- }
- }
- else if (unformat (i, "instance %u", &instance))
- renumber = 1;
- else
- {
- errmsg ("parse error '%U'\n", format_unformat_error, i);
- return -99;
- }
- }
-
- if (count > 1)
- {
- /* Turn on async mode */
- vam->async_mode = 1;
- vam->async_errors = 0;
- before = vat_time_now (vam);
- }
-
- for (jj = 0; jj < count; jj++)
- {
- M (IPSEC_TUNNEL_IF_ADD_DEL, mp);
-
- mp->is_add = is_add;
- mp->esn = esn;
- mp->anti_replay = anti_replay;
-
- if (jj > 0)
- increment_address (&remote_ip);
-
- clib_memcpy (&mp->local_ip, &local_ip, sizeof (local_ip));
- clib_memcpy (&mp->remote_ip, &remote_ip, sizeof (remote_ip));
-
- mp->local_spi = htonl (local_spi + jj);
- mp->remote_spi = htonl (remote_spi + jj);
- mp->crypto_alg = (u8) crypto_alg;
-
- mp->local_crypto_key_len = 0;
- if (lck)
- {
- mp->local_crypto_key_len = vec_len (lck);
- if (mp->local_crypto_key_len > sizeof (mp->local_crypto_key))
- mp->local_crypto_key_len = sizeof (mp->local_crypto_key);
- clib_memcpy (mp->local_crypto_key, lck, mp->local_crypto_key_len);
- }
-
- mp->remote_crypto_key_len = 0;
- if (rck)
- {
- mp->remote_crypto_key_len = vec_len (rck);
- if (mp->remote_crypto_key_len > sizeof (mp->remote_crypto_key))
- mp->remote_crypto_key_len = sizeof (mp->remote_crypto_key);
- clib_memcpy (mp->remote_crypto_key, rck, mp->remote_crypto_key_len);
- }
-
- mp->integ_alg = (u8) integ_alg;
-
- mp->local_integ_key_len = 0;
- if (lik)
- {
- mp->local_integ_key_len = vec_len (lik);
- if (mp->local_integ_key_len > sizeof (mp->local_integ_key))
- mp->local_integ_key_len = sizeof (mp->local_integ_key);
- clib_memcpy (mp->local_integ_key, lik, mp->local_integ_key_len);
- }
-
- mp->remote_integ_key_len = 0;
- if (rik)
- {
- mp->remote_integ_key_len = vec_len (rik);
- if (mp->remote_integ_key_len > sizeof (mp->remote_integ_key))
- mp->remote_integ_key_len = sizeof (mp->remote_integ_key);
- clib_memcpy (mp->remote_integ_key, rik, mp->remote_integ_key_len);
- }
-
- if (renumber)
- {
- mp->renumber = renumber;
- mp->show_instance = ntohl (instance);
- }
- S (mp);
- }
-
- /* When testing multiple add/del ops, use a control-ping to sync */
- if (count > 1)
- {
- vl_api_control_ping_t *mp_ping;
- f64 after;
- f64 timeout;
-
- /* Shut off async mode */
- vam->async_mode = 0;
-
- MPING (CONTROL_PING, mp_ping);
- S (mp_ping);
-
- timeout = vat_time_now (vam) + 1.0;
- while (vat_time_now (vam) < timeout)
- if (vam->result_ready == 1)
- goto out;
- vam->retval = -99;
-
- out:
- if (vam->retval == -99)
- errmsg ("timeout");
-
- if (vam->async_errors > 0)
- {
- errmsg ("%d asynchronous errors", vam->async_errors);
- vam->retval = -98;
- }
- vam->async_errors = 0;
- after = vat_time_now (vam);
-
- /* slim chance, but we might have eaten SIGTERM on the first iteration */
- if (jj > 0)
- count = jj;
-
- print (vam->ofp, "%d tunnels in %.6f secs, %.2f tunnels/sec",
- count, after - before, count / (after - before));
- }
- else
- {
- /* Wait for a reply... */
- W (ret);
- return ret;
- }
-
- return ret;
-}
-
static void
vl_api_ipsec_sa_details_t_handler (vl_api_ipsec_sa_details_t * mp)
{
@@ -11292,57 +11088,6 @@ api_ipsec_sa_dump (vat_main_t * vam)
}
static int
-api_ipsec_tunnel_if_set_sa (vat_main_t * vam)
-{
- unformat_input_t *i = vam->input;
- vl_api_ipsec_tunnel_if_set_sa_t *mp;
- u32 sw_if_index = ~0;
- u32 sa_id = ~0;
- u8 is_outbound = (u8) ~ 0;
- int ret;
-
- while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT)
- {
- if (unformat (i, "%U", api_unformat_sw_if_index, vam, &sw_if_index))
- ;
- else if (unformat (i, "sa_id %d", &sa_id))
- ;
- else if (unformat (i, "outbound"))
- is_outbound = 1;
- else if (unformat (i, "inbound"))
- is_outbound = 0;
- else
- {
- clib_warning ("parse error '%U'", format_unformat_error, i);
- return -99;
- }
- }
-
- if (sw_if_index == ~0)
- {
- errmsg ("interface must be specified");
- return -99;
- }
-
- if (sa_id == ~0)
- {
- errmsg ("SA ID must be specified");
- return -99;
- }
-
- M (IPSEC_TUNNEL_IF_SET_SA, mp);
-
- mp->sw_if_index = htonl (sw_if_index);
- mp->sa_id = htonl (sa_id);
- mp->is_outbound = is_outbound;
-
- S (mp);
- W (ret);
-
- return ret;
-}
-
-static int
api_get_first_msg_id (vat_main_t * vam)
{
vl_api_get_first_msg_id_t *mp;
@@ -15064,13 +14809,7 @@ _(ipsec_spd_entry_add_del, "spd_id <n> priority <n> action <action>\n" \
" (inbound|outbound) [sa_id <n>] laddr_start <ip4|ip6>\n" \
" laddr_stop <ip4|ip6> raddr_start <ip4|ip6> raddr_stop <ip4|ip6>\n" \
" [lport_start <n> lport_stop <n>] [rport_start <n> rport_stop <n>]" ) \
-_(ipsec_tunnel_if_add_del, "local_spi <n> remote_spi <n>\n" \
- " crypto_alg <alg> local_crypto_key <hex> remote_crypto_key <hex>\n" \
- " integ_alg <alg> local_integ_key <hex> remote_integ_key <hex>\n" \
- " local_ip <addr> remote_ip <addr> [esn] [anti_replay] [del]\n" \
- " [instance <n>]") \
_(ipsec_sa_dump, "[sa_id <n>]") \
-_(ipsec_tunnel_if_set_sa, "<intfc> sa_id <n> <inbound|outbound>\n") \
_(delete_loopback,"sw_if_index <nn>") \
_(bd_ip_mac_add_del, "bd_id <bridge-domain-id> <ip4/6-addr> <mac-addr> [del]") \
_(bd_ip_mac_flush, "bd_id <bridge-domain-id>") \
diff --git a/src/vnet/ipsec/ipsec.api b/src/vnet/ipsec/ipsec.api
index 9b091317ee0..c009d8dffaa 100644
--- a/src/vnet/ipsec/ipsec.api
+++ b/src/vnet/ipsec/ipsec.api
@@ -14,7 +14,7 @@
* limitations under the License.
*/
-option version = "4.0.0";
+option version = "5.0.0";
import "vnet/ipsec/ipsec_types.api";
import "vnet/interface_types.api";
@@ -324,77 +324,6 @@ define ipsec_spd_interface_details {
vl_api_interface_index_t sw_if_index;
};
-/** \brief Add or delete IPsec tunnel interface
-
- !!DEPRECATED!!
- use the tunnel protect APIs instead
-
- @param client_index - opaque cookie to identify the sender
- @param context - sender context, to match reply w/ request
- @param is_add - add IPsec tunnel interface if nonzero, else delete
- @param is_ip6 - tunnel v6 or v4
- @param esn - enable extended sequence numbers if nonzero, else disable
- @param anti_replay - enable anti replay check if nonzero, else disable
- @param local_ip - local IP address
- @param remote_ip - IP address of remote IPsec peer
- @param local_spi - SPI of outbound IPsec SA
- @param remote_spi - SPI of inbound IPsec SA
- @param crypto_alg - encryption algorithm ID
- @param local_crypto_key_len - length of local crypto key in bytes
- @param local_crypto_key - crypto key for outbound IPsec SA
- @param remote_crypto_key_len - length of remote crypto key in bytes
- @param remote_crypto_key - crypto key for inbound IPsec SA
- @param integ_alg - integrity algorithm ID
- @param local_integ_key_len - length of local integrity key in bytes
- @param local_integ_key - integrity key for outbound IPsec SA
- @param remote_integ_key_len - length of remote integrity key in bytes
- @param remote_integ_key - integrity key for inbound IPsec SA
- @param renumber - intf display name uses a specified instance if != 0
- @param show_instance - instance to display for intf if renumber is set
- @param udp_encap - enable UDP encapsulation for NAT traversal
- @param tx_table_id - the FIB id used after packet encap
- @param salt - for use with counter mode ciphers
-*/
-define ipsec_tunnel_if_add_del {
- option deprecated;
- u32 client_index;
- u32 context;
- bool is_add;
- bool esn;
- bool anti_replay;
- vl_api_address_t local_ip;
- vl_api_address_t remote_ip;
- u32 local_spi;
- u32 remote_spi;
- u8 crypto_alg;
- u8 local_crypto_key_len;
- u8 local_crypto_key[128];
- u8 remote_crypto_key_len;
- u8 remote_crypto_key[128];
- u8 integ_alg;
- u8 local_integ_key_len;
- u8 local_integ_key[128];
- u8 remote_integ_key_len;
- u8 remote_integ_key[128];
- bool renumber;
- u32 show_instance;
- bool udp_encap;
- u32 tx_table_id;
- u32 salt;
-};
-
-/** \brief Add/delete IPsec tunnel interface response
- @param context - sender context, to match reply w/ request
- @param retval - return status
- @param sw_if_index - sw_if_index of new interface (for successful add)
-*/
-define ipsec_tunnel_if_add_del_reply {
- option deprecated;
- u32 context;
- i32 retval;
- vl_api_interface_index_t sw_if_index;
-};
-
typedef ipsec_itf
{
u32 user_instance [default=0xffffffff];
@@ -497,25 +426,6 @@ define ipsec_sa_v2_details {
u32 stat_index;
};
-/** \brief Set new SA on IPsec interface
-
- !! DEPRECATED !!
-
- @param client_index - opaque cookie to identify the sender
- @param context - sender context, to match reply w/ request
- @param sw_if_index - index of tunnel interface
- @param sa_id - ID of SA to use
- @param is_outbound - 1 if outbound (local) SA, 0 if inbound (remote)
-*/
-autoreply define ipsec_tunnel_if_set_sa {
- option deprecated;
- u32 client_index;
- u32 context;
- vl_api_interface_index_t sw_if_index;
- u32 sa_id;
- u8 is_outbound;
-};
-
/** \brief Dump IPsec backends
@param client_index - opaque cookie to identify the sender
@param context - sender context, to match reply w/ request
diff --git a/src/vnet/ipsec/ipsec_api.c b/src/vnet/ipsec/ipsec_api.c
index 06e7ba0d784..335996ee077 100644
--- a/src/vnet/ipsec/ipsec_api.c
+++ b/src/vnet/ipsec/ipsec_api.c
@@ -68,8 +68,6 @@ _(IPSEC_SPD_INTERFACE_DUMP, ipsec_spd_interface_dump) \
_(IPSEC_ITF_CREATE, ipsec_itf_create) \
_(IPSEC_ITF_DELETE, ipsec_itf_delete) \
_(IPSEC_ITF_DUMP, ipsec_itf_dump) \
-_(IPSEC_TUNNEL_IF_ADD_DEL, ipsec_tunnel_if_add_del) \
-_(IPSEC_TUNNEL_IF_SET_SA, ipsec_tunnel_if_set_sa) \
_(IPSEC_SELECT_BACKEND, ipsec_select_backend) \
_(IPSEC_BACKEND_DUMP, ipsec_backend_dump) \
_(IPSEC_TUNNEL_PROTECT_UPDATE, ipsec_tunnel_protect_update) \
@@ -666,169 +664,6 @@ vl_api_ipsec_spd_interface_dump_t_handler (vl_api_ipsec_spd_interface_dump_t *
#endif
}
-static u32
-ipsec_tun_mk_input_sa_id (u32 ti)
-{
- return (0x80000000 | ti);
-}
-
-static u32
-ipsec_tun_mk_output_sa_id (u32 ti)
-{
- return (0xc0000000 | ti);
-}
-
-static void
-vl_api_ipsec_tunnel_if_add_del_t_handler (vl_api_ipsec_tunnel_if_add_del_t *
- mp)
-{
- vl_api_ipsec_tunnel_if_add_del_reply_t *rmp;
- u32 sw_if_index = ~0;
- int rv;
-
-#if WITH_LIBSSL > 0
- ip46_address_t local_ip = ip46_address_initializer;
- ip46_address_t remote_ip = ip46_address_initializer;
- ipsec_key_t crypto_key, integ_key;
- ipsec_sa_flags_t flags;
- ip46_type_t local_ip_type, remote_ip_type;
- ipip_transport_t transport;
- u32 fib_index;
-
- local_ip_type = ip_address_decode (&mp->local_ip, &local_ip);
- remote_ip_type = ip_address_decode (&mp->remote_ip, &remote_ip);
- transport = (IP46_TYPE_IP6 == local_ip_type ?
- IPIP_TRANSPORT_IP6 : IPIP_TRANSPORT_IP4);
-
- if (local_ip_type != remote_ip_type)
- {
- rv = VNET_API_ERROR_INVALID_VALUE;
- goto done;
- }
-
- flags = IPSEC_SA_FLAG_NONE;
-
- if (mp->udp_encap)
- flags |= IPSEC_SA_FLAG_UDP_ENCAP;
- if (mp->esn)
- flags |= IPSEC_SA_FLAG_USE_ESN;
- if (mp->anti_replay)
- flags |= IPSEC_SA_FLAG_USE_ANTI_REPLAY;
-
- ipsec_mk_key (&crypto_key, mp->remote_crypto_key,
- mp->remote_crypto_key_len);
- ipsec_mk_key (&integ_key, mp->remote_integ_key, mp->remote_integ_key_len);
- ipsec_mk_key (&crypto_key, mp->local_crypto_key, mp->local_crypto_key_len);
- ipsec_mk_key (&integ_key, mp->local_integ_key, mp->local_integ_key_len);
-
- fib_index =
- fib_table_find (fib_proto_from_ip46 (local_ip_type),
- ntohl (mp->tx_table_id));
-
- if (~0 == fib_index)
- {
- rv = VNET_API_ERROR_NO_SUCH_FIB;
- goto done;
- }
-
- if (mp->is_add)
- {
- // remote = input, local = output
- /* create an ip-ip tunnel, then the two SA, then bind them */
- rv = ipip_add_tunnel (transport,
- (mp->renumber ? ntohl (mp->show_instance) : ~0),
- &local_ip,
- &remote_ip, fib_index,
- TUNNEL_ENCAP_DECAP_FLAG_NONE, IP_DSCP_CS0,
- TUNNEL_MODE_P2P, &sw_if_index);
-
- if (rv)
- goto done;
-
- rv = ipsec_sa_add_and_lock (ipsec_tun_mk_input_sa_id (sw_if_index),
- ntohl (mp->remote_spi),
- IPSEC_PROTOCOL_ESP,
- mp->crypto_alg,
- &crypto_key,
- mp->integ_alg,
- &integ_key,
- (flags | IPSEC_SA_FLAG_IS_INBOUND),
- ntohl (mp->tx_table_id),
- mp->salt, &remote_ip, &local_ip,
- TUNNEL_ENCAP_DECAP_FLAG_NONE,
- IP_DSCP_CS0, NULL,
- IPSEC_UDP_PORT_NONE, IPSEC_UDP_PORT_NONE);
-
- if (rv)
- goto done;
-
- rv = ipsec_sa_add_and_lock (ipsec_tun_mk_output_sa_id (sw_if_index),
- ntohl (mp->local_spi),
- IPSEC_PROTOCOL_ESP,
- mp->crypto_alg,
- &crypto_key,
- mp->integ_alg,
- &integ_key,
- flags,
- ntohl (mp->tx_table_id),
- mp->salt, &local_ip, &remote_ip,
- TUNNEL_ENCAP_DECAP_FLAG_NONE,
- IP_DSCP_CS0, NULL,
- IPSEC_UDP_PORT_NONE, IPSEC_UDP_PORT_NONE);
-
- if (rv)
- goto done;
-
- rv = ipsec_tun_protect_update_one (sw_if_index, NULL,
- ipsec_tun_mk_output_sa_id
- (sw_if_index),
- ipsec_tun_mk_input_sa_id
- (sw_if_index));
- if (rv)
- goto done;
-
- /* the SAs are locked as a result of being used for proection,
- * they cannot be removed from the API, since they cannot be refered
- * to by the API. unlock them now, so that if the tunnel is rekeyed
- * they-ll disapper
- */
- ipsec_sa_unlock_id (ipsec_tun_mk_input_sa_id (sw_if_index));
- ipsec_sa_unlock_id (ipsec_tun_mk_output_sa_id (sw_if_index));
- }
- else
- {
- /* *INDENT-OFF* */
- ipip_tunnel_key_t key = {
- .transport = transport,
- .fib_index = fib_index,
- .src = local_ip,
- .dst = remote_ip
- };
- /* *INDENT-ON* */
-
- ipip_tunnel_t *t = ipip_tunnel_db_find (&key);
-
- if (NULL != t)
- {
- rv = ipsec_tun_protect_del (t->sw_if_index, NULL);
- ipip_del_tunnel (t->sw_if_index);
- }
- else
- rv = VNET_API_ERROR_NO_SUCH_ENTRY;
- }
-
-#else
- rv = VNET_API_ERROR_UNIMPLEMENTED;
-#endif
-done:
- /* *INDENT-OFF* */
- REPLY_MACRO2 (VL_API_IPSEC_TUNNEL_IF_ADD_DEL_REPLY,
- ({
- rmp->sw_if_index = htonl (sw_if_index);
- }));
- /* *INDENT-ON* */
-}
-
static void
vl_api_ipsec_itf_create_t_handler (vl_api_ipsec_itf_create_t * mp)
{
@@ -1088,31 +923,6 @@ vl_api_ipsec_sa_v2_dump_t_handler (vl_api_ipsec_sa_dump_t * mp)
}
static void
-vl_api_ipsec_tunnel_if_set_sa_t_handler (vl_api_ipsec_tunnel_if_set_sa_t * mp)
-{
- vl_api_ipsec_tunnel_if_set_sa_reply_t *rmp;
- int rv;
-
-#if WITH_LIBSSL > 0
- VALIDATE_SW_IF_INDEX(mp);
-
- if (mp->is_outbound)
- rv = ipsec_tun_protect_update_out (ntohl (mp->sw_if_index), NULL,
- ntohl (mp->sa_id));
- else
- rv = ipsec_tun_protect_update_in (ntohl (mp->sw_if_index), NULL,
- ntohl (mp->sa_id));
-
-#else
- clib_warning ("unimplemented");
-#endif
-
- BAD_SW_IF_INDEX_LABEL;
-
- REPLY_MACRO (VL_API_IPSEC_TUNNEL_IF_SET_SA_REPLY);
-}
-
-static void
vl_api_ipsec_backend_dump_t_handler (vl_api_ipsec_backend_dump_t * mp)
{
vl_api_registration_t *rp;
diff --git a/src/vnet/ipsec/ipsec_cli.c b/src/vnet/ipsec/ipsec_cli.c
index 1486bbd89fd..0b0ed6c4f12 100644
--- a/src/vnet/ipsec/ipsec_cli.c
+++ b/src/vnet/ipsec/ipsec_cli.c
@@ -784,201 +784,6 @@ VLIB_CLI_COMMAND (clear_ipsec_counters_command, static) = {
};
/* *INDENT-ON* */
-static u32
-ipsec_tun_mk_local_sa_id (u32 ti)
-{
- return (0x80000000 | ti);
-}
-
-static u32
-ipsec_tun_mk_remote_sa_id (u32 ti)
-{
- return (0xc0000000 | ti);
-}
-
-static clib_error_t *
-create_ipsec_tunnel_command_fn (vlib_main_t * vm,
- unformat_input_t * input,
- vlib_cli_command_t * cmd)
-{
- unformat_input_t _line_input, *line_input = &_line_input;
- ip46_address_t local_ip = ip46_address_initializer;
- ip46_address_t remote_ip = ip46_address_initializer;
- ip_address_t nh = IP_ADDRESS_V4_ALL_0S;
- ipsec_crypto_alg_t crypto_alg = IPSEC_CRYPTO_ALG_NONE;
- ipsec_integ_alg_t integ_alg = IPSEC_INTEG_ALG_NONE;
- ipsec_sa_flags_t flags;
- u32 local_spi, remote_spi, salt = 0, table_id, fib_index;
- u32 instance = ~0;
- int rv;
- u32 m_args = 0;
- u8 ipv4_set = 0;
- u8 ipv6_set = 0;
- u8 is_add = 1;
- clib_error_t *error = NULL;
- ipsec_key_t rck = { 0 };
- ipsec_key_t lck = { 0 };
- ipsec_key_t lik = { 0 };
- ipsec_key_t rik = { 0 };
-
- table_id = 0;
- flags = IPSEC_SA_FLAG_NONE;
-
- /* Get a line of input. */
- if (!unformat_user (input, unformat_line_input, line_input))
- return 0;
-
- while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
- {
- if (unformat
- (line_input, "local-ip %U", unformat_ip46_address, &local_ip,
- IP46_TYPE_ANY))
- {
- ip46_address_is_ip4 (&local_ip) ? (ipv4_set = 1) : (ipv6_set = 1);
- m_args |= 1 << 0;
- }
- else
- if (unformat
- (line_input, "remote-ip %U", unformat_ip46_address, &remote_ip,
- IP46_TYPE_ANY))
- {
- ip46_address_is_ip4 (&remote_ip) ? (ipv4_set = 1) : (ipv6_set = 1);
- m_args |= 1 << 1;
- }
- else if (unformat (line_input, "local-spi %u", &local_spi))
- m_args |= 1 << 2;
- else if (unformat (line_input, "remote-spi %u", &remote_spi))
- m_args |= 1 << 3;
- else if (unformat (line_input, "salt 0x%x", &salt))
- ;
- else if (unformat (line_input, "udp-encap"))
- flags |= IPSEC_SA_FLAG_UDP_ENCAP;
- else if (unformat (line_input, "use-esn"))
- flags |= IPSEC_SA_FLAG_USE_ESN;
- else if (unformat (line_input, "use-anti-replay"))
- flags |= IPSEC_SA_FLAG_USE_ANTI_REPLAY;
- else if (unformat (line_input, "instance %u", &instance))
- ;
- else if (unformat (line_input, "tx-table %u", &table_id))
- ;
- else
- if (unformat
- (line_input, "local-crypto-key %U", unformat_ipsec_key, &lck))
- ;
- else
- if (unformat
- (line_input, "remote-crypto-key %U", unformat_ipsec_key, &rck))
- ;
- else if (unformat (line_input, "crypto-alg %U",
- unformat_ipsec_crypto_alg, &crypto_alg))
- ;
- else
- if (unformat
- (line_input, "local-integ-key %U", unformat_ipsec_key, &lik))
- ;
- else
- if (unformat
- (line_input, "remote-integ-key %U", unformat_ipsec_key, &rik))
- ;
- else if (unformat (line_input, "integ-alg %U",
- unformat_ipsec_integ_alg, &integ_alg))
- ;
- else if (unformat (line_input, "del"))
- is_add = 0;
- else if (unformat (line_input, "nh %U", unformat_ip_address, &nh))
- ;
- else
- {
- error = clib_error_return (0, "unknown input `%U'",
- format_unformat_error, line_input);
- goto done;
- }
- }
-
- if (0xf != m_args)
- {
- error = clib_error_return (0, "mandatory argument(s) missing");
- goto done;
- }
-
- if (ipv4_set && ipv6_set)
- return clib_error_return (0, "both IPv4 and IPv6 addresses specified");
-
- fib_index = fib_table_find (fib_ip_proto (ipv6_set), table_id);
-
- if (~0 == fib_index)
- {
- rv = VNET_API_ERROR_NO_SUCH_FIB;
- goto done;
- }
-
- if (is_add)
- {
- // remote = input, local = output
- u32 sw_if_index;
-
- /* create an ip-ip tunnel, then the two SA, then bind them */
- rv =
- ipip_add_tunnel (ipv6_set ? IPIP_TRANSPORT_IP6 : IPIP_TRANSPORT_IP4,
- instance, &local_ip, &remote_ip, fib_index,
- TUNNEL_ENCAP_DECAP_FLAG_NONE, IP_DSCP_CS0,
- TUNNEL_MODE_P2P, &sw_if_index);
- rv |=
- ipsec_sa_add_and_lock (ipsec_tun_mk_local_sa_id (sw_if_index),
- local_spi, IPSEC_PROTOCOL_ESP, crypto_alg,
- &lck, integ_alg, &lik, flags, table_id,
- clib_host_to_net_u32 (salt), &local_ip,
- &remote_ip, TUNNEL_ENCAP_DECAP_FLAG_NONE,
- IP_DSCP_CS0, NULL,
- IPSEC_UDP_PORT_NONE, IPSEC_UDP_PORT_NONE);
- rv |=
- ipsec_sa_add_and_lock (ipsec_tun_mk_remote_sa_id (sw_if_index),
- remote_spi, IPSEC_PROTOCOL_ESP, crypto_alg,
- &rck, integ_alg, &rik,
- (flags | IPSEC_SA_FLAG_IS_INBOUND), table_id,
- clib_host_to_net_u32 (salt), &remote_ip,
- &local_ip, TUNNEL_ENCAP_DECAP_FLAG_NONE,
- IP_DSCP_CS0, NULL,
- IPSEC_UDP_PORT_NONE, IPSEC_UDP_PORT_NONE);
- rv |=
- ipsec_tun_protect_update_one (sw_if_index, &nh,
- ipsec_tun_mk_local_sa_id (sw_if_index),
- ipsec_tun_mk_remote_sa_id
- (sw_if_index));
- }
- else
- rv = 0;
-
- switch (rv)
- {
- case 0:
- break;
- case VNET_API_ERROR_INVALID_VALUE:
- error = clib_error_return (0,
- "IPSec tunnel interface already exists...");
- goto done;
- default:
- error = clib_error_return (0, "ipsec_register_interface returned %d",
- rv);
- goto done;
- }
-
-done:
- unformat_free (line_input);
-
- return error;
-}
-
-/* *INDENT-OFF* */
-VLIB_CLI_COMMAND (create_ipsec_tunnel_command, static) = {
- .path = "create ipsec tunnel",
- .short_help = "create ipsec tunnel local-ip <addr> local-spi <spi> "
- "remote-ip <addr> remote-spi <spi> [instance <inst_num>] [udp-encap] [use-esn] [use-anti-replay] "
- "[tx-table <table-id>]",
- .function = create_ipsec_tunnel_command_fn,
-};
-/* *INDENT-ON* */
-
static clib_error_t *
ipsec_tun_protect_cmd (vlib_main_t * vm,
unformat_input_t * input, vlib_cli_command_t * cmd)
diff --git a/src/vnet/ipsec/ipsec_tun.c b/src/vnet/ipsec/ipsec_tun.c
index a35b6190c44..c3f50a6ffe9 100644
--- a/src/vnet/ipsec/ipsec_tun.c
+++ b/src/vnet/ipsec/ipsec_tun.c
@@ -529,111 +529,6 @@ ipsec_tun_protect_unconfig (ipsec_main_t * im, ipsec_tun_protect_t * itp)
ITP_DBG (itp, "unconfigured");
}
-int
-ipsec_tun_protect_update_one (u32 sw_if_index,
- const ip_address_t * nh, u32 sa_out, u32 sa_in)
-{
- u32 *sas_in = NULL;
- int rv;
-
- vec_add1 (sas_in, sa_in);
- rv = ipsec_tun_protect_update (sw_if_index, nh, sa_out, sas_in);
-
- return (rv);
-}
-
-int
-ipsec_tun_protect_update_out (u32 sw_if_index,
- const ip_address_t * nh, u32 sa_out)
-{
- u32 itpi, *sas_in, sai, *saip;
- ipsec_tun_protect_t *itp;
- ipsec_main_t *im;
- int rv;
-
- sas_in = NULL;
- rv = 0;
- im = &ipsec_main;
-
- itpi = ipsec_tun_protect_find (sw_if_index, nh);
-
- if (INDEX_INVALID == itpi)
- {
- return (VNET_API_ERROR_INVALID_INTERFACE);
- }
-
- itp = pool_elt_at_index (ipsec_tun_protect_pool, itpi);
-
- /* *INDENT-OFF* */
- FOR_EACH_IPSEC_PROTECT_INPUT_SAI (itp, sai,
- ({
- ipsec_sa_lock (sai);
- vec_add1 (sas_in, sai);
- }));
- /* *INDENT-ON* */
-
- sa_out = ipsec_sa_find_and_lock (sa_out);
-
- if (~0 == sa_out)
- {
- rv = VNET_API_ERROR_INVALID_VALUE;
- goto out;
- }
-
- ipsec_tun_protect_unconfig (im, itp);
- ipsec_tun_protect_config (im, itp, sa_out, sas_in);
-
- ipsec_sa_unlock (sa_out);
- vec_foreach (saip, sas_in) ipsec_sa_unlock (*saip);
-
-out:
- vec_free (sas_in);
- return (rv);
-}
-
-int
-ipsec_tun_protect_update_in (u32 sw_if_index,
- const ip_address_t * nh, u32 sa_in)
-{
- u32 itpi, *sas_in, sa_out;
- ipsec_tun_protect_t *itp;
- ipsec_main_t *im;
- int rv;
-
- sas_in = NULL;
- rv = 0;
- im = &ipsec_main;
- itpi = ipsec_tun_protect_find (sw_if_index, nh);
-
- if (INDEX_INVALID == itpi)
- {
- return (VNET_API_ERROR_INVALID_INTERFACE);
- }
-
- sa_in = ipsec_sa_find_and_lock (sa_in);
-
- if (~0 == sa_in)
- {
- rv = VNET_API_ERROR_INVALID_VALUE;
- goto out;
- }
- vec_add1 (sas_in, sa_in);
-
- itp = pool_elt_at_index (ipsec_tun_protect_pool, itpi);
- sa_out = itp->itp_out_sa;
-
- ipsec_sa_lock (sa_out);
-
- ipsec_tun_protect_unconfig (im, itp);
- ipsec_tun_protect_config (im, itp, sa_out, sas_in);
-
- ipsec_sa_unlock (sa_out);
- ipsec_sa_unlock (sa_in);
-out:
- vec_free (sas_in);
- return (rv);
-}
-
static void
ipsec_tun_protect_update_from_teib (ipsec_tun_protect_t * itp,
const teib_entry_t * ne)
@@ -972,7 +867,7 @@ const static teib_vft_t ipsec_tun_teib_vft = {
.nv_deleted = ipsec_tun_teib_entry_deleted,
};
-void
+static void
ipsec_tun_table_init (ip_address_family_t af, uword table_size, u32 n_buckets)
{
ipsec_main_t *im;
@@ -987,8 +882,8 @@ ipsec_tun_table_init (ip_address_family_t af, uword table_size, u32 n_buckets)
"IPSec IPv6 tunnels", n_buckets, table_size);
}
-clib_error_t *
-ipsec_tunnel_protect_init (vlib_main_t * vm)
+static clib_error_t *
+ipsec_tunnel_protect_init (vlib_main_t *vm)
{
ipsec_main_t *im;
diff --git a/src/vnet/ipsec/ipsec_tun.h b/src/vnet/ipsec/ipsec_tun.h
index b8e80d3565f..7ae00992faa 100644
--- a/src/vnet/ipsec/ipsec_tun.h
+++ b/src/vnet/ipsec/ipsec_tun.h
@@ -143,16 +143,9 @@ typedef struct ipsec_tun_protect_t_
} \
}
-extern int ipsec_tun_protect_update_one (u32 sw_if_index,
- const ip_address_t * nh,
- u32 sa_out, u32 sa_in);
extern int ipsec_tun_protect_update (u32 sw_if_index,
const ip_address_t * nh,
u32 sa_out, u32 * sa_ins);
-extern int ipsec_tun_protect_update_in (u32 sw_if_index,
- const ip_address_t * nh, u32 sa_in);
-extern int ipsec_tun_protect_update_out (u32 sw_if_index,
- const ip_address_t * nh, u32 sa_out);
extern int ipsec_tun_protect_del (u32 sw_if_index, const ip_address_t * nh);
@@ -169,9 +162,6 @@ extern u8 *format_ipsec_tun_protect_index (u8 * s, va_list * args);
extern void ipsec_tun_register_nodes (ip_address_family_t af);
extern void ipsec_tun_unregister_nodes (ip_address_family_t af);
-extern void ipsec_tun_table_init (ip_address_family_t af,
- uword table_size, u32 n_buckets);
-
// FIXME
extern vlib_node_registration_t ipsec4_tun_input_node;
extern vlib_node_registration_t ipsec6_tun_input_node;
diff --git a/src/vpp/api/custom_dump.c b/src/vpp/api/custom_dump.c
index d0b5dac4844..1bc4cde900d 100644
--- a/src/vpp/api/custom_dump.c
+++ b/src/vpp/api/custom_dump.c
@@ -2464,48 +2464,6 @@ static void *vl_api_ip_source_and_port_range_check_interface_add_del_t_print
FINISH;
}
-static void *vl_api_ipsec_tunnel_if_add_del_t_print
- (vl_api_ipsec_tunnel_if_add_del_t * mp, void *handle)
-{
- u8 *s;
-
- s = format (0, "SCRIPT: ipsec_tunnel_if_add_del ");
-
- if (mp->esn)
- s = format (s, "esn");
- if (mp->anti_replay)
- s = format (s, "anti-replay");
- if (mp->udp_encap)
- s = format (s, "udp-encap");
-
- s = format (s, "local-ip %U ", format_vl_api_address, &mp->remote_ip);
-
- s = format (s, "remote-ip %U ", format_vl_api_address, &mp->local_ip);
- s = format (s, "tx-table-id %d ", (mp->tx_table_id));
-
- s = format (s, "local-spi %d ", (mp->local_spi));
-
- s = format (s, "remote-spi %d ", (mp->remote_spi));
-
- s = format (s, "local-crypto-key-len %d ", mp->local_crypto_key_len);
- s = format (s, "local-crypto-key %U ", format_hex_bytes,
- mp->local_crypto_key, mp->local_crypto_key_len, 0);
- s = format (s, "remote-crypto-key-len %d ", mp->remote_crypto_key_len);
- s = format (s, "remote-crypto-key %U ", format_hex_bytes,
- mp->remote_crypto_key, mp->remote_crypto_key_len, 0);
- s = format (s, "local-integ-key-len %d ", mp->local_integ_key_len);
- s = format (s, "local-integ-key %U ", format_hex_bytes,
- mp->local_integ_key, mp->local_integ_key_len, 0);
- s = format (s, "remote-integ-key-len %d ", mp->remote_integ_key_len);
- s = format (s, "remote-integ-key %U ", format_hex_bytes,
- mp->remote_integ_key, mp->remote_integ_key_len, 0);
-
- if (mp->is_add == 0)
- s = format (s, "del ");
-
- FINISH;
-}
-
/* static u8 * */
/* format_nsh_address_vat (u8 * s, va_list * args) */
/* { */
@@ -3099,7 +3057,6 @@ _(IPSEC_INTERFACE_ADD_DEL_SPD, ipsec_interface_add_del_spd) \
_(IPSEC_SAD_ENTRY_ADD_DEL, ipsec_sad_entry_add_del) \
_(IPSEC_SPD_ADD_DEL, ipsec_spd_add_del) \
_(IPSEC_SPD_ENTRY_ADD_DEL, ipsec_spd_entry_add_del) \
-_(IPSEC_TUNNEL_IF_ADD_DEL, ipsec_tunnel_if_add_del) \
_(DELETE_SUBIF, delete_subif) \
_(L2_INTERFACE_PBB_TAG_REWRITE, l2_interface_pbb_tag_rewrite) \
_(SET_PUNT, set_punt) \
diff --git a/test/template_ipsec.py b/test/template_ipsec.py
index 129f220c314..9a9fbd070a6 100644
--- a/test/template_ipsec.py
+++ b/test/template_ipsec.py
@@ -28,14 +28,14 @@ class IPsecIPv4Params:
self.remote_tun_if_host6 = '1111::1'
self.scapy_tun_sa_id = 100
- self.scapy_tun_spi = 1001
+ self.scapy_tun_spi = 1000
self.vpp_tun_sa_id = 200
- self.vpp_tun_spi = 1000
+ self.vpp_tun_spi = 2000
self.scapy_tra_sa_id = 300
- self.scapy_tra_spi = 2001
+ self.scapy_tra_spi = 3000
self.vpp_tra_sa_id = 400
- self.vpp_tra_spi = 2000
+ self.vpp_tra_spi = 4000
self.auth_algo_vpp_id = (VppEnum.vl_api_ipsec_integ_alg_t.
IPSEC_API_INTEG_ALG_SHA1_96)
@@ -798,7 +798,7 @@ class IpsecTun4(object):
"incorrect SA in counts: expected %d != %d" %
(count, pkts))
pkts = p.tun_sa_out.get_stats(worker)['packets']
- self.assertEqual(pkts, count,
+ self.assertEqual(pkts, n_frags,
"incorrect SA out counts: expected %d != %d" %
(count, pkts))
diff --git a/test/test_ipsec_tun_if_esp.py b/test/test_ipsec_tun_if_esp.py
index f505fa0ebc6..7e36d1345be 100644
--- a/test/test_ipsec_tun_if_esp.py
+++ b/test/test_ipsec_tun_if_esp.py
@@ -11,7 +11,6 @@ from framework import VppTestRunner
from template_ipsec import TemplateIpsec, IpsecTun4Tests, IpsecTun6Tests, \
IpsecTun4, IpsecTun6, IpsecTcpTests, mk_scapy_crypt_key, \
IpsecTun6HandoffTests, IpsecTun4HandoffTests, config_tun_params
-from vpp_ipsec_tun_interface import VppIpsecTunInterface
from vpp_gre_interface import VppGreInterface
from vpp_ipip_tun_interface import VppIpIpTunInterface
from vpp_ip_route import VppIpRoute, VppRoutePath, DpoProto
@@ -82,7 +81,96 @@ def config_tra_params(p, encryption_type, tun_if):
nat_t_header=p.nat_header)
-class TemplateIpsec4TunIfEsp(TemplateIpsec):
+class TemplateIpsec4TunProtect(object):
+ """ IPsec IPv4 Tunnel protect """
+
+ encryption_type = ESP
+ tun4_encrypt_node_name = "esp4-encrypt-tun"
+ tun4_decrypt_node_name = "esp4-decrypt-tun"
+ tun4_input_node = "ipsec4-tun-input"
+
+ def config_sa_tra(self, p):
+ config_tun_params(p, self.encryption_type, p.tun_if)
+
+ p.tun_sa_out = VppIpsecSA(self, p.scapy_tun_sa_id, p.scapy_tun_spi,
+ p.auth_algo_vpp_id, p.auth_key,
+ p.crypt_algo_vpp_id, p.crypt_key,
+ self.vpp_esp_protocol,
+ flags=p.flags)
+ p.tun_sa_out.add_vpp_config()
+
+ p.tun_sa_in = VppIpsecSA(self, p.vpp_tun_sa_id, p.vpp_tun_spi,
+ p.auth_algo_vpp_id, p.auth_key,
+ p.crypt_algo_vpp_id, p.crypt_key,
+ self.vpp_esp_protocol,
+ flags=p.flags)
+ p.tun_sa_in.add_vpp_config()
+
+ def config_sa_tun(self, p):
+ config_tun_params(p, self.encryption_type, p.tun_if)
+
+ p.tun_sa_out = VppIpsecSA(self, p.scapy_tun_sa_id, p.scapy_tun_spi,
+ p.auth_algo_vpp_id, p.auth_key,
+ p.crypt_algo_vpp_id, p.crypt_key,
+ self.vpp_esp_protocol,
+ self.tun_if.local_addr[p.addr_type],
+ self.tun_if.remote_addr[p.addr_type],
+ flags=p.flags)
+ p.tun_sa_out.add_vpp_config()
+
+ p.tun_sa_in = VppIpsecSA(self, p.vpp_tun_sa_id, p.vpp_tun_spi,
+ p.auth_algo_vpp_id, p.auth_key,
+ p.crypt_algo_vpp_id, p.crypt_key,
+ self.vpp_esp_protocol,
+ self.tun_if.remote_addr[p.addr_type],
+ self.tun_if.local_addr[p.addr_type],
+ flags=p.flags)
+ p.tun_sa_in.add_vpp_config()
+
+ def config_protect(self, p):
+ p.tun_protect = VppIpsecTunProtect(self,
+ p.tun_if,
+ p.tun_sa_out,
+ [p.tun_sa_in])
+ p.tun_protect.add_vpp_config()
+
+ def config_network(self, p):
+ if hasattr(p, 'tun_dst'):
+ tun_dst = p.tun_dst
+ else:
+ tun_dst = self.pg0.remote_ip4
+ p.tun_if = VppIpIpTunInterface(self, self.pg0,
+ self.pg0.local_ip4,
+ tun_dst)
+ p.tun_if.add_vpp_config()
+ p.tun_if.admin_up()
+ p.tun_if.config_ip4()
+ p.tun_if.config_ip6()
+
+ p.route = VppIpRoute(self, p.remote_tun_if_host, 32,
+ [VppRoutePath(p.tun_if.remote_ip4,
+ 0xffffffff)])
+ p.route.add_vpp_config()
+ r = VppIpRoute(self, p.remote_tun_if_host6, 128,
+ [VppRoutePath(p.tun_if.remote_ip6,
+ 0xffffffff,
+ proto=DpoProto.DPO_PROTO_IP6)])
+ r.add_vpp_config()
+
+ def unconfig_network(self, p):
+ p.route.remove_vpp_config()
+ p.tun_if.remove_vpp_config()
+
+ def unconfig_protect(self, p):
+ p.tun_protect.remove_vpp_config()
+
+ def unconfig_sa(self, p):
+ p.tun_sa_out.remove_vpp_config()
+ p.tun_sa_in.remove_vpp_config()
+
+
+class TemplateIpsec4TunIfEsp(TemplateIpsec4TunProtect,
+ TemplateIpsec):
""" IPsec tunnel interface tests """
encryption_type = ESP
@@ -102,32 +190,16 @@ class TemplateIpsec4TunIfEsp(TemplateIpsec):
p = self.ipv4_params
- p.tun_if = VppIpsecTunInterface(self, self.pg0, p.vpp_tun_spi,
- p.scapy_tun_spi, p.crypt_algo_vpp_id,
- p.crypt_key, p.crypt_key,
- p.auth_algo_vpp_id, p.auth_key,
- p.auth_key)
- p.tun_if.add_vpp_config()
- p.tun_if.admin_up()
- p.tun_if.config_ip4()
- p.tun_if.config_ip6()
- config_tun_params(p, self.encryption_type, p.tun_if)
-
- r = VppIpRoute(self, p.remote_tun_if_host, 32,
- [VppRoutePath(p.tun_if.remote_ip4,
- 0xffffffff)])
- r.add_vpp_config()
- r = VppIpRoute(self, p.remote_tun_if_host6, 128,
- [VppRoutePath(p.tun_if.remote_ip6,
- 0xffffffff,
- proto=DpoProto.DPO_PROTO_IP6)])
- r.add_vpp_config()
+ self.config_network(p)
+ self.config_sa_tra(p)
+ self.config_protect(p)
def tearDown(self):
super(TemplateIpsec4TunIfEsp, self).tearDown()
-class TemplateIpsec4TunIfEspUdp(TemplateIpsec):
+class TemplateIpsec4TunIfEspUdp(TemplateIpsec4TunProtect,
+ TemplateIpsec):
""" IPsec UDP tunnel interface tests """
tun4_encrypt_node_name = "esp4-encrypt-tun"
@@ -148,7 +220,7 @@ class TemplateIpsec4TunIfEspUdp(TemplateIpsec):
# ensure the UDP ports are correct before we decrypt
# which strips them
self.assertTrue(rx.haslayer(UDP))
- self.assert_equal(rx[UDP].sport, 4500)
+ self.assert_equal(rx[UDP].sport, p.nat_header.sport)
self.assert_equal(rx[UDP].dport, 4500)
pkt = sa.decrypt(rx[IP])
@@ -166,6 +238,27 @@ class TemplateIpsec4TunIfEspUdp(TemplateIpsec):
pass
raise
+ def config_sa_tra(self, p):
+ config_tun_params(p, self.encryption_type, p.tun_if)
+
+ p.tun_sa_out = VppIpsecSA(self, p.scapy_tun_sa_id, p.scapy_tun_spi,
+ p.auth_algo_vpp_id, p.auth_key,
+ p.crypt_algo_vpp_id, p.crypt_key,
+ self.vpp_esp_protocol,
+ flags=p.flags,
+ udp_src=p.nat_header.sport,
+ udp_dst=p.nat_header.dport)
+ p.tun_sa_out.add_vpp_config()
+
+ p.tun_sa_in = VppIpsecSA(self, p.vpp_tun_sa_id, p.vpp_tun_spi,
+ p.auth_algo_vpp_id, p.auth_key,
+ p.crypt_algo_vpp_id, p.crypt_key,
+ self.vpp_esp_protocol,
+ flags=p.flags,
+ udp_src=p.nat_header.sport,
+ udp_dst=p.nat_header.dport)
+ p.tun_sa_in.add_vpp_config()
+
def setUp(self):
super(TemplateIpsec4TunIfEspUdp, self).setUp()
@@ -174,30 +267,11 @@ class TemplateIpsec4TunIfEspUdp(TemplateIpsec):
IPSEC_API_SAD_FLAG_UDP_ENCAP)
p.nat_header = UDP(sport=5454, dport=4500)
- def config_network(self):
-
self.tun_if = self.pg0
- p = self.ipv4_params
- p.tun_if = VppIpsecTunInterface(self, self.pg0, p.vpp_tun_spi,
- p.scapy_tun_spi, p.crypt_algo_vpp_id,
- p.crypt_key, p.crypt_key,
- p.auth_algo_vpp_id, p.auth_key,
- p.auth_key, udp_encap=True)
- p.tun_if.add_vpp_config()
- p.tun_if.admin_up()
- p.tun_if.config_ip4()
- p.tun_if.config_ip6()
- config_tun_params(p, self.encryption_type, p.tun_if)
- r = VppIpRoute(self, p.remote_tun_if_host, 32,
- [VppRoutePath(p.tun_if.remote_ip4,
- 0xffffffff)])
- r.add_vpp_config()
- r = VppIpRoute(self, p.remote_tun_if_host6, 128,
- [VppRoutePath(p.tun_if.remote_ip6,
- 0xffffffff,
- proto=DpoProto.DPO_PROTO_IP6)])
- r.add_vpp_config()
+ self.config_network(p)
+ self.config_sa_tra(p)
+ self.config_protect(p)
def tearDown(self):
super(TemplateIpsec4TunIfEspUdp, self).tearDown()
@@ -240,8 +314,7 @@ class TestIpsec4TunIfEspUdp(TemplateIpsec4TunIfEspUdp, IpsecTun4Tests):
tun4_input_node = "ipsec4-tun-input"
def setUp(self):
- super(TemplateIpsec4TunIfEspUdp, self).setUp()
- self.config_network()
+ super(TestIpsec4TunIfEspUdp, self).setUp()
def test_keepalive(self):
""" IPSEC NAT Keepalive """
@@ -254,7 +327,7 @@ class TestIpsec4TunIfEspUdpGCM(TemplateIpsec4TunIfEspUdp, IpsecTun4Tests):
tun4_input_node = "ipsec4-tun-input"
def setUp(self):
- super(TemplateIpsec4TunIfEspUdp, self).setUp()
+ super(TestIpsec4TunIfEspUdpGCM, self).setUp()
p = self.ipv4_params
p.auth_algo_vpp_id = (VppEnum.vl_api_ipsec_integ_alg_t.
IPSEC_API_INTEG_ALG_NONE)
@@ -264,7 +337,6 @@ class TestIpsec4TunIfEspUdpGCM(TemplateIpsec4TunIfEspUdp, IpsecTun4Tests):
p.auth_algo = "NULL"
p.crypt_key = b"JPjyOWBeVEQiMe7hJPjyOWBeVEQiMe7h"
p.salt = 0
- self.config_network()
class TestIpsec4TunIfEsp2(TemplateIpsec4TunIfEsp, IpsecTcpTests):
@@ -272,38 +344,101 @@ class TestIpsec4TunIfEsp2(TemplateIpsec4TunIfEsp, IpsecTcpTests):
pass
-class TemplateIpsec6TunIfEsp(TemplateIpsec):
- """ IPsec tunnel interface tests """
+class TemplateIpsec6TunProtect(object):
+ """ IPsec IPv6 Tunnel protect """
- encryption_type = ESP
+ def config_sa_tra(self, p):
+ config_tun_params(p, self.encryption_type, p.tun_if)
- def setUp(self):
- super(TemplateIpsec6TunIfEsp, self).setUp()
+ p.tun_sa_out = VppIpsecSA(self, p.scapy_tun_sa_id, p.scapy_tun_spi,
+ p.auth_algo_vpp_id, p.auth_key,
+ p.crypt_algo_vpp_id, p.crypt_key,
+ self.vpp_esp_protocol)
+ p.tun_sa_out.add_vpp_config()
- self.tun_if = self.pg0
+ p.tun_sa_in = VppIpsecSA(self, p.vpp_tun_sa_id, p.vpp_tun_spi,
+ p.auth_algo_vpp_id, p.auth_key,
+ p.crypt_algo_vpp_id, p.crypt_key,
+ self.vpp_esp_protocol)
+ p.tun_sa_in.add_vpp_config()
- p = self.ipv6_params
- p.tun_if = VppIpsecTunInterface(self, self.pg0, p.vpp_tun_spi,
- p.scapy_tun_spi, p.crypt_algo_vpp_id,
- p.crypt_key, p.crypt_key,
- p.auth_algo_vpp_id, p.auth_key,
- p.auth_key, is_ip6=True)
+ def config_sa_tun(self, p):
+ config_tun_params(p, self.encryption_type, p.tun_if)
+
+ p.tun_sa_out = VppIpsecSA(self, p.scapy_tun_sa_id, p.scapy_tun_spi,
+ p.auth_algo_vpp_id, p.auth_key,
+ p.crypt_algo_vpp_id, p.crypt_key,
+ self.vpp_esp_protocol,
+ self.tun_if.local_addr[p.addr_type],
+ self.tun_if.remote_addr[p.addr_type])
+ p.tun_sa_out.add_vpp_config()
+
+ p.tun_sa_in = VppIpsecSA(self, p.vpp_tun_sa_id, p.vpp_tun_spi,
+ p.auth_algo_vpp_id, p.auth_key,
+ p.crypt_algo_vpp_id, p.crypt_key,
+ self.vpp_esp_protocol,
+ self.tun_if.remote_addr[p.addr_type],
+ self.tun_if.local_addr[p.addr_type])
+ p.tun_sa_in.add_vpp_config()
+
+ def config_protect(self, p):
+ p.tun_protect = VppIpsecTunProtect(self,
+ p.tun_if,
+ p.tun_sa_out,
+ [p.tun_sa_in])
+ p.tun_protect.add_vpp_config()
+
+ def config_network(self, p):
+ if hasattr(p, 'tun_dst'):
+ tun_dst = p.tun_dst
+ else:
+ tun_dst = self.pg0.remote_ip6
+ p.tun_if = VppIpIpTunInterface(self, self.pg0,
+ self.pg0.local_ip6,
+ tun_dst)
p.tun_if.add_vpp_config()
p.tun_if.admin_up()
p.tun_if.config_ip6()
p.tun_if.config_ip4()
- config_tun_params(p, self.encryption_type, p.tun_if)
- r = VppIpRoute(self, p.remote_tun_if_host, 128,
- [VppRoutePath(p.tun_if.remote_ip6,
- 0xffffffff,
- proto=DpoProto.DPO_PROTO_IP6)])
- r.add_vpp_config()
+ p.route = VppIpRoute(self, p.remote_tun_if_host, 128,
+ [VppRoutePath(p.tun_if.remote_ip6,
+ 0xffffffff,
+ proto=DpoProto.DPO_PROTO_IP6)])
+ p.route.add_vpp_config()
r = VppIpRoute(self, p.remote_tun_if_host4, 32,
[VppRoutePath(p.tun_if.remote_ip4,
0xffffffff)])
r.add_vpp_config()
+ def unconfig_network(self, p):
+ p.route.remove_vpp_config()
+ p.tun_if.remove_vpp_config()
+
+ def unconfig_protect(self, p):
+ p.tun_protect.remove_vpp_config()
+
+ def unconfig_sa(self, p):
+ p.tun_sa_out.remove_vpp_config()
+ p.tun_sa_in.remove_vpp_config()
+
+
+class TemplateIpsec6TunIfEsp(TemplateIpsec6TunProtect,
+ TemplateIpsec):
+ """ IPsec tunnel interface tests """
+
+ encryption_type = ESP
+
+ def setUp(self):
+ super(TemplateIpsec6TunIfEsp, self).setUp()
+
+ self.tun_if = self.pg0
+
+ p = self.ipv6_params
+ self.config_network(p)
+ self.config_sa_tra(p)
+ self.config_protect(p)
+
def tearDown(self):
super(TemplateIpsec6TunIfEsp, self).tearDown()
@@ -339,7 +474,9 @@ class TestIpsec4TunIfEspHandoff(TemplateIpsec4TunIfEsp,
tun4_decrypt_node_name = "esp4-decrypt-tun"
-class TestIpsec4MultiTunIfEsp(TemplateIpsec, IpsecTun4):
+class TestIpsec4MultiTunIfEsp(TemplateIpsec4TunProtect,
+ TemplateIpsec,
+ IpsecTun4):
""" IPsec IPv4 Multi Tunnel interface """
encryption_type = ESP
@@ -370,22 +507,10 @@ class TestIpsec4MultiTunIfEsp(TemplateIpsec, IpsecTun4):
p.vpp_tra_spi = p.vpp_tra_spi + ii
p.tun_dst = self.pg0.remote_hosts[ii].ip4
- p.tun_if = VppIpsecTunInterface(self, self.pg0, p.vpp_tun_spi,
- p.scapy_tun_spi,
- p.crypt_algo_vpp_id,
- p.crypt_key, p.crypt_key,
- p.auth_algo_vpp_id, p.auth_key,
- p.auth_key,
- dst=p.tun_dst)
- p.tun_if.add_vpp_config()
- p.tun_if.admin_up()
- p.tun_if.config_ip4()
- config_tun_params(p, self.encryption_type, p.tun_if)
self.multi_params.append(p)
-
- VppIpRoute(self, p.remote_tun_if_host, 32,
- [VppRoutePath(p.tun_if.remote_ip4,
- 0xffffffff)]).add_vpp_config()
+ self.config_network(p)
+ self.config_sa_tra(p)
+ self.config_protect(p)
def tearDown(self):
super(TestIpsec4MultiTunIfEsp, self).tearDown()
@@ -421,51 +546,38 @@ class TestIpsec4MultiTunIfEsp(TemplateIpsec, IpsecTun4):
self.verify_encrypted(p, p.vpp_tun_sa, [rx])
-class TestIpsec4TunIfEspAll(TemplateIpsec, IpsecTun4):
+class TestIpsec4TunIfEspAll(TemplateIpsec4TunProtect,
+ TemplateIpsec,
+ IpsecTun4):
""" IPsec IPv4 Tunnel interface all Algos """
encryption_type = ESP
tun4_encrypt_node_name = "esp4-encrypt-tun"
tun4_decrypt_node_name = "esp4-decrypt-tun"
- def config_network(self, p):
-
- p.tun_if = VppIpsecTunInterface(self, self.pg0, p.vpp_tun_spi,
- p.scapy_tun_spi,
- p.crypt_algo_vpp_id,
- p.crypt_key, p.crypt_key,
- p.auth_algo_vpp_id, p.auth_key,
- p.auth_key,
- salt=p.salt)
- p.tun_if.add_vpp_config()
- p.tun_if.admin_up()
- p.tun_if.config_ip4()
- config_tun_params(p, self.encryption_type, p.tun_if)
- self.logger.info(self.vapi.cli("sh ipsec sa 0"))
- self.logger.info(self.vapi.cli("sh ipsec sa 1"))
-
- p.route = VppIpRoute(self, p.remote_tun_if_host, 32,
- [VppRoutePath(p.tun_if.remote_ip4,
- 0xffffffff)])
- p.route.add_vpp_config()
-
- def unconfig_network(self, p):
- p.tun_if.unconfig_ip4()
- p.tun_if.remove_vpp_config()
- p.route.remove_vpp_config()
-
def setUp(self):
super(TestIpsec4TunIfEspAll, self).setUp()
self.tun_if = self.pg0
+ p = self.ipv4_params
+
+ self.config_network(p)
+ self.config_sa_tra(p)
+ self.config_protect(p)
def tearDown(self):
+ p = self.ipv4_params
+ self.unconfig_protect(p)
+ self.unconfig_network(p)
+ self.unconfig_sa(p)
+
super(TestIpsec4TunIfEspAll, self).tearDown()
def rekey(self, p):
#
# change the key and the SPI
#
+ np = copy.copy(p)
p.crypt_key = b'X' + p.crypt_key[1:]
p.scapy_tun_spi += 1
p.scapy_tun_sa_id += 1
@@ -476,19 +588,9 @@ class TestIpsec4TunIfEspAll(TemplateIpsec, IpsecTun4):
config_tun_params(p, self.encryption_type, p.tun_if)
- p.tun_sa_in = VppIpsecSA(self,
- p.scapy_tun_sa_id,
- p.scapy_tun_spi,
- p.auth_algo_vpp_id,
- p.auth_key,
- p.crypt_algo_vpp_id,
- p.crypt_key,
- self.vpp_esp_protocol,
- flags=p.flags,
- salt=p.salt)
p.tun_sa_out = VppIpsecSA(self,
- p.vpp_tun_sa_id,
- p.vpp_tun_spi,
+ p.scapy_tun_sa_id,
+ p.scapy_tun_spi,
p.auth_algo_vpp_id,
p.auth_key,
p.crypt_algo_vpp_id,
@@ -496,15 +598,22 @@ class TestIpsec4TunIfEspAll(TemplateIpsec, IpsecTun4):
self.vpp_esp_protocol,
flags=p.flags,
salt=p.salt)
+ p.tun_sa_in = VppIpsecSA(self,
+ p.vpp_tun_sa_id,
+ p.vpp_tun_spi,
+ p.auth_algo_vpp_id,
+ p.auth_key,
+ p.crypt_algo_vpp_id,
+ p.crypt_key,
+ self.vpp_esp_protocol,
+ flags=p.flags,
+ salt=p.salt)
p.tun_sa_in.add_vpp_config()
p.tun_sa_out.add_vpp_config()
- self.vapi.ipsec_tunnel_if_set_sa(sw_if_index=p.tun_if.sw_if_index,
- sa_id=p.tun_sa_in.id,
- is_outbound=1)
- self.vapi.ipsec_tunnel_if_set_sa(sw_if_index=p.tun_if.sw_if_index,
- sa_id=p.tun_sa_out.id,
- is_outbound=0)
+ self.config_protect(p)
+ np.tun_sa_out.remove_vpp_config()
+ np.tun_sa_in.remove_vpp_config()
self.logger.info(self.vapi.cli("sh ipsec sa"))
def test_tun_44(self):
@@ -580,7 +689,7 @@ class TestIpsec4TunIfEspAll(TemplateIpsec, IpsecTun4):
for algo in algos:
# with self.subTest(algo=algo['scapy']):
- p = copy.copy(self.ipv4_params)
+ p = self.ipv4_params
p.auth_algo_vpp_id = algo['vpp-integ']
p.crypt_algo_vpp_id = algo['vpp-crypto']
p.crypt_algo = algo['scapy-crypto']
@@ -588,34 +697,27 @@ class TestIpsec4TunIfEspAll(TemplateIpsec, IpsecTun4):
p.crypt_key = algo['key']
p.salt = algo['salt']
- self.config_network(p)
-
- self.verify_tun_44(p, count=127)
- c = p.tun_if.get_rx_stats()
- self.assertEqual(c['packets'], 127)
- c = p.tun_if.get_tx_stats()
- self.assertEqual(c['packets'], 127)
-
#
# rekey the tunnel
#
self.rekey(p)
self.verify_tun_44(p, count=127)
- self.unconfig_network(p)
- p.tun_sa_out.remove_vpp_config()
- p.tun_sa_in.remove_vpp_config()
-
-class TestIpsec4TunIfEspNoAlgo(TemplateIpsec, IpsecTun4):
+class TestIpsec4TunIfEspNoAlgo(TemplateIpsec4TunProtect,
+ TemplateIpsec,
+ IpsecTun4):
""" IPsec IPv4 Tunnel interface no Algos """
encryption_type = ESP
tun4_encrypt_node_name = "esp4-encrypt-tun"
tun4_decrypt_node_name = "esp4-decrypt-tun"
- def config_network(self, p):
+ def setUp(self):
+ super(TestIpsec4TunIfEspNoAlgo, self).setUp()
+ self.tun_if = self.pg0
+ p = self.ipv4_params
p.auth_algo_vpp_id = (VppEnum.vl_api_ipsec_integ_alg_t.
IPSEC_API_INTEG_ALG_NONE)
p.auth_algo = 'NULL'
@@ -626,35 +728,6 @@ class TestIpsec4TunIfEspNoAlgo(TemplateIpsec, IpsecTun4):
p.crypt_algo = 'NULL'
p.crypt_key = []
- p.tun_if = VppIpsecTunInterface(self, self.pg0, p.vpp_tun_spi,
- p.scapy_tun_spi,
- p.crypt_algo_vpp_id,
- p.crypt_key, p.crypt_key,
- p.auth_algo_vpp_id, p.auth_key,
- p.auth_key,
- salt=p.salt)
- p.tun_if.add_vpp_config()
- p.tun_if.admin_up()
- p.tun_if.config_ip4()
- config_tun_params(p, self.encryption_type, p.tun_if)
- self.logger.info(self.vapi.cli("sh ipsec sa 0"))
- self.logger.info(self.vapi.cli("sh ipsec sa 1"))
-
- p.route = VppIpRoute(self, p.remote_tun_if_host, 32,
- [VppRoutePath(p.tun_if.remote_ip4,
- 0xffffffff)])
- p.route.add_vpp_config()
-
- def unconfig_network(self, p):
- p.tun_if.unconfig_ip4()
- p.tun_if.remove_vpp_config()
- p.route.remove_vpp_config()
-
- def setUp(self):
- super(TestIpsec4TunIfEspNoAlgo, self).setUp()
-
- self.tun_if = self.pg0
-
def tearDown(self):
super(TestIpsec4TunIfEspNoAlgo, self).tearDown()
@@ -663,15 +736,21 @@ class TestIpsec4TunIfEspNoAlgo(TemplateIpsec, IpsecTun4):
p = self.ipv4_params
self.config_network(p)
+ self.config_sa_tra(p)
+ self.config_protect(p)
tx = self.gen_pkts(self.pg1, src=self.pg1.remote_ip4,
dst=p.remote_tun_if_host)
self.send_and_assert_no_replies(self.pg1, tx)
+ self.unconfig_protect(p)
+ self.unconfig_sa(p)
self.unconfig_network(p)
-class TestIpsec6MultiTunIfEsp(TemplateIpsec, IpsecTun6):
+class TestIpsec6MultiTunIfEsp(TemplateIpsec6TunProtect,
+ TemplateIpsec,
+ IpsecTun6):
""" IPsec IPv6 Multi Tunnel interface """
encryption_type = ESP
@@ -700,25 +779,12 @@ class TestIpsec6MultiTunIfEsp(TemplateIpsec, IpsecTun6):
p.scapy_tra_spi = p.scapy_tra_spi + ii
p.vpp_tra_sa_id = p.vpp_tra_sa_id + ii
p.vpp_tra_spi = p.vpp_tra_spi + ii
+ p.tun_dst = self.pg0.remote_hosts[ii].ip6
- p.tun_if = VppIpsecTunInterface(self, self.pg0, p.vpp_tun_spi,
- p.scapy_tun_spi,
- p.crypt_algo_vpp_id,
- p.crypt_key, p.crypt_key,
- p.auth_algo_vpp_id, p.auth_key,
- p.auth_key, is_ip6=True,
- dst=self.pg0.remote_hosts[ii].ip6)
- p.tun_if.add_vpp_config()
- p.tun_if.admin_up()
- p.tun_if.config_ip6()
- config_tun_params(p, self.encryption_type, p.tun_if)
self.multi_params.append(p)
-
- r = VppIpRoute(self, p.remote_tun_if_host, 128,
- [VppRoutePath(p.tun_if.remote_ip6,
- 0xffffffff,
- proto=DpoProto.DPO_PROTO_IP6)])
- r.add_vpp_config()
+ self.config_network(p)
+ self.config_sa_tra(p)
+ self.config_protect(p)
def tearDown(self):
super(TestIpsec6MultiTunIfEsp, self).tearDown()
@@ -1771,90 +1837,6 @@ class TestIpsecMGreIfEspTra6(TemplateIpsec, IpsecTun6):
self.verify_tun_66(p, count=63)
-class TemplateIpsec4TunProtect(object):
- """ IPsec IPv4 Tunnel protect """
-
- encryption_type = ESP
- tun4_encrypt_node_name = "esp4-encrypt-tun"
- tun4_decrypt_node_name = "esp4-decrypt-tun"
- tun4_input_node = "ipsec4-tun-input"
-
- def config_sa_tra(self, p):
- config_tun_params(p, self.encryption_type, p.tun_if)
-
- p.tun_sa_out = VppIpsecSA(self, p.scapy_tun_sa_id, p.scapy_tun_spi,
- p.auth_algo_vpp_id, p.auth_key,
- p.crypt_algo_vpp_id, p.crypt_key,
- self.vpp_esp_protocol,
- flags=p.flags)
- p.tun_sa_out.add_vpp_config()
-
- p.tun_sa_in = VppIpsecSA(self, p.vpp_tun_sa_id, p.vpp_tun_spi,
- p.auth_algo_vpp_id, p.auth_key,
- p.crypt_algo_vpp_id, p.crypt_key,
- self.vpp_esp_protocol,
- flags=p.flags)
- p.tun_sa_in.add_vpp_config()
-
- def config_sa_tun(self, p):
- config_tun_params(p, self.encryption_type, p.tun_if)
-
- p.tun_sa_out = VppIpsecSA(self, p.scapy_tun_sa_id, p.scapy_tun_spi,
- p.auth_algo_vpp_id, p.auth_key,
- p.crypt_algo_vpp_id, p.crypt_key,
- self.vpp_esp_protocol,
- self.tun_if.local_addr[p.addr_type],
- self.tun_if.remote_addr[p.addr_type],
- flags=p.flags)
- p.tun_sa_out.add_vpp_config()
-
- p.tun_sa_in = VppIpsecSA(self, p.vpp_tun_sa_id, p.vpp_tun_spi,
- p.auth_algo_vpp_id, p.auth_key,
- p.crypt_algo_vpp_id, p.crypt_key,
- self.vpp_esp_protocol,
- self.tun_if.remote_addr[p.addr_type],
- self.tun_if.local_addr[p.addr_type],
- flags=p.flags)
- p.tun_sa_in.add_vpp_config()
-
- def config_protect(self, p):
- p.tun_protect = VppIpsecTunProtect(self,
- p.tun_if,
- p.tun_sa_out,
- [p.tun_sa_in])
- p.tun_protect.add_vpp_config()
-
- def config_network(self, p):
- p.tun_if = VppIpIpTunInterface(self, self.pg0,
- self.pg0.local_ip4,
- self.pg0.remote_ip4)
- p.tun_if.add_vpp_config()
- p.tun_if.admin_up()
- p.tun_if.config_ip4()
- p.tun_if.config_ip6()
-
- p.route = VppIpRoute(self, p.remote_tun_if_host, 32,
- [VppRoutePath(p.tun_if.remote_ip4,
- 0xffffffff)])
- p.route.add_vpp_config()
- r = VppIpRoute(self, p.remote_tun_if_host6, 128,
- [VppRoutePath(p.tun_if.remote_ip6,
- 0xffffffff,
- proto=DpoProto.DPO_PROTO_IP6)])
- r.add_vpp_config()
-
- def unconfig_network(self, p):
- p.route.remove_vpp_config()
- p.tun_if.remove_vpp_config()
-
- def unconfig_protect(self, p):
- p.tun_protect.remove_vpp_config()
-
- def unconfig_sa(self, p):
- p.tun_sa_out.remove_vpp_config()
- p.tun_sa_in.remove_vpp_config()
-
-
class TestIpsec4TunProtect(TemplateIpsec,
TemplateIpsec4TunProtect,
IpsecTun4):
@@ -2126,81 +2108,6 @@ class TestIpsec4TunProtectTunDrop(TemplateIpsec,
self.unconfig_network(p)
-class TemplateIpsec6TunProtect(object):
- """ IPsec IPv6 Tunnel protect """
-
- def config_sa_tra(self, p):
- config_tun_params(p, self.encryption_type, p.tun_if)
-
- p.tun_sa_out = VppIpsecSA(self, p.scapy_tun_sa_id, p.scapy_tun_spi,
- p.auth_algo_vpp_id, p.auth_key,
- p.crypt_algo_vpp_id, p.crypt_key,
- self.vpp_esp_protocol)
- p.tun_sa_out.add_vpp_config()
-
- p.tun_sa_in = VppIpsecSA(self, p.vpp_tun_sa_id, p.vpp_tun_spi,
- p.auth_algo_vpp_id, p.auth_key,
- p.crypt_algo_vpp_id, p.crypt_key,
- self.vpp_esp_protocol)
- p.tun_sa_in.add_vpp_config()
-
- def config_sa_tun(self, p):
- config_tun_params(p, self.encryption_type, p.tun_if)
-
- p.tun_sa_out = VppIpsecSA(self, p.scapy_tun_sa_id, p.scapy_tun_spi,
- p.auth_algo_vpp_id, p.auth_key,
- p.crypt_algo_vpp_id, p.crypt_key,
- self.vpp_esp_protocol,
- self.tun_if.local_addr[p.addr_type],
- self.tun_if.remote_addr[p.addr_type])
- p.tun_sa_out.add_vpp_config()
-
- p.tun_sa_in = VppIpsecSA(self, p.vpp_tun_sa_id, p.vpp_tun_spi,
- p.auth_algo_vpp_id, p.auth_key,
- p.crypt_algo_vpp_id, p.crypt_key,
- self.vpp_esp_protocol,
- self.tun_if.remote_addr[p.addr_type],
- self.tun_if.local_addr[p.addr_type])
- p.tun_sa_in.add_vpp_config()
-
- def config_protect(self, p):
- p.tun_protect = VppIpsecTunProtect(self,
- p.tun_if,
- p.tun_sa_out,
- [p.tun_sa_in])
- p.tun_protect.add_vpp_config()
-
- def config_network(self, p):
- p.tun_if = VppIpIpTunInterface(self, self.pg0,
- self.pg0.local_ip6,
- self.pg0.remote_ip6)
- p.tun_if.add_vpp_config()
- p.tun_if.admin_up()
- p.tun_if.config_ip6()
- p.tun_if.config_ip4()
-
- p.route = VppIpRoute(self, p.remote_tun_if_host, 128,
- [VppRoutePath(p.tun_if.remote_ip6,
- 0xffffffff,
- proto=DpoProto.DPO_PROTO_IP6)])
- p.route.add_vpp_config()
- r = VppIpRoute(self, p.remote_tun_if_host4, 32,
- [VppRoutePath(p.tun_if.remote_ip4,
- 0xffffffff)])
- r.add_vpp_config()
-
- def unconfig_network(self, p):
- p.route.remove_vpp_config()
- p.tun_if.remove_vpp_config()
-
- def unconfig_protect(self, p):
- p.tun_protect.remove_vpp_config()
-
- def unconfig_sa(self, p):
- p.tun_sa_out.remove_vpp_config()
- p.tun_sa_in.remove_vpp_config()
-
-
class TestIpsec6TunProtect(TemplateIpsec,
TemplateIpsec6TunProtect,
IpsecTun6):
diff --git a/test/test_punt.py b/test/test_punt.py
index 0c5ec7efe1f..d3a9307c367 100644
--- a/test/test_punt.py
+++ b/test/test_punt.py
@@ -30,8 +30,8 @@ from framework import VppTestCase, VppTestRunner
from vpp_ip import DpoProto
from vpp_ip_route import VppIpRoute, VppRoutePath
+from vpp_ipsec import VppIpsecSA, VppIpsecTunProtect, VppIpsecInterface
from vpp_papi import VppEnum
-from vpp_ipsec_tun_interface import VppIpsecTunInterface
NUM_PKTS = 67
@@ -857,25 +857,30 @@ class TestExceptionPuntSocket(TestPuntSocket):
#
# add some tunnels, make sure it still punts
#
- VppIpsecTunInterface(self, self.pg0, 1000, 1000,
- (VppEnum.vl_api_ipsec_crypto_alg_t.
- IPSEC_API_CRYPTO_ALG_AES_CBC_128),
- b"0123456701234567",
- b"0123456701234567",
- (VppEnum.vl_api_ipsec_integ_alg_t.
- IPSEC_API_INTEG_ALG_SHA1_96),
- b"0123456701234567",
- b"0123456701234567").add_vpp_config()
- VppIpsecTunInterface(self, self.pg1, 1000, 1000,
- (VppEnum.vl_api_ipsec_crypto_alg_t.
- IPSEC_API_CRYPTO_ALG_AES_CBC_128),
- b"0123456701234567",
- b"0123456701234567",
- (VppEnum.vl_api_ipsec_integ_alg_t.
- IPSEC_API_INTEG_ALG_SHA1_96),
- b"0123456701234567",
- b"0123456701234567",
- udp_encap=True).add_vpp_config()
+ tun = VppIpsecInterface(self).add_vpp_config()
+ sa_in = VppIpsecSA(self, 11, 11,
+ (VppEnum.vl_api_ipsec_integ_alg_t.
+ IPSEC_API_INTEG_ALG_SHA1_96),
+ b"0123456701234567",
+ (VppEnum.vl_api_ipsec_crypto_alg_t.
+ IPSEC_API_CRYPTO_ALG_AES_CBC_128),
+ b"0123456701234567",
+ 50,
+ self.pg0.local_ip4,
+ self.pg0.remote_ip4).add_vpp_config()
+ sa_out = VppIpsecSA(self, 22, 22,
+ (VppEnum.vl_api_ipsec_integ_alg_t.
+ IPSEC_API_INTEG_ALG_SHA1_96),
+ b"0123456701234567",
+ (VppEnum.vl_api_ipsec_crypto_alg_t.
+ IPSEC_API_CRYPTO_ALG_AES_CBC_128),
+ b"0123456701234567",
+ 50,
+ self.pg0.local_ip4,
+ self.pg0.remote_ip4).add_vpp_config()
+ protect = VppIpsecTunProtect(self, tun,
+ sa_out,
+ [sa_in]).add_vpp_config()
#
# send packets for each SPI we expect to be punted
diff --git a/test/vpp_ipsec.py b/test/vpp_ipsec.py
index d7ed8564fc4..013e3d7310b 100644
--- a/test/vpp_ipsec.py
+++ b/test/vpp_ipsec.py
@@ -259,6 +259,7 @@ class VppIpsecSA(VppObject):
r = self.test.vapi.ipsec_sad_entry_add_del_v2(is_add=1, entry=entry)
self.stat_index = r.stat_index
self.test.registry.register(self, self.test.logger)
+ return self
def remove_vpp_config(self):
r = self.test.vapi.ipsec_sad_entry_add_del_v2(
diff --git a/test/vpp_ipsec_tun_interface.py b/test/vpp_ipsec_tun_interface.py
deleted file mode 100644
index 7f11b7ebb1a..00000000000
--- a/test/vpp_ipsec_tun_interface.py
+++ /dev/null
@@ -1,56 +0,0 @@
-from vpp_tunnel_interface import VppTunnelInterface
-
-
-class VppIpsecTunInterface(VppTunnelInterface):
- """
- VPP IPsec Tunnel interface
- """
-
- def __init__(self, test, parent_if, local_spi,
- remote_spi, crypto_alg, local_crypto_key, remote_crypto_key,
- integ_alg, local_integ_key, remote_integ_key, salt=0,
- udp_encap=False,
- is_ip6=False,
- dst=None):
- super(VppIpsecTunInterface, self).__init__(test, parent_if)
- self.local_spi = local_spi
- self.remote_spi = remote_spi
- self.crypto_alg = crypto_alg
- self.local_crypto_key = local_crypto_key
- self.remote_crypto_key = remote_crypto_key
- self.integ_alg = integ_alg
- self.local_integ_key = local_integ_key
- self.remote_integ_key = remote_integ_key
- self.salt = salt
- if is_ip6:
- self.local_ip = self.parent_if.local_ip6
- self.remote_ip = self.parent_if.remote_ip6
- else:
- self.local_ip = self.parent_if.local_ip4
- self.remote_ip = self.parent_if.remote_ip4
- if dst:
- self.remote_ip = dst
- self.udp_encap = udp_encap
-
- def add_vpp_config(self):
- r = self.test.vapi.ipsec_tunnel_if_add_del(
- self.local_ip, self.remote_ip,
- self.remote_spi, self.local_spi,
- self.crypto_alg, self.local_crypto_key, self.remote_crypto_key,
- self.integ_alg, self.local_integ_key, self.remote_integ_key,
- salt=self.salt,
- udp_encap=self.udp_encap)
- self.set_sw_if_index(r.sw_if_index)
- self.generate_remote_hosts()
- self.test.registry.register(self, self.test.logger)
-
- def remove_vpp_config(self):
- self.test.vapi.ipsec_tunnel_if_add_del(
- self.local_ip, self.remote_ip,
- self.remote_spi, self.local_spi,
- self.crypto_alg, self.local_crypto_key, self.remote_crypto_key,
- self.integ_alg, self.local_integ_key, self.remote_integ_key,
- is_add=0)
-
- def object_id(self):
- return "ipsec-tun-if-%d" % self._sw_if_index