author | Atzm Watanabe <atzmism@gmail.com> | 2023-01-25 14:11:10 +0900 |
---|---|---|
committer | Dave Wallace <dwallacelf@gmail.com> | 2023-02-03 14:24:51 +0000 |
commit | fc2d95d115ea5e82bc3efb18cf40632449112fdf (patch) | |
tree | e44f020e08ab43336a430dfb916af94cfa926305 /extras | |
parent | a4f994f31e566cc5e6512d3aebf627a6e3ce2cc7 (diff) |
vpp-swan: allow SAs to be used to the route-based IPsec
This patch adds a "charon.plugins.kernel-vpp.use_tunnel_mode_sa"
key into strongswan.conf. If this is turned off, SAs will be
installed without tunnel information and can be used to
"ipsec tunnel protect". For route-based IPsec, this is combined with
turning "policies" off in swanctl.conf.
Type: feature
Signed-off-by: Atzm Watanabe <atzmism@gmail.com>
Change-Id: I58fb94bfe56627fa7002d9b95c48930a32993d2d
Diffstat (limited to 'extras')
-rw-r--r-- | extras/strongswan/vpp_sswan/kernel_vpp_ipsec.c | 18 |
1 files changed, 17 insertions, 1 deletions
diff --git a/extras/strongswan/vpp_sswan/kernel_vpp_ipsec.c b/extras/strongswan/vpp_sswan/kernel_vpp_ipsec.c
index 7849dd6b898..3fe3c4403e2 100644
--- a/extras/strongswan/vpp_sswan/kernel_vpp_ipsec.c
+++ b/extras/strongswan/vpp_sswan/kernel_vpp_ipsec.c
@@ -126,6 +126,13 @@ struct private_kernel_vpp_ipsec_t
    * Whether to install routes along policies
    */
   bool install_routes;
+
+  /**
+   * Whether to install SAs with tunnel flag. Disabling this can be useful
+   * in some scenarios e.g. using SAs to "ipsec tunnel protect" for the
+   * route-based IPsec
+   */
+  bool use_tunnel_mode_sa;
 };
 /**
@@ -1414,9 +1421,15 @@ METHOD (kernel_ipsec_t, add_sa, status_t, private_kernel_vpp_ipsec_t *this,
           mp->entry.integrity_key.length);
   int flags = IPSEC_API_SAD_FLAG_NONE;
+  if (data->inbound)
+    flags |= IPSEC_API_SAD_FLAG_IS_INBOUND;
+  /* like the kernel-netlink plugin, anti-replay can be disabled with zero
+   * replay_window, but window size cannot be customized for vpp */
+  if (data->replay_window)
+    flags |= IPSEC_API_SAD_FLAG_USE_ANTI_REPLAY;
   if (data->esn)
     flags |= IPSEC_API_SAD_FLAG_USE_ESN;
-  if (data->mode == MODE_TUNNEL)
+  if (this->use_tunnel_mode_sa && data->mode == MODE_TUNNEL)
     {
       if (id->src->get_family (id->src) == AF_INET6)
         flags |= IPSEC_API_SAD_FLAG_IS_TUNNEL_V6;
@@ -1739,6 +1752,9 @@ kernel_vpp_ipsec_create ()
     .routes = linked_list_create(),
     .install_routes = lib->settings->get_bool(lib->settings,
                                               "%s.install_routes", TRUE, lib->ns),
+    .use_tunnel_mode_sa = lib->settings->get_bool(lib->settings,
+                          "%s.plugins.kernel-vpp.use_tunnel_mode_sa",
+                          TRUE, lib->ns),
   );
   if (!init_spi (this))
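Review bot: With use_tunnel_mode_sa turned off, the rewritten condition `if (this->use_tunnel_mode_sa && data->mode == MODE_TUNNEL)` makes every tunnel-mode SA install into VPP without the tunnel flag or endpoints, and nothing in the hunk ties that to the `policies = no` setup the description says it is meant for; an operator who flips the strongswan.conf key but leaves policies on would presumably get SAs that VPP applies as transport mode, exposing the inner addresses tunnel mode was meant to hide. A log line at that point would at least make the misconfiguration visible, e.g. after the existing block: `else if (data->mode == MODE_TUNNEL) DBG1(DBG_KNL, "tunnel-mode SA installed without tunnel information, bind it with 'ipsec tunnel protect'");`. The new anti-replay line also deserves a caveat: with replay_window == 0 the SA gets USE_ESN but not USE_ANTI_REPLAY, and whether VPP can track the ESN high sequence bits without a replay window is worth confirming before relying on that combination. add_sa begins and ends outside this hunk.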