author | Neale Ranns <nranns@cisco.com> | 2020-02-17 10:39:09 +0000 |
---|---|---|
committer | Damjan Marion <dmarion@me.com> | 2020-02-17 12:31:05 +0000 |
commit | 4dc5a43f4871c3f0a88ad0bb9041332bf3b03f1b (patch) | |
tree | 9a7f2fdff6998c7b40af912db7c088aba54708be /src/plugins/ikev2 | |
parent | 627fb6a16d8e7430e84aa664cb2b8f89a5688fab (diff) |
ikev2: IKE plugin manages the state of the protected tunnel interface
Type: improvement
IKE will bring the tunnel up once the negotiation is complete and bring
it down when the session ends. It is the client's responsibility to
manage the state of the tunnel before and after these events. So to
prevent any unencrypted traffic egressing the tunnel before the session
is negotiated, the tunnel should be in the down state when it is
associated with the IKE session.
Change-Id: I8aee593c79ca006d6ab08f9fa560fbbf6f8dcc16
Signed-off-by: Neale Ranns <nranns@cisco.com>
Diffstat (limited to 'src/plugins/ikev2')
-rw-r--r-- | src/plugins/ikev2/ikev2.c | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/src/plugins/ikev2/ikev2.c b/src/plugins/ikev2/ikev2.c index 75b9dcbac61..7d03150bd45 100644 --- a/src/plugins/ikev2/ikev2.c +++ b/src/plugins/ikev2/ikev2.c @@ -1525,7 +1525,10 @@ ikev2_add_tunnel_from_main (ikev2_add_ipsec_tunnel_args_t * a) hash_set1 (km->sw_if_indices, sw_if_index); } else - sw_if_index = a->sw_if_index; + { + sw_if_index = a->sw_if_index; + vnet_sw_interface_admin_up (vnet_get_main (), sw_if_index); + } if (rv) { @@ -1797,7 +1800,10 @@ ikev2_del_tunnel_from_main (ikev2_del_ipsec_tunnel_args_t * a) sw_if_index = ~0; } else - sw_if_index = a->sw_if_index; + { + sw_if_index = a->sw_if_index; + vnet_sw_interface_admin_down (vnet_get_main (), sw_if_index); + } if (~0 != sw_if_index) ipsec_tun_protect_del (sw_if_index); |
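Review bot: In the first hunk (ikev2_add_tunnel_from_main), `vnet_sw_interface_admin_up (vnet_get_main (), sw_if_index);` runs in the else branch before the `if (rv)` check that follows, and its return value is dropped. If `rv` is already non-zero here, or if anything after this point fails, the client-supplied interface is left admin up, which is the state the commit message wants to avoid until the session is negotiated. Consider bringing the interface up only once the add path has finished with `rv == 0`, and propagating or logging a failure from the admin-up call. A short comment in the else branch saying that the plugin now owns the admin state of a caller-provided interface would also help.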
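Review bot: In the second hunk (ikev2_del_tunnel_from_main), `vnet_sw_interface_admin_down (vnet_get_main (), sw_if_index);` is called on `a->sw_if_index` without the `~0 != sw_if_index` guard that protects `ipsec_tun_protect_del (sw_if_index);` two lines later, and its return value is ignored. Setting the interface down before removing the protection is the right order, but the call would be safer inside the existing `if (~0 != sw_if_index)` block, or with its own check, together with a log on failure so that an interface that stays up after the session ends is visible to the operator.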