authorNeale Ranns <nranns@cisco.com>2020-02-17 10:39:09 +0000
committerDamjan Marion <dmarion@me.com>2020-02-17 12:31:05 +0000
commit4dc5a43f4871c3f0a88ad0bb9041332bf3b03f1b (patch)
tree9a7f2fdff6998c7b40af912db7c088aba54708be /src/plugins/ikev2
parent627fb6a16d8e7430e84aa664cb2b8f89a5688fab (diff)
ikev2: IKE plugin manages the state of the protected tunnel interface
Type: improvement IKE will bring the tunnel up once the negotiation is complete and bring it down when the session ends. It is the client's responsibility to manage the state of the tunnel before and after these events. So, to prevent any unencrypted traffic egressing the tunnel before the session is negotiated, the tunnel should be in the down state when it is associated with the IKE session. Change-Id: I8aee593c79ca006d6ab08f9fa560fbbf6f8dcc16 Signed-off-by: Neale Ranns <nranns@cisco.com>
Diffstat (limited to 'src/plugins/ikev2')
-rw-r--r--src/plugins/ikev2/ikev2.c10
1 files changed, 8 insertions, 2 deletions
diff --git a/src/plugins/ikev2/ikev2.c b/src/plugins/ikev2/ikev2.c
index 75b9dcbac61..7d03150bd45 100644
--- a/src/plugins/ikev2/ikev2.c
+++ b/src/plugins/ikev2/ikev2.c
@@ -1525,7 +1525,10 @@ ikev2_add_tunnel_from_main (ikev2_add_ipsec_tunnel_args_t * a)
hash_set1 (km->sw_if_indices, sw_if_index);
}
else
- sw_if_index = a->sw_if_index;
+ {
+ sw_if_index = a->sw_if_index;
+ vnet_sw_interface_admin_up (vnet_get_main (), sw_if_index);
+ }
if (rv)
{
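Review bot: In the new else branch the caller-supplied interface is set admin-up before the `if (rv)` check, and, as far as this hunk shows, before whatever installs the SAs and tunnel protection, which works against the commit's stated goal of never letting cleartext egress. The rest of ikev2_add_tunnel_from_main is outside the hunk, so this is inferred: if protection is applied after this point, there is a window in which the interface is up but unprotected, and a failure in a later step would leave it up. I would move `vnet_sw_interface_admin_up (vnet_get_main (), sw_if_index);` to after the protection step has returned success, so the interface only comes up once it is protected.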
@@ -1797,7 +1800,10 @@ ikev2_del_tunnel_from_main (ikev2_del_ipsec_tunnel_args_t * a)
sw_if_index = ~0;
}
else
- sw_if_index = a->sw_if_index;
+ {
+ sw_if_index = a->sw_if_index;
+ vnet_sw_interface_admin_down (vnet_get_main (), sw_if_index);
+ }
if (~0 != sw_if_index)
ipsec_tun_protect_del (sw_if_index);
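Review bot: The else branch of ikev2_del_tunnel_from_main depends on the interface going admin-down before `ipsec_tun_protect_del (sw_if_index);` runs, but nothing in the code records that the order matters. A later reordering would leave the caller's interface up with its protection removed, which is the cleartext-egress case the commit description sets out to prevent. I would add a comment above the new call, e.g. `/* take the caller's interface down before its protection is removed, so no cleartext can egress */`. The function's body starts and ends outside the hunk.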