Allow IPsec interface to have SAs reset

Make it easier to integrate with external IKE daemon.
IPsec interfaces can have one or both SAs replaced after
creation. This allows for the possibility of setting a
new child SA on an interface when rekeying occurs. It also
allows for the possibility of creating an interface ahead
of time and updating the SA when parameters that are
negotiated during IKE exchange become known.

Change-Id: I0a31afdcc2bdff7098a924a51abbc58bdab2bd08
Signed-off-by: Matthew Smith <mgsmith@netgate.com>

1 files changed, 16 insertions, 0 deletions

diff --git a/src/vnet/ipsec/ipsec.api b/src/vnet/ipsec/ipsec.api
index 67c333665b7..1b2e4bdd01c 100644
--- a/src/vnet/ipsec/ipsec.api
+++ b/src/vnet/ipsec/ipsec.api
@@ -157,6 +157,7 @@ autoreply define ipsec_sad_add_del_entry
   u8 integrity_key[128];
 
   u8 use_extended_sequence_number;
+  u8 use_anti_replay;
 
   u8 is_tunnel;
   u8 is_tunnel_ipv6;
@@ -634,6 +635,21 @@ autoreply define ipsec_tunnel_if_set_key {
   u8 key[128];
 };
 
+/** \brief Set new SA on IPsec interface
+    @param client_index - opaque cookie to identify the sender
+    @param context - sender context, to match reply w/ request
+    @param sw_if_index - index of tunnel interface
+    @param sa_id - ID of SA to use
+    @param is_outbound - 1 if outbound (local) SA, 0 if inbound (remote)
+*/
+autoreply define ipsec_tunnel_if_set_sa {
+  u32 client_index;
+  u32 context;
+  u32 sw_if_index;
+  u32 sa_id;
+  u8 is_outbound;
+};
+
 /*
  * Local Variables:
  * eval: (c-set-style "gnu")