author | Matthew Smith <mgsmith@netgate.com> | 2017-10-12 12:06:59 -0500 |
---|---|---|
committer | Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com> | 2017-10-26 13:48:54 +0000 |
commit | ca514fda1125573d513215cb6ea7f22057a82d6b (patch) | |
tree | c40b3964b2f295e541cb7fffc3feea378c66f24d /src/vnet/ipsec/ipsec_api.c | |
parent | db41776a92e3e13178d7a565b7700a2a05336f04 (diff) |
Allow IPsec interface to have SAs reset
Make it easier to integrate with an external IKE daemon.
IPsec interfaces can have one or both SAs replaced after
creation. This allows for the possibility of setting a
new child SA on an interface when rekeying occurs. It also
allows for the possibility of creating an interface ahead
of time and updating the SA when parameters that are
negotiated during IKE exchange become known.
Change-Id: I0a31afdcc2bdff7098a924a51abbc58bdab2bd08
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
Diffstat (limited to 'src/vnet/ipsec/ipsec_api.c')
-rw-r--r-- | src/vnet/ipsec/ipsec_api.c | 24 |
1 files changed, 24 insertions, 0 deletions
diff --git a/src/vnet/ipsec/ipsec_api.c b/src/vnet/ipsec/ipsec_api.c
index c3f5745b85f..e96da8168fa 100644
--- a/src/vnet/ipsec/ipsec_api.c
+++ b/src/vnet/ipsec/ipsec_api.c
@@ -57,6 +57,7 @@ _(IPSEC_SA_DUMP, ipsec_sa_dump) \
 _(IPSEC_SPD_DUMP, ipsec_spd_dump) \
 _(IPSEC_TUNNEL_IF_ADD_DEL, ipsec_tunnel_if_add_del) \
 _(IPSEC_TUNNEL_IF_SET_KEY, ipsec_tunnel_if_set_key) \
+_(IPSEC_TUNNEL_IF_SET_SA, ipsec_tunnel_if_set_sa) \
 _(IKEV2_PROFILE_ADD_DEL, ikev2_profile_add_del) \
 _(IKEV2_PROFILE_SET_AUTH, ikev2_profile_set_auth) \
 _(IKEV2_PROFILE_SET_ID, ikev2_profile_set_id) \
@@ -236,6 +237,7 @@ static void vl_api_ipsec_sad_add_del_entry_t_handler
 clib_memcpy (&sa.tunnel_src_addr.ip4.data, mp->tunnel_src_address, 4);
 clib_memcpy (&sa.tunnel_dst_addr.ip4.data, mp->tunnel_dst_address, 4);
 }
+ sa.use_anti_replay = mp->use_anti_replay;
 ASSERT (im->cb.check_support_cb);
 clib_error_t *err = im->cb.check_support_cb (&sa);
@@ -566,6 +568,28 @@ out:
 static void
+vl_api_ipsec_tunnel_if_set_sa_t_handler (vl_api_ipsec_tunnel_if_set_sa_t * mp)
+{
+ vl_api_ipsec_tunnel_if_set_sa_reply_t *rmp;
+ ipsec_main_t *im = &ipsec_main;
+ vnet_main_t *vnm = im->vnet_main;
+ vnet_sw_interface_t *sw;
+ int rv;
+
+#if WITH_LIBSSL > 0
+ sw = vnet_get_sw_interface (vnm, ntohl (mp->sw_if_index));
+
+ rv = ipsec_set_interface_sa (vnm, sw->hw_if_index, ntohl (mp->sa_id),
+ mp->is_outbound);
+#else
+ clib_warning ("unimplemented");
+#endif
+
+ REPLY_MACRO (VL_API_IPSEC_TUNNEL_IF_SET_SA_REPLY);
+}
+
+
+static void
 vl_api_ikev2_profile_add_del_t_handler (vl_api_ikev2_profile_add_del_t * mp)
 {
 vl_api_ikev2_profile_add_del_reply_t *rmp; |
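Review bot: In the new `vl_api_ipsec_tunnel_if_set_sa_t_handler`, `mp->sw_if_index` is handed straight to `vnet_get_sw_interface` with no range check, so an API client sending an out-of-range index makes the handler index the interface pool out of bounds before `ipsec_set_interface_sa` can reject anything (the pool bounds assertion is compiled out of release builds). The usual fix in VPP API handlers is to wrap the lookup in `VALIDATE_SW_IF_INDEX (mp);` and add a `BAD_SW_IF_INDEX_LABEL;` before the reply, which returns `VNET_API_ERROR_INVALID_SW_IF_INDEX` instead of dereferencing a bogus element — assuming this file already pulls in the API helper macros as the other interface handlers do. Separately, `rv` is declared without an initializer and is only assigned inside the `#if WITH_LIBSSL > 0` arm, so on the `#else` path `REPLY_MACRO` sends an indeterminate return code to the client; declare it as `int rv = VNET_API_ERROR_UNIMPLEMENTED;` or assign it in the `#else` arm. Whether `ipsec_set_interface_sa` itself checks that the interface is an IPsec tunnel and that `sa_id` exists cannot be seen from this hunk, so that contract should be confirmed against its definition.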