| field | value |
|---|---|
| author | Matthew Smith <mgsmith@netgate.com>, 2022-08-09 22:19:38 +0000 |
| committer | Matthew Smith <mgsmith@netgate.com>, 2022-08-19 14:13:36 +0000 |
| commit | 6f1eb484c85cfdb091cbef18252a02b3310b9aae (patch) |
| tree | 5e2d31421dea41d774615aafe8cf96eedd67485a /src/vnet/ipsec/ipsec_sa.c |
| parent | 47c1b1c6338c2d46173f337cf69a4b0d7f27845e (diff) |
ipsec: enable UDP encap for IPv6 ESP tun protect
Type: improvement
If an SA protecting an IPv6 tunnel interface has UDP encapsulation
enabled, the code in esp_encrypt_inline() inserts a UDP header but does
not set the next protocol or the UDP payload length, so the peer that
receives the packet drops it. Set the next protocol field and the UDP
payload length correctly.
The port(s) for UDP encapsulation of IPsec was not registered for IPv6.
Add this registration for IPv6 SAs when UDP encapsulation is enabled.
Add punt handling for IPv6 IKE on NAT-T port.
Add registration of linux-cp for the new punt reason.
Add unit tests of IPv6 ESP w/ UDP encapsulation on tun protect
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
Change-Id: Ibb28e423ab8c7bcea2c1964782a788a0f4da5268
Diffstat (limited to 'src/vnet/ipsec/ipsec_sa.c')

| mode | file | lines |
|---|---|---|
| -rw-r--r-- | src/vnet/ipsec/ipsec_sa.c | 6 |

1 file changed, 4 insertions, 2 deletions
diff --git a/src/vnet/ipsec/ipsec_sa.c b/src/vnet/ipsec/ipsec_sa.c index 387d8a747a3..5c80545bb21 100644 --- a/src/vnet/ipsec/ipsec_sa.c +++ b/src/vnet/ipsec/ipsec_sa.c @@ -325,7 +325,8 @@ ipsec_sa_add_and_lock (u32 id, u32 spi, ipsec_protocol_t proto, sa->udp_hdr.src_port = clib_host_to_net_u16 (src_port); if (ipsec_sa_is_set_IS_INBOUND (sa)) - ipsec_register_udp_port (clib_host_to_net_u16 (sa->udp_hdr.dst_port)); + ipsec_register_udp_port (clib_host_to_net_u16 (sa->udp_hdr.dst_port), + !ipsec_sa_is_set_IS_TUNNEL_V6 (sa)); } hash_set (im->sa_index_by_sa_id, sa->id, sa_index); @@ -353,7 +354,8 @@ ipsec_sa_del (ipsec_sa_t * sa) if (ipsec_sa_is_set_IS_ASYNC (sa)) vnet_crypto_request_async_mode (0); if (ipsec_sa_is_set_UDP_ENCAP (sa) && ipsec_sa_is_set_IS_INBOUND (sa)) - ipsec_unregister_udp_port (clib_net_to_host_u16 (sa->udp_hdr.dst_port)); + ipsec_unregister_udp_port (clib_net_to_host_u16 (sa->udp_hdr.dst_port), + !ipsec_sa_is_set_IS_TUNNEL_V6 (sa)); if (ipsec_sa_is_set_IS_TUNNEL (sa) && !ipsec_sa_is_set_IS_INBOUND (sa)) dpo_reset (&sa->dpo); |
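Review bot: in the first hunk (ipsec_sa_add_and_lock, @@ -325), the address family passed to ipsec_register_udp_port is derived only from IS_TUNNEL_V6, so for an SA that has no tunnel flag set the new argument `!ipsec_sa_is_set_IS_TUNNEL_V6 (sa)` is always true and the port is registered on the IPv4 side even if the SA carries IPv6 traffic; if that is intentional for this change (the commit message scopes it to tun protect), a short comment or a named local such as `u8 is_ip4 = !ipsec_sa_is_set_IS_TUNNEL_V6 (sa);` would make the bare boolean readable at the call site. While touching this line, note that `sa->udp_hdr.dst_port` is already in network order (the preceding line stores `src_port` with `clib_host_to_net_u16`) and ipsec_sa_del reads it back with `clib_net_to_host_u16`, yet the register call applies `clib_host_to_net_u16` to it; the two give the same bytes on little-endian hosts, but `ipsec_register_udp_port (clib_net_to_host_u16 (sa->udp_hdr.dst_port), ...)` would state the intent and match the delete path.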
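Review bot: in the second hunk (ipsec_sa_del, @@ -353), the unregister must evaluate to exactly the same (port, family) pair as the register in ipsec_sa_add_and_lock or a registration leaks; the delete path guards on `ipsec_sa_is_set_UDP_ENCAP (sa) && ipsec_sa_is_set_IS_INBOUND (sa)` while the visible add-side guard is only `ipsec_sa_is_set_IS_INBOUND (sa)`, so please confirm the add-side call sits inside the UDP_ENCAP block (the `udp_hdr.src_port` assignment just above it suggests it does). Since the `!ipsec_sa_is_set_IS_TUNNEL_V6 (sa)` expression is now duplicated in both paths, a small shared helper or an `is_ip4` field computed once at SA creation would keep the two from drifting apart in future edits.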