diff options
author | Filip Tehlar <ftehlar@cisco.com> | 2020-03-02 15:17:37 +0000 |
---|---|---|
committer | Damjan Marion <dmarion@me.com> | 2020-03-21 11:50:03 +0000 |
commit | e5d34919b4561a5ee11e41dec6b0184537b39696 (patch) | |
tree | 9ceae975f3ce8da4a5ef7da8922b1ab4781cb231 /src/vnet | |
parent | 7f6d145accc6e63b150ab4efc282f19cbe996b57 (diff) |
ikev2: add support for custom ipsec-over-udp port
Type: feature
Change-Id: Ifee2b3dca85ea915067b9285e3636802bf0c19a8
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Diffstat (limited to 'src/vnet')
-rw-r--r-- | src/vnet/api_errno.h | 4 | ||||
-rw-r--r-- | src/vnet/ipsec/ipsec_api.c | 8 | ||||
-rw-r--r-- | src/vnet/ipsec/ipsec_cli.c | 7 | ||||
-rw-r--r-- | src/vnet/ipsec/ipsec_sa.c | 15 | ||||
-rw-r--r-- | src/vnet/ipsec/ipsec_sa.h | 5 |
5 files changed, 28 insertions, 11 deletions
diff --git a/src/vnet/api_errno.h b/src/vnet/api_errno.h index eb25f05a853..15b17a86d5d 100644 --- a/src/vnet/api_errno.h +++ b/src/vnet/api_errno.h @@ -153,7 +153,9 @@ _(FIB_PATH_UNSUPPORTED_NH_PROTO, -157, "Unsupported FIB Path protocol") \ _(API_ENDIAN_FAILED, -159, "Endian mismatch detected") \ _(NO_CHANGE, -160, "No change in table") \ _(MISSING_CERT_KEY, -161, "Missing certifcate or key") \ -_(LIMIT_EXCEEDED, -162, "limit exceeded") +_(LIMIT_EXCEEDED, -162, "limit exceeded") \ +_(IKE_NO_PORT, -163, "port not managed by IKE") \ +_(UDP_PORT_TAKEN, -164, "UDP port already taken") \ typedef enum { diff --git a/src/vnet/ipsec/ipsec_api.c b/src/vnet/ipsec/ipsec_api.c index c7ce3ef83d5..177300aeb9a 100644 --- a/src/vnet/ipsec/ipsec_api.c +++ b/src/vnet/ipsec/ipsec_api.c @@ -372,7 +372,7 @@ static void vl_api_ipsec_sad_entry_add_del_t_handler crypto_alg, &crypto_key, integ_alg, &integ_key, flags, 0, mp->entry.salt, &tun_src, &tun_dst, - &sa_index); + &sa_index, IPSEC_UDP_PORT_NONE); else rv = ipsec_sa_unlock_id (id); @@ -662,7 +662,8 @@ vl_api_ipsec_tunnel_if_add_del_t_handler (vl_api_ipsec_tunnel_if_add_del_t * &integ_key, (flags | IPSEC_SA_FLAG_IS_INBOUND), ntohl (mp->tx_table_id), - mp->salt, &remote_ip, &local_ip, NULL); + mp->salt, &remote_ip, &local_ip, NULL, + IPSEC_UDP_PORT_NONE); if (rv) goto done; @@ -676,7 +677,8 @@ vl_api_ipsec_tunnel_if_add_del_t_handler (vl_api_ipsec_tunnel_if_add_del_t * &integ_key, flags, ntohl (mp->tx_table_id), - mp->salt, &local_ip, &remote_ip, NULL); + mp->salt, &local_ip, &remote_ip, NULL, + IPSEC_UDP_PORT_NONE); if (rv) goto done; diff --git a/src/vnet/ipsec/ipsec_cli.c b/src/vnet/ipsec/ipsec_cli.c index 04061901ccc..7779e79f067 100644 --- a/src/vnet/ipsec/ipsec_cli.c +++ b/src/vnet/ipsec/ipsec_cli.c @@ -149,7 +149,8 @@ ipsec_sa_add_del_command_fn (vlib_main_t * vm, rv = ipsec_sa_add_and_lock (id, spi, proto, crypto_alg, &ck, integ_alg, &ik, flags, 0, clib_host_to_net_u32 (salt), - &tun_src, &tun_dst, NULL); + &tun_src, &tun_dst, NULL, + IPSEC_UDP_PORT_NONE); else rv = ipsec_sa_unlock_id (id); @@ -852,14 +853,14 @@ create_ipsec_tunnel_command_fn (vlib_main_t * vm, local_spi, IPSEC_PROTOCOL_ESP, crypto_alg, &lck, integ_alg, &lik, flags, table_id, clib_host_to_net_u32 (salt), &local_ip, - &remote_ip, NULL); + &remote_ip, NULL, IPSEC_UDP_PORT_NONE); rv |= ipsec_sa_add_and_lock (ipsec_tun_mk_remote_sa_id (sw_if_index), remote_spi, IPSEC_PROTOCOL_ESP, crypto_alg, &rck, integ_alg, &rik, (flags | IPSEC_SA_FLAG_IS_INBOUND), table_id, clib_host_to_net_u32 (salt), &remote_ip, - &local_ip, NULL); + &local_ip, NULL, IPSEC_UDP_PORT_NONE); rv |= ipsec_tun_protect_update_one (sw_if_index, &nh, ipsec_tun_mk_local_sa_id (sw_if_index), diff --git a/src/vnet/ipsec/ipsec_sa.c b/src/vnet/ipsec/ipsec_sa.c index 4401c2e3d74..0e1e63d0db4 100644 --- a/src/vnet/ipsec/ipsec_sa.c +++ b/src/vnet/ipsec/ipsec_sa.c @@ -135,7 +135,8 @@ ipsec_sa_add_and_lock (u32 id, u32 tx_table_id, u32 salt, const ip46_address_t * tun_src, - const ip46_address_t * tun_dst, u32 * sa_out_index) + const ip46_address_t * tun_dst, u32 * sa_out_index, + u16 dst_port) { vlib_main_t *vm = vlib_get_main (); ipsec_main_t *im = &ipsec_main; @@ -269,8 +270,16 @@ ipsec_sa_add_and_lock (u32 id, if (ipsec_sa_is_set_UDP_ENCAP (sa)) { - sa->udp_hdr.src_port = clib_host_to_net_u16 (UDP_DST_PORT_ipsec); - sa->udp_hdr.dst_port = clib_host_to_net_u16 (UDP_DST_PORT_ipsec); + if (dst_port == IPSEC_UDP_PORT_NONE) + { + sa->udp_hdr.src_port = clib_host_to_net_u16 (UDP_DST_PORT_ipsec); + sa->udp_hdr.dst_port = clib_host_to_net_u16 (UDP_DST_PORT_ipsec); + } + else + { + sa->udp_hdr.src_port = clib_host_to_net_u16 (dst_port); + sa->udp_hdr.dst_port = clib_host_to_net_u16 (dst_port); + } } hash_set (im->sa_index_by_sa_id, sa->id, sa_index); diff --git a/src/vnet/ipsec/ipsec_sa.h b/src/vnet/ipsec/ipsec_sa.h index e0d74e1309e..0997eb7d8bc 100644 --- a/src/vnet/ipsec/ipsec_sa.h +++ b/src/vnet/ipsec/ipsec_sa.h @@ -16,6 +16,7 @@ #define __IPSEC_SPD_SA_H__ #include <vlib/vlib.h> +#include <vnet/crypto/crypto.h> #include <vnet/ip/ip.h> #include <vnet/fib/fib_node.h> @@ -209,7 +210,7 @@ extern int ipsec_sa_add_and_lock (u32 id, u32 salt, const ip46_address_t * tunnel_src_addr, const ip46_address_t * tunnel_dst_addr, - u32 * sa_index); + u32 * sa_index, u16 dst_port); extern index_t ipsec_sa_find_and_lock (u32 id); extern int ipsec_sa_unlock_id (u32 id); extern void ipsec_sa_unlock (index_t sai); @@ -233,6 +234,8 @@ extern uword unformat_ipsec_integ_alg (unformat_input_t * input, va_list * args); extern uword unformat_ipsec_key (unformat_input_t * input, va_list * args); +#define IPSEC_UDP_PORT_NONE ((u16)~0) + /* * Anti Replay definitions */ |