authorFilip Tehlar <ftehlar@cisco.com>2020-11-06 11:00:42 +0000
committerAndrew Yourtchenko <ayourtch@gmail.com>2020-11-26 15:02:41 +0000
commitcbc3dc0b3043512f3fc31763683a220c1bcc5de0 (patch)
tree02580cfc27f4d0f9c53d167e6e2396ff526bcbb9 /src
parent8035ffe8dc6c967414d0081c9b83ac7658006a3b (diff)
ikev2: fix udp encap
Type: fix Change-Id: I8c66f79f2d8cfff7c6d45e1fc5b529ffb3941491 Signed-off-by: Filip Tehlar <ftehlar@cisco.com> (cherry picked from commit 67b8a7fa76d8ec2d73f1b2380e11bf8e2793448e)
Diffstat (limited to 'src')
-rw-r--r--src/plugins/ikev2/ikev2.c9
-rw-r--r--src/plugins/ikev2/test/test_ikev2.py23
2 files changed, 23 insertions, 9 deletions
diff --git a/src/plugins/ikev2/ikev2.c b/src/plugins/ikev2/ikev2.c
index 09a7359d5c6..024cf326c16 100644
--- a/src/plugins/ikev2/ikev2.c
+++ b/src/plugins/ikev2/ikev2.c
@@ -1816,7 +1816,6 @@ ikev2_add_tunnel_from_main (ikev2_add_ipsec_tunnel_args_t * a)
ikev2_main_t *km = &ikev2_main;
u32 sw_if_index;
int rv = 0;
- ip46_address_t zero_addr = ip46_address_initializer;
if (~0 == a->sw_if_index)
{
@@ -1865,14 +1864,14 @@ ikev2_add_tunnel_from_main (ikev2_add_ipsec_tunnel_args_t * a)
a->local_spi,
IPSEC_PROTOCOL_ESP, a->encr_type,
&a->loc_ckey, a->integ_type, &a->loc_ikey,
- a->flags, 0, a->salt_local, &zero_addr,
- &zero_addr, NULL, a->src_port, a->dst_port);
+ a->flags, 0, a->salt_local, &a->local_ip,
+ &a->remote_ip, NULL, a->src_port, a->dst_port);
rv |= ipsec_sa_add_and_lock (a->remote_sa_id, a->remote_spi,
IPSEC_PROTOCOL_ESP, a->encr_type, &a->rem_ckey,
a->integ_type, &a->rem_ikey,
(a->flags | IPSEC_SA_FLAG_IS_INBOUND), 0,
- a->salt_remote, &zero_addr,
- &zero_addr, NULL, a->ipsec_over_udp_port,
+ a->salt_remote, &a->remote_ip,
+ &a->local_ip, NULL, a->ipsec_over_udp_port,
a->ipsec_over_udp_port);
rv |= ipsec_tun_protect_update (sw_if_index, NULL, a->local_sa_id, sas_in);
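Review bot: The two ipsec_sa_add_and_lock calls now receive the real tunnel endpoints (`&a->local_ip`/`&a->remote_ip` for the outbound SA, swapped for the inbound one) where zero addresses were passed before, but nothing at the call site says why an SA that is immediately handed to ipsec_tun_protect_update on the next line needs them; a one-line comment such as `/* UDP encap needs the real endpoints on the SA; zero addresses left the encap header unusable */` (reworded to match what the fix actually relies on, which the hunk alone does not show) would keep the next reader from "simplifying" it back. Since the old code tolerated zeroed addresses, it is also worth confirming that a->local_ip and a->remote_ip are populated on every path that fills ikev2_add_ipsec_tunnel_args_t — initiator and responder alike — as that struct is filled outside this hunk. The asymmetry that the outbound SA uses a->src_port/a->dst_port while the inbound SA uses a->ipsec_over_udp_port for both ports predates the change but deserves a comment in the same place. ikev2_add_tunnel_from_main starts before the hunk and continues after it; the first hunk only drops the now-unused zero_addr local.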
diff --git a/src/plugins/ikev2/test/test_ikev2.py b/src/plugins/ikev2/test/test_ikev2.py
index d065d46e8eb..61dd53e7988 100644
--- a/src/plugins/ikev2/test/test_ikev2.py
+++ b/src/plugins/ikev2/test/test_ikev2.py
@@ -181,7 +181,9 @@ class IKEv2SA(object):
def __init__(self, test, is_initiator=True, i_id=None, r_id=None,
spi=b'\x01\x02\x03\x04\x05\x06\x07\x08', id_type='fqdn',
nonce=None, auth_data=None, local_ts=None, remote_ts=None,
- auth_method='shared-key', priv_key=None, natt=False):
+ auth_method='shared-key', priv_key=None, natt=False,
+ udp_encap=False):
+ self.udp_encap = udp_encap
self.natt = natt
if natt:
self.sport = 4500
@@ -662,6 +664,13 @@ class IkePeer(VppTestCase):
assert(len(res) == tlen)
return res
+ def verify_udp_encap(self, ipsec_sa):
+ e = VppEnum.vl_api_ipsec_sad_flags_t
+ if self.sa.udp_encap or self.sa.natt:
+ self.assertIn(e.IPSEC_API_SAD_FLAG_UDP_ENCAP, ipsec_sa.flags)
+ else:
+ self.assertNotIn(e.IPSEC_API_SAD_FLAG_UDP_ENCAP, ipsec_sa.flags)
+
def verify_ipsec_sas(self, is_rekey=False):
sas = self.vapi.ipsec_sa_dump()
if is_rekey:
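Review bot: verify_udp_encap has no docstring, and the condition `self.sa.udp_encap or self.sa.natt` encodes a test expectation (NAT-T implies UDP encapsulation even when udp_encap was not requested) that should be stated: `"""Assert the SA carries UDP_ENCAP iff the test negotiated it (explicit udp_encap or NAT-T)."""`. The helper checks only the flag; if the SA dump also exposes the encapsulation ports, asserting them here would cover the port half of the fix in ikev2.c as well — I have not verified which fields the dump entry provides. This also hoists the `e = VppEnum.vl_api_ipsec_sad_flags_t` lookup out of verify_ipsec_sas (removed in the next hunk), so any remaining use of `e` later in that method, which continues outside these hunks, would now be an undefined name. The enclosing class IkePeer extends beyond the hunk in both directions.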
@@ -671,7 +680,6 @@ class IkePeer(VppTestCase):
else:
sa_count = 2
self.assertEqual(len(sas), sa_count)
- e = VppEnum.vl_api_ipsec_sad_flags_t
if self.sa.is_initiator:
if is_rekey:
sa0 = sas[0].entry
@@ -689,6 +697,8 @@ class IkePeer(VppTestCase):
c = self.sa.child_sas[0]
+ self.verify_udp_encap(sa0)
+ self.verify_udp_encap(sa1)
vpp_crypto_alg = self.vpp_enums[self.sa.vpp_esp_cypto_alg]
self.assertEqual(sa0.crypto_algorithm, vpp_crypto_alg)
self.assertEqual(sa1.crypto_algorithm, vpp_crypto_alg)
@@ -1332,13 +1342,17 @@ class Ikev2Params(object):
if 'esp_transforms' in params:
self.p.add_esp_transforms(params['esp_transforms'])
+ udp_encap = False if 'udp_encap' not in params else\
+ params['udp_encap']
+ if udp_encap:
+ self.p.set_udp_encap(True)
+
self.sa = IKEv2SA(self, i_id=idi['data'], r_id=idr['data'],
is_initiator=is_init,
id_type=self.p.local_id['id_type'], natt=is_natt,
priv_key=client_priv, auth_method=auth_method,
- auth_data=auth_data,
+ auth_data=auth_data, udp_encap=udp_encap,
local_ts=self.p.remote_ts, remote_ts=self.p.local_ts)
-
if is_init:
ike_crypto = ('AES-CBC', 32) if 'ike-crypto' not in params else\
params['ike-crypto']
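Review bot: The two-line conditional expression at `udp_encap = False if 'udp_encap' not in params else\ params['udp_encap']` is the verbose form of `udp_encap = params.get('udp_encap', False)`, which also avoids the backslash continuation. The surrounding code (the 'ike-crypto' lookup just below) uses the same `... if ... not in params else\` pattern, so the new line is consistent with the file, but the new code is the natural place to start using dict.get rather than copying the idiom. The enclosing method in Ikev2Params starts before the hunk and continues after it.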
@@ -1687,6 +1701,7 @@ class TestResponderRsaSign(TemplateResponder, Ikev2Params):
""" test ikev2 responder - cert based auth """
def config_tc(self):
self.config_params({
+ 'udp_encap': True,
'auth': 'rsa-sig',
'server-key': 'server-key.pem',
'client-key': 'client-key.pem',
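Review bot: Enabling `'udp_encap': True` only inside TestResponderRsaSign ties the UDP-encapsulation path to the certificate-auth responder case, so a failure in verify_udp_encap here cannot be attributed to udp_encap versus rsa-sig without further digging. A dedicated test class (or a parametrised variant of an existing shared-key case) that differs from its sibling only in udp_encap would isolate the fix this commit is meant to cover; the non-encap branch of verify_udp_encap is already exercised by the other test classes that leave the key unset. config_tc continues past the end of the hunk.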