authorChristian E. Hopps <chopps@chopps.org>2019-09-27 15:05:41 -0400
committerAndrew Yourtchenko <ayourtch@gmail.com>2019-10-11 11:50:52 +0000
commitc1ee34f8d12546456ebf5aec559803ce5e2cd03f (patch)
tree4929012067e894a03c3a677219d51d2ccbbdeeaf /src
parent3a61a40dd4cbe41ca16bb2d7d99b156bf562487a (diff)
ipsec: initialize msgid and allow no dh in child sa
- set msgid to 0 not random. - allow for no DH in ESP child SA Ticket: VPP-1781 Type: fix Signed-off-by: Christian E. Hopps <chopps@chopps.org> Change-Id: Ibe26009d38f444eeaec5b042097f145d161c7672 (cherry picked from commit 0e182c5b1d27139764dca7059c9c91be8387977a)
Diffstat (limited to 'src')
-rw-r--r--src/plugins/ikev2/ikev2.c32
1 files changed, 18 insertions, 14 deletions
diff --git a/src/plugins/ikev2/ikev2.c b/src/plugins/ikev2/ikev2.c
index 090f66c151a..3b47ee21724 100644
--- a/src/plugins/ikev2/ikev2.c
+++ b/src/plugins/ikev2/ikev2.c
@@ -2575,24 +2575,27 @@ ikev2_set_initiator_proposals (vlib_main_t * vm, ikev2_sa_t * sa,
}
/* DH */
- error = 1;
- vec_foreach (td, km->supported_transforms)
- {
- if (td->type == IKEV2_TRANSFORM_TYPE_DH && td->dh_type == ts->dh_type)
+ if (is_ike || ts->dh_type != IKEV2_TRANSFORM_DH_TYPE_NONE)
+ {
+ error = 1;
+ vec_foreach (td, km->supported_transforms)
{
- vec_add1 (proposal->transforms, *td);
- if (is_ike)
+ if (td->type == IKEV2_TRANSFORM_TYPE_DH && td->dh_type == ts->dh_type)
{
- sa->dh_group = td->dh_type;
+ vec_add1 (proposal->transforms, *td);
+ if (is_ike)
+ {
+ sa->dh_group = td->dh_type;
+ }
+ error = 0;
+ break;
}
- error = 0;
- break;
}
- }
- if (error)
- {
- r = clib_error_return (0, "Unsupported algorithm");
- return r;
+ if (error)
+ {
+ r = clib_error_return (0, "Unsupported algorithm");
+ return r;
+ }
}
if (!is_ike)
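Review bot: The new guard `if (is_ike || ts->dh_type != IKEV2_TRANSFORM_DH_TYPE_NONE)` skips the DH transform for an ESP child SA without leaving any trace, so the child proposal goes out with no DH group and, per RFC 7296, its keys then derive only from the IKE SA's keying material with no forward secrecy of its own. If `IKEV2_TRANSFORM_DH_TYPE_NONE` is also the value of a never-configured `ts->dh_type` (not visible in this hunk), a profile that simply omitted the ESP DH group now takes this path silently, where the old code would apparently have returned "Unsupported algorithm". I would state the intent above the guard, e.g. `/* ESP child SA: DH is optional; with NONE no DH transform is proposed and the child SA has no PFS of its own */`, and consider logging when the DH step is skipped. ikev2_set_initiator_proposals begins and continues outside the hunk.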
@@ -3057,6 +3060,7 @@ ikev2_initiate_sa_init (vlib_main_t * vm, u8 * name)
ike0->exchange = IKEV2_EXCHANGE_SA_INIT;
ike0->ispi = sa.ispi;
ike0->rspi = 0;
+ ike0->msgid = 0;
/* store whole IKE payload - needed for PSK auth */
vec_free (sa.last_sa_init_req_packet_data);
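Review bot: The added `ike0->msgid = 0;` does not say why zero is the required value rather than an arbitrary one; RFC 7296 section 2.2 fixes the Message ID of IKE_SA_INIT messages at zero, and a comment such as `/* RFC 7296 2.2: IKE_SA_INIT always uses Message ID 0 */` would keep it from being changed later. The commit message says the field was previously random, which suggests the header buffer is not zeroed before it is filled in. It is therefore worth confirming that every other ike0 header field is assigned explicitly before the packet is sent, since stale memory would otherwise reach the wire; the hunk does not show those assignments. ikev2_initiate_sa_init starts and ends outside the hunk.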