diff options
-rw-r--r-- | src/scripts/vnet/ipsec | 66 | ||||
-rw-r--r-- | src/vnet/ipsec/ipsec_cli.c | 33 |
2 files changed, 99 insertions, 0 deletions
diff --git a/src/scripts/vnet/ipsec b/src/scripts/vnet/ipsec new file mode 100644 index 00000000000..6762a173699 --- /dev/null +++ b/src/scripts/vnet/ipsec @@ -0,0 +1,66 @@ + +create packet-generator interface pg0 +create packet-generator interface pg1 + +pipe create + +ip table add 1 +set int ip table pg1 1 +set int ip table pipe0.1 1 + +set int ip address pg0 192.168.0.1/24 +set int ip address pg1 192.168.1.1/24 + +set int ip address pipe0.0 10.0.0.1/24 +set int ip address pipe0.1 10.0.0.2/24 + +set int state pg0 up +set int state pg1 up +set int state pipe0 up + +create ipsec tunnel local-ip 10.0.0.1 remote-ip 10.0.0.2 local-spi 100 remote-spi 101 local-crypto-key A11E51E5B1E0 remote-crypto-key A11E51E5B1E0 crypto-alg aes-cbc-128 + +set int state ipsec0 up +set int unnum ipsec0 use pg0 + +create ipsec tunnel local-ip 10.0.0.2 remote-ip 10.0.0.1 local-spi 101 remote-spi 100 tx-table 1 local-crypto-key A11E51E5B1E0 remote-crypto-key A11E51E5B1E0 crypto-alg aes-cbc-128 + +set int state ipsec1 up +set int ip table ipsec1 1 +set int unnum ipsec1 use pg1 + +ip route add 192.168.1.0/24 via ipsec0 +set ip arp pg1 192.168.1.2 00:11:22:33:44:55 +ip route add table 1 192.168.0.0/24 via ipsec1 +set ip arp pg0 192.168.0.2 00:11:22:33:44:66 + +trace add pg-input 100 + +packet-generator new { + name ipsec1 + limit 1 + rate 1e4 + node ip4-input + interface pg0 + size 100-100 + data { + UDP: 192.168.0.2 -> 192.168.1.2 + UDP: 4321 -> 1234 + length 72 + incrementing 100 + } +} +packet-generator new { + name ipsec2 + limit 1 + rate 1e4 + node ip4-input + interface pg1 + size 100-100 + data { + UDP: 192.168.1.2 -> 192.168.0.2 + UDP: 4321 -> 1234 + length 72 + incrementing 100 + } +} diff --git a/src/vnet/ipsec/ipsec_cli.c b/src/vnet/ipsec/ipsec_cli.c index 22fbcdf9599..ee2e870c343 100644 --- a/src/vnet/ipsec/ipsec_cli.c +++ b/src/vnet/ipsec/ipsec_cli.c @@ -619,6 +619,7 @@ create_ipsec_tunnel_command_fn (vlib_main_t * vm, u8 ipv4_set = 0; u8 ipv6_set = 0; clib_error_t *error = NULL; + ipsec_key_t rck, lck, lik, rik; clib_memset (&a, 0, sizeof (a)); a.is_add = 1; @@ -659,6 +660,28 @@ create_ipsec_tunnel_command_fn (vlib_main_t * vm, a.anti_replay = 1; else if (unformat (line_input, "tx-table %u", &a.tx_table_id)) ; + else + if (unformat + (line_input, "local-crypto-key %U", unformat_ipsec_key, &lck)) + ; + else + if (unformat + (line_input, "remote-crypto-key %U", unformat_ipsec_key, &rck)) + ; + else if (unformat (line_input, "crypto-alg %U", + unformat_ipsec_crypto_alg, &a.crypto_alg)) + ; + else + if (unformat + (line_input, "local-integ-key %U", unformat_ipsec_key, &lik)) + ; + else + if (unformat + (line_input, "rmote-integ-key %U", unformat_ipsec_key, &rik)) + ; + else if (unformat (line_input, "integ-alg %U", + unformat_ipsec_integ_alg, &a.integ_alg)) + ; else if (unformat (line_input, "del")) a.is_add = 0; else @@ -681,6 +704,16 @@ create_ipsec_tunnel_command_fn (vlib_main_t * vm, if (ipv4_set && ipv6_set) return clib_error_return (0, "both IPv4 and IPv6 addresses specified"); + clib_memcpy (a.local_crypto_key, lck.data, lck.len); + a.local_crypto_key_len = lck.len; + clib_memcpy (a.remote_crypto_key, rck.data, rck.len); + a.remote_crypto_key_len = rck.len; + + clib_memcpy (a.local_integ_key, lck.data, lck.len); + a.local_integ_key_len = lck.len; + clib_memcpy (a.remote_integ_key, rck.data, rck.len); + a.remote_integ_key_len = rck.len; + rv = ipsec_add_del_tunnel_if (&a); switch (rv) |