aboutsummaryrefslogtreecommitdiffstats
path: root/src/vnet/ipsec
diff options
context:
space:
mode:
Diffstat (limited to 'src/vnet/ipsec')
-rw-r--r--src/vnet/ipsec/ipsec.c4
-rw-r--r--src/vnet/ipsec/ipsec.h4
-rw-r--r--src/vnet/ipsec/ipsec_api.c3
-rw-r--r--src/vnet/ipsec/ipsec_cli.c14
-rw-r--r--src/vnet/ipsec/ipsec_if.c2
5 files changed, 17 insertions, 10 deletions
diff --git a/src/vnet/ipsec/ipsec.c b/src/vnet/ipsec/ipsec.c
index 73b51012880..d15bfec1b9e 100644
--- a/src/vnet/ipsec/ipsec.c
+++ b/src/vnet/ipsec/ipsec.c
@@ -411,8 +411,7 @@ ipsec_is_sa_used (u32 sa_index)
}
int
-ipsec_add_del_sa (vlib_main_t * vm, ipsec_sa_t * new_sa, int is_add,
- u8 udp_encap)
+ipsec_add_del_sa (vlib_main_t * vm, ipsec_sa_t * new_sa, int is_add)
{
ipsec_main_t *im = &ipsec_main;
ipsec_sa_t *sa = 0;
@@ -451,7 +450,6 @@ ipsec_add_del_sa (vlib_main_t * vm, ipsec_sa_t * new_sa, int is_add,
pool_get (im->sad, sa);
clib_memcpy (sa, new_sa, sizeof (*sa));
sa_index = sa - im->sad;
- sa->udp_encap = udp_encap ? 1 : 0;
hash_set (im->sa_index_by_sa_id, sa->id, sa_index);
if (im->cb.add_del_sa_sess_cb)
{
diff --git a/src/vnet/ipsec/ipsec.h b/src/vnet/ipsec/ipsec.h
index 4d066c381ba..07944a1d227 100644
--- a/src/vnet/ipsec/ipsec.h
+++ b/src/vnet/ipsec/ipsec.h
@@ -174,6 +174,7 @@ typedef struct
u8 remote_integ_key[128];
u8 renumber;
u32 show_instance;
+ u8 udp_encap;
} ipsec_add_del_tunnel_args_t;
typedef struct
@@ -321,8 +322,7 @@ int ipsec_set_interface_spd (vlib_main_t * vm, u32 sw_if_index, u32 spd_id,
int ipsec_add_del_spd (vlib_main_t * vm, u32 spd_id, int is_add);
int ipsec_add_del_policy (vlib_main_t * vm, ipsec_policy_t * policy,
int is_add);
-int ipsec_add_del_sa (vlib_main_t * vm, ipsec_sa_t * new_sa, int is_add,
- u8 udp_encap);
+int ipsec_add_del_sa (vlib_main_t * vm, ipsec_sa_t * new_sa, int is_add);
int ipsec_set_sa_key (vlib_main_t * vm, ipsec_sa_t * sa_update);
u32 ipsec_get_sa_index_by_sa_id (u32 sa_id);
diff --git a/src/vnet/ipsec/ipsec_api.c b/src/vnet/ipsec/ipsec_api.c
index 8ea47b7ebe1..c4284b91478 100644
--- a/src/vnet/ipsec/ipsec_api.c
+++ b/src/vnet/ipsec/ipsec_api.c
@@ -219,6 +219,7 @@ static void vl_api_ipsec_sad_add_del_entry_t_handler
sa.use_esn = mp->use_extended_sequence_number;
sa.is_tunnel = mp->is_tunnel;
sa.is_tunnel_ip6 = mp->is_tunnel_ipv6;
+ sa.udp_encap = mp->udp_encap;
if (sa.is_tunnel_ip6)
{
clib_memcpy (&sa.tunnel_src_addr, mp->tunnel_src_address, 16);
@@ -240,7 +241,7 @@ static void vl_api_ipsec_sad_add_del_entry_t_handler
goto out;
}
- rv = ipsec_add_del_sa (vm, &sa, mp->is_add, mp->udp_encap);
+ rv = ipsec_add_del_sa (vm, &sa, mp->is_add);
#else
rv = VNET_API_ERROR_UNIMPLEMENTED;
goto out;
diff --git a/src/vnet/ipsec/ipsec_cli.c b/src/vnet/ipsec/ipsec_cli.c
index 6a97b7bc8d9..5603fae368a 100644
--- a/src/vnet/ipsec/ipsec_cli.c
+++ b/src/vnet/ipsec/ipsec_cli.c
@@ -148,6 +148,10 @@ ipsec_sa_add_del_command_fn (vlib_main_t * vm,
sa.is_tunnel = 1;
sa.is_tunnel_ip6 = 1;
}
+ else if (unformat (line_input, "udp-encap"))
+ {
+ sa.udp_encap = 1;
+ }
else
{
error = clib_error_return (0, "parse error: '%U'",
@@ -176,7 +180,7 @@ ipsec_sa_add_del_command_fn (vlib_main_t * vm,
goto done;
}
- ipsec_add_del_sa (vm, &sa, is_add, 0 /* enable nat traversal */ );
+ ipsec_add_del_sa (vm, &sa, is_add);
done:
unformat_free (line_input);
@@ -665,8 +669,8 @@ show_ipsec_command_fn (vlib_main_t * vm,
hi = vnet_get_hw_interface (im->vnet_main, t->hw_if_index);
vlib_cli_output(vm, " %s seq", hi->name);
sa = pool_elt_at_index(im->sad, t->output_sa_index);
- vlib_cli_output(vm, " seq %u seq-hi %u esn %u anti-replay %u",
- sa->seq, sa->seq_hi, sa->use_esn, sa->use_anti_replay);
+ vlib_cli_output(vm, " seq %u seq-hi %u esn %u anti-replay %u udp-encap %u",
+ sa->seq, sa->seq_hi, sa->use_esn, sa->use_anti_replay, sa->udp_encap);
vlib_cli_output(vm, " local-spi %u local-ip %U", sa->spi,
format_ip4_address, &sa->tunnel_src_addr.ip4);
vlib_cli_output(vm, " local-crypto %U %U",
@@ -766,6 +770,8 @@ create_ipsec_tunnel_command_fn (vlib_main_t * vm,
a.renumber = 1;
else if (unformat (line_input, "del"))
a.is_add = 0;
+ else if (unformat (line_input, "udp-encap"))
+ a.udp_encap = 1;
else
{
error = clib_error_return (0, "unknown input `%U'",
@@ -808,7 +814,7 @@ done:
/* *INDENT-OFF* */
VLIB_CLI_COMMAND (create_ipsec_tunnel_command, static) = {
.path = "create ipsec tunnel",
- .short_help = "create ipsec tunnel local-ip <addr> local-spi <spi> remote-ip <addr> remote-spi <spi> [instance <inst_num>]",
+ .short_help = "create ipsec tunnel local-ip <addr> local-spi <spi> remote-ip <addr> remote-spi <spi> [instance <inst_num>] [udp-encap]",
.function = create_ipsec_tunnel_command_fn,
};
/* *INDENT-ON* */
diff --git a/src/vnet/ipsec/ipsec_if.c b/src/vnet/ipsec/ipsec_if.c
index 82c2394e5cc..cb7e89a68e6 100644
--- a/src/vnet/ipsec/ipsec_if.c
+++ b/src/vnet/ipsec/ipsec_if.c
@@ -318,6 +318,7 @@ ipsec_add_del_tunnel_if_internal (vnet_main_t * vnm,
sa->use_esn = args->esn;
sa->use_anti_replay = args->anti_replay;
sa->integ_alg = args->integ_alg;
+ sa->udp_encap = args->udp_encap;
if (args->remote_integ_key_len <= sizeof (args->remote_integ_key))
{
sa->integ_key_len = args->remote_integ_key_len;
@@ -342,6 +343,7 @@ ipsec_add_del_tunnel_if_internal (vnet_main_t * vnm,
sa->use_esn = args->esn;
sa->use_anti_replay = args->anti_replay;
sa->integ_alg = args->integ_alg;
+ sa->udp_encap = args->udp_encap;
if (args->local_integ_key_len <= sizeof (args->local_integ_key))
{
sa->integ_key_len = args->local_integ_key_len;