Age | Commit message (Collapse) | Author | Files | Lines |
|
The following issues are fixed:
* in responder code: do lookup again as the old pointer could be
invalidated during the cleanup operation
* in initiar code: do the cleanup of session if there're no child SAs or
if there's no response from the responder during initial request (this
can easily happen if the response packet was lost/dropped/etc)
* print the state of ikev2 profile (for easier tshooting)
Type: fix
Change-Id: I853d9851c0cf131696585e3c98fa97e66789badd
Signed-off-by: Stanislav Zaikin <stanislav.zaikin@46labs.com>
|
|
Type: improvement
Change-Id: I3fbbda0378b72843ecd39a7e8592dedc9757793a
Signed-off-by: Damjan Marion <dmarion@me.com>
|
|
In RFC 7296, CREATE_CHILD_SA Exchange may contain the KE payload
to enable stronger guarantees of forward secrecy.
When the KEi payload is included in the CREATE_CHILD_SA request,
responder should reply with the KEr payload and complete the key
exchange, in accordance with the RFC.
Type: improvement
Signed-off-by: Atzm Watanabe <atzmism@gmail.com>
Change-Id: I13cf6cf24359c11c3366757e585195bb7e999638
|
|
Type: fix
Signed-off-by: Atzm Watanabe <atzmism@gmail.com>
Change-Id: I11b6107492004a45104857dc2dae01b9a5a01e3b
|
|
- do not initialize resources if ikev2 is not used.
- process IKE packets only if we have profile(s) configured
Type: improvement
Change-Id: I57c95a888532eafd70989096c0555ebb1d7bef25
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
Type: feature
Ticket: VPP-1901
Change-Id: I1ad222b54363fd35679d0132d458345a9a18362c
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Type: refactor
IKEv2 registers the IPSec node as the port handler, so it can use the
IPSec functions to do that.
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: If398dde0a8eb0407eba3ede62a3d5a8c12fe68a7
|
|
When strongSwan rekeys it sends create child sa request first and then
delete request for the old child sa (or vice versa depending on
configuration) as opposed to sending just a single create child sa with
rekey notify message.
Type: fix
Change-Id: I1fa55a607ca623cd3a6d887436207153c6f6bbf6
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Type: feature
Change-Id: Ic502d806410ea3c8f3f1eac70b694114ccb053bf
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Type: feature
Ticket: VPP-1935
Change-Id: I705f84047b112279377590157a1c7b4a34f693d2
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Type: feature
Change-Id: I0db0a9b2f872753fa64d27335838cb34645a9ee8
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Type: improvement
Ticket: VPP-1894
Change-Id: I5a24a48416bca2ffbd346cdaa813fb25801e6c9b
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Type: fix
Change-Id: Ic406aa914d92e802a5fb0f27c2ffa1b98db012b0
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Ticket: VPP-1917
Type: feature
Change-Id: Ie9f22e7336aa7807b1967c48de9843df10fb575c
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Ticket: VPP-1918
Type: improvement
Change-Id: I2bc3e30121697404dcd54f1c2127bd85ccc1029e
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Type: fix
Change-Id: Ie3d24b3df02d08fbb74d97f4e5ab0d79c35b0c0d
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Type: feature
Ticket: VPP-1920
Change-Id: I6e30f3594cb30553f3ca5a35e0a4f679325aacec
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Type: refactor
Change-Id: I04af90b4d86c00092ce1732aeb3c0517af1808e0
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Type: improvement
Change-Id: I0893d7cd8b8ab9958f585ac564bd0638bc60e78a
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Type: fix
Change-Id: I3198461f3dfc13cd3cedf2b8611dc80bb6f959c8
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Type: feature
* initiator behind NAT supported
* tested with static NAT mappings
* works only with pre-configured tunnels
The pre-configured tunnel has to be defined as follows:
initiator (i) side: src=ip(i) dst=ip(r)
responder (r) side: src=ip(r) dst=ip(nat)
Change-Id: Ia9f79ddbbcc3f7dc8fde6bbeca2a433e3b784e94
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Introduce new cli for setting liveness check period and max retries for
a peer to consider its partner dead.
ikev2 set liveness <period-in-seconds> <max-retires>
Type: improvement
Change-Id: Iadae1de245d34fe3ee85e09b570f9df8c401772b
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
This patch fixes 2 different crashes:
1) BN_bn2bin() returns bytes written, not actual key length. Use
BN_bn2binpad() instead which adds padding.
2) Initiator may receive multiple sa-init responses for the same ispi
which may result in crash. Remember first response and ignore any
subsequent ones.
Type: fix
Change-Id: Ia1eac9167e3100a6894c0563ee70bab04f6a5f4f
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Type: feature
Change-Id: Ibc65d739583dc11735f993f4c7e7ee6d3c8f5b0a
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Type: feature
Change-Id: Ifee2b3dca85ea915067b9285e3636802bf0c19a8
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Type: improvement
Change-Id: Id8fc6750e856862157917587234a6b7b03531b13
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Type: improvement
Change-Id: I081dec2dc0c2bd0845dd4638b7b2f12806594112
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Type: fix
Change-Id: Ifb675c7783f03de4db8147858dd93d9687176f40
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Type: feature
... rather than always creating a new interface.
Change-Id: If8a22ad5a8a3a4e511bea7cab7d8bbf7e6af9433
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Type: refactor
Change-Id: Iedcb24684c54f4d78583ab3aa3db1097e73df248
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Type: fix
Change-Id: Ib00ab9b2f28c0f4d85e96bf95697f61b8e415f37
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Type: fix
Change-Id: I5ad27b05c34494c5a2ea28706130612b547aaf67
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Type: fix
Change-Id: I382499061ff4b1c2cc1b70ebbf9725ff0e1be325
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Type: fix
Change-Id: I8aa9029e0a5cf21aa24a90b39eb2787653f65abb
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
for easy integration with ptoducts running their own Ike stack.
Without the VPP IKE plugin loaded, the product is free to handle
IKE packets as it pleases.
Change-Id: Id0839f4d58b797f4c2da0382eb499fc08b05f66f
Signed-off-by: Neale Ranns <nranns@cisco.com>
|