aboutsummaryrefslogtreecommitdiffstats
path: root/src/plugins/ikev2/ikev2_priv.h
AgeCommit message (Collapse)AuthorFilesLines
2023-07-27ikev2: cleanup stuck sessionsDenys Haryachyy1-8/+13
The following issues are fixed: * in responder code: do lookup again as the old pointer could be invalidated during the cleanup operation * in initiar code: do the cleanup of session if there're no child SAs or if there's no response from the responder during initial request (this can easily happen if the response packet was lost/dropped/etc) * print the state of ikev2 profile (for easier tshooting) Type: fix Change-Id: I853d9851c0cf131696585e3c98fa97e66789badd Signed-off-by: Stanislav Zaikin <stanislav.zaikin@46labs.com>
2022-10-12misc: fix issues reported by clang-15Damjan Marion1-1/+1
Type: improvement Change-Id: I3fbbda0378b72843ecd39a7e8592dedc9757793a Signed-off-by: Damjan Marion <dmarion@me.com>
2022-08-18ikev2: accept key exchange on CREATE_CHILD_SAAtzm Watanabe1-0/+1
In RFC 7296, CREATE_CHILD_SA Exchange may contain the KE payload to enable stronger guarantees of forward secrecy. When the KEi payload is included in the CREATE_CHILD_SA request, responder should reply with the KEr payload and complete the key exchange, in accordance with the RFC. Type: improvement Signed-off-by: Atzm Watanabe <atzmism@gmail.com> Change-Id: I13cf6cf24359c11c3366757e585195bb7e999638
2022-08-10ikev2: do not accept rekey until old SA is deletedAtzm Watanabe1-0/+1
Type: fix Signed-off-by: Atzm Watanabe <atzmism@gmail.com> Change-Id: I11b6107492004a45104857dc2dae01b9a5a01e3b
2021-10-08ikev2: lazy initializationBenoît Ganne1-0/+10
- do not initialize resources if ikev2 is not used. - process IKE packets only if we have profile(s) configured Type: improvement Change-Id: I57c95a888532eafd70989096c0555ebb1d7bef25 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2021-03-15ikev2: support responder hostnameFilip Tehlar1-0/+5
Type: feature Ticket: VPP-1901 Change-Id: I1ad222b54363fd35679d0132d458345a9a18362c Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2021-02-25ikev2: Use the IPSec functions for UDP port managementNeale Ranns1-3/+0
Type: refactor IKEv2 registers the IPSec node as the port handler, so it can use the IPSec functions to do that. Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: If398dde0a8eb0407eba3ede62a3d5a8c12fe68a7
2021-02-15ikev2: fix rekey against strongSwanFilip Tehlar1-0/+2
When strongSwan rekeys it sends create child sa request first and then delete request for the old child sa (or vice versa depending on configuration) as opposed to sending just a single create child sa with rekey notify message. Type: fix Change-Id: I1fa55a607ca623cd3a6d887436207153c6f6bbf6 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2021-01-27ikev2: add per SA statsFilip Tehlar1-0/+12
Type: feature Change-Id: Ic502d806410ea3c8f3f1eac70b694114ccb053bf Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-10-31ikev2: add option to disable NAT traversalFilip Tehlar1-1/+18
Type: feature Ticket: VPP-1935 Change-Id: I705f84047b112279377590157a1c7b4a34f693d2 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-11-02ikev2: cli for disabling dead peer detectionFilip Tehlar1-0/+4
Type: feature Change-Id: I0db0a9b2f872753fa64d27335838cb34645a9ee8 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-10-21ikev2: support sending requests from responderFilip Tehlar1-0/+2
Type: improvement Ticket: VPP-1894 Change-Id: I5a24a48416bca2ffbd346cdaa813fb25801e6c9b Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-10-21ikev2: fix setting responder/initiator addressesFilip Tehlar1-0/+1
Type: fix Change-Id: Ic406aa914d92e802a5fb0f27c2ffa1b98db012b0 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-10-05ikev2: support ipv6 traffic selectors & overlayFilip Tehlar1-32/+18
Ticket: VPP-1917 Type: feature Change-Id: Ie9f22e7336aa7807b1967c48de9843df10fb575c Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-09-30ikev2: better packet parsing functionsFilip Tehlar1-8/+12
Ticket: VPP-1918 Type: improvement Change-Id: I2bc3e30121697404dcd54f1c2127bd85ccc1029e Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-07-28ikev2: fix session re-initiate after SA expiresFilip Tehlar1-0/+1
Type: fix Change-Id: Ie3d24b3df02d08fbb74d97f4e5ab0d79c35b0c0d Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-07-15ikev2: add support for AES-GCM cipher in IKEFilip Tehlar1-2/+19
Type: feature Ticket: VPP-1920 Change-Id: I6e30f3594cb30553f3ca5a35e0a4f679325aacec Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-07-07ikev2: per thread usage of openssl contextFilip Tehlar1-0/+7
Type: refactor Change-Id: I04af90b4d86c00092ce1732aeb3c0517af1808e0 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-06-27ikev2: remove unused fieldFilip Tehlar1-1/+0
Type: improvement Change-Id: I0893d7cd8b8ab9958f585ac564bd0638bc60e78a Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-06-04ikev2: session cleanup after profile is deletedFilip Tehlar1-1/+0
Type: fix Change-Id: I3198461f3dfc13cd3cedf2b8611dc80bb6f959c8 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-05-15ikev2: add support for NAT traversalFilip Tehlar1-2/+8
Type: feature * initiator behind NAT supported * tested with static NAT mappings * works only with pre-configured tunnels The pre-configured tunnel has to be defined as follows: initiator (i) side: src=ip(i) dst=ip(r) responder (r) side: src=ip(r) dst=ip(nat) Change-Id: Ia9f79ddbbcc3f7dc8fde6bbeca2a433e3b784e94 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-04-07ikev2: make liveness params configurableFilip Tehlar1-0/+6
Introduce new cli for setting liveness check period and max retries for a peer to consider its partner dead. ikev2 set liveness <period-in-seconds> <max-retires> Type: improvement Change-Id: Iadae1de245d34fe3ee85e09b570f9df8c401772b Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-03-26ikev2: fix wrong usage of BN_bn2bin()Filip Tehlar1-0/+1
This patch fixes 2 different crashes: 1) BN_bn2bin() returns bytes written, not actual key length. Use BN_bn2binpad() instead which adds padding. 2) Initiator may receive multiple sa-init responses for the same ispi which may result in crash. Remember first response and ignore any subsequent ones. Type: fix Change-Id: Ia1eac9167e3100a6894c0563ee70bab04f6a5f4f Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-03-26ikev2: dead peer detectionFilip Tehlar1-0/+3
Type: feature Change-Id: Ibc65d739583dc11735f993f4c7e7ee6d3c8f5b0a Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-03-21ikev2: add support for custom ipsec-over-udp portFilip Tehlar1-0/+5
Type: feature Change-Id: Ifee2b3dca85ea915067b9285e3636802bf0c19a8 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-03-06ikev2: align per thread data to cache lineFilip Tehlar1-0/+2
Type: improvement Change-Id: Id8fc6750e856862157917587234a6b7b03531b13 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-03-02ikev2: make UDP encap flag configurableFilip Tehlar1-0/+2
Type: improvement Change-Id: I081dec2dc0c2bd0845dd4638b7b2f12806594112 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-02-24ikev2: proper cleanup of SAs during rekeyFilip Tehlar1-0/+5
Type: fix Change-Id: Ifb675c7783f03de4db8147858dd93d9687176f40 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-02-11ikev2: Configure a profile with an existing interfaceNeale Ranns1-0/+4
Type: feature ... rather than always creating a new interface. Change-Id: If8a22ad5a8a3a4e511bea7cab7d8bbf7e6af9433 Signed-off-by: Neale Ranns <nranns@cisco.com>
2020-02-10ikev2: better loggingFilip Tehlar1-7/+173
Type: refactor Change-Id: Iedcb24684c54f4d78583ab3aa3db1097e73df248 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2019-12-12ikev2: fix crash during SA rekeyFilip Tehlar1-0/+3
Type: fix Change-Id: Ib00ab9b2f28c0f4d85e96bf95697f61b8e415f37 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2019-11-22ikev2: install/remove ipsec tunnels from main threadFilip Tehlar1-3/+2
Type: fix Change-Id: I5ad27b05c34494c5a2ea28706130612b547aaf67 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2019-10-22ikev2: fix GCM cipherFilip Tehlar1-0/+7
Type: fix Change-Id: I382499061ff4b1c2cc1b70ebbf9725ff0e1be325 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2019-10-09ikev2: fix dangling pointerFilip Tehlar1-1/+2
Type: fix Change-Id: I8aa9029e0a5cf21aa24a90b39eb2787653f65abb Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2019-02-25IKEv2 to pluginNeale Ranns1-0/+364
for easy integration with ptoducts running their own Ike stack. Without the VPP IKE plugin loaded, the product is free to handle IKE packets as it pleases. Change-Id: Id0839f4d58b797f4c2da0382eb499fc08b05f66f Signed-off-by: Neale Ranns <nranns@cisco.com>