summaryrefslogtreecommitdiffstats
path: root/src/plugins/ikev2
AgeCommit message (Collapse)AuthorFilesLines
2021-02-19ikev2: start counting msgid from 0Filip Tehlar1-2/+2
This fixes an issue when initiator is expecting request with intitial msgid being 0 but 1 is received instead which results in retransmission (instead of normally processing the new request). Type: fix Change-Id: I60062276bd93de78128847c5b15f5d6cecf1df65 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2021-02-16ikev2: fix coverity warningsFilip Tehlar2-100/+117
Type: fix Change-Id: Ia22b1189b82e885eb380f638ea6d05923a858f01 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2021-02-15ikev2: fix rekey against strongSwanFilip Tehlar2-52/+94
When strongSwan rekeys it sends create child sa request first and then delete request for the old child sa (or vice versa depending on configuration) as opposed to sending just a single create child sa with rekey notify message. Type: fix Change-Id: I1fa55a607ca623cd3a6d887436207153c6f6bbf6 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2021-02-11tests: tag the tests that do not work with multi-worker configurationAndrew Yourtchenko1-0/+16
If the multi-worker default VPP configuration is triggered by setting VPP_WORKER_CONFIG="workers 2", some of the tests fail for various reasons. It's a substantial number, so this change marks all of the testsets that have this issue, such that they can be addressed later independently. Type: test Change-Id: I4f77196499edef3300afe7eabef9cbff91f794d3 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2021-02-10ipsec: Use the new tunnel API types to add flow label and TTL copyNeale Ranns1-23/+37
support Type: feature attmpet 2. this includes changes in ah_encrypt that don't use uninitialised memory when doing tunnel mode fixups. Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: Ie3cb776f5c415c93b8a5ee22f22586fd0181110d
2021-02-09Revert "ipsec: Use the new tunnel API types to add flow label and TTL copy"Matthew Smith1-37/+23
This reverts commit c7eaa711f3e25580687df0618e9ca80d3dc85e5f. Reason for revert: The jenkins job named 'vpp-merge-master-ubuntu1804-x86_64' had 2 IPv6 AH tests fail after the change was merged. Those 2 tests also failed the next time that job ran after an unrelated change was merged. Change-Id: I0e2c3ee895114029066c82624e79807af575b6c0 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2021-02-08ipsec: Use the new tunnel API types to add flow label and TTL copyNeale Ranns1-23/+37
support Type: feature Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: I6d4a9b187daa725d4b2cbb66e11616802d44d2d3
2021-02-05ikev2: fix bad ip in logsFilip Tehlar1-5/+9
Type: fix Change-Id: Icd01491043e9fd1bb8f51f4f55e1252fd78512de Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2021-02-05tests: ikev2: non-default table id testFilip Tehlar1-0/+33
Test whether responder sends info requests using correct ip table Type: test Change-Id: I9e97576f9d80686961f92de3cbc3e6f8d6341587 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2021-02-04ikev2: add hint to the log when IDs do not matchFilip Tehlar1-1/+10
Type: improvement Ticket: VPP-1908 Change-Id: I1d86ea18fcb6174b86c449d5d9403fd0e5715318 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2021-02-04ikev2: fix msgidFilip Tehlar1-0/+1
Type: fix In responder initialize msgid in requests to 1 as the previous value (0) was causing retransmision on the initiator. Change-Id: I8f5b84331ecac5943129f4c9a377076768fec455 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2021-01-27ikev2: add per SA statsFilip Tehlar7-15/+68
Type: feature Change-Id: Ic502d806410ea3c8f3f1eac70b694114ccb053bf Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2021-01-21ip: Use correct enum type in ip_address_setNeale Ranns1-2/+2
Type: refactor Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: Ice2bc42838e6d5ba579f449c3f8b0feffebeb719
2021-01-20ikev2: use new counters data model & add more countersFilip Tehlar3-50/+169
Type: feature Ticket: VPP-1916 Change-Id: Ibe612d21f748a532d88b73b286dc4a1dd15d7420 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2021-01-13ikev2: remove assert conditionFilip Tehlar1-19/+36
Remove assert condition ensuring that a packet was punted with reason spi=0. We can't rely on data in punt_reason because it is defind in an union. This patch adds a new IKE node that handles punted IKE packets separately. Type: fix Change-Id: I2e1b44922e53e049bd8512fa5cb85cee6a2b8aa7 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2021-01-08ikev2: fix lookup in wrong ip tableFilip Tehlar1-4/+6
In responder mode we need to remember interface index from which IKE session was initiated. Otherwise when sending keep alive packets to the initiator, the default ip table is always used for lookup instead of the one associated with the interface. Type: fix Change-Id: Iade3fc3a490b7ae83c3f6e9014d1f4204e476ac1 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-12-14ikev2: add reason for deleted sa debug logBenoît Ganne1-5/+5
Type: improvement Change-Id: If991165406d10d877aa6c7b2a03b4b741272928c Signed-off-by: Benoît Ganne <bganne@cisco.com>
2020-12-14ikev2: fix show ikev2 profileBenoît Ganne1-38/+18
format_ip_address() to display {local,remote}_id does not work because we do not store ip_address_t but ip{4,6}_address_t, hence we lack the ip_address_family_t version field. Update format_ikev2_id_type_and_data() to support all types and use it instead. Type: fix Change-Id: I7a81beb0b22fcf1c5d1bf03a32a6cc4f030f4361 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2020-12-14misc: move to new pool_foreach macrosDamjan Marion3-40/+40
Type: refactor Change-Id: Ie67dc579e88132ddb1ee4a34cb69f96920101772 Signed-off-by: Damjan Marion <damarion@cisco.com>
2020-12-14api: add missing version infoPaul Vinciguerra1-1/+1
Type: fix Change-Id: I269214e3eae72e837f25ee61d714556d976d410f Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
2020-12-09ikev2: test responder behind NATFilip Tehlar1-29/+49
Type: test Ticket: VPP-1903 Change-Id: I7fab6931833d6e253b7b921172825387302d8f70 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-12-07tests: py2 cleanup - remove subclassing of objectPaul Vinciguerra1-0/+1
Type: refactor Change-Id: I9096e3b473110350e1e8e5936e3c4c164f8969a7 Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
2020-12-02ikev2: fix nat traversalFilip Tehlar2-3/+48
Type: fix Change-Id: Ie723cf680745ec2292a15e2df05c1821436dba19 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-11-26ikev2: better handling when no IKE DH configuredFilip Tehlar2-34/+161
Type: improvement Change-Id: I4289d20adaa3f2872889d5dbaafd9c025df8aca8 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-11-25ikev2: fix issue when sending multiple requests at onceFilip Tehlar2-20/+68
Type: fix Change-Id: I8ed556de4370a03d10c56cce101cd5ea0d0aaf8b Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-11-19ikev2: respect punting only for ipv4Benoît Ganne1-1/+7
IPSec punting to IKEv2 is valid only for NAT-T in IPv4. Fix coverity CID 214915. Type: fix Change-Id: I6f2db38abf179565316f50c5d47c78acce3a0d01 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2020-11-18ikev2: fix memleak when tunnel protect failsFilip Tehlar1-20/+37
Type: fix Change-Id: I1d278fc2b03b948c054ff1686315635ac0278ae8 Signed-off-by: Filip Tehlar <ftehlar@cisco.com> Signed-off-by: Benoît Ganne <bganne@cisco.com>
2020-11-09ikev2: add tests for DPDFilip Tehlar1-1/+62
Type: test Change-Id: I9c1129a8596344551f3f8f2e029846d22511482e Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-11-09ikev2: fix msg IDs generationFilip Tehlar1-14/+16
Type: fix Change-Id: Id922895c269f0d2450e55fcb6871b6857f443462 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-11-09ikev2: fix udp encapFilip Tehlar2-9/+23
Type: fix Change-Id: I8c66f79f2d8cfff7c6d45e1fc5b529ffb3941491 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-10-31ikev2: add option to disable NAT traversalFilip Tehlar9-34/+154
Type: feature Ticket: VPP-1935 Change-Id: I705f84047b112279377590157a1c7b4a34f693d2 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-11-04ikev2: fix reply during rekeyFilip Tehlar2-44/+192
Type: fix Change-Id: If87f4b8ae92508215fe91178958fe2ddb91e5a35 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-11-04ikev2: increase tick interval in process nodeFilip Tehlar1-13/+2
This helps to resolve sporadic failures in unit tests. Type: fix Change-Id: I3abd77ed74310f9729a841e8569eafe6d7758dcb Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-11-02ikev2: cli for disabling dead peer detectionFilip Tehlar3-2/+30
Type: feature Change-Id: I0db0a9b2f872753fa64d27335838cb34645a9ee8 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-10-30ikev2: fix memory leakFilip Tehlar1-2/+7
Type: fix Change-Id: I33c38c791cc9a28898de402ae831c4862073eb2d Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-11-02ipsec: Tunnel SA DSCP behaviourNeale Ranns1-2/+6
Type: feature - use tunnel_encap_decap_flags to control the copying of DSCP/ECN/etc during IPSEC tunnel mode encap. - use DSCP value to have fixed encap value. Signed-off-by: Neale Ranns <nranns@cisco.com> Change-Id: If4f51fd4c1dcbb0422aac9bd078e5c14af5bf11f
2020-10-21ikev2: support sending requests from responderFilip Tehlar4-29/+146
Type: improvement Ticket: VPP-1894 Change-Id: I5a24a48416bca2ffbd346cdaa813fb25801e6c9b Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-10-21ikev2: fix setting responder/initiator addressesFilip Tehlar4-67/+95
Type: fix Change-Id: Ic406aa914d92e802a5fb0f27c2ffa1b98db012b0 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-10-21ikev2: prevent crash after no IP addressFilip Tehlar1-196/+345
Type: fix Ticket: VPP-1900 This fixes a crash when initiating IKE connection using interface without any IP address. It also ensures that the IKE connection is automatically retried once the interface obtains an address. Signed-off-by: jan_cavojsky <Jan.Cavojsky@pantheon.tech> Signed-off-by: Filip Tehlar <ftehlar@cisco.com> Change-Id: Ia1919c349e64b3a0a4198365e075e177e3ba3de5
2020-10-21misc: minimize dependencies on udp.hFlorin Coras2-2/+0
Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: Id13f33843b230a1d169560742c4f7b2dc17d8718
2020-10-13ikev2: fix initial contact cleanupFilip Tehlar2-306/+562
When looking for existing SA connection to clean up search all per thread data, not only current one. Type: fix Change-Id: I59312e08a07ca1f474b6389999e59320c5128e7d Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-10-13ikev2: fix coverity warningFilip Tehlar1-5/+21
Type: fix Change-Id: Iee96b3ea3e71ec248c3c3c98d153a08372b5faf0 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-10-13ikev2: fix memory leak in auth routineFilip Tehlar1-0/+4
Type: fix Change-Id: I93529b069925fcef32cdb22e27975b802b4c3b97 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-10-07misc: Purge unused pg includesNeale Ranns3-3/+0
Type: style Signed-off-by: Neale Ranns <nranns@cisco.com> Change-Id: I26a19e42076e031ec5399d5ca05cb49fd6fbe1cd
2020-10-05ikev2: support ipv6 traffic selectors & overlayFilip Tehlar11-380/+695
Ticket: VPP-1917 Type: feature Change-Id: Ie9f22e7336aa7807b1967c48de9843df10fb575c Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-10-02ikev2: fix leaking pending INIT requestsFilip Tehlar1-0/+16
.. when associated profile is deleted. Type: fix Change-Id: Ib05831d79b3b58664ee0a930960513fd465373bf Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-10-02ikev2: fix cli memory leakBenoît Ganne1-30/+40
Type: fix Change-Id: Ibdd83fa336427ec0c66224ecebb1b6bd36d1d1ba Signed-off-by: Benoît Ganne <bganne@cisco.com>
2020-09-30ikev2: fix issue when decrypting packet with no keysFilip Tehlar1-1/+1
Type: fix Change-Id: I0e615d5089587992012a0f280ee902b2906f21c2 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-10-01ikev2: refactor ikev2 nodeFilip Tehlar1-407/+359
Type: refactor Change-Id: I65acbd5d9724c500a24699de973df08016d9d8d6 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-09-30ikev2: better packet parsing functionsFilip Tehlar7-274/+596
Ticket: VPP-1918 Type: improvement Change-Id: I2bc3e30121697404dcd54f1c2127bd85ccc1029e Signed-off-by: Filip Tehlar <ftehlar@cisco.com>