aboutsummaryrefslogtreecommitdiffstats
path: root/src/plugins/ikev2
AgeCommit message (Collapse)AuthorFilesLines
2020-10-21ikev2: support sending requests from responderFilip Tehlar4-29/+146
Type: improvement Ticket: VPP-1894 Change-Id: I5a24a48416bca2ffbd346cdaa813fb25801e6c9b Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-10-21ikev2: fix setting responder/initiator addressesFilip Tehlar4-67/+95
Type: fix Change-Id: Ic406aa914d92e802a5fb0f27c2ffa1b98db012b0 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-10-21ikev2: prevent crash after no IP addressFilip Tehlar1-196/+345
Type: fix Ticket: VPP-1900 This fixes a crash when initiating IKE connection using interface without any IP address. It also ensures that the IKE connection is automatically retried once the interface obtains an address. Signed-off-by: jan_cavojsky <Jan.Cavojsky@pantheon.tech> Signed-off-by: Filip Tehlar <ftehlar@cisco.com> Change-Id: Ia1919c349e64b3a0a4198365e075e177e3ba3de5
2020-10-21misc: minimize dependencies on udp.hFlorin Coras2-2/+0
Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: Id13f33843b230a1d169560742c4f7b2dc17d8718
2020-10-13ikev2: fix initial contact cleanupFilip Tehlar2-306/+562
When looking for existing SA connection to clean up search all per thread data, not only current one. Type: fix Change-Id: I59312e08a07ca1f474b6389999e59320c5128e7d Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-10-13ikev2: fix coverity warningFilip Tehlar1-5/+21
Type: fix Change-Id: Iee96b3ea3e71ec248c3c3c98d153a08372b5faf0 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-10-13ikev2: fix memory leak in auth routineFilip Tehlar1-0/+4
Type: fix Change-Id: I93529b069925fcef32cdb22e27975b802b4c3b97 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-10-07misc: Purge unused pg includesNeale Ranns3-3/+0
Type: style Signed-off-by: Neale Ranns <nranns@cisco.com> Change-Id: I26a19e42076e031ec5399d5ca05cb49fd6fbe1cd
2020-10-05ikev2: support ipv6 traffic selectors & overlayFilip Tehlar11-380/+695
Ticket: VPP-1917 Type: feature Change-Id: Ie9f22e7336aa7807b1967c48de9843df10fb575c Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-10-02ikev2: fix leaking pending INIT requestsFilip Tehlar1-0/+16
.. when associated profile is deleted. Type: fix Change-Id: Ib05831d79b3b58664ee0a930960513fd465373bf Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-10-02ikev2: fix cli memory leakBenoît Ganne1-30/+40
Type: fix Change-Id: Ibdd83fa336427ec0c66224ecebb1b6bd36d1d1ba Signed-off-by: Benoît Ganne <bganne@cisco.com>
2020-09-30ikev2: fix issue when decrypting packet with no keysFilip Tehlar1-1/+1
Type: fix Change-Id: I0e615d5089587992012a0f280ee902b2906f21c2 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-10-01ikev2: refactor ikev2 nodeFilip Tehlar1-407/+359
Type: refactor Change-Id: I65acbd5d9724c500a24699de973df08016d9d8d6 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-09-30ikev2: better packet parsing functionsFilip Tehlar7-274/+596
Ticket: VPP-1918 Type: improvement Change-Id: I2bc3e30121697404dcd54f1c2127bd85ccc1029e Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-09-30ikev2: show IKE SA command improvementsFilip Tehlar1-95/+169
Ticket: VPP-1898 Type: improvement Change-Id: I1c56df331965c733a2d0eae63a12d5a4ee5a2e41 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-09-29ikev2: fix false positive NAT detectionFilip Tehlar1-18/+13
Type: fix Change-Id: Id7f865f537c55d00a784eec51624ba28e903a083 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-09-28ikev2: fix memory leaksBenoît Ganne2-3/+21
Type: fix Change-Id: I5be19a4923b37e2636621d36155178ac348ee41c Signed-off-by: Benoît Ganne <bganne@cisco.com>
2020-09-10ikev2: fix copy-paste error when freeing memoryFilip Tehlar1-1/+1
Type: fix Change-Id: If44c807d188b3e88d819f4132d73e6a34402a525 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-09-11ikev2: fix memory leaksBenoît Ganne1-7/+20
- make sure everything is freed on cleanup - reuse already allocated vectors where possible Type: fix Change-Id: Ibd8da1edb37126522dc2d525596521d32dceb73a Signed-off-by: Benoît Ganne <bganne@cisco.com>
2020-07-28ikev2: fix session re-initiate after SA expiresFilip Tehlar2-1/+3
Type: fix Change-Id: Ie3d24b3df02d08fbb74d97f4e5ab0d79c35b0c0d Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-07-24ikev2: add SA dump APIjan_cavojsky5-6/+907
Type: feature Ticket: VPP-1897 Change-Id: I0245aceeb344efd29b1f9217c35889a8bbe1f744 Signed-off-by: jan_cavojsky <Jan.Cavojsky@pantheon.tech> Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-07-23ikev2: add global message length checkBenoît Ganne1-96/+89
Type: fix Change-Id: I3eb51ea4f6c29005b0315cf488fcabb8543dfcd1 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2020-07-20ikev2: refactor and test profile dump APIFilip Tehlar9-129/+340
Type: refactor Change-Id: I6b8dc68e5d4a452776fbaf5a69fbd7f53a8abb75 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-07-16ikev2: fix race condition in child_sa updateBenoît Ganne1-0/+3
Type: fix Change-Id: I864d49a641b45337c0a45a0af7d996cad75f6629 Signed-off-by: Benoît Ganne <bganne@cisco.com> Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-07-15ikev2: add support for AES-GCM cipher in IKEFilip Tehlar6-120/+345
Type: feature Ticket: VPP-1920 Change-Id: I6e30f3594cb30553f3ca5a35e0a4f679325aacec Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-07-14ikev2: API downgrade due to lack of ikev2 testsFilip Tehlar1-19/+17
Type: refactor Change-Id: Ic7ddad20088e069887f81721cceb21f4902e8907 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-07-07ikev2: per thread usage of openssl contextFilip Tehlar3-77/+47
Type: refactor Change-Id: I04af90b4d86c00092ce1732aeb3c0517af1808e0 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-07-06ikev2: add profile dump APIJan Cavojsky6-0/+436
Type: feature Signed-off-by: Jan Cavojsky <Jan.Cavojsky@pantheon.tech> Change-Id: I84776a50b520134e8a3ca6ae41b4cc29009e6319
2020-07-06ikev2: add more ikev2 testsFilip Tehlar1-18/+135
Tests for AES-GCM and AES-CBC with different key lengths Type: test Change-Id: Ie7eeebb0f7e8331a717866475cb4ee00042857ce Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-07-02ikev2: use remote proposals when installing tunnelFilip Tehlar1-2/+2
Change-Id: Ib9c5dff6c825f495400a73869d429b9c2df670fc Type: fix Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-06-30tests: ikev2: add nat traversal & cert based auth testFilip Tehlar6-49/+253
Type: test Change-Id: I3e8e451c5deaf04f519a471369370c383d9cda3b Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-06-27ikev2: add FEATURE.yamlBenoît Ganne1-0/+17
Type: docs Change-Id: Ie7836543e52bee08d12c565fbb6238d3e82ea3ce Signed-off-by: Benoît Ganne <bganne@cisco.com>
2020-06-27ikev2: remove unused fieldFilip Tehlar1-1/+0
Type: improvement Change-Id: I0893d7cd8b8ab9958f585ac564bd0638bc60e78a Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-06-18ikev2: use both local and remote ID for profile lookupFilip Tehlar2-22/+50
Type: fix Ticket: VPP-1890 Change-Id: I9441d5afc38df7dabf6cccaead69dd32646d2a9e Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-06-18tests: add ikev2 test framework with basic test caseFilip Tehlar2-0/+651
Ticket: VPP-1905 Type: test Change-Id: Ie66fbd8e37eb5e69bd61b701ed3449366bee8c84 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-06-15ikev2: announce both 'ESN' and 'No ESN'Filip Tehlar1-1/+0
Type: fix Change-Id: If73b88b9478b9314df6d9163c3a13724d4253c80 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-06-11ikev2: don't add DH group in ESP transform proposalsFilip Tehlar2-10/+10
Type: fix Anouncing DH group in esp transform proposals will enable PFS which is not suppored now. This fixes issue during rekey when using strongswan as responder. Change-Id: Ib9f586113ae0ab9dc67e6ceadff43f8aac463820 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-06-04ikev2: session cleanup after profile is deletedFilip Tehlar2-52/+119
Type: fix Change-Id: I3198461f3dfc13cd3cedf2b8611dc80bb6f959c8 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-06-02ikev2: remove unused hash computationFilip Tehlar1-4/+1
Type: improvement Change-Id: I99c2383dd0d30efd1837f3d10ff2e4cf3a784283 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-05-15ikev2: add support for NAT traversalFilip Tehlar4-82/+286
Type: feature * initiator behind NAT supported * tested with static NAT mappings * works only with pre-configured tunnels The pre-configured tunnel has to be defined as follows: initiator (i) side: src=ip(i) dst=ip(r) responder (r) side: src=ip(r) dst=ip(nat) Change-Id: Ia9f79ddbbcc3f7dc8fde6bbeca2a433e3b784e94 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-05-14ikev2: use u32 in unformatFilip Tehlar1-1/+1
Type: fix Change-Id: If240bd8b3579678c0a6b5ea723946a35b53e5c31 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-05-13ikev2: fix removing of expired SAsFilip Tehlar1-1/+1
Type: fix Change-Id: Idf9b0ffb4e3a0113bece80d1195192bdf46feb89 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-05-05ipsec: User can choose the UDP source portNeale Ranns1-2/+2
Type: feature thus allowing NAT traversal, Signed-off-by: Neale Ranns <nranns@cisco.com> Change-Id: Ie8650ceeb5074f98c68d2d90f6adc2f18afeba08 Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
2020-05-05ikev2: remove sa from main threadFilip Tehlar1-17/+29
Type: fix Change-Id: Ib73ce48552cfa9e825a6833f5594650783d82f3b Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-05-04ikev2: fix string in apiFilip Tehlar1-1/+1
Type: fix key file name should be a string and not array of u8. Change-Id: I7d280d2397030e73732b374ad9d3146fad0bb19f Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-04-30ikev2: use thread local vlib_main in vlib_time_nowFilip Tehlar1-13/+9
Type: fix Change-Id: I8e4a47bd16fa8475ef695c09e3487eabf08faabe Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-04-07ikev2: make liveness params configurableFilip Tehlar7-4/+130
Introduce new cli for setting liveness check period and max retries for a peer to consider its partner dead. ikev2 set liveness <period-in-seconds> <max-retires> Type: improvement Change-Id: Iadae1de245d34fe3ee85e09b570f9df8c401772b Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-04-06ikev2: fix wrong index computationFilip Tehlar1-1/+1
Type: fix Change-Id: Ia7b07b4ec9e5681946f3f5c01c230c1f814e2cf6 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-03-31ikev2: fix crash during peer live checkFilip Tehlar1-1/+8
Fix crash when peer tries to build INFO req before key exchange which results using NULL key pointers for crypto operations. Type: fix Change-Id: I20aaf1ce769e4bfb45235047c2dd38307b4e0b59 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-03-26ikev2: fix wrong usage of BN_bn2bin()Filip Tehlar3-12/+56
This patch fixes 2 different crashes: 1) BN_bn2bin() returns bytes written, not actual key length. Use BN_bn2binpad() instead which adds padding. 2) Initiator may receive multiple sa-init responses for the same ispi which may result in crash. Remember first response and ignore any subsequent ones. Type: fix Change-Id: Ia1eac9167e3100a6894c0563ee70bab04f6a5f4f Signed-off-by: Filip Tehlar <ftehlar@cisco.com>