path: root/src/plugins/ikev2
Age | Commit message | Author | Files | Lines
2020-11-26 | ikev2: better handling when no IKE DH configured | Filip Tehlar | 2 | -34/+161
Type: improvement Change-Id: I4289d20adaa3f2872889d5dbaafd9c025df8aca8 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-11-25 | ikev2: fix issue when sending multiple requests at once | Filip Tehlar | 2 | -20/+68
Type: fix Change-Id: I8ed556de4370a03d10c56cce101cd5ea0d0aaf8b Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-11-19 | ikev2: respect punting only for ipv4 | Benoît Ganne | 1 | -1/+7
IPSec punting to IKEv2 is valid only for NAT-T in IPv4. Fix coverity CID 214915. Type: fix Change-Id: I6f2db38abf179565316f50c5d47c78acce3a0d01 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2020-11-18 | ikev2: fix memleak when tunnel protect fails | Filip Tehlar | 1 | -20/+37
Type: fix Change-Id: I1d278fc2b03b948c054ff1686315635ac0278ae8 Signed-off-by: Filip Tehlar <ftehlar@cisco.com> Signed-off-by: Benoît Ganne <bganne@cisco.com>
2020-11-09 | ikev2: add tests for DPD | Filip Tehlar | 1 | -1/+62
Type: test Change-Id: I9c1129a8596344551f3f8f2e029846d22511482e Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-11-09 | ikev2: fix msg IDs generation | Filip Tehlar | 1 | -14/+16
Type: fix Change-Id: Id922895c269f0d2450e55fcb6871b6857f443462 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-11-09 | ikev2: fix udp encap | Filip Tehlar | 2 | -9/+23
Type: fix Change-Id: I8c66f79f2d8cfff7c6d45e1fc5b529ffb3941491 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-10-31 | ikev2: add option to disable NAT traversal | Filip Tehlar | 9 | -34/+154
Type: feature Ticket: VPP-1935 Change-Id: I705f84047b112279377590157a1c7b4a34f693d2 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-11-04 | ikev2: fix reply during rekey | Filip Tehlar | 2 | -44/+192
Type: fix Change-Id: If87f4b8ae92508215fe91178958fe2ddb91e5a35 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-11-04 | ikev2: increase tick interval in process node | Filip Tehlar | 1 | -13/+2
This helps to resolve sporadic failures in unit tests. Type: fix Change-Id: I3abd77ed74310f9729a841e8569eafe6d7758dcb Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-11-02 | ikev2: cli for disabling dead peer detection | Filip Tehlar | 3 | -2/+30
Type: feature Change-Id: I0db0a9b2f872753fa64d27335838cb34645a9ee8 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-10-30 | ikev2: fix memory leak | Filip Tehlar | 1 | -2/+7
Type: fix Change-Id: I33c38c791cc9a28898de402ae831c4862073eb2d Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-11-02 | ipsec: Tunnel SA DSCP behaviour | Neale Ranns | 1 | -2/+6
Type: feature - use tunnel_encap_decap_flags to control the copying of DSCP/ECN/etc during IPSEC tunnel mode encap. - use DSCP value to have fixed encap value. Signed-off-by: Neale Ranns <nranns@cisco.com> Change-Id: If4f51fd4c1dcbb0422aac9bd078e5c14af5bf11f
2020-10-21 | ikev2: support sending requests from responder | Filip Tehlar | 4 | -29/+146
Type: improvement Ticket: VPP-1894 Change-Id: I5a24a48416bca2ffbd346cdaa813fb25801e6c9b Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-10-21 | ikev2: fix setting responder/initiator addresses | Filip Tehlar | 4 | -67/+95
Type: fix Change-Id: Ic406aa914d92e802a5fb0f27c2ffa1b98db012b0 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-10-21 | ikev2: prevent crash after no IP address | Filip Tehlar | 1 | -196/+345
Type: fix Ticket: VPP-1900 This fixes a crash when initiating IKE connection using interface without any IP address. It also ensures that the IKE connection is automatically retried once the interface obtains an address. Signed-off-by: jan_cavojsky <Jan.Cavojsky@pantheon.tech> Signed-off-by: Filip Tehlar <ftehlar@cisco.com> Change-Id: Ia1919c349e64b3a0a4198365e075e177e3ba3de5
2020-10-21 | misc: minimize dependencies on udp.h | Florin Coras | 2 | -2/+0
Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: Id13f33843b230a1d169560742c4f7b2dc17d8718
2020-10-13 | ikev2: fix initial contact cleanup | Filip Tehlar | 2 | -306/+562
When looking for existing SA connection to clean up, search all per thread data, not only current one. Type: fix Change-Id: I59312e08a07ca1f474b6389999e59320c5128e7d Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-10-13 | ikev2: fix coverity warning | Filip Tehlar | 1 | -5/+21
Type: fix Change-Id: Iee96b3ea3e71ec248c3c3c98d153a08372b5faf0 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-10-13 | ikev2: fix memory leak in auth routine | Filip Tehlar | 1 | -0/+4
Type: fix Change-Id: I93529b069925fcef32cdb22e27975b802b4c3b97 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-10-07 | misc: Purge unused pg includes | Neale Ranns | 3 | -3/+0
Type: style Signed-off-by: Neale Ranns <nranns@cisco.com> Change-Id: I26a19e42076e031ec5399d5ca05cb49fd6fbe1cd
2020-10-05 | ikev2: support ipv6 traffic selectors & overlay | Filip Tehlar | 11 | -380/+695
Ticket: VPP-1917 Type: feature Change-Id: Ie9f22e7336aa7807b1967c48de9843df10fb575c Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-10-02 | ikev2: fix leaking pending INIT requests | Filip Tehlar | 1 | -0/+16
.. when associated profile is deleted. Type: fix Change-Id: Ib05831d79b3b58664ee0a930960513fd465373bf Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-10-02 | ikev2: fix cli memory leak | Benoît Ganne | 1 | -30/+40
Type: fix Change-Id: Ibdd83fa336427ec0c66224ecebb1b6bd36d1d1ba Signed-off-by: Benoît Ganne <bganne@cisco.com>
2020-09-30 | ikev2: fix issue when decrypting packet with no keys | Filip Tehlar | 1 | -1/+1
Type: fix Change-Id: I0e615d5089587992012a0f280ee902b2906f21c2 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-10-01 | ikev2: refactor ikev2 node | Filip Tehlar | 1 | -407/+359
Type: refactor Change-Id: I65acbd5d9724c500a24699de973df08016d9d8d6 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-09-30 | ikev2: better packet parsing functions | Filip Tehlar | 7 | -274/+596
Ticket: VPP-1918 Type: improvement Change-Id: I2bc3e30121697404dcd54f1c2127bd85ccc1029e Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-09-30 | ikev2: show IKE SA command improvements | Filip Tehlar | 1 | -95/+169
Ticket: VPP-1898 Type: improvement Change-Id: I1c56df331965c733a2d0eae63a12d5a4ee5a2e41 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-09-29 | ikev2: fix false positive NAT detection | Filip Tehlar | 1 | -18/+13
Type: fix Change-Id: Id7f865f537c55d00a784eec51624ba28e903a083 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-09-28 | ikev2: fix memory leaks | Benoît Ganne | 2 | -3/+21
Type: fix Change-Id: I5be19a4923b37e2636621d36155178ac348ee41c Signed-off-by: Benoît Ganne <bganne@cisco.com>
2020-09-10 | ikev2: fix copy-paste error when freeing memory | Filip Tehlar | 1 | -1/+1
Type: fix Change-Id: If44c807d188b3e88d819f4132d73e6a34402a525 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-09-11 | ikev2: fix memory leaks | Benoît Ganne | 1 | -7/+20
- make sure everything is freed on cleanup - reuse already allocated vectors where possible Type: fix Change-Id: Ibd8da1edb37126522dc2d525596521d32dceb73a Signed-off-by: Benoît Ganne <bganne@cisco.com>
2020-07-28 | ikev2: fix session re-initiate after SA expires | Filip Tehlar | 2 | -1/+3
Type: fix Change-Id: Ie3d24b3df02d08fbb74d97f4e5ab0d79c35b0c0d Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-07-24 | ikev2: add SA dump API | jan_cavojsky | 5 | -6/+907
Type: feature Ticket: VPP-1897 Change-Id: I0245aceeb344efd29b1f9217c35889a8bbe1f744 Signed-off-by: jan_cavojsky <Jan.Cavojsky@pantheon.tech> Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-07-23 | ikev2: add global message length check | Benoît Ganne | 1 | -96/+89
Type: fix Change-Id: I3eb51ea4f6c29005b0315cf488fcabb8543dfcd1 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2020-07-20 | ikev2: refactor and test profile dump API | Filip Tehlar | 9 | -129/+340
Type: refactor Change-Id: I6b8dc68e5d4a452776fbaf5a69fbd7f53a8abb75 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-07-16 | ikev2: fix race condition in child_sa update | Benoît Ganne | 1 | -0/+3
Type: fix Change-Id: I864d49a641b45337c0a45a0af7d996cad75f6629 Signed-off-by: Benoît Ganne <bganne@cisco.com> Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-07-15 | ikev2: add support for AES-GCM cipher in IKE | Filip Tehlar | 6 | -120/+345
Type: feature Ticket: VPP-1920 Change-Id: I6e30f3594cb30553f3ca5a35e0a4f679325aacec Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-07-14 | ikev2: API downgrade due to lack of ikev2 tests | Filip Tehlar | 1 | -19/+17
Type: refactor Change-Id: Ic7ddad20088e069887f81721cceb21f4902e8907 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-07-07 | ikev2: per thread usage of openssl context | Filip Tehlar | 3 | -77/+47
Type: refactor Change-Id: I04af90b4d86c00092ce1732aeb3c0517af1808e0 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-07-06 | ikev2: add profile dump API | Jan Cavojsky | 6 | -0/+436
Type: feature Signed-off-by: Jan Cavojsky <Jan.Cavojsky@pantheon.tech> Change-Id: I84776a50b520134e8a3ca6ae41b4cc29009e6319
2020-07-06 | ikev2: add more ikev2 tests | Filip Tehlar | 1 | -18/+135
Tests for AES-GCM and AES-CBC with different key lengths Type: test Change-Id: Ie7eeebb0f7e8331a717866475cb4ee00042857ce Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-07-02 | ikev2: use remote proposals when installing tunnel | Filip Tehlar | 1 | -2/+2
Change-Id: Ib9c5dff6c825f495400a73869d429b9c2df670fc Type: fix Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-06-30 | tests: ikev2: add nat traversal & cert based auth test | Filip Tehlar | 6 | -49/+253
Type: test Change-Id: I3e8e451c5deaf04f519a471369370c383d9cda3b Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-06-27 | ikev2: add FEATURE.yaml | Benoît Ganne | 1 | -0/+17
Type: docs Change-Id: Ie7836543e52bee08d12c565fbb6238d3e82ea3ce Signed-off-by: Benoît Ganne <bganne@cisco.com>
2020-06-27 | ikev2: remove unused field | Filip Tehlar | 1 | -1/+0
Type: improvement Change-Id: I0893d7cd8b8ab9958f585ac564bd0638bc60e78a Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-06-18 | ikev2: use both local and remote ID for profile lookup | Filip Tehlar | 2 | -22/+50
Type: fix Ticket: VPP-1890 Change-Id: I9441d5afc38df7dabf6cccaead69dd32646d2a9e Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-06-18 | tests: add ikev2 test framework with basic test case | Filip Tehlar | 2 | -0/+651
Ticket: VPP-1905 Type: test Change-Id: Ie66fbd8e37eb5e69bd61b701ed3449366bee8c84 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-06-15 | ikev2: announce both 'ESN' and 'No ESN' | Filip Tehlar | 1 | -1/+0
Type: fix Change-Id: If73b88b9478b9314df6d9163c3a13724d4253c80 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-06-11 | ikev2: don't add DH group in ESP transform proposals | Filip Tehlar | 2 | -10/+10
Type: fix Announcing DH group in esp transform proposals will enable PFS which is not supported now. This fixes issue during rekey when using strongswan as responder. Change-Id: Ib9f586113ae0ab9dc67e6ceadff43f8aac463820 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>