From 67b8a7fa76d8ec2d73f1b2380e11bf8e2793448e Mon Sep 17 00:00:00 2001
From: Filip Tehlar
Date: Fri, 6 Nov 2020 11:00:42 +0000
Subject: ikev2: fix udp encap

Type: fix
Change-Id: I8c66f79f2d8cfff7c6d45e1fc5b529ffb3941491
Signed-off-by: Filip Tehlar
---
 src/plugins/ikev2/ikev2.c            |  9 ++++-----
 src/plugins/ikev2/test/test_ikev2.py | 23 +++++++++++++++++++----
 2 files changed, 23 insertions(+), 9 deletions(-)

(limited to 'src/plugins/ikev2')

diff --git a/src/plugins/ikev2/ikev2.c b/src/plugins/ikev2/ikev2.c
index ad727a9e355..a2e4247275b 100644
--- a/src/plugins/ikev2/ikev2.c
+++ b/src/plugins/ikev2/ikev2.c
@@ -1815,7 +1815,6 @@ ikev2_add_tunnel_from_main (ikev2_add_ipsec_tunnel_args_t * a)
   ikev2_main_t *km = &ikev2_main;
   u32 sw_if_index;
   int rv = 0;
-  ip46_address_t zero_addr = ip46_address_initializer;
 
   if (~0 == a->sw_if_index)
     {
@@ -1864,16 +1863,16 @@ ikev2_add_tunnel_from_main (ikev2_add_ipsec_tunnel_args_t * a)
                                a->local_spi, IPSEC_PROTOCOL_ESP,
                                a->encr_type, &a->loc_ckey, a->integ_type,
                                &a->loc_ikey,
-                               a->flags, 0, a->salt_local, &zero_addr,
-                               &zero_addr, TUNNEL_ENCAP_DECAP_FLAG_NONE,
+                               a->flags, 0, a->salt_local, &a->local_ip,
+                               &a->remote_ip, TUNNEL_ENCAP_DECAP_FLAG_NONE,
                                IP_DSCP_CS0, NULL, a->src_port, a->dst_port);
 
   rv |= ipsec_sa_add_and_lock (a->remote_sa_id, a->remote_spi,
                               IPSEC_PROTOCOL_ESP, a->encr_type, &a->rem_ckey,
                               a->integ_type, &a->rem_ikey,
                               (a->flags | IPSEC_SA_FLAG_IS_INBOUND), 0,
-                              a->salt_remote, &zero_addr,
-                              &zero_addr, TUNNEL_ENCAP_DECAP_FLAG_NONE,
+                              a->salt_remote, &a->remote_ip,
+                              &a->local_ip, TUNNEL_ENCAP_DECAP_FLAG_NONE,
                               IP_DSCP_CS0, NULL, a->ipsec_over_udp_port,
                               a->ipsec_over_udp_port);
 
diff --git a/src/plugins/ikev2/test/test_ikev2.py b/src/plugins/ikev2/test/test_ikev2.py
index d065d46e8eb..61dd53e7988 100644
--- a/src/plugins/ikev2/test/test_ikev2.py
+++ b/src/plugins/ikev2/test/test_ikev2.py
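Review bot: The inbound SA at the end of the second hunk is now created with `&a->remote_ip` as its tunnel source and `&a->local_ip` as its destination, the mirror of the outbound SA above it, but nothing in the hunk records why real endpoints are now required on both SAs while the encap/decap argument still passes `TUNNEL_ENCAP_DECAP_FLAG_NONE`; a comment above the first `ipsec_sa_add_and_lock`, e.g. `/* tunnel endpoints are the IKE peer addresses (outbound local->remote, inbound remote->local); zero addresses broke UDP encapsulation */`, would stop the next reader from reinstating the zero-address shortcut. Since both SAs now depend on `a->local_ip` / `a->remote_ip` unconditionally rather than only under UDP encapsulation, it is worth confirming that every caller fills both fields before this point; the args struct is populated outside this hunk, so I cannot verify that here. Note also that the two results are only OR'd into `rv`, so if the second `ipsec_sa_add_and_lock` fails the first SA remains added and locked; that is pre-existing, but worth a look now that the inputs to both calls have changed. `ikev2_add_tunnel_from_main` starts and ends outside the hunk.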
@@ -181,7 +181,9 @@ class IKEv2SA(object):
     def __init__(self, test, is_initiator=True, i_id=None, r_id=None,
                  spi=b'\x01\x02\x03\x04\x05\x06\x07\x08', id_type='fqdn',
                  nonce=None, auth_data=None, local_ts=None, remote_ts=None,
-                 auth_method='shared-key', priv_key=None, natt=False):
+                 auth_method='shared-key', priv_key=None, natt=False,
+                 udp_encap=False):
+        self.udp_encap = udp_encap
         self.natt = natt
         if natt:
             self.sport = 4500
@@ -662,6 +664,13 @@ class IkePeer(VppTestCase):
         assert(len(res) == tlen)
         return res
 
+    def verify_udp_encap(self, ipsec_sa):
+        e = VppEnum.vl_api_ipsec_sad_flags_t
+        if self.sa.udp_encap or self.sa.natt:
+            self.assertIn(e.IPSEC_API_SAD_FLAG_UDP_ENCAP, ipsec_sa.flags)
+        else:
+            self.assertNotIn(e.IPSEC_API_SAD_FLAG_UDP_ENCAP, ipsec_sa.flags)
+
     def verify_ipsec_sas(self, is_rekey=False):
         sas = self.vapi.ipsec_sa_dump()
         if is_rekey:
@@ -671,7 +680,6 @@ class IkePeer(VppTestCase):
         else:
             sa_count = 2
         self.assertEqual(len(sas), sa_count)
-        e = VppEnum.vl_api_ipsec_sad_flags_t
         if self.sa.is_initiator:
             if is_rekey:
                 sa0 = sas[0].entry
@@ -689,6 +697,8 @@ class IkePeer(VppTestCase):
 
         c = self.sa.child_sas[0]
 
+        self.verify_udp_encap(sa0)
+        self.verify_udp_encap(sa1)
         vpp_crypto_alg = self.vpp_enums[self.sa.vpp_esp_cypto_alg]
         self.assertEqual(sa0.crypto_algorithm, vpp_crypto_alg)
         self.assertEqual(sa1.crypto_algorithm, vpp_crypto_alg)
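Review bot: `verify_udp_encap` in the second hunk has no docstring, and its condition quietly treats NAT-T as implying UDP encapsulation, which a reader of a failing assertion will not guess from the name; a one-line docstring such as `"""Assert the SA's UDP_ENCAP flag matches the configured udp_encap/natt setting (NAT-T always implies UDP encap)."""` makes that rule explicit. The helper also reads `self.sa`, so it is only valid after the SA has been negotiated; the docstring could say so. `IkePeer` starts before the hunk and continues after it.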
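Review bot: The two `verify_udp_encap` calls added at the end of the last hunk check only the UDP_ENCAP flag on `sa0`/`sa1`, while the C side of this commit changes the tunnel source/destination handed to `ipsec_sa_add_and_lock`; as far as the diff shows nothing asserts that the dumped SAs now carry the peer addresses, so these checks would still pass if the zero-address regression came back. If the `ipsec_sa_dump` entry exposes the tunnel endpoints (I cannot see the API definition from here), add next to the flag checks an assertion per SA of the form `self.assertEqual(str(sa0.<tunnel_src_field>), <expected local address>)` and the mirrored pair for `sa1`, so the fix itself is pinned rather than a flag the C change does not touch. `verify_ipsec_sas` starts before the hunk and continues after it.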
@@ -1332,13 +1342,17 @@ class Ikev2Params(object):
         if 'esp_transforms' in params:
             self.p.add_esp_transforms(params['esp_transforms'])
+        udp_encap = False if 'udp_encap' not in params else\
+            params['udp_encap']
+        if udp_encap:
+            self.p.set_udp_encap(True)
+
         self.sa = IKEv2SA(self, i_id=idi['data'], r_id=idr['data'],
                           is_initiator=is_init,
                           id_type=self.p.local_id['id_type'],
                           natt=is_natt, priv_key=client_priv,
                           auth_method=auth_method,
-                          auth_data=auth_data,
+                          auth_data=auth_data, udp_encap=udp_encap,
                           local_ts=self.p.remote_ts, remote_ts=self.p.local_ts)
-
         if is_init:
             ike_crypto = ('AES-CBC', 32) if 'ike-crypto' not in params else\
                 params['ike-crypto']
@@ -1687,6 +1701,7 @@ class TestResponderRsaSign(TemplateResponder, Ikev2Params):
     """ test ikev2 responder - cert based auth """
     def config_tc(self):
         self.config_params({
+            'udp_encap': True,
             'auth': 'rsa-sig',
             'server-key': 'server-key.pem',
             'client-key': 'client-key.pem',
-- 
cgit 1.2.3-korg
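Review bot: `'udp_encap': True` is added only to `TestResponderRsaSign` in the last hunk, so as far as this diff shows explicit UDP encapsulation (without NAT-T) is exercised in exactly one configuration, responder role with RSA-signature auth; the initiator role gets no coverage for the new tunnel-endpoint handling, even though both SAs are built from `a->local_ip`/`a->remote_ip` regardless of role. Enabling `'udp_encap': True` in at least one initiator test case as well, or parameterizing an existing one, would cover both directions of the fix. In the first hunk, `udp_encap = False if 'udp_encap' not in params else params['udp_encap']` follows the file's existing ternary pattern (see `ike_crypto` just below), so it is fine as written, though `params.get('udp_encap', False)` is the plainer idiom if the file is ever normalized. `config_params` starts before the hunk and continues after it.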