From ca514fda1125573d513215cb6ea7f22057a82d6b Mon Sep 17 00:00:00 2001
From: Matthew Smith
Date: Thu, 12 Oct 2017 12:06:59 -0500
Subject: Allow IPsec interface to have SAs reset

Make it easier to integrate with external IKE daemon. IPsec interfaces can have one or both SAs replaced after creation. This allows for the possibility of setting a new child SA on an interface when rekeying occurs. It also allows for the possibility of creating an interface ahead of time and updating the SA when parameters that are negotiated during IKE exchange become known.

Change-Id: I0a31afdcc2bdff7098a924a51abbc58bdab2bd08
Signed-off-by: Matthew Smith
---
 src/vat/api_format.c | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 54 insertions(+)
 (limited to 'src/vat/api_format.c')

diff --git a/src/vat/api_format.c b/src/vat/api_format.c
index 08d0c2e033e..d8f72090ef7 100644
--- a/src/vat/api_format.c
+++ b/src/vat/api_format.c
@@ -5107,6 +5107,7 @@ _(ipsec_sad_add_del_entry_reply) \
 _(ipsec_sa_set_key_reply) \
 _(ipsec_tunnel_if_add_del_reply) \
 _(ipsec_tunnel_if_set_key_reply) \
+_(ipsec_tunnel_if_set_sa_reply) \
 _(ikev2_profile_add_del_reply) \
 _(ikev2_profile_set_auth_reply) \
 _(ikev2_profile_set_id_reply) \
@@ -5341,6 +5342,7 @@ _(IPSEC_SA_DETAILS, ipsec_sa_details) \
 _(IPSEC_SA_SET_KEY_REPLY, ipsec_sa_set_key_reply) \
 _(IPSEC_TUNNEL_IF_ADD_DEL_REPLY, ipsec_tunnel_if_add_del_reply) \
 _(IPSEC_TUNNEL_IF_SET_KEY_REPLY, ipsec_tunnel_if_set_key_reply) \
+_(IPSEC_TUNNEL_IF_SET_SA_REPLY, ipsec_tunnel_if_set_sa_reply) \
 _(IKEV2_PROFILE_ADD_DEL_REPLY, ikev2_profile_add_del_reply) \
 _(IKEV2_PROFILE_SET_AUTH_REPLY, ikev2_profile_set_auth_reply) \
 _(IKEV2_PROFILE_SET_ID_REPLY, ikev2_profile_set_id_reply) \
@@ -14401,6 +14403,57 @@ api_ipsec_tunnel_if_set_key (vat_main_t * vam)
 return ret;
 }
 
+static int
+api_ipsec_tunnel_if_set_sa (vat_main_t * vam)
+{
+ unformat_input_t *i = vam->input;
+ vl_api_ipsec_tunnel_if_set_sa_t *mp;
+ u32 sw_if_index = ~0;
+ u32 sa_id = ~0;
+ u8 is_outbound = (u8) ~ 0;
+ int ret;
+
+ while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT)
+ {
+ if (unformat (i, "%U", api_unformat_sw_if_index, vam, &sw_if_index))
+ ;
+ else if (unformat (i, "sa_id %d", &sa_id))
+ ;
+ else if (unformat (i, "outbound"))
+ is_outbound = 1;
+ else if (unformat (i, "inbound"))
+ is_outbound = 0;
+ else
+ {
+ clib_warning ("parse error '%U'", format_unformat_error, i);
+ return -99;
+ }
+ }
+
+ if (sw_if_index == ~0)
+ {
+ errmsg ("interface must be specified");
+ return -99;
+ }
+
+ if (sa_id == ~0)
+ {
+ errmsg ("SA ID must be specified");
+ return -99;
+ }
+
+ M (IPSEC_TUNNEL_IF_SET_SA, mp);
+
+ mp->sw_if_index = htonl (sw_if_index);
+ mp->sa_id = htonl (sa_id);
+ mp->is_outbound = is_outbound;
+
+ S (mp);
+ W (ret);
+
+ return ret;
+}
+
 static int
 api_ikev2_profile_add_del (vat_main_t * vam)
 {
@@ -21708,6 +21761,7 @@ _(ipsec_tunnel_if_add_del, "local_spi remote_spi \n" \
 _(ipsec_sa_dump, "[sa_id ]") \
 _(ipsec_tunnel_if_set_key, " \n" \
 " \n") \
+_(ipsec_tunnel_if_set_sa, " sa_id \n") \
 _(ikev2_profile_add_del, "name [del]") \
 _(ikev2_profile_set_auth, "name auth_method \n" \
 "(auth_data 0x | auth_data )") \
-- cgit 1.2.3-korg
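Review bot: `is_outbound` is initialized to the sentinel `(u8) ~ 0` in api_ipsec_tunnel_if_set_sa but, unlike `sw_if_index` and `sa_id`, is never validated before `mp->is_outbound = is_outbound;`, so a command that names neither `inbound` nor `outbound` sends 0xff as the direction flag. How the API handler treats a value other than 0 or 1 is not visible in this hunk, but rejecting it in the client is cheap and keeps the three required arguments consistent: after the `sa_id` check add `if (is_outbound == (u8) ~ 0) { errmsg ("inbound or outbound must be specified"); return -99; }`. The parse-error branch also reports through `clib_warning` while the two validation failures use `errmsg`; using `errmsg` for all three would be consistent within the function.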