From cb33dc2d7a566d571c86b950b4aa92dd7ae01c3c Mon Sep 17 00:00:00 2001 
From: Radu Nicolau Date: Thu, 16 Feb 2017 16:49:46 +0000 Subject: Implemented IKEv2 initiator features: - IKE_SA_INIT and IKE_AUTH initial exchanges - Delete IKE SA - Rekey and delete Child SA - Child SAs lifetime policy To set up one VPP instance as the initiator use the following CLI commands (or API equivalents): ikev2 profile set responder ikev2 profile set ike-crypto-alg ike-integ-alg ike-dh ikev2 profile set esp-crypto-alg esp-integ-alg esp-dh ikev2 profile set sa-lifetime and finally ikev2 initiate sa-init to initiate the IKE_SA_INIT exchange Child SA re-keying process: 1. Child SA expires 2. A new Child SA is created using the Child SA rekey exchange 3. For a set time both SAs are alive 4. After the set time interval expires old SA is deleted Any additional settings will not be carried over (i.e. settings of the ipsec interface associated with the Child SA) CLI API additions: ikev2 profile set responder ikev2 profile set ike-crypto-alg ike-integ-alg ike-dh ikev2 profile set esp-crypto-alg esp-integ-alg esp-dh ikev2 profile set sa-lifetime ikev2 initiate sa-init ikev2 initiate del-child-sa ikev2 initiate del-sa ikev2 initiate rekey-child-sa Sample configurations: Responder: ikev2 profile add pr1 ikev2 profile set pr1 auth shared-key-mic string Vpp123 ikev2 profile set pr1 id local fqdn vpp.home.responder ikev2 profile set pr1 id remote fqdn vpp.home.initiator ikev2 profile set pr1 traffic-selector remote ip-range 192.168.125.0 - 192.168.125.255 port-range 0 - 65535 protocol 0 ikev2 profile set pr1 traffic-selector local ip-range 192.168.124.0 - 192.168.124.255 port-range 0 - 65535 protocol 0 Initiator: ikev2 profile add pr1 ikev2 profile set pr1 auth shared-key-mic string Vpp123 ikev2 profile set pr1 id local fqdn vpp.home.initiator ikev2 profile set pr1 id remote fqdn vpp.home.responder ikev2 profile set pr1 traffic-selector local ip-range 192.168.125.0 - 192.168.125.255 port-range 0 - 65535 protocol 0 ikev2 profile set pr1 traffic-selector remote ip-range 
192.168.124.0 - 192.168.124.255 port-range 0 - 65535 protocol 0 ikev2 profile set pr1 responder TenGigabitEthernet3/0/1 192.168.40.20 ikev2 profile set pr1 ike-crypto-alg aes-cbc 192 ike-integ-alg sha1-96 ike-dh modp-2048 ikev2 profile set pr1 esp-crypto-alg aes-cbc 192 esp-integ-alg sha1-96 esp-dh ecp-256 ikev2 profile set pr1 sa-lifetime 3600 10 5 0 Change-Id: I1db9084dc787129ea61298223fb7585a6f7eaf9e Signed-off-by: Radu Nicolau --- src/vnet/ipsec/ikev2_cli.c | 125 ++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 124 insertions(+), 1 deletion(-) (limited to 'src/vnet/ipsec/ikev2_cli.c')
diff --git a/src/vnet/ipsec/ikev2_cli.c b/src/vnet/ipsec/ikev2_cli.c
index 1369c187775..5c88d8d4681 100644
--- a/src/vnet/ipsec/ikev2_cli.c
+++ b/src/vnet/ipsec/ikev2_cli.c
@@ -173,14 +173,21 @@ ikev2_profile_add_del_command_fn (vlib_main_t * vm,
 unformat_input_t * input, vlib_cli_command_t * cmd)
 {
+ vnet_main_t *vnm = vnet_get_main ();
 unformat_input_t _line_input, *line_input = &_line_input;
 u8 *name = 0;
 clib_error_t *r = 0;
 u32 id_type;
 u8 *data = 0;
 u32 tmp1, tmp2, tmp3;
+ u64 tmp4, tmp5;
 ip4_address_t ip4;
 ip4_address_t end_addr;
+ u32 responder_sw_if_index = (u32) ~ 0;
+ ip4_address_t responder_ip4;
+ ikev2_transform_encr_type_t crypto_alg;
+ ikev2_transform_integ_type_t integ_alg;
+ ikev2_transform_dh_type_t dh_type;
 const char *valid_chars = "a-zA-Z0-9_";
@@ -308,6 +315,53 @@ ikev2_profile_add_del_command_fn (vlib_main_t * vm,
 ip4, end_addr, /*remote */ 0);
 goto done;
 }
+ else if (unformat (line_input, "set %U responder %U %U",
+ unformat_token, valid_chars, &name,
+ unformat_vnet_sw_interface, vnm,
+ &responder_sw_if_index, unformat_ip4_address,
+ &responder_ip4))
+ {
+ r =
+ ikev2_set_profile_responder (vm, name, responder_sw_if_index,
+ responder_ip4);
+ goto done;
+ }
+ else
+ if (unformat
+ (line_input,
+ "set %U ike-crypto-alg %U %u ike-integ-alg %U ike-dh %U",
+ unformat_token, valid_chars, &name,
+ unformat_ikev2_transform_encr_type, &crypto_alg, &tmp1,
+ unformat_ikev2_transform_integ_type, &integ_alg,
+ unformat_ikev2_transform_dh_type, &dh_type))
+ {
+ r =
+ ikev2_set_profile_ike_transforms (vm, name, crypto_alg, integ_alg,
+ dh_type, tmp1);
+ goto done;
+ }
+ else
+ if (unformat
+ (line_input,
+ "set %U esp-crypto-alg %U %u esp-integ-alg %U esp-dh %U",
+ unformat_token, valid_chars, &name,
+ unformat_ikev2_transform_encr_type, &crypto_alg, &tmp1,
+ unformat_ikev2_transform_integ_type, &integ_alg,
+ unformat_ikev2_transform_dh_type, &dh_type))
+ {
+ r =
+ ikev2_set_profile_esp_transforms (vm, name, crypto_alg, integ_alg,
+ dh_type, tmp1);
+ goto done;
+ }
+ else if (unformat (line_input, "set %U sa-lifetime %lu %u %u %lu",
+ unformat_token, valid_chars, &name,
+ &tmp4, &tmp1, &tmp2, &tmp5))
+ {
+ r =
+ ikev2_set_profile_sa_lifetime (vm, name, tmp4, tmp1, tmp2, tmp5);
+ goto done;
+ }
 else
 break;
 }
@@ -332,7 +386,11 @@ VLIB_CLI_COMMAND (ikev2_profile_add_del_command, static) = {
 "ikev2 profile set id \n"
 "ikev2 profile set traffic-selector ip-range "
 " - port-range - "
- "protocol ",
+ "protocol \n"
+ "ikev2 profile set responder \n"
+ "ikev2 profile set ike-crypto-alg ike-integ-alg ike-dh \n"
+ "ikev2 profile set esp-crypto-alg esp-integ-alg esp-dh \n"
+ "ikev2 profile set sa-lifetime ",
 .function = ikev2_profile_add_del_command_fn,
 };
 /* *INDENT-ON* */
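Review bot: The `%u` key length read into `tmp1` in the ike-crypto-alg and esp-crypto-alg branches is passed straight to `ikev2_set_profile_ike_transforms`/`ikev2_set_profile_esp_transforms`, and the four `sa-lifetime` values reach `ikev2_set_profile_sa_lifetime` the same way, so unless those setters reject bad values a typo such as `aes-cbc 129` or a lifetime of 0 is stored silently and only surfaces when the exchange fails. If the setters do not validate, a guard before `goto done` in each branch, e.g. `if (!<key-length-valid-for(crypto_alg, tmp1)>) { r = clib_error_return (0, "invalid key length %u", tmp1); goto done; }` with the check implemented against the selected algorithm, gives the operator an immediate error at configuration time. A similar sanity check on the lifetime tuple (non-zero lifetime, handover not exceeding the lifetime, if that is the intended relationship) would be worth adding in the same place. `ikev2_profile_add_del_command_fn` begins and ends outside this hunk.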
@@ -462,6 +520,71 @@ VLIB_CLI_COMMAND (set_ikev2_local_key_command, static) = {
 };
 /* *INDENT-ON* */
+
+static clib_error_t *
+ikev2_initiate_command_fn (vlib_main_t * vm,
+ unformat_input_t * input, vlib_cli_command_t * cmd)
+{
+ unformat_input_t _line_input, *line_input = &_line_input;
+ clib_error_t *r = 0;
+ u8 *name = 0;
+ u32 tmp1;
+ u64 tmp2;
+
+ const char *valid_chars = "a-zA-Z0-9_";
+
+ if (!unformat_user (input, unformat_line_input, line_input))
+ return 0;
+
+ while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
+ {
+ if (unformat
+ (line_input, "sa-init %U", unformat_token, valid_chars, &name))
+ {
+ r = ikev2_initiate_sa_init (vm, name);
+ goto done;
+ }
+ else if (unformat (line_input, "del-child-sa %x", &tmp1))
+ {
+ r = ikev2_initiate_delete_child_sa (vm, tmp1);
+ goto done;
+ }
+ else if (unformat (line_input, "del-sa %lx", &tmp2))
+ {
+ r = ikev2_initiate_delete_ike_sa (vm, tmp2);
+ goto done;
+ }
+ else if (unformat (line_input, "rekey-child-sa %x", &tmp1))
+ {
+ r = ikev2_initiate_rekey_child_sa (vm, tmp1);
+ goto done;
+ }
+ else
+ break;
+ }
+
+ r = clib_error_return (0, "parse error: '%U'",
+ format_unformat_error, line_input);
+
+done:
+ vec_free (name);
+ unformat_free (line_input);
+ return r;
+}
+
+/* *INDENT-OFF* */
+VLIB_CLI_COMMAND (ikev2_initiate_command, static) = {
+ .path = "ikev2 initiate",
+ .short_help =
+ "ikev2 initiate sa-init \n"
+ "ikev2 initiate del-child-sa \n"
+ "ikev2 initiate del-sa \n"
+ "ikev2 initiate rekey-child-sa \n",
+ .function = ikev2_initiate_command_fn,
+};
+/* *INDENT-ON* */
+
+
 clib_error_t *
 ikev2_cli_init (vlib_main_t * vm)
 {
-- cgit 1.2.3-korg
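Review bot: `ikev2_initiate_command_fn` reads its SA identifiers into locals named `tmp1` and `tmp2`, which hides the one fact a reader needs: `del-child-sa` and `rekey-child-sa` take a 32-bit value via `%x`, while `del-sa` takes a 64-bit value via `%lx`. Renaming them, e.g. `u32 child_sa_id;` and `u64 ike_sa_ispi;`, and adding a header comment along the lines of `/* "ikev2 initiate": initiator-side IKEv2 actions (SA_INIT, delete IKE SA, delete/rekey child SA); SA identifiers are given in hex. */` would make the contract visible without touching behaviour. Note also that parsing `%lx` into a `u64` appears to rely on `unsigned long` being 64 bits wide, which holds on the LP64 targets VPP builds for but deserves a one-line comment next to the declaration. The function is complete within this hunk.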