From abc5660c61698fa29252dc202358002a97f2608c Mon Sep 17 00:00:00 2001 From: Neale Ranns Date: Wed, 1 Apr 2020 09:45:23 +0000 Subject: ipsec: User can choose the UDP source port Type: feature thus allowing NAT traversal, Signed-off-by: Neale Ranns Change-Id: Ie8650ceeb5074f98c68d2d90f6adc2f18afeba08 Signed-off-by: Paul Vinciguerra --- src/vnet/ipsec/ipsec_cli.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) (limited to 'src/vnet/ipsec/ipsec_cli.c') diff --git a/src/vnet/ipsec/ipsec_cli.c b/src/vnet/ipsec/ipsec_cli.c index 13f9efdf566..695e5f01c74 100644 --- a/src/vnet/ipsec/ipsec_cli.c +++ b/src/vnet/ipsec/ipsec_cli.c @@ -86,7 +86,8 @@ ipsec_sa_add_del_command_fn (vlib_main_t * vm, clib_error_t *error; ipsec_key_t ck = { 0 }; ipsec_key_t ik = { 0 }; - u32 id, spi, salt; + u32 id, spi, salt, sai; + u16 udp_src, udp_dst; int is_add, rv; salt = 0; @@ -96,6 +97,7 @@ ipsec_sa_add_del_command_fn (vlib_main_t * vm, proto = IPSEC_PROTOCOL_ESP; integ_alg = IPSEC_INTEG_ALG_NONE; crypto_alg = IPSEC_CRYPTO_ALG_NONE; + udp_src = udp_dst = IPSEC_UDP_PORT_NONE; if (!unformat_user (input, unformat_line_input, line_input)) return 0; @@ -149,8 +151,7 @@ ipsec_sa_add_del_command_fn (vlib_main_t * vm, rv = ipsec_sa_add_and_lock (id, spi, proto, crypto_alg, &ck, integ_alg, &ik, flags, 0, clib_host_to_net_u32 (salt), - &tun_src, &tun_dst, NULL, - IPSEC_UDP_PORT_NONE); + &tun_src, &tun_dst, &sai, udp_src, udp_dst); else rv = ipsec_sa_unlock_id (id); 
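Review bot: `udp_src` and `udp_dst` are set to `IPSEC_UDP_PORT_NONE` in the -96 hunk and nothing else in this file's diff assigns them from `line_input`, so this CLI still cannot select a port even though the subject says the user can choose it. The tunnel command in the -856 hunk hard-codes the same constant for both ports. Either add the keyword parsing here or note in the commit message that this CLI does not expose the option yet. If parsing is added, read each port into a `u32` temporary and reject values above 65535 before narrowing, because an integer conversion that writes a full 32-bit value straight into a `u16` would store past the variable. The body of `ipsec_sa_add_del_command_fn` starts and ends outside the hunk.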
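Review bot: `&sai` replaces `NULL` as the out-parameter of `ipsec_sa_add_and_lock` in the -149 hunk, but `sai` is declared without an initialiser in the -86 hunk and no line in this diff reads it afterwards. `create_ipsec_tunnel_command_fn` still passes `NULL` in the same position, so keeping `NULL` here looks sufficient: `&tun_src, &tun_dst, NULL, udp_src, udp_dst);`. If the index is meant to be used later, initialise it at its declaration so that a failed add cannot leave an indeterminate value for later code to pick up. The call sits in an if/else whose condition is outside the hunk.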
@@ -856,14 +857,16 @@ create_ipsec_tunnel_command_fn (vlib_main_t * vm, local_spi, IPSEC_PROTOCOL_ESP, crypto_alg, &lck, integ_alg, &lik, flags, table_id, clib_host_to_net_u32 (salt), &local_ip, - &remote_ip, NULL, IPSEC_UDP_PORT_NONE); + &remote_ip, NULL, IPSEC_UDP_PORT_NONE, + IPSEC_UDP_PORT_NONE); rv |= ipsec_sa_add_and_lock (ipsec_tun_mk_remote_sa_id (sw_if_index), remote_spi, IPSEC_PROTOCOL_ESP, crypto_alg, &rck, integ_alg, &rik, (flags | IPSEC_SA_FLAG_IS_INBOUND), table_id, clib_host_to_net_u32 (salt), &remote_ip, - &local_ip, NULL, IPSEC_UDP_PORT_NONE); + &local_ip, NULL, IPSEC_UDP_PORT_NONE, + IPSEC_UDP_PORT_NONE); rv |= ipsec_tun_protect_update_one (sw_if_index, &nh, ipsec_tun_mk_local_sa_id (sw_if_index), -- cgit 1.2.3-korg