From 6f1eb484c85cfdb091cbef18252a02b3310b9aae Mon Sep 17 00:00:00 2001 From: Matthew Smith Date: Tue, 9 Aug 2022 22:19:38 +0000 Subject: ipsec: enable UDP encap for IPv6 ESP tun protect Type: improvement If an SA protecting an IPv6 tunnel interface has UDP encapsulation enabled, the code in esp_encrypt_inline() inserts a UDP header but does not set the next protocol or the UDP payload length, so the peer that receives the packet drops it. Set the next protocol field and the UDP payload length correctly. The port(s) for UDP encapsulation of IPsec was not registered for IPv6. Add this registration for IPv6 SAs when UDP encapsulation is enabled. Add punt handling for IPv6 IKE on NAT-T port. Add registration of linux-cp for the new punt reason. Add unit tests of IPv6 ESP w/ UDP encapsulation on tun protect Signed-off-by: Matthew Smith Change-Id: Ibb28e423ab8c7bcea2c1964782a788a0f4da5268 --- src/vnet/ipsec/ipsec_punt.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'src/vnet/ipsec/ipsec_punt.h') diff --git a/src/vnet/ipsec/ipsec_punt.h b/src/vnet/ipsec/ipsec_punt.h index afed908bffb..9b9fc803391 100644 --- a/src/vnet/ipsec/ipsec_punt.h +++ b/src/vnet/ipsec/ipsec_punt.h @@ -20,7 +20,8 @@ #define foreach_ipsec_punt_reason \ _ (IP4_SPI_UDP_0, "ipsec4-spi-o-udp-0", IP4_PACKET) \ _ (IP4_NO_SUCH_TUNNEL, "ipsec4-no-such-tunnel", IP4_PACKET) \ - _ (IP6_NO_SUCH_TUNNEL, "ipsec6-no-such-tunnel", IP6_PACKET) + _ (IP6_NO_SUCH_TUNNEL, "ipsec6-no-such-tunnel", IP6_PACKET) \ + _ (IP6_SPI_UDP_0, "ipsec6-spi-o-udp-0", IP6_PACKET) typedef enum ipsec_punt_reason_t_ { -- cgit 1.2.3-korg