From e5d34919b4561a5ee11e41dec6b0184537b39696 Mon Sep 17 00:00:00 2001
From: Filip Tehlar
Date: Mon, 2 Mar 2020 15:17:37 +0000
Subject: ikev2: add support for custom ipsec-over-udp port

Type: feature

Change-Id: Ifee2b3dca85ea915067b9285e3636802bf0c19a8
Signed-off-by: Filip Tehlar
---
 src/vnet/ipsec/ipsec_api.c | 8 +++++---
 src/vnet/ipsec/ipsec_cli.c | 7 ++++---
 src/vnet/ipsec/ipsec_sa.c | 15 ++++++++++++---
 src/vnet/ipsec/ipsec_sa.h | 5 ++++-
 4 files changed, 25 insertions(+), 10 deletions(-)

(limited to 'src/vnet/ipsec')

diff --git a/src/vnet/ipsec/ipsec_api.c b/src/vnet/ipsec/ipsec_api.c
index c7ce3ef83d5..177300aeb9a 100644
--- a/src/vnet/ipsec/ipsec_api.c
+++ b/src/vnet/ipsec/ipsec_api.c
@@ -372,7 +372,7 @@ static void vl_api_ipsec_sad_entry_add_del_t_handler
 crypto_alg, &crypto_key, integ_alg, &integ_key, flags, 0, mp->entry.salt, &tun_src, &tun_dst,
-&sa_index);
+&sa_index, IPSEC_UDP_PORT_NONE);
 else
 rv = ipsec_sa_unlock_id (id);
@@ -662,7 +662,8 @@ vl_api_ipsec_tunnel_if_add_del_t_handler (vl_api_ipsec_tunnel_if_add_del_t *
 &integ_key,
 (flags | IPSEC_SA_FLAG_IS_INBOUND),
 ntohl (mp->tx_table_id),
-mp->salt, &remote_ip, &local_ip, NULL);
+mp->salt, &remote_ip, &local_ip, NULL,
+IPSEC_UDP_PORT_NONE);
 if (rv)
 goto done;
@@ -676,7 +677,8 @@ vl_api_ipsec_tunnel_if_add_del_t_handler (vl_api_ipsec_tunnel_if_add_del_t *
 &integ_key,
 flags,
 ntohl (mp->tx_table_id),
-mp->salt, &local_ip, &remote_ip, NULL);
+mp->salt, &local_ip, &remote_ip, NULL,
+IPSEC_UDP_PORT_NONE);
 if (rv)
 goto done;
diff --git a/src/vnet/ipsec/ipsec_cli.c b/src/vnet/ipsec/ipsec_cli.c
index 04061901ccc..7779e79f067 100644
--- a/src/vnet/ipsec/ipsec_cli.c
+++ b/src/vnet/ipsec/ipsec_cli.c
@@ -149,7 +149,8 @@ ipsec_sa_add_del_command_fn (vlib_main_t * vm,
 rv = ipsec_sa_add_and_lock (id, spi, proto, crypto_alg, &ck, integ_alg, &ik, flags, 0, clib_host_to_net_u32 (salt),
-&tun_src, &tun_dst, NULL);
+&tun_src, &tun_dst, NULL,
+IPSEC_UDP_PORT_NONE);
 else
 rv = ipsec_sa_unlock_id (id);
@@ -852,14 +853,14 @@ create_ipsec_tunnel_command_fn (vlib_main_t * vm,
 local_spi, IPSEC_PROTOCOL_ESP, crypto_alg, &lck, integ_alg, &lik, flags, table_id, clib_host_to_net_u32 (salt), &local_ip,
-&remote_ip, NULL);
+&remote_ip, NULL, IPSEC_UDP_PORT_NONE);
 rv |= ipsec_sa_add_and_lock (ipsec_tun_mk_remote_sa_id (sw_if_index), remote_spi, IPSEC_PROTOCOL_ESP, crypto_alg, &rck, integ_alg, &rik, (flags | IPSEC_SA_FLAG_IS_INBOUND), table_id, clib_host_to_net_u32 (salt), &remote_ip,
-&local_ip, NULL);
+&local_ip, NULL, IPSEC_UDP_PORT_NONE);
 rv |= ipsec_tun_protect_update_one (sw_if_index, &nh, ipsec_tun_mk_local_sa_id (sw_if_index),
diff --git a/src/vnet/ipsec/ipsec_sa.c b/src/vnet/ipsec/ipsec_sa.c
index 4401c2e3d74..0e1e63d0db4 100644
--- a/src/vnet/ipsec/ipsec_sa.c
+++ b/src/vnet/ipsec/ipsec_sa.c
@@ -135,7 +135,8 @@ ipsec_sa_add_and_lock (u32 id,
 u32 tx_table_id,
 u32 salt,
 const ip46_address_t * tun_src,
-const ip46_address_t * tun_dst, u32 * sa_out_index)
+const ip46_address_t * tun_dst, u32 * sa_out_index,
+u16 dst_port)
 {
 vlib_main_t *vm = vlib_get_main ();
 ipsec_main_t *im = &ipsec_main;
@@ -269,8 +270,16 @@ ipsec_sa_add_and_lock (u32 id,
 if (ipsec_sa_is_set_UDP_ENCAP (sa))
 {
-sa->udp_hdr.src_port = clib_host_to_net_u16 (UDP_DST_PORT_ipsec);
-sa->udp_hdr.dst_port = clib_host_to_net_u16 (UDP_DST_PORT_ipsec);
+if (dst_port == IPSEC_UDP_PORT_NONE)
+{
+sa->udp_hdr.src_port = clib_host_to_net_u16 (UDP_DST_PORT_ipsec);
+sa->udp_hdr.dst_port = clib_host_to_net_u16 (UDP_DST_PORT_ipsec);
+}
+else
+{
+sa->udp_hdr.src_port = clib_host_to_net_u16 (dst_port);
+sa->udp_hdr.dst_port = clib_host_to_net_u16 (dst_port);
+}
 }
 hash_set (im->sa_index_by_sa_id, sa->id, sa_index);
diff --git a/src/vnet/ipsec/ipsec_sa.h b/src/vnet/ipsec/ipsec_sa.h
index e0d74e1309e..0997eb7d8bc 100644
--- a/src/vnet/ipsec/ipsec_sa.h
+++ b/src/vnet/ipsec/ipsec_sa.h
@@ -16,6 +16,7 @@
 #define __IPSEC_SPD_SA_H__
 #include
+#include
 #include
 #include
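Review bot: In the UDP_ENCAP branch the new `dst_port == IPSEC_UDP_PORT_NONE` test treats `(u16)~0`, i.e. 65535, as "no port", so a caller that asks for UDP port 65535 is silently given the default, and a caller that passes 0 gets a UDP header with port 0 and no error; rejecting 0 and stating that 65535 is reserved would make the contract explicit, and the sentinel definition in the ipsec_sa.h hunk should say the same. The two branches differ only in the port value, so they collapse to `u16 port = (dst_port == IPSEC_UDP_PORT_NONE) ? UDP_DST_PORT_ipsec : dst_port;` followed by `sa->udp_hdr.src_port = clib_host_to_net_u16 (port);` and `sa->udp_hdr.dst_port = clib_host_to_net_u16 (port);`. Since the value is written into both src_port and dst_port, a name such as `udp_port` would describe the parameter better than `dst_port`. Only the encapsulation header is set here; as far as this path-filtered diff shows nothing registers a custom port for inbound decapsulation, so that presumably lives elsewhere and is worth confirming. ipsec_sa_add_and_lock continues outside the hunk.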
@@ -209,7 +210,7 @@ extern int ipsec_sa_add_and_lock (u32 id,
 u32 salt,
 const ip46_address_t * tunnel_src_addr,
 const ip46_address_t * tunnel_dst_addr,
-u32 * sa_index);
+u32 * sa_index, u16 dst_port);
 extern index_t ipsec_sa_find_and_lock (u32 id);
 extern int ipsec_sa_unlock_id (u32 id);
 extern void ipsec_sa_unlock (index_t sai);
@@ -233,6 +234,8 @@ extern uword unformat_ipsec_integ_alg (unformat_input_t * input,
 va_list * args);
 extern uword unformat_ipsec_key (unformat_input_t * input, va_list * args);
+#define IPSEC_UDP_PORT_NONE ((u16)~0)
+
 /*
 * Anti Replay definitions
 */
--
cgit 1.2.3-korg
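Review bot: The new `u16 dst_port` parameter on the ipsec_sa_add_and_lock declaration is undocumented, and nothing in the header says what passing `IPSEC_UDP_PORT_NONE` means or that the value only matters when the SA has UDP encapsulation enabled. A comment on the declaration such as `/* dst_port: UDP port written into both the source and destination port of the UDP encapsulation header when the SA's UDP_ENCAP flag is set; IPSEC_UDP_PORT_NONE selects UDP_DST_PORT_ipsec */` would give callers the contract without reading ipsec_sa.c. Whether the port is consulted anywhere else in the function cannot be seen from the ipsec_sa.c hunks, so "ignored otherwise" should only be added once confirmed.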
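Review bot: `IPSEC_UDP_PORT_NONE` is introduced as a bare `#define` with no comment, so a reader of the header cannot tell it is a sentinel rather than a port, nor that 65535 is consequently not requestable as a custom port. A one-line comment above the define, e.g. `/* "use the default UDP_DST_PORT_ipsec" sentinel for ipsec_sa_add_and_lock; port 65535 itself cannot be requested */`, would cover that. Placing the define next to the ipsec_sa_add_and_lock declaration it belongs to, rather than after the unformat helpers, would also make it easier to find.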