From 4dc5a43f4871c3f0a88ad0bb9041332bf3b03f1b Mon Sep 17 00:00:00 2001
From: Neale Ranns
Date: Mon, 17 Feb 2020 10:39:09 +0000
Subject: ikev2: IKE plugin manages the state of the protected tunnel interface

Type: improvement

IKE will bring the tunnel up ince the negociation is complete and bring it down when the session ends. It is the clinets responsibility to manage the state of the tunnel before and after these events. So to prevent any unencrpyted traffic egressing the tunnel before the session is negpciated, the tunnel should be in the down state when it a associated with the IKE session.

Change-Id: I8aee593c79ca006d6ab08f9fa560fbbf6f8dcc16
Signed-off-by: Neale Ranns
---
 src/plugins/ikev2/ikev2.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

(limited to 'src')

diff --git a/src/plugins/ikev2/ikev2.c b/src/plugins/ikev2/ikev2.c
index 75b9dcbac61..7d03150bd45 100644
--- a/src/plugins/ikev2/ikev2.c
+++ b/src/plugins/ikev2/ikev2.c
@@ -1525,7 +1525,10 @@ ikev2_add_tunnel_from_main (ikev2_add_ipsec_tunnel_args_t * a)
 hash_set1 (km->sw_if_indices, sw_if_index);
 }
 else
- sw_if_index = a->sw_if_index;
+ {
+ sw_if_index = a->sw_if_index;
+ vnet_sw_interface_admin_up (vnet_get_main (), sw_if_index);
+ }
 
 if (rv)
 {
@@ -1797,7 +1800,10 @@ ikev2_del_tunnel_from_main (ikev2_del_ipsec_tunnel_args_t * a)
 sw_if_index = ~0;
 }
 else
- sw_if_index = a->sw_if_index;
+ {
+ sw_if_index = a->sw_if_index;
+ vnet_sw_interface_admin_down (vnet_get_main (), sw_if_index);
+ }
 
 if (~0 != sw_if_index)
 ipsec_tun_protect_del (sw_if_index);
-- cgit 1.2.3-korg
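Review bot: The admin-up call in the `else` branch of ikev2_add_tunnel_from_main runs before the `if (rv)` check that follows it and, as far as this hunk shows, before any tunnel protection has been attached to the client-supplied interface. If the SAs and protection are installed later in the function (that part is outside the hunk), the interface is briefly up with nothing protecting it, which is the cleartext-egress window the commit message sets out to close. Moving `vnet_sw_interface_admin_up (vnet_get_main (), sw_if_index);` to the point where the protection update has succeeded would close that window and avoid leaving the interface up on an error path.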
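Review bot: The new `else` block in ikev2_del_tunnel_from_main has no comment explaining that the order (admin-down first, `ipsec_tun_protect_del` afterwards) is what keeps traffic from leaving the interface once protection is removed. A later refactor could swap the two calls without noticing the consequence. I would add above the call something like `/* IKE owns the admin state of a client-supplied tunnel: take it down before removing protection so nothing egresses in the clear */`. The same comment should state that the interface is forced down regardless of the state the client left it in, since that contract is visible only in the commit message. The function body continues outside the hunk.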