
Commit 67b8a7f

Filip Tehlar authored and bganne committed
ikev2: fix udp encap
Type: fix Change-Id: I8c66f79f2d8cfff7c6d45e1fc5b529ffb3941491 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
1 parent a6c34a1 commit 67b8a7f


2 files changed

+23
-9
lines changed


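--- a/src/plugins/ikev2/ikev2.c
+++ b/src/plugins/ikev2/ikev2.c
@@ -1815,7 +1815,6 @@ ikev2_add_tunnel_from_main (ikev2_add_ipsec_tunnel_args_t * a)
 ikev2_main_t *km = &ikev2_main;
 u32 sw_if_index;
 int rv = 0;
-ip46_address_t zero_addr = ip46_address_initializer;
 
 if (~0 == a->sw_if_index)
 {
@@ -1864,16 +1863,16 @@ ikev2_add_tunnel_from_main (ikev2_add_ipsec_tunnel_args_t * a)
 a->local_spi,
 IPSEC_PROTOCOL_ESP, a->encr_type,
 &a->loc_ckey, a->integ_type, &a->loc_ikey,
-a->flags, 0, a->salt_local, &zero_addr,
-&zero_addr, TUNNEL_ENCAP_DECAP_FLAG_NONE,
+a->flags, 0, a->salt_local, &a->local_ip,
+&a->remote_ip, TUNNEL_ENCAP_DECAP_FLAG_NONE,
 IP_DSCP_CS0, NULL, a->src_port, a->dst_port);
 
 rv |= ipsec_sa_add_and_lock (a->remote_sa_id, a->remote_spi,
 IPSEC_PROTOCOL_ESP, a->encr_type, &a->rem_ckey,
 a->integ_type, &a->rem_ikey,
 (a->flags | IPSEC_SA_FLAG_IS_INBOUND), 0,
-a->salt_remote, &zero_addr,
-&zero_addr, TUNNEL_ENCAP_DECAP_FLAG_NONE,
+a->salt_remote, &a->remote_ip,
+&a->local_ip, TUNNEL_ENCAP_DECAP_FLAG_NONE,
 IP_DSCP_CS0, NULL,
 a->ipsec_over_udp_port,
 a->ipsec_over_udp_port);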
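Review bot: The inbound SA call `rv |= ipsec_sa_add_and_lock (a->remote_sa_id, ...` now passes `&a->remote_ip` then `&a->local_ip`, the reverse of the outbound call's `&a->local_ip`, `&a->remote_ip`; because these are positional tunnel endpoint arguments, a short comment above the inbound call, e.g. `/* inbound SA: tunnel src is the peer, dst is this node */`, would stop a later edit from "harmonising" the two orders. Both calls OR their result into rv instead of checking it, so if the outbound add fails the inbound SA is still created and locked; whether the caller unwinds such a half-created pair is outside the hunk. With zero_addr removed, no SA from this function is created with unset endpoints any more, which is presumably what the UDP-encap path needed — the SA-side handling is not shown here. ikev2_add_tunnel_from_main starts before the first hunk and continues after the second.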

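--- a/src/plugins/ikev2/test/test_ikev2.py
+++ b/src/plugins/ikev2/test/test_ikev2.py
@@ -181,7 +181,9 @@ class IKEv2SA(object):
 def __init__(self, test, is_initiator=True, i_id=None, r_id=None,
 spi=b'\x01\x02\x03\x04\x05\x06\x07\x08', id_type='fqdn',
 nonce=None, auth_data=None, local_ts=None, remote_ts=None,
-auth_method='shared-key', priv_key=None, natt=False):
+auth_method='shared-key', priv_key=None, natt=False,
+udp_encap=False):
+self.udp_encap = udp_encap
 self.natt = natt
 if natt:
 self.sport = 4500
@@ -662,6 +664,13 @@ def encrypt_ike_msg(self, header, plain, first_payload):
 assert(len(res) == tlen)
 return res
 
+def verify_udp_encap(self, ipsec_sa):
+e = VppEnum.vl_api_ipsec_sad_flags_t
+if self.sa.udp_encap or self.sa.natt:
+self.assertIn(e.IPSEC_API_SAD_FLAG_UDP_ENCAP, ipsec_sa.flags)
+else:
+self.assertNotIn(e.IPSEC_API_SAD_FLAG_UDP_ENCAP, ipsec_sa.flags)
+
 def verify_ipsec_sas(self, is_rekey=False):
 sas = self.vapi.ipsec_sa_dump()
 if is_rekey:
@@ -671,7 +680,6 @@ def verify_ipsec_sas(self, is_rekey=False):
 else:
 sa_count = 2
 self.assertEqual(len(sas), sa_count)
-e = VppEnum.vl_api_ipsec_sad_flags_t
 if self.sa.is_initiator:
 if is_rekey:
 sa0 = sas[0].entry
@@ -689,6 +697,8 @@ def verify_ipsec_sas(self, is_rekey=False):
 
 c = self.sa.child_sas[0]
 
+self.verify_udp_encap(sa0)
+self.verify_udp_encap(sa1)
 vpp_crypto_alg = self.vpp_enums[self.sa.vpp_esp_cypto_alg]
 self.assertEqual(sa0.crypto_algorithm, vpp_crypto_alg)
 self.assertEqual(sa1.crypto_algorithm, vpp_crypto_alg)
@@ -1332,13 +1342,17 @@ def config_params(self, params={}):
 if 'esp_transforms' in params:
 self.p.add_esp_transforms(params['esp_transforms'])
 
+udp_encap = False if 'udp_encap' not in params else\
+params['udp_encap']
+if udp_encap:
+self.p.set_udp_encap(True)
+
 self.sa = IKEv2SA(self, i_id=idi['data'], r_id=idr['data'],
 is_initiator=is_init,
 id_type=self.p.local_id['id_type'], natt=is_natt,
 priv_key=client_priv, auth_method=auth_method,
-auth_data=auth_data,
+auth_data=auth_data, udp_encap=udp_encap,
 local_ts=self.p.remote_ts, remote_ts=self.p.local_ts)
-
 if is_init:
 ike_crypto = ('AES-CBC', 32) if 'ike-crypto' not in params else\
 params['ike-crypto']
@@ -1687,6 +1701,7 @@ class TestResponderRsaSign(TemplateResponder, Ikev2Params):
 """ test ikev2 responder - cert based auth """
 def config_tc(self):
 self.config_params({
+'udp_encap': True,
 'auth': 'rsa-sig',
 'server-key': 'server-key.pem',
 'client-key': 'client-key.pem',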
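Review bot: The new `udp_encap = False if 'udp_encap' not in params else\ params['udp_encap']` in config_params spells a dict lookup with a default as a two-line conditional with a backslash continuation; `udp_encap = params.get('udp_encap', False)` is the same value in one line. Removing `e = VppEnum.vl_api_ipsec_sad_flags_t` from verify_ipsec_sas is only safe if no later line of that method still references `e` — the rest of its body is outside the hunk, so please confirm no remaining use. The new verify_udp_encap deserves a docstring stating that NAT-T also implies the flag, e.g. `"""Assert IPSEC_API_SAD_FLAG_UDP_ENCAP is set on ipsec_sa iff udp_encap or NAT-T is configured."""`, since a reader of a udp_encap=False test may otherwise not expect the assertIn branch to be taken. The `params={}` default in the config_params signature is a shared mutable default; it is pre-existing and only visible in the hunk header.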
