2 * decap.c : IPSec tunnel support
4 * Copyright (c) 2015 Cisco and/or its affiliates.
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
9 * http://www.apache.org/licenses/LICENSE-2.0
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
18 #include <vnet/vnet.h>
19 #include <vnet/api_errno.h>
20 #include <vnet/ip/ip.h>
21 #include <vnet/interface.h>
23 #include <vnet/ipsec/ipsec.h>
/* CLI handler for "set interface ipsec spd <int> <id> [del]": binds (or, with
   "del", unbinds) an SPD to a software interface via ipsec_set_interface_spd().
   Only part of the original body survives in this listing (the return type
   line, braces, the spd_id/is_add declarations and the final return are not
   shown), so the fragments below are kept verbatim.
   @param vm     vlib main
   @param input  CLI input; one line is consumed through unformat_line_input
   @param cmd    the registered command (not used in the visible code)
   @return presumably the clib_error_t * built below (NULL on success) */
26 set_interface_spd_command_fn (vlib_main_t * vm,
27 unformat_input_t * input,
28 vlib_cli_command_t * cmd)
/* _line_input is stack storage; unformat_free() at the end releases whatever
   unformat_line_input allocated inside it. */
30 unformat_input_t _line_input, *line_input = &_line_input;
31 ipsec_main_t *im = &ipsec_main;
/* (u32) ~0 is the "no interface" sentinel; a successful parse overwrites it. */
32 u32 sw_if_index = (u32) ~ 0;
35 clib_error_t *error = NULL;
37 if (!unformat_user (input, unformat_line_input, line_input))
/* "<interface> <spd-id>": the interface name is resolved against im->vnet_main. */
41 (line_input, "%U %u", unformat_vnet_sw_interface, im->vnet_main,
42 &sw_if_index, &spd_id))
44 else if (unformat (line_input, "del"))
48 error = clib_error_return (0, "parse error: '%U'",
49 format_unformat_error, line_input);
/* NOTE(review): whatever ipsec_set_interface_spd() reports through its return
   value is discarded here, so a failed bind is not surfaced to the operator.
   Whether the lines missing from this listing reject sw_if_index == ~0 before
   this call cannot be seen — confirm. */
53 ipsec_set_interface_spd (vm, sw_if_index, spd_id, is_add);
56 unformat_free (line_input);
/* CLI registration for the handler above. */
62 VLIB_CLI_COMMAND (set_interface_spd_command, static) = {
63 .path = "set interface ipsec spd",
65 "set interface ipsec spd <int> <id>",
66 .function = set_interface_spd_command_fn,
/* CLI handler for "ipsec sa [add|del] <id> ...": parses an SA description
   (spi, esp/ah, crypto/integrity algorithm and key, tunnel endpoints,
   udp-encap), asks the crypto backend whether it supports it, and passes it to
   ipsec_add_del_sa(). Several lines of the original (return type, braces, the
   sa/ck/ik/is_add declarations, the goto/return plumbing) are missing from this
   listing; the surviving fragments are kept verbatim.
   @param vm     vlib main
   @param input  CLI input; one line is consumed through unformat_line_input
   @param cmd    the registered command (not used in the visible code)
   @return presumably the clib_error_t * built below (NULL on success) */
71 ipsec_sa_add_del_command_fn (vlib_main_t * vm,
72 unformat_input_t * input,
73 vlib_cli_command_t * cmd)
75 ipsec_main_t *im = &ipsec_main;
76 unformat_input_t _line_input, *line_input = &_line_input;
80 clib_error_t *error = NULL;
/* Start from an all-zero SA so every field the operator does not mention has
   a defined value. */
82 memset (&sa, 0, sizeof (sa));
84 if (!unformat_user (input, unformat_line_input, line_input))
87 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
89 if (unformat (line_input, "add %u", &sa.id))
91 else if (unformat (line_input, "del %u", &sa.id))
93 else if (unformat (line_input, "spi %u", &sa.spi))
95 else if (unformat (line_input, "esp"))
96 sa.protocol = IPSEC_PROTOCOL_ESP;
97 else if (unformat (line_input, "ah"))
99 sa.protocol = IPSEC_PROTOCOL_AH;
/* The key arrives as a hex string and is kept as a byte vector (ck); its
   length is the number of decoded bytes, not a string length. */
102 if (unformat (line_input, "crypto-key %U", unformat_hex_string, &ck))
103 sa.crypto_key_len = vec_len (ck);
106 (line_input, "crypto-alg %U", unformat_ipsec_crypto_alg,
/* Reject algorithm values outside the enum range before they reach the
   backend. */
109 if (sa.crypto_alg < IPSEC_CRYPTO_ALG_NONE ||
110 sa.crypto_alg >= IPSEC_CRYPTO_N_ALG)
112 error = clib_error_return (0, "unsupported crypto-alg: '%U'",
113 format_ipsec_crypto_alg,
119 if (unformat (line_input, "integ-key %U", unformat_hex_string, &ik))
120 sa.integ_key_len = vec_len (ik);
121 else if (unformat (line_input, "integ-alg %U", unformat_ipsec_integ_alg,
124 if (sa.integ_alg < IPSEC_INTEG_ALG_NONE ||
125 sa.integ_alg >= IPSEC_INTEG_N_ALG)
127 error = clib_error_return (0, "unsupported integ-alg: '%U'",
128 format_ipsec_integ_alg,
/* IPv4 endpoints are tried first; the IPv6 forms below set is_tunnel_ip6. */
133 else if (unformat (line_input, "tunnel-src %U",
134 unformat_ip4_address, &sa.tunnel_src_addr.ip4))
136 else if (unformat (line_input, "tunnel-dst %U",
137 unformat_ip4_address, &sa.tunnel_dst_addr.ip4))
139 else if (unformat (line_input, "tunnel-src %U",
140 unformat_ip6_address, &sa.tunnel_src_addr.ip6))
143 sa.is_tunnel_ip6 = 1;
145 else if (unformat (line_input, "tunnel-dst %U",
146 unformat_ip6_address, &sa.tunnel_dst_addr.ip6))
149 sa.is_tunnel_ip6 = 1;
151 else if (unformat (line_input, "udp-encap"))
157 error = clib_error_return (0, "parse error: '%U'",
158 format_unformat_error, line_input);
/* Bound the copy below to the fixed-size key fields. NOTE(review): an
   over-long key is silently truncated here rather than rejected; an explicit
   error would make a mistyped key visible to the operator. */
163 if (sa.crypto_key_len > sizeof (sa.crypto_key))
164 sa.crypto_key_len = sizeof (sa.crypto_key);
166 if (sa.integ_key_len > sizeof (sa.integ_key))
167 sa.integ_key_len = sizeof (sa.integ_key);
/* NOTE(review): strncpy treats ck as a C string: it stops at the first 0x00
   byte of the decoded key and zero-fills the remainder, so any key containing
   a zero byte is installed truncated while crypto_key_len still claims the
   full length. The length is already clamped above, so a plain memcpy (or the
   project's clib_memcpy) of crypto_key_len bytes is the correct copy. The
   same applies to the integ_key copy three lines down. */
170 strncpy ((char *) sa.crypto_key, (char *) ck, sa.crypto_key_len);
173 strncpy ((char *) sa.integ_key, (char *) ik, sa.integ_key_len);
/* Let the registered crypto backend veto algorithm/key combinations it cannot
   handle; the callback must be registered (ASSERT) before the CLI is usable. */
177 ASSERT (im->cb.check_support_cb);
178 error = im->cb.check_support_cb (&sa);
/* NOTE(review): the return value of ipsec_add_del_sa() is discarded, so a
   rejected add/del is not reported. Freeing of the ck/ik vectors is not
   visible in this listing — confirm it happens on every exit path. */
183 ipsec_add_del_sa (vm, &sa, is_add);
186 unformat_free (line_input);
/* CLI registration for the handler above. */
192 VLIB_CLI_COMMAND (ipsec_sa_add_del_command, static) = {
195 "ipsec sa [add|del]",
196 .function = ipsec_sa_add_del_command_fn,
/* CLI handler for "ipsec spd [add|del] <id>": creates or deletes a security
   policy database by numeric id via ipsec_add_del_spd(). Braces, the
   spd_id/is_add declarations and the return are missing from this listing;
   the surviving fragments are kept verbatim.
   @param vm     vlib main
   @param input  CLI input; one line is consumed through unformat_line_input
   @param cmd    the registered command (not used in the visible code)
   @return presumably the clib_error_t * built below (NULL on success) */
200 static clib_error_t *
201 ipsec_spd_add_del_command_fn (vlib_main_t * vm,
202 unformat_input_t * input,
203 vlib_cli_command_t * cmd)
205 unformat_input_t _line_input, *line_input = &_line_input;
208 clib_error_t *error = NULL;
210 if (!unformat_user (input, unformat_line_input, line_input))
213 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
215 if (unformat (line_input, "add"))
217 else if (unformat (line_input, "del"))
/* A bare number is the SPD id; any other token is a parse error. */
219 else if (unformat (line_input, "%u", &spd_id))
223 error = clib_error_return (0, "parse error: '%U'",
224 format_unformat_error, line_input);
/* The id is mandatory; the condition guarding this error is not shown here
   (presumably spd_id still holds its sentinel). */
231 error = clib_error_return (0, "please specify SPD ID");
/* NOTE(review): the return value of ipsec_add_del_spd() is discarded. */
235 ipsec_add_del_spd (vm, spd_id, is_add);
238 unformat_free (line_input);
/* CLI registration for the handler above. */
244 VLIB_CLI_COMMAND (ipsec_spd_add_del_command, static) = {
247 "ipsec spd [add|del] <id>",
248 .function = ipsec_spd_add_del_command_fn,
/* CLI handler for "ipsec policy [add|del] spd <id> priority <n> ...": builds
   an ipsec_policy_t from the command line (direction, protocol, action, SA,
   address and port ranges) and passes it to ipsec_add_del_policy(). Braces,
   the p/tmp/tmp2/is_add/p1/sa declarations and the goto/return plumbing are
   missing from this listing; the surviving fragments are kept verbatim.
   @param vm     vlib main
   @param input  CLI input; one line is consumed through unformat_line_input
   @param cmd    the registered command (not used in the visible code)
   @return presumably the clib_error_t * built below (NULL on success) */
253 static clib_error_t *
254 ipsec_policy_add_del_command_fn (vlib_main_t * vm,
255 unformat_input_t * input,
256 vlib_cli_command_t * cmd)
258 unformat_input_t _line_input, *line_input = &_line_input;
263 clib_error_t *error = NULL;
/* Defaults: zero everything, then open the port and address ranges fully
   (start 0 from the memset, stop all-ones) so an unspecified range matches
   any value. */
265 memset (&p, 0, sizeof (p));
266 p.lport.stop = p.rport.stop = ~0;
267 p.laddr.stop.ip4.as_u32 = p.raddr.stop.ip4.as_u32 = (u32) ~ 0;
268 p.laddr.stop.ip6.as_u64[0] = p.laddr.stop.ip6.as_u64[1] = (u64) ~ 0;
269 p.raddr.stop.ip6.as_u64[0] = p.raddr.stop.ip6.as_u64[1] = (u64) ~ 0;
271 if (!unformat_user (input, unformat_line_input, line_input))
274 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
276 if (unformat (line_input, "add"))
278 else if (unformat (line_input, "del"))
280 else if (unformat (line_input, "spd %u", &p.id))
282 else if (unformat (line_input, "inbound"))
284 else if (unformat (line_input, "outbound"))
286 else if (unformat (line_input, "priority %d", &p.priority))
/* Protocol is parsed as u32 then narrowed; values above 255 are silently
   truncated by the cast. */
288 else if (unformat (line_input, "protocol %u", &tmp))
289 p.protocol = (u8) tmp;
292 (line_input, "action %U", unformat_ipsec_policy_action,
/* "resolve" is a recognised action name but has no implementation here. */
295 if (p.policy == IPSEC_POLICY_ACTION_RESOLVE)
297 error = clib_error_return (0, "unsupported action: 'resolve'");
301 else if (unformat (line_input, "sa %u", &p.sa_id))
/* IPv4 ranges are tried before IPv6 ones; the IPv6 forms presumably set
   p.is_ipv6 on lines not shown in this listing. */
303 else if (unformat (line_input, "local-ip-range %U - %U",
304 unformat_ip4_address, &p.laddr.start.ip4,
305 unformat_ip4_address, &p.laddr.stop.ip4))
307 else if (unformat (line_input, "remote-ip-range %U - %U",
308 unformat_ip4_address, &p.raddr.start.ip4,
309 unformat_ip4_address, &p.raddr.stop.ip4))
311 else if (unformat (line_input, "local-ip-range %U - %U",
312 unformat_ip6_address, &p.laddr.start.ip6,
313 unformat_ip6_address, &p.laddr.stop.ip6))
318 else if (unformat (line_input, "remote-ip-range %U - %U",
319 unformat_ip6_address, &p.raddr.start.ip6,
320 unformat_ip6_address, &p.raddr.stop.ip6))
/* Ports are parsed into tmp/tmp2; the assignment into p.lport / p.rport is
   on lines not shown here. NOTE(review): no visible check that start <= stop
   or that the values fit in 16 bits — confirm in the missing lines. */
325 else if (unformat (line_input, "local-port-range %u - %u", &tmp, &tmp2))
331 if (unformat (line_input, "remote-port-range %u - %u", &tmp, &tmp2))
338 error = clib_error_return (0, "parse error: '%U'",
339 format_unformat_error, line_input);
344 /* Check if SA is for IPv6/AH which is not supported. Return error if TRUE. */
348 ipsec_main_t *im = &ipsec_main;
/* Resolve the operator-supplied SA id to a pool index; the guard that tests
   p1 for NULL is on a line not shown here. */
350 p1 = hash_get (im->sa_index_by_sa_id, p.sa_id);
354 clib_error_return (0, "SA with index %u not found", p.sa_id);
357 sa = pool_elt_at_index (im->sad, p1[0]);
358 if (sa && sa->protocol == IPSEC_PROTOCOL_AH && is_add && p.is_ipv6)
/* NOTE(review): the '%U' here formats the unformat error state of line_input,
   which the loop above has already consumed, so the message likely carries no
   useful detail; printing p.sa_id would tell the operator which SA was
   rejected. */
360 error = clib_error_return (0, "AH not supported for IPV6: '%U'",
361 format_unformat_error, line_input);
/* Two call sites follow; the branch structure around them (presumably the
   protect-with-SA path vs. the bypass/discard path) is not visible in this
   listing. NOTE(review): the return value is discarded at both. */
365 ipsec_add_del_policy (vm, &p, is_add);
369 ipsec_add_del_policy (vm, &p, is_add);
373 unformat_free (line_input);
/* CLI registration for the handler above. */
379 VLIB_CLI_COMMAND (ipsec_policy_add_del_command, static) = {
380 .path = "ipsec policy",
382 "ipsec policy [add|del] spd <id> priority <n> ",
383 .function = ipsec_policy_add_del_command_fn,
/* CLI handler for "set ipsec sa <id> crypto-key <key> integ-key <key>":
   replaces the keys of an existing SA via ipsec_set_sa_key(). Braces, the
   sa/ck/ik declarations and the goto/return plumbing are missing from this
   listing; the surviving fragments are kept verbatim.
   @param vm     vlib main
   @param input  CLI input; one line is consumed through unformat_line_input
   @param cmd    the registered command (not used in the visible code)
   @return presumably the clib_error_t * built below (NULL on success) */
387 static clib_error_t *
388 set_ipsec_sa_key_command_fn (vlib_main_t * vm,
389 unformat_input_t * input,
390 vlib_cli_command_t * cmd)
392 unformat_input_t _line_input, *line_input = &_line_input;
395 clib_error_t *error = NULL;
/* Only id and key fields of this scratch SA are filled in below. */
397 memset (&sa, 0, sizeof (sa));
399 if (!unformat_user (input, unformat_line_input, line_input))
402 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
404 if (unformat (line_input, "%u", &sa.id))
/* Keys arrive as hex strings and are kept as byte vectors; the length is the
   number of decoded bytes. */
407 if (unformat (line_input, "crypto-key %U", unformat_hex_string, &ck))
408 sa.crypto_key_len = vec_len (ck);
410 if (unformat (line_input, "integ-key %U", unformat_hex_string, &ik))
411 sa.integ_key_len = vec_len (ik);
414 error = clib_error_return (0, "parse error: '%U'",
415 format_unformat_error, line_input);
/* Bound the copies below to the fixed-size key fields. NOTE(review): an
   over-long key is silently truncated rather than rejected. */
420 if (sa.crypto_key_len > sizeof (sa.crypto_key))
421 sa.crypto_key_len = sizeof (sa.crypto_key);
423 if (sa.integ_key_len > sizeof (sa.integ_key))
424 sa.integ_key_len = sizeof (sa.integ_key);
/* NOTE(review): strncpy stops at the first 0x00 byte of the decoded key and
   zero-fills the rest, so a key containing a zero byte is installed truncated
   while *_key_len still claims the full length. With the length already
   clamped, a plain memcpy (or clib_memcpy) of *_key_len bytes is the correct
   copy for both keys. */
427 strncpy ((char *) sa.crypto_key, (char *) ck, sa.crypto_key_len);
430 strncpy ((char *) sa.integ_key, (char *) ik, sa.integ_key_len);
/* NOTE(review): the return value of ipsec_set_sa_key() is discarded, and the
   ck/ik vectors are not visibly freed in this listing — confirm both. */
432 ipsec_set_sa_key (vm, &sa);
435 unformat_free (line_input);
/* CLI registration for the handler above. */
441 VLIB_CLI_COMMAND (set_ipsec_sa_key_command, static) = {
442 .path = "set ipsec sa",
444 "set ipsec sa <id> crypto-key <key> integ-key <key>",
445 .function = set_ipsec_sa_key_command_fn,
/* CLI handler for "show ipsec": dumps every SA, every SPD with its policies
   (outbound, inbound protect, inbound discard/bypass, for IPv4 and IPv6), and
   every tunnel interface with the state of its output and input SAs. Braces,
   the sa/spd/p/i/protocol/policy declarations, the bodies of some
   conditionals and the return are missing from this listing; the surviving
   fragments are kept verbatim.
   NOTE(review): this command prints the raw crypto and integrity key bytes of
   every SA in hex (see the format_hex_bytes calls below). Anyone who can run
   the CLI, or who receives its output in a log or support bundle, obtains the
   key material; hiding the key bytes unless an explicit option is given would
   limit that exposure.
   @param vm     vlib main
   @param input  CLI input (not consumed in the visible code)
   @param cmd    the registered command (not used in the visible code)
   @return presumably NULL */
449 static clib_error_t *
450 show_ipsec_command_fn (vlib_main_t * vm,
451 unformat_input_t * input, vlib_cli_command_t * cmd)
456 ipsec_main_t *im = &ipsec_main;
458 ipsec_tunnel_if_t *t;
459 vnet_hw_interface_t *hi;
/* --- Security associations --- */
464 pool_foreach (sa, im->sad, ({
/* The protocol label relies on the AH enum value being 0 (non-zero prints
   "esp") — presumably IPSEC_PROTOCOL_AH == 0; verify against the enum. */
466 vlib_cli_output(vm, "sa %u spi %u mode %s protocol %s%s", sa->id, sa->spi,
467 sa->is_tunnel ? "tunnel" : "transport",
468 sa->protocol ? "esp" : "ah",
469 sa->udp_encap ? " udp-encap-enabled" : "");
470 if (sa->protocol == IPSEC_PROTOCOL_ESP) {
/* Key bytes are emitted in clear here (see the note at the top). */
471 vlib_cli_output(vm, " crypto alg %U%s%U integrity alg %U%s%U",
472 format_ipsec_crypto_alg, sa->crypto_alg,
473 sa->crypto_alg ? " key " : "",
474 format_hex_bytes, sa->crypto_key, sa->crypto_key_len,
475 format_ipsec_integ_alg, sa->integ_alg,
476 sa->integ_alg ? " key " : "",
477 format_hex_bytes, sa->integ_key, sa->integ_key_len);
479 if (sa->is_tunnel && sa->is_tunnel_ip6) {
480 vlib_cli_output(vm, " tunnel src %U dst %U",
481 format_ip6_address, &sa->tunnel_src_addr.ip6,
482 format_ip6_address, &sa->tunnel_dst_addr.ip6);
483 } else if (sa->is_tunnel) {
484 vlib_cli_output(vm, " tunnel src %U dst %U",
485 format_ip4_address, &sa->tunnel_src_addr.ip4,
486 format_ip4_address, &sa->tunnel_dst_addr.ip4);
/* --- Security policy databases --- */
493 pool_foreach (spd, im->spds, ({
494 vlib_cli_output(vm, "spd %u", spd->id);
496 vlib_cli_output(vm, " outbound policies");
/* The six vec_foreach loops that follow are copies of one another differing
   only in the index vector walked and the address family formatted; a small
   static helper taking (vm, p, is_ipv6) would remove the duplication.
   "protocol" and "policy" are reused scratch vectors reset per policy. */
497 vec_foreach(i, spd->ipv4_outbound_policies)
499 p = pool_elt_at_index(spd->policies, *i);
500 vec_reset_length(protocol);
501 vec_reset_length(policy);
/* Presumably: named protocol when p->protocol is set, "any" otherwise (the
   condition is not shown). */
503 protocol = format(protocol, "%U", format_ip_protocol, p->protocol);
505 protocol = format(protocol, "any");
/* Only PROTECT policies reference an SA. */
507 if (p->policy == IPSEC_POLICY_ACTION_PROTECT) {
508 policy = format(policy, " sa %u", p->sa_id);
/* %v%v consumes the protocol and policy vectors (argument line not shown). */
511 vlib_cli_output(vm, " priority %d action %U protocol %v%v",
512 p->priority, format_ipsec_policy_action, p->policy,
514 vlib_cli_output(vm, " local addr range %U - %U port range %u - %u",
515 format_ip4_address, &p->laddr.start.ip4,
516 format_ip4_address, &p->laddr.stop.ip4,
517 p->lport.start, p->lport.stop);
518 vlib_cli_output(vm, " remote addr range %U - %U port range %u - %u",
519 format_ip4_address, &p->raddr.start.ip4,
520 format_ip4_address, &p->raddr.stop.ip4,
521 p->rport.start, p->rport.stop);
522 vlib_cli_output(vm, " packets %u bytes %u", p->counter.packets,
525 vec_foreach(i, spd->ipv6_outbound_policies)
527 p = pool_elt_at_index(spd->policies, *i);
528 vec_reset_length(protocol);
529 vec_reset_length(policy);
531 protocol = format(protocol, "%U", format_ip_protocol, p->protocol);
533 protocol = format(protocol, "any");
535 if (p->policy == IPSEC_POLICY_ACTION_PROTECT) {
536 policy = format(policy, " sa %u", p->sa_id);
538 vlib_cli_output(vm, " priority %d action %U protocol %v%v",
539 p->priority, format_ipsec_policy_action, p->policy,
541 vlib_cli_output(vm, " local addr range %U - %U port range %u - %u",
542 format_ip6_address, &p->laddr.start.ip6,
543 format_ip6_address, &p->laddr.stop.ip6,
544 p->lport.start, p->lport.stop);
545 vlib_cli_output(vm, " remote addr range %U - %U port range %u - %u",
546 format_ip6_address, &p->raddr.start.ip6,
547 format_ip6_address, &p->raddr.stop.ip6,
548 p->rport.start, p->rport.stop);
549 vlib_cli_output(vm, " packets %u bytes %u", p->counter.packets,
552 vlib_cli_output(vm, " inbound policies");
553 vec_foreach(i, spd->ipv4_inbound_protect_policy_indices)
555 p = pool_elt_at_index(spd->policies, *i);
556 vec_reset_length(protocol);
557 vec_reset_length(policy);
559 protocol = format(protocol, "%U", format_ip_protocol, p->protocol);
561 protocol = format(protocol, "any");
563 if (p->policy == IPSEC_POLICY_ACTION_PROTECT) {
564 policy = format(policy, " sa %u", p->sa_id);
566 vlib_cli_output(vm, " priority %d action %U protocol %v%v",
567 p->priority, format_ipsec_policy_action, p->policy,
569 vlib_cli_output(vm, " local addr range %U - %U port range %u - %u",
570 format_ip4_address, &p->laddr.start.ip4,
571 format_ip4_address, &p->laddr.stop.ip4,
572 p->lport.start, p->lport.stop);
573 vlib_cli_output(vm, " remote addr range %U - %U port range %u - %u",
574 format_ip4_address, &p->raddr.start.ip4,
575 format_ip4_address, &p->raddr.stop.ip4,
576 p->rport.start, p->rport.stop);
577 vlib_cli_output(vm, " packets %u bytes %u", p->counter.packets,
580 vec_foreach(i, spd->ipv4_inbound_policy_discard_and_bypass_indices)
582 p = pool_elt_at_index(spd->policies, *i);
583 vec_reset_length(protocol);
584 vec_reset_length(policy);
586 protocol = format(protocol, "%U", format_ip_protocol, p->protocol);
588 protocol = format(protocol, "any");
590 if (p->policy == IPSEC_POLICY_ACTION_PROTECT) {
591 policy = format(policy, " sa %u", p->sa_id);
593 vlib_cli_output(vm, " priority %d action %U protocol %v%v",
594 p->priority, format_ipsec_policy_action, p->policy,
596 vlib_cli_output(vm, " local addr range %U - %U port range %u - %u",
597 format_ip4_address, &p->laddr.start.ip4,
598 format_ip4_address, &p->laddr.stop.ip4,
599 p->lport.start, p->lport.stop);
600 vlib_cli_output(vm, " remote addr range %U - %U port range %u - %u",
601 format_ip4_address, &p->raddr.start.ip4,
602 format_ip4_address, &p->raddr.stop.ip4,
603 p->rport.start, p->rport.stop);
604 vlib_cli_output(vm, " packets %u bytes %u", p->counter.packets,
607 vec_foreach(i, spd->ipv6_inbound_protect_policy_indices)
609 p = pool_elt_at_index(spd->policies, *i);
610 vec_reset_length(protocol);
611 vec_reset_length(policy);
613 protocol = format(protocol, "%U", format_ip_protocol, p->protocol);
615 protocol = format(protocol, "any");
617 if (p->policy == IPSEC_POLICY_ACTION_PROTECT) {
618 policy = format(policy, " sa %u", p->sa_id);
620 vlib_cli_output(vm, " priority %d action %U protocol %v%v",
621 p->priority, format_ipsec_policy_action, p->policy,
623 vlib_cli_output(vm, " local addr range %U - %U port range %u - %u",
624 format_ip6_address, &p->laddr.start.ip6,
625 format_ip6_address, &p->laddr.stop.ip6,
626 p->lport.start, p->lport.stop);
627 vlib_cli_output(vm, " remote addr range %U - %U port range %u - %u",
628 format_ip6_address, &p->raddr.start.ip6,
629 format_ip6_address, &p->raddr.stop.ip6,
630 p->rport.start, p->rport.stop);
631 vlib_cli_output(vm, " packets %u bytes %u", p->counter.packets,
634 vec_foreach(i, spd->ipv6_inbound_policy_discard_and_bypass_indices)
636 p = pool_elt_at_index(spd->policies, *i);
637 vec_reset_length(protocol);
638 vec_reset_length(policy);
640 protocol = format(protocol, "%U", format_ip_protocol, p->protocol);
642 protocol = format(protocol, "any");
644 if (p->policy == IPSEC_POLICY_ACTION_PROTECT) {
645 policy = format(policy, " sa %u", p->sa_id);
647 vlib_cli_output(vm, " priority %d action %U protocol %v%v",
648 p->priority, format_ipsec_policy_action, p->policy,
650 vlib_cli_output(vm, " local addr range %U - %U port range %u - %u",
651 format_ip6_address, &p->laddr.start.ip6,
652 format_ip6_address, &p->laddr.stop.ip6,
653 p->lport.start, p->lport.stop);
654 vlib_cli_output(vm, " remote addr range %U - %U port range %u - %u",
655 format_ip6_address, &p->raddr.start.ip6,
656 format_ip6_address, &p->raddr.stop.ip6,
657 p->rport.start, p->rport.stop);
658 vlib_cli_output(vm, " packets %u bytes %u", p->counter.packets,
/* --- Tunnel interfaces --- */
664 vlib_cli_output (vm, "tunnel interfaces");
666 pool_foreach (t, im->tunnel_interfaces, ({
/* hw_if_index == ~0 marks a tunnel with no hardware interface; the action
   taken (presumably skip) is on a line not shown here. */
667 if (t->hw_if_index == ~0)
669 hi = vnet_get_hw_interface (im->vnet_main, t->hw_if_index);
670 vlib_cli_output(vm, " %s seq", hi->name);
/* Outbound (output) SA: sequence-number state, local SPI/IP and, again in
   clear, the local keys. */
671 sa = pool_elt_at_index(im->sad, t->output_sa_index);
672 vlib_cli_output(vm, " seq %u seq-hi %u esn %u anti-replay %u udp-encap %u",
673 sa->seq, sa->seq_hi, sa->use_esn, sa->use_anti_replay, sa->udp_encap);
674 vlib_cli_output(vm, " local-spi %u local-ip %U", sa->spi,
675 format_ip4_address, &sa->tunnel_src_addr.ip4);
676 vlib_cli_output(vm, " local-crypto %U %U",
677 format_ipsec_crypto_alg, sa->crypto_alg,
678 format_hex_bytes, sa->crypto_key, sa->crypto_key_len);
679 vlib_cli_output(vm, " local-integrity %U %U",
680 format_ipsec_integ_alg, sa->integ_alg,
681 format_hex_bytes, sa->integ_key, sa->integ_key_len);
/* Inbound (input) SA: replay state, remote SPI/IP and the remote keys. The
   "remote-ip" is read from this SA's tunnel_src_addr — presumably the input
   SA's source is the peer; verify against how the tunnel is created. */
682 sa = pool_elt_at_index(im->sad, t->input_sa_index);
683 vlib_cli_output(vm, " last-seq %u last-seq-hi %u esn %u anti-replay %u window %U",
684 sa->last_seq, sa->last_seq_hi, sa->use_esn,
686 format_ipsec_replay_window, sa->replay_window);
687 vlib_cli_output(vm, " remote-spi %u remote-ip %U", sa->spi,
688 format_ip4_address, &sa->tunnel_src_addr.ip4);
689 vlib_cli_output(vm, " remote-crypto %U %U",
690 format_ipsec_crypto_alg, sa->crypto_alg,
691 format_hex_bytes, sa->crypto_key, sa->crypto_key_len);
692 vlib_cli_output(vm, " remote-integrity %U %U",
693 format_ipsec_integ_alg, sa->integ_alg,
694 format_hex_bytes, sa->integ_key, sa->integ_key_len);
/* CLI registration for the handler above. */
703 VLIB_CLI_COMMAND (show_ipsec_command, static) = {
704 .path = "show ipsec",
705 .short_help = "show ipsec",
706 .function = show_ipsec_command_fn,
/* CLI handler for "clear ipsec counters": zeroes the packet and byte counters
   of every policy in every SPD. Braces, the spd/p declarations and the
   return are missing from this listing; the surviving fragments are kept
   verbatim.
   @param vm     vlib main
   @param input  CLI input (not consumed in the visible code)
   @param cmd    the registered command (not used in the visible code)
   @return presumably NULL */
710 static clib_error_t *
711 clear_ipsec_counters_command_fn (vlib_main_t * vm,
712 unformat_input_t * input,
713 vlib_cli_command_t * cmd)
715 ipsec_main_t *im = &ipsec_main;
/* Nested pool walk: every SPD, every policy in it. The counters are plain
   stores here; whether worker threads update them concurrently is not visible
   in this file — confirm before relying on an exact reset. */
720 pool_foreach (spd, im->spds, ({
721 pool_foreach(p, spd->policies, ({
722 p->counter.packets = p->counter.bytes = 0;
/* CLI registration for the handler above. */
731 VLIB_CLI_COMMAND (clear_ipsec_counters_command, static) = {
732 .path = "clear ipsec counters",
733 .short_help = "clear ipsec counters",
734 .function = clear_ipsec_counters_command_fn,
/* CLI handler for "create ipsec tunnel ...": fills an
   ipsec_add_del_tunnel_args_t from local/remote IP and SPI (plus optional
   instance, del, udp-encap) and calls ipsec_add_del_tunnel_if(), mapping its
   return code to a CLI error. Braces, the rv declaration, the mandatory
   argument condition, part of the switch and the return are missing from this
   listing; the surviving fragments are kept verbatim.
   @param vm     vlib main
   @param input  CLI input; one line is consumed through unformat_line_input
   @param cmd    the registered command (not used in the visible code)
   @return presumably the clib_error_t * built below (NULL on success) */
738 static clib_error_t *
739 create_ipsec_tunnel_command_fn (vlib_main_t * vm,
740 unformat_input_t * input,
741 vlib_cli_command_t * cmd)
743 unformat_input_t _line_input, *line_input = &_line_input;
744 ipsec_add_del_tunnel_args_t a;
747 clib_error_t *error = NULL;
/* All-zero args; the mandatory-argument check below presumably tests for the
   fields that stayed zero. */
749 memset (&a, 0, sizeof (a));
752 /* Get a line of input. */
753 if (!unformat_user (input, unformat_line_input, line_input))
756 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
/* Only IPv4 endpoints are accepted by this command. */
759 (line_input, "local-ip %U", unformat_ip4_address, &a.local_ip))
763 (line_input, "remote-ip %U", unformat_ip4_address, &a.remote_ip))
765 else if (unformat (line_input, "local-spi %u", &a.local_spi))
767 else if (unformat (line_input, "remote-spi %u", &a.remote_spi))
769 else if (unformat (line_input, "instance %u", &a.show_instance))
771 else if (unformat (line_input, "del"))
773 else if (unformat (line_input, "udp-encap"))
777 error = clib_error_return (0, "unknown input `%U'",
778 format_unformat_error, line_input);
/* The condition guarding this error is not shown; the short_help below lists
   local-ip, local-spi, remote-ip and remote-spi as required. */
785 error = clib_error_return (0, "mandatory argument(s) missing");
/* Unlike the other handlers in this file, the API return code is inspected
   and translated into an operator-facing error. */
789 rv = ipsec_add_del_tunnel_if (&a);
795 case VNET_API_ERROR_INVALID_VALUE:
797 error = clib_error_return (0,
798 "IPSec tunnel interface already exists...");
/* The case label for this branch is not shown here. */
800 error = clib_error_return (0, "IPSec tunnel interface not exists...");
/* Presumably the default branch: surface the raw return code. */
803 error = clib_error_return (0, "ipsec_register_interface returned %d",
809 unformat_free (line_input);
/* CLI registration for the handler above. */
815 VLIB_CLI_COMMAND (create_ipsec_tunnel_command, static) = {
816 .path = "create ipsec tunnel",
817 .short_help = "create ipsec tunnel local-ip <addr> local-spi <spi> remote-ip <addr> remote-spi <spi> [instance <inst_num>] [udp-encap]",
818 .function = create_ipsec_tunnel_command_fn,
/* CLI handler for "set interface ipsec key <int> <local|remote>
   <crypto|integ> <alg> <key>": selects which of the four tunnel-interface keys
   to replace, parses the algorithm and hex key, and calls
   ipsec_set_interface_key(). Braces, the alg/key declarations and the
   goto/return plumbing are missing from this listing; the surviving fragments
   are kept verbatim.
   @param vm     vlib main
   @param input  CLI input; one line is consumed through unformat_line_input
   @param cmd    the registered command (not used in the visible code)
   @return presumably the clib_error_t * built below (NULL on success) */
822 static clib_error_t *
823 set_interface_key_command_fn (vlib_main_t * vm,
824 unformat_input_t * input,
825 vlib_cli_command_t * cmd)
827 unformat_input_t _line_input, *line_input = &_line_input;
828 ipsec_main_t *im = &ipsec_main;
/* NONE is the "no direction/kind chosen" sentinel checked after parsing. */
829 ipsec_if_set_key_type_t type = IPSEC_IF_SET_KEY_TYPE_NONE;
830 u32 hw_if_index = (u32) ~ 0;
833 clib_error_t *error = NULL;
835 if (!unformat_user (input, unformat_line_input, line_input))
838 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
/* Interface names are resolved as hardware interfaces, not sw interfaces. */
840 if (unformat (line_input, "%U",
841 unformat_vnet_hw_interface, im->vnet_main, &hw_if_index))
/* Each "<local|remote> <crypto|integ> <alg>" form sets the key slot and
   parses the algorithm into the shared alg variable. */
845 (line_input, "local crypto %U", unformat_ipsec_crypto_alg, &alg))
846 type = IPSEC_IF_SET_KEY_TYPE_LOCAL_CRYPTO;
849 (line_input, "remote crypto %U", unformat_ipsec_crypto_alg, &alg))
850 type = IPSEC_IF_SET_KEY_TYPE_REMOTE_CRYPTO;
853 (line_input, "local integ %U", unformat_ipsec_integ_alg, &alg))
854 type = IPSEC_IF_SET_KEY_TYPE_LOCAL_INTEG;
857 (line_input, "remote integ %U", unformat_ipsec_integ_alg, &alg))
858 type = IPSEC_IF_SET_KEY_TYPE_REMOTE_INTEG;
/* Any bare hex token is taken as the key; a second one would simply replace
   the first (the earlier vector is not visibly freed). */
859 else if (unformat (line_input, "%U", unformat_hex_string, &key))
863 error = clib_error_return (0, "parse error: '%U'",
864 format_unformat_error, line_input);
/* Post-parse validation: slot chosen, key present for a real algorithm,
   interface named. The key length itself is not checked here — presumably
   ipsec_set_interface_key() does that; confirm. */
869 if (type == IPSEC_IF_SET_KEY_TYPE_NONE)
871 error = clib_error_return (0, "unknown key type");
875 if (alg > 0 && vec_len (key) == 0)
877 error = clib_error_return (0, "key is not specified");
881 if (hw_if_index == (u32) ~ 0)
883 error = clib_error_return (0, "interface not specified");
/* NOTE(review): the return value of ipsec_set_interface_key() is discarded,
   and freeing of the key vector is not visible in this listing — confirm. */
887 ipsec_set_interface_key (im->vnet_main, hw_if_index, type, alg, key);
891 unformat_free (line_input);
/* CLI registration for the handler above. */
897 VLIB_CLI_COMMAND (set_interface_key_command, static) = {
898 .path = "set interface ipsec key",
900 "set interface ipsec key <int> <local|remote> <crypto|integ> <key type> <key>",
901 .function = set_interface_key_command_fn,
/* Init-time hook registered with VLIB_INIT_FUNCTION; its body and return type
   are not shown in this listing (presumably it just returns NULL, with the
   CLI commands above registered by their VLIB_CLI_COMMAND constructors). */
906 ipsec_cli_init (vlib_main_t * vm)
911 VLIB_INIT_FUNCTION (ipsec_cli_init);
915 * fd.io coding-style-patch-verification: ON
918 * eval: (c-set-style "gnu")