2 * decap.c : IPSec tunnel support
4 * Copyright (c) 2015 Cisco and/or its affiliates.
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
9 * http://www.apache.org/licenses/LICENSE-2.0
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
18 #include <vnet/vnet.h>
19 #include <vnet/api_errno.h>
20 #include <vnet/ip/ip.h>
21 #include <vnet/interface.h>
23 #include <vnet/ipsec/ipsec.h>
/*
 * CLI handler for "set interface ipsec spd". Reads one line of input, parses
 * either "<interface> <spd-id>" or the keyword "del", and passes the result
 * to ipsec_set_interface_spd().
 *
 * NOTE(review): this listing omits short source lines (braces, some
 * declarations, bare statements); spd_id and is_add are used below without a
 * visible declaration or initial value.
 *
 * NOTE(review): no loop over line_input is visible, so "<interface> <spd-id>"
 * and "del" look like mutually exclusive alternatives. If so, the "del" form
 * reaches ipsec_set_interface_spd() with sw_if_index still ~0 and spd_id
 * never parsed -- confirm against the full source.
 */
26 set_interface_spd_command_fn (vlib_main_t * vm,
27 unformat_input_t * input,
28 vlib_cli_command_t * cmd)
30 unformat_input_t _line_input, *line_input = &_line_input;
31 ipsec_main_t *im = &ipsec_main;
32 u32 sw_if_index = (u32) ~ 0;
36 if (!unformat_user (input, unformat_line_input, line_input))
40 (line_input, "%U %u", unformat_vnet_sw_interface, im->vnet_main,
41 &sw_if_index, &spd_id))
43 else if (unformat (line_input, "del"))
/*
 * NOTE(review): this return comes after unformat_user() succeeded and before
 * the unformat_free() call, so line_input is not released on a parse error.
 */
46 return clib_error_return (0, "parse error: '%U'",
47 format_unformat_error, line_input);
49 unformat_free (line_input);
/* The return value of ipsec_set_interface_spd(), if any, is not used here. */
51 ipsec_set_interface_spd (vm, sw_if_index, spd_id, is_add);
/*
 * Registers the "set interface ipsec spd" CLI path with
 * set_interface_spd_command_fn as its handler.
 * NOTE(review): the usage string lists only "<int> <id>"; the handler also
 * accepts the keyword "del".
 */
57 VLIB_CLI_COMMAND (set_interface_spd_command, static) = {
58 .path = "set interface ipsec spd",
60 "set interface ipsec spd <int> <id>",
61 .function = set_interface_spd_command_fn,
/*
 * CLI handler for "ipsec sa [add|del]". Parses the SA id, SPI, protocol,
 * crypto/integrity algorithm, hex-encoded keys and tunnel endpoints into the
 * local sa structure, copies the key bytes into it, and calls
 * ipsec_add_del_sa().
 *
 * NOTE(review): this listing omits short source lines (braces, the
 * declarations of sa / ck / ik / is_add, and most one-line branch bodies).
 *
 * NOTE(review): every error return inside the parse loop happens before
 * unformat_free (line_input), and no vec_free of ck / ik is visible on any
 * path. If the omitted lines do not free them, the parsed key bytes stay
 * allocated on the heap after the command returns.
 *
 * NOTE(review): no check is visible that a key was supplied for the selected
 * algorithm or that its length fits that algorithm -- presumably left to
 * ipsec_add_del_sa(); confirm.
 */
66 ipsec_sa_add_del_command_fn (vlib_main_t * vm,
67 unformat_input_t * input,
68 vlib_cli_command_t * cmd)
70 unformat_input_t _line_input, *line_input = &_line_input;
/* Start from an all-zero SA so unspecified fields have a defined value. */
75 memset (&sa, 0, sizeof (sa));
77 if (!unformat_user (input, unformat_line_input, line_input))
80 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
82 if (unformat (line_input, "add %u", &sa.id))
84 else if (unformat (line_input, "del %u", &sa.id))
86 else if (unformat (line_input, "spi %u", &sa.spi))
88 else if (unformat (line_input, "esp"))
89 sa.protocol = IPSEC_PROTOCOL_ESP;
/* AH is recognised by the parser but rejected; only ESP can be selected. */
90 else if (unformat (line_input, "ah"))
91 //sa.protocol = IPSEC_PROTOCOL_AH;
92 return clib_error_return (0, "unsupported security protocol 'AH'");
/*
 * The key is given as hex and stored in ck (presumably a byte vector, since
 * its length is taken with vec_len); only the length is recorded here, the
 * bytes are copied into sa after the loop.
 */
94 if (unformat (line_input, "crypto-key %U", unformat_hex_string, &ck))
95 sa.crypto_key_len = vec_len (ck);
98 (line_input, "crypto-alg %U", unformat_ipsec_crypto_alg,
/* Only values in the enum range AES_CBC_128 .. AES_CBC_256 are accepted. */
101 if (sa.crypto_alg < IPSEC_CRYPTO_ALG_AES_CBC_128 ||
102 sa.crypto_alg > IPSEC_CRYPTO_ALG_AES_CBC_256)
103 return clib_error_return (0, "unsupported crypto-alg: '%U'",
104 format_ipsec_crypto_alg, sa.crypto_alg);
107 if (unformat (line_input, "integ-key %U", unformat_hex_string, &ik))
108 sa.integ_key_len = vec_len (ik);
109 else if (unformat (line_input, "integ-alg %U", unformat_ipsec_integ_alg,
/* Only values in the enum range SHA1_96 .. SHA_512_256 are accepted. */
112 if (sa.integ_alg < IPSEC_INTEG_ALG_SHA1_96 ||
113 sa.integ_alg > IPSEC_INTEG_ALG_SHA_512_256)
114 return clib_error_return (0, "unsupported integ-alg: '%U'",
115 format_ipsec_integ_alg, sa.integ_alg);
/*
 * tunnel-src / tunnel-dst are tried as IPv4 first and then as IPv6; the IPv6
 * branches additionally set sa.is_tunnel_ip6.
 */
117 else if (unformat (line_input, "tunnel-src %U",
118 unformat_ip4_address, &sa.tunnel_src_addr.ip4))
120 else if (unformat (line_input, "tunnel-dst %U",
121 unformat_ip4_address, &sa.tunnel_dst_addr.ip4))
123 else if (unformat (line_input, "tunnel-src %U",
124 unformat_ip6_address, &sa.tunnel_src_addr.ip6))
127 sa.is_tunnel_ip6 = 1;
129 else if (unformat (line_input, "tunnel-dst %U",
130 unformat_ip6_address, &sa.tunnel_dst_addr.ip6))
133 sa.is_tunnel_ip6 = 1;
136 return clib_error_return (0, "parse error: '%U'",
137 format_unformat_error, line_input);
140 unformat_free (line_input);
/*
 * Clamp the recorded lengths to the fixed-size key buffers so the copies
 * below cannot overrun them.
 * NOTE(review): an over-long key is silently truncated rather than rejected,
 * so the SA is installed with a key that differs from what the operator
 * typed; returning an error here would make the mismatch visible.
 */
142 if (sa.crypto_key_len > sizeof (sa.crypto_key))
143 sa.crypto_key_len = sizeof (sa.crypto_key);
145 if (sa.integ_key_len > sizeof (sa.integ_key))
146 sa.integ_key_len = sizeof (sa.integ_key);
/*
 * NOTE(review): ck / ik hold raw key bytes, not C strings. strncpy stops
 * copying at the first 0x00 byte and zero-fills the remainder, so any key
 * containing a zero byte is stored with everything after that byte replaced
 * by zeros while *_key_len still reports the full length. It also reads
 * until it finds a NUL or reaches the count, and nothing visible guarantees
 * ck / ik are NUL-terminated. memcpy with the clamped length copies exactly
 * the key bytes.
 */
149 strncpy ((char *) sa.crypto_key, (char *) ck, sa.crypto_key_len);
152 strncpy ((char *) sa.integ_key, (char *) ik, sa.integ_key_len);
/*
 * NOTE(review): sa is a local that now holds key material; no zeroisation
 * before return is visible. The result of ipsec_add_del_sa(), if any, is
 * not used here.
 */
154 ipsec_add_del_sa (vm, &sa, is_add);
/*
 * Registers ipsec_sa_add_del_command_fn as a CLI handler; the .path line is
 * not visible in this listing (presumably "ipsec sa" -- confirm).
 * NOTE(review): the usage string shows only "[add|del]" and none of the
 * spi / esp / crypto-* / integ-* / tunnel-* options the handler parses.
 */
160 VLIB_CLI_COMMAND (ipsec_sa_add_del_command, static) = {
163 "ipsec sa [add|del]",
164 .function = ipsec_sa_add_del_command_fn,
/*
 * CLI handler for "ipsec spd [add|del] <id>". Accepts the keywords "add" and
 * "del" and an unsigned SPD id in any order, then calls ipsec_add_del_spd().
 *
 * NOTE(review): the declarations and initial values of spd_id and is_add are
 * on lines this listing omits, so what reaches ipsec_add_del_spd() when the
 * id or the add/del keyword is left out cannot be told from here.
 */
168 static clib_error_t *
169 ipsec_spd_add_del_command_fn (vlib_main_t * vm,
170 unformat_input_t * input,
171 vlib_cli_command_t * cmd)
173 unformat_input_t _line_input, *line_input = &_line_input;
177 if (!unformat_user (input, unformat_line_input, line_input))
180 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
182 if (unformat (line_input, "add"))
184 else if (unformat (line_input, "del"))
186 else if (unformat (line_input, "%u", &spd_id))
/* NOTE(review): returns before unformat_free (line_input) is reached. */
189 return clib_error_return (0, "parse error: '%U'",
190 format_unformat_error, line_input);
193 unformat_free (line_input);
/* The result of ipsec_add_del_spd(), if any, is not used here. */
195 ipsec_add_del_spd (vm, spd_id, is_add);
/*
 * Registers ipsec_spd_add_del_command_fn as a CLI handler; the .path line is
 * not visible in this listing (presumably "ipsec spd" -- confirm).
 */
201 VLIB_CLI_COMMAND (ipsec_spd_add_del_command, static) = {
204 "ipsec spd [add|del] <id>",
205 .function = ipsec_spd_add_del_command_fn,
/*
 * CLI handler for "ipsec policy". Builds a policy p from the command line
 * (SPD id, direction, priority, protocol, action, SA id, address and port
 * ranges) and passes it to ipsec_add_del_policy().
 *
 * NOTE(review): this listing omits short source lines (braces, the
 * declarations of p / tmp / tmp2 / is_add, and most one-line branch bodies).
 *
 * NOTE(review): p is zeroed and every range's upper bound is then set to
 * all-ones, so a policy entered without explicit ranges covers the whole
 * address and port space. Combined with a permissive action this is a very
 * broad rule; operators should always state the ranges they intend.
 */
210 static clib_error_t *
211 ipsec_policy_add_del_command_fn (vlib_main_t * vm,
212 unformat_input_t * input,
213 vlib_cli_command_t * cmd)
215 unformat_input_t _line_input, *line_input = &_line_input;
/* Defaults: all fields zero, then each range's stop value set to all-ones. */
221 memset (&p, 0, sizeof (p));
222 p.lport.stop = p.rport.stop = ~0;
223 p.laddr.stop.ip4.as_u32 = p.raddr.stop.ip4.as_u32 = (u32) ~ 0;
224 p.laddr.stop.ip6.as_u64[0] = p.laddr.stop.ip6.as_u64[1] = (u64) ~ 0;
225 p.raddr.stop.ip6.as_u64[0] = p.raddr.stop.ip6.as_u64[1] = (u64) ~ 0;
227 if (!unformat_user (input, unformat_line_input, line_input))
230 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
232 if (unformat (line_input, "add"))
234 else if (unformat (line_input, "del"))
236 else if (unformat (line_input, "spd %u", &p.id))
238 else if (unformat (line_input, "inbound"))
240 else if (unformat (line_input, "outbound"))
242 else if (unformat (line_input, "priority %d", &p.priority))
/*
 * NOTE(review): the protocol number is parsed as an unsigned int and cast to
 * u8 without a range check, so a value above 255 is silently reduced
 * modulo 256 instead of being rejected.
 */
244 else if (unformat (line_input, "protocol %u", &tmp))
245 p.protocol = (u8) tmp;
248 (line_input, "action %U", unformat_ipsec_policy_action,
/* The "resolve" action parses but is refused. */
251 if (p.policy == IPSEC_POLICY_ACTION_RESOLVE)
252 return clib_error_return (0, "unsupported action: 'resolve'");
254 else if (unformat (line_input, "sa %u", &p.sa_id))
/* Address ranges are tried as IPv4 first, then as IPv6. */
256 else if (unformat (line_input, "local-ip-range %U - %U",
257 unformat_ip4_address, &p.laddr.start.ip4,
258 unformat_ip4_address, &p.laddr.stop.ip4))
260 else if (unformat (line_input, "remote-ip-range %U - %U",
261 unformat_ip4_address, &p.raddr.start.ip4,
262 unformat_ip4_address, &p.raddr.stop.ip4))
264 else if (unformat (line_input, "local-ip-range %U - %U",
265 unformat_ip6_address, &p.laddr.start.ip6,
266 unformat_ip6_address, &p.laddr.stop.ip6))
271 else if (unformat (line_input, "remote-ip-range %U - %U",
272 unformat_ip6_address, &p.raddr.start.ip6,
273 unformat_ip6_address, &p.raddr.stop.ip6))
/*
 * Port bounds are parsed into tmp / tmp2; the assignments into p are on
 * omitted lines. NOTE(review): no visible check that the values fit a port
 * number or that start <= stop -- confirm against the full source.
 */
278 else if (unformat (line_input, "local-port-range %u - %u", &tmp, &tmp2))
284 if (unformat (line_input, "remote-port-range %u - %u", &tmp, &tmp2))
/* NOTE(review): returns before unformat_free (line_input) is reached. */
290 return clib_error_return (0, "parse error: '%U'",
291 format_unformat_error, line_input);
294 unformat_free (line_input);
/*
 * ipsec_add_del_policy() appears twice; the condition guarding the second
 * call is on omitted lines. NOTE(review): no visible check that "sa <id>"
 * was given when the action needs one, and neither call's result is used.
 */
296 ipsec_add_del_policy (vm, &p, is_add);
300 ipsec_add_del_policy (vm, &p, is_add);
/*
 * Registers the "ipsec policy" CLI path with ipsec_policy_add_del_command_fn
 * as its handler.
 * NOTE(review): the usage string stops after "priority <n>" and does not
 * mention direction, protocol, action, sa or the address/port ranges the
 * handler parses.
 */
306 VLIB_CLI_COMMAND (ipsec_policy_add_del_command, static) = {
307 .path = "ipsec policy",
309 "ipsec policy [add|del] spd <id> priority <n> ",
310 .function = ipsec_policy_add_del_command_fn,
/*
 * CLI handler for "set ipsec sa <id> crypto-key <key> integ-key <key>".
 * Parses an SA id and hex-encoded keys into a zeroed local sa structure and
 * passes it to ipsec_set_sa_key().
 *
 * NOTE(review): this listing omits short source lines (braces, the
 * declarations of sa / ck / ik). No vec_free of ck / ik is visible, and the
 * parse-error return happens before unformat_free (line_input); if the
 * omitted lines do not free them, parsed key bytes stay on the heap.
 */
314 static clib_error_t *
315 set_ipsec_sa_key_command_fn (vlib_main_t * vm,
316 unformat_input_t * input,
317 vlib_cli_command_t * cmd)
319 unformat_input_t _line_input, *line_input = &_line_input;
323 memset (&sa, 0, sizeof (sa));
325 if (!unformat_user (input, unformat_line_input, line_input))
328 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
330 if (unformat (line_input, "%u", &sa.id))
/* Keys arrive as hex; only their lengths are recorded inside the loop. */
333 if (unformat (line_input, "crypto-key %U", unformat_hex_string, &ck))
334 sa.crypto_key_len = vec_len (ck);
336 if (unformat (line_input, "integ-key %U", unformat_hex_string, &ik))
337 sa.integ_key_len = vec_len (ik);
339 return clib_error_return (0, "parse error: '%U'",
340 format_unformat_error, line_input);
343 unformat_free (line_input);
/*
 * Clamp to the fixed-size key buffers so the copies below cannot overrun.
 * NOTE(review): an over-long key is truncated silently instead of being
 * rejected, so the installed key differs from the one the operator entered.
 */
345 if (sa.crypto_key_len > sizeof (sa.crypto_key))
346 sa.crypto_key_len = sizeof (sa.crypto_key);
348 if (sa.integ_key_len > sizeof (sa.integ_key))
349 sa.integ_key_len = sizeof (sa.integ_key);
/*
 * NOTE(review): strncpy treats the key as a C string: it stops at the first
 * 0x00 byte and zero-fills the rest, so a key containing a zero byte is
 * stored with its tail zeroed while *_key_len still reports the full length.
 * memcpy with the clamped length copies exactly the key bytes.
 */
352 strncpy ((char *) sa.crypto_key, (char *) ck, sa.crypto_key_len);
355 strncpy ((char *) sa.integ_key, (char *) ik, sa.integ_key_len);
/* The result of ipsec_set_sa_key(), if any, is not used here. */
357 ipsec_set_sa_key (vm, &sa);
/*
 * Registers the "set ipsec sa" CLI path with set_ipsec_sa_key_command_fn as
 * its handler. Keys are passed on the command line, so they may also end up
 * in CLI history or session logs -- NOTE(review): confirm how the
 * deployment records CLI input.
 */
363 VLIB_CLI_COMMAND (set_ipsec_sa_key_command, static) = {
364 .path = "set ipsec sa",
366 "set ipsec sa <id> crypto-key <key> integ-key <key>",
367 .function = set_ipsec_sa_key_command_fn,
/*
 * CLI handler for "show ipsec". Prints, in order: every SA in im->sad, every
 * SPD in im->spds with its outbound and inbound policy lists, and every
 * entry in im->tunnel_interfaces with its output and input SA.
 *
 * NOTE(review): this listing omits short source lines (braces, the
 * declarations of sa / spd / p / i, closing "}));" lines and some argument
 * lines of the vlib_cli_output calls).
 *
 * NOTE(review): this command prints the crypto and integrity keys of every
 * SA in hex. Anyone who can run "show ipsec", or read a transcript, log or
 * support bundle that captured its output, obtains the traffic keys.
 * Consider omitting the keys or gating them behind an explicit option.
 */
371 static clib_error_t *
372 show_ipsec_command_fn (vlib_main_t * vm,
373 unformat_input_t * input, vlib_cli_command_t * cmd)
378 ipsec_main_t *im = &ipsec_main;
380 ipsec_tunnel_if_t *t;
381 vnet_hw_interface_t *hi;
/* Section 1: one summary line per SA, plus algorithm/key and tunnel lines. */
384 pool_foreach (sa, im->sad, ({
386 vlib_cli_output(vm, "sa %u spi %u mode %s protocol %s", sa->id, sa->spi,
387 sa->is_tunnel ? "tunnel" : "transport",
388 sa->protocol ? "esp" : "ah");
389 if (sa->protocol == IPSEC_PROTOCOL_ESP) {
/* Key bytes are written to the CLI in clear via format_hex_bytes. */
390 vlib_cli_output(vm, " crypto alg %U%s%U integrity alg %U%s%U",
391 format_ipsec_crypto_alg, sa->crypto_alg,
392 sa->crypto_alg ? " key " : "",
393 format_hex_bytes, sa->crypto_key, sa->crypto_key_len,
394 format_ipsec_integ_alg, sa->integ_alg,
395 sa->integ_alg ? " key " : "",
396 format_hex_bytes, sa->integ_key, sa->integ_key_len);
398 if (sa->is_tunnel && sa->is_tunnel_ip6) {
399 vlib_cli_output(vm, " tunnel src %U dst %U",
400 format_ip6_address, &sa->tunnel_src_addr.ip6,
401 format_ip6_address, &sa->tunnel_dst_addr.ip6);
402 } else if (sa->is_tunnel) {
403 vlib_cli_output(vm, " tunnel src %U dst %U",
404 format_ip4_address, &sa->tunnel_src_addr.ip4,
405 format_ip4_address, &sa->tunnel_dst_addr.ip4);
/* Section 2: per SPD, the policy index vectors are walked one list at a time. */
412 pool_foreach (spd, im->spds, ({
413 vlib_cli_output(vm, "spd %u", spd->id);
415 vlib_cli_output(vm, " outbound policies");
416 vec_foreach(i, spd->ipv4_outbound_policies)
418 p = pool_elt_at_index(spd->policies, *i);
/*
 * NOTE(review): in this and the five policy loops that follow, format(0, ...)
 * builds a new vector that is passed straight to a %s argument. No free is
 * visible, so each call appears to leak, and a vector produced by format()
 * is not NUL-terminated unless a terminator is appended -- confirm that %s
 * cannot read past its end.
 */
419 vlib_cli_output(vm, " priority %d action %U protocol %s%s",
421 format_ipsec_policy_action, p->policy,
423 format(0, "%U", format_ip_protocol, p->protocol) :
425 p->policy == IPSEC_POLICY_ACTION_PROTECT ?
426 format(0, " sa %u", p->sa_id) :
428 vlib_cli_output(vm, " local addr range %U - %U port range %u - %u",
429 format_ip4_address, &p->laddr.start.ip4,
430 format_ip4_address, &p->laddr.stop.ip4,
431 p->lport.start, p->lport.stop);
/* NOTE(review): "remte" is a typo for "remote" in the three IPv4 loops. */
432 vlib_cli_output(vm, " remte addr range %U - %U port range %u - %u",
433 format_ip4_address, &p->raddr.start.ip4,
434 format_ip4_address, &p->raddr.stop.ip4,
435 p->rport.start, p->rport.stop);
436 vlib_cli_output(vm, " packets %u bytes %u", p->counter.packets,
439 vec_foreach(i, spd->ipv6_outbound_policies)
441 p = pool_elt_at_index(spd->policies, *i);
442 vlib_cli_output(vm, " priority %d action %U protocol %s%s",
444 format_ipsec_policy_action, p->policy,
446 format(0, "%U", format_ip_protocol, p->protocol) :
448 p->policy == IPSEC_POLICY_ACTION_PROTECT ?
449 format(0, " sa %u", p->sa_id) :
451 vlib_cli_output(vm, " local addr range %U - %U port range %u - %u",
452 format_ip6_address, &p->laddr.start.ip6,
453 format_ip6_address, &p->laddr.stop.ip6,
454 p->lport.start, p->lport.stop);
455 vlib_cli_output(vm, " remote addr range %U - %U port range %u - %u",
456 format_ip6_address, &p->raddr.start.ip6,
457 format_ip6_address, &p->raddr.stop.ip6,
458 p->rport.start, p->rport.stop);
459 vlib_cli_output(vm, " packets %u bytes %u", p->counter.packets,
462 vlib_cli_output(vm, " inbound policies");
463 vec_foreach(i, spd->ipv4_inbound_protect_policy_indices)
465 p = pool_elt_at_index(spd->policies, *i);
466 vlib_cli_output(vm, " priority %d action %U protocol %s%s",
468 format_ipsec_policy_action, p->policy,
470 format(0, "%U", format_ip_protocol, p->protocol) :
472 p->policy == IPSEC_POLICY_ACTION_PROTECT ?
473 format(0, " sa %u", p->sa_id) :
475 vlib_cli_output(vm, " local addr range %U - %U port range %u - %u",
476 format_ip4_address, &p->laddr.start.ip4,
477 format_ip4_address, &p->laddr.stop.ip4,
478 p->lport.start, p->lport.stop);
479 vlib_cli_output(vm, " remte addr range %U - %U port range %u - %u",
480 format_ip4_address, &p->raddr.start.ip4,
481 format_ip4_address, &p->raddr.stop.ip4,
482 p->rport.start, p->rport.stop);
483 vlib_cli_output(vm, " packets %u bytes %u", p->counter.packets,
486 vec_foreach(i, spd->ipv4_inbound_policy_discard_and_bypass_indices)
488 p = pool_elt_at_index(spd->policies, *i);
489 vlib_cli_output(vm, " priority %d action %U protocol %s%s",
491 format_ipsec_policy_action, p->policy,
493 format(0, "%U", format_ip_protocol, p->protocol) :
495 p->policy == IPSEC_POLICY_ACTION_PROTECT ?
496 format(0, " sa %u", p->sa_id) :
498 vlib_cli_output(vm, " local addr range %U - %U port range %u - %u",
499 format_ip4_address, &p->laddr.start.ip4,
500 format_ip4_address, &p->laddr.stop.ip4,
501 p->lport.start, p->lport.stop);
502 vlib_cli_output(vm, " remte addr range %U - %U port range %u - %u",
503 format_ip4_address, &p->raddr.start.ip4,
504 format_ip4_address, &p->raddr.stop.ip4,
505 p->rport.start, p->rport.stop);
506 vlib_cli_output(vm, " packets %u bytes %u", p->counter.packets,
509 vec_foreach(i, spd->ipv6_inbound_protect_policy_indices)
511 p = pool_elt_at_index(spd->policies, *i);
512 vlib_cli_output(vm, " priority %d action %U protocol %s%s",
514 format_ipsec_policy_action, p->policy,
516 format(0, "%U", format_ip_protocol, p->protocol) :
518 p->policy == IPSEC_POLICY_ACTION_PROTECT ?
519 format(0, " sa %u", p->sa_id) :
521 vlib_cli_output(vm, " local addr range %U - %U port range %u - %u",
522 format_ip6_address, &p->laddr.start.ip6,
523 format_ip6_address, &p->laddr.stop.ip6,
524 p->lport.start, p->lport.stop);
525 vlib_cli_output(vm, " remote addr range %U - %U port range %u - %u",
526 format_ip6_address, &p->raddr.start.ip6,
527 format_ip6_address, &p->raddr.stop.ip6,
528 p->rport.start, p->rport.stop);
529 vlib_cli_output(vm, " packets %u bytes %u", p->counter.packets,
532 vec_foreach(i, spd->ipv6_inbound_policy_discard_and_bypass_indices)
534 p = pool_elt_at_index(spd->policies, *i);
535 vlib_cli_output(vm, " priority %d action %U protocol %s%s",
537 format_ipsec_policy_action, p->policy,
539 format(0, "%U", format_ip_protocol, p->protocol) :
541 p->policy == IPSEC_POLICY_ACTION_PROTECT ?
542 format(0, " sa %u", p->sa_id) :
544 vlib_cli_output(vm, " local addr range %U - %U port range %u - %u",
545 format_ip6_address, &p->laddr.start.ip6,
546 format_ip6_address, &p->laddr.stop.ip6,
547 p->lport.start, p->lport.stop);
548 vlib_cli_output(vm, " remote addr range %U - %U port range %u - %u",
549 format_ip6_address, &p->raddr.start.ip6,
550 format_ip6_address, &p->raddr.stop.ip6,
551 p->rport.start, p->rport.stop);
552 vlib_cli_output(vm, " packets %u bytes %u", p->counter.packets,
/*
 * Section 3: tunnel interfaces. For each one the output SA is printed as
 * "local-*" and the input SA as "remote-*", again including both keys in hex.
 * NOTE(review): only the ip4 member of the tunnel address is printed here,
 * and "remote-ip" is taken from the input SA's tunnel_src_addr -- presumably
 * because the peer is the source of inbound traffic; confirm.
 */
558 vlib_cli_output (vm, "tunnel interfaces");
560 pool_foreach (t, im->tunnel_interfaces, ({
561 hi = vnet_get_hw_interface (im->vnet_main, t->hw_if_index);
562 vlib_cli_output(vm, " %s seq", hi->name);
563 sa = pool_elt_at_index(im->sad, t->output_sa_index);
564 vlib_cli_output(vm, " seq %u seq-hi %u esn %u anti-replay %u",
565 sa->seq, sa->seq_hi, sa->use_esn, sa->use_anti_replay);
566 vlib_cli_output(vm, " local-spi %u local-ip %U", sa->spi,
567 format_ip4_address, &sa->tunnel_src_addr.ip4);
568 vlib_cli_output(vm, " local-crypto %U %U",
569 format_ipsec_crypto_alg, sa->crypto_alg,
570 format_hex_bytes, sa->crypto_key, sa->crypto_key_len);
571 vlib_cli_output(vm, " local-integrity %U %U",
572 format_ipsec_integ_alg, sa->integ_alg,
573 format_hex_bytes, sa->integ_key, sa->integ_key_len);
574 sa = pool_elt_at_index(im->sad, t->input_sa_index);
575 vlib_cli_output(vm, " last-seq %u last-seq-hi %u esn %u anti-replay %u window %U",
576 sa->last_seq, sa->last_seq_hi, sa->use_esn,
578 format_ipsec_replay_window, sa->replay_window);
579 vlib_cli_output(vm, " remote-spi %u remote-ip %U", sa->spi,
580 format_ip4_address, &sa->tunnel_src_addr.ip4);
581 vlib_cli_output(vm, " remote-crypto %U %U",
582 format_ipsec_crypto_alg, sa->crypto_alg,
583 format_hex_bytes, sa->crypto_key, sa->crypto_key_len);
584 vlib_cli_output(vm, " remote-integrity %U %U",
585 format_ipsec_integ_alg, sa->integ_alg,
586 format_hex_bytes, sa->integ_key, sa->integ_key_len);
/*
 * Registers the "show ipsec" CLI path with show_ipsec_command_fn as its
 * handler. That handler prints SA key material, so access to this command
 * is access to the keys.
 */
593 VLIB_CLI_COMMAND (show_ipsec_command, static) = {
594 .path = "show ipsec",
595 .short_help = "show ipsec",
596 .function = show_ipsec_command_fn,
/*
 * CLI handler for "clear ipsec counters". Walks every policy of every SPD in
 * im->spds and resets its packet and byte counters to zero.
 *
 * NOTE(review): the declarations of spd / p and the closing lines are not
 * visible in this listing. Clearing counters discards per-policy traffic
 * evidence; presumably nothing records that the clear happened -- confirm if
 * these counters feed monitoring or audit.
 */
600 static clib_error_t *
601 clear_ipsec_counters_command_fn (vlib_main_t * vm,
602 unformat_input_t * input,
603 vlib_cli_command_t * cmd)
605 ipsec_main_t *im = &ipsec_main;
610 pool_foreach (spd, im->spds, ({
611 pool_foreach(p, spd->policies, ({
612 p->counter.packets = p->counter.bytes = 0;
/*
 * Registers the "clear ipsec counters" CLI path with
 * clear_ipsec_counters_command_fn as its handler.
 */
621 VLIB_CLI_COMMAND (clear_ipsec_counters_command, static) = {
622 .path = "clear ipsec counters",
623 .short_help = "clear ipsec counters",
624 .function = clear_ipsec_counters_command_fn,
/*
 * CLI handler for "create ipsec tunnel". Parses local/remote IPv4 addresses
 * and SPIs (and the keyword "del") into a zeroed ipsec_add_del_tunnel_args_t,
 * calls ipsec_add_del_tunnel_if() and maps its return code to an error
 * message.
 *
 * NOTE(review): this listing omits short source lines (braces, the
 * declaration of rv, the branch bodies, the condition in front of the
 * "mandatory argument(s) missing" return, and most of the switch on rv).
 * No key or algorithm is parsed here.
 */
628 static clib_error_t *
629 create_ipsec_tunnel_command_fn (vlib_main_t * vm,
630 unformat_input_t * input,
631 vlib_cli_command_t * cmd)
633 unformat_input_t _line_input, *line_input = &_line_input;
634 ipsec_add_del_tunnel_args_t a;
638 memset (&a, 0, sizeof (a));
641 /* Get a line of input. */
642 if (!unformat_user (input, unformat_line_input, line_input))
645 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
648 (line_input, "local-ip %U", unformat_ip4_address, &a.local_ip))
652 (line_input, "remote-ip %U", unformat_ip4_address, &a.remote_ip))
654 else if (unformat (line_input, "local-spi %u", &a.local_spi))
656 else if (unformat (line_input, "remote-spi %u", &a.remote_spi))
658 else if (unformat (line_input, "del"))
/*
 * NOTE(review): the error is formatted from input, while the text being
 * parsed is line_input (the other handlers in this file pass line_input), so
 * the message may not show the offending token. The return also happens
 * before unformat_free (line_input).
 */
661 return clib_error_return (0, "unknown input `%U'",
662 format_unformat_error, input);
664 unformat_free (line_input);
667 return clib_error_return (0, "mandatory argument(s) missing");
669 rv = ipsec_add_del_tunnel_if (&a);
/* Map the return code to a CLI error; the other case labels are omitted. */
675 case VNET_API_ERROR_INVALID_VALUE:
677 return clib_error_return (0,
678 "IPSec tunnel interface already exists...");
680 return clib_error_return (0, "IPSec tunnel interface not exists...");
/* NOTE(review): the message names ipsec_register_interface, but the call
 * whose result is reported is ipsec_add_del_tunnel_if(). */
682 return clib_error_return (0, "ipsec_register_interface returned %d",
/*
 * Registers the "create ipsec tunnel" CLI path with
 * create_ipsec_tunnel_command_fn as its handler.
 * NOTE(review): the help text does not mention the "del" keyword the handler
 * accepts.
 */
690 VLIB_CLI_COMMAND (create_ipsec_tunnel_command, static) = {
691 .path = "create ipsec tunnel",
692 .short_help = "create ipsec tunnel local-ip <addr> local-spi <spi> remote-ip <addr> remote-spi <spi>",
693 .function = create_ipsec_tunnel_command_fn,
/*
 * CLI handler for "set interface ipsec key". Parses a hardware interface, a
 * key type ("local"/"remote" x "crypto"/"integ") with its algorithm, and a
 * hex-encoded key, validates that all three were given, and calls
 * ipsec_set_interface_key().
 *
 * NOTE(review): this listing omits short source lines (braces, the
 * declarations of alg and key). A single alg variable receives both crypto
 * and integrity algorithm values, and type keeps only the last key-type
 * keyword seen on the line.
 *
 * NOTE(review): no check is visible that the key length fits the selected
 * algorithm, and no vec_free of key is visible; if the callee copies the key
 * and the omitted lines do not free it, the key bytes stay on the heap.
 */
697 static clib_error_t *
698 set_interface_key_command_fn (vlib_main_t * vm,
699 unformat_input_t * input,
700 vlib_cli_command_t * cmd)
702 unformat_input_t _line_input, *line_input = &_line_input;
703 ipsec_main_t *im = &ipsec_main;
/* Sentinels: "no key type seen" and "no interface seen"; both are checked
 * after parsing. */
704 ipsec_if_set_key_type_t type = IPSEC_IF_SET_KEY_TYPE_NONE;
705 u32 hw_if_index = (u32) ~ 0;
709 if (!unformat_user (input, unformat_line_input, line_input))
712 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
714 if (unformat (line_input, "%U",
715 unformat_vnet_hw_interface, im->vnet_main, &hw_if_index))
719 (line_input, "local crypto %U", unformat_ipsec_crypto_alg, &alg))
720 type = IPSEC_IF_SET_KEY_TYPE_LOCAL_CRYPTO;
723 (line_input, "remote crypto %U", unformat_ipsec_crypto_alg, &alg))
724 type = IPSEC_IF_SET_KEY_TYPE_REMOTE_CRYPTO;
727 (line_input, "local integ %U", unformat_ipsec_integ_alg, &alg))
728 type = IPSEC_IF_SET_KEY_TYPE_LOCAL_INTEG;
731 (line_input, "remote integ %U", unformat_ipsec_integ_alg, &alg))
732 type = IPSEC_IF_SET_KEY_TYPE_REMOTE_INTEG;
/* Any remaining hex token is taken as the key. */
733 else if (unformat (line_input, "%U", unformat_hex_string, &key))
/* NOTE(review): returns before unformat_free (line_input) is reached. */
736 return clib_error_return (0, "parse error: '%U'",
737 format_unformat_error, line_input);
740 unformat_free (line_input);
742 if (type == IPSEC_IF_SET_KEY_TYPE_NONE)
743 return clib_error_return (0, "unknown key type");
/* A key is required only when alg is non-zero. */
745 if (alg > 0 && vec_len (key) == 0)
746 return clib_error_return (0, "key is not specified");
748 if (hw_if_index == (u32) ~ 0)
749 return clib_error_return (0, "interface not specified");
/* The result of ipsec_set_interface_key(), if any, is not used here. */
751 ipsec_set_interface_key (im->vnet_main, hw_if_index, type, alg, key);
/*
 * Registers the "set interface ipsec key" CLI path with
 * set_interface_key_command_fn as its handler. The key is passed on the
 * command line, so it may also end up in CLI history or session logs --
 * NOTE(review): confirm how the deployment records CLI input.
 */
758 VLIB_CLI_COMMAND (set_interface_key_command, static) = {
759 .path = "set interface ipsec key",
761 "set interface ipsec key <int> <local|remote> <crypto|integ> <key type> <key>",
762 .function = set_interface_key_command_fn,
/*
 * Init hook for this file, registered through VLIB_INIT_FUNCTION. Its return
 * type and body are on lines this listing omits.
 */
768 ipsec_cli_init (vlib_main_t * vm)
773 VLIB_INIT_FUNCTION (ipsec_cli_init);
777 * fd.io coding-style-patch-verification: ON
780 * eval: (c-set-style "gnu")