+ # Configure IPSec SAD entries
+ cmd = u"ipsec_sad_entry_add_del_v2"
+ c_key = dict(
+ length=0,
+ data=None
+ )
+ i_key = dict(
+ length=0,
+ data=None
+ )
+ sad_entry = dict(
+ sad_id=None,
+ spi=None,
+ protocol=int(IPsecProto.IPSEC_API_PROTO_ESP),
+
+ crypto_algorithm=crypto_alg.alg_int_repr,
+ crypto_key=c_key,
+ integrity_algorithm=integ_alg.alg_int_repr if integ_alg else 0,
+ integrity_key=i_key,
+
+ flags=None,
+ tunnel_src=0,
+ tunnel_dst=0,
+ tunnel_flags=int(
+ TunnelEncpaDecapFlags.TUNNEL_API_ENCAP_DECAP_FLAG_NONE
+ ),
+ dscp=int(IpDscp.IP_API_DSCP_CS0),
+ table_id=0,
+ salt=0,
+ udp_src_port=IPSEC_UDP_PORT_NONE,
+ udp_dst_port=IPSEC_UDP_PORT_NONE
+ )
+ args = dict(
+ is_add=True,
+ entry=sad_entry
+ )
+ for i in range(existing_tunnels, n_tunnels):
+ ckeys.append(
+ gen_key(IPsecUtil.get_crypto_alg_key_len(crypto_alg))
+ )
+ if integ_alg:
+ ikeys.append(
+ gen_key(IPsecUtil.get_integ_alg_key_len(integ_alg))
+ )
+ # SAD entry for outband / tx path
+ args[u"entry"][u"sad_id"] = 100000 + i
+ args[u"entry"][u"spi"] = spi_d[u"spi_2"] + i
+
+ args[u"entry"][u"crypto_key"][u"length"] = len(ckeys[i])
+ args[u"entry"][u"crypto_key"][u"data"] = ckeys[i]
+ if integ_alg:
+ args[u"entry"][u"integrity_key"][u"length"] = len(ikeys[i])
+ args[u"entry"][u"integrity_key"][u"data"] = ikeys[i]
+ args[u"entry"][u"flags"] = int(
+ IPsecSadFlags.IPSEC_API_SAD_FLAG_NONE
+ )
+ papi_exec.add(
+ cmd, history=bool(not 1 < i < n_tunnels - 2), **args
+ )
+ # SAD entry for inband / rx path
+ args[u"entry"][u"sad_id"] = i
+ args[u"entry"][u"spi"] = spi_d[u"spi_1"] + i
+
+ args[u"entry"][u"crypto_key"][u"length"] = len(ckeys[i])
+ args[u"entry"][u"crypto_key"][u"data"] = ckeys[i]
+ if integ_alg:
+ args[u"entry"][u"integrity_key"][u"length"] = len(ikeys[i])
+ args[u"entry"][u"integrity_key"][u"data"] = ikeys[i]
+ args[u"entry"][u"flags"] = int(
+ IPsecSadFlags.IPSEC_API_SAD_FLAG_NONE |
+ IPsecSadFlags.IPSEC_API_SAD_FLAG_IS_INBOUND
+ )
+ papi_exec.add(
+ cmd, history=bool(not 1 < i < n_tunnels - 2), **args
+ )
+ err_msg = f"Failed to add IPsec SAD entries on host" \
+ f" {nodes[u'DUT2'][u'host']}"
+ papi_exec.get_replies(err_msg)
+ # Add protection for tunnels with IPSEC
+ cmd = u"ipsec_tunnel_protect_update"
+ n_hop = dict(
+ address=0,
+ via_label=MPLS_LABEL_INVALID,
+ obj_id=Constants.BITWISE_NON_ZERO
+ )
+ ipsec_tunnel_protect = dict(
+ sw_if_index=None,
+ nh=n_hop,
+ sa_out=None,
+ n_sa_in=1,
+ sa_in=None
+ )
+ args = dict(
+ tunnel=ipsec_tunnel_protect
+ )
+ for i in range(existing_tunnels, n_tunnels):
+ args[u"tunnel"][u"sw_if_index"] = ipip_tunnels[i]
+ args[u"tunnel"][u"sa_out"] = 100000 + i
+ args[u"tunnel"][u"sa_in"] = [i]
+ papi_exec.add(
+ cmd, history=bool(not 1 < i < n_tunnels - 2), **args
+ )
+ err_msg = f"Failed to add protection for tunnels with IPSEC " \
+ f"on host {nodes[u'DUT2'][u'host']}"
+ papi_exec.get_replies(err_msg)
+