+clib_error_t *
+ikev2_set_profile_responder (vlib_main_t * vm, u8 * name,
+ u32 sw_if_index, ip4_address_t ip4)
+{
+ ikev2_profile_t *p;
+ clib_error_t *r;
+
+ p = ikev2_profile_index_by_name (name);
+
+ if (!p)
+ {
+ r = clib_error_return (0, "unknown profile %v", name);
+ return r;
+ }
+
+ p->responder.sw_if_index = sw_if_index;
+ p->responder.ip4 = ip4;
+
+ return 0;
+}
+
+clib_error_t *
+ikev2_set_profile_ike_transforms (vlib_main_t * vm, u8 * name,
+ ikev2_transform_encr_type_t crypto_alg,
+ ikev2_transform_integ_type_t integ_alg,
+ ikev2_transform_dh_type_t dh_type,
+ u32 crypto_key_size)
+{
+ ikev2_profile_t *p;
+ clib_error_t *r;
+
+ p = ikev2_profile_index_by_name (name);
+
+ if (!p)
+ {
+ r = clib_error_return (0, "unknown profile %v", name);
+ return r;
+ }
+
+ p->ike_ts.crypto_alg = crypto_alg;
+ p->ike_ts.integ_alg = integ_alg;
+ p->ike_ts.dh_type = dh_type;
+ p->ike_ts.crypto_key_size = crypto_key_size;
+ return 0;
+}
+
+clib_error_t *
+ikev2_set_profile_esp_transforms (vlib_main_t * vm, u8 * name,
+ ikev2_transform_encr_type_t crypto_alg,
+ ikev2_transform_integ_type_t integ_alg,
+ ikev2_transform_dh_type_t dh_type,
+ u32 crypto_key_size)
+{
+ ikev2_profile_t *p;
+ clib_error_t *r;
+
+ p = ikev2_profile_index_by_name (name);
+
+ if (!p)
+ {
+ r = clib_error_return (0, "unknown profile %v", name);
+ return r;
+ }
+
+ p->esp_ts.crypto_alg = crypto_alg;
+ p->esp_ts.integ_alg = integ_alg;
+ p->esp_ts.dh_type = dh_type;
+ p->esp_ts.crypto_key_size = crypto_key_size;
+ return 0;
+}
+
+clib_error_t *
+ikev2_set_profile_sa_lifetime (vlib_main_t * vm, u8 * name,
+ u64 lifetime, u32 jitter, u32 handover,
+ u64 maxdata)
+{
+ ikev2_profile_t *p;
+ clib_error_t *r;
+
+ p = ikev2_profile_index_by_name (name);
+
+ if (!p)
+ {
+ r = clib_error_return (0, "unknown profile %v", name);
+ return r;
+ }
+
+ p->lifetime = lifetime;
+ p->lifetime_jitter = jitter;
+ p->handover = handover;
+ p->lifetime_maxdata = maxdata;
+ return 0;
+}
+
+clib_error_t *
+ikev2_initiate_sa_init (vlib_main_t * vm, u8 * name)
+{
+ ikev2_profile_t *p;
+ clib_error_t *r;
+ ip4_main_t *im = &ip4_main;
+ ikev2_main_t *km = &ikev2_main;
+
+ p = ikev2_profile_index_by_name (name);
+
+ if (!p)
+ {
+ r = clib_error_return (0, "unknown profile %v", name);
+ return r;
+ }
+
+ if (p->responder.sw_if_index == ~0 || p->responder.ip4.data_u32 == 0)
+ {
+ r = clib_error_return (0, "responder not set for profile %v", name);
+ return r;
+ }
+
+
+ /* Create the Initiator Request */
+ {
+ ike_header_t *ike0;
+ u32 bi0 = 0;
+ ip_lookup_main_t *lm = &im->lookup_main;
+ u32 if_add_index0;
+ int len = sizeof (ike_header_t);
+
+ /* Get own iface IP */
+ if_add_index0 =
+ lm->if_address_pool_index_by_sw_if_index[p->responder.sw_if_index];
+ ip_interface_address_t *if_add =
+ pool_elt_at_index (lm->if_address_pool, if_add_index0);
+ ip4_address_t *if_ip = ip_interface_address_get_address (lm, if_add);
+
+ bi0 = ikev2_get_new_ike_header_buff (vm, &ike0);
+
+ /* Prepare the SA and the IKE payload */
+ ikev2_sa_t sa;
+ clib_memset (&sa, 0, sizeof (ikev2_sa_t));
+ ikev2_payload_chain_t *chain = 0;
+ ikev2_payload_new_chain (chain);
+
+ /* Build the IKE proposal payload */
+ ikev2_sa_proposal_t *proposals = 0;
+ ikev2_set_initiator_proposals (vm, &sa, &p->ike_ts, &proposals, 1);
+ proposals[0].proposal_num = 1;
+ proposals[0].protocol_id = IKEV2_PROTOCOL_IKE;
+
+ /* Add and then cleanup proposal data */
+ ikev2_payload_add_sa (chain, proposals);
+ ikev2_sa_free_proposal_vector (&proposals);
+
+ sa.is_initiator = 1;
+ sa.profile = p;
+ sa.state = IKEV2_STATE_SA_INIT;
+ ikev2_generate_sa_init_data (&sa);
+ ikev2_payload_add_ke (chain, sa.dh_group, sa.i_dh_data);
+ ikev2_payload_add_nonce (chain, sa.i_nonce);
+
+ /* Build the child SA proposal */
+ vec_resize (sa.childs, 1);
+ ikev2_set_initiator_proposals (vm, &sa, &p->esp_ts,
+ &sa.childs[0].i_proposals, 0);
+ sa.childs[0].i_proposals[0].proposal_num = 1;
+ sa.childs[0].i_proposals[0].protocol_id = IKEV2_PROTOCOL_ESP;
+ RAND_bytes ((u8 *) & sa.childs[0].i_proposals[0].spi,
+ sizeof (sa.childs[0].i_proposals[0].spi));
+
+
+
+ /* Add NAT detection notification messages (mandatory) */
+ u8 nat_detection_source[8 + 8 + 4 + 2];
+ u8 *nat_detection_sha1 = vec_new (u8, 20);
+
+ u64 tmpspi = clib_host_to_net_u64 (sa.ispi);
+ clib_memcpy_fast (&nat_detection_source[0], &tmpspi, sizeof (tmpspi));
+ tmpspi = clib_host_to_net_u64 (sa.rspi);
+ clib_memcpy_fast (&nat_detection_source[8], &tmpspi, sizeof (tmpspi));
+ u16 tmpport = clib_host_to_net_u16 (500);
+ clib_memcpy_fast (&nat_detection_source[8 + 8 + 4], &tmpport,
+ sizeof (tmpport));
+ u32 tmpip = clib_host_to_net_u32 (if_ip->as_u32);
+ clib_memcpy_fast (&nat_detection_source[8 + 8], &tmpip, sizeof (tmpip));
+ SHA1 (nat_detection_source, sizeof (nat_detection_source),
+ nat_detection_sha1);
+ ikev2_payload_add_notify (chain, IKEV2_NOTIFY_MSG_NAT_DETECTION_SOURCE_IP,
+ nat_detection_sha1);
+ tmpip = clib_host_to_net_u32 (p->responder.ip4.as_u32);
+ clib_memcpy_fast (&nat_detection_source[8 + 8], &tmpip, sizeof (tmpip));
+ SHA1 (nat_detection_source, sizeof (nat_detection_source),
+ nat_detection_sha1);
+ ikev2_payload_add_notify (chain,
+ IKEV2_NOTIFY_MSG_NAT_DETECTION_DESTINATION_IP,
+ nat_detection_sha1);
+ vec_free (nat_detection_sha1);
+
+ u8 *sig_hash_algo = vec_new (u8, 8);
+ u64 tmpsig = clib_host_to_net_u64 (0x0001000200030004);
+ clib_memcpy_fast (sig_hash_algo, &tmpsig, sizeof (tmpsig));
+ ikev2_payload_add_notify (chain,
+ IKEV2_NOTIFY_MSG_SIGNATURE_HASH_ALGORITHMS,
+ sig_hash_algo);
+ vec_free (sig_hash_algo);
+
+
+ /* Buffer update and boilerplate */
+ len += vec_len (chain->data);
+ ike0->nextpayload = chain->first_payload_type;
+ ike0->length = clib_host_to_net_u32 (len);
+ clib_memcpy_fast (ike0->payload, chain->data, vec_len (chain->data));
+ ikev2_payload_destroy_chain (chain);
+
+ ike0->version = IKE_VERSION_2;
+ ike0->flags = IKEV2_HDR_FLAG_INITIATOR;
+ ike0->exchange = IKEV2_EXCHANGE_SA_INIT;
+ ike0->ispi = sa.ispi;
+
+ /* store whole IKE payload - needed for PSK auth */
+ vec_free (sa.last_sa_init_req_packet_data);
+ vec_add (sa.last_sa_init_req_packet_data, ike0, len);
+
+ /* add data to the SA then add it to the pool */
+ sa.iaddr.as_u32 = if_ip->as_u32;
+ sa.raddr.as_u32 = p->responder.ip4.as_u32;
+ sa.i_id.type = p->loc_id.type;
+ sa.i_id.data = vec_dup (p->loc_id.data);
+ sa.i_auth.method = p->auth.method;
+ sa.i_auth.hex = p->auth.hex;
+ sa.i_auth.data = vec_dup (p->auth.data);
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ clib_memcpy_fast (sa.i_auth.key, p->auth.key,
+ EVP_PKEY_size (p->auth.key));
+#else
+ sa.i_auth.key = vec_dup (p->auth.key);
+#endif
+ vec_add (sa.childs[0].tsi, &p->loc_ts, 1);
+ vec_add (sa.childs[0].tsr, &p->rem_ts, 1);
+
+ /* add SA to the pool */
+ ikev2_sa_t *sa0 = 0;
+ pool_get (km->sais, sa0);
+ clib_memcpy_fast (sa0, &sa, sizeof (*sa0));
+ hash_set (km->sa_by_ispi, sa0->ispi, sa0 - km->sais);
+
+ ikev2_send_ike (vm, if_ip, &p->responder.ip4, bi0, len);
+
+ }
+
+ return 0;
+}
+
+static void
+ikev2_delete_child_sa_internal (vlib_main_t * vm, ikev2_sa_t * sa,
+ ikev2_child_sa_t * csa)
+{
+ /* Create the Initiator notification for child SA removal */
+ ikev2_main_t *km = &ikev2_main;
+ ike_header_t *ike0;
+ u32 bi0 = 0;
+ int len;
+
+ bi0 = ikev2_get_new_ike_header_buff (vm, &ike0);
+
+
+ ike0->exchange = IKEV2_EXCHANGE_INFORMATIONAL;
+ ike0->ispi = clib_host_to_net_u64 (sa->ispi);
+ ike0->rspi = clib_host_to_net_u64 (sa->rspi);
+ vec_resize (sa->del, 1);
+ sa->del->protocol_id = IKEV2_PROTOCOL_ESP;
+ sa->del->spi = csa->i_proposals->spi;
+ ike0->msgid = clib_host_to_net_u32 (sa->last_init_msg_id + 1);
+ sa->last_init_msg_id = clib_net_to_host_u32 (ike0->msgid);
+ len = ikev2_generate_message (sa, ike0, 0);
+
+ ikev2_send_ike (vm, &sa->iaddr, &sa->raddr, bi0, len);
+
+ /* delete local child SA */
+ ikev2_delete_tunnel_interface (km->vnet_main, sa, csa);
+ ikev2_sa_del_child_sa (sa, csa);
+}
+
+clib_error_t *
+ikev2_initiate_delete_child_sa (vlib_main_t * vm, u32 ispi)
+{
+ clib_error_t *r;
+ ikev2_main_t *km = &ikev2_main;
+ ikev2_main_per_thread_data_t *tkm;
+ ikev2_sa_t *fsa = 0;
+ ikev2_child_sa_t *fchild = 0;
+
+ /* Search for the child SA */
+ vec_foreach (tkm, km->per_thread_data)
+ {
+ ikev2_sa_t *sa;
+ if (fchild)
+ break;
+ /* *INDENT-OFF* */
+ pool_foreach (sa, tkm->sas, ({
+ fchild = ikev2_sa_get_child(sa, ispi, IKEV2_PROTOCOL_ESP, 1);
+ if (fchild)
+ {
+ fsa = sa;
+ break;
+ }
+ }));
+ /* *INDENT-ON* */
+ }
+
+ if (!fchild || !fsa)
+ {
+ r = clib_error_return (0, "Child SA not found");
+ return r;
+ }
+ else
+ {
+ ikev2_delete_child_sa_internal (vm, fsa, fchild);
+ }
+
+ return 0;
+}
+
+clib_error_t *
+ikev2_initiate_delete_ike_sa (vlib_main_t * vm, u64 ispi)
+{
+ clib_error_t *r;
+ ikev2_main_t *km = &ikev2_main;
+ ikev2_main_per_thread_data_t *tkm;
+ ikev2_sa_t *fsa = 0;
+ ikev2_main_per_thread_data_t *ftkm = 0;
+
+ /* Search for the IKE SA */
+ vec_foreach (tkm, km->per_thread_data)
+ {
+ ikev2_sa_t *sa;
+ if (fsa)
+ break;
+ /* *INDENT-OFF* */
+ pool_foreach (sa, tkm->sas, ({
+ if (sa->ispi == ispi)
+ {
+ fsa = sa;
+ ftkm = tkm;
+ break;
+ }
+ }));
+ /* *INDENT-ON* */
+ }
+
+ if (!fsa)
+ {
+ r = clib_error_return (0, "IKE SA not found");
+ return r;
+ }
+
+
+ /* Create the Initiator notification for IKE SA removal */
+ {
+ ike_header_t *ike0;
+ u32 bi0 = 0;
+ int len;
+
+ bi0 = ikev2_get_new_ike_header_buff (vm, &ike0);
+
+
+ ike0->exchange = IKEV2_EXCHANGE_INFORMATIONAL;
+ ike0->ispi = clib_host_to_net_u64 (fsa->ispi);
+ ike0->rspi = clib_host_to_net_u64 (fsa->rspi);
+ vec_resize (fsa->del, 1);
+ fsa->del->protocol_id = IKEV2_PROTOCOL_IKE;
+ fsa->del->spi = ispi;
+ ike0->msgid = clib_host_to_net_u32 (fsa->last_init_msg_id + 1);
+ fsa->last_init_msg_id = clib_net_to_host_u32 (ike0->msgid);
+ len = ikev2_generate_message (fsa, ike0, 0);
+
+ ikev2_send_ike (vm, &fsa->iaddr, &fsa->raddr, bi0, len);
+ }
+
+
+ /* delete local SA */
+ ikev2_child_sa_t *c;
+ vec_foreach (c, fsa->childs)
+ {
+ ikev2_delete_tunnel_interface (km->vnet_main, fsa, c);
+ ikev2_sa_del_child_sa (fsa, c);
+ }
+ ikev2_sa_free_all_vec (fsa);
+ uword *p = hash_get (ftkm->sa_by_rspi, fsa->rspi);
+ if (p)
+ {
+ hash_unset (ftkm->sa_by_rspi, fsa->rspi);
+ pool_put (ftkm->sas, fsa);
+ }
+
+
+ return 0;
+}
+
+static void
+ikev2_rekey_child_sa_internal (vlib_main_t * vm, ikev2_sa_t * sa,
+ ikev2_child_sa_t * csa)
+{
+ /* Create the Initiator request for create child SA */
+ ike_header_t *ike0;
+ u32 bi0 = 0;
+ int len;
+
+
+ bi0 = ikev2_get_new_ike_header_buff (vm, &ike0);
+
+
+ ike0->version = IKE_VERSION_2;
+ ike0->flags = IKEV2_HDR_FLAG_INITIATOR;
+ ike0->exchange = IKEV2_EXCHANGE_CREATE_CHILD_SA;
+ ike0->ispi = clib_host_to_net_u64 (sa->ispi);
+ ike0->rspi = clib_host_to_net_u64 (sa->rspi);
+ ike0->msgid = clib_host_to_net_u32 (sa->last_init_msg_id + 1);
+ sa->last_init_msg_id = clib_net_to_host_u32 (ike0->msgid);
+
+ ikev2_rekey_t *rekey;
+ vec_add2 (sa->rekey, rekey, 1);
+ ikev2_sa_proposal_t *proposals = vec_dup (csa->i_proposals);
+
+ /*need new ispi */
+ RAND_bytes ((u8 *) & proposals[0].spi, sizeof (proposals[0].spi));
+ rekey->spi = proposals[0].spi;
+ rekey->ispi = csa->i_proposals->spi;
+ len = ikev2_generate_message (sa, ike0, proposals);
+ ikev2_send_ike (vm, &sa->iaddr, &sa->raddr, bi0, len);
+ vec_free (proposals);
+}
+
+clib_error_t *
+ikev2_initiate_rekey_child_sa (vlib_main_t * vm, u32 ispi)
+{
+ clib_error_t *r;
+ ikev2_main_t *km = &ikev2_main;
+ ikev2_main_per_thread_data_t *tkm;
+ ikev2_sa_t *fsa = 0;
+ ikev2_child_sa_t *fchild = 0;
+
+ /* Search for the child SA */
+ vec_foreach (tkm, km->per_thread_data)
+ {
+ ikev2_sa_t *sa;
+ if (fchild)
+ break;
+ /* *INDENT-OFF* */
+ pool_foreach (sa, tkm->sas, ({
+ fchild = ikev2_sa_get_child(sa, ispi, IKEV2_PROTOCOL_ESP, 1);
+ if (fchild)
+ {
+ fsa = sa;
+ break;
+ }
+ }));
+ /* *INDENT-ON* */
+ }
+
+ if (!fchild || !fsa)
+ {
+ r = clib_error_return (0, "Child SA not found");
+ return r;
+ }
+ else
+ {
+ ikev2_rekey_child_sa_internal (vm, fsa, fchild);
+ }
+
+ return 0;
+}
+