- rv = vnet_feature_enable_disable ("ip4-output",
- enc_node,
- itp->itp_sw_if_index, enable,
- &sai, sizeof (sai));
- rv = vnet_feature_enable_disable ("ip6-output",
- enc_node,
- itp->itp_sw_if_index, enable,
- &sai, sizeof (sai));
+ ipsec_main_t *im;
+ ipsec_sa_t *sa;
+ u32 fi4, fi6;
+
+ im = &ipsec_main;
+ sa = ipsec_sa_get (sai);
+
+ if (sa->crypto_alg == IPSEC_CRYPTO_ALG_NONE &&
+ sa->integ_alg == IPSEC_INTEG_ALG_NONE)
+ {
+ fi4 = im->esp4_no_crypto_tun_feature_index;
+ fi6 = im->esp6_no_crypto_tun_feature_index;
+ }
+ else
+ {
+ if (ip46_address_is_ip4 (&itp->itp_tun.src))
+ {
+ /* tunnel destination is v4 so we need the Xo4 indexes */
+ fi4 = im->esp44_encrypt_tun_feature_index;
+ fi6 = im->esp64_encrypt_tun_feature_index;
+ }
+ else
+ {
+ /* tunnel destination is v6 so we need the Xo6 indexes */
+ fi4 = im->esp46_encrypt_tun_feature_index;
+ fi6 = im->esp66_encrypt_tun_feature_index;
+ }
+ }
+
+ vnet_feature_enable_disable_with_index
+ (vnet_get_feature_arc_index ("ip4-output"),
+ fi4, itp->itp_sw_if_index, enable, &sai, sizeof (sai));
+ vnet_feature_enable_disable_with_index
+ (vnet_get_feature_arc_index ("ip6-output"),
+ fi6, itp->itp_sw_if_index, enable, &sai, sizeof (sai));