ikev2: add support for custom ipsec-over-udp port
[vpp.git] / src / vnet / ipsec / ipsec.c
index 3881799..e7cb615 100644 (file)
@@ -167,9 +167,11 @@ ipsec_register_esp_backend (vlib_main_t * vm, ipsec_main_t * im,
                            const char *esp4_encrypt_node_name,
                            const char *esp4_encrypt_node_tun_name,
                            const char *esp4_decrypt_node_name,
+                           const char *esp4_decrypt_tun_node_name,
                            const char *esp6_encrypt_node_name,
                            const char *esp6_encrypt_node_tun_name,
                            const char *esp6_decrypt_node_name,
+                           const char *esp6_decrypt_tun_node_name,
                            check_support_cb_t esp_check_support_cb,
                            add_del_sa_sess_cb_t esp_add_del_sa_sess_cb)
 {
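Review bot: The two added parameters, `esp4_decrypt_tun_node_name` and `esp6_decrypt_tun_node_name`, use a `tun_node` word order while the neighbouring encrypt parameters use `node_tun` (`esp4_encrypt_node_tun_name`). The list now holds eight adjacent `const char *` arguments, so a caller that transposes two of them still compiles. Renaming them to `esp4_decrypt_node_tun_name` and `esp6_decrypt_node_tun_name` (here and at the two `ipsec_add_node` calls in the next hunk) keeps the pattern uniform. A header comment stating the expected order per family (encrypt, encrypt-tun, decrypt, decrypt-tun) would help anyone registering a backend from another file. The function body continues outside this hunk.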
@@ -186,11 +188,21 @@ ipsec_register_esp_backend (vlib_main_t * vm, ipsec_main_t * im,
                  &b->esp6_encrypt_node_index, &b->esp6_encrypt_next_index);
   ipsec_add_node (vm, esp6_decrypt_node_name, "ipsec6-input-feature",
                  &b->esp6_decrypt_node_index, &b->esp6_decrypt_next_index);
+  ipsec_add_node (vm, esp4_decrypt_tun_node_name, "ipsec4-tun-input",
+                 &b->esp4_decrypt_tun_node_index,
+                 &b->esp4_decrypt_tun_next_index);
+  ipsec_add_node (vm, esp6_decrypt_tun_node_name, "ipsec6-tun-input",
+                 &b->esp6_decrypt_tun_node_index,
+                 &b->esp6_decrypt_tun_next_index);
 
   ipsec_add_feature ("ip4-output", esp4_encrypt_node_tun_name,
-                    &b->esp4_encrypt_tun_feature_index);
+                    &b->esp44_encrypt_tun_feature_index);
+  ipsec_add_feature ("ip4-output", esp6_encrypt_node_tun_name,
+                    &b->esp46_encrypt_tun_feature_index);
   ipsec_add_feature ("ip6-output", esp6_encrypt_node_tun_name,
-                    &b->esp6_encrypt_tun_feature_index);
+                    &b->esp66_encrypt_tun_feature_index);
+  ipsec_add_feature ("ip6-output", esp4_encrypt_node_tun_name,
+                    &b->esp64_encrypt_tun_feature_index);
 
   b->check_support_cb = esp_check_support_cb;
   b->add_del_sa_sess_cb = esp_add_del_sa_sess_cb;
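Review bot: The fields `esp44_`, `esp46_`, `esp64_` and `esp66_encrypt_tun_feature_index` are introduced without any statement of which digit means what. Reading the four `ipsec_add_feature` calls, the first digit follows the arc (`ip4-output` / `ip6-output`) and the second follows the family of the ESP tunnel encrypt node, so `esp46` is the esp6 tunnel encrypt node enabled on the ip4 output arc. A comment above the calls, such as `/* espXY: X = ip output arc family, Y = family of the ESP tunnel encrypt node */`, would make that explicit. It matters because a later 46/64 mix-up would steer traffic into the wrong encrypt node without any compile-time signal. The function starts and ends outside this hunk.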
@@ -206,11 +218,6 @@ ipsec_rsc_in_use (ipsec_main_t * im)
                              "%d SA entries configured",
                              pool_elts (im->sad));
 
-  if (pool_elts (im->tunnel_interfaces))
-    return clib_error_return (0,
-                             "%d tunnel-interface entries configured",
-                             pool_elts (im->tunnel_interfaces));
-
   return (NULL);
 }
 
@@ -256,9 +263,15 @@ ipsec_select_esp_backend (ipsec_main_t * im, u32 backend_idx)
   im->esp6_decrypt_node_index = b->esp6_decrypt_node_index;
   im->esp6_encrypt_next_index = b->esp6_encrypt_next_index;
   im->esp6_decrypt_next_index = b->esp6_decrypt_next_index;
+  im->esp4_decrypt_tun_node_index = b->esp4_decrypt_tun_node_index;
+  im->esp4_decrypt_tun_next_index = b->esp4_decrypt_tun_next_index;
+  im->esp6_decrypt_tun_node_index = b->esp6_decrypt_tun_node_index;
+  im->esp6_decrypt_tun_next_index = b->esp6_decrypt_tun_next_index;
 
-  im->esp4_encrypt_tun_feature_index = b->esp4_encrypt_tun_feature_index;
-  im->esp6_encrypt_tun_feature_index = b->esp6_encrypt_tun_feature_index;
+  im->esp44_encrypt_tun_feature_index = b->esp44_encrypt_tun_feature_index;
+  im->esp64_encrypt_tun_feature_index = b->esp64_encrypt_tun_feature_index;
+  im->esp46_encrypt_tun_feature_index = b->esp46_encrypt_tun_feature_index;
+  im->esp66_encrypt_tun_feature_index = b->esp66_encrypt_tun_feature_index;
 
   return 0;
 }
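Review bot: The tunnel decrypt node indices and the four tunnel feature indices copied into `im` here depend on whatever in-use guard runs before a backend switch, and this same commit removes the `im->tunnel_interfaces` check from `ipsec_rsc_in_use`. If tunnels are now represented by another object that is not counted there, a backend change with tunnels configured could leave them using the previous backend's nodes. The guard and the new tunnel representation are not visible in this hunk, so this needs confirming. Either add an equivalent in-use check for the new tunnel objects or state the precondition above these assignments, for example `/* backend switch assumes no SA or tunnel is configured; see ipsec_rsc_in_use() */`. The function begins outside the hunk.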
@@ -302,9 +315,11 @@ ipsec_init (vlib_main_t * vm)
                                    "esp4-encrypt",
                                    "esp4-encrypt-tun",
                                    "esp4-decrypt",
+                                   "esp4-decrypt-tun",
                                    "esp6-encrypt",
                                    "esp6-encrypt-tun",
                                    "esp6-decrypt",
+                                   "esp6-decrypt-tun",
                                    ipsec_check_esp_support, NULL);
   im->esp_default_backend = idx;
 
@@ -315,11 +330,15 @@ ipsec_init (vlib_main_t * vm)
   if ((error = vlib_call_init_function (vm, ipsec_cli_init)))
     return error;
 
-  if ((error = vlib_call_init_function (vm, ipsec_tunnel_if_init)))
-    return error;
-
   vec_validate (im->crypto_algs, IPSEC_CRYPTO_N_ALG - 1);
 
+  a = im->crypto_algs + IPSEC_CRYPTO_ALG_NONE;
+  a->enc_op_id = VNET_CRYPTO_OP_NONE;
+  a->dec_op_id = VNET_CRYPTO_OP_NONE;
+  a->alg = VNET_CRYPTO_ALG_NONE;
+  a->iv_size = 0;
+  a->block_size = 1;
+
   a = im->crypto_algs + IPSEC_CRYPTO_ALG_DES_CBC;
   a->enc_op_id = VNET_CRYPTO_OP_DES_CBC_ENC;
   a->dec_op_id = VNET_CRYPTO_OP_DES_CBC_DEC;
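Review bot: The new `IPSEC_CRYPTO_ALG_NONE` entry sets `iv_size = 0` and `block_size = 1` with no explanation of why the block size is 1 rather than 0. A comment such as `/* NULL cipher: no IV on the wire; block_size 1 so padding arithmetic stays well-defined */` would record the intent, assuming `block_size` feeds padding alignment, which is not visible here. With this entry ESP without confidentiality becomes a regular table row, so it is worth confirming that SA creation rejects the NONE cipher paired with no integrity algorithm; that check, if present, is outside this file section. `ipsec_init` starts and ends outside the hunk.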
@@ -354,21 +373,24 @@ ipsec_init (vlib_main_t * vm)
   a->enc_op_id = VNET_CRYPTO_OP_AES_128_GCM_ENC;
   a->dec_op_id = VNET_CRYPTO_OP_AES_128_GCM_DEC;
   a->alg = VNET_CRYPTO_ALG_AES_128_GCM;
-  a->iv_size = a->block_size = 8;
+  a->iv_size = 8;
+  a->block_size = 16;
   a->icv_size = 16;
 
   a = im->crypto_algs + IPSEC_CRYPTO_ALG_AES_GCM_192;
   a->enc_op_id = VNET_CRYPTO_OP_AES_192_GCM_ENC;
   a->dec_op_id = VNET_CRYPTO_OP_AES_192_GCM_DEC;
   a->alg = VNET_CRYPTO_ALG_AES_192_GCM;
-  a->iv_size = a->block_size = 8;
+  a->iv_size = 8;
+  a->block_size = 16;
   a->icv_size = 16;
 
   a = im->crypto_algs + IPSEC_CRYPTO_ALG_AES_GCM_256;
   a->enc_op_id = VNET_CRYPTO_OP_AES_256_GCM_ENC;
   a->dec_op_id = VNET_CRYPTO_OP_AES_256_GCM_DEC;
   a->alg = VNET_CRYPTO_ALG_AES_256_GCM;
-  a->iv_size = a->block_size = 8;
+  a->iv_size = 8;
+  a->block_size = 16;
   a->icv_size = 16;
 
   vec_validate (im->integ_algs, IPSEC_INTEG_N_ALG - 1);
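Review bot: The change of `block_size` from 8 to 16 in the three `IPSEC_CRYPTO_ALG_AES_GCM_*` entries is a behaviour change that the commit title does not mention and the code does not explain. If `block_size` drives ESP padding alignment (not visible here), the padded length of every GCM packet changes, which deserves its own line in the commit message and an interoperability check against a peer implementation. A comment on the first entry, such as `/* RFC 4106: 8-byte explicit IV in the packet, 16-byte ICV; block_size is the AES block */`, would also keep the two sizes from being merged into one assignment again.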
@@ -406,6 +428,32 @@ ipsec_init (vlib_main_t * vm)
 
   vec_validate_aligned (im->ptd, vlib_num_workers (), CLIB_CACHE_LINE_BYTES);
 
+  im->ah4_enc_fq_index =
+    vlib_frame_queue_main_init (ah4_encrypt_node.index, 0);
+  im->ah4_dec_fq_index =
+    vlib_frame_queue_main_init (ah4_decrypt_node.index, 0);
+  im->ah6_enc_fq_index =
+    vlib_frame_queue_main_init (ah6_encrypt_node.index, 0);
+  im->ah6_dec_fq_index =
+    vlib_frame_queue_main_init (ah6_decrypt_node.index, 0);
+
+  im->esp4_enc_fq_index =
+    vlib_frame_queue_main_init (esp4_encrypt_node.index, 0);
+  im->esp4_dec_fq_index =
+    vlib_frame_queue_main_init (esp4_decrypt_node.index, 0);
+  im->esp6_enc_fq_index =
+    vlib_frame_queue_main_init (esp6_encrypt_node.index, 0);
+  im->esp6_dec_fq_index =
+    vlib_frame_queue_main_init (esp6_decrypt_node.index, 0);
+  im->esp4_enc_tun_fq_index =
+    vlib_frame_queue_main_init (esp4_encrypt_tun_node.index, 0);
+  im->esp6_enc_tun_fq_index =
+    vlib_frame_queue_main_init (esp6_encrypt_tun_node.index, 0);
+  im->esp4_dec_tun_fq_index =
+    vlib_frame_queue_main_init (esp4_decrypt_tun_node.index, 0);
+  im->esp6_dec_tun_fq_index =
+    vlib_frame_queue_main_init (esp6_decrypt_tun_node.index, 0);
+
   return 0;
 }
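Review bot: The twelve handoff queue indices are created from the built-in node symbols (`esp4_encrypt_node.index`, `ah4_decrypt_node.index`, and so on) rather than from the selected backend's node indices. `ipsec_select_esp_backend` in this commit copies node, next and feature indices from the backend into `im`, but the visible part copies no `*_fq_index`. With a non-default backend registered through `ipsec_register_esp_backend`, a handed-off frame would therefore presumably land on the built-in node instead of the backend's. If that is intended, document it with `/* handoff always targets the built-in nodes; alternative backends must not use im->*_fq_index */`; otherwise create the queues per backend and select them alongside the node indices. The literal `0` passed as the second argument would also benefit from a short comment saying which queue size it selects.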