ipsec: support UDP encap/decap for NAT traversal

[vpp.git] / src / vnet / ipsec / ipsec_cli.c

diff --git a/src/vnet/ipsec/ipsec_cli.c b/src/vnet/ipsec/ipsec_cli.c
index 711403f..238ef97 100644 (file)
--- a/src/vnet/ipsec/ipsec_cli.c
+++ b/src/vnet/ipsec/ipsec_cli.c
@@ -106,7 +106,7 @@ ipsec_sa_add_del_command_fn (vlib_main_t * vm,
            (line_input, "crypto-alg %U", unformat_ipsec_crypto_alg,
             &sa.crypto_alg))
        {
-         if (sa.crypto_alg < IPSEC_CRYPTO_ALG_AES_CBC_128 ||
+         if (sa.crypto_alg < IPSEC_CRYPTO_ALG_NONE ||
              sa.crypto_alg >= IPSEC_CRYPTO_N_ALG)
            {
              error = clib_error_return (0, "unsupported crypto-alg: '%U'",
@@ -121,7 +121,7 @@ ipsec_sa_add_del_command_fn (vlib_main_t * vm,
       else if (unformat (line_input, "integ-alg %U", unformat_ipsec_integ_alg,
                         &sa.integ_alg))
        {
-         if (sa.integ_alg < IPSEC_INTEG_ALG_SHA1_96 ||
+         if (sa.integ_alg < IPSEC_INTEG_ALG_NONE ||
              sa.integ_alg >= IPSEC_INTEG_N_ALG)
            {
              error = clib_error_return (0, "unsupported integ-alg: '%U'",
@@ -176,7 +176,7 @@ ipsec_sa_add_del_command_fn (vlib_main_t * vm,
        goto done;
     }
 
-  ipsec_add_del_sa (vm, &sa, is_add);
+  ipsec_add_del_sa (vm, &sa, is_add, 0 /* enable nat traversal */ );
 
 done:
   unformat_free (line_input);
@@ -451,9 +451,10 @@ show_ipsec_command_fn (vlib_main_t * vm,
   /* *INDENT-OFF* */
   pool_foreach (sa, im->sad, ({
     if (sa->id) {
-      vlib_cli_output(vm, "sa %u spi %u mode %s protocol %s", sa->id, sa->spi,
+      vlib_cli_output(vm, "sa %u spi %u mode %s protocol %s%s", sa->id, sa->spi,
                       sa->is_tunnel ? "tunnel" : "transport",
-                      sa->protocol ? "esp" : "ah");
+                      sa->protocol ? "esp" : "ah",
+                     sa->udp_encap ? " udp-encap-enabled" : "");
       if (sa->protocol == IPSEC_PROTOCOL_ESP) {
         vlib_cli_output(vm, "  crypto alg %U%s%U integrity alg %U%s%U",
                         format_ipsec_crypto_alg, sa->crypto_alg,
@@ -726,6 +727,8 @@ create_ipsec_tunnel_command_fn (vlib_main_t * vm,
        num_m_args++;
       else if (unformat (line_input, "remote-spi %u", &a.remote_spi))
        num_m_args++;
+      else if (unformat (line_input, "instance %u", &a.show_instance))
+       a.renumber = 1;
       else if (unformat (line_input, "del"))
        a.is_add = 0;
       else
@@ -770,7 +773,7 @@ done:
 /* *INDENT-OFF* */
 VLIB_CLI_COMMAND (create_ipsec_tunnel_command, static) = {
   .path = "create ipsec tunnel",
-  .short_help = "create ipsec tunnel local-ip <addr> local-spi <spi> remote-ip <addr> remote-spi <spi>",
+  .short_help = "create ipsec tunnel local-ip <addr> local-spi <spi> remote-ip <addr> remote-spi <spi> [instance <inst_num>]",
   .function = create_ipsec_tunnel_command_fn,
 };
 /* *INDENT-ON* */