(line_input, "crypto-alg %U", unformat_ipsec_crypto_alg,
&sa.crypto_alg))
{
- if (sa.crypto_alg < IPSEC_CRYPTO_ALG_AES_CBC_128 ||
+ if (sa.crypto_alg < IPSEC_CRYPTO_ALG_NONE ||
sa.crypto_alg >= IPSEC_CRYPTO_N_ALG)
{
error = clib_error_return (0, "unsupported crypto-alg: '%U'",
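Review bot: Nothing visible in this hunk or in the matching integ-alg hunk below rejects an SA whose crypto and integrity algorithms are both NONE, so after this change the CLI can configure an ESP SA that provides neither confidentiality nor integrity. ESP requires at least one of the two services, so a combined check belongs before the `ipsec_add_del_sa` call, for example `if (sa.protocol == IPSEC_PROTOCOL_ESP && sa.crypto_alg == IPSEC_CRYPTO_ALG_NONE && sa.integ_alg == IPSEC_INTEG_ALG_NONE)` returning a `clib_error_return`. If `IPSEC_CRYPTO_ALG_NONE` and `IPSEC_INTEG_ALG_NONE` are the first enumerators (presumably 0), the lower-bound comparisons can no longer fail and only the `>= ..._N_ALG` test does any work; a short comment saying so would help. The enclosing parse loop starts and ends outside these hunks.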
else if (unformat (line_input, "integ-alg %U", unformat_ipsec_integ_alg,
&sa.integ_alg))
{
- if (sa.integ_alg < IPSEC_INTEG_ALG_SHA1_96 ||
+ if (sa.integ_alg < IPSEC_INTEG_ALG_NONE ||
sa.integ_alg >= IPSEC_INTEG_N_ALG)
{
error = clib_error_return (0, "unsupported integ-alg: '%U'",
goto done;
}
- ipsec_add_del_sa (vm, &sa, is_add);
+ ipsec_add_del_sa (vm, &sa, is_add, 0 /* enable nat traversal */ );
done:
unformat_free (line_input);
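Review bot: The comment on the new argument, `0 /* enable nat traversal */`, reads as if NAT traversal were being switched on, while the value passed is 0. Something like `0 /* udp encap (NAT traversal) disabled */` states what the call does. Since no CLI keyword in the visible hunks sets this flag, SAs created from this command never get UDP encapsulation even though the show output now reports it; if that is intended, the command help should say so. The result of `ipsec_add_del_sa` also looks unused on the lines shown, so a failed add would still reach `done:` without `error` being set, though the function's return type is not visible here.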
u32 *i;
ipsec_tunnel_if_t *t;
vnet_hw_interface_t *hi;
+ u8 *protocol = NULL;
+ u8 *policy = NULL;
/* *INDENT-OFF* */
pool_foreach (sa, im->sad, ({
if (sa->id) {
- vlib_cli_output(vm, "sa %u spi %u mode %s protocol %s", sa->id, sa->spi,
+ vlib_cli_output(vm, "sa %u spi %u mode %s protocol %s%s", sa->id, sa->spi,
sa->is_tunnel ? "tunnel" : "transport",
- sa->protocol ? "esp" : "ah");
+ sa->protocol ? "esp" : "ah",
+ sa->udp_encap ? " udp-encap-enabled" : "");
if (sa->protocol == IPSEC_PROTOCOL_ESP) {
vlib_cli_output(vm, " crypto alg %U%s%U integrity alg %U%s%U",
format_ipsec_crypto_alg, sa->crypto_alg,
vec_foreach(i, spd->ipv4_outbound_policies)
{
p = pool_elt_at_index(spd->policies, *i);
- vlib_cli_output(vm, " priority %d action %U protocol %s%s",
- p->priority,
- format_ipsec_policy_action, p->policy,
- p->protocol ?
- format(0, "%U", format_ip_protocol, p->protocol) :
- (u8 *) "any",
- p->policy == IPSEC_POLICY_ACTION_PROTECT ?
- format(0, " sa %u", p->sa_id) :
- (u8 *) "");
+ vec_reset_length(protocol);
+ vec_reset_length(policy);
+ if (p->protocol) {
+ protocol = format(protocol, "%U", format_ip_protocol, p->protocol);
+ } else {
+ protocol = format(protocol, "any");
+ }
+ if (p->policy == IPSEC_POLICY_ACTION_PROTECT) {
+ policy = format(policy, " sa %u", p->sa_id);
+ }
+
+ vlib_cli_output(vm, " priority %d action %U protocol %v%v",
+ p->priority, format_ipsec_policy_action, p->policy,
+ protocol, policy);
vlib_cli_output(vm, " local addr range %U - %U port range %u - %u",
format_ip4_address, &p->laddr.start.ip4,
format_ip4_address, &p->laddr.stop.ip4,
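Review bot: The same ten added lines (reset both scratch vectors, format `protocol`, optionally format `policy`, print with `%v%v`) are repeated verbatim here and in the five following hunks for the ipv6 outbound and the four inbound policy lists. Moving them into one static helper keeps the six loops from drifting apart. It also puts the vector-reuse contract in one place: the vectors are reset per policy and freed once after the `pool_foreach`. The switch from `%s` on the result of `format(0, ...)` to `%v` on reused vectors is worth a one-line comment, since it is what removes the per-policy allocation and the dependence on NUL termination. The helper name below is only a suggestion; the enclosing function and the `INDENT-OFF` region start outside this hunk.

```c
/* Print the "priority / action / protocol [sa]" line for one policy.
 * The caller owns the two scratch vectors and frees them once at the end;
 * they are reset here so nothing is allocated per policy. */
static void
ipsec_cli_show_policy_summary (vlib_main_t * vm, ipsec_policy_t * p,
			       u8 ** protocol, u8 ** policy)
{
  vec_reset_length (*protocol);
  vec_reset_length (*policy);
  if (p->protocol)
    *protocol = format (*protocol, "%U", format_ip_protocol, p->protocol);
  else
    *protocol = format (*protocol, "any");
  if (p->policy == IPSEC_POLICY_ACTION_PROTECT)
    *policy = format (*policy, " sa %u", p->sa_id);
  /* %v prints a vector by length, so no NUL terminator is needed */
  vlib_cli_output (vm, " priority %d action %U protocol %v%v",
		   p->priority, format_ipsec_policy_action, p->policy,
		   *protocol, *policy);
}

/* in each of the six vec_foreach bodies */
p = pool_elt_at_index(spd->policies, *i);
ipsec_cli_show_policy_summary (vm, p, &protocol, &policy);
/* … unchanged: local/remote address and port range output … */
```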
vec_foreach(i, spd->ipv6_outbound_policies)
{
p = pool_elt_at_index(spd->policies, *i);
- vlib_cli_output(vm, " priority %d action %U protocol %s%s",
- p->priority,
- format_ipsec_policy_action, p->policy,
- p->protocol ?
- format(0, "%U", format_ip_protocol, p->protocol) :
- (u8 *) "any",
- p->policy == IPSEC_POLICY_ACTION_PROTECT ?
- format(0, " sa %u", p->sa_id) :
- (u8 *) "");
+ vec_reset_length(protocol);
+ vec_reset_length(policy);
+ if (p->protocol) {
+ protocol = format(protocol, "%U", format_ip_protocol, p->protocol);
+ } else {
+ protocol = format(protocol, "any");
+ }
+ if (p->policy == IPSEC_POLICY_ACTION_PROTECT) {
+ policy = format(policy, " sa %u", p->sa_id);
+ }
+ vlib_cli_output(vm, " priority %d action %U protocol %v%v",
+ p->priority, format_ipsec_policy_action, p->policy,
+ protocol, policy);
vlib_cli_output(vm, " local addr range %U - %U port range %u - %u",
format_ip6_address, &p->laddr.start.ip6,
format_ip6_address, &p->laddr.stop.ip6,
vec_foreach(i, spd->ipv4_inbound_protect_policy_indices)
{
p = pool_elt_at_index(spd->policies, *i);
- vlib_cli_output(vm, " priority %d action %U protocol %s%s",
- p->priority,
- format_ipsec_policy_action, p->policy,
- p->protocol ?
- format(0, "%U", format_ip_protocol, p->protocol) :
- (u8 *) "any",
- p->policy == IPSEC_POLICY_ACTION_PROTECT ?
- format(0, " sa %u", p->sa_id) :
- (u8 *) "");
+ vec_reset_length(protocol);
+ vec_reset_length(policy);
+ if (p->protocol) {
+ protocol = format(protocol, "%U", format_ip_protocol, p->protocol);
+ } else {
+ protocol = format(protocol, "any");
+ }
+ if (p->policy == IPSEC_POLICY_ACTION_PROTECT) {
+ policy = format(policy, " sa %u", p->sa_id);
+ }
+ vlib_cli_output(vm, " priority %d action %U protocol %v%v",
+ p->priority, format_ipsec_policy_action, p->policy,
+ protocol, policy);
vlib_cli_output(vm, " local addr range %U - %U port range %u - %u",
format_ip4_address, &p->laddr.start.ip4,
format_ip4_address, &p->laddr.stop.ip4,
vec_foreach(i, spd->ipv4_inbound_policy_discard_and_bypass_indices)
{
p = pool_elt_at_index(spd->policies, *i);
- vlib_cli_output(vm, " priority %d action %U protocol %s%s",
- p->priority,
- format_ipsec_policy_action, p->policy,
- p->protocol ?
- format(0, "%U", format_ip_protocol, p->protocol) :
- (u8 *) "any",
- p->policy == IPSEC_POLICY_ACTION_PROTECT ?
- format(0, " sa %u", p->sa_id) :
- (u8 *) "");
+ vec_reset_length(protocol);
+ vec_reset_length(policy);
+ if (p->protocol) {
+ protocol = format(protocol, "%U", format_ip_protocol, p->protocol);
+ } else {
+ protocol = format(protocol, "any");
+ }
+ if (p->policy == IPSEC_POLICY_ACTION_PROTECT) {
+ policy = format(policy, " sa %u", p->sa_id);
+ }
+ vlib_cli_output(vm, " priority %d action %U protocol %v%v",
+ p->priority, format_ipsec_policy_action, p->policy,
+ protocol, policy);
vlib_cli_output(vm, " local addr range %U - %U port range %u - %u",
format_ip4_address, &p->laddr.start.ip4,
format_ip4_address, &p->laddr.stop.ip4,
vec_foreach(i, spd->ipv6_inbound_protect_policy_indices)
{
p = pool_elt_at_index(spd->policies, *i);
- vlib_cli_output(vm, " priority %d action %U protocol %s%s",
- p->priority,
- format_ipsec_policy_action, p->policy,
- p->protocol ?
- format(0, "%U", format_ip_protocol, p->protocol) :
- (u8 *) "any",
- p->policy == IPSEC_POLICY_ACTION_PROTECT ?
- format(0, " sa %u", p->sa_id) :
- (u8 *) "");
+ vec_reset_length(protocol);
+ vec_reset_length(policy);
+ if (p->protocol) {
+ protocol = format(protocol, "%U", format_ip_protocol, p->protocol);
+ } else {
+ protocol = format(protocol, "any");
+ }
+ if (p->policy == IPSEC_POLICY_ACTION_PROTECT) {
+ policy = format(policy, " sa %u", p->sa_id);
+ }
+ vlib_cli_output(vm, " priority %d action %U protocol %v%v",
+ p->priority, format_ipsec_policy_action, p->policy,
+ protocol, policy);
vlib_cli_output(vm, " local addr range %U - %U port range %u - %u",
format_ip6_address, &p->laddr.start.ip6,
format_ip6_address, &p->laddr.stop.ip6,
vec_foreach(i, spd->ipv6_inbound_policy_discard_and_bypass_indices)
{
p = pool_elt_at_index(spd->policies, *i);
- vlib_cli_output(vm, " priority %d action %U protocol %s%s",
- p->priority,
- format_ipsec_policy_action, p->policy,
- p->protocol ?
- format(0, "%U", format_ip_protocol, p->protocol) :
- (u8 *) "any",
- p->policy == IPSEC_POLICY_ACTION_PROTECT ?
- format(0, " sa %u", p->sa_id) :
- (u8 *) "");
+ vec_reset_length(protocol);
+ vec_reset_length(policy);
+ if (p->protocol) {
+ protocol = format(protocol, "%U", format_ip_protocol, p->protocol);
+ } else {
+ protocol = format(protocol, "any");
+ }
+ if (p->policy == IPSEC_POLICY_ACTION_PROTECT) {
+ policy = format(policy, " sa %u", p->sa_id);
+ }
+ vlib_cli_output(vm, " priority %d action %U protocol %v%v",
+ p->priority, format_ipsec_policy_action, p->policy,
+ protocol, policy);
vlib_cli_output(vm, " local addr range %U - %U port range %u - %u",
format_ip6_address, &p->laddr.start.ip6,
format_ip6_address, &p->laddr.stop.ip6,
format_ipsec_integ_alg, sa->integ_alg,
format_hex_bytes, sa->integ_key, sa->integ_key_len);
}));
+ vec_free(policy);
+ vec_free(protocol);
/* *INDENT-ON* */
return 0;
}
num_m_args++;
else if (unformat (line_input, "remote-spi %u", &a.remote_spi))
num_m_args++;
+ else if (unformat (line_input, "instance %u", &a.show_instance))
+ a.renumber = 1;
else if (unformat (line_input, "del"))
a.is_add = 0;
else
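Review bot: The number parsed by `instance %u` goes straight into `a.show_instance` and `a.renumber` is set to 1 with no range or in-use check in this hunk, and the same happens when `del` is given on the same line. Whether the tunnel-create path rejects an instance number that is already taken, or one that equals whatever value it treats as "unset", cannot be seen from here; if it does not, the check belongs after the parse loop, next to the existing argument-count validation. A comment on the new branch such as `/* optional: user-chosen interface instance number, validated by the create call */` would at least record where validation is expected. The parse loop continues outside this hunk.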
/* *INDENT-OFF* */
VLIB_CLI_COMMAND (create_ipsec_tunnel_command, static) = {
.path = "create ipsec tunnel",
- .short_help = "create ipsec tunnel local-ip <addr> local-spi <spi> remote-ip <addr> remote-spi <spi>",
+ .short_help = "create ipsec tunnel local-ip <addr> local-spi <spi> remote-ip <addr> remote-spi <spi> [instance <inst_num>]",
.function = create_ipsec_tunnel_command_fn,
};
/* *INDENT-ON* */