X-Git-Url: https://gerrit.fd.io/r/gitweb?a=blobdiff_plain;f=src%2Fplugins%2Fikev2%2Fikev2.c;h=4bbe5549c75db61067dddde7453d225e5d94289c;hb=44476c6b2;hp=00b8f8eea29edffeba5e2abff710105fe1ebb9ff;hpb=99eefc2cfee4f71e1aaad1d420e6d9335072eb2c;p=vpp.git diff --git a/src/plugins/ikev2/ikev2.c b/src/plugins/ikev2/ikev2.c index 00b8f8eea29..4bbe5549c75 100644 --- a/src/plugins/ikev2/ikev2.c +++ b/src/plugins/ikev2/ikev2.c @@ -15,6 +15,7 @@ #include #include +#include #include #include #include @@ -36,7 +37,7 @@ static int ikev2_delete_tunnel_interface (vnet_main_t * vnm, #define ikev2_set_state(sa, v) do { \ (sa)->state = v; \ - clib_warning("sa state changed to " #v); \ + ikev2_elog_sa_state("ispi %lx SA state changed to " #v, sa->ispi); \ } while(0); typedef struct @@ -170,9 +171,6 @@ ikev2_select_proposal (ikev2_sa_proposal_t * proposals, } } - clib_warning ("bitmap is %x mandatory is %x optional is %x", - bitmap, mandatory_bitmap, optional_bitmap); - if ((bitmap & mandatory_bitmap) == mandatory_bitmap && (bitmap & ~optional_bitmap) == 0) { @@ -345,8 +343,6 @@ ikev2_generate_sa_init_data (ikev2_sa_t * sa) if (!t) { - clib_warning ("unknown dh data group %u (data len %u)", sa->dh_group, - vec_len (sa->i_dh_data)); sa->dh_group = IKEV2_TRANSFORM_DH_TYPE_NONE; return; } @@ -393,6 +389,8 @@ ikev2_complete_sa_data (ikev2_sa_t * sa, ikev2_sa_t * sai) sa->i_id.type = sai->i_id.type; sa->profile_index = sai->profile_index; sa->is_profile_index_set = sai->is_profile_index_set; + sa->tun_itf = sai->tun_itf; + sa->is_tun_itf_set = sai->is_tun_itf_set; sa->i_id.data = _(sai->i_id.data); sa->i_auth.method = sai->i_auth.method; sa->i_auth.hex = sai->i_auth.hex; @@ -420,8 +418,6 @@ ikev2_complete_sa_data (ikev2_sa_t * sa, ikev2_sa_t * sai) if (!t) { - clib_warning ("unknown dh data group %u (data len %u)", sa->dh_group, - vec_len (sa->i_dh_data)); sa->dh_group = IKEV2_TRANSFORM_DH_TYPE_NONE; return; } 
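Review bot: In the rewritten `ikev2_set_state` macro the new argument `sa->ispi` is used unparenthesised while the existing `(sa)->state` on the previous line is parenthesised, so a caller that passes a cast or other compound expression as `sa` will expand differently on the two lines. Use `ikev2_elog_sa_state("ispi %lx SA state changed to " #v, (sa)->ispi);` to keep the two uses consistent. The pre-existing trailing `;` after `while(0)` also remains, which prevents the macro from being used as a single statement in an unbraced `if`/`else`; worth dropping while the macro is being touched.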
@@ -595,13 +591,10 @@ ikev2_process_sa_init_req (vlib_main_t * vm, ikev2_sa_t * sa, u32 len = clib_net_to_host_u32 (ike->length); u8 payload = ike->nextpayload; - clib_warning ("ispi %lx rspi %lx nextpayload %x version %x " - "exchange %x flags %x msgid %x length %u", - clib_net_to_host_u64 (ike->ispi), - clib_net_to_host_u64 (ike->rspi), - payload, ike->version, - ike->exchange, ike->flags, - clib_net_to_host_u32 (ike->msgid), len); + ikev2_elog_exchange ("ispi %lx rspi %lx IKE_INIT request received " + "from %d.%d.%d.%d", + clib_net_to_host_u64 (ike->ispi), + clib_net_to_host_u64 (ike->rspi), sa->iaddr.as_u32); sa->ispi = clib_net_to_host_u64 (ike->ispi); @@ -645,8 +638,8 @@ ikev2_process_sa_init_req (vlib_main_t * vm, ikev2_sa_t * sa, } else { - clib_warning ("unknown payload %u flags %x length %u", payload, - ikep->flags, plen); + ikev2_elog_uint (IKEV2_LOG_ERROR, "Unknown payload! type=%d", + payload); if (ikep->flags & IKEV2_PAYLOAD_FLAG_CRITICAL) { ikev2_set_state (sa, IKEV2_STATE_NOTIFY_AND_DELETE); @@ -670,17 +663,13 @@ ikev2_process_sa_init_resp (vlib_main_t * vm, ikev2_sa_t * sa, u32 len = clib_net_to_host_u32 (ike->length); u8 payload = ike->nextpayload; - clib_warning ("ispi %lx rspi %lx nextpayload %x version %x " - "exchange %x flags %x msgid %x length %u", - clib_net_to_host_u64 (ike->ispi), - clib_net_to_host_u64 (ike->rspi), - payload, ike->version, - ike->exchange, ike->flags, - clib_net_to_host_u32 (ike->msgid), len); - sa->ispi = clib_net_to_host_u64 (ike->ispi); sa->rspi = clib_net_to_host_u64 (ike->rspi); + ikev2_elog_exchange ("ispi %lx rspi %lx IKE_INIT response received " + "from %d.%d.%d.%d", sa->ispi, sa->rspi, + sa->raddr.as_u32); + /* store whole IKE payload - needed for PSK auth */ vec_free (sa->last_sa_init_res_packet_data); vec_add (sa->last_sa_init_res_packet_data, ike, len); 
@@ -727,8 +716,8 @@ ikev2_process_sa_init_resp (vlib_main_t * vm, ikev2_sa_t * sa, } else { - clib_warning ("unknown payload %u flags %x length %u", payload, - ikep->flags, plen); + ikev2_elog_uint (IKEV2_LOG_ERROR, "Unknown payload! type=%d", + payload); if (ikep->flags & IKEV2_PAYLOAD_FLAG_CRITICAL) { ikev2_set_state (sa, IKEV2_STATE_NOTIFY_AND_DELETE); @@ -766,13 +755,12 @@ ikev2_decrypt_sk_payload (ikev2_sa_t * sa, ike_header_t * ike, u8 * payload) if (*payload == IKEV2_PAYLOAD_SK) { - clib_warning ("received IKEv2 payload SK, len %u", plen - 4); last_payload = *payload; } else { - clib_warning ("unknown payload %u flags %x length %u", payload, - ikep->flags, plen); + ikev2_elog_uint (IKEV2_LOG_ERROR, "Unknown payload! type=%d", + *payload); if (ikep->flags & IKEV2_PAYLOAD_FLAG_CRITICAL) { sa->unsupported_cp = *payload; @@ -786,7 +774,7 @@ ikev2_decrypt_sk_payload (ikev2_sa_t * sa, ike_header_t * ike, u8 * payload) if (last_payload != IKEV2_PAYLOAD_SK) { - clib_warning ("Last payload must be SK"); + ikev2_elog_error ("Last payload must be SK"); return 0; } @@ -798,7 +786,7 @@ ikev2_decrypt_sk_payload (ikev2_sa_t * sa, ike_header_t * ike, u8 * payload) if (memcmp (hmac, &ikep->payload[plen], tr_integ->key_trunc)) { - clib_warning ("message integrity check failed"); + ikev2_elog_error ("message integrity check failed"); vec_free (hmac); return 0; } @@ -844,6 +832,9 @@ ikev2_initial_contact_cleanup (ikev2_sa_t * sa) vec_free (delete); sa->initial_contact = 0; + + km->log_level = IKEV2_LOG_ERROR; + km->log_class = vlib_log_register_class ("ikev2", 0); } static void 
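Review bot: The two lines added at the end of `ikev2_initial_contact_cleanup` (`km->log_level = IKEV2_LOG_ERROR;` and `km->log_class = vlib_log_register_class ("ikev2", 0);`) execute on every initial-contact cleanup instead of once at plugin start, so each cleanup appears to register a fresh vlib log class and, more importantly, silently resets the level an operator configured through the new `ikev2_set_log_level` (last hunk of this diff) back to `IKEV2_LOG_ERROR`, hiding exactly the warning/debug records that setting was meant to expose. Move both lines into `ikev2_init` next to the new `km->sw_if_indices = hash_create (0, 0);` and drop them here. Whether `km` is even declared in this function cannot be seen; the enclosing function starts outside the hunk.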
@@ -851,20 +842,16 @@ ikev2_process_auth_req (vlib_main_t * vm, ikev2_sa_t * sa, ike_header_t * ike) { ikev2_child_sa_t *first_child_sa; int p = 0; - u32 len = clib_net_to_host_u32 (ike->length); u8 payload = ike->nextpayload; u8 *plaintext = 0; - ike_payload_header_t *ikep; u32 plen; - clib_warning ("ispi %lx rspi %lx nextpayload %x version %x " - "exchange %x flags %x msgid %x length %u", - clib_net_to_host_u64 (ike->ispi), - clib_net_to_host_u64 (ike->rspi), - payload, ike->version, - ike->exchange, ike->flags, - clib_net_to_host_u32 (ike->msgid), len); + ikev2_elog_exchange ("ispi %lx rspi %lx EXCHANGE_IKE_AUTH received " + "from %d.%d.%d.%d", clib_host_to_net_u64 (ike->ispi), + clib_host_to_net_u64 (ike->rspi), + sa->is_initiator ? sa->raddr.as_u32 : sa-> + iaddr.as_u32); ikev2_calc_keys (sa); @@ -901,7 +888,6 @@ ikev2_process_auth_req (vlib_main_t * vm, ikev2_sa_t * sa, ike_header_t * ike) if (payload == IKEV2_PAYLOAD_SA) /* 33 */ { - clib_warning ("received payload SA, len %u", plen - sizeof (*ikep)); if (sa->is_initiator) { ikev2_sa_free_proposal_vector (&first_child_sa->r_proposals); @@ -920,9 +906,6 @@ ikev2_process_auth_req (vlib_main_t * vm, ikev2_sa_t * sa, ike_header_t * ike) sa->i_id.type = id->id_type; vec_free (sa->i_id.data); vec_add (sa->i_id.data, id->payload, plen - sizeof (*id)); - - clib_warning ("received payload IDi, len %u id_type %u", - plen - sizeof (*id), id->id_type); } else if (payload == IKEV2_PAYLOAD_IDR) /* 36 */ { @@ -931,9 +914,6 @@ ikev2_process_auth_req (vlib_main_t * vm, ikev2_sa_t * sa, ike_header_t * ike) sa->r_id.type = id->id_type; vec_free (sa->r_id.data); vec_add (sa->r_id.data, id->payload, plen - sizeof (*id)); - - clib_warning ("received payload IDr len %u id_type %u", - plen - sizeof (*id), id->id_type); } else if (payload == IKEV2_PAYLOAD_AUTH) /* 39 */ { 
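Review bot: The new `ikev2_elog_exchange` call in `ikev2_process_auth_req` decodes the wire-order SPIs with `clib_host_to_net_u64`, while the IKE_SA_INIT hunks above use `clib_net_to_host_u64` for the same fields; the two swaps yield identical bits, but the name documents the direction and a reader checking log correlation should not need to know that. Use `clib_net_to_host_u64 (ike->ispi)` and `clib_net_to_host_u64 (ike->rspi)` here and in the INFORMATIONAL and CREATE_CHILD_SA hunks that follow. The stray break in `sa-> iaddr.as_u32` looks like an indent artefact and is worth fixing at the same time.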
@@ -951,9 +931,6 @@ ikev2_process_auth_req (vlib_main_t * vm, ikev2_sa_t * sa, ike_header_t * ike) vec_free (sa->i_auth.data); vec_add (sa->i_auth.data, a->payload, plen - sizeof (*a)); } - - clib_warning ("received payload AUTH, len %u auth_type %u", - plen - sizeof (*a), a->auth_method); } else if (payload == IKEV2_PAYLOAD_NOTIFY) /* 41 */ { @@ -970,25 +947,18 @@ ikev2_process_auth_req (vlib_main_t * vm, ikev2_sa_t * sa, ike_header_t * ike) } else if (payload == IKEV2_PAYLOAD_TSI) /* 44 */ { - clib_warning ("received payload TSi, len %u", - plen - sizeof (*ikep)); - vec_free (first_child_sa->tsi); first_child_sa->tsi = ikev2_parse_ts_payload (ikep); } else if (payload == IKEV2_PAYLOAD_TSR) /* 45 */ { - clib_warning ("received payload TSr, len %u", - plen - sizeof (*ikep)); - vec_free (first_child_sa->tsr); first_child_sa->tsr = ikev2_parse_ts_payload (ikep); } else { - clib_warning ("unknown payload %u flags %x length %u data %u", - payload, ikep->flags, plen - 4, - format_hex_bytes, ikep->payload, plen - 4); + ikev2_elog_uint (IKEV2_LOG_ERROR, "Unknown payload! type=%d", + payload); if (ikep->flags & IKEV2_PAYLOAD_FLAG_CRITICAL) { @@ -1011,20 +981,14 @@ ikev2_process_informational_req (vlib_main_t * vm, ikev2_sa_t * sa, ike_header_t * ike) { int p = 0; - u32 len = clib_net_to_host_u32 (ike->length); u8 payload = ike->nextpayload; u8 *plaintext = 0; - ike_payload_header_t *ikep; u32 plen; - clib_warning ("ispi %lx rspi %lx nextpayload %x version %x " - "exchange %x flags %x msgid %x length %u", - clib_net_to_host_u64 (ike->ispi), - clib_net_to_host_u64 (ike->rspi), - payload, ike->version, - ike->exchange, ike->flags, - clib_net_to_host_u32 (ike->msgid), len); + ikev2_elog_exchange ("ispi %lx rspi %lx INFORMATIONAL received " + "from %d.%d.%d.%d", clib_host_to_net_u64 (ike->ispi), + clib_host_to_net_u64 (ike->rspi), sa->iaddr.as_u32); plaintext = ikev2_decrypt_sk_payload (sa, ike, &payload); 
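Review bot: The INFORMATIONAL record in `ikev2_process_informational_req` reports `sa->iaddr.as_u32` as the sender regardless of which role this node holds, whereas the IKE_AUTH hunk above selects `sa->is_initiator ? sa->raddr.as_u32 : sa->iaddr.as_u32`; when this node is the initiator the record names our own address as the peer, which misleads anyone correlating these events with captures. The CREATE_CHILD_SA hunk on the next line has the mirror problem with an unconditional `sa->raddr.as_u32`. Use the same role-based selection in both places.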
@@ -1058,10 +1022,8 @@ ikev2_process_informational_req (vlib_main_t * vm, ikev2_sa_t * sa, } else { - clib_warning ("unknown payload %u flags %x length %u data %u", - payload, ikep->flags, plen - 4, - format_hex_bytes, ikep->payload, plen - 4); - + ikev2_elog_uint (IKEV2_LOG_ERROR, "Unknown payload! type=%d", + payload); if (ikep->flags & IKEV2_PAYLOAD_FLAG_CRITICAL) { sa->unsupported_cp = payload; @@ -1082,7 +1044,6 @@ ikev2_process_create_child_sa_req (vlib_main_t * vm, ikev2_sa_t * sa, ike_header_t * ike) { int p = 0; - u32 len = clib_net_to_host_u32 (ike->length); u8 payload = ike->nextpayload; u8 *plaintext = 0; u8 rekeying = 0; @@ -1096,13 +1057,9 @@ ikev2_process_create_child_sa_req (vlib_main_t * vm, ikev2_sa_t * sa, ikev2_sa_proposal_t *proposal = 0; ikev2_child_sa_t *child_sa; - clib_warning ("ispi %lx rspi %lx nextpayload %x version %x " - "exchange %x flags %x msgid %x length %u", - clib_net_to_host_u64 (ike->ispi), - clib_net_to_host_u64 (ike->rspi), - payload, ike->version, - ike->exchange, ike->flags, - clib_net_to_host_u32 (ike->msgid), len); + ikev2_elog_exchange ("ispi %lx rspi %lx CREATE_CHILD_SA received " + "from %d.%d.%d.%d", clib_host_to_net_u64 (ike->ispi), + clib_host_to_net_u64 (ike->rspi), sa->raddr.as_u32); plaintext = ikev2_decrypt_sk_payload (sa, ike, &payload); @@ -1153,10 +1110,8 @@ ikev2_process_create_child_sa_req (vlib_main_t * vm, ikev2_sa_t * sa, } else { - clib_warning ("unknown payload %u flags %x length %u data %u", - payload, ikep->flags, plen - 4, - format_hex_bytes, ikep->payload, plen - 4); - + ikev2_elog_uint (IKEV2_LOG_ERROR, "Unknown payload! type=%d", + payload); if (ikep->flags & IKEV2_PAYLOAD_FLAG_CRITICAL) { sa->unsupported_cp = payload; 
@@ -1193,7 +1148,8 @@ ikev2_process_create_child_sa_req (vlib_main_t * vm, ikev2_sa_t * sa, child_sa = ikev2_sa_get_child (sa, n->spi, n->protocol_id, 1); if (!child_sa) { - clib_warning ("child SA spi %lx not found", n->spi); + ikev2_elog_uint (IKEV2_LOG_ERROR, "child SA spi %lx not found", + n->spi); goto cleanup_and_exit; } vec_add2 (sa->rekey, rekey, 1); @@ -1355,8 +1311,9 @@ ikev2_sa_auth (ikev2_sa_t * sa) if (!(sa->i_auth.method == IKEV2_AUTH_METHOD_SHARED_KEY_MIC || sa->i_auth.method == IKEV2_AUTH_METHOD_RSA_SIG)) { - clib_warning ("unsupported authentication method %u", - sa->i_auth.method); + ikev2_elog_uint (IKEV2_LOG_ERROR, + "unsupported authentication method %u", + sa->i_auth.method); ikev2_set_state (sa, IKEV2_STATE_AUTH_FAILED); return; } @@ -1456,6 +1413,8 @@ ikev2_sa_auth (ikev2_sa_t * sa) } else { + ikev2_elog_uint (IKEV2_LOG_ERROR, "authentication failed, no matching " + "profile found! ispi %lx", sa->ispi); ikev2_set_state (sa, IKEV2_STATE_AUTH_FAILED); } vec_free (psk); @@ -1477,8 +1436,9 @@ ikev2_sa_auth_init (ikev2_sa_t * sa) if (!(sa->i_auth.method == IKEV2_AUTH_METHOD_SHARED_KEY_MIC || sa->i_auth.method == IKEV2_AUTH_METHOD_RSA_SIG)) { - clib_warning ("unsupported authentication method %u", - sa->i_auth.method); + ikev2_elog_uint (IKEV2_LOG_ERROR, + "unsupported authentication method %u", + sa->i_auth.method); ikev2_set_state (sa, IKEV2_STATE_AUTH_FAILED); return; } 
@@ -1507,34 +1467,103 @@ ikev2_sa_auth_init (ikev2_sa_t * sa) } static u32 -ikev2_mk_local_sa_id (u32 ti) +ikev2_mk_local_sa_id (u32 sai, u32 ci, u32 ti) { - return (0x80000000 | ti); + return (0x80000000 | (ti << 24) | (sai << 12) | ci); } static u32 -ikev2_mk_remote_sa_id (u32 ti) +ikev2_mk_remote_sa_id (u32 sai, u32 ci, u32 ti) { - return (0xc0000000 | ti); + return (0xc0000000 | (ti << 24) | (sai << 12) | ci); +} + +typedef struct +{ + u32 sw_if_index; + u32 salt_local; + u32 salt_remote; + u32 local_sa_id; + u32 remote_sa_id; + ipsec_sa_flags_t flags; + u32 local_spi; + u32 remote_spi; + ipsec_crypto_alg_t encr_type; + ipsec_integ_alg_t integ_type; + ip46_address_t local_ip; + ip46_address_t remote_ip; + ipsec_key_t loc_ckey, rem_ckey, loc_ikey, rem_ikey; +} ikev2_add_ipsec_tunnel_args_t; + +static void +ikev2_add_tunnel_from_main (ikev2_add_ipsec_tunnel_args_t * a) +{ + ikev2_main_t *km = &ikev2_main; + u32 sw_if_index; + int rv = 0; + + if (~0 == a->sw_if_index) + { + /* no tunnel associated with the SA/profile - create a new one */ + rv = ipip_add_tunnel (IPIP_TRANSPORT_IP4, ~0, + &a->local_ip, &a->remote_ip, 0, + TUNNEL_ENCAP_DECAP_FLAG_NONE, IP_DSCP_CS0, + TUNNEL_MODE_P2P, &sw_if_index); + + if (rv == VNET_API_ERROR_IF_ALREADY_EXISTS) + { + if (hash_get (km->sw_if_indices, sw_if_index)) + /* interface is managed by IKE; proceed with updating SAs */ + rv = 0; + } + hash_set1 (km->sw_if_indices, sw_if_index); + } + else + sw_if_index = a->sw_if_index; + + if (rv) + { + ikev2_elog_peers (IKEV2_LOG_ERROR, "installing ipip tunnel failed! 
" + "loc:%d.%d.%d.%d rem:%d.%d.%d.%d", + a->local_ip.ip4.as_u32, a->remote_ip.ip4.as_u32); + return; + } + + rv |= ipsec_sa_add_and_lock (a->local_sa_id, + a->local_spi, + IPSEC_PROTOCOL_ESP, a->encr_type, + &a->loc_ckey, a->integ_type, &a->loc_ikey, + a->flags, 0, a->salt_local, &a->local_ip, + &a->remote_ip, NULL); + rv |= ipsec_sa_add_and_lock (a->remote_sa_id, a->remote_spi, + IPSEC_PROTOCOL_ESP, a->encr_type, &a->rem_ckey, + a->integ_type, &a->rem_ikey, + (a->flags | IPSEC_SA_FLAG_IS_INBOUND), 0, + a->salt_remote, &a->remote_ip, + &a->local_ip, NULL); + + u32 *sas_in = NULL; + vec_add1 (sas_in, a->remote_sa_id); + rv |= ipsec_tun_protect_update (sw_if_index, a->local_sa_id, sas_in); } static int -ikev2_create_tunnel_interface (vnet_main_t * vnm, ikev2_sa_t * sa, - ikev2_child_sa_t * child) +ikev2_create_tunnel_interface (vnet_main_t * vnm, + u32 thread_index, + ikev2_sa_t * sa, + ikev2_child_sa_t * child, u32 sa_index, + u32 child_index) { ikev2_main_t *km = &ikev2_main; + ipsec_crypto_alg_t encr_type; + ipsec_integ_alg_t integ_type; ikev2_profile_t *p = 0; - ipsec_key_t loc_ckey, rem_ckey, loc_ikey, rem_ikey; ikev2_sa_transform_t *tr; ikev2_sa_proposal_t *proposals; - ipsec_sa_flags_t flags = 0; - ipsec_crypto_alg_t encr_type; - ipsec_integ_alg_t integ_type; - u32 local_spi, remote_spi; u8 is_aead = 0; - u32 salt_local = 0, salt_remote = 0; - ip46_address_t local_ip, remote_ip; - int rv; + ikev2_add_ipsec_tunnel_args_t a; + + clib_memset (&a, 0, sizeof (a)); if (!child->r_proposals) { 
@@ -1544,26 +1573,26 @@ ikev2_create_tunnel_interface (vnet_main_t * vnm, ikev2_sa_t * sa, if (sa->is_initiator) { - ip46_address_set_ip4 (&local_ip, &sa->iaddr); - ip46_address_set_ip4 (&remote_ip, &sa->raddr); + ip46_address_set_ip4 (&a.local_ip, &sa->iaddr); + ip46_address_set_ip4 (&a.remote_ip, &sa->raddr); proposals = child->i_proposals; - local_spi = child->r_proposals[0].spi; - remote_spi = child->i_proposals[0].spi; + a.local_spi = child->r_proposals[0].spi; + a.remote_spi = child->i_proposals[0].spi; } else { - ip46_address_set_ip4 (&local_ip, &sa->raddr); - ip46_address_set_ip4 (&remote_ip, &sa->iaddr); + ip46_address_set_ip4 (&a.local_ip, &sa->raddr); + ip46_address_set_ip4 (&a.remote_ip, &sa->iaddr); proposals = child->r_proposals; - local_spi = child->i_proposals[0].spi; - remote_spi = child->r_proposals[0].spi; + a.local_spi = child->i_proposals[0].spi; + a.remote_spi = child->r_proposals[0].spi; } - flags = IPSEC_SA_FLAG_USE_ANTI_REPLAY; + a.flags = IPSEC_SA_FLAG_USE_ANTI_REPLAY; tr = ikev2_sa_get_td_for_type (proposals, IKEV2_TRANSFORM_TYPE_ESN); if (tr && tr->esn_type) - flags |= IPSEC_SA_FLAG_USE_ESN; + a.flags |= IPSEC_SA_FLAG_USE_ESN; tr = ikev2_sa_get_td_for_type (proposals, IKEV2_TRANSFORM_TYPE_ENCR); if (tr) @@ -1619,6 +1648,7 @@ ikev2_create_tunnel_interface (vnet_main_t * vnm, ikev2_sa_t * sa, ikev2_set_state (sa, IKEV2_STATE_NO_PROPOSAL_CHOSEN); return 1; } + a.encr_type = encr_type; if (!is_aead) { 
@@ -1655,30 +1685,31 @@ ikev2_create_tunnel_interface (vnet_main_t * vnm, ikev2_sa_t * sa, integ_type = IPSEC_INTEG_ALG_NONE; } + a.integ_type = integ_type; ikev2_calc_child_keys (sa, child); if (sa->is_initiator) { - ipsec_mk_key (&loc_ikey, child->sk_ai, vec_len (child->sk_ai)); - ipsec_mk_key (&rem_ikey, child->sk_ar, vec_len (child->sk_ar)); - ipsec_mk_key (&loc_ckey, child->sk_ei, vec_len (child->sk_ei)); - ipsec_mk_key (&rem_ckey, child->sk_er, vec_len (child->sk_er)); + ipsec_mk_key (&a.loc_ikey, child->sk_ai, vec_len (child->sk_ai)); + ipsec_mk_key (&a.rem_ikey, child->sk_ar, vec_len (child->sk_ar)); + ipsec_mk_key (&a.loc_ckey, child->sk_ei, vec_len (child->sk_ei)); + ipsec_mk_key (&a.rem_ckey, child->sk_er, vec_len (child->sk_er)); if (is_aead) { - salt_remote = child->salt_er; - salt_local = child->salt_ei; + a.salt_remote = child->salt_er; + a.salt_local = child->salt_ei; } } else { - ipsec_mk_key (&loc_ikey, child->sk_ar, vec_len (child->sk_ar)); - ipsec_mk_key (&rem_ikey, child->sk_ai, vec_len (child->sk_ai)); - ipsec_mk_key (&loc_ckey, child->sk_er, vec_len (child->sk_er)); - ipsec_mk_key (&rem_ckey, child->sk_ei, vec_len (child->sk_ei)); + ipsec_mk_key (&a.loc_ikey, child->sk_ar, vec_len (child->sk_ar)); + ipsec_mk_key (&a.rem_ikey, child->sk_ai, vec_len (child->sk_ai)); + ipsec_mk_key (&a.loc_ckey, child->sk_er, vec_len (child->sk_er)); + ipsec_mk_key (&a.rem_ckey, child->sk_ei, vec_len (child->sk_ei)); if (is_aead) { - salt_remote = child->salt_ei; - salt_local = child->salt_er; + a.salt_remote = child->salt_ei; + a.salt_local = child->salt_er; } } 
@@ -1703,40 +1734,100 @@ ikev2_create_tunnel_interface (vnet_main_t * vnm, ikev2_sa_t * sa, } } - rv = ipip_add_tunnel (IPIP_TRANSPORT_IP4, ~0, - &local_ip, &remote_ip, 0, 0, &child->sw_if_index); + if (thread_index & 0xffffffc0) + ikev2_elog_error ("error: thread index exceeds max range 0x3f!"); - child->local_sa = ikev2_mk_local_sa_id (child->sw_if_index); - child->remote_sa = ikev2_mk_remote_sa_id (child->sw_if_index); + if (child_index & 0xfffff000 || sa_index & 0xfffff000) + ikev2_elog_error ("error: sa/child index exceeds max range 0xfff!"); - rv |= ipsec_sa_add_and_lock (child->local_sa, - local_spi, - IPSEC_PROTOCOL_ESP, encr_type, - &loc_ckey, integ_type, &loc_ikey, flags, - 0, salt_local, &local_ip, &remote_ip, NULL); - rv |= ipsec_sa_add_and_lock (child->remote_sa, - remote_spi, - IPSEC_PROTOCOL_ESP, encr_type, - &rem_ckey, integ_type, &rem_ikey, - (flags | IPSEC_SA_FLAG_IS_INBOUND), - 0, salt_remote, &remote_ip, &local_ip, NULL); - - u32 *sas_in = NULL; - vec_add1 (sas_in, child->remote_sa); - rv |= - ipsec_tun_protect_update (child->sw_if_index, child->local_sa, sas_in); + child->local_sa_id = + a.local_sa_id = + ikev2_mk_local_sa_id (sa_index, child_index, thread_index); + child->remote_sa_id = + a.remote_sa_id = + ikev2_mk_remote_sa_id (sa_index, child_index, thread_index); + a.sw_if_index = (sa->is_tun_itf_set ? 
sa->tun_itf : ~0); + vl_api_rpc_call_main_thread (ikev2_add_tunnel_from_main, + (u8 *) & a, sizeof (a)); return 0; } +typedef struct +{ + ip46_address_t local_ip; + ip46_address_t remote_ip; + u32 remote_sa_id; + u32 local_sa_id; + u32 sw_if_index; +} ikev2_del_ipsec_tunnel_args_t; + +static void +ikev2_del_tunnel_from_main (ikev2_del_ipsec_tunnel_args_t * a) +{ + ikev2_main_t *km = &ikev2_main; + ipip_tunnel_t *ipip = NULL; + u32 sw_if_index; + + if (~0 == a->sw_if_index) + { + /* *INDENT-OFF* */ + ipip_tunnel_key_t key = { + .src = a->local_ip, + .dst = a->remote_ip, + .transport = IPIP_TRANSPORT_IP4, + .fib_index = 0, + }; + /* *INDENT-ON* */ + + ipip = ipip_tunnel_db_find (&key); + + if (ipip) + { + sw_if_index = ipip->sw_if_index; + hash_unset (km->sw_if_indices, ipip->sw_if_index); + } + else + sw_if_index = ~0; + } + else + sw_if_index = a->sw_if_index; + + if (~0 != sw_if_index) + ipsec_tun_protect_del (sw_if_index); + + ipsec_sa_unlock_id (a->remote_sa_id); + ipsec_sa_unlock_id (a->local_sa_id); + + if (ipip) + ipip_del_tunnel (ipip->sw_if_index); +} + static int ikev2_delete_tunnel_interface (vnet_main_t * vnm, ikev2_sa_t * sa, ikev2_child_sa_t * child) { - ipsec_tun_protect_del (child->sw_if_index); - ipsec_sa_unlock_id (child->remote_sa); - ipsec_sa_unlock_id (child->local_sa); - ipip_del_tunnel (child->sw_if_index); + ikev2_del_ipsec_tunnel_args_t a; + + clib_memset (&a, 0, sizeof (a)); + + if (sa->is_initiator) + { + ip46_address_set_ip4 (&a.local_ip, &sa->iaddr); + ip46_address_set_ip4 (&a.remote_ip, &sa->raddr); + } + else + { + ip46_address_set_ip4 (&a.local_ip, &sa->raddr); + ip46_address_set_ip4 (&a.remote_ip, &sa->iaddr); + } + + a.remote_sa_id = child->remote_sa_id; + a.local_sa_id = child->local_sa_id; + a.sw_if_index = (sa->is_tun_itf_set ? sa->tun_itf : ~0); + + vl_api_rpc_call_main_thread (ikev2_del_tunnel_from_main, (u8 *) & a, + sizeof (a)); return 0; } 
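Review bot: The two range checks added to `ikev2_create_tunnel_interface` (`thread_index & 0xffffffc0` and `child_index & 0xfffff000 || sa_index & 0xfffff000`) only log and then fall through to `ikev2_mk_local_sa_id`/`ikev2_mk_remote_sa_id`, whose unmasked `(ti << 24) | (sai << 12) | ci` layout lets an out-of-range value spill into a neighbouring field or the type bits, producing an SA id that can collide with another child SA's IPsec SAs; add `return 1;` after each of the two `ikev2_elog_error` calls, matching the `return 1;` already used for the no-proposal case. Separately, `a` holds the freshly derived ESP keys (`loc_ckey`, `rem_ckey`, `loc_ikey`, `rem_ikey`) and is left on the worker stack after `vl_api_rpc_call_main_thread` has copied it; clearing it with `clib_memset (&a, 0, sizeof (a));` after the call is cheap, though a plain memset may be elided by the compiler, so check whether the tree has an explicit-wipe helper. How the RPC layer treats its copy of the message is not visible here and is worth confirming as well. The enclosing function starts outside this hunk.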
@@ -2065,17 +2156,21 @@ ikev2_retransmit_sa_init (ike_header_t * ike, ike->length = tmp->length; clib_memcpy_fast(ike->payload, tmp->payload, clib_net_to_host_u32(tmp->length) - sizeof(*ike)); - clib_warning("IKE_SA_INIT retransmit from %U to %U", - format_ip4_address, &raddr, - format_ip4_address, &iaddr); + ikev2_elog_uint_peers (IKEV2_LOG_DEBUG, + "ispi %lx IKE_SA_INIT retransmit " + "from %d.%d.%d.%d to %d.%d.%d.%d", + ike->ispi, + raddr.as_u32, iaddr.as_u32); return 1; } /* else ignore req */ else { - clib_warning("IKE_SA_INIT ignore from %U to %U", - format_ip4_address, &raddr, - format_ip4_address, &iaddr); + ikev2_elog_uint_peers (IKEV2_LOG_DEBUG, + "ispi %lx IKE_SA_INIT ignore " + "from %d.%d.%d.%d to %d.%d.%d.%d", + ike->ispi, + raddr.as_u32, iaddr.as_u32); return -1; } } @@ -2117,21 +2212,17 @@ ikev2_retransmit_resp (ikev2_sa_t * sa, ike_header_t * ike) ike->length = tmp->length; clib_memcpy_fast (ike->payload, tmp->payload, clib_net_to_host_u32 (tmp->length) - sizeof (*ike)); - clib_warning ("IKE msgid %u retransmit from %U to %U", - msg_id, - format_ip4_address, &sa->raddr, - format_ip4_address, &sa->iaddr); + ikev2_elog_uint_peers (IKEV2_LOG_DEBUG, "IKE retransmit msgid %d", + msg_id, sa->raddr.as_u32, sa->iaddr.as_u32); return 1; } /* old req ignore */ else { - clib_warning ("IKE msgid %u req ignore from %U to %U", - msg_id, - format_ip4_address, &sa->raddr, - format_ip4_address, &sa->iaddr); - return -1; + ikev2_elog_uint_peers (IKEV2_LOG_DEBUG, "IKE req ignore msgid %d", + msg_id, sa->raddr.as_u32, sa->iaddr.as_u32); } + return -1; } @@ -2325,8 +2416,10 @@ ikev2_node_fn (vlib_main_t * vm, ikev2_initial_contact_cleanup (sa0); ikev2_sa_match_ts (sa0); if (sa0->state != IKEV2_STATE_TS_UNACCEPTABLE) - ikev2_create_tunnel_interface (km->vnet_main, sa0, - &sa0->childs[0]); + ikev2_create_tunnel_interface (km->vnet_main, + thread_index, sa0, + &sa0->childs[0], + p[0], 0); } if (sa0->is_initiator) 
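Review bot: The two `ikev2_elog_uint_peers` calls in `ikev2_retransmit_sa_init` pass `ike->ispi` straight from the header, still in network byte order, while every other hunk converts the SPI with `clib_net_to_host_u64` before logging it; the retransmit/ignore records will therefore show a byte-swapped ISPI that does not match the `IKE_INIT request received` record for the same exchange, defeating correlation. Pass `clib_net_to_host_u64 (ike->ispi)` in both calls. The enclosing function starts outside the hunk.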
@@ -2446,14 +2539,18 @@ ikev2_node_fn (vlib_main_t * vm, { if (sa0->rekey[0].protocol_id != IKEV2_PROTOCOL_IKE) { + if (sa0->childs) + vec_free (sa0->childs); ikev2_child_sa_t *child; vec_add2 (sa0->childs, child, 1); child->r_proposals = sa0->rekey[0].r_proposal; child->i_proposals = sa0->rekey[0].i_proposal; child->tsi = sa0->rekey[0].tsi; child->tsr = sa0->rekey[0].tsr; - ikev2_create_tunnel_interface (km->vnet_main, sa0, - child); + ikev2_create_tunnel_interface (km->vnet_main, + thread_index, sa0, + child, p[0], + child - sa0->childs); } if (sa0->is_initiator) { @@ -2468,10 +2565,11 @@ ikev2_node_fn (vlib_main_t * vm, } else { - clib_warning ("IKEv2 exchange %u packet received from %U to %U", - ike0->exchange, - format_ip4_address, ip40->src_address.as_u8, - format_ip4_address, ip40->dst_address.as_u8); + ikev2_elog_uint_peers (IKEV2_LOG_WARNING, "IKEv2 exchange %d " + "received from %d.%d.%d.%d to %d.%d.%d.%d", + ike0->exchange, + ip40->src_address.as_u32, + ip40->dst_address.as_u32); } dispatch0: @@ -2602,7 +2700,7 @@ ikev2_set_initiator_proposals (vlib_main_t * vm, ikev2_sa_t * sa, } if (error) { - clib_warning + ikev2_elog_error ("Didn't find any supported algorithm for IKEV2_TRANSFORM_TYPE_INTEG"); r = clib_error_return (0, "Unsupported algorithm"); return r; @@ -2971,6 +3069,26 @@ ikev2_set_profile_esp_transforms (vlib_main_t * vm, u8 * name, return 0; } +clib_error_t * +ikev2_set_profile_tunnel_interface (vlib_main_t * vm, + u8 * name, u32 sw_if_index) +{ + ikev2_profile_t *p; + clib_error_t *r; + + p = ikev2_profile_index_by_name (name); + + if (!p) + { + r = clib_error_return (0, "unknown profile %v", name); + return r; + } + + p->tun_itf = sw_if_index; + + return 0; +} + clib_error_t * ikev2_set_profile_sa_lifetime (vlib_main_t * vm, u8 * name, u64 lifetime, u32 jitter, u32 handover, 
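Review bot: `vec_free (sa0->childs)` inserted before `vec_add2` in the CREATE_CHILD_SA rekey path discards every existing child record together with its `r_proposals`, `i_proposals`, `tsi` and `tsr` vectors and the `local_sa_id`/`remote_sa_id` that `ikev2_delete_tunnel_interface` needs to unlock the IPsec SAs; unless the rekey flow releases those elsewhere (not visible in this hunk), the vectors leak and the previous child's IPsec SAs stay locked. Consider tearing down each existing entry (`ikev2_delete_tunnel_interface` plus the per-child vector frees) before the `vec_free`. The `if (sa0->childs)` guard is redundant since `vec_free` already accepts a null vector. `ikev2_node_fn` starts and ends outside this hunk.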
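Review bot: `ikev2_set_profile_tunnel_interface` stores the caller-supplied `sw_if_index` in `p->tun_itf` without checking that such an interface exists, and that value later becomes `a.sw_if_index`, on which `ikev2_add_tunnel_from_main` calls `ipsec_tun_protect_update` and `ikev2_del_tunnel_from_main` calls `ipsec_tun_protect_del` unconditionally. Unless the CLI/API wrappers that call this function validate the index, a bad interface is discovered only on the main thread at tunnel-install time, after the IKE exchange has already completed. Reject an unknown interface here with a `clib_error_return` like the one used for the unknown-profile case.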
@@ -3054,6 +3172,8 @@ ikev2_initiate_sa_init (vlib_main_t * vm, u8 * name) sa.profile_index = km->profiles - p; sa.is_profile_index_set = 1; sa.state = IKEV2_STATE_SA_INIT; + sa.tun_itf = p->tun_itf; + sa.is_tun_itf_set = 1; ikev2_generate_sa_init_data (&sa); ikev2_payload_add_ke (chain, sa.dh_group, sa.i_dh_data); ikev2_payload_add_nonce (chain, sa.i_nonce); @@ -3141,6 +3261,9 @@ ikev2_initiate_sa_init (vlib_main_t * vm, u8 * name) ikev2_send_ike (vm, if_ip, &p->responder.ip4, bi0, len); + ikev2_elog_exchange ("ispi %lx rspi %lx IKEV2_EXCHANGE_SA_INIT sent to " + "%d.%d.%d.%d", clib_host_to_net_u64 (sa0->ispi), 0, + p->responder.ip4.as_u32); } return 0; @@ -3389,6 +3512,7 @@ ikev2_init (vlib_main_t * vm) } km->sa_by_ispi = hash_create (0, sizeof (uword)); + km->sw_if_indices = hash_create (0, 0); udp_register_dst_port (vm, 500, ikev2_node.index, 1); @@ -3432,8 +3556,8 @@ ikev2_mngr_process_child_sa (ikev2_sa_t * sa, ikev2_child_sa_t * csa) else if (csa->rekey_retries > 0) { csa->rekey_retries--; - clib_warning ("Rekeying Child SA 0x%x, retries left %d", - csa->i_proposals->spi, csa->rekey_retries); + ikev2_log_debug ("Rekeying Child SA 0x%x, retries left %d", + csa->i_proposals->spi, csa->rekey_retries); if (csa->rekey_retries == 0) { csa->rekey_retries = -1; @@ -3452,6 +3576,21 @@ ikev2_mngr_process_child_sa (ikev2_sa_t * sa, ikev2_child_sa_t * csa) return res; } +int +ikev2_set_log_level (ikev2_log_level_t log_level) +{ + ikev2_main_t *km = &ikev2_main; + + if (log_level >= IKEV2_LOG_MAX) + { + ikev2_log_error ("unknown logging level %d", log_level); + return -1; + } + + km->log_level = log_level; + return 0; +} + static void ikev2_mngr_process_ipsec_sa (ipsec_sa_t * ipsec_sa) {
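Review bot: `ikev2_initiate_sa_init` sets `sa.is_tun_itf_set = 1` unconditionally, so `a.sw_if_index` later becomes `p->tun_itf` even for profiles on which no tunnel interface was ever configured; that is only correct if the profile allocator initialises `tun_itf` to `~0` (the value `ikev2_add_tunnel_from_main` treats as "create a tunnel"), which this diff does not show, and a zero-initialised profile would attach the IPsec SAs to sw_if_index 0. Either initialise `tun_itf = ~0` where profiles are created or use `sa.is_tun_itf_set = (p->tun_itf != ~0);` here. `ikev2_set_log_level` in the last hunk also accepts any negative value if `ikev2_log_level_t` is a signed enum; a `log_level < 0 ||` guard would close that.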