X-Git-Url: https://gerrit.fd.io/r/gitweb?a=blobdiff_plain;f=src%2Fvnet%2Fipsec%2Fipsec_api.c;h=767cd2fb0764f22c514ddabb6309ea9938d2b344;hb=47feb1146ec3b0e1cf2ebd83cd5211e1df261194;hp=06f954622c70f1accdf5c6190a6a17f91c8e36a7;hpb=a09c1ff5b6ae535932b4fc9477ffc4e39748ca62;p=vpp.git
diff --git a/src/vnet/ipsec/ipsec_api.c b/src/vnet/ipsec/ipsec_api.c
index 06f954622c7..767cd2fb076 100644
--- a/src/vnet/ipsec/ipsec_api.c
+++ b/src/vnet/ipsec/ipsec_api.c
@@ -30,7 +30,6 @@
 #if WITH_LIBSSL > 0
 #include
-#include
 #endif /* IPSEC */
 #define vl_typedefs /* define message structures */
@@ -62,19 +61,6 @@ _(IPSEC_SPD_INTERFACE_DUMP, ipsec_spd_interface_dump) \
 _(IPSEC_TUNNEL_IF_ADD_DEL, ipsec_tunnel_if_add_del) \
 _(IPSEC_TUNNEL_IF_SET_KEY, ipsec_tunnel_if_set_key) \
 _(IPSEC_TUNNEL_IF_SET_SA, ipsec_tunnel_if_set_sa) \
-_(IKEV2_PROFILE_ADD_DEL, ikev2_profile_add_del) \
-_(IKEV2_PROFILE_SET_AUTH, ikev2_profile_set_auth) \
-_(IKEV2_PROFILE_SET_ID, ikev2_profile_set_id) \
-_(IKEV2_PROFILE_SET_TS, ikev2_profile_set_ts) \
-_(IKEV2_SET_LOCAL_KEY, ikev2_set_local_key) \
-_(IKEV2_SET_RESPONDER, ikev2_set_responder) \
-_(IKEV2_SET_IKE_TRANSFORMS, ikev2_set_ike_transforms) \
-_(IKEV2_SET_ESP_TRANSFORMS, ikev2_set_esp_transforms) \
-_(IKEV2_SET_SA_LIFETIME, ikev2_set_sa_lifetime) \
-_(IKEV2_INITIATE_SA_INIT, ikev2_initiate_sa_init) \
-_(IKEV2_INITIATE_DEL_IKE_SA, ikev2_initiate_del_ike_sa) \
-_(IKEV2_INITIATE_DEL_CHILD_SA, ikev2_initiate_del_child_sa) \
-_(IKEV2_INITIATE_REKEY_CHILD_SA, ikev2_initiate_rekey_child_sa) \
 _(IPSEC_SELECT_BACKEND, ipsec_select_backend) \
 _(IPSEC_BACKEND_DUMP, ipsec_backend_dump)
@@ -146,6 +132,8 @@ static void vl_api_ipsec_spd_entry_add_del_t_handler
 u32 stat_index;
 int rv;
+ stat_index = ~0;
+
 #if WITH_LIBSSL > 0
 ipsec_policy_t p;
@@ -153,7 +141,6 @@ static void vl_api_ipsec_spd_entry_add_del_t_handler
 p.id = ntohl (mp->entry.spd_id);
 p.priority = ntohl (mp->entry.priority);
- p.is_outbound = mp->entry.is_outbound;
 itype = ip_address_decode (&mp->entry.remote_address_start, &p.raddr.start);
 ip_address_decode (&mp->entry.remote_address_stop, &p.raddr.stop);
@@ -163,10 +150,11 @@ static void vl_api_ipsec_spd_entry_add_del_t_handler
 p.is_ipv6 = (itype == IP46_TYPE_IP6);
 p.protocol = mp->entry.protocol;
- p.rport.start = ntohs (mp->entry.remote_port_start);
- p.rport.stop = ntohs (mp->entry.remote_port_stop);
- p.lport.start = ntohs (mp->entry.local_port_start);
- p.lport.stop = ntohs (mp->entry.local_port_stop);
+ /* leave the ports in network order */
+ p.rport.start = mp->entry.remote_port_start;
+ p.rport.stop = mp->entry.remote_port_stop;
+ p.lport.start = mp->entry.local_port_start;
+ p.lport.stop = mp->entry.local_port_stop;
 rv = ipsec_spd_action_decode (mp->entry.policy, &p.policy);
@@ -181,6 +169,11 @@ static void vl_api_ipsec_spd_entry_add_del_t_handler
 goto out;
 }
 p.sa_id = ntohl (mp->entry.sa_id);
+ rv =
+ ipsec_policy_mk_type (mp->entry.is_outbound, p.is_ipv6, p.policy,
+ &p.type);
+ if (rv)
+ goto out;
 rv = ipsec_add_del_policy (vm, &p, mp->is_add, &stat_index);
 if (rv)
@@ -214,6 +207,19 @@ ipsec_proto_decode (vl_api_ipsec_proto_t in, ipsec_protocol_t * out)
 *out = IPSEC_PROTOCOL_AH;
 return (0);
 }
+ return (VNET_API_ERROR_INVALID_PROTOCOL);
+}
+
+static vl_api_ipsec_proto_t
+ipsec_proto_encode (ipsec_protocol_t p)
+{
+ switch (p)
+ {
+ case IPSEC_PROTOCOL_ESP:
+ return clib_host_to_net_u32 (IPSEC_API_PROTO_ESP);
+ case IPSEC_PROTOCOL_AH:
+ return clib_host_to_net_u32 (IPSEC_API_PROTO_AH);
+ }
 return (VNET_API_ERROR_UNIMPLEMENTED);
 }
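Review bot: Storing `p.rport.start`/`p.rport.stop` and `p.lport.*` in network byte order is only correct if every SPD matcher compares them as raw values against unconverted packet ports; any matcher that treats start/stop as an integer range breaks on little-endian hosts, because the host-order range 1..1000 becomes 256..59395 while port 500 becomes 62465 and falls outside it, so only single-port and 0..65535 policies would keep matching. The input/output match code is not in this diff, so please confirm it was changed in the same commit to compare raw wire ports, or keep the `ntohs` conversions here and the `htons` on the dump side. Whichever order is kept, the comment should state the invariant rather than the mechanics, e.g. `/* ports are stored in network byte order; every matcher must compare them against raw wire ports */`.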
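Review bot: `ipsec_proto_encode` reaches `return (VNET_API_ERROR_UNIMPLEMENTED)` for any `p` other than ESP/AH, so a negative error code is converted to `vl_api_ipsec_proto_t` and written into the SA dump message as the protocol field, unswapped and with no diagnostic. The algorithm encoders added in this same change put `ASSERT (0);` in front of that fallback; do the same here for consistency, `ASSERT (0); return (VNET_API_ERROR_UNIMPLEMENTED);`. A one-line header comment noting that the encoders return a value already in network byte order would also help, since callers store the result directly into the message.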
@@ -231,9 +237,26 @@ ipsec_crypto_algo_decode (vl_api_ipsec_crypto_alg_t in,
 foreach_ipsec_crypto_alg
 #undef _
 }
+ return (VNET_API_ERROR_INVALID_ALGORITHM);
+}
+
+static vl_api_ipsec_crypto_alg_t
+ipsec_crypto_algo_encode (ipsec_crypto_alg_t c)
+{
+ switch (c)
+ {
+#define _(v,f,s) case IPSEC_CRYPTO_ALG_##f: \
+ return clib_host_to_net_u32(IPSEC_API_CRYPTO_ALG_##f);
+ foreach_ipsec_crypto_alg
+#undef _
+ case IPSEC_CRYPTO_N_ALG:
+ break;
+ }
+ ASSERT (0);
 return (VNET_API_ERROR_UNIMPLEMENTED);
 }
+
 static int
 ipsec_integ_algo_decode (vl_api_ipsec_integ_alg_t in, ipsec_integ_alg_t * out)
 {
@@ -247,93 +270,141 @@ ipsec_integ_algo_decode (vl_api_ipsec_integ_alg_t in, ipsec_integ_alg_t * out)
 foreach_ipsec_integ_alg
 #undef _
 }
+ return (VNET_API_ERROR_INVALID_ALGORITHM);
+}
+
+static vl_api_ipsec_integ_alg_t
+ipsec_integ_algo_encode (ipsec_integ_alg_t i)
+{
+ switch (i)
+ {
+#define _(v,f,s) case IPSEC_INTEG_ALG_##f: \
+ return (clib_host_to_net_u32(IPSEC_API_INTEG_ALG_##f));
+ foreach_ipsec_integ_alg
+#undef _
+ case IPSEC_INTEG_N_ALG:
+ break;
+ }
+ ASSERT (0);
 return (VNET_API_ERROR_UNIMPLEMENTED);
 }
 static void
-vl_api_ipsec_key_decode (const vl_api_key_t * key, u8 * len, u8 out[128])
+ipsec_key_decode (const vl_api_key_t * key, ipsec_key_t * out)
 {
- *len = key->length;
- clib_memcpy (out, key->data, key->length);
+ ipsec_mk_key (out, key->data, key->length);
 }
 static void
-vl_api_ipsec_sad_flags_decode (vl_api_ipsec_sad_flags_t in, ipsec_sa_t * sa)
+ipsec_key_encode (const ipsec_key_t * in, vl_api_key_t * out)
+{
+ out->length = in->len;
+ clib_memcpy (out->data, in->data, out->length);
+}
+
+static ipsec_sa_flags_t
+ipsec_sa_flags_decode (vl_api_ipsec_sad_flags_t in)
 {
+ ipsec_sa_flags_t flags = IPSEC_SA_FLAG_NONE;
 in = clib_net_to_host_u32 (in);
- if (in & IPSEC_API_SAD_FLAG_USE_EXTENDED_SEQ_NUM)
- sa->use_esn = 1;
+ if (in & IPSEC_API_SAD_FLAG_USE_ESN)
+ flags |= IPSEC_SA_FLAG_USE_ESN;
 if (in & IPSEC_API_SAD_FLAG_USE_ANTI_REPLAY)
- sa->use_anti_replay = 1;
+ flags |= IPSEC_SA_FLAG_USE_ANTI_REPLAY;
 if (in & IPSEC_API_SAD_FLAG_IS_TUNNEL)
- sa->is_tunnel = 1;
+ flags |= IPSEC_SA_FLAG_IS_TUNNEL;
 if (in & IPSEC_API_SAD_FLAG_IS_TUNNEL_V6)
- sa->is_tunnel_ip6 = 1;
+ flags |= IPSEC_SA_FLAG_IS_TUNNEL_V6;
 if (in & IPSEC_API_SAD_FLAG_UDP_ENCAP)
- sa->udp_encap = 1;
+ flags |= IPSEC_SA_FLAG_UDP_ENCAP;
+
+ return (flags);
 }
+static vl_api_ipsec_sad_flags_t
+ipsec_sad_flags_encode (const ipsec_sa_t * sa)
+{
+ vl_api_ipsec_sad_flags_t flags = IPSEC_API_SAD_FLAG_NONE;
+
+ if (ipsec_sa_is_set_USE_ESN (sa))
+ flags |= IPSEC_API_SAD_FLAG_USE_ESN;
+ if (ipsec_sa_is_set_USE_ANTI_REPLAY (sa))
+ flags |= IPSEC_API_SAD_FLAG_USE_ANTI_REPLAY;
+ if (ipsec_sa_is_set_IS_TUNNEL (sa))
+ flags |= IPSEC_API_SAD_FLAG_IS_TUNNEL;
+ if (ipsec_sa_is_set_IS_TUNNEL_V6 (sa))
+ flags |= IPSEC_API_SAD_FLAG_IS_TUNNEL_V6;
+ if (ipsec_sa_is_set_UDP_ENCAP (sa))
+ flags |= IPSEC_API_SAD_FLAG_UDP_ENCAP;
+
+ return clib_host_to_net_u32 (flags);
+}
 static void
 vl_api_ipsec_sad_entry_add_del_t_handler (vl_api_ipsec_sad_entry_add_del_t * mp)
 {
 vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
 vl_api_ipsec_sad_entry_add_del_reply_t *rmp;
+ ip46_address_t tun_src = { }, tun_dst =
+ {
+ };
+ ipsec_key_t crypto_key, integ_key;
+ ipsec_crypto_alg_t crypto_alg;
+ ipsec_integ_alg_t integ_alg;
+ ipsec_protocol_t proto;
+ ipsec_sa_flags_t flags;
+ u32 id, spi, sa_index = ~0;
 int rv;
-#if WITH_LIBSSL > 0
- ipsec_main_t *im = &ipsec_main;
- ipsec_sa_t sa;
- clib_memset (&sa, 0, sizeof (sa));
+#if WITH_LIBSSL > 0
- sa.id = ntohl (mp->entry.sad_id);
- sa.spi = ntohl (mp->entry.spi);
+ id = ntohl (mp->entry.sad_id);
+ spi = ntohl (mp->entry.spi);
- rv = ipsec_proto_decode (mp->entry.protocol, &sa.protocol);
+ rv = ipsec_proto_decode (mp->entry.protocol, &proto);
 if (rv)
 goto out;
- rv = ipsec_crypto_algo_decode (mp->entry.crypto_algorithm, &sa.crypto_alg);
+ rv = ipsec_crypto_algo_decode (mp->entry.crypto_algorithm, &crypto_alg);
 if (rv)
 goto out;
- rv = ipsec_integ_algo_decode (mp->entry.integrity_algorithm, &sa.integ_alg);
+ rv = ipsec_integ_algo_decode (mp->entry.integrity_algorithm, &integ_alg);
 if (rv)
 goto out;
- vl_api_ipsec_key_decode (&mp->entry.crypto_key,
- &sa.crypto_key_len, sa.crypto_key);
- vl_api_ipsec_key_decode (&mp->entry.integrity_key,
- &sa.integ_key_len, sa.integ_key);
+ ipsec_key_decode (&mp->entry.crypto_key, &crypto_key);
+ ipsec_key_decode (&mp->entry.integrity_key, &integ_key);
- vl_api_ipsec_sad_flags_decode (mp->entry.flags, &sa);
+ flags = ipsec_sa_flags_decode (mp->entry.flags);
- if (sa.is_tunnel_ip6 || sa.is_tunnel)
- {
- ip_address_decode (&mp->entry.tunnel_src, &sa.tunnel_src_addr);
- ip_address_decode (&mp->entry.tunnel_dst, &sa.tunnel_dst_addr);
- }
+ ip_address_decode (&mp->entry.tunnel_src, &tun_src);
+ ip_address_decode (&mp->entry.tunnel_dst, &tun_dst);
- clib_error_t *err = ipsec_check_support_cb (im, &sa);
- if (err)
- {
- clib_warning ("%s", err->what);
- rv = VNET_API_ERROR_UNIMPLEMENTED;
- goto out;
- }
- rv = ipsec_add_del_sa (vm, &sa, mp->is_add);
+ if (mp->is_add)
+ rv = ipsec_sa_add (id, spi, proto,
+ crypto_alg, &crypto_key,
+ integ_alg, &integ_key, flags,
+ 0, 0, &tun_src, &tun_dst, &sa_index);
+ else
+ rv = ipsec_sa_del (id);
+
 #else
 rv = VNET_API_ERROR_UNIMPLEMENTED;
- goto out;
 #endif
 out:
- REPLY_MACRO (VL_API_IPSEC_SAD_ENTRY_ADD_DEL_REPLY);
+ /* *INDENT-OFF* */
+ REPLY_MACRO2 (VL_API_IPSEC_SAD_ENTRY_ADD_DEL_REPLY,
+ {
+ rmp->stat_index = htonl (sa_index);
+ });
+ /* *INDENT-ON* */
 }
 static void
@@ -407,7 +478,8 @@ send_ipsec_spd_details (ipsec_policy_t * p, vl_api_registration_t * reg,
 mp->entry.spd_id = htonl (p->id);
 mp->entry.priority = htonl (p->priority);
- mp->entry.is_outbound = p->is_outbound;
+ mp->entry.is_outbound = ((p->type == IPSEC_SPD_POLICY_IP6_OUTBOUND) ||
+ (p->type == IPSEC_SPD_POLICY_IP4_OUTBOUND));
 ip_address_encode (&p->laddr.start, IP46_TYPE_ANY,
 &mp->entry.local_address_start);
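Review bot: `ipsec_key_decode` passes `key->length` from the API message straight to `ipsec_mk_key` without checking it against the size of `key->data`, so unless `ipsec_mk_key` itself clamps the length (not visible here) a client that sends `length > sizeof (key->data)` makes the copy over-read the message and overflow the destination `ipsec_key_t`; the removed `clib_memcpy (out, key->data, key->length)` into `u8 out[128]` had the same hole, and this refactor is the moment to close it. Suggest making the helper return an error the handler propagates through its existing `goto out`, and bounding `in->len` in `ipsec_key_encode` the same way on the dump side if `ipsec_mk_key` does not already guarantee it. Separately, the handler no longer calls `ipsec_check_support_cb` before installing the SA; if that check did not move into `ipsec_sa_add`, an algorithm the selected backend cannot handle is now accepted silently. `sizeof (key->data)` below assumes `vl_api_key_t.data` is a fixed array, which this hunk does not show; confirm against the .api definition.
```c
static int
ipsec_key_decode (const vl_api_key_t * key, ipsec_key_t * out)
{
  /* length is client-supplied: bound it before it drives a copy */
  if (key->length > sizeof (key->data))
    return (VNET_API_ERROR_INVALID_VALUE);
  ipsec_mk_key (out, key->data, key->length);
  return (0);
}

/* … unchanged: ipsec_key_encode, ipsec_sa_flags_decode, ipsec_sad_flags_encode … */

  /* in vl_api_ipsec_sad_entry_add_del_t_handler, replacing the two void calls */
  rv = ipsec_key_decode (&mp->entry.crypto_key, &crypto_key);
  if (rv)
    goto out;
  rv = ipsec_key_decode (&mp->entry.integrity_key, &integ_key);
  if (rv)
    goto out;
```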
@@ -417,10 +489,10 @@ send_ipsec_spd_details (ipsec_policy_t * p, vl_api_registration_t * reg,
 &mp->entry.remote_address_start);
 ip_address_encode (&p->raddr.stop, IP46_TYPE_ANY,
 &mp->entry.remote_address_stop);
- mp->entry.local_port_start = htons (p->lport.start);
- mp->entry.local_port_stop = htons (p->lport.stop);
- mp->entry.remote_port_start = htons (p->rport.start);
- mp->entry.remote_port_stop = htons (p->rport.stop);
+ mp->entry.local_port_start = p->lport.start;
+ mp->entry.local_port_stop = p->lport.stop;
+ mp->entry.remote_port_start = p->rport.start;
+ mp->entry.remote_port_stop = p->rport.stop;
 mp->entry.protocol = p->protocol;
 mp->entry.policy = ipsec_spd_action_encode (p->policy);
 mp->entry.sa_id = htonl (p->sa_id);
@@ -433,7 +505,7 @@ vl_api_ipsec_spd_dump_t_handler (vl_api_ipsec_spd_dump_t * mp)
 {
 vl_api_registration_t *reg;
 ipsec_main_t *im = &ipsec_main;
- ipsec_spd_policy_t ptype;
+ ipsec_spd_policy_type_t ptype;
 ipsec_policy_t *policy;
 ipsec_spd_t *spd;
 uword *p;
@@ -525,17 +597,17 @@ vl_api_ipsec_sa_set_key_t_handler (vl_api_ipsec_sa_set_key_t * mp)
 {
 vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
 vl_api_ipsec_sa_set_key_reply_t *rmp;
+ ipsec_key_t ck, ik;
+ u32 id;
 int rv;
 #if WITH_LIBSSL > 0
- ipsec_sa_t sa;
- sa.id = ntohl (mp->sa_id);
- vl_api_ipsec_key_decode (&mp->crypto_key,
- &sa.crypto_key_len, sa.crypto_key);
- vl_api_ipsec_key_decode (&mp->integrity_key,
- &sa.integ_key_len, sa.integ_key);
+ id = ntohl (mp->sa_id);
+
+ ipsec_key_decode (&mp->crypto_key, &ck);
+ ipsec_key_decode (&mp->integrity_key, &ik);
- rv = ipsec_set_sa_key (vm, &sa);
+ rv = ipsec_set_sa_key (id, &ck, &ik);
 #else
 rv = VNET_API_ERROR_UNIMPLEMENTED;
 #endif
@@ -551,6 +623,7 @@ vl_api_ipsec_tunnel_if_add_del_t_handler (vl_api_ipsec_tunnel_if_add_del_t *
 ipsec_main_t *im = &ipsec_main;
 vnet_main_t *vnm = im->vnet_main;
 u32 sw_if_index = ~0;
+ ip46_type_t itype;
 int rv;
 #if WITH_LIBSSL > 0
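Review bot: `ipsec_key_decode (&mp->crypto_key, &ck)` and the `integrity_key` call below it hand the client-supplied `length` byte straight to `ipsec_mk_key` and cannot report a bad one, because the helper returns void; unless `ipsec_mk_key` clamps the length to the size of `data` (not visible here), an oversized length over-reads the message and overflows `ck`/`ik` on the stack of this handler. The lengths should be rejected before anything is copied: compare `mp->crypto_key.length` and `mp->integrity_key.length` against `sizeof (mp->crypto_key.data)` and set `rv = VNET_API_ERROR_INVALID_VALUE` instead of calling `ipsec_set_sa_key`, assuming `vl_api_key_t.data` is a fixed array. The handler's reply path is outside this hunk.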
@@ -571,8 +644,9 @@ vl_api_ipsec_tunnel_if_add_del_t_handler (vl_api_ipsec_tunnel_if_add_del_t *
 tun.remote_integ_key_len = mp->remote_integ_key_len;
 tun.udp_encap = mp->udp_encap;
 tun.tx_table_id = ntohl (mp->tx_table_id);
- memcpy (&tun.local_ip, mp->local_ip, 4);
- memcpy (&tun.remote_ip, mp->remote_ip, 4);
+ itype = ip_address_decode (&mp->local_ip, &tun.local_ip);
+ itype = ip_address_decode (&mp->remote_ip, &tun.remote_ip);
+ tun.is_ip6 = (IP46_TYPE_IP6 == itype);
 memcpy (&tun.local_crypto_key, &mp->local_crypto_key,
 mp->local_crypto_key_len);
 memcpy (&tun.remote_crypto_key, &mp->remote_crypto_key,
@@ -590,11 +664,12 @@ vl_api_ipsec_tunnel_if_add_del_t_handler (vl_api_ipsec_tunnel_if_add_del_t *
 rv = VNET_API_ERROR_UNIMPLEMENTED;
 #endif
- REPLY_MACRO2 (VL_API_IPSEC_TUNNEL_IF_ADD_DEL_REPLY, (
- {
- rmp->sw_if_index =
- htonl (sw_if_index);
- }));
+ /* *INDENT-OFF* */
+ REPLY_MACRO2 (VL_API_IPSEC_TUNNEL_IF_ADD_DEL_REPLY,
+ ({
+ rmp->sw_if_index = htonl (sw_if_index);
+ }));
+ /* *INDENT-ON* */
 }
 static void
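Review bot: `itype` is assigned twice and only the second assignment survives, so `tun.is_ip6` is derived from `mp->remote_ip` alone and a request whose local and remote addresses are of different families is accepted and configured as whatever family the remote side happens to be. Compare the two decodes and reject disagreement before the tunnel is created, e.g. `if (itype != ip_address_decode (&mp->remote_ip, &tun.remote_ip)) { rv = VNET_API_ERROR_INVALID_VALUE; goto the handler's reply path; }` with a comment `/* local and remote must be the same address family */`; the handler's exit path is outside this hunk, so use whatever label or flow it provides. Note also, in the context lines just below, that the `memcpy` of `local_crypto_key` still uses the client-supplied `mp->local_crypto_key_len` unchecked; that is pre-existing, but worth a bound while this handler is being touched.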
@@ -608,55 +683,39 @@ send_ipsec_sa_details (ipsec_sa_t * sa, vl_api_registration_t * reg,
 mp->_vl_msg_id = ntohs (VL_API_IPSEC_SA_DETAILS);
 mp->context = context;
- mp->sa_id = htonl (sa->id);
- mp->sw_if_index = htonl (sw_if_index);
-
- mp->spi = htonl (sa->spi);
- mp->protocol = sa->protocol;
-
- mp->crypto_alg = sa->crypto_alg;
- mp->crypto_key_len = sa->crypto_key_len;
- memcpy (mp->crypto_key, sa->crypto_key, sa->crypto_key_len);
+ mp->entry.sad_id = htonl (sa->id);
+ mp->entry.spi = htonl (sa->spi);
+ mp->entry.protocol = ipsec_proto_encode (sa->protocol);
+ mp->entry.tx_table_id =
+ htonl (fib_table_get_table_id (sa->tx_fib_index, FIB_PROTOCOL_IP4));
- mp->integ_alg = sa->integ_alg;
- mp->integ_key_len = sa->integ_key_len;
- memcpy (mp->integ_key, sa->integ_key, sa->integ_key_len);
+ mp->entry.crypto_algorithm = ipsec_crypto_algo_encode (sa->crypto_alg);
+ ipsec_key_encode (&sa->crypto_key, &mp->entry.crypto_key);
- mp->use_esn = sa->use_esn;
- mp->use_anti_replay = sa->use_anti_replay;
+ mp->entry.integrity_algorithm = ipsec_integ_algo_encode (sa->integ_alg);
+ ipsec_key_encode (&sa->integ_key, &mp->entry.integrity_key);
- mp->is_tunnel = sa->is_tunnel;
- mp->is_tunnel_ip6 = sa->is_tunnel_ip6;
+ mp->entry.flags = ipsec_sad_flags_encode (sa);
- if (sa->is_tunnel)
+ if (ipsec_sa_is_set_IS_TUNNEL (sa))
 {
- if (sa->is_tunnel_ip6)
- {
- memcpy (mp->tunnel_src_addr, &sa->tunnel_src_addr.ip6, 16);
- memcpy (mp->tunnel_dst_addr, &sa->tunnel_dst_addr.ip6, 16);
- }
- else
- {
- memcpy (mp->tunnel_src_addr, &sa->tunnel_src_addr.ip4, 4);
- memcpy (mp->tunnel_dst_addr, &sa->tunnel_dst_addr.ip4, 4);
- }
+ ip_address_encode (&sa->tunnel_src_addr, IP46_TYPE_ANY,
+ &mp->entry.tunnel_src);
+ ip_address_encode (&sa->tunnel_dst_addr, IP46_TYPE_ANY,
+ &mp->entry.tunnel_dst);
 }
+ mp->sw_if_index = htonl (sw_if_index);
 mp->salt = clib_host_to_net_u32 (sa->salt);
 mp->seq_outbound = clib_host_to_net_u64 (((u64) sa->seq));
 mp->last_seq_inbound = clib_host_to_net_u64 (((u64) sa->last_seq));
- if (sa->use_esn)
+ if (ipsec_sa_is_set_USE_ESN (sa))
 {
 mp->seq_outbound |= (u64) (clib_host_to_net_u32 (sa->seq_hi));
 mp->last_seq_inbound |= (u64) (clib_host_to_net_u32 (sa->last_seq_hi));
 }
- if (sa->use_anti_replay)
+ if (ipsec_sa_is_set_USE_ANTI_REPLAY (sa))
 mp->replay_window = clib_host_to_net_u64 (sa->replay_window);
- mp->total_data_size = clib_host_to_net_u64 (sa->total_data_size);
- mp->udp_encap = sa->udp_encap;
-
- mp->tx_table_id =
- htonl (fib_table_get_table_id (sa->tx_fib_index, FIB_PROTOCOL_IP4));
 vl_api_send_msg (reg, (u8 *) mp);
 }
@@ -728,7 +787,7 @@ vl_api_ipsec_tunnel_if_set_key_t_handler (vl_api_ipsec_tunnel_if_set_key_t *
 if (mp->alg < IPSEC_CRYPTO_ALG_AES_CBC_128 ||
 mp->alg >= IPSEC_CRYPTO_N_ALG)
 {
- rv = VNET_API_ERROR_UNIMPLEMENTED;
+ rv = VNET_API_ERROR_INVALID_ALGORITHM;
 goto out;
 }
 break;
@@ -736,7 +795,7 @@ vl_api_ipsec_tunnel_if_set_key_t_handler (vl_api_ipsec_tunnel_if_set_key_t *
 case IPSEC_IF_SET_KEY_TYPE_REMOTE_INTEG:
 if (mp->alg >= IPSEC_INTEG_N_ALG)
 {
- rv = VNET_API_ERROR_UNIMPLEMENTED;
+ rv = VNET_API_ERROR_INVALID_ALGORITHM;
 goto out;
 }
 break;
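Review bot: `mp->entry.tx_table_id` is computed with `fib_table_get_table_id (sa->tx_fib_index, FIB_PROTOCOL_IP4)` unconditionally, even though the same function reports IS_TUNNEL_V6 in `mp->entry.flags` a few lines later; if `tx_fib_index` of a v6 tunnel SA refers to an IPv6 FIB, looking it up as IPv4 returns the wrong (or an invalid) table id to the client. Suggest `htonl (fib_table_get_table_id (sa->tx_fib_index, ipsec_sa_is_set_IS_TUNNEL_V6 (sa) ? FIB_PROTOCOL_IP6 : FIB_PROTOCOL_IP4))`, assuming `tx_fib_index` is a per-protocol index — the line was moved rather than written in this commit, but it is the right moment to fix it. It is also worth a comment above the two `ipsec_key_encode` calls that this dump copies live SA key material into a reply readable by any API client, so the binary API channel must be treated as secret-bearing; that was already true before this change.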
@@ -783,329 +842,6 @@ vl_api_ipsec_tunnel_if_set_sa_t_handler (vl_api_ipsec_tunnel_if_set_sa_t * mp)
 REPLY_MACRO (VL_API_IPSEC_TUNNEL_IF_SET_SA_REPLY);
 }
-
-static void
-vl_api_ikev2_profile_add_del_t_handler (vl_api_ikev2_profile_add_del_t * mp)
-{
- vl_api_ikev2_profile_add_del_reply_t *rmp;
- int rv = 0;
-
-#if WITH_LIBSSL > 0
- vlib_main_t *vm = vlib_get_main ();
- clib_error_t *error;
- u8 *tmp = format (0, "%s", mp->name);
- error = ikev2_add_del_profile (vm, tmp, mp->is_add);
- vec_free (tmp);
- if (error)
- rv = VNET_API_ERROR_UNSPECIFIED;
-#else
- rv = VNET_API_ERROR_UNIMPLEMENTED;
-#endif
-
- REPLY_MACRO (VL_API_IKEV2_PROFILE_ADD_DEL_REPLY);
-}
-
-static void
- vl_api_ikev2_profile_set_auth_t_handler
- (vl_api_ikev2_profile_set_auth_t * mp)
-{
- vl_api_ikev2_profile_set_auth_reply_t *rmp;
- int rv = 0;
-
-#if WITH_LIBSSL > 0
- vlib_main_t *vm = vlib_get_main ();
- clib_error_t *error;
- int data_len = ntohl (mp->data_len);
- u8 *tmp = format (0, "%s", mp->name);
- u8 *data = vec_new (u8, data_len);
- clib_memcpy (data, mp->data, data_len);
- error = ikev2_set_profile_auth (vm, tmp, mp->auth_method, data, mp->is_hex);
- vec_free (tmp);
- vec_free (data);
- if (error)
- rv = VNET_API_ERROR_UNSPECIFIED;
-#else
- rv = VNET_API_ERROR_UNIMPLEMENTED;
-#endif
-
- REPLY_MACRO (VL_API_IKEV2_PROFILE_SET_AUTH_REPLY);
-}
-
-static void
-vl_api_ikev2_profile_set_id_t_handler (vl_api_ikev2_profile_set_id_t * mp)
-{
- vl_api_ikev2_profile_add_del_reply_t *rmp;
- int rv = 0;
-
-#if WITH_LIBSSL > 0
- vlib_main_t *vm = vlib_get_main ();
- clib_error_t *error;
- u8 *tmp = format (0, "%s", mp->name);
- int data_len = ntohl (mp->data_len);
- u8 *data = vec_new (u8, data_len);
- clib_memcpy (data, mp->data, data_len);
- error = ikev2_set_profile_id (vm, tmp, mp->id_type, data, mp->is_local);
- vec_free (tmp);
- vec_free (data);
- if (error)
- rv = VNET_API_ERROR_UNSPECIFIED;
-#else
- rv = VNET_API_ERROR_UNIMPLEMENTED;
-#endif
-
- REPLY_MACRO (VL_API_IKEV2_PROFILE_SET_ID_REPLY);
-}
-
-static void
-vl_api_ikev2_profile_set_ts_t_handler (vl_api_ikev2_profile_set_ts_t * mp)
-{
- vl_api_ikev2_profile_set_ts_reply_t *rmp;
- int rv = 0;
-
-#if WITH_LIBSSL > 0
- vlib_main_t *vm = vlib_get_main ();
- clib_error_t *error;
- u8 *tmp = format (0, "%s", mp->name);
- error = ikev2_set_profile_ts (vm, tmp, mp->proto, mp->start_port,
- mp->end_port, (ip4_address_t) mp->start_addr,
- (ip4_address_t) mp->end_addr, mp->is_local);
- vec_free (tmp);
- if (error)
- rv = VNET_API_ERROR_UNSPECIFIED;
-#else
- rv = VNET_API_ERROR_UNIMPLEMENTED;
-#endif
-
- REPLY_MACRO (VL_API_IKEV2_PROFILE_SET_TS_REPLY);
-}
-
-static void
-vl_api_ikev2_set_local_key_t_handler (vl_api_ikev2_set_local_key_t * mp)
-{
- vl_api_ikev2_profile_set_ts_reply_t *rmp;
- int rv = 0;
-
-#if WITH_LIBSSL > 0
- vlib_main_t *vm = vlib_get_main ();
- clib_error_t *error;
-
- error = ikev2_set_local_key (vm, mp->key_file);
- if (error)
- rv = VNET_API_ERROR_UNSPECIFIED;
-#else
- rv = VNET_API_ERROR_UNIMPLEMENTED;
-#endif
-
- REPLY_MACRO (VL_API_IKEV2_SET_LOCAL_KEY_REPLY);
-}
-
-static void
-vl_api_ikev2_set_responder_t_handler (vl_api_ikev2_set_responder_t * mp)
-{
- vl_api_ikev2_set_responder_reply_t *rmp;
- int rv = 0;
-
-#if WITH_LIBSSL > 0
- vlib_main_t *vm = vlib_get_main ();
- clib_error_t *error;
-
- u8 *tmp = format (0, "%s", mp->name);
- ip4_address_t ip4;
- clib_memcpy (&ip4, mp->address, sizeof (ip4));
-
- error = ikev2_set_profile_responder (vm, tmp, mp->sw_if_index, ip4);
- vec_free (tmp);
- if (error)
- rv = VNET_API_ERROR_UNSPECIFIED;
-#else
- rv = VNET_API_ERROR_UNIMPLEMENTED;
-#endif
-
- REPLY_MACRO (VL_API_IKEV2_SET_RESPONDER_REPLY);
-}
-
-static void
-vl_api_ikev2_set_ike_transforms_t_handler (vl_api_ikev2_set_ike_transforms_t *
- mp)
-{
- vl_api_ikev2_set_ike_transforms_reply_t *rmp;
- int rv = 0;
-
-#if WITH_LIBSSL > 0
- vlib_main_t *vm = vlib_get_main ();
- clib_error_t *error;
-
- u8 *tmp = format (0, "%s", mp->name);
-
- error =
- ikev2_set_profile_ike_transforms (vm, tmp, mp->crypto_alg, mp->integ_alg,
- mp->dh_group, mp->crypto_key_size);
- vec_free (tmp);
- if (error)
- rv = VN_API_ERROR_UNSPECIFIED_PLACEHOLDER;
@@ -1199,6 +935,25 @@ done: REPLY_MACRO (VL_API_IPSEC_SELECT_BACKEND_REPLY); } +/* + * ipsec_api_hookup + * Add vpe's API message handlers to the table. + * vlib has already mapped shared memory and + * added the client registration handlers. + * See .../vlib-api/vlibmemory/memclnt_vlib.c:memclnt_process() + */ +#define vl_msg_name_crc_list +#include +#undef vl_msg_name_crc_list + +static void +setup_message_id_table (api_main_t * am) +{ +#define _(id,n,crc) vl_msg_api_add_msg_name_crc (am, #n "_" #crc, id); + foreach_vl_msg_name_crc_ipsec; +#undef _ +} + static clib_error_t * ipsec_api_hookup (vlib_main_t * vm) {