X-Git-Url: https://gerrit.fd.io/r/gitweb?a=blobdiff_plain;f=src%2Fvnet%2Fipsec%2Fipsec_cli.c;h=711403ff81ab52c364372f39bcfd525f9e6cd598;hb=430ac939d115b59e3f7f704645c6f88878223e1b;hp=0e034402b5cbcfdc69cf9e22da53d94d56d4dfb2;hpb=b3eeb6a5dd17627f56f5a9f299950c96f952e7a1;p=vpp.git diff --git a/src/vnet/ipsec/ipsec_cli.c b/src/vnet/ipsec/ipsec_cli.c index 0e034402b5c..711403ff81a 100644 --- a/src/vnet/ipsec/ipsec_cli.c +++ b/src/vnet/ipsec/ipsec_cli.c @@ -96,9 +96,7 @@ ipsec_sa_add_del_command_fn (vlib_main_t * vm, sa.protocol = IPSEC_PROTOCOL_ESP; else if (unformat (line_input, "ah")) { - //sa.protocol = IPSEC_PROTOCOL_AH; - error = clib_error_return (0, "unsupported security protocol 'AH'"); - goto done; + sa.protocol = IPSEC_PROTOCOL_AH; } else if (unformat (line_input, "crypto-key %U", unformat_hex_string, &ck)) @@ -339,6 +337,21 @@ ipsec_policy_add_del_command_fn (vlib_main_t * vm, } } + /* Check if SA is for IPv6/AH which is not supported. Return error if TRUE. */ + if (p.sa_id) + { + uword *p1; + ipsec_main_t *im = &ipsec_main; + ipsec_sa_t *sa = 0; + p1 = hash_get (im->sa_index_by_sa_id, p.sa_id); + sa = pool_elt_at_index (im->sad, p1[0]); + if (sa && sa->protocol == IPSEC_PROTOCOL_AH && is_add && p.is_ipv6) + { + error = clib_error_return (0, "AH not supported for IPV6: '%U'", + format_unformat_error, line_input); + goto done; + } + } ipsec_add_del_policy (vm, &p, is_add); if (is_ip_any) {
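Review bot: The `ah` branch now accepts the protocol, but nothing visible in this hunk checks that the rest of the SA makes sense for AH. The `crypto-key` case just below is parsed by the same chain, so `ah` combined with cipher settings is not rejected here, and no integrity algorithm is required. AH provides no confidentiality, so an operator who configures `ah` plus a cipher could believe the traffic is encrypted. If the post-parse validation outside this hunk does not already cover this, add a check after the parse loop such as `if (sa.protocol == IPSEC_PROTOCOL_AH && sa.integ_alg == IPSEC_INTEG_ALG_NONE)` that returns an error, and add a comment saying crypto settings are ignored for AH. The body of ipsec_sa_add_del_command_fn starts and ends outside the hunk.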
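Review bot: `p1[0]` is read without checking the result of `hash_get`, so in the added block a policy naming an SA id that is not in `im->sa_index_by_sa_id` dereferences a null pointer and crashes the forwarder on a mistyped CLI argument. Guard the lookup with `if (p1) sa = pool_elt_at_index (im->sad, p1[0]);`, which also makes the later `sa &&` test meaningful; as written, `sa` is never 0 once the pool lookup has run. The error text appends `format_unformat_error, line_input` although parsing has already finished, so the quoted remainder will not identify the offending SA; printing `p.sa_id` would be more useful. The restriction is enforced only in this CLI handler, so if policies can also be added through another path (presumably the binary API), the IPv6/AH check belongs in or below `ipsec_add_del_policy`. The body of ipsec_policy_add_del_command_fn starts and ends outside the hunk.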