2 * decap.c : IPSec tunnel support
4 * Copyright (c) 2015 Cisco and/or its affiliates.
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
9 * http://www.apache.org/licenses/LICENSE-2.0
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
18 #include <vnet/vnet.h>
19 #include <vnet/api_errno.h>
20 #include <vnet/ip/ip.h>
21 #include <vnet/interface.h>
22 #include <vnet/fib/fib.h>
24 #include <vnet/ipsec/ipsec.h>
27 set_interface_spd_command_fn (vlib_main_t * vm,
28 unformat_input_t * input,
29 vlib_cli_command_t * cmd)
31 unformat_input_t _line_input, *line_input = &_line_input;
32 ipsec_main_t *im = &ipsec_main;
33 u32 sw_if_index = (u32) ~ 0;
36 clib_error_t *error = NULL;
38 if (!unformat_user (input, unformat_line_input, line_input))
42 (line_input, "%U %u", unformat_vnet_sw_interface, im->vnet_main,
43 &sw_if_index, &spd_id))
45 else if (unformat (line_input, "del"))
49 error = clib_error_return (0, "parse error: '%U'",
50 format_unformat_error, line_input);
54 ipsec_set_interface_spd (vm, sw_if_index, spd_id, is_add);
57 unformat_free (line_input);
63 VLIB_CLI_COMMAND (set_interface_spd_command, static) = {
64 .path = "set interface ipsec spd",
66 "set interface ipsec spd <int> <id>",
67 .function = set_interface_spd_command_fn,
72 ipsec_sa_add_del_command_fn (vlib_main_t * vm,
73 unformat_input_t * input,
74 vlib_cli_command_t * cmd)
76 unformat_input_t _line_input, *line_input = &_line_input;
77 ip46_address_t tun_src = { }, tun_dst =
80 ipsec_crypto_alg_t crypto_alg;
81 ipsec_integ_alg_t integ_alg;
82 ipsec_protocol_t proto;
83 ipsec_sa_flags_t flags;
91 flags = IPSEC_SA_FLAG_NONE;
92 proto = IPSEC_PROTOCOL_ESP;
94 if (!unformat_user (input, unformat_line_input, line_input))
97 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
99 if (unformat (line_input, "add %u", &id))
101 else if (unformat (line_input, "del %u", &id))
103 else if (unformat (line_input, "spi %u", &spi))
105 else if (unformat (line_input, "esp"))
106 proto = IPSEC_PROTOCOL_ESP;
107 else if (unformat (line_input, "ah"))
108 proto = IPSEC_PROTOCOL_AH;
109 else if (unformat (line_input, "crypto-key %U",
110 unformat_ipsec_key, &ck))
112 else if (unformat (line_input, "crypto-alg %U",
113 unformat_ipsec_crypto_alg, &crypto_alg))
115 else if (unformat (line_input, "integ-key %U", unformat_ipsec_key, &ik))
117 else if (unformat (line_input, "integ-alg %U",
118 unformat_ipsec_integ_alg, &integ_alg))
120 else if (unformat (line_input, "tunnel-src %U",
121 unformat_ip46_address, &tun_src, IP46_TYPE_ANY))
123 flags |= IPSEC_SA_FLAG_IS_TUNNEL;
124 if (!ip46_address_is_ip4 (&tun_src))
125 flags |= IPSEC_SA_FLAG_IS_TUNNEL_V6;
127 else if (unformat (line_input, "tunnel-dst %U",
128 unformat_ip46_address, &tun_dst, IP46_TYPE_ANY))
130 else if (unformat (line_input, "udp-encap"))
131 flags |= IPSEC_SA_FLAG_UDP_ENCAP;
134 error = clib_error_return (0, "parse error: '%U'",
135 format_unformat_error, line_input);
141 rv = ipsec_sa_add (id, spi, proto, crypto_alg,
142 &ck, integ_alg, &ik, flags,
143 0, &tun_src, &tun_dst, NULL);
145 rv = ipsec_sa_del (id);
148 clib_error_return (0, "failed");
151 unformat_free (line_input);
157 VLIB_CLI_COMMAND (ipsec_sa_add_del_command, static) = {
160 "ipsec sa [add|del]",
161 .function = ipsec_sa_add_del_command_fn,
165 static clib_error_t *
166 ipsec_spd_add_del_command_fn (vlib_main_t * vm,
167 unformat_input_t * input,
168 vlib_cli_command_t * cmd)
170 unformat_input_t _line_input, *line_input = &_line_input;
173 clib_error_t *error = NULL;
175 if (!unformat_user (input, unformat_line_input, line_input))
178 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
180 if (unformat (line_input, "add"))
182 else if (unformat (line_input, "del"))
184 else if (unformat (line_input, "%u", &spd_id))
188 error = clib_error_return (0, "parse error: '%U'",
189 format_unformat_error, line_input);
196 error = clib_error_return (0, "please specify SPD ID");
200 ipsec_add_del_spd (vm, spd_id, is_add);
203 unformat_free (line_input);
209 VLIB_CLI_COMMAND (ipsec_spd_add_del_command, static) = {
212 "ipsec spd [add|del] <id>",
213 .function = ipsec_spd_add_del_command_fn,
218 static clib_error_t *
219 ipsec_policy_add_del_command_fn (vlib_main_t * vm,
220 unformat_input_t * input,
221 vlib_cli_command_t * cmd)
223 unformat_input_t _line_input, *line_input = &_line_input;
226 u32 tmp, tmp2, stat_index;
227 clib_error_t *error = NULL;
229 clib_memset (&p, 0, sizeof (p));
230 p.lport.stop = p.rport.stop = ~0;
231 p.laddr.stop.ip4.as_u32 = p.raddr.stop.ip4.as_u32 = (u32) ~ 0;
232 p.laddr.stop.ip6.as_u64[0] = p.laddr.stop.ip6.as_u64[1] = (u64) ~ 0;
233 p.raddr.stop.ip6.as_u64[0] = p.raddr.stop.ip6.as_u64[1] = (u64) ~ 0;
235 if (!unformat_user (input, unformat_line_input, line_input))
238 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
240 if (unformat (line_input, "add"))
242 else if (unformat (line_input, "del"))
244 else if (unformat (line_input, "spd %u", &p.id))
246 else if (unformat (line_input, "inbound"))
248 else if (unformat (line_input, "outbound"))
250 else if (unformat (line_input, "priority %d", &p.priority))
252 else if (unformat (line_input, "protocol %u", &tmp))
253 p.protocol = (u8) tmp;
256 (line_input, "action %U", unformat_ipsec_policy_action,
259 if (p.policy == IPSEC_POLICY_ACTION_RESOLVE)
261 error = clib_error_return (0, "unsupported action: 'resolve'");
265 else if (unformat (line_input, "sa %u", &p.sa_id))
267 else if (unformat (line_input, "local-ip-range %U - %U",
268 unformat_ip4_address, &p.laddr.start.ip4,
269 unformat_ip4_address, &p.laddr.stop.ip4))
271 else if (unformat (line_input, "remote-ip-range %U - %U",
272 unformat_ip4_address, &p.raddr.start.ip4,
273 unformat_ip4_address, &p.raddr.stop.ip4))
275 else if (unformat (line_input, "local-ip-range %U - %U",
276 unformat_ip6_address, &p.laddr.start.ip6,
277 unformat_ip6_address, &p.laddr.stop.ip6))
281 else if (unformat (line_input, "remote-ip-range %U - %U",
282 unformat_ip6_address, &p.raddr.start.ip6,
283 unformat_ip6_address, &p.raddr.stop.ip6))
287 else if (unformat (line_input, "local-port-range %u - %u", &tmp, &tmp2))
293 if (unformat (line_input, "remote-port-range %u - %u", &tmp, &tmp2))
300 error = clib_error_return (0, "parse error: '%U'",
301 format_unformat_error, line_input);
306 /* Check if SA is for IPv6/AH which is not supported. Return error if TRUE. */
310 ipsec_main_t *im = &ipsec_main;
312 p1 = hash_get (im->sa_index_by_sa_id, p.sa_id);
316 clib_error_return (0, "SA with index %u not found", p.sa_id);
319 sa = pool_elt_at_index (im->sad, p1[0]);
320 if (sa && sa->protocol == IPSEC_PROTOCOL_AH && is_add && p.is_ipv6)
322 error = clib_error_return (0, "AH not supported for IPV6: '%U'",
323 format_unformat_error, line_input);
327 rv = ipsec_add_del_policy (vm, &p, is_add, &stat_index);
330 vlib_cli_output (vm, "policy-index:%d", stat_index);
332 vlib_cli_output (vm, "error:%d", rv);
335 unformat_free (line_input);
341 VLIB_CLI_COMMAND (ipsec_policy_add_del_command, static) = {
342 .path = "ipsec policy",
344 "ipsec policy [add|del] spd <id> priority <n> ",
345 .function = ipsec_policy_add_del_command_fn,
349 static clib_error_t *
350 set_ipsec_sa_key_command_fn (vlib_main_t * vm,
351 unformat_input_t * input,
352 vlib_cli_command_t * cmd)
354 unformat_input_t _line_input, *line_input = &_line_input;
355 clib_error_t *error = NULL;
359 if (!unformat_user (input, unformat_line_input, line_input))
362 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
364 if (unformat (line_input, "%u", &id))
367 if (unformat (line_input, "crypto-key %U", unformat_ipsec_key, &ck))
369 else if (unformat (line_input, "integ-key %U", unformat_ipsec_key, &ik))
373 error = clib_error_return (0, "parse error: '%U'",
374 format_unformat_error, line_input);
379 ipsec_set_sa_key (id, &ck, &ik);
382 unformat_free (line_input);
388 VLIB_CLI_COMMAND (set_ipsec_sa_key_command, static) = {
389 .path = "set ipsec sa",
391 "set ipsec sa <id> crypto-key <key> integ-key <key>",
392 .function = set_ipsec_sa_key_command_fn,
396 static clib_error_t *
397 show_ipsec_command_fn (vlib_main_t * vm,
398 unformat_input_t * input, vlib_cli_command_t * cmd)
400 ipsec_main_t *im = &ipsec_main;
401 u32 spd_id, sw_if_index, sai;
402 vnet_hw_interface_t *hi;
403 ipsec_tunnel_if_t *t;
409 pool_foreach_index (sai, im->sad, ({
410 vlib_cli_output(vm, "%U", format_ipsec_sa, sai);
412 pool_foreach_index (i, im->spds, ({
413 vlib_cli_output(vm, "%U", format_ipsec_spd, i);
416 vlib_cli_output (vm, "SPD Bindings:");
418 hash_foreach(sw_if_index, spd_id, im->spd_index_by_sw_if_index, ({
419 vlib_cli_output (vm, " %d -> %U", spd_id,
420 format_vnet_sw_if_index_name, im->vnet_main,
425 vlib_cli_output (vm, "tunnel interfaces");
427 pool_foreach (t, im->tunnel_interfaces, ({
428 if (t->hw_if_index == ~0)
430 hi = vnet_get_hw_interface (im->vnet_main, t->hw_if_index);
432 vlib_cli_output(vm, " %s", hi->name);
434 vlib_cli_output(vm, " out-bound sa");
435 vlib_cli_output(vm, " %U", format_ipsec_sa, t->output_sa_index);
437 vlib_cli_output(vm, " in-bound sa");
438 vlib_cli_output(vm, " %U", format_ipsec_sa, t->input_sa_index);
447 VLIB_CLI_COMMAND (show_ipsec_command, static) = {
448 .path = "show ipsec",
449 .short_help = "show ipsec [backends]",
450 .function = show_ipsec_command_fn,
454 static clib_error_t *
455 ipsec_show_backends_command_fn (vlib_main_t * vm,
456 unformat_input_t * input,
457 vlib_cli_command_t * cmd)
459 ipsec_main_t *im = &ipsec_main;
462 (void) unformat (input, "verbose %u", &verbose);
464 vlib_cli_output (vm, "IPsec AH backends available:");
465 u8 *s = format (NULL, "%=25s %=25s %=10s\n", "Name", "Index", "Active");
466 ipsec_ah_backend_t *ab;
468 pool_foreach (ab, im->ah_backends, {
469 s = format (s, "%=25s %=25u %=10s\n", ab->name, ab - im->ah_backends,
470 ab - im->ah_backends == im->ah_current_backend ? "yes" : "no");
473 n = vlib_get_node (vm, ab->ah4_encrypt_node_index);
474 s = format (s, " enc4 %s (next %d)\n", n->name, ab->ah4_encrypt_next_index);
475 n = vlib_get_node (vm, ab->ah4_decrypt_node_index);
476 s = format (s, " dec4 %s (next %d)\n", n->name, ab->ah4_decrypt_next_index);
477 n = vlib_get_node (vm, ab->ah6_encrypt_node_index);
478 s = format (s, " enc6 %s (next %d)\n", n->name, ab->ah6_encrypt_next_index);
479 n = vlib_get_node (vm, ab->ah6_decrypt_node_index);
480 s = format (s, " dec6 %s (next %d)\n", n->name, ab->ah6_decrypt_next_index);
484 vlib_cli_output (vm, "%v", s);
486 vlib_cli_output (vm, "IPsec ESP backends available:");
487 s = format (s, "%=25s %=25s %=10s\n", "Name", "Index", "Active");
488 ipsec_esp_backend_t *eb;
490 pool_foreach (eb, im->esp_backends, {
491 s = format (s, "%=25s %=25u %=10s\n", eb->name, eb - im->esp_backends,
492 eb - im->esp_backends == im->esp_current_backend ? "yes"
496 n = vlib_get_node (vm, eb->esp4_encrypt_node_index);
497 s = format (s, " enc4 %s (next %d)\n", n->name, eb->esp4_encrypt_next_index);
498 n = vlib_get_node (vm, eb->esp4_decrypt_node_index);
499 s = format (s, " dec4 %s (next %d)\n", n->name, eb->esp4_decrypt_next_index);
500 n = vlib_get_node (vm, eb->esp6_encrypt_node_index);
501 s = format (s, " enc6 %s (next %d)\n", n->name, eb->esp6_encrypt_next_index);
502 n = vlib_get_node (vm, eb->esp6_decrypt_node_index);
503 s = format (s, " dec6 %s (next %d)\n", n->name, eb->esp6_decrypt_next_index);
507 vlib_cli_output (vm, "%v", s);
514 VLIB_CLI_COMMAND (ipsec_show_backends_command, static) = {
515 .path = "show ipsec backends",
516 .short_help = "show ipsec backends",
517 .function = ipsec_show_backends_command_fn,
521 static clib_error_t *
522 ipsec_select_backend_command_fn (vlib_main_t * vm,
523 unformat_input_t * input,
524 vlib_cli_command_t * cmd)
527 ipsec_main_t *im = &ipsec_main;
529 if (pool_elts (im->sad) > 0)
531 return clib_error_return (0,
532 "Cannot change IPsec backend, while %u SA entries are configured",
533 pool_elts (im->sad));
536 unformat_input_t _line_input, *line_input = &_line_input;
537 /* Get a line of input. */
538 if (!unformat_user (input, unformat_line_input, line_input))
541 if (unformat (line_input, "ah"))
543 if (unformat (line_input, "%u", &backend_index))
545 if (ipsec_select_ah_backend (im, backend_index) < 0)
547 return clib_error_return (0, "Invalid AH backend index `%u'",
553 return clib_error_return (0, "Invalid backend index `%U'",
554 format_unformat_error, line_input);
557 else if (unformat (line_input, "esp"))
559 if (unformat (line_input, "%u", &backend_index))
561 if (ipsec_select_esp_backend (im, backend_index) < 0)
563 return clib_error_return (0, "Invalid ESP backend index `%u'",
569 return clib_error_return (0, "Invalid backend index `%U'",
570 format_unformat_error, line_input);
575 return clib_error_return (0, "Unknown input `%U'",
576 format_unformat_error, line_input);
583 VLIB_CLI_COMMAND (ipsec_select_backend_command, static) = {
584 .path = "ipsec select backend",
585 .short_help = "ipsec select backend <ah|esp> <backend index>",
586 .function = ipsec_select_backend_command_fn,
591 static clib_error_t *
592 clear_ipsec_counters_command_fn (vlib_main_t * vm,
593 unformat_input_t * input,
594 vlib_cli_command_t * cmd)
596 vlib_clear_combined_counters (&ipsec_spd_policy_counters);
602 VLIB_CLI_COMMAND (clear_ipsec_counters_command, static) = {
603 .path = "clear ipsec counters",
604 .short_help = "clear ipsec counters",
605 .function = clear_ipsec_counters_command_fn,
609 static clib_error_t *
610 create_ipsec_tunnel_command_fn (vlib_main_t * vm,
611 unformat_input_t * input,
612 vlib_cli_command_t * cmd)
614 unformat_input_t _line_input, *line_input = &_line_input;
615 ipsec_add_del_tunnel_args_t a;
620 clib_error_t *error = NULL;
622 clib_memset (&a, 0, sizeof (a));
625 /* Get a line of input. */
626 if (!unformat_user (input, unformat_line_input, line_input))
629 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
632 (line_input, "local-ip %U", unformat_ip46_address, &a.local_ip,
635 ip46_address_is_ip4 (&a.local_ip) ? (ipv4_set = 1) : (ipv6_set = 1);
640 (line_input, "remote-ip %U", unformat_ip46_address, &a.remote_ip,
643 ip46_address_is_ip4 (&a.remote_ip) ? (ipv4_set = 1) : (ipv6_set =
647 else if (unformat (line_input, "local-spi %u", &a.local_spi))
649 else if (unformat (line_input, "remote-spi %u", &a.remote_spi))
651 else if (unformat (line_input, "instance %u", &a.show_instance))
653 else if (unformat (line_input, "udp-encap"))
655 else if (unformat (line_input, "use-esn"))
657 else if (unformat (line_input, "use-anti-replay"))
659 else if (unformat (line_input, "tx-table %u", &a.tx_table_id))
661 else if (unformat (line_input, "del"))
665 error = clib_error_return (0, "unknown input `%U'",
666 format_unformat_error, line_input);
673 error = clib_error_return (0, "mandatory argument(s) missing");
678 return clib_error_return (0, "currently only IPv4 supported");
680 if (ipv4_set && ipv6_set)
681 return clib_error_return (0, "both IPv4 and IPv6 addresses specified");
683 rv = ipsec_add_del_tunnel_if (&a);
689 case VNET_API_ERROR_INVALID_VALUE:
691 error = clib_error_return (0,
692 "IPSec tunnel interface already exists...");
694 error = clib_error_return (0, "IPSec tunnel interface not exists...");
697 error = clib_error_return (0, "ipsec_register_interface returned %d",
703 unformat_free (line_input);
709 VLIB_CLI_COMMAND (create_ipsec_tunnel_command, static) = {
710 .path = "create ipsec tunnel",
711 .short_help = "create ipsec tunnel local-ip <addr> local-spi <spi> "
712 "remote-ip <addr> remote-spi <spi> [instance <inst_num>] [udp-encap] [use-esn] [use-anti-replay] "
713 "[tx-table <table-id>]",
714 .function = create_ipsec_tunnel_command_fn,
718 static clib_error_t *
719 set_interface_key_command_fn (vlib_main_t * vm,
720 unformat_input_t * input,
721 vlib_cli_command_t * cmd)
723 unformat_input_t _line_input, *line_input = &_line_input;
724 ipsec_main_t *im = &ipsec_main;
725 ipsec_if_set_key_type_t type = IPSEC_IF_SET_KEY_TYPE_NONE;
726 u32 hw_if_index = (u32) ~ 0;
729 clib_error_t *error = NULL;
731 if (!unformat_user (input, unformat_line_input, line_input))
734 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
736 if (unformat (line_input, "%U",
737 unformat_vnet_hw_interface, im->vnet_main, &hw_if_index))
741 (line_input, "local crypto %U", unformat_ipsec_crypto_alg, &alg))
742 type = IPSEC_IF_SET_KEY_TYPE_LOCAL_CRYPTO;
745 (line_input, "remote crypto %U", unformat_ipsec_crypto_alg, &alg))
746 type = IPSEC_IF_SET_KEY_TYPE_REMOTE_CRYPTO;
749 (line_input, "local integ %U", unformat_ipsec_integ_alg, &alg))
750 type = IPSEC_IF_SET_KEY_TYPE_LOCAL_INTEG;
753 (line_input, "remote integ %U", unformat_ipsec_integ_alg, &alg))
754 type = IPSEC_IF_SET_KEY_TYPE_REMOTE_INTEG;
755 else if (unformat (line_input, "%U", unformat_hex_string, &key))
759 error = clib_error_return (0, "parse error: '%U'",
760 format_unformat_error, line_input);
765 if (type == IPSEC_IF_SET_KEY_TYPE_NONE)
767 error = clib_error_return (0, "unknown key type");
771 if (alg > 0 && vec_len (key) == 0)
773 error = clib_error_return (0, "key is not specified");
777 if (hw_if_index == (u32) ~ 0)
779 error = clib_error_return (0, "interface not specified");
783 ipsec_set_interface_key (im->vnet_main, hw_if_index, type, alg, key);
787 unformat_free (line_input);
793 VLIB_CLI_COMMAND (set_interface_key_command, static) = {
794 .path = "set interface ipsec key",
796 "set interface ipsec key <int> <local|remote> <crypto|integ> <key type> <key>",
797 .function = set_interface_key_command_fn,
802 ipsec_cli_init (vlib_main_t * vm)
807 VLIB_INIT_FUNCTION (ipsec_cli_init);
811 * fd.io coding-style-patch-verification: ON
814 * eval: (c-set-style "gnu")