2 * decap.c : IPSec tunnel support
4 * Copyright (c) 2015 Cisco and/or its affiliates.
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
9 * http://www.apache.org/licenses/LICENSE-2.0
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
18 #include <vnet/vnet.h>
19 #include <vnet/api_errno.h>
20 #include <vnet/ip/ip.h>
21 #include <vnet/interface.h>
23 #include <vnet/ipsec/ipsec.h>
26 set_interface_spd_command_fn (vlib_main_t * vm,
27 unformat_input_t * input,
28 vlib_cli_command_t * cmd)
30 unformat_input_t _line_input, *line_input = &_line_input;
31 ipsec_main_t *im = &ipsec_main;
32 u32 sw_if_index = (u32) ~ 0;
35 clib_error_t *error = NULL;
37 if (!unformat_user (input, unformat_line_input, line_input))
41 (line_input, "%U %u", unformat_vnet_sw_interface, im->vnet_main,
42 &sw_if_index, &spd_id))
44 else if (unformat (line_input, "del"))
48 error = clib_error_return (0, "parse error: '%U'",
49 format_unformat_error, line_input);
53 ipsec_set_interface_spd (vm, sw_if_index, spd_id, is_add);
56 unformat_free (line_input);
62 VLIB_CLI_COMMAND (set_interface_spd_command, static) = {
63 .path = "set interface ipsec spd",
65 "set interface ipsec spd <int> <id>",
66 .function = set_interface_spd_command_fn,
71 ipsec_sa_add_del_command_fn (vlib_main_t * vm,
72 unformat_input_t * input,
73 vlib_cli_command_t * cmd)
75 ipsec_main_t *im = &ipsec_main;
76 unformat_input_t _line_input, *line_input = &_line_input;
80 clib_error_t *error = NULL;
82 memset (&sa, 0, sizeof (sa));
84 if (!unformat_user (input, unformat_line_input, line_input))
87 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
89 if (unformat (line_input, "add %u", &sa.id))
91 else if (unformat (line_input, "del %u", &sa.id))
93 else if (unformat (line_input, "spi %u", &sa.spi))
95 else if (unformat (line_input, "esp"))
96 sa.protocol = IPSEC_PROTOCOL_ESP;
97 else if (unformat (line_input, "ah"))
99 sa.protocol = IPSEC_PROTOCOL_AH;
102 if (unformat (line_input, "crypto-key %U", unformat_hex_string, &ck))
103 sa.crypto_key_len = vec_len (ck);
106 (line_input, "crypto-alg %U", unformat_ipsec_crypto_alg,
109 if (sa.crypto_alg < IPSEC_CRYPTO_ALG_NONE ||
110 sa.crypto_alg >= IPSEC_CRYPTO_N_ALG)
112 error = clib_error_return (0, "unsupported crypto-alg: '%U'",
113 format_ipsec_crypto_alg,
119 if (unformat (line_input, "integ-key %U", unformat_hex_string, &ik))
120 sa.integ_key_len = vec_len (ik);
121 else if (unformat (line_input, "integ-alg %U", unformat_ipsec_integ_alg,
124 if (sa.integ_alg < IPSEC_INTEG_ALG_NONE ||
125 sa.integ_alg >= IPSEC_INTEG_N_ALG)
127 error = clib_error_return (0, "unsupported integ-alg: '%U'",
128 format_ipsec_integ_alg,
133 else if (unformat (line_input, "tunnel-src %U",
134 unformat_ip4_address, &sa.tunnel_src_addr.ip4))
136 else if (unformat (line_input, "tunnel-dst %U",
137 unformat_ip4_address, &sa.tunnel_dst_addr.ip4))
139 else if (unformat (line_input, "tunnel-src %U",
140 unformat_ip6_address, &sa.tunnel_src_addr.ip6))
143 sa.is_tunnel_ip6 = 1;
145 else if (unformat (line_input, "tunnel-dst %U",
146 unformat_ip6_address, &sa.tunnel_dst_addr.ip6))
149 sa.is_tunnel_ip6 = 1;
153 error = clib_error_return (0, "parse error: '%U'",
154 format_unformat_error, line_input);
159 if (sa.crypto_key_len > sizeof (sa.crypto_key))
160 sa.crypto_key_len = sizeof (sa.crypto_key);
162 if (sa.integ_key_len > sizeof (sa.integ_key))
163 sa.integ_key_len = sizeof (sa.integ_key);
166 strncpy ((char *) sa.crypto_key, (char *) ck, sa.crypto_key_len);
169 strncpy ((char *) sa.integ_key, (char *) ik, sa.integ_key_len);
173 ASSERT (im->cb.check_support_cb);
174 error = im->cb.check_support_cb (&sa);
179 ipsec_add_del_sa (vm, &sa, is_add, 0 /* enable nat traversal */ );
182 unformat_free (line_input);
188 VLIB_CLI_COMMAND (ipsec_sa_add_del_command, static) = {
191 "ipsec sa [add|del]",
192 .function = ipsec_sa_add_del_command_fn,
196 static clib_error_t *
197 ipsec_spd_add_del_command_fn (vlib_main_t * vm,
198 unformat_input_t * input,
199 vlib_cli_command_t * cmd)
201 unformat_input_t _line_input, *line_input = &_line_input;
204 clib_error_t *error = NULL;
206 if (!unformat_user (input, unformat_line_input, line_input))
209 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
211 if (unformat (line_input, "add"))
213 else if (unformat (line_input, "del"))
215 else if (unformat (line_input, "%u", &spd_id))
219 error = clib_error_return (0, "parse error: '%U'",
220 format_unformat_error, line_input);
227 error = clib_error_return (0, "please specify SPD ID");
231 ipsec_add_del_spd (vm, spd_id, is_add);
234 unformat_free (line_input);
240 VLIB_CLI_COMMAND (ipsec_spd_add_del_command, static) = {
243 "ipsec spd [add|del] <id>",
244 .function = ipsec_spd_add_del_command_fn,
249 static clib_error_t *
250 ipsec_policy_add_del_command_fn (vlib_main_t * vm,
251 unformat_input_t * input,
252 vlib_cli_command_t * cmd)
254 unformat_input_t _line_input, *line_input = &_line_input;
259 clib_error_t *error = NULL;
261 memset (&p, 0, sizeof (p));
262 p.lport.stop = p.rport.stop = ~0;
263 p.laddr.stop.ip4.as_u32 = p.raddr.stop.ip4.as_u32 = (u32) ~ 0;
264 p.laddr.stop.ip6.as_u64[0] = p.laddr.stop.ip6.as_u64[1] = (u64) ~ 0;
265 p.raddr.stop.ip6.as_u64[0] = p.raddr.stop.ip6.as_u64[1] = (u64) ~ 0;
267 if (!unformat_user (input, unformat_line_input, line_input))
270 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
272 if (unformat (line_input, "add"))
274 else if (unformat (line_input, "del"))
276 else if (unformat (line_input, "spd %u", &p.id))
278 else if (unformat (line_input, "inbound"))
280 else if (unformat (line_input, "outbound"))
282 else if (unformat (line_input, "priority %d", &p.priority))
284 else if (unformat (line_input, "protocol %u", &tmp))
285 p.protocol = (u8) tmp;
288 (line_input, "action %U", unformat_ipsec_policy_action,
291 if (p.policy == IPSEC_POLICY_ACTION_RESOLVE)
293 error = clib_error_return (0, "unsupported action: 'resolve'");
297 else if (unformat (line_input, "sa %u", &p.sa_id))
299 else if (unformat (line_input, "local-ip-range %U - %U",
300 unformat_ip4_address, &p.laddr.start.ip4,
301 unformat_ip4_address, &p.laddr.stop.ip4))
303 else if (unformat (line_input, "remote-ip-range %U - %U",
304 unformat_ip4_address, &p.raddr.start.ip4,
305 unformat_ip4_address, &p.raddr.stop.ip4))
307 else if (unformat (line_input, "local-ip-range %U - %U",
308 unformat_ip6_address, &p.laddr.start.ip6,
309 unformat_ip6_address, &p.laddr.stop.ip6))
314 else if (unformat (line_input, "remote-ip-range %U - %U",
315 unformat_ip6_address, &p.raddr.start.ip6,
316 unformat_ip6_address, &p.raddr.stop.ip6))
321 else if (unformat (line_input, "local-port-range %u - %u", &tmp, &tmp2))
327 if (unformat (line_input, "remote-port-range %u - %u", &tmp, &tmp2))
334 error = clib_error_return (0, "parse error: '%U'",
335 format_unformat_error, line_input);
340 /* Check if SA is for IPv6/AH which is not supported. Return error if TRUE. */
344 ipsec_main_t *im = &ipsec_main;
346 p1 = hash_get (im->sa_index_by_sa_id, p.sa_id);
350 clib_error_return (0, "SA with index %u not found", p.sa_id);
353 sa = pool_elt_at_index (im->sad, p1[0]);
354 if (sa && sa->protocol == IPSEC_PROTOCOL_AH && is_add && p.is_ipv6)
356 error = clib_error_return (0, "AH not supported for IPV6: '%U'",
357 format_unformat_error, line_input);
361 ipsec_add_del_policy (vm, &p, is_add);
365 ipsec_add_del_policy (vm, &p, is_add);
369 unformat_free (line_input);
375 VLIB_CLI_COMMAND (ipsec_policy_add_del_command, static) = {
376 .path = "ipsec policy",
378 "ipsec policy [add|del] spd <id> priority <n> ",
379 .function = ipsec_policy_add_del_command_fn,
383 static clib_error_t *
384 set_ipsec_sa_key_command_fn (vlib_main_t * vm,
385 unformat_input_t * input,
386 vlib_cli_command_t * cmd)
388 unformat_input_t _line_input, *line_input = &_line_input;
391 clib_error_t *error = NULL;
393 memset (&sa, 0, sizeof (sa));
395 if (!unformat_user (input, unformat_line_input, line_input))
398 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
400 if (unformat (line_input, "%u", &sa.id))
403 if (unformat (line_input, "crypto-key %U", unformat_hex_string, &ck))
404 sa.crypto_key_len = vec_len (ck);
406 if (unformat (line_input, "integ-key %U", unformat_hex_string, &ik))
407 sa.integ_key_len = vec_len (ik);
410 error = clib_error_return (0, "parse error: '%U'",
411 format_unformat_error, line_input);
416 if (sa.crypto_key_len > sizeof (sa.crypto_key))
417 sa.crypto_key_len = sizeof (sa.crypto_key);
419 if (sa.integ_key_len > sizeof (sa.integ_key))
420 sa.integ_key_len = sizeof (sa.integ_key);
423 strncpy ((char *) sa.crypto_key, (char *) ck, sa.crypto_key_len);
426 strncpy ((char *) sa.integ_key, (char *) ik, sa.integ_key_len);
428 ipsec_set_sa_key (vm, &sa);
431 unformat_free (line_input);
437 VLIB_CLI_COMMAND (set_ipsec_sa_key_command, static) = {
438 .path = "set ipsec sa",
440 "set ipsec sa <id> crypto-key <key> integ-key <key>",
441 .function = set_ipsec_sa_key_command_fn,
445 static clib_error_t *
446 show_ipsec_command_fn (vlib_main_t * vm,
447 unformat_input_t * input, vlib_cli_command_t * cmd)
452 ipsec_main_t *im = &ipsec_main;
454 ipsec_tunnel_if_t *t;
455 vnet_hw_interface_t *hi;
460 pool_foreach (sa, im->sad, ({
462 vlib_cli_output(vm, "sa %u spi %u mode %s protocol %s%s", sa->id, sa->spi,
463 sa->is_tunnel ? "tunnel" : "transport",
464 sa->protocol ? "esp" : "ah",
465 sa->udp_encap ? " udp-encap-enabled" : "");
466 if (sa->protocol == IPSEC_PROTOCOL_ESP) {
467 vlib_cli_output(vm, " crypto alg %U%s%U integrity alg %U%s%U",
468 format_ipsec_crypto_alg, sa->crypto_alg,
469 sa->crypto_alg ? " key " : "",
470 format_hex_bytes, sa->crypto_key, sa->crypto_key_len,
471 format_ipsec_integ_alg, sa->integ_alg,
472 sa->integ_alg ? " key " : "",
473 format_hex_bytes, sa->integ_key, sa->integ_key_len);
475 if (sa->is_tunnel && sa->is_tunnel_ip6) {
476 vlib_cli_output(vm, " tunnel src %U dst %U",
477 format_ip6_address, &sa->tunnel_src_addr.ip6,
478 format_ip6_address, &sa->tunnel_dst_addr.ip6);
479 } else if (sa->is_tunnel) {
480 vlib_cli_output(vm, " tunnel src %U dst %U",
481 format_ip4_address, &sa->tunnel_src_addr.ip4,
482 format_ip4_address, &sa->tunnel_dst_addr.ip4);
489 pool_foreach (spd, im->spds, ({
490 vlib_cli_output(vm, "spd %u", spd->id);
492 vlib_cli_output(vm, " outbound policies");
493 vec_foreach(i, spd->ipv4_outbound_policies)
495 p = pool_elt_at_index(spd->policies, *i);
496 vec_reset_length(protocol);
497 vec_reset_length(policy);
499 protocol = format(protocol, "%U", format_ip_protocol, p->protocol);
501 protocol = format(protocol, "any");
503 if (p->policy == IPSEC_POLICY_ACTION_PROTECT) {
504 policy = format(policy, " sa %u", p->sa_id);
507 vlib_cli_output(vm, " priority %d action %U protocol %v%v",
508 p->priority, format_ipsec_policy_action, p->policy,
510 vlib_cli_output(vm, " local addr range %U - %U port range %u - %u",
511 format_ip4_address, &p->laddr.start.ip4,
512 format_ip4_address, &p->laddr.stop.ip4,
513 p->lport.start, p->lport.stop);
514 vlib_cli_output(vm, " remte addr range %U - %U port range %u - %u",
515 format_ip4_address, &p->raddr.start.ip4,
516 format_ip4_address, &p->raddr.stop.ip4,
517 p->rport.start, p->rport.stop);
518 vlib_cli_output(vm, " packets %u bytes %u", p->counter.packets,
521 vec_foreach(i, spd->ipv6_outbound_policies)
523 p = pool_elt_at_index(spd->policies, *i);
524 vec_reset_length(protocol);
525 vec_reset_length(policy);
527 protocol = format(protocol, "%U", format_ip_protocol, p->protocol);
529 protocol = format(protocol, "any");
531 if (p->policy == IPSEC_POLICY_ACTION_PROTECT) {
532 policy = format(policy, " sa %u", p->sa_id);
534 vlib_cli_output(vm, " priority %d action %U protocol %v%v",
535 p->priority, format_ipsec_policy_action, p->policy,
537 vlib_cli_output(vm, " local addr range %U - %U port range %u - %u",
538 format_ip6_address, &p->laddr.start.ip6,
539 format_ip6_address, &p->laddr.stop.ip6,
540 p->lport.start, p->lport.stop);
541 vlib_cli_output(vm, " remote addr range %U - %U port range %u - %u",
542 format_ip6_address, &p->raddr.start.ip6,
543 format_ip6_address, &p->raddr.stop.ip6,
544 p->rport.start, p->rport.stop);
545 vlib_cli_output(vm, " packets %u bytes %u", p->counter.packets,
548 vlib_cli_output(vm, " inbound policies");
549 vec_foreach(i, spd->ipv4_inbound_protect_policy_indices)
551 p = pool_elt_at_index(spd->policies, *i);
552 vec_reset_length(protocol);
553 vec_reset_length(policy);
555 protocol = format(protocol, "%U", format_ip_protocol, p->protocol);
557 protocol = format(protocol, "any");
559 if (p->policy == IPSEC_POLICY_ACTION_PROTECT) {
560 policy = format(policy, " sa %u", p->sa_id);
562 vlib_cli_output(vm, " priority %d action %U protocol %v%v",
563 p->priority, format_ipsec_policy_action, p->policy,
565 vlib_cli_output(vm, " local addr range %U - %U port range %u - %u",
566 format_ip4_address, &p->laddr.start.ip4,
567 format_ip4_address, &p->laddr.stop.ip4,
568 p->lport.start, p->lport.stop);
569 vlib_cli_output(vm, " remte addr range %U - %U port range %u - %u",
570 format_ip4_address, &p->raddr.start.ip4,
571 format_ip4_address, &p->raddr.stop.ip4,
572 p->rport.start, p->rport.stop);
573 vlib_cli_output(vm, " packets %u bytes %u", p->counter.packets,
576 vec_foreach(i, spd->ipv4_inbound_policy_discard_and_bypass_indices)
578 p = pool_elt_at_index(spd->policies, *i);
579 vec_reset_length(protocol);
580 vec_reset_length(policy);
582 protocol = format(protocol, "%U", format_ip_protocol, p->protocol);
584 protocol = format(protocol, "any");
586 if (p->policy == IPSEC_POLICY_ACTION_PROTECT) {
587 policy = format(policy, " sa %u", p->sa_id);
589 vlib_cli_output(vm, " priority %d action %U protocol %v%v",
590 p->priority, format_ipsec_policy_action, p->policy,
592 vlib_cli_output(vm, " local addr range %U - %U port range %u - %u",
593 format_ip4_address, &p->laddr.start.ip4,
594 format_ip4_address, &p->laddr.stop.ip4,
595 p->lport.start, p->lport.stop);
596 vlib_cli_output(vm, " remte addr range %U - %U port range %u - %u",
597 format_ip4_address, &p->raddr.start.ip4,
598 format_ip4_address, &p->raddr.stop.ip4,
599 p->rport.start, p->rport.stop);
600 vlib_cli_output(vm, " packets %u bytes %u", p->counter.packets,
603 vec_foreach(i, spd->ipv6_inbound_protect_policy_indices)
605 p = pool_elt_at_index(spd->policies, *i);
606 vec_reset_length(protocol);
607 vec_reset_length(policy);
609 protocol = format(protocol, "%U", format_ip_protocol, p->protocol);
611 protocol = format(protocol, "any");
613 if (p->policy == IPSEC_POLICY_ACTION_PROTECT) {
614 policy = format(policy, " sa %u", p->sa_id);
616 vlib_cli_output(vm, " priority %d action %U protocol %v%v",
617 p->priority, format_ipsec_policy_action, p->policy,
619 vlib_cli_output(vm, " local addr range %U - %U port range %u - %u",
620 format_ip6_address, &p->laddr.start.ip6,
621 format_ip6_address, &p->laddr.stop.ip6,
622 p->lport.start, p->lport.stop);
623 vlib_cli_output(vm, " remote addr range %U - %U port range %u - %u",
624 format_ip6_address, &p->raddr.start.ip6,
625 format_ip6_address, &p->raddr.stop.ip6,
626 p->rport.start, p->rport.stop);
627 vlib_cli_output(vm, " packets %u bytes %u", p->counter.packets,
630 vec_foreach(i, spd->ipv6_inbound_policy_discard_and_bypass_indices)
632 p = pool_elt_at_index(spd->policies, *i);
633 vec_reset_length(protocol);
634 vec_reset_length(policy);
636 protocol = format(protocol, "%U", format_ip_protocol, p->protocol);
638 protocol = format(protocol, "any");
640 if (p->policy == IPSEC_POLICY_ACTION_PROTECT) {
641 policy = format(policy, " sa %u", p->sa_id);
643 vlib_cli_output(vm, " priority %d action %U protocol %v%v",
644 p->priority, format_ipsec_policy_action, p->policy,
646 vlib_cli_output(vm, " local addr range %U - %U port range %u - %u",
647 format_ip6_address, &p->laddr.start.ip6,
648 format_ip6_address, &p->laddr.stop.ip6,
649 p->lport.start, p->lport.stop);
650 vlib_cli_output(vm, " remote addr range %U - %U port range %u - %u",
651 format_ip6_address, &p->raddr.start.ip6,
652 format_ip6_address, &p->raddr.stop.ip6,
653 p->rport.start, p->rport.stop);
654 vlib_cli_output(vm, " packets %u bytes %u", p->counter.packets,
660 vlib_cli_output (vm, "tunnel interfaces");
662 pool_foreach (t, im->tunnel_interfaces, ({
663 if (t->hw_if_index == ~0)
665 hi = vnet_get_hw_interface (im->vnet_main, t->hw_if_index);
666 vlib_cli_output(vm, " %s seq", hi->name);
667 sa = pool_elt_at_index(im->sad, t->output_sa_index);
668 vlib_cli_output(vm, " seq %u seq-hi %u esn %u anti-replay %u",
669 sa->seq, sa->seq_hi, sa->use_esn, sa->use_anti_replay);
670 vlib_cli_output(vm, " local-spi %u local-ip %U", sa->spi,
671 format_ip4_address, &sa->tunnel_src_addr.ip4);
672 vlib_cli_output(vm, " local-crypto %U %U",
673 format_ipsec_crypto_alg, sa->crypto_alg,
674 format_hex_bytes, sa->crypto_key, sa->crypto_key_len);
675 vlib_cli_output(vm, " local-integrity %U %U",
676 format_ipsec_integ_alg, sa->integ_alg,
677 format_hex_bytes, sa->integ_key, sa->integ_key_len);
678 sa = pool_elt_at_index(im->sad, t->input_sa_index);
679 vlib_cli_output(vm, " last-seq %u last-seq-hi %u esn %u anti-replay %u window %U",
680 sa->last_seq, sa->last_seq_hi, sa->use_esn,
682 format_ipsec_replay_window, sa->replay_window);
683 vlib_cli_output(vm, " remote-spi %u remote-ip %U", sa->spi,
684 format_ip4_address, &sa->tunnel_src_addr.ip4);
685 vlib_cli_output(vm, " remote-crypto %U %U",
686 format_ipsec_crypto_alg, sa->crypto_alg,
687 format_hex_bytes, sa->crypto_key, sa->crypto_key_len);
688 vlib_cli_output(vm, " remote-integrity %U %U",
689 format_ipsec_integ_alg, sa->integ_alg,
690 format_hex_bytes, sa->integ_key, sa->integ_key_len);
699 VLIB_CLI_COMMAND (show_ipsec_command, static) = {
700 .path = "show ipsec",
701 .short_help = "show ipsec",
702 .function = show_ipsec_command_fn,
706 static clib_error_t *
707 clear_ipsec_counters_command_fn (vlib_main_t * vm,
708 unformat_input_t * input,
709 vlib_cli_command_t * cmd)
711 ipsec_main_t *im = &ipsec_main;
716 pool_foreach (spd, im->spds, ({
717 pool_foreach(p, spd->policies, ({
718 p->counter.packets = p->counter.bytes = 0;
727 VLIB_CLI_COMMAND (clear_ipsec_counters_command, static) = {
728 .path = "clear ipsec counters",
729 .short_help = "clear ipsec counters",
730 .function = clear_ipsec_counters_command_fn,
734 static clib_error_t *
735 create_ipsec_tunnel_command_fn (vlib_main_t * vm,
736 unformat_input_t * input,
737 vlib_cli_command_t * cmd)
739 unformat_input_t _line_input, *line_input = &_line_input;
740 ipsec_add_del_tunnel_args_t a;
743 clib_error_t *error = NULL;
745 memset (&a, 0, sizeof (a));
748 /* Get a line of input. */
749 if (!unformat_user (input, unformat_line_input, line_input))
752 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
755 (line_input, "local-ip %U", unformat_ip4_address, &a.local_ip))
759 (line_input, "remote-ip %U", unformat_ip4_address, &a.remote_ip))
761 else if (unformat (line_input, "local-spi %u", &a.local_spi))
763 else if (unformat (line_input, "remote-spi %u", &a.remote_spi))
765 else if (unformat (line_input, "instance %u", &a.show_instance))
767 else if (unformat (line_input, "del"))
771 error = clib_error_return (0, "unknown input `%U'",
772 format_unformat_error, line_input);
779 error = clib_error_return (0, "mandatory argument(s) missing");
783 rv = ipsec_add_del_tunnel_if (&a);
789 case VNET_API_ERROR_INVALID_VALUE:
791 error = clib_error_return (0,
792 "IPSec tunnel interface already exists...");
794 error = clib_error_return (0, "IPSec tunnel interface not exists...");
797 error = clib_error_return (0, "ipsec_register_interface returned %d",
803 unformat_free (line_input);
809 VLIB_CLI_COMMAND (create_ipsec_tunnel_command, static) = {
810 .path = "create ipsec tunnel",
811 .short_help = "create ipsec tunnel local-ip <addr> local-spi <spi> remote-ip <addr> remote-spi <spi> [instance <inst_num>]",
812 .function = create_ipsec_tunnel_command_fn,
816 static clib_error_t *
817 set_interface_key_command_fn (vlib_main_t * vm,
818 unformat_input_t * input,
819 vlib_cli_command_t * cmd)
821 unformat_input_t _line_input, *line_input = &_line_input;
822 ipsec_main_t *im = &ipsec_main;
823 ipsec_if_set_key_type_t type = IPSEC_IF_SET_KEY_TYPE_NONE;
824 u32 hw_if_index = (u32) ~ 0;
827 clib_error_t *error = NULL;
829 if (!unformat_user (input, unformat_line_input, line_input))
832 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
834 if (unformat (line_input, "%U",
835 unformat_vnet_hw_interface, im->vnet_main, &hw_if_index))
839 (line_input, "local crypto %U", unformat_ipsec_crypto_alg, &alg))
840 type = IPSEC_IF_SET_KEY_TYPE_LOCAL_CRYPTO;
843 (line_input, "remote crypto %U", unformat_ipsec_crypto_alg, &alg))
844 type = IPSEC_IF_SET_KEY_TYPE_REMOTE_CRYPTO;
847 (line_input, "local integ %U", unformat_ipsec_integ_alg, &alg))
848 type = IPSEC_IF_SET_KEY_TYPE_LOCAL_INTEG;
851 (line_input, "remote integ %U", unformat_ipsec_integ_alg, &alg))
852 type = IPSEC_IF_SET_KEY_TYPE_REMOTE_INTEG;
853 else if (unformat (line_input, "%U", unformat_hex_string, &key))
857 error = clib_error_return (0, "parse error: '%U'",
858 format_unformat_error, line_input);
863 if (type == IPSEC_IF_SET_KEY_TYPE_NONE)
865 error = clib_error_return (0, "unknown key type");
869 if (alg > 0 && vec_len (key) == 0)
871 error = clib_error_return (0, "key is not specified");
875 if (hw_if_index == (u32) ~ 0)
877 error = clib_error_return (0, "interface not specified");
881 ipsec_set_interface_key (im->vnet_main, hw_if_index, type, alg, key);
885 unformat_free (line_input);
891 VLIB_CLI_COMMAND (set_interface_key_command, static) = {
892 .path = "set interface ipsec key",
894 "set interface ipsec key <int> <local|remote> <crypto|integ> <key type> <key>",
895 .function = set_interface_key_command_fn,
900 ipsec_cli_init (vlib_main_t * vm)
905 VLIB_INIT_FUNCTION (ipsec_cli_init);
909 * fd.io coding-style-patch-verification: ON
912 * eval: (c-set-style "gnu")
Code Review / vpp.git / blob