static_always_inline u16
ikev2_get_port (ikev2_sa_t * sa)
{
- return sa->natt ? IKEV2_PORT_NATT : IKEV2_PORT;
+ return ikev2_natt_active (sa) ? IKEV2_PORT_NATT : IKEV2_PORT;
}
static_always_inline int
sa->profile_index = sai->profile_index;
sa->tun_itf = sai->tun_itf;
sa->is_tun_itf_set = sai->is_tun_itf_set;
+ sa->natt_state = sai->natt_state;
sa->i_id.data = _(sai->i_id.data);
sa->r_id.data = _(sai->r_id.data);
sa->i_auth.method = sai->i_auth.method;
udp->src_port);
if (clib_memcmp (src_sha, n->data, vec_len (src_sha)))
{
- sa->natt = 1;
+ if (sa->natt_state == IKEV2_NATT_ENABLED)
+ sa->natt_state = IKEV2_NATT_ACTIVE;
ikev2_elog_uint (IKEV2_LOG_DEBUG, "ispi %lx initiator"
" behind NAT", sa->ispi);
}
udp->dst_port);
if (clib_memcmp (dst_sha, n->data, vec_len (dst_sha)))
{
- sa->natt = 1;
+ if (sa->natt_state == IKEV2_NATT_ENABLED)
+ sa->natt_state = IKEV2_NATT_ACTIVE;
ikev2_elog_uint (IKEV2_LOG_DEBUG, "ispi %lx responder"
" (self) behind NAT", sa->ispi);
}
udp->dst_port);
if (clib_memcmp (dst_sha, n->data, vec_len (dst_sha)))
{
- sa->natt = 1;
+ if (sa->natt_state == IKEV2_NATT_ENABLED)
+ sa->natt_state = IKEV2_NATT_ACTIVE;
ikev2_elog_uint (IKEV2_LOG_DEBUG, "ispi %lx initiator"
" (self) behind NAT", sa->ispi);
}
a.flags |= IPSEC_SA_FLAG_IS_TUNNEL;
a.flags |= IPSEC_SA_FLAG_UDP_ENCAP;
}
- if (sa->natt)
+ if (ikev2_natt_active (sa))
a.flags |= IPSEC_SA_FLAG_UDP_ENCAP;
a.is_rekey = is_rekey;
a.salt_remote = child->salt_ei;
a.salt_local = child->salt_er;
}
- a.dst_port = sa->natt ? sa->dst_port : sa->ipsec_over_udp_port;
+ a.dst_port =
+ ikev2_natt_active (sa) ? sa->dst_port : sa->ipsec_over_udp_port;
a.src_port = sa->ipsec_over_udp_port;
}
clib_net_to_host_u16 (ikev2_get_port (sa0));
if (udp0->dst_port == clib_net_to_host_u16 (IKEV2_PORT_NATT)
- && sa0->natt)
+ && ikev2_natt_active (sa0))
{
if (!has_non_esp_marker)
slen = ikev2_insert_non_esp_marker (ike0, slen);
if (~0 == len)
return;
- if (sa->natt)
+ if (ikev2_natt_active (sa))
len = ikev2_insert_non_esp_marker (ike0, len);
if (sa->is_initiator)
sa.state = IKEV2_STATE_SA_INIT;
sa.tun_itf = p->tun_itf;
sa.udp_encap = p->udp_encap;
+ if (p->natt_disabled)
+ sa.natt_state = IKEV2_NATT_DISABLED;
sa.ipsec_over_udp_port = p->ipsec_over_udp_port;
sa.is_tun_itf_set = 1;
sa.initial_contact = 1;
if (~0 == len)
return;
- if (sa->natt)
+ if (ikev2_natt_active (sa))
len = ikev2_insert_non_esp_marker (ike0, len);
ikev2_send_ike (vm, &sa->iaddr, &sa->raddr, bi0, len,
ikev2_get_port (sa), sa->dst_port, sa->sw_if_index);
if (~0 == len)
return;
- if (sa->natt)
+ if (ikev2_natt_active (sa))
len = ikev2_insert_non_esp_marker (ike0, len);
ikev2_send_ike (vm, &sa->iaddr, &sa->raddr, bi0, len,
ikev2_get_port (sa), ikev2_get_port (sa), sa->sw_if_index);
return 0;
}
+clib_error_t *
+ikev2_profile_natt_disable (u8 * name)
+{
+ ikev2_profile_t *p = ikev2_profile_index_by_name (name);
+ if (!p)
+ return clib_error_return (0, "unknown profile %v", name);
+
+ p->natt_disabled = 1;
+ return 0;
+}
+
static void
ikev2_mngr_process_ipsec_sa (ipsec_sa_t * ipsec_sa)
{
if (~0 == len)
return;
- if (sa->natt)
+ if (ikev2_natt_active (sa))
len = ikev2_insert_non_esp_marker (ike0, len);
if (sa->is_initiator)
Code Review / vpp.git / blobdiff