ikev2: fix udp encap 95/29795/2
authorFilip Tehlar <ftehlar@cisco.com>
Fri, 6 Nov 2020 11:00:42 +0000 (11:00 +0000)
committerBeno�t Ganne <bganne@cisco.com>
Mon, 9 Nov 2020 10:03:07 +0000 (10:03 +0000)
Type: fix

Change-Id: I8c66f79f2d8cfff7c6d45e1fc5b529ffb3941491
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
src/plugins/ikev2/ikev2.c
src/plugins/ikev2/test/test_ikev2.py

index ad727a9..a2e4247 100644 (file)
@@ -1815,7 +1815,6 @@ ikev2_add_tunnel_from_main (ikev2_add_ipsec_tunnel_args_t * a)
   ikev2_main_t *km = &ikev2_main;
   u32 sw_if_index;
   int rv = 0;
-  ip46_address_t zero_addr = ip46_address_initializer;
 
   if (~0 == a->sw_if_index)
     {
@@ -1864,16 +1863,16 @@ ikev2_add_tunnel_from_main (ikev2_add_ipsec_tunnel_args_t * a)
                               a->local_spi,
                               IPSEC_PROTOCOL_ESP, a->encr_type,
                               &a->loc_ckey, a->integ_type, &a->loc_ikey,
-                              a->flags, 0, a->salt_local, &zero_addr,
-                              &zero_addr, TUNNEL_ENCAP_DECAP_FLAG_NONE,
+                              a->flags, 0, a->salt_local, &a->local_ip,
+                              &a->remote_ip, TUNNEL_ENCAP_DECAP_FLAG_NONE,
                               IP_DSCP_CS0, NULL, a->src_port, a->dst_port);
 
   rv |= ipsec_sa_add_and_lock (a->remote_sa_id, a->remote_spi,
                               IPSEC_PROTOCOL_ESP, a->encr_type, &a->rem_ckey,
                               a->integ_type, &a->rem_ikey,
                               (a->flags | IPSEC_SA_FLAG_IS_INBOUND), 0,
-                              a->salt_remote, &zero_addr,
-                              &zero_addr, TUNNEL_ENCAP_DECAP_FLAG_NONE,
+                              a->salt_remote, &a->remote_ip,
+                              &a->local_ip, TUNNEL_ENCAP_DECAP_FLAG_NONE,
                               IP_DSCP_CS0, NULL,
                               a->ipsec_over_udp_port,
                               a->ipsec_over_udp_port);
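Review bot: Nothing in the new lines records why the zero addresses were replaced by `&a->local_ip`/`&a->remote_ip`, and the inbound SA deliberately passes them in the opposite order to the outbound one, so a short comment above the first call would help the next reader, e.g. `/* outer addresses are the IKE SA endpoints; both SAs need them for UDP encap, inbound SA sees them from the peer's side */`. The endpoints are now passed unconditionally, so it is worth confirming that ipsec_sa_add_and_lock disregards them when `a->flags` carries neither a tunnel nor a UDP-encap flag, since that flag set is computed outside this hunk. The deletion of the now-unused `zero_addr` in the earlier hunk at line 1815 is the matching cleanup. ikev2_add_tunnel_from_main starts before this hunk (the assignment of the first call's result is not visible) and continues after it.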
index d065d46..61dd53e 100644 (file)
@@ -181,7 +181,9 @@ class IKEv2SA(object):
     def __init__(self, test, is_initiator=True, i_id=None, r_id=None,
                  spi=b'\x01\x02\x03\x04\x05\x06\x07\x08', id_type='fqdn',
                  nonce=None, auth_data=None, local_ts=None, remote_ts=None,
-                 auth_method='shared-key', priv_key=None, natt=False):
+                 auth_method='shared-key', priv_key=None, natt=False,
+                 udp_encap=False):
+        self.udp_encap = udp_encap
         self.natt = natt
         if natt:
             self.sport = 4500
@@ -662,6 +664,13 @@ class IkePeer(VppTestCase):
         assert(len(res) == tlen)
         return res
 
+    def verify_udp_encap(self, ipsec_sa):
+        e = VppEnum.vl_api_ipsec_sad_flags_t
+        if self.sa.udp_encap or self.sa.natt:
+            self.assertIn(e.IPSEC_API_SAD_FLAG_UDP_ENCAP, ipsec_sa.flags)
+        else:
+            self.assertNotIn(e.IPSEC_API_SAD_FLAG_UDP_ENCAP, ipsec_sa.flags)
+
     def verify_ipsec_sas(self, is_rekey=False):
         sas = self.vapi.ipsec_sa_dump()
         if is_rekey:
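Review bot: verify_udp_encap has no docstring, and its condition `self.sa.udp_encap or self.sa.natt` encodes a rule worth stating explicitly: NAT-T implies UDP encapsulation even when the profile did not request it. A docstring such as `"""Assert ipsec_sa carries IPSEC_API_SAD_FLAG_UDP_ENCAP exactly when udp_encap or NAT-T is enabled on the IKE SA."""` would cover it. The removal of the local `e` in the next hunk (old line 674 of verify_ipsec_sas) is safe only if no later statement of that method still references it; the rest of verify_ipsec_sas is outside this diff.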
@@ -671,7 +680,6 @@ class IkePeer(VppTestCase):
         else:
             sa_count = 2
         self.assertEqual(len(sas), sa_count)
-        e = VppEnum.vl_api_ipsec_sad_flags_t
         if self.sa.is_initiator:
             if is_rekey:
                 sa0 = sas[0].entry
@@ -689,6 +697,8 @@ class IkePeer(VppTestCase):
 
         c = self.sa.child_sas[0]
 
+        self.verify_udp_encap(sa0)
+        self.verify_udp_encap(sa1)
         vpp_crypto_alg = self.vpp_enums[self.sa.vpp_esp_cypto_alg]
         self.assertEqual(sa0.crypto_algorithm, vpp_crypto_alg)
         self.assertEqual(sa1.crypto_algorithm, vpp_crypto_alg)
@@ -1332,13 +1342,17 @@ class Ikev2Params(object):
         if 'esp_transforms' in params:
             self.p.add_esp_transforms(params['esp_transforms'])
 
+        udp_encap = False if 'udp_encap' not in params else\
+            params['udp_encap']
+        if udp_encap:
+            self.p.set_udp_encap(True)
+
         self.sa = IKEv2SA(self, i_id=idi['data'], r_id=idr['data'],
                           is_initiator=is_init,
                           id_type=self.p.local_id['id_type'], natt=is_natt,
                           priv_key=client_priv, auth_method=auth_method,
-                          auth_data=auth_data,
+                          auth_data=auth_data, udp_encap=udp_encap,
                           local_ts=self.p.remote_ts, remote_ts=self.p.local_ts)
-
         if is_init:
             ike_crypto = ('AES-CBC', 32) if 'ike-crypto' not in params else\
                 params['ike-crypto']
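Review bot: The two-line conditional `udp_encap = False if 'udp_encap' not in params else params['udp_encap']` is equivalent to `udp_encap = params.get('udp_encap', False)`, which is the usual dict-lookup idiom and avoids the line continuation; the neighbouring `ike_crypto` lookup uses the same older pattern, so this may be for consistency, but new code need not copy it. `self.p.set_udp_encap(True)` relies on a profile helper not shown in this diff; presumably it already exists on the profile object, worth confirming. The enclosing method starts and ends outside the hunk.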
@@ -1687,6 +1701,7 @@ class TestResponderRsaSign(TemplateResponder, Ikev2Params):
     """ test ikev2 responder - cert based auth """
     def config_tc(self):
         self.config_params({
+            'udp_encap': True,
             'auth': 'rsa-sig',
             'server-key': 'server-key.pem',
             'client-key': 'client-key.pem',
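Review bot: Only TestResponderRsaSign sets `'udp_encap': True`, so the positive branch of verify_udp_encap is exercised solely on the responder side (plus NAT-T cases via natt); if the initiator side reaches the same ikev2_add_tunnel_from_main path, its new `&a->local_ip`/`&a->remote_ip` assignment has no udp_encap test. Adding `'udp_encap': True` to one initiator test case would cover both orientations of the endpoint assignment. config_tc's parameter dict continues past the hunk.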