units "packets";
description "IKE rekey requests received";
};
- exchange_sa_req {
+ init_sa_req {
severity info;
type counter64;
units "packets";
u32 sw_if_index;
} ikev2_trace_t;
-typedef struct
-{
- u16 n_keepalives;
- u16 n_rekey_req;
- u16 n_exchange_sa_req;
- u16 n_ike_auth_req;
-} ikev2_stats_t;
-
static u8 *
format_ikev2_trace (u8 * s, va_list * args)
{
{
ASSERT (stats != 0);
stats->n_keepalives++;
+ sa->stats.n_keepalives++;
}
}
}
/* req is retransmit */
if (sa->state == IKEV2_STATE_SA_INIT)
{
+ sa->stats.n_init_retransmit++;
tmp = (ike_header_t *) sa->last_sa_init_res_packet_data;
u32 slen = clib_net_to_host_u32 (tmp->length);
ike->ispi = tmp->ispi;
/* retransmitted req */
if (msg_id == sa->last_msg_id)
{
+ sa->stats.n_retransmit++;
ike_header_t *tmp = (ike_header_t *) sa->last_res_packet_data;
u32 slen = clib_net_to_host_u32 (tmp->length);
ike->ispi = tmp->ispi;
s->n_keepalives);
vlib_node_increment_counter (vm, node_index, IKEV2_ERROR_REKEY_REQ,
s->n_rekey_req);
- vlib_node_increment_counter (vm, node_index, IKEV2_ERROR_EXCHANGE_SA_REQ,
- s->n_exchange_sa_req);
+ vlib_node_increment_counter (vm, node_index, IKEV2_ERROR_INIT_SA_REQ,
+ s->n_sa_init_req);
vlib_node_increment_counter (vm, node_index, IKEV2_ERROR_IKE_AUTH_REQ,
- s->n_ike_auth_req);
+ s->n_sa_auth_req);
}
static_always_inline uword
if (ike_hdr_is_initiator (ike0))
{
- stats->n_exchange_sa_req++;
+ sa0->stats.n_sa_init_req++;
+ stats->n_sa_init_req++;
if (ike0->rspi == 0)
{
if (is_ip4)
}
else
{
- stats->n_ike_auth_req++;
+ sa0->stats.n_sa_auth_req++;
+ stats->n_sa_auth_req++;
ike0->flags = IKEV2_HDR_FLAG_RESPONSE;
slen =
ikev2_generate_message (b0, sa0, ike0, 0, udp0, stats);
else
{
stats->n_rekey_req++;
+ sa0->stats.n_rekey_req++;
ike0->flags = IKEV2_HDR_FLAG_RESPONSE;
slen =
ikev2_generate_message (b0, sa0, ike0, 0, udp0, stats);
/* *INDENT-ON* */
}
+static void
+ikev2_copy_stats (vl_api_ikev2_sa_stats_t *dst, const ikev2_stats_t *src)
+{
+ dst->n_rekey_req = src->n_rekey_req;
+ dst->n_keepalives = src->n_keepalives;
+ dst->n_retransmit = src->n_retransmit;
+ dst->n_init_sa_retransmit = src->n_init_retransmit;
+ dst->n_sa_init_req = src->n_sa_init_req;
+ dst->n_sa_auth_req = src->n_sa_auth_req;
+}
+
static void
send_sa (ikev2_sa_t * sa, vl_api_ikev2_sa_dump_t * mp, u32 api_sa_index)
{
k->sk_pr_len = vec_len (sa->sk_pr);
clib_memcpy (&k->sk_pr, sa->sk_pr, k->sk_pr_len);
+ ikev2_copy_stats (&rsa->stats, &sa->stats);
+
vl_api_ikev2_sa_t_endian(rsa);
});
/* *INDENT-ON* */
format_ikev2_child_sa, child, child - sa->childs);
}
+ s = format (s, "Stats:\n");
+ s = format (s, " keepalives :%u\n", sa->stats.n_keepalives);
+ s = format (s, " rekey :%u\n", sa->stats.n_rekey_req);
+ s = format (s, " SA init :%u (retransmit: %u)\n", sa->stats.n_sa_init_req,
+ sa->stats.n_init_retransmit);
+ s = format (s, " retransmit: %u\n", sa->stats.n_retransmit);
+ s = format (s, " SA auth :%u\n", sa->stats.n_sa_auth_req);
+
return s;
}
#define ikev2_natt_active(_sa) ((_sa)->natt_state == IKEV2_NATT_ACTIVE)
+typedef struct
+{
+ u16 n_keepalives;
+ u16 n_rekey_req;
+ u16 n_sa_auth_req;
+ u16 n_sa_init_req;
+ u16 n_init_retransmit;
+ u16 n_retransmit;
+} ikev2_stats_t;
+
typedef struct
{
ikev2_state_t state;
/* is NAT traversal mode */
ikev2_natt_state_t natt_state;
u8 keys_generated;
+
+ ikev2_stats_t stats;
} ikev2_sa_t;
vl_api_ikev2_sa_transform_t esn;
};
+typedef ikev2_sa_stats
+{
+ u16 n_keepalives;
+ u16 n_rekey_req;
+ u16 n_sa_init_req;
+ u16 n_sa_auth_req;
+ u16 n_retransmit;
+ u16 n_init_sa_retransmit;
+};
+
typedef ikev2_sa
{
u32 sa_index;
vl_api_ikev2_sa_transform_t integrity;
vl_api_ikev2_sa_transform_t prf;
vl_api_ikev2_sa_transform_t dh;
+
+ vl_api_ikev2_sa_stats_t stats;
};
def verify_counters(self):
self.assert_counter(2, 'processed', self.IKE_NODE_SUFFIX)
- self.assert_counter(1, 'exchange_sa_req', self.IKE_NODE_SUFFIX)
+ self.assert_counter(1, 'init_sa_req', self.IKE_NODE_SUFFIX)
self.assert_counter(1, 'ike_auth_req', self.IKE_NODE_SUFFIX)
+ r = self.vapi.ikev2_sa_dump()
+ s = r[0].sa.stats
+ self.assertEqual(1, s.n_sa_auth_req)
+ self.assertEqual(1, s.n_sa_init_req)
+
def test_responder(self):
self.send_sa_init_req()
self.send_sa_auth()
self.sa.calc_child_keys()
self.verify_ike_sas()
self.verify_ipsec_sas(is_rekey=True)
+ self.assert_counter(1, 'rekey_req', 'ip4')
+ r = self.vapi.ikev2_sa_dump()
+ self.assertEqual(r[0].sa.stats.n_rekey_req, 1)
class TestResponderRsaSign(TemplateResponder, Ikev2Params):
plain = self.sa.hmac_and_decrypt(ih)
self.assertEqual(plain, b'')
self.assert_counter(1, 'keepalive', 'ip4')
+ r = self.vapi.ikev2_sa_dump()
+ self.assertEqual(1, r[0].sa.stats.n_keepalives)
def test_initiator(self):
super(TestInitiatorKeepaliveMsg, self).test_initiator()