ipsec: User can choose the UDP source port
Type: feature
Letting the user choose the UDP source port allows NAT traversal.
Signed-off-by: Neale Ranns <nranns@cisco.com>
Change-Id: Ie8650ceeb5074f98c68d2d90f6adc2f18afeba08
Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
diff --git a/src/vnet/ipsec/ipsec_api.c b/src/vnet/ipsec/ipsec_api.c
index 4a55a29..ad2665a 100644
--- a/src/vnet/ipsec/ipsec_api.c
+++ b/src/vnet/ipsec/ipsec_api.c
@@ -374,7 +374,8 @@
crypto_alg, &crypto_key,
integ_alg, &integ_key, flags,
0, mp->entry.salt, &tun_src, &tun_dst,
- &sa_index, IPSEC_UDP_PORT_NONE);
+ &sa_index, htons (mp->entry.udp_src_port),
+ htons (mp->entry.udp_dst_port));
else
rv = ipsec_sa_unlock_id (id);
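Review bot: The message fields udp_src_port and udp_dst_port are now handed to ipsec_sa_add_and_lock unconditionally at L16–L17, so a client that leaves them zero passes port 0 where IPSEC_UDP_PORT_NONE used to be passed; unless ipsec_sa_add_and_lock (outside the hunk) maps 0 to a default, the UDP encapsulation would likely go out with a zero source port, which NATs and peers tend to discard. I would make the unset case explicit before the call, e.g. `u16 udp_src = mp->entry.udp_src_port ? htons (mp->entry.udp_src_port) : IPSEC_UDP_PORT_NONE;` and the same for the destination, and pass those in. Note also that the dump side of this change copies sa->udp_hdr ports out without any swap while this side applies htons, which is only round-trip consistent if the API field is in host order; a short comment stating which byte order the API field carries would settle that for the next reader. The ipsec_sad_entry_add_del handler begins and ends outside the hunk.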
@@ -665,7 +666,7 @@
(flags | IPSEC_SA_FLAG_IS_INBOUND),
ntohl (mp->tx_table_id),
mp->salt, &remote_ip, &local_ip, NULL,
- IPSEC_UDP_PORT_NONE);
+ IPSEC_UDP_PORT_NONE, IPSEC_UDP_PORT_NONE);
if (rv)
goto done;
@@ -680,7 +681,7 @@
flags,
ntohl (mp->tx_table_id),
mp->salt, &local_ip, &remote_ip, NULL,
- IPSEC_UDP_PORT_NONE);
+ IPSEC_UDP_PORT_NONE, IPSEC_UDP_PORT_NONE);
if (rv)
goto done;
@@ -816,6 +817,11 @@
ip_address_encode (&sa->tunnel_dst_addr, IP46_TYPE_ANY,
&mp->entry.tunnel_dst);
}
+ if (ipsec_sa_is_set_UDP_ENCAP (sa))
+ {
+ mp->entry.udp_src_port = sa->udp_hdr.src_port;
+ mp->entry.udp_dst_port = sa->udp_hdr.dst_port;
+ }
mp->seq_outbound = clib_host_to_net_u64 (((u64) sa->seq));
mp->last_seq_inbound = clib_host_to_net_u64 (((u64) sa->last_seq));
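Review bot: When UDP_ENCAP is not set on the SA, the new branch at L40–L44 leaves mp->entry.udp_src_port and mp->entry.udp_dst_port untouched; if the reply message is not zeroed before this point (its allocation is outside the hunk), those two fields carry whatever the allocator left in memory out to the API client, an information leak of stale contents. I would add an explicit else branch, `else mp->entry.udp_src_port = mp->entry.udp_dst_port = 0;` (or whichever value the add path treats as unset), or confirm that the message is memset on allocation. The ports are copied straight from sa->udp_hdr in whatever byte order the SA stores them, while the add path applies htons to the incoming values; a one-line comment such as `/* udp_hdr ports are stored in network byte order — no swap here */` would tell the client-side decoder what to expect, after verifying that is actually the case. The dump function continues outside the hunk.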