Implemented IKEv2 initiator features:
- IKE_SA_INIT and IKE_AUTH initial exchanges
- Delete IKA SA
- Rekey and delete Child SA
- Child SAs lifetime policy
To set up one VPP instance as the initiator use the following CLI commands (or API equivalents):
ikev2 profile set <id> responder <interface> <addr>
ikev2 profile set <id> ike-crypto-alg <crypto alg> <key size> ike-integ-alg <integ alg> ike-dh <dh type>
ikev2 profile set <id> esp-crypto-alg <crypto alg> <key size> esp-integ-alg <integ alg> esp-dh <dh type>
ikev2 profile set <id> sa-lifetime <seconds> <jitter> <handover> <max bytes>
and finally
ikev2 initiate sa-init <profile id> to initiate the IKE_SA_INIT exchange
Child SA re-keying process:
1. Child SA expires
2. A new Child SA is created using the Child SA rekey exchange
3. For a set time both SAs are alive
4. After the set time interval expires old SA is deleted
Any additional settings will not be carried over (i.e. settings of the ipsec<x> interface associated with the Child SA)
CLI API additions:
ikev2 profile set <id> responder <interface> <addr>
ikev2 profile set <id> ike-crypto-alg <crypto alg> <key size> ike-integ-alg <integ alg> ike-dh <dh type>
ikev2 profile set <id> esp-crypto-alg <crypto alg> <key size> esp-integ-alg <integ alg> esp-dh <dh type>
ikev2 profile set <id> sa-lifetime <seconds> <jitter> <handover> <max bytes>
ikev2 initiate sa-init <profile id>
ikev2 initiate del-child-sa <child sa ispi>
ikev2 initiate del-sa <sa ispi>
ikev2 initiate rekey-child-sa <profile id> <child sa ispi>
Sample configurations:
Responder:
ikev2 profile add pr1
ikev2 profile set pr1 auth shared-key-mic string Vpp123
ikev2 profile set pr1 id local fqdn vpp.home.responder
ikev2 profile set pr1 id remote fqdn vpp.home.initiator
ikev2 profile set pr1 traffic-selector remote ip-range 192.168.125.0 - 192.168.125.255 port-range 0 - 65535 protocol 0
ikev2 profile set pr1 traffic-selector local ip-range 192.168.124.0 - 192.168.124.255 port-range 0 - 65535 protocol 0
Initiator:
ikev2 profile add pr1
ikev2 profile set pr1 auth shared-key-mic string Vpp123
ikev2 profile set pr1 id local fqdn vpp.home.initiator
ikev2 profile set pr1 id remote fqdn vpp.home.responder
ikev2 profile set pr1 traffic-selector local ip-range 192.168.125.0 - 192.168.125.255 port-range 0 - 65535 protocol 0
ikev2 profile set pr1 traffic-selector remote ip-range 192.168.124.0 - 192.168.124.255 port-range 0 - 65535 protocol 0
ikev2 profile set pr1 responder TenGigabitEthernet3/0/1 192.168.40.20
ikev2 profile set pr1 ike-crypto-alg aes-cbc 192 ike-integ-alg sha1-96 ike-dh modp-2048
ikev2 profile set pr1 esp-crypto-alg aes-cbc 192 esp-integ-alg sha1-96 esp-dh ecp-256
ikev2 profile set pr1 sa-lifetime 3600 10 5 0
Change-Id: I1db9084dc787129ea61298223fb7585a6f7eaf9e
Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>
diff --git a/src/vnet/ipsec/ipsec_api.c b/src/vnet/ipsec/ipsec_api.c
index 3073226..49b475c 100644
--- a/src/vnet/ipsec/ipsec_api.c
+++ b/src/vnet/ipsec/ipsec_api.c
@@ -58,7 +58,15 @@
_(IKEV2_PROFILE_SET_AUTH, ikev2_profile_set_auth) \
_(IKEV2_PROFILE_SET_ID, ikev2_profile_set_id) \
_(IKEV2_PROFILE_SET_TS, ikev2_profile_set_ts) \
-_(IKEV2_SET_LOCAL_KEY, ikev2_set_local_key)
+_(IKEV2_SET_LOCAL_KEY, ikev2_set_local_key) \
+_(IKEV2_SET_RESPONDER, ikev2_set_responder) \
+_(IKEV2_SET_IKE_TRANSFORMS, ikev2_set_ike_transforms) \
+_(IKEV2_SET_ESP_TRANSFORMS, ikev2_set_esp_transforms) \
+_(IKEV2_SET_SA_LIFETIME, ikev2_set_sa_lifetime) \
+_(IKEV2_INITIATE_SA_INIT, ikev2_initiate_sa_init) \
+_(IKEV2_INITIATE_DEL_IKE_SA, ikev2_initiate_del_ike_sa) \
+_(IKEV2_INITIATE_DEL_CHILD_SA, ikev2_initiate_del_child_sa) \
+_(IKEV2_INITIATE_REKEY_CHILD_SA, ikev2_initiate_rekey_child_sa)
static void vl_api_ipsec_spd_add_del_t_handler
(vl_api_ipsec_spd_add_del_t * mp)
@@ -461,6 +469,194 @@
REPLY_MACRO (VL_API_IKEV2_SET_LOCAL_KEY_REPLY);
}
+static void
+vl_api_ikev2_set_responder_t_handler (vl_api_ikev2_set_responder_t * mp)
+{
+ vl_api_ikev2_set_responder_reply_t *rmp;
+ int rv = 0;
+
+#if WITH_LIBSSL > 0
+ vlib_main_t *vm = vlib_get_main ();
+ clib_error_t *error;
+
+ u8 *tmp = format (0, "%s", mp->name);
+ ip4_address_t ip4;
+ clib_memcpy (&ip4, mp->address, sizeof (ip4));
+
+ error = ikev2_set_profile_responder (vm, tmp, mp->sw_if_index, ip4);
+ vec_free (tmp);
+ if (error)
+ rv = VNET_API_ERROR_UNSPECIFIED;
+#else
+ rv = VNET_API_ERROR_UNIMPLEMENTED;
+#endif
+
+ REPLY_MACRO (VL_API_IKEV2_SET_RESPONDER_REPLY);
+}
+
+static void
+vl_api_ikev2_set_ike_transforms_t_handler (vl_api_ikev2_set_ike_transforms_t *
+ mp)
+{
+ vl_api_ikev2_set_ike_transforms_reply_t *rmp;
+ int rv = 0;
+
+#if WITH_LIBSSL > 0
+ vlib_main_t *vm = vlib_get_main ();
+ clib_error_t *error;
+
+ u8 *tmp = format (0, "%s", mp->name);
+
+ error =
+ ikev2_set_profile_ike_transforms (vm, tmp, mp->crypto_alg, mp->integ_alg,
+ mp->dh_group, mp->crypto_key_size);
+ vec_free (tmp);
+ if (error)
+ rv = VNET_API_ERROR_UNSPECIFIED;
+#else
+ rv = VNET_API_ERROR_UNIMPLEMENTED;
+#endif
+
+ REPLY_MACRO (VL_API_IKEV2_SET_IKE_TRANSFORMS_REPLY);
+}
+
+static void
+vl_api_ikev2_set_esp_transforms_t_handler (vl_api_ikev2_set_esp_transforms_t *
+ mp)
+{
+ vl_api_ikev2_set_esp_transforms_reply_t *rmp;
+ int rv = 0;
+
+#if WITH_LIBSSL > 0
+ vlib_main_t *vm = vlib_get_main ();
+ clib_error_t *error;
+
+ u8 *tmp = format (0, "%s", mp->name);
+
+ error =
+ ikev2_set_profile_esp_transforms (vm, tmp, mp->crypto_alg, mp->integ_alg,
+ mp->dh_group, mp->crypto_key_size);
+ vec_free (tmp);
+ if (error)
+ rv = VNET_API_ERROR_UNSPECIFIED;
+#else
+ rv = VNET_API_ERROR_UNIMPLEMENTED;
+#endif
+
+ REPLY_MACRO (VL_API_IKEV2_SET_ESP_TRANSFORMS_REPLY);
+}
+
+static void
+vl_api_ikev2_set_sa_lifetime_t_handler (vl_api_ikev2_set_sa_lifetime_t * mp)
+{
+ vl_api_ikev2_set_sa_lifetime_reply_t *rmp;
+ int rv = 0;
+
+#if WITH_LIBSSL > 0
+ vlib_main_t *vm = vlib_get_main ();
+ clib_error_t *error;
+
+ u8 *tmp = format (0, "%s", mp->name);
+
+ error =
+ ikev2_set_profile_sa_lifetime (vm, tmp, mp->lifetime, mp->lifetime_jitter,
+ mp->handover, mp->lifetime_maxdata);
+ vec_free (tmp);
+ if (error)
+ rv = VNET_API_ERROR_UNSPECIFIED;
+#else
+ rv = VNET_API_ERROR_UNIMPLEMENTED;
+#endif
+
+ REPLY_MACRO (VL_API_IKEV2_SET_SA_LIFETIME_REPLY);
+}
+
+static void
+vl_api_ikev2_initiate_sa_init_t_handler (vl_api_ikev2_initiate_sa_init_t * mp)
+{
+ vl_api_ikev2_initiate_sa_init_reply_t *rmp;
+ int rv = 0;
+
+#if WITH_LIBSSL > 0
+ vlib_main_t *vm = vlib_get_main ();
+ clib_error_t *error;
+
+ u8 *tmp = format (0, "%s", mp->name);
+
+ error = ikev2_initiate_sa_init (vm, tmp);
+ vec_free (tmp);
+ if (error)
+ rv = VNET_API_ERROR_UNSPECIFIED;
+#else
+ rv = VNET_API_ERROR_UNIMPLEMENTED;
+#endif
+
+ REPLY_MACRO (VL_API_IKEV2_INITIATE_SA_INIT_REPLY);
+}
+
+static void
+vl_api_ikev2_initiate_del_ike_sa_t_handler (vl_api_ikev2_initiate_del_ike_sa_t
+ * mp)
+{
+ vl_api_ikev2_initiate_del_ike_sa_reply_t *rmp;
+ int rv = 0;
+
+#if WITH_LIBSSL > 0
+ vlib_main_t *vm = vlib_get_main ();
+ clib_error_t *error;
+
+ error = ikev2_initiate_delete_ike_sa (vm, mp->ispi);
+ if (error)
+ rv = VNET_API_ERROR_UNSPECIFIED;
+#else
+ rv = VNET_API_ERROR_UNIMPLEMENTED;
+#endif
+
+ REPLY_MACRO (VL_API_IKEV2_INITIATE_DEL_IKE_SA_REPLY);
+}
+
+static void
+ vl_api_ikev2_initiate_del_child_sa_t_handler
+ (vl_api_ikev2_initiate_del_child_sa_t * mp)
+{
+ vl_api_ikev2_initiate_del_child_sa_reply_t *rmp;
+ int rv = 0;
+
+#if WITH_LIBSSL > 0
+ vlib_main_t *vm = vlib_get_main ();
+ clib_error_t *error;
+
+ error = ikev2_initiate_delete_child_sa (vm, mp->ispi);
+ if (error)
+ rv = VNET_API_ERROR_UNSPECIFIED;
+#else
+ rv = VNET_API_ERROR_UNIMPLEMENTED;
+#endif
+
+ REPLY_MACRO (VL_API_IKEV2_INITIATE_DEL_CHILD_SA_REPLY);
+}
+
+static void
+ vl_api_ikev2_initiate_rekey_child_sa_t_handler
+ (vl_api_ikev2_initiate_rekey_child_sa_t * mp)
+{
+ vl_api_ikev2_initiate_rekey_child_sa_reply_t *rmp;
+ int rv = 0;
+
+#if WITH_LIBSSL > 0
+ vlib_main_t *vm = vlib_get_main ();
+ clib_error_t *error;
+
+ error = ikev2_initiate_rekey_child_sa (vm, mp->ispi);
+ if (error)
+ rv = VNET_API_ERROR_UNSPECIFIED;
+#else
+ rv = VNET_API_ERROR_UNIMPLEMENTED;
+#endif
+
+ REPLY_MACRO (VL_API_IKEV2_INITIATE_REKEY_CHILD_SA_REPLY);
+}
+
/*
* ipsec_api_hookup
* Add vpe's API message handlers to the table.