So far by suppressing depreciation messages, as there was no transition
period.
Type: make
Change-Id: I9887613fd71a22bf11bf22a04c129aca4a16867f
Signed-off-by: Damjan Marion <damarion@cisco.com>
- do not initialize resources if ikev2 is not used.
- process IKE packets only if we have profile(s) configured
Type: improvement
Change-Id: I57c95a888532eafd70989096c0555ebb1d7bef25
Signed-off-by: Benoît Ganne <bganne@cisco.com>
IDr is optional in IKE AUTH from the initiator. In that case, the
responder is free to use any matching profile and fills the
corresponding IDr in the response.
The initiator is then free to accept or reject it.
Type: improvement
Change-Id: I07a1c64a40ed22bd41767c259406238bbbab5cf4
Signed-off-by: Benoît Ganne <bganne@cisco.com>
The IDi is not mentioned in the RFC for the responder AUTH message, and
it confuses some IKE implementations.
Type: fix
Change-Id: I2bcefa1efd315412a6f5fa592668d4e0da510264
Signed-off-by: Benoît Ganne <bganne@cisco.com>
Move control ping and change dependencies from vpe.api_types to
memclnt.api_types
Type: refactor
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I9f8bc442e28738c48d64d1f6794082c8c4f5725b
IKEv2 is not optimized for dataplane processing and do not really
benefit from aggressive inlining. Let the compiler decide to improve
build time (from 205s to 30s).
Type: refactor
Change-Id: I5286880b35d338d669ec9382bf049d4486c04947
Signed-off-by: Benoît Ganne <bganne@cisco.com>
- Generate copyright year and version
instead of using hard-coded data
Type: refactor
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
Change-Id: I6058f5025323b3aa483f5df4a2c4371e27b5914e
Old auth data is needed when generating new one.
Type: fix
Change-Id: I15c62346dbb7ece8facdc7a05f30afd1a15a5648
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Type: refactor
this allows the ipsec_sa_get funtion to be moved from ipsec.h to
ipsec_sa.h where it belongs.
Also use ipsec_sa_get throughout the code base.
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I2dce726c4f7052b5507dd8dcfead0ed5604357df
Type: refactor
IKEv2 registers the IPSec node as the port handler, so it can use the
IPSec functions to do that.
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: If398dde0a8eb0407eba3ede62a3d5a8c12fe68a7
This fixes an issue when initiator is expecting request with intitial
msgid being 0 but 1 is received instead which results in retransmission
(instead of normally processing the new request).
Type: fix
Change-Id: I60062276bd93de78128847c5b15f5d6cecf1df65
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
When strongSwan rekeys it sends create child sa request first and then
delete request for the old child sa (or vice versa depending on
configuration) as opposed to sending just a single create child sa with
rekey notify message.
Type: fix
Change-Id: I1fa55a607ca623cd3a6d887436207153c6f6bbf6
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
If the multi-worker default VPP configuration is triggered by
setting VPP_WORKER_CONFIG="workers 2", some of the tests fail
for various reasons.
It's a substantial number, so this change marks all of the
testsets that have this issue, such that they can be addressed
later independently.
Type: test
Change-Id: I4f77196499edef3300afe7eabef9cbff91f794d3
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
support
Type: feature
attmpet 2. this includes changes in ah_encrypt that don't use
uninitialised memory when doing tunnel mode fixups.
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: Ie3cb776f5c415c93b8a5ee22f22586fd0181110d
This reverts commit c7eaa711f3.
Reason for revert: The jenkins job named 'vpp-merge-master-ubuntu1804-x86_64' had 2 IPv6 AH tests fail after the change was merged. Those 2 tests also failed the next time that job ran after an unrelated change was merged.
Change-Id: I0e2c3ee895114029066c82624e79807af575b6c0
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
Test whether responder sends info requests using correct ip table
Type: test
Change-Id: I9e97576f9d80686961f92de3cbc3e6f8d6341587
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Type: fix
In responder initialize msgid in requests to 1 as the previous value (0) was
causing retransmision on the initiator.
Change-Id: I8f5b84331ecac5943129f4c9a377076768fec455
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Remove assert condition ensuring that a packet was punted with reason
spi=0. We can't rely on data in punt_reason because it is defind in an
union. This patch adds a new IKE node that handles punted IKE packets
separately.
Type: fix
Change-Id: I2e1b44922e53e049bd8512fa5cb85cee6a2b8aa7
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
In responder mode we need to remember interface index from which IKE
session was initiated. Otherwise when sending keep alive packets to the
initiator, the default ip table is always used for lookup instead of the
one associated with the interface.
Type: fix
Change-Id: Iade3fc3a490b7ae83c3f6e9014d1f4204e476ac1
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
format_ip_address() to display {local,remote}_id does not work because
we do not store ip_address_t but ip{4,6}_address_t, hence we lack the
ip_address_family_t version field.
Update format_ikev2_id_type_and_data() to support all types and use it
instead.
Type: fix
Change-Id: I7a81beb0b22fcf1c5d1bf03a32a6cc4f030f4361
Signed-off-by: Benoît Ganne <bganne@cisco.com>
IPSec punting to IKEv2 is valid only for NAT-T in IPv4.
Fix coverity CID 214915.
Type: fix
Change-Id: I6f2db38abf179565316f50c5d47c78acce3a0d01
Signed-off-by: Benoît Ganne <bganne@cisco.com>
Damjan Marion