32 u32 sw_if_index = (
u32) ~ 0;
41 &sw_if_index, &spd_id))
43 else if (
unformat (line_input,
"del"))
58 .path =
"set interface ipsec spd",
60 "set interface ipsec spd <int> <id>",
75 memset (&sa, 0,
sizeof (sa));
84 else if (
unformat (line_input,
"del %u", &sa.
id))
88 else if (
unformat (line_input,
"esp"))
90 else if (
unformat (line_input,
"ah"))
101 if (sa.
crypto_alg < IPSEC_CRYPTO_ALG_AES_CBC_128 ||
112 if (sa.
integ_alg < IPSEC_INTEG_ALG_SHA1_96 ||
113 sa.
integ_alg > IPSEC_INTEG_ALG_SHA_512_256)
117 else if (
unformat (line_input,
"tunnel-src %U",
120 else if (
unformat (line_input,
"tunnel-dst %U",
123 else if (
unformat (line_input,
"tunnel-src %U",
129 else if (
unformat (line_input,
"tunnel-dst %U",
163 "ipsec sa [add|del]",
184 else if (
unformat (line_input,
"del"))
186 else if (
unformat (line_input,
"%u", &spd_id))
207 "ipsec spd [add|del] <id>",
224 memset (&p, 0,
sizeof (p));
237 else if (
unformat (line_input,
"del"))
239 else if (
unformat (line_input,
"spd %u", &p.
id))
241 else if (
unformat (line_input,
"inbound"))
243 else if (
unformat (line_input,
"outbound"))
247 else if (
unformat (line_input,
"protocol %u", &tmp))
254 if (p.
policy == IPSEC_POLICY_ACTION_RESOLVE)
259 else if (
unformat (line_input,
"local-ip-range %U - %U",
263 else if (
unformat (line_input,
"remote-ip-range %U - %U",
267 else if (
unformat (line_input,
"local-ip-range %U - %U",
274 else if (
unformat (line_input,
"remote-ip-range %U - %U",
281 else if (
unformat (line_input,
"local-port-range %u - %u", &tmp, &tmp2))
287 if (
unformat (line_input,
"remote-port-range %u - %u", &tmp, &tmp2))
310 .path =
"ipsec policy",
312 "ipsec policy [add|del] spd <id> priority <n> ",
326 memset (&sa, 0,
sizeof (sa));
367 .path =
"set ipsec sa",
369 "set ipsec sa <id> crypto-key <key> integ-key <key>",
389 vlib_cli_output(vm,
"sa %u spi %u mode %s protocol %s", sa->id, sa->spi,
390 sa->is_tunnel ?
"tunnel" :
"transport",
391 sa->protocol ?
"esp" :
"ah");
392 if (sa->protocol == IPSEC_PROTOCOL_ESP) {
393 vlib_cli_output(vm,
" crypto alg %U%s%U integrity alg %U%s%U",
394 format_ipsec_crypto_alg, sa->crypto_alg,
395 sa->crypto_alg ?
" key " :
"",
396 format_hex_bytes, sa->crypto_key, sa->crypto_key_len,
397 format_ipsec_integ_alg, sa->integ_alg,
398 sa->integ_alg ?
" key " :
"",
399 format_hex_bytes, sa->integ_key, sa->integ_key_len);
401 if (sa->is_tunnel && sa->is_tunnel_ip6) {
402 vlib_cli_output(vm,
" tunnel src %U dst %U",
403 format_ip6_address, &sa->tunnel_src_addr.ip6,
404 format_ip6_address, &sa->tunnel_dst_addr.ip6);
405 } else if (sa->is_tunnel) {
406 vlib_cli_output(vm,
" tunnel src %U dst %U",
407 format_ip4_address, &sa->tunnel_src_addr.ip4,
408 format_ip4_address, &sa->tunnel_dst_addr.ip4);
416 vlib_cli_output(vm,
"spd %u", spd->id);
418 vlib_cli_output(vm,
" outbound policies");
419 vec_foreach(i, spd->ipv4_outbound_policies)
421 p = pool_elt_at_index(spd->policies, *i);
422 vlib_cli_output(vm,
" priority %d action %U protocol %s%s",
424 format_ipsec_policy_action, p->policy,
426 format(0,
"%U", format_ip_protocol, p->protocol) :
428 p->policy == IPSEC_POLICY_ACTION_PROTECT ?
429 format(0,
" sa %u", p->sa_id) :
431 vlib_cli_output(vm,
" local addr range %U - %U port range %u - %u",
432 format_ip4_address, &p->laddr.start.ip4,
433 format_ip4_address, &p->laddr.stop.ip4,
434 p->lport.start, p->lport.stop);
435 vlib_cli_output(vm,
" remte addr range %U - %U port range %u - %u",
436 format_ip4_address, &p->raddr.start.ip4,
437 format_ip4_address, &p->raddr.stop.ip4,
438 p->rport.start, p->rport.stop);
439 vlib_cli_output(vm,
" packets %u bytes %u", p->counter.packets,
444 p = pool_elt_at_index(spd->policies, *i);
445 vlib_cli_output(vm,
" priority %d action %U protocol %s%s",
447 format_ipsec_policy_action, p->policy,
449 format(0,
"%U", format_ip_protocol, p->protocol) :
451 p->policy == IPSEC_POLICY_ACTION_PROTECT ?
452 format(0,
" sa %u", p->sa_id) :
454 vlib_cli_output(vm,
" local addr range %U - %U port range %u - %u",
455 format_ip6_address, &p->laddr.start.ip6,
456 format_ip6_address, &p->laddr.stop.ip6,
457 p->lport.start, p->lport.stop);
458 vlib_cli_output(vm,
" remote addr range %U - %U port range %u - %u",
459 format_ip6_address, &p->raddr.start.ip6,
460 format_ip6_address, &p->raddr.stop.ip6,
461 p->rport.start, p->rport.stop);
462 vlib_cli_output(vm,
" packets %u bytes %u", p->counter.packets,
466 vec_foreach(
i, spd->ipv4_inbound_protect_policy_indices)
475 p->policy == IPSEC_POLICY_ACTION_PROTECT ?
476 format(0,
" sa %u", p->sa_id) :
481 p->lport.start, p->lport.stop);
485 p->rport.start, p->rport.stop);
489 vec_foreach(
i, spd->ipv4_inbound_policy_discard_and_bypass_indices)
498 p->policy == IPSEC_POLICY_ACTION_PROTECT ?
499 format(0,
" sa %u", p->sa_id) :
504 p->lport.start, p->lport.stop);
508 p->rport.start, p->rport.stop);
512 vec_foreach(
i, spd->ipv6_inbound_protect_policy_indices)
521 p->policy == IPSEC_POLICY_ACTION_PROTECT ?
522 format(0,
" sa %u", p->sa_id) :
527 p->lport.start, p->lport.stop);
531 p->rport.start, p->rport.stop);
535 vec_foreach(
i, spd->ipv6_inbound_policy_discard_and_bypass_indices)
544 p->policy == IPSEC_POLICY_ACTION_PROTECT ?
545 format(0,
" sa %u", p->sa_id) :
550 p->lport.start, p->lport.stop);
554 p->rport.start, p->rport.stop);
564 if (t->hw_if_index == ~0)
566 hi = vnet_get_hw_interface (im->vnet_main, t->hw_if_index);
567 vlib_cli_output(vm,
" %s seq", hi->name);
568 sa = pool_elt_at_index(im->sad, t->output_sa_index);
569 vlib_cli_output(vm,
" seq %u seq-hi %u esn %u anti-replay %u",
570 sa->seq, sa->seq_hi, sa->use_esn, sa->use_anti_replay);
571 vlib_cli_output(vm,
" local-spi %u local-ip %U", sa->spi,
572 format_ip4_address, &sa->tunnel_src_addr.ip4);
573 vlib_cli_output(vm,
" local-crypto %U %U",
574 format_ipsec_crypto_alg, sa->crypto_alg,
575 format_hex_bytes, sa->crypto_key, sa->crypto_key_len);
576 vlib_cli_output(vm,
" local-integrity %U %U",
577 format_ipsec_integ_alg, sa->integ_alg,
578 format_hex_bytes, sa->integ_key, sa->integ_key_len);
579 sa = pool_elt_at_index(im->sad, t->input_sa_index);
580 vlib_cli_output(vm,
" last-seq %u last-seq-hi %u esn %u anti-replay %u window %U",
581 sa->last_seq, sa->last_seq_hi, sa->use_esn,
583 format_ipsec_replay_window, sa->replay_window);
584 vlib_cli_output(vm,
" remote-spi %u remote-ip %U", sa->spi,
585 format_ip4_address, &sa->tunnel_src_addr.ip4);
586 vlib_cli_output(vm,
" remote-crypto %U %U",
587 format_ipsec_crypto_alg, sa->crypto_alg,
588 format_hex_bytes, sa->crypto_key, sa->crypto_key_len);
589 vlib_cli_output(vm,
" remote-integrity %U %U",
590 format_ipsec_integ_alg, sa->integ_alg,
591 format_hex_bytes, sa->integ_key, sa->integ_key_len);
599 .path =
"show ipsec",
600 .short_help =
"show ipsec",
616 pool_foreach(p, spd->policies, ({
617 p->counter.packets = p->counter.bytes = 0;
627 .path =
"clear ipsec counters",
628 .short_help =
"clear ipsec counters",
643 memset (&a, 0,
sizeof (a));
663 else if (
unformat (line_input,
"del"))
680 case VNET_API_ERROR_INVALID_VALUE:
683 "IPSec tunnel interface already exists...");
696 .path =
"create ipsec tunnel",
697 .short_help =
"create ipsec tunnel local-ip <addr> local-spi <spi> remote-ip <addr> remote-spi <spi>",
710 u32 hw_if_index = (
u32) ~ 0;
750 if (alg > 0 &&
vec_len (key) == 0)
753 if (hw_if_index == (
u32) ~ 0)
764 .path =
"set interface ipsec key",
766 "set interface ipsec key <int> <local|remote> <crypto|integ> <key type> <key>",
unformat_function_t unformat_vnet_hw_interface
sll srl srl sll sra u16x4 i
ip46_address_t tunnel_src_addr
static clib_error_t * set_ipsec_sa_key_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
bad routing header type(not 4)") sr_error (NO_MORE_SEGMENTS
ipsec_integ_alg_t integ_alg
static clib_error_t * create_ipsec_tunnel_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
uword unformat_ipsec_integ_alg(unformat_input_t *input, va_list *args)
static clib_error_t * set_interface_key_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
unformat_function_t unformat_vnet_sw_interface
static vlib_cli_command_t set_interface_key_command
(constructor) VLIB_CLI_COMMAND (set_interface_key_command)
#define pool_foreach(VAR, POOL, BODY)
Iterate through pool.
static vlib_cli_command_t show_ipsec_command
(constructor) VLIB_CLI_COMMAND (show_ipsec_command)
#define VLIB_INIT_FUNCTION(x)
int ipsec_add_del_policy(vlib_main_t *vm, ipsec_policy_t *policy, int is_add)
u8 * format_ipsec_integ_alg(u8 *s, va_list *args)
#define pool_elt_at_index(p, i)
Returns pointer to element at given index.
static vlib_cli_command_t create_ipsec_tunnel_command
(constructor) VLIB_CLI_COMMAND (create_ipsec_tunnel_command)
uword unformat_ipsec_policy_action(unformat_input_t *input, va_list *args)
static clib_error_t * ipsec_policy_add_del_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
static clib_error_t * set_interface_spd_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
int ipsec_add_del_sa(vlib_main_t *vm, ipsec_sa_t *new_sa, int is_add)
ip46_address_range_t laddr
void vlib_cli_output(vlib_main_t *vm, char *fmt,...)
ip46_address_t tunnel_dst_addr
static clib_error_t * clear_ipsec_counters_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
int ipsec_set_sa_key(vlib_main_t *vm, ipsec_sa_t *sa_update)
clib_error_t * ipsec_cli_init(vlib_main_t *vm)
#define vec_free(V)
Free vector's memory (no header).
int ipsec_add_del_spd(vlib_main_t *vm, u32 spd_id, int is_add)
ip46_address_range_t raddr
ipsec_protocol_t protocol
VLIB_CLI_COMMAND(set_interface_ip_source_and_port_range_check_command, static)
#define vec_len(v)
Number of elements in vector (rvalue-only, NULL tolerant)
u8 * format_ipsec_policy_action(u8 *s, va_list *args)
static clib_error_t * ipsec_sa_add_del_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
ipsec_crypto_alg_t crypto_alg
static clib_error_t * show_ipsec_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
#define vec_foreach(var, vec)
Vector iterator.
#define clib_error_return(e, args...)
static clib_error_t * ipsec_spd_add_del_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
u8 * format_ipsec_crypto_alg(u8 *s, va_list *args)
int ipsec_set_interface_spd(vlib_main_t *vm, u32 sw_if_index, u32 spd_id, int is_add)
uword unformat_ipsec_crypto_alg(unformat_input_t *input, va_list *args)
int ipsec_set_interface_key(vnet_main_t *vnm, u32 hw_if_index, ipsec_if_set_key_type_t type, u8 alg, u8 *key)
int ipsec_add_del_tunnel_if(ipsec_add_del_tunnel_args_t *args)
static vlib_cli_command_t clear_ipsec_counters_command
(constructor) VLIB_CLI_COMMAND (clear_ipsec_counters_command)