FD.io VPP  v20.05-21-gb1500e9ff
Vector Packet Processing
ikev2_cli.c
Go to the documentation of this file.
1 /*
2  * Copyright (c) 2015 Cisco and/or its affiliates.
3  * Licensed under the Apache License, Version 2.0 (the "License");
4  * you may not use this file except in compliance with the License.
5  * You may obtain a copy of the License at:
6  *
7  * http://www.apache.org/licenses/LICENSE-2.0
8  *
9  * Unless required by applicable law or agreed to in writing, software
10  * distributed under the License is distributed on an "AS IS" BASIS,
11  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12  * See the License for the specific language governing permissions and
13  * limitations under the License.
14  */
15 #include <vlib/vlib.h>
16 #include <vnet/vnet.h>
17 #include <vnet/pg/pg.h>
18 #include <vppinfra/error.h>
19 #include <vnet/udp/udp.h>
20 #include <vnet/ipsec/ipsec_sa.h>
21 #include <plugins/ikev2/ikev2.h>
22 #include <plugins/ikev2/ikev2_priv.h>
23 
24 u8 *
25 format_ikev2_id_type_and_data (u8 * s, va_list * args)
26 {
27  ikev2_id_t *id = va_arg (*args, ikev2_id_t *);
28 
29  if (id->type == 0 || vec_len (id->data) == 0)
30  return format (s, "none");
31 
32  s = format (s, "%U", format_ikev2_id_type, id->type);
33 
34  if (id->type == IKEV2_ID_TYPE_ID_FQDN ||
35  id->type == IKEV2_ID_TYPE_ID_RFC822_ADDR)
36  {
37  s = format (s, " %v", id->data);
38  }
39  else
40  {
41  s =
42  format (s, " %U", format_hex_bytes, &id->data,
43  (uword) (vec_len (id->data)));
44  }
45 
46  return s;
47 }
48 
49 
50 static clib_error_t *
51 show_ikev2_sa_command_fn (vlib_main_t * vm,
52  unformat_input_t * input, vlib_cli_command_t * cmd)
53 {
54  ikev2_main_t *km = &ikev2_main;
55  ikev2_main_per_thread_data_t *tkm;
56  ikev2_sa_t *sa;
57  ikev2_ts_t *ts;
58  ikev2_child_sa_t *child;
59  ikev2_sa_transform_t *tr;
60 
61  vec_foreach (tkm, km->per_thread_data)
62  {
63  /* *INDENT-OFF* */
64  pool_foreach (sa, tkm->sas, ({
65  u8 * s = 0;
66  vlib_cli_output(vm, " iip %U ispi %lx rip %U rspi %lx",
67  format_ip4_address, &sa->iaddr, sa->ispi,
68  format_ip4_address, &sa->raddr, sa->rspi);
69 
70  tr = ikev2_sa_get_td_for_type(sa->r_proposals, IKEV2_TRANSFORM_TYPE_ENCR);
71  s = format(s, "%U ", format_ikev2_sa_transform, tr);
72 
73  tr = ikev2_sa_get_td_for_type(sa->r_proposals, IKEV2_TRANSFORM_TYPE_PRF);
74  s = format(s, "%U ", format_ikev2_sa_transform, tr);
75 
76  tr = ikev2_sa_get_td_for_type(sa->r_proposals, IKEV2_TRANSFORM_TYPE_INTEG);
77  s = format(s, "%U ", format_ikev2_sa_transform, tr);
78 
79  tr = ikev2_sa_get_td_for_type(sa->r_proposals, IKEV2_TRANSFORM_TYPE_DH);
80  s = format(s, "%U ", format_ikev2_sa_transform, tr);
81 
82  vlib_cli_output(vm, " %v", s);
83  vec_free(s);
84 
85  vlib_cli_output(vm, " nonce i:%U\n r:%U",
86  format_hex_bytes, sa->i_nonce, vec_len(sa->i_nonce),
87  format_hex_bytes, sa->r_nonce, vec_len(sa->r_nonce));
88 
89  vlib_cli_output(vm, " SK_d %U",
90  format_hex_bytes, sa->sk_d, vec_len(sa->sk_d));
91  vlib_cli_output(vm, " SK_a i:%U\n r:%U",
92  format_hex_bytes, sa->sk_ai, vec_len(sa->sk_ai),
93  format_hex_bytes, sa->sk_ar, vec_len(sa->sk_ar));
94  vlib_cli_output(vm, " SK_e i:%U\n r:%U",
95  format_hex_bytes, sa->sk_ei, vec_len(sa->sk_ei),
96  format_hex_bytes, sa->sk_er, vec_len(sa->sk_er));
97  vlib_cli_output(vm, " SK_p i:%U\n r:%U",
98  format_hex_bytes, sa->sk_pi, vec_len(sa->sk_pi),
99  format_hex_bytes, sa->sk_pr, vec_len(sa->sk_pr));
100 
101  vlib_cli_output(vm, " identifier (i) %U",
102  format_ikev2_id_type_and_data, &sa->i_id);
103  vlib_cli_output(vm, " identifier (r) %U",
104  format_ikev2_id_type_and_data, &sa->r_id);
105 
106  vec_foreach(child, sa->childs)
107  {
108  vlib_cli_output(vm, " child sa %u:", child - sa->childs);
109 
110  tr = ikev2_sa_get_td_for_type(child->r_proposals, IKEV2_TRANSFORM_TYPE_ENCR);
111  s = format(s, "%U ", format_ikev2_sa_transform, tr);
112 
113  tr = ikev2_sa_get_td_for_type(child->r_proposals, IKEV2_TRANSFORM_TYPE_INTEG);
114  s = format(s, "%U ", format_ikev2_sa_transform, tr);
115 
116  tr = ikev2_sa_get_td_for_type(child->r_proposals, IKEV2_TRANSFORM_TYPE_ESN);
117  s = format(s, "%U ", format_ikev2_sa_transform, tr);
118 
119  vlib_cli_output(vm, " %v", s);
120  vec_free(s);
121 
122  vlib_cli_output(vm, " spi(i) %lx spi(r) %lx",
123  child->i_proposals ? child->i_proposals[0].spi : 0,
124  child->r_proposals ? child->r_proposals[0].spi : 0);
125 
126  vlib_cli_output(vm, " SK_e i:%U\n r:%U",
127  format_hex_bytes, child->sk_ei, vec_len(child->sk_ei),
128  format_hex_bytes, child->sk_er, vec_len(child->sk_er));
129  if (child->sk_ai)
130  {
131  vlib_cli_output(vm, " SK_a i:%U\n r:%U",
132  format_hex_bytes, child->sk_ai, vec_len(child->sk_ai),
133  format_hex_bytes, child->sk_ar, vec_len(child->sk_ar));
134  vlib_cli_output(vm, " traffic selectors (i):");
135  }
136  vec_foreach(ts, child->tsi)
137  {
138  vlib_cli_output(vm, " %u type %u protocol_id %u addr "
139  "%U - %U port %u - %u",
140  ts - child->tsi,
141  ts->ts_type, ts->protocol_id,
142  format_ip4_address, &ts->start_addr,
143  format_ip4_address, &ts->end_addr,
144  clib_net_to_host_u16( ts->start_port),
145  clib_net_to_host_u16( ts->end_port));
146  }
147  vlib_cli_output(vm, " traffic selectors (r):");
148  vec_foreach(ts, child->tsr)
149  {
150  vlib_cli_output(vm, " %u type %u protocol_id %u addr "
151  "%U - %U port %u - %u",
152  ts - child->tsr,
153  ts->ts_type, ts->protocol_id,
154  format_ip4_address, &ts->start_addr,
155  format_ip4_address, &ts->end_addr,
156  clib_net_to_host_u16( ts->start_port),
157  clib_net_to_host_u16( ts->end_port));
158  }
159  }
160  vlib_cli_output(vm, "");
161  }));
162  /* *INDENT-ON* */
163  }
164  return 0;
165 }
166 
167 /* *INDENT-OFF* */
168 VLIB_CLI_COMMAND (show_ikev2_sa_command, static) = {
169  .path = "show ikev2 sa",
170  .short_help = "show ikev2 sa",
171  .function = show_ikev2_sa_command_fn,
172 };
173 /* *INDENT-ON* */
174 
175 static clib_error_t *
176 ikev2_profile_add_del_command_fn (vlib_main_t * vm,
177  unformat_input_t * input,
178  vlib_cli_command_t * cmd)
179 {
180  vnet_main_t *vnm = vnet_get_main ();
181  unformat_input_t _line_input, *line_input = &_line_input;
182  u8 *name = 0;
183  clib_error_t *r = 0;
184  u32 id_type;
185  u8 *data = 0;
186  u32 tmp1, tmp2, tmp3;
187  u64 tmp4, tmp5;
188  ip4_address_t ip4;
189  ip4_address_t end_addr;
190  u32 responder_sw_if_index = (u32) ~ 0;
191  u32 tun_sw_if_index = (u32) ~ 0;
192  ip4_address_t responder_ip4;
193  ikev2_transform_encr_type_t crypto_alg;
194  ikev2_transform_integ_type_t integ_alg;
195  ikev2_transform_dh_type_t dh_type;
196 
197  const char *valid_chars = "a-zA-Z0-9_";
198 
199  if (!unformat_user (input, unformat_line_input, line_input))
200  return 0;
201 
202  while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
203  {
204  if (unformat (line_input, "add %U", unformat_token, valid_chars, &name))
205  {
206  r = ikev2_add_del_profile (vm, name, 1);
207  goto done;
208  }
209  else
210  if (unformat
211  (line_input, "del %U", unformat_token, valid_chars, &name))
212  {
213  r = ikev2_add_del_profile (vm, name, 0);
214  goto done;
215  }
216  else if (unformat (line_input, "set %U auth shared-key-mic string %v",
217  unformat_token, valid_chars, &name, &data))
218  {
219  r =
220  ikev2_set_profile_auth (vm, name,
221  IKEV2_AUTH_METHOD_SHARED_KEY_MIC, data,
222  0);
223  goto done;
224  }
225  else if (unformat (line_input, "set %U auth shared-key-mic hex %U",
226  unformat_token, valid_chars, &name,
227  unformat_hex_string, &data))
228  {
229  r =
230  ikev2_set_profile_auth (vm, name,
231  IKEV2_AUTH_METHOD_SHARED_KEY_MIC, data,
232  1);
233  goto done;
234  }
235  else if (unformat (line_input, "set %U auth rsa-sig cert-file %v",
236  unformat_token, valid_chars, &name, &data))
237  {
238  r =
239  ikev2_set_profile_auth (vm, name, IKEV2_AUTH_METHOD_RSA_SIG, data,
240  0);
241  goto done;
242  }
243  else if (unformat (line_input, "set %U id local %U %U",
244  unformat_token, valid_chars, &name,
245  unformat_ikev2_id_type, &id_type,
246  unformat_ip4_address, &ip4))
247  {
248  data = vec_new (u8, 4);
249  clib_memcpy (data, ip4.as_u8, 4);
250  r =
251  ikev2_set_profile_id (vm, name, (u8) id_type, data, /*local */ 1);
252  goto done;
253  }
254  else if (unformat (line_input, "set %U id local %U 0x%U",
255  unformat_token, valid_chars, &name,
256  unformat_ikev2_id_type, &id_type,
257  unformat_hex_string, &data))
258  {
259  r =
260  ikev2_set_profile_id (vm, name, (u8) id_type, data, /*local */ 1);
261  goto done;
262  }
263  else if (unformat (line_input, "set %U id local %U %v",
264  unformat_token, valid_chars, &name,
265  unformat_ikev2_id_type, &id_type, &data))
266  {
267  r =
268  ikev2_set_profile_id (vm, name, (u8) id_type, data, /*local */ 1);
269  goto done;
270  }
271  else if (unformat (line_input, "set %U id remote %U %U",
272  unformat_token, valid_chars, &name,
273  unformat_ikev2_id_type, &id_type,
274  unformat_ip4_address, &ip4))
275  {
276  data = vec_new (u8, 4);
277  clib_memcpy (data, ip4.as_u8, 4);
278  r = ikev2_set_profile_id (vm, name, (u8) id_type, data, /*remote */
279  0);
280  goto done;
281  }
282  else if (unformat (line_input, "set %U id remote %U 0x%U",
283  unformat_token, valid_chars, &name,
284  unformat_ikev2_id_type, &id_type,
285  unformat_hex_string, &data))
286  {
287  r = ikev2_set_profile_id (vm, name, (u8) id_type, data, /*remote */
288  0);
289  goto done;
290  }
291  else if (unformat (line_input, "set %U id remote %U %v",
292  unformat_token, valid_chars, &name,
293  unformat_ikev2_id_type, &id_type, &data))
294  {
295  r = ikev2_set_profile_id (vm, name, (u8) id_type, data, /*remote */
296  0);
297  goto done;
298  }
299  else if (unformat (line_input, "set %U traffic-selector local "
300  "ip-range %U - %U port-range %u - %u protocol %u",
301  unformat_token, valid_chars, &name,
302  unformat_ip4_address, &ip4,
303  unformat_ip4_address, &end_addr,
304  &tmp1, &tmp2, &tmp3))
305  {
306  r =
307  ikev2_set_profile_ts (vm, name, (u8) tmp3, (u16) tmp1, (u16) tmp2,
308  ip4, end_addr, /*local */ 1);
309  goto done;
310  }
311  else if (unformat (line_input, "set %U traffic-selector remote "
312  "ip-range %U - %U port-range %u - %u protocol %u",
313  unformat_token, valid_chars, &name,
314  unformat_ip4_address, &ip4,
315  unformat_ip4_address, &end_addr,
316  &tmp1, &tmp2, &tmp3))
317  {
318  r =
319  ikev2_set_profile_ts (vm, name, (u8) tmp3, (u16) tmp1, (u16) tmp2,
320  ip4, end_addr, /*remote */ 0);
321  goto done;
322  }
323  else if (unformat (line_input, "set %U responder %U %U",
324  unformat_token, valid_chars, &name,
325  unformat_vnet_sw_interface, vnm,
326  &responder_sw_if_index, unformat_ip4_address,
327  &responder_ip4))
328  {
329  r =
330  ikev2_set_profile_responder (vm, name, responder_sw_if_index,
331  responder_ip4);
332  goto done;
333  }
334  else if (unformat (line_input, "set %U tunnel %U",
335  unformat_token, valid_chars, &name,
336  unformat_vnet_sw_interface, vnm, &tun_sw_if_index))
337  {
338  r = ikev2_set_profile_tunnel_interface (vm, name, tun_sw_if_index);
339  goto done;
340  }
341  else
342  if (unformat
343  (line_input,
344  "set %U ike-crypto-alg %U %u ike-integ-alg %U ike-dh %U",
345  unformat_token, valid_chars, &name,
346  unformat_ikev2_transform_encr_type, &crypto_alg, &tmp1,
347  unformat_ikev2_transform_integ_type, &integ_alg,
348  unformat_ikev2_transform_dh_type, &dh_type))
349  {
350  r =
351  ikev2_set_profile_ike_transforms (vm, name, crypto_alg, integ_alg,
352  dh_type, tmp1);
353  goto done;
354  }
355  else
356  if (unformat
357  (line_input,
358  "set %U esp-crypto-alg %U %u esp-integ-alg %U esp-dh %U",
359  unformat_token, valid_chars, &name,
360  unformat_ikev2_transform_encr_type, &crypto_alg, &tmp1,
361  unformat_ikev2_transform_integ_type, &integ_alg,
362  unformat_ikev2_transform_dh_type, &dh_type))
363  {
364  r =
365  ikev2_set_profile_esp_transforms (vm, name, crypto_alg, integ_alg,
366  dh_type, tmp1);
367  goto done;
368  }
369  else if (unformat
370  (line_input,
371  "set %U esp-crypto-alg %U %u esp-dh %U",
372  unformat_token, valid_chars, &name,
373  unformat_ikev2_transform_encr_type, &crypto_alg, &tmp1,
374  unformat_ikev2_transform_dh_type, &dh_type))
375  {
376  r =
377  ikev2_set_profile_esp_transforms (vm, name, crypto_alg, 0,
378  dh_type, tmp1);
379  goto done;
380  }
381  else if (unformat (line_input, "set %U sa-lifetime %lu %u %u %lu",
382  unformat_token, valid_chars, &name,
383  &tmp4, &tmp1, &tmp2, &tmp5))
384  {
385  r =
386  ikev2_set_profile_sa_lifetime (vm, name, tmp4, tmp1, tmp2, tmp5);
387  goto done;
388  }
389  else if (unformat (line_input, "set %U udp-encap",
390  unformat_token, valid_chars, &name))
391  {
392  r = ikev2_set_profile_udp_encap (vm, name);
393  goto done;
394  }
395  else if (unformat (line_input, "set %U ipsec-over-udp port %u",
396  unformat_token, valid_chars, &name, &tmp1))
397  {
398  int rv = ikev2_set_profile_ipsec_udp_port (vm, name, tmp1, 1);
399  if (rv)
400  r = clib_error_return (0, "Error: %U", format_vnet_api_errno, rv);
401  goto done;
402  }
403  else
404  break;
405  }
406 
407  r = clib_error_return (0, "parse error: '%U'",
408  format_unformat_error, line_input);
409 
410 done:
411  vec_free (name);
412  vec_free (data);
413  unformat_free (line_input);
414  return r;
415 }
416 
417 /* *INDENT-OFF* */
418 VLIB_CLI_COMMAND (ikev2_profile_add_del_command, static) = {
419  .path = "ikev2 profile",
420  .short_help =
421  "ikev2 profile [add|del] <id>\n"
422  "ikev2 profile set <id> auth [rsa-sig|shared-key-mic] [cert-file|string|hex]"
423  " <data>\n"
424  "ikev2 profile set <id> id <local|remote> <type> <data>\n"
425  "ikev2 profile set <id> tunnel <interface>\n"
426  "ikev2 profile set <id> udp-encap\n"
427  "ikev2 profile set <id> traffic-selector <local|remote> ip-range "
428  "<start-addr> - <end-addr> port-range <start-port> - <end-port> "
429  "protocol <protocol-number>\n"
430  "ikev2 profile set <id> responder <interface> <addr>\n"
431  "ikev2 profile set <id> ike-crypto-alg <crypto alg> <key size> ike-integ-alg <integ alg> ike-dh <dh type>\n"
432  "ikev2 profile set <id> esp-crypto-alg <crypto alg> <key size> "
433  "[esp-integ-alg <integ alg>] esp-dh <dh type>\n"
434  "ikev2 profile set <id> sa-lifetime <seconds> <jitter> <handover> <max bytes>",
435  .function = ikev2_profile_add_del_command_fn,
436 };
437 /* *INDENT-ON* */
438 
439 static clib_error_t *
440 show_ikev2_profile_command_fn (vlib_main_t * vm,
441  unformat_input_t * input,
442  vlib_cli_command_t * cmd)
443 {
444  ikev2_main_t *km = &ikev2_main;
445  ikev2_profile_t *p;
446 
447  /* *INDENT-OFF* */
448  pool_foreach (p, km->profiles, ({
449  vlib_cli_output(vm, "profile %v", p->name);
450 
451  if (p->auth.data)
452  {
453  if (p->auth.hex)
454  vlib_cli_output(vm, " auth-method %U auth data 0x%U",
455  format_ikev2_auth_method, p->auth.method,
456  format_hex_bytes, p->auth.data, vec_len(p->auth.data));
457  else
458  vlib_cli_output(vm, " auth-method %U auth data %v",
459  format_ikev2_auth_method, p->auth.method, p->auth.data);
460  }
461 
462  if (p->loc_id.data)
463  {
464  if (p->loc_id.type == IKEV2_ID_TYPE_ID_IPV4_ADDR)
465  vlib_cli_output(vm, " local id-type %U data %U",
466  format_ikev2_id_type, p->loc_id.type,
467  format_ip4_address, p->loc_id.data);
468  else if (p->loc_id.type == IKEV2_ID_TYPE_ID_KEY_ID)
469  vlib_cli_output(vm, " local id-type %U data 0x%U",
470  format_ikev2_id_type, p->loc_id.type,
471  format_hex_bytes, p->loc_id.data,
472  vec_len(p->loc_id.data));
473  else
474  vlib_cli_output(vm, " local id-type %U data %v",
475  format_ikev2_id_type, p->loc_id.type, p->loc_id.data);
476  }
477 
478  if (p->rem_id.data)
479  {
480  if (p->rem_id.type == IKEV2_ID_TYPE_ID_IPV4_ADDR)
481  vlib_cli_output(vm, " remote id-type %U data %U",
482  format_ikev2_id_type, p->rem_id.type,
483  format_ip4_address, p->rem_id.data);
484  else if (p->rem_id.type == IKEV2_ID_TYPE_ID_KEY_ID)
485  vlib_cli_output(vm, " remote id-type %U data 0x%U",
486  format_ikev2_id_type, p->rem_id.type,
487  format_hex_bytes, p->rem_id.data,
488  vec_len(p->rem_id.data));
489  else
490  vlib_cli_output(vm, " remote id-type %U data %v",
491  format_ikev2_id_type, p->rem_id.type, p->rem_id.data);
492  }
493 
494  if (p->loc_ts.end_addr.as_u32)
495  vlib_cli_output(vm, " local traffic-selector addr %U - %U port %u - %u"
496  " protocol %u",
497  format_ip4_address, &p->loc_ts.start_addr,
498  format_ip4_address, &p->loc_ts.end_addr,
499  p->loc_ts.start_port, p->loc_ts.end_port,
500  p->loc_ts.protocol_id);
501 
502  if (p->rem_ts.end_addr.as_u32)
503  vlib_cli_output(vm, " remote traffic-selector addr %U - %U port %u - %u"
504  " protocol %u",
505  format_ip4_address, &p->rem_ts.start_addr,
506  format_ip4_address, &p->rem_ts.end_addr,
507  p->rem_ts.start_port, p->rem_ts.end_port,
508  p->rem_ts.protocol_id);
509  if (~0 != p->tun_itf)
510  vlib_cli_output(vm, " protected tunnel %U",
511  format_vnet_sw_if_index_name, vnet_get_main(), p->tun_itf);
512  if (p->udp_encap)
513  vlib_cli_output(vm, " udp-encap");
514 
515  if (p->dst_port != IPSEC_UDP_PORT_NONE)
516  vlib_cli_output(vm, " ipsec-over-udp port %d", p->dst_port);
517  }));
518  /* *INDENT-ON* */
519 
520  return 0;
521 }
522 
523 /* *INDENT-OFF* */
524 VLIB_CLI_COMMAND (show_ikev2_profile_command, static) = {
525  .path = "show ikev2 profile",
526  .short_help = "show ikev2 profile",
527  .function = show_ikev2_profile_command_fn,
528 };
529 /* *INDENT-ON* */
530 
531 static clib_error_t *
532 set_ikev2_liveness_period_fn (vlib_main_t * vm,
533  unformat_input_t * input,
534  vlib_cli_command_t * cmd)
535 {
536  unformat_input_t _line_input, *line_input = &_line_input;
537  clib_error_t *r = 0;
538  u32 period = 0, max_retries = 0;
539 
540  if (!unformat_user (input, unformat_line_input, line_input))
541  return 0;
542 
543  while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
544  {
545  if (unformat (line_input, "%d %d", &period, &max_retries))
546  {
547  r = ikev2_set_liveness_params (period, max_retries);
548  goto done;
549  }
550  else
551  break;
552  }
553 
554  r = clib_error_return (0, "parse error: '%U'",
555  format_unformat_error, line_input);
556 
557 done:
558  unformat_free (line_input);
559  return r;
560 }
561 
562 /* *INDENT-OFF* */
563 VLIB_CLI_COMMAND (set_ikev2_liveness_command, static) = {
564  .path = "ikev2 set liveness",
565  .short_help = "ikev2 set liveness <period> <max-retires>",
566  .function = set_ikev2_liveness_period_fn,
567 };
568 /* *INDENT-ON* */
569 
570 static clib_error_t *
571 set_ikev2_local_key_command_fn (vlib_main_t * vm,
572  unformat_input_t * input,
573  vlib_cli_command_t * cmd)
574 {
575  unformat_input_t _line_input, *line_input = &_line_input;
576  clib_error_t *r = 0;
577  u8 *data = 0;
578 
579  if (!unformat_user (input, unformat_line_input, line_input))
580  return 0;
581 
582  while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
583  {
584  if (unformat (line_input, "%s", &data))
585  {
586  r = ikev2_set_local_key (vm, data);
587  goto done;
588  }
589  else
590  break;
591  }
592 
593  r = clib_error_return (0, "parse error: '%U'",
594  format_unformat_error, line_input);
595 
596 done:
597  vec_free (data);
598  unformat_free (line_input);
599  return r;
600 }
601 
602 /* *INDENT-OFF* */
603 VLIB_CLI_COMMAND (set_ikev2_local_key_command, static) = {
604  .path = "set ikev2 local key",
605  .short_help =
606  "set ikev2 local key <file>",
607  .function = set_ikev2_local_key_command_fn,
608 };
609 /* *INDENT-ON* */
610 
611 
612 static clib_error_t *
613 ikev2_initiate_command_fn (vlib_main_t * vm,
614  unformat_input_t * input, vlib_cli_command_t * cmd)
615 {
616  unformat_input_t _line_input, *line_input = &_line_input;
617  clib_error_t *r = 0;
618  u8 *name = 0;
619  u32 tmp1;
620  u64 tmp2;
621 
622  const char *valid_chars = "a-zA-Z0-9_";
623 
624  if (!unformat_user (input, unformat_line_input, line_input))
625  return 0;
626 
627  while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
628  {
629  if (unformat
630  (line_input, "sa-init %U", unformat_token, valid_chars, &name))
631  {
632  r = ikev2_initiate_sa_init (vm, name);
633  goto done;
634  }
635  else if (unformat (line_input, "del-child-sa %x", &tmp1))
636  {
637  r = ikev2_initiate_delete_child_sa (vm, tmp1);
638  goto done;
639  }
640  else if (unformat (line_input, "del-sa %lx", &tmp2))
641  {
642  r = ikev2_initiate_delete_ike_sa (vm, tmp2);
643  goto done;
644  }
645  else if (unformat (line_input, "rekey-child-sa %x", &tmp1))
646  {
647  r = ikev2_initiate_rekey_child_sa (vm, tmp1);
648  goto done;
649  }
650  else
651  break;
652  }
653 
654  r = clib_error_return (0, "parse error: '%U'",
655  format_unformat_error, line_input);
656 
657 done:
658  vec_free (name);
659  unformat_free (line_input);
660  return r;
661 }
662 
663 /* *INDENT-OFF* */
664 VLIB_CLI_COMMAND (ikev2_initiate_command, static) = {
665  .path = "ikev2 initiate",
666  .short_help =
667  "ikev2 initiate sa-init <profile id>\n"
668  "ikev2 initiate del-child-sa <child sa ispi>\n"
669  "ikev2 initiate del-sa <sa ispi>\n"
670  "ikev2 initiate rekey-child-sa <profile id> <child sa ispi>\n",
671  .function = ikev2_initiate_command_fn,
672 };
673 /* *INDENT-ON* */
674 
675 void
676 ikev2_cli_reference (void)
677 {
678 }
679 
680 static clib_error_t *
681 ikev2_set_log_level_command_fn (vlib_main_t * vm,
682  unformat_input_t * input,
683  vlib_cli_command_t * cmd)
684 {
685  unformat_input_t _line_input, *line_input = &_line_input;
686  u8 log_level = IKEV2_LOG_NONE;
687  clib_error_t *error = 0;
688 
689  /* Get a line of input. */
690  if (!unformat_user (input, unformat_line_input, line_input))
691  return 0;
692 
693  if (!unformat (line_input, "%d", &log_level))
694  {
695  error = clib_error_return (0, "unknown input '%U'",
696  format_unformat_error, line_input);
697  goto done;
698  }
699  int rc = ikev2_set_log_level (log_level);
700  if (rc < 0)
701  error = clib_error_return (0, "setting log level failed!");
702 
703 done:
704  unformat_free (line_input);
705  return error;
706 }
707 
708 /* *INDENT-OFF* */
709 VLIB_CLI_COMMAND (ikev2_set_log_level_command, static) = {
710  .path = "ikev2 set logging level",
711  .function = ikev2_set_log_level_command_fn,
712  .short_help = "ikev2 set logging level <0-5>",
713 };
714 /* *INDENT-ON* */
715 
716 /*
717  * fd.io coding-style-patch-verification: ON
718  *
719  * Local Variables:
720  * eval: (c-set-style "gnu")
721  * End:
722  */
ikev2_main_t::per_thread_data
ikev2_main_per_thread_data_t * per_thread_data
Definition: ikev2_priv.h:477
ikev2_profile_t
Definition: ikev2_priv.h:344
ikev2_profile_t::dst_port
u16 dst_port
Definition: ikev2_priv.h:361
unformat_token
unformat_function_t unformat_token
Definition: format.h:286
format_ikev2_id_type_and_data
u8 * format_ikev2_id_type_and_data(u8 *s, va_list *args)
Definition: ikev2_cli.c:25
ikev2_set_profile_responder
clib_error_t * ikev2_set_profile_responder(vlib_main_t *vm, u8 *name, u32 sw_if_index, ip4_address_t ip4)
Definition: ikev2.c:3166
ikev2_id_t::type
ikev2_id_type_t type
Definition: ikev2_priv.h:287
ikev2_transform_integ_type_t
ikev2_transform_integ_type_t
Definition: ikev2.h:268
ikev2_add_del_profile
clib_error_t * ikev2_add_del_profile(vlib_main_t *vm, u8 *name, int is_add)
Definition: ikev2.c:3021
vnet_get_main
vnet_main_t * vnet_get_main(void)
Definition: misc.c:46
ikev2_set_profile_udp_encap
clib_error_t * ikev2_set_profile_udp_encap(vlib_main_t *vm, u8 *name)
Definition: ikev2.c:3290
unformat_ikev2_transform_encr_type
uword unformat_ikev2_transform_encr_type(unformat_input_t *input, va_list *args)
ikev2_child_sa_t
Definition: ikev2_priv.h:291
ikev2_main_t::profiles
ikev2_profile_t * profiles
Definition: ikev2_priv.h:457
u64
unsigned long u64
Definition: types.h:89
ikev2_id_t
Definition: ikev2_priv.h:285
ikev2_initiate_delete_ike_sa
clib_error_t * ikev2_initiate_delete_ike_sa(vlib_main_t *vm, u64 ispi)
Definition: ikev2.c:3561
ikev2_ts_t
Definition: ikev2_priv.h:259
unformat_hex_string
unformat_function_t unformat_hex_string
Definition: format.h:289
unformat_ikev2_id_type
uword unformat_ikev2_id_type(unformat_input_t *input, va_list *args)
ikev2_set_profile_tunnel_interface
clib_error_t * ikev2_set_profile_tunnel_interface(vlib_main_t *vm, u8 *name, u32 sw_if_index)
Definition: ikev2.c:3237
set_ikev2_liveness_period_fn
static clib_error_t * set_ikev2_liveness_period_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
Definition: ikev2_cli.c:532
unformat_user
uword unformat_user(unformat_input_t *input, unformat_function_t *func,...)
Definition: unformat.c:989
ikev2_set_profile_sa_lifetime
clib_error_t * ikev2_set_profile_sa_lifetime(vlib_main_t *vm, u8 *name, u64 lifetime, u32 jitter, u32 handover, u64 maxdata)
Definition: ikev2.c:3306
format
u8 * format(u8 *s, const char *fmt,...)
Definition: format.c:424
unformat_vnet_sw_interface
unformat_function_t unformat_vnet_sw_interface
Definition: interface_funcs.h:445
ikev2_set_liveness_params
clib_error_t * ikev2_set_liveness_params(u32 period, u32 max_retries)
Definition: ikev2.c:3861
format_vnet_sw_if_index_name
format_function_t format_vnet_sw_if_index_name
Definition: interface_funcs.h:441
u8
unsigned char u8
Definition: types.h:56
ikev2_set_profile_ipsec_udp_port
vnet_api_error_t ikev2_set_profile_ipsec_udp_port(vlib_main_t *vm, u8 *name, u16 port, u8 is_set)
Definition: ikev2.c:3257
clib_memcpy
#define clib_memcpy(d, s, n)
Definition: string.h:180
ikev2_profile_t::rem_id
ikev2_id_t rem_id
Definition: ikev2_priv.h:351
ikev2_transform_dh_type_t
ikev2_transform_dh_type_t
Definition: ikev2.h:318
log_level
log_level
Definition: vpe_types.api:32
ikev2_main_t
Definition: ikev2_priv.h:454
show_ikev2_sa_command_fn
static clib_error_t * show_ikev2_sa_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
Definition: ikev2_cli.c:51
format_ip4_address
format_function_t format_ip4_address
Definition: format.h:73
pool_foreach
#define pool_foreach(VAR, POOL, BODY)
Iterate through pool.
Definition: pool.h:513
unformat_ip4_address
unformat_function_t unformat_ip4_address
Definition: format.h:68
ikev2_initiate_sa_init
clib_error_t * ikev2_initiate_sa_init(vlib_main_t *vm, u8 *name)
Definition: ikev2.c:3329
unformat_ikev2_transform_dh_type
uword unformat_ikev2_transform_dh_type(unformat_input_t *input, va_list *args)
vec_new
#define vec_new(T, N)
Create new vector of given type and length (unspecified alignment, no header).
Definition: vec.h:350
ikev2_set_profile_auth
clib_error_t * ikev2_set_profile_auth(vlib_main_t *vm, u8 *name, u8 auth_method, u8 *auth_data, u8 data_hex_format)
Definition: ikev2.c:3056
ikev2_ts_t::start_addr
ip4_address_t start_addr
Definition: ikev2_priv.h:266
ikev2_profile_t::tun_itf
u32 tun_itf
Definition: ikev2_priv.h:363
format_hex_bytes
u8 * format_hex_bytes(u8 *s, va_list *va)
Definition: std-formats.c:84
clib_error_return
#define clib_error_return(e, args...)
Definition: error.h:99
ikev2_set_profile_esp_transforms
clib_error_t * ikev2_set_profile_esp_transforms(vlib_main_t *vm, u8 *name, ikev2_transform_encr_type_t crypto_alg, ikev2_transform_integ_type_t integ_alg, ikev2_transform_dh_type_t dh_type, u32 crypto_key_size)
Definition: ikev2.c:3212
ikev2_main_per_thread_data_t::sas
ikev2_sa_t * sas
Definition: ikev2_priv.h:448
ikev2_id_t::data
u8 * data
Definition: ikev2_priv.h:288
u32
unsigned int u32
Definition: types.h:88
ikev2_profile_t::loc_id
ikev2_id_t loc_id
Definition: ikev2_priv.h:350
unformat_line_input
unformat_function_t unformat_line_input
Definition: format.h:283
ip4_address_t
Definition: ip4_packet.h:49
ikev2_set_log_level
int ikev2_set_log_level(ikev2_log_level_t log_level)
Definition: ikev2.c:3846
ikev2_set_profile_id
clib_error_t * ikev2_set_profile_id(vlib_main_t *vm, u8 *name, u8 id_type, u8 *data, int is_local)
Definition: ikev2.c:3088
ikev2_main
ikev2_main_t ikev2_main
Definition: ikev2.c:35
ikev2_profile_t::rem_ts
ikev2_ts_t rem_ts
Definition: ikev2_priv.h:353
unformat_input_t
struct _unformat_input_t unformat_input_t
u16
unsigned short u16
Definition: types.h:57
ikev2_ts_t::end_port
u16 end_port
Definition: ikev2_priv.h:265
ikev2_initiate_delete_child_sa
clib_error_t * ikev2_initiate_delete_child_sa(vlib_main_t *vm, u32 ispi)
Definition: ikev2.c:3521
ip4
vl_api_ip4_address_t ip4
Definition: one.api:376
ikev2_sa_transform_t
Definition: ikev2_priv.h:227
format_vnet_api_errno
static u8 * format_vnet_api_errno(u8 *s, va_list *args)
Definition: api_errno.h:170
ikev2_ts_t::end_addr
ip4_address_t end_addr
Definition: ikev2_priv.h:267
vm
vlib_main_t * vm
Definition: in2out_ed.c:1599
ikev2_set_local_key
clib_error_t * ikev2_set_local_key(vlib_main_t *vm, u8 *file)
Definition: ikev2.c:2957
ikev2_set_profile_ts
clib_error_t * ikev2_set_profile_ts(vlib_main_t *vm, u8 *name, u8 protocol_id, u16 start_port, u16 end_port, ip4_address_t start_addr, ip4_address_t end_addr, int is_local)
Definition: ikev2.c:3127
ikev2_initiate_rekey_child_sa
clib_error_t * ikev2_initiate_rekey_child_sa(vlib_main_t *vm, u32 ispi)
Definition: ikev2.c:3671
ikev2_profile_t::udp_encap
u8 udp_encap
Definition: ikev2_priv.h:364
UNFORMAT_END_OF_INPUT
#define UNFORMAT_END_OF_INPUT
Definition: format.h:145
ikev2_sa_t
Definition: ikev2_priv.h:367
ikev2_transform_encr_type_t
ikev2_transform_encr_type_t
Definition: ikev2.h:227
vec_free
#define vec_free(V)
Free vector&#39;s memory (no header).
Definition: vec.h:380
ipsec_sa.h
name
string name[64]
Definition: ip.api:44
ikev2_profile_t::loc_ts
ikev2_ts_t loc_ts
Definition: ikev2_priv.h:352
ikev2_priv.h
VLIB_CLI_COMMAND
#define VLIB_CLI_COMMAND(x,...)
Definition: cli.h:152
vnet_main_t
Definition: vnet.h:51
ikev2_ts_t::protocol_id
u8 protocol_id
Definition: ikev2_priv.h:262
vlib_cli_output
void vlib_cli_output(vlib_main_t *vm, char *fmt,...)
Definition: cli.c:689
data
u8 data[128]
Definition: ipsec_types.api:89
ikev2_main_per_thread_data_t
Definition: ikev2_priv.h:443
ip4_address_t::as_u8
u8 as_u8[4]
Definition: ip4_packet.h:54
unformat_ikev2_transform_integ_type
uword unformat_ikev2_transform_integ_type(unformat_input_t *input, va_list *args)
clib_error_t
Definition: clib_error.h:21
show_ikev2_profile_command_fn
static clib_error_t * show_ikev2_profile_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
Definition: ikev2_cli.c:440
vec_len
#define vec_len(v)
Number of elements in vector (rvalue-only, NULL tolerant)
Definition: vec_bootstrap.h:142
ikev2_ts_t::start_port
u16 start_port
Definition: ikev2_priv.h:264
vlib_main_t
Definition: main.h:83
uword
u64 uword
Definition: types.h:112
unformat_free
static void unformat_free(unformat_input_t *i)
Definition: format.h:163
ikev2_set_profile_ike_transforms
clib_error_t * ikev2_set_profile_ike_transforms(vlib_main_t *vm, u8 *name, ikev2_transform_encr_type_t crypto_alg, ikev2_transform_integ_type_t integ_alg, ikev2_transform_dh_type_t dh_type, u32 crypto_key_size)
Definition: ikev2.c:3187
vlib_cli_command_t
Definition: cli.h:91
set_ikev2_local_key_command_fn
static clib_error_t * set_ikev2_local_key_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
Definition: ikev2_cli.c:571
format_unformat_error
u8 * format_unformat_error(u8 *s, va_list *va)
Definition: unformat.c:91
vec_foreach
#define vec_foreach(var, vec)
Vector iterator.
Definition: vec_bootstrap.h:211
ikev2_cli_reference
void ikev2_cli_reference(void)
Definition: ikev2_cli.c:676
ikev2_set_log_level_command_fn
static clib_error_t * ikev2_set_log_level_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
Definition: ikev2_cli.c:681
ip4_address_t::as_u32
u32 as_u32
Definition: ip4_packet.h:56
ikev2_profile_add_del_command_fn
static clib_error_t * ikev2_profile_add_del_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
Definition: ikev2_cli.c:176
IPSEC_UDP_PORT_NONE
#define IPSEC_UDP_PORT_NONE
Definition: ipsec_sa.h:277
ikev2_initiate_command_fn
static clib_error_t * ikev2_initiate_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
Definition: ikev2_cli.c:613
unformat
uword unformat(unformat_input_t *i, const char *fmt,...)
Definition: unformat.c:978
format_ikev2_id_type
u8 * format_ikev2_id_type(u8 *s, va_list *args)
unformat_check_input
static uword unformat_check_input(unformat_input_t *i)
Definition: format.h:171