FD.io VPP  v20.09-rc2-28-g3c5414029
Vector Packet Processing
ikev2_cli.c
Go to the documentation of this file.
1 /*
2  * Copyright (c) 2015 Cisco and/or its affiliates.
3  * Licensed under the Apache License, Version 2.0 (the "License");
4  * you may not use this file except in compliance with the License.
5  * You may obtain a copy of the License at:
6  *
7  * http://www.apache.org/licenses/LICENSE-2.0
8  *
9  * Unless required by applicable law or agreed to in writing, software
10  * distributed under the License is distributed on an "AS IS" BASIS,
11  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12  * See the License for the specific language governing permissions and
13  * limitations under the License.
14  */
15 #include <vlib/vlib.h>
16 #include <vnet/vnet.h>
17 #include <vnet/pg/pg.h>
18 #include <vppinfra/error.h>
19 #include <vnet/udp/udp.h>
20 #include <vnet/ipsec/ipsec_sa.h>
21 #include <plugins/ikev2/ikev2.h>
22 #include <plugins/ikev2/ikev2_priv.h>
23 
24 u8 *
25 format_ikev2_id_type_and_data (u8 * s, va_list * args)
26 {
27  ikev2_id_t *id = va_arg (*args, ikev2_id_t *);
28 
29  if (id->type == 0 || vec_len (id->data) == 0)
30  return format (s, "none");
31 
32  s = format (s, "%U", format_ikev2_id_type, id->type);
33 
34  if (id->type == IKEV2_ID_TYPE_ID_FQDN ||
35  id->type == IKEV2_ID_TYPE_ID_RFC822_ADDR)
36  {
37  s = format (s, " %v", id->data);
38  }
39  else
40  {
41  s =
42  format (s, " %U", format_hex_bytes, &id->data,
43  (uword) (vec_len (id->data)));
44  }
45 
46  return s;
47 }
48 
49 
50 static clib_error_t *
51 show_ikev2_sa_command_fn (vlib_main_t * vm,
52  unformat_input_t * input, vlib_cli_command_t * cmd)
53 {
54  ikev2_main_t *km = &ikev2_main;
55  ikev2_main_per_thread_data_t *tkm;
56  ikev2_sa_t *sa;
57  ikev2_ts_t *ts;
58  ikev2_child_sa_t *child;
59  ikev2_sa_transform_t *tr;
60 
61  vec_foreach (tkm, km->per_thread_data)
62  {
63  /* *INDENT-OFF* */
64  pool_foreach (sa, tkm->sas, ({
65  u8 * s = 0;
66  vlib_cli_output(vm, " iip %U ispi %lx rip %U rspi %lx",
67  format_ip4_address, &sa->iaddr, sa->ispi,
68  format_ip4_address, &sa->raddr, sa->rspi);
69 
70  tr = ikev2_sa_get_td_for_type(sa->r_proposals, IKEV2_TRANSFORM_TYPE_ENCR);
71  s = format(s, "%U ", format_ikev2_sa_transform, tr);
72 
73  tr = ikev2_sa_get_td_for_type(sa->r_proposals, IKEV2_TRANSFORM_TYPE_PRF);
74  s = format(s, "%U ", format_ikev2_sa_transform, tr);
75 
76  tr = ikev2_sa_get_td_for_type(sa->r_proposals, IKEV2_TRANSFORM_TYPE_INTEG);
77  s = format(s, "%U ", format_ikev2_sa_transform, tr);
78 
79  tr = ikev2_sa_get_td_for_type(sa->r_proposals, IKEV2_TRANSFORM_TYPE_DH);
80  s = format(s, "%U ", format_ikev2_sa_transform, tr);
81 
82  vlib_cli_output(vm, " %v", s);
83  vec_free(s);
84 
85  vlib_cli_output(vm, " nonce i:%U\n r:%U",
86  format_hex_bytes, sa->i_nonce, vec_len(sa->i_nonce),
87  format_hex_bytes, sa->r_nonce, vec_len(sa->r_nonce));
88 
89  vlib_cli_output(vm, " SK_d %U",
90  format_hex_bytes, sa->sk_d, vec_len(sa->sk_d));
91  if (sa->sk_ai)
92  {
93  vlib_cli_output(vm, " SK_a i:%U\n r:%U",
94  format_hex_bytes, sa->sk_ai, vec_len(sa->sk_ai),
95  format_hex_bytes, sa->sk_ar, vec_len(sa->sk_ar));
96  }
97  vlib_cli_output(vm, " SK_e i:%U\n r:%U",
98  format_hex_bytes, sa->sk_ei, vec_len(sa->sk_ei),
99  format_hex_bytes, sa->sk_er, vec_len(sa->sk_er));
100  vlib_cli_output(vm, " SK_p i:%U\n r:%U",
101  format_hex_bytes, sa->sk_pi, vec_len(sa->sk_pi),
102  format_hex_bytes, sa->sk_pr, vec_len(sa->sk_pr));
103 
104  vlib_cli_output(vm, " identifier (i) %U",
105  format_ikev2_id_type_and_data, &sa->i_id);
106  vlib_cli_output(vm, " identifier (r) %U",
107  format_ikev2_id_type_and_data, &sa->r_id);
108 
109  vec_foreach(child, sa->childs)
110  {
111  vlib_cli_output(vm, " child sa %u:", child - sa->childs);
112 
113  tr = ikev2_sa_get_td_for_type(child->r_proposals, IKEV2_TRANSFORM_TYPE_ENCR);
114  s = format(s, "%U ", format_ikev2_sa_transform, tr);
115 
116  tr = ikev2_sa_get_td_for_type(child->r_proposals, IKEV2_TRANSFORM_TYPE_INTEG);
117  s = format(s, "%U ", format_ikev2_sa_transform, tr);
118 
119  tr = ikev2_sa_get_td_for_type(child->r_proposals, IKEV2_TRANSFORM_TYPE_ESN);
120  s = format(s, "%U ", format_ikev2_sa_transform, tr);
121 
122  vlib_cli_output(vm, " %v", s);
123  vec_free(s);
124 
125  vlib_cli_output(vm, " spi(i) %lx spi(r) %lx",
126  child->i_proposals ? child->i_proposals[0].spi : 0,
127  child->r_proposals ? child->r_proposals[0].spi : 0);
128 
129  vlib_cli_output(vm, " SK_e i:%U\n r:%U",
130  format_hex_bytes, child->sk_ei, vec_len(child->sk_ei),
131  format_hex_bytes, child->sk_er, vec_len(child->sk_er));
132  if (child->sk_ai)
133  {
134  vlib_cli_output(vm, " SK_a i:%U\n r:%U",
135  format_hex_bytes, child->sk_ai, vec_len(child->sk_ai),
136  format_hex_bytes, child->sk_ar, vec_len(child->sk_ar));
137  vlib_cli_output(vm, " traffic selectors (i):");
138  }
139  vec_foreach(ts, child->tsi)
140  {
141  vlib_cli_output(vm, " %u type %u protocol_id %u addr "
142  "%U - %U port %u - %u",
143  ts - child->tsi,
144  ts->ts_type, ts->protocol_id,
145  format_ip4_address, &ts->start_addr,
146  format_ip4_address, &ts->end_addr,
147  clib_net_to_host_u16( ts->start_port),
148  clib_net_to_host_u16( ts->end_port));
149  }
150  vlib_cli_output(vm, " traffic selectors (r):");
151  vec_foreach(ts, child->tsr)
152  {
153  vlib_cli_output(vm, " %u type %u protocol_id %u addr "
154  "%U - %U port %u - %u",
155  ts - child->tsr,
156  ts->ts_type, ts->protocol_id,
157  format_ip4_address, &ts->start_addr,
158  format_ip4_address, &ts->end_addr,
159  clib_net_to_host_u16( ts->start_port),
160  clib_net_to_host_u16( ts->end_port));
161  }
162  }
163  vlib_cli_output(vm, "");
164  }));
165  /* *INDENT-ON* */
166  }
167  return 0;
168 }
169 
170 /* *INDENT-OFF* */
171 VLIB_CLI_COMMAND (show_ikev2_sa_command, static) = {
172  .path = "show ikev2 sa",
173  .short_help = "show ikev2 sa",
174  .function = show_ikev2_sa_command_fn,
175 };
176 /* *INDENT-ON* */
177 
178 static clib_error_t *
179 ikev2_profile_add_del_command_fn (vlib_main_t * vm,
180  unformat_input_t * input,
181  vlib_cli_command_t * cmd)
182 {
183  vnet_main_t *vnm = vnet_get_main ();
184  unformat_input_t _line_input, *line_input = &_line_input;
185  u8 *name = 0;
186  clib_error_t *r = 0;
187  u32 id_type;
188  u8 *data = 0;
189  u32 tmp1, tmp2, tmp3;
190  u64 tmp4, tmp5;
191  ip4_address_t ip4;
192  ip4_address_t end_addr;
193  u32 responder_sw_if_index = (u32) ~ 0;
194  u32 tun_sw_if_index = (u32) ~ 0;
195  ip4_address_t responder_ip4;
196  ikev2_transform_encr_type_t crypto_alg;
197  ikev2_transform_integ_type_t integ_alg;
198  ikev2_transform_dh_type_t dh_type;
199 
200  const char *valid_chars = "a-zA-Z0-9_";
201 
202  if (!unformat_user (input, unformat_line_input, line_input))
203  return 0;
204 
205  while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
206  {
207  if (unformat (line_input, "add %U", unformat_token, valid_chars, &name))
208  {
209  r = ikev2_add_del_profile (vm, name, 1);
210  goto done;
211  }
212  else
213  if (unformat
214  (line_input, "del %U", unformat_token, valid_chars, &name))
215  {
216  r = ikev2_add_del_profile (vm, name, 0);
217  goto done;
218  }
219  else if (unformat (line_input, "set %U auth shared-key-mic string %v",
220  unformat_token, valid_chars, &name, &data))
221  {
222  r =
223  ikev2_set_profile_auth (vm, name,
224  IKEV2_AUTH_METHOD_SHARED_KEY_MIC, data,
225  0);
226  goto done;
227  }
228  else if (unformat (line_input, "set %U auth shared-key-mic hex %U",
229  unformat_token, valid_chars, &name,
230  unformat_hex_string, &data))
231  {
232  r =
233  ikev2_set_profile_auth (vm, name,
234  IKEV2_AUTH_METHOD_SHARED_KEY_MIC, data,
235  1);
236  goto done;
237  }
238  else if (unformat (line_input, "set %U auth rsa-sig cert-file %v",
239  unformat_token, valid_chars, &name, &data))
240  {
241  r =
242  ikev2_set_profile_auth (vm, name, IKEV2_AUTH_METHOD_RSA_SIG, data,
243  0);
244  goto done;
245  }
246  else if (unformat (line_input, "set %U id local %U %U",
247  unformat_token, valid_chars, &name,
248  unformat_ikev2_id_type, &id_type,
249  unformat_ip4_address, &ip4))
250  {
251  data = vec_new (u8, 4);
252  clib_memcpy (data, ip4.as_u8, 4);
253  r =
254  ikev2_set_profile_id (vm, name, (u8) id_type, data, /*local */ 1);
255  goto done;
256  }
257  else if (unformat (line_input, "set %U id local %U 0x%U",
258  unformat_token, valid_chars, &name,
259  unformat_ikev2_id_type, &id_type,
260  unformat_hex_string, &data))
261  {
262  r =
263  ikev2_set_profile_id (vm, name, (u8) id_type, data, /*local */ 1);
264  goto done;
265  }
266  else if (unformat (line_input, "set %U id local %U %v",
267  unformat_token, valid_chars, &name,
268  unformat_ikev2_id_type, &id_type, &data))
269  {
270  r =
271  ikev2_set_profile_id (vm, name, (u8) id_type, data, /*local */ 1);
272  goto done;
273  }
274  else if (unformat (line_input, "set %U id remote %U %U",
275  unformat_token, valid_chars, &name,
276  unformat_ikev2_id_type, &id_type,
277  unformat_ip4_address, &ip4))
278  {
279  data = vec_new (u8, 4);
280  clib_memcpy (data, ip4.as_u8, 4);
281  r = ikev2_set_profile_id (vm, name, (u8) id_type, data, /*remote */
282  0);
283  goto done;
284  }
285  else if (unformat (line_input, "set %U id remote %U 0x%U",
286  unformat_token, valid_chars, &name,
287  unformat_ikev2_id_type, &id_type,
288  unformat_hex_string, &data))
289  {
290  r = ikev2_set_profile_id (vm, name, (u8) id_type, data, /*remote */
291  0);
292  goto done;
293  }
294  else if (unformat (line_input, "set %U id remote %U %v",
295  unformat_token, valid_chars, &name,
296  unformat_ikev2_id_type, &id_type, &data))
297  {
298  r = ikev2_set_profile_id (vm, name, (u8) id_type, data, /*remote */
299  0);
300  goto done;
301  }
302  else if (unformat (line_input, "set %U traffic-selector local "
303  "ip-range %U - %U port-range %u - %u protocol %u",
304  unformat_token, valid_chars, &name,
305  unformat_ip4_address, &ip4,
306  unformat_ip4_address, &end_addr,
307  &tmp1, &tmp2, &tmp3))
308  {
309  r =
310  ikev2_set_profile_ts (vm, name, (u8) tmp3, (u16) tmp1, (u16) tmp2,
311  ip4, end_addr, /*local */ 1);
312  goto done;
313  }
314  else if (unformat (line_input, "set %U traffic-selector remote "
315  "ip-range %U - %U port-range %u - %u protocol %u",
316  unformat_token, valid_chars, &name,
317  unformat_ip4_address, &ip4,
318  unformat_ip4_address, &end_addr,
319  &tmp1, &tmp2, &tmp3))
320  {
321  r =
322  ikev2_set_profile_ts (vm, name, (u8) tmp3, (u16) tmp1, (u16) tmp2,
323  ip4, end_addr, /*remote */ 0);
324  goto done;
325  }
326  else if (unformat (line_input, "set %U responder %U %U",
327  unformat_token, valid_chars, &name,
328  unformat_vnet_sw_interface, vnm,
329  &responder_sw_if_index, unformat_ip4_address,
330  &responder_ip4))
331  {
332  r =
333  ikev2_set_profile_responder (vm, name, responder_sw_if_index,
334  responder_ip4);
335  goto done;
336  }
337  else if (unformat (line_input, "set %U tunnel %U",
338  unformat_token, valid_chars, &name,
339  unformat_vnet_sw_interface, vnm, &tun_sw_if_index))
340  {
341  r = ikev2_set_profile_tunnel_interface (vm, name, tun_sw_if_index);
342  goto done;
343  }
344  else
345  if (unformat
346  (line_input,
347  "set %U ike-crypto-alg %U %u ike-integ-alg %U ike-dh %U",
348  unformat_token, valid_chars, &name,
349  unformat_ikev2_transform_encr_type, &crypto_alg, &tmp1,
350  unformat_ikev2_transform_integ_type, &integ_alg,
351  unformat_ikev2_transform_dh_type, &dh_type))
352  {
353  r =
354  ikev2_set_profile_ike_transforms (vm, name, crypto_alg, integ_alg,
355  dh_type, tmp1);
356  goto done;
357  }
358  else
359  if (unformat
360  (line_input,
361  "set %U ike-crypto-alg %U %u ike-dh %U",
362  unformat_token, valid_chars, &name,
363  unformat_ikev2_transform_encr_type, &crypto_alg, &tmp1,
364  unformat_ikev2_transform_dh_type, &dh_type))
365  {
366  r =
367  ikev2_set_profile_ike_transforms (vm, name, crypto_alg,
368  IKEV2_TRANSFORM_INTEG_TYPE_NONE,
369  dh_type, tmp1);
370  goto done;
371  }
372  else
373  if (unformat
374  (line_input,
375  "set %U esp-crypto-alg %U %u esp-integ-alg %U",
376  unformat_token, valid_chars, &name,
377  unformat_ikev2_transform_encr_type, &crypto_alg, &tmp1,
378  unformat_ikev2_transform_integ_type, &integ_alg))
379  {
380  r =
381  ikev2_set_profile_esp_transforms (vm, name, crypto_alg, integ_alg,
382  tmp1);
383  goto done;
384  }
385  else if (unformat
386  (line_input,
387  "set %U esp-crypto-alg %U %u",
388  unformat_token, valid_chars, &name,
389  unformat_ikev2_transform_encr_type, &crypto_alg, &tmp1))
390  {
391  r =
392  ikev2_set_profile_esp_transforms (vm, name, crypto_alg, 0, tmp1);
393  goto done;
394  }
395  else if (unformat (line_input, "set %U sa-lifetime %lu %u %u %lu",
396  unformat_token, valid_chars, &name,
397  &tmp4, &tmp1, &tmp2, &tmp5))
398  {
399  r =
400  ikev2_set_profile_sa_lifetime (vm, name, tmp4, tmp1, tmp2, tmp5);
401  goto done;
402  }
403  else if (unformat (line_input, "set %U udp-encap",
404  unformat_token, valid_chars, &name))
405  {
406  r = ikev2_set_profile_udp_encap (vm, name);
407  goto done;
408  }
409  else if (unformat (line_input, "set %U ipsec-over-udp port %u",
410  unformat_token, valid_chars, &name, &tmp1))
411  {
412  int rv = ikev2_set_profile_ipsec_udp_port (vm, name, tmp1, 1);
413  if (rv)
414  r = clib_error_return (0, "Error: %U", format_vnet_api_errno, rv);
415  goto done;
416  }
417  else
418  break;
419  }
420 
421  r = clib_error_return (0, "parse error: '%U'",
422  format_unformat_error, line_input);
423 
424 done:
425  vec_free (name);
426  vec_free (data);
427  unformat_free (line_input);
428  return r;
429 }
430 
431 /* *INDENT-OFF* */
432 VLIB_CLI_COMMAND (ikev2_profile_add_del_command, static) = {
433  .path = "ikev2 profile",
434  .short_help =
435  "ikev2 profile [add|del] <id>\n"
436  "ikev2 profile set <id> auth [rsa-sig|shared-key-mic] [cert-file|string|hex]"
437  " <data>\n"
438  "ikev2 profile set <id> id <local|remote> <type> <data>\n"
439  "ikev2 profile set <id> tunnel <interface>\n"
440  "ikev2 profile set <id> udp-encap\n"
441  "ikev2 profile set <id> traffic-selector <local|remote> ip-range "
442  "<start-addr> - <end-addr> port-range <start-port> - <end-port> "
443  "protocol <protocol-number>\n"
444  "ikev2 profile set <id> responder <interface> <addr>\n"
445  "ikev2 profile set <id> ike-crypto-alg <crypto alg> <key size> ike-integ-alg <integ alg> ike-dh <dh type>\n"
446  "ikev2 profile set <id> esp-crypto-alg <crypto alg> <key size> "
447  "[esp-integ-alg <integ alg>]\n"
448  "ikev2 profile set <id> sa-lifetime <seconds> <jitter> <handover> <max bytes>",
449  .function = ikev2_profile_add_del_command_fn,
450 };
451 /* *INDENT-ON* */
452 
453 static clib_error_t *
454 show_ikev2_profile_command_fn (vlib_main_t * vm,
455  unformat_input_t * input,
456  vlib_cli_command_t * cmd)
457 {
458  ikev2_main_t *km = &ikev2_main;
459  ikev2_profile_t *p;
460 
461  /* *INDENT-OFF* */
462  pool_foreach (p, km->profiles, ({
463  vlib_cli_output(vm, "profile %v", p->name);
464 
465  if (p->auth.data)
466  {
467  if (p->auth.hex)
468  vlib_cli_output(vm, " auth-method %U auth data 0x%U",
469  format_ikev2_auth_method, p->auth.method,
470  format_hex_bytes, p->auth.data, vec_len(p->auth.data));
471  else
472  vlib_cli_output(vm, " auth-method %U auth data %v",
473  format_ikev2_auth_method, p->auth.method, p->auth.data);
474  }
475 
476  if (p->loc_id.data)
477  {
478  if (p->loc_id.type == IKEV2_ID_TYPE_ID_IPV4_ADDR)
479  vlib_cli_output(vm, " local id-type %U data %U",
480  format_ikev2_id_type, p->loc_id.type,
481  format_ip4_address, p->loc_id.data);
482  else if (p->loc_id.type == IKEV2_ID_TYPE_ID_KEY_ID)
483  vlib_cli_output(vm, " local id-type %U data 0x%U",
484  format_ikev2_id_type, p->loc_id.type,
485  format_hex_bytes, p->loc_id.data,
486  vec_len(p->loc_id.data));
487  else
488  vlib_cli_output(vm, " local id-type %U data %v",
489  format_ikev2_id_type, p->loc_id.type, p->loc_id.data);
490  }
491 
492  if (p->rem_id.data)
493  {
494  if (p->rem_id.type == IKEV2_ID_TYPE_ID_IPV4_ADDR)
495  vlib_cli_output(vm, " remote id-type %U data %U",
496  format_ikev2_id_type, p->rem_id.type,
497  format_ip4_address, p->rem_id.data);
498  else if (p->rem_id.type == IKEV2_ID_TYPE_ID_KEY_ID)
499  vlib_cli_output(vm, " remote id-type %U data 0x%U",
500  format_ikev2_id_type, p->rem_id.type,
501  format_hex_bytes, p->rem_id.data,
502  vec_len(p->rem_id.data));
503  else
504  vlib_cli_output(vm, " remote id-type %U data %v",
505  format_ikev2_id_type, p->rem_id.type, p->rem_id.data);
506  }
507 
508  if (p->loc_ts.end_addr.as_u32)
509  vlib_cli_output(vm, " local traffic-selector addr %U - %U port %u - %u"
510  " protocol %u",
511  format_ip4_address, &p->loc_ts.start_addr,
512  format_ip4_address, &p->loc_ts.end_addr,
513  p->loc_ts.start_port, p->loc_ts.end_port,
514  p->loc_ts.protocol_id);
515 
516  if (p->rem_ts.end_addr.as_u32)
517  vlib_cli_output(vm, " remote traffic-selector addr %U - %U port %u - %u"
518  " protocol %u",
519  format_ip4_address, &p->rem_ts.start_addr,
520  format_ip4_address, &p->rem_ts.end_addr,
521  p->rem_ts.start_port, p->rem_ts.end_port,
522  p->rem_ts.protocol_id);
523  if (~0 != p->tun_itf)
524  vlib_cli_output(vm, " protected tunnel %U",
525  format_vnet_sw_if_index_name, vnet_get_main(), p->tun_itf);
526  if (~0 != p->responder.sw_if_index)
527  vlib_cli_output(vm, " responder %U %U",
528  format_vnet_sw_if_index_name, vnet_get_main(), p->responder.sw_if_index,
529  format_ip4_address, &p->responder.ip4);
530  if (p->udp_encap)
531  vlib_cli_output(vm, " udp-encap");
532 
533  if (p->ipsec_over_udp_port != IPSEC_UDP_PORT_NONE)
534  vlib_cli_output(vm, " ipsec-over-udp port %d", p->ipsec_over_udp_port);
535 
536  if (p->ike_ts.crypto_alg || p->ike_ts.integ_alg || p->ike_ts.dh_type || p->ike_ts.crypto_key_size)
537  vlib_cli_output(vm, " ike-crypto-alg %U %u ike-integ-alg %U ike-dh %U",
538  format_ikev2_transform_encr_type, p->ike_ts.crypto_alg, p->ike_ts.crypto_key_size,
539  format_ikev2_transform_integ_type, p->ike_ts.integ_alg,
540  format_ikev2_transform_dh_type, p->ike_ts.dh_type);
541 
542  if (p->esp_ts.crypto_alg || p->esp_ts.integ_alg || p->esp_ts.dh_type)
543  vlib_cli_output(vm, " esp-crypto-alg %U %u esp-integ-alg %U",
544  format_ikev2_transform_encr_type, p->esp_ts.crypto_alg, p->esp_ts.crypto_key_size,
545  format_ikev2_transform_integ_type, p->esp_ts.integ_alg);
546 
547  vlib_cli_output(vm, " lifetime %d jitter %d handover %d maxdata %d",
548  p->lifetime, p->lifetime_jitter, p->handover, p->lifetime_maxdata);
549  }));
550  /* *INDENT-ON* */
551 
552  return 0;
553 }
554 
555 /* *INDENT-OFF* */
556 VLIB_CLI_COMMAND (show_ikev2_profile_command, static) = {
557  .path = "show ikev2 profile",
558  .short_help = "show ikev2 profile",
559  .function = show_ikev2_profile_command_fn,
560 };
561 /* *INDENT-ON* */
562 
563 static clib_error_t *
564 set_ikev2_liveness_period_fn (vlib_main_t * vm,
565  unformat_input_t * input,
566  vlib_cli_command_t * cmd)
567 {
568  unformat_input_t _line_input, *line_input = &_line_input;
569  clib_error_t *r = 0;
570  u32 period = 0, max_retries = 0;
571 
572  if (!unformat_user (input, unformat_line_input, line_input))
573  return 0;
574 
575  while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
576  {
577  if (unformat (line_input, "%d %d", &period, &max_retries))
578  {
579  r = ikev2_set_liveness_params (period, max_retries);
580  goto done;
581  }
582  else
583  break;
584  }
585 
586  r = clib_error_return (0, "parse error: '%U'",
587  format_unformat_error, line_input);
588 
589 done:
590  unformat_free (line_input);
591  return r;
592 }
593 
594 /* *INDENT-OFF* */
595 VLIB_CLI_COMMAND (set_ikev2_liveness_command, static) = {
596  .path = "ikev2 set liveness",
597  .short_help = "ikev2 set liveness <period> <max-retires>",
598  .function = set_ikev2_liveness_period_fn,
599 };
600 /* *INDENT-ON* */
601 
602 static clib_error_t *
603 set_ikev2_local_key_command_fn (vlib_main_t * vm,
604  unformat_input_t * input,
605  vlib_cli_command_t * cmd)
606 {
607  unformat_input_t _line_input, *line_input = &_line_input;
608  clib_error_t *r = 0;
609  u8 *data = 0;
610 
611  if (!unformat_user (input, unformat_line_input, line_input))
612  return 0;
613 
614  while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
615  {
616  if (unformat (line_input, "%s", &data))
617  {
618  r = ikev2_set_local_key (vm, data);
619  goto done;
620  }
621  else
622  break;
623  }
624 
625  r = clib_error_return (0, "parse error: '%U'",
626  format_unformat_error, line_input);
627 
628 done:
629  vec_free (data);
630  unformat_free (line_input);
631  return r;
632 }
633 
634 /* *INDENT-OFF* */
635 VLIB_CLI_COMMAND (set_ikev2_local_key_command, static) = {
636  .path = "set ikev2 local key",
637  .short_help =
638  "set ikev2 local key <file>",
639  .function = set_ikev2_local_key_command_fn,
640 };
641 /* *INDENT-ON* */
642 
643 
644 static clib_error_t *
645 ikev2_initiate_command_fn (vlib_main_t * vm,
646  unformat_input_t * input, vlib_cli_command_t * cmd)
647 {
648  unformat_input_t _line_input, *line_input = &_line_input;
649  clib_error_t *r = 0;
650  u8 *name = 0;
651  u32 tmp1;
652  u64 tmp2;
653 
654  const char *valid_chars = "a-zA-Z0-9_";
655 
656  if (!unformat_user (input, unformat_line_input, line_input))
657  return 0;
658 
659  while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
660  {
661  if (unformat
662  (line_input, "sa-init %U", unformat_token, valid_chars, &name))
663  {
664  r = ikev2_initiate_sa_init (vm, name);
665  goto done;
666  }
667  else if (unformat (line_input, "del-child-sa %x", &tmp1))
668  {
669  r = ikev2_initiate_delete_child_sa (vm, tmp1);
670  goto done;
671  }
672  else if (unformat (line_input, "del-sa %lx", &tmp2))
673  {
674  r = ikev2_initiate_delete_ike_sa (vm, tmp2);
675  goto done;
676  }
677  else if (unformat (line_input, "rekey-child-sa %x", &tmp1))
678  {
679  r = ikev2_initiate_rekey_child_sa (vm, tmp1);
680  goto done;
681  }
682  else
683  break;
684  }
685 
686  r = clib_error_return (0, "parse error: '%U'",
687  format_unformat_error, line_input);
688 
689 done:
690  vec_free (name);
691  unformat_free (line_input);
692  return r;
693 }
694 
695 /* *INDENT-OFF* */
696 VLIB_CLI_COMMAND (ikev2_initiate_command, static) = {
697  .path = "ikev2 initiate",
698  .short_help =
699  "ikev2 initiate sa-init <profile id>\n"
700  "ikev2 initiate del-child-sa <child sa ispi>\n"
701  "ikev2 initiate del-sa <sa ispi>\n"
702  "ikev2 initiate rekey-child-sa <profile id> <child sa ispi>\n",
703  .function = ikev2_initiate_command_fn,
704 };
705 /* *INDENT-ON* */
706 
707 void
708 ikev2_cli_reference (void)
709 {
710 }
711 
712 static clib_error_t *
713 ikev2_set_log_level_command_fn (vlib_main_t * vm,
714  unformat_input_t * input,
715  vlib_cli_command_t * cmd)
716 {
717  unformat_input_t _line_input, *line_input = &_line_input;
718  u32 log_level = IKEV2_LOG_NONE;
719  clib_error_t *error = 0;
720 
721  /* Get a line of input. */
722  if (!unformat_user (input, unformat_line_input, line_input))
723  return 0;
724 
725  if (!unformat (line_input, "%d", &log_level))
726  {
727  error = clib_error_return (0, "unknown input '%U'",
728  format_unformat_error, line_input);
729  goto done;
730  }
731  int rc = ikev2_set_log_level (log_level);
732  if (rc < 0)
733  error = clib_error_return (0, "setting log level failed!");
734 
735 done:
736  unformat_free (line_input);
737  return error;
738 }
739 
740 /* *INDENT-OFF* */
741 VLIB_CLI_COMMAND (ikev2_set_log_level_command, static) = {
742  .path = "ikev2 set logging level",
743  .function = ikev2_set_log_level_command_fn,
744  .short_help = "ikev2 set logging level <0-5>",
745 };
746 /* *INDENT-ON* */
747 
748 /*
749  * fd.io coding-style-patch-verification: ON
750  *
751  * Local Variables:
752  * eval: (c-set-style "gnu")
753  * End:
754  */
ikev2_main_t::per_thread_data
ikev2_main_per_thread_data_t * per_thread_data
Definition: ikev2_priv.h:489
ikev2_profile_t
Definition: ikev2_priv.h:344
unformat_token
unformat_function_t unformat_token
Definition: format.h:286
format_ikev2_id_type_and_data
u8 * format_ikev2_id_type_and_data(u8 *s, va_list *args)
Definition: ikev2_cli.c:25
ikev2_set_profile_responder
clib_error_t * ikev2_set_profile_responder(vlib_main_t *vm, u8 *name, u32 sw_if_index, ip4_address_t ip4)
Definition: ikev2.c:3520
ikev2_sa_t::r_id
ikev2_id_t r_id
Definition: ikev2_priv.h:404
ikev2_id_t::type
ikev2_id_type_t type
Definition: ikev2_priv.h:287
ikev2_profile_t::ike_ts
ikev2_transforms_set ike_ts
Definition: ikev2_priv.h:354
ikev2_profile_t::lifetime
u64 lifetime
Definition: ikev2_priv.h:356
ikev2_transform_integ_type_t
ikev2_transform_integ_type_t
Definition: ikev2.h:276
ikev2_add_del_profile
clib_error_t * ikev2_add_del_profile(vlib_main_t *vm, u8 *name, int is_add)
Definition: ikev2.c:3372
vnet_get_main
vnet_main_t * vnet_get_main(void)
Definition: misc.c:46
ikev2_set_profile_udp_encap
clib_error_t * ikev2_set_profile_udp_encap(vlib_main_t *vm, u8 *name)
Definition: ikev2.c:3642
unformat_ikev2_transform_encr_type
uword unformat_ikev2_transform_encr_type(unformat_input_t *input, va_list *args)
ikev2_child_sa_t
Definition: ikev2_priv.h:291
ikev2_transforms_set::dh_type
ikev2_transform_dh_type_t dh_type
Definition: ikev2_priv.h:280
ikev2_main_t::profiles
ikev2_profile_t * profiles
Definition: ikev2_priv.h:469
u64
unsigned long u64
Definition: types.h:89
ikev2_id_t
Definition: ikev2_priv.h:285
ikev2_initiate_delete_ike_sa
clib_error_t * ikev2_initiate_delete_ike_sa(vlib_main_t *vm, u64 ispi)
Definition: ikev2.c:3921
ikev2_ts_t
Definition: ikev2_priv.h:259
unformat_hex_string
unformat_function_t unformat_hex_string
Definition: format.h:289
unformat_ikev2_id_type
uword unformat_ikev2_id_type(unformat_input_t *input, va_list *args)
ikev2_transforms_set::crypto_key_size
u32 crypto_key_size
Definition: ikev2_priv.h:281
ikev2_transforms_set::crypto_alg
ikev2_transform_encr_type_t crypto_alg
Definition: ikev2_priv.h:278
ikev2_set_profile_tunnel_interface
clib_error_t * ikev2_set_profile_tunnel_interface(vlib_main_t *vm, u8 *name, u32 sw_if_index)
Definition: ikev2.c:3589
set_ikev2_liveness_period_fn
static clib_error_t * set_ikev2_liveness_period_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
Definition: ikev2_cli.c:564
ikev2_sa_t::sk_pi
u8 * sk_pi
Definition: ikev2_priv.h:395
unformat_user
uword unformat_user(unformat_input_t *input, unformat_function_t *func,...)
Definition: unformat.c:989
ikev2_responder_t::ip4
ip4_address_t ip4
Definition: ikev2_priv.h:273
vm
vlib_main_t * vm
Definition: in2out_ed.c:1582
ikev2_set_profile_sa_lifetime
clib_error_t * ikev2_set_profile_sa_lifetime(vlib_main_t *vm, u8 *name, u64 lifetime, u32 jitter, u32 handover, u64 maxdata)
Definition: ikev2.c:3658
format
u8 * format(u8 *s, const char *fmt,...)
Definition: format.c:424
unformat_vnet_sw_interface
unformat_function_t unformat_vnet_sw_interface
Definition: interface_funcs.h:450
ikev2_profile_t::lifetime_maxdata
u64 lifetime_maxdata
Definition: ikev2_priv.h:357
ikev2_set_liveness_params
clib_error_t * ikev2_set_liveness_params(u32 period, u32 max_retries)
Definition: ikev2.c:4207
ikev2_profile_t::ipsec_over_udp_port
u16 ipsec_over_udp_port
Definition: ikev2_priv.h:360
format_vnet_sw_if_index_name
format_function_t format_vnet_sw_if_index_name
Definition: interface_funcs.h:446
u8
unsigned char u8
Definition: types.h:56
ikev2_set_profile_ipsec_udp_port
vnet_api_error_t ikev2_set_profile_ipsec_udp_port(vlib_main_t *vm, u8 *name, u16 port, u8 is_set)
Definition: ikev2.c:3609
data
u8 data[128]
Definition: ipsec_types.api:89
clib_memcpy
#define clib_memcpy(d, s, n)
Definition: string.h:180
ikev2_profile_t::rem_id
ikev2_id_t rem_id
Definition: ikev2_priv.h:350
ikev2_transform_dh_type_t
ikev2_transform_dh_type_t
Definition: ikev2.h:326
log_level
log_level
Definition: vpe_types.api:32
ikev2_main_t
Definition: ikev2_priv.h:466
show_ikev2_sa_command_fn
static clib_error_t * show_ikev2_sa_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
Definition: ikev2_cli.c:51
format_ip4_address
format_function_t format_ip4_address
Definition: format.h:73
ikev2_ts_t::ts_type
u8 ts_type
Definition: ikev2_priv.h:261
pool_foreach
#define pool_foreach(VAR, POOL, BODY)
Iterate through pool.
Definition: pool.h:513
unformat_ip4_address
unformat_function_t unformat_ip4_address
Definition: format.h:68
ikev2_profile_t::lifetime_jitter
u32 lifetime_jitter
Definition: ikev2_priv.h:358
ikev2_initiate_sa_init
clib_error_t * ikev2_initiate_sa_init(vlib_main_t *vm, u8 *name)
Definition: ikev2.c:3681
unformat_ikev2_transform_dh_type
uword unformat_ikev2_transform_dh_type(unformat_input_t *input, va_list *args)
vec_new
#define vec_new(T, N)
Create new vector of given type and length (unspecified alignment, no header).
Definition: vec.h:350
ikev2_set_profile_auth
clib_error_t * ikev2_set_profile_auth(vlib_main_t *vm, u8 *name, u8 auth_method, u8 *auth_data, u8 data_hex_format)
Definition: ikev2.c:3408
ikev2_ts_t::start_addr
ip4_address_t start_addr
Definition: ikev2_priv.h:266
ikev2_profile_t::tun_itf
u32 tun_itf
Definition: ikev2_priv.h:362
format_hex_bytes
u8 * format_hex_bytes(u8 *s, va_list *va)
Definition: std-formats.c:84
clib_error_return
#define clib_error_return(e, args...)
Definition: error.h:99
ikev2_main_per_thread_data_t::sas
ikev2_sa_t * sas
Definition: ikev2_priv.h:453
ikev2_transforms_set::integ_alg
ikev2_transform_integ_type_t integ_alg
Definition: ikev2_priv.h:279
ikev2_id_t::data
u8 * data
Definition: ikev2_priv.h:288
u32
unsigned int u32
Definition: types.h:88
ikev2_set_profile_esp_transforms
clib_error_t * ikev2_set_profile_esp_transforms(vlib_main_t *vm, u8 *name, ikev2_transform_encr_type_t crypto_alg, ikev2_transform_integ_type_t integ_alg, u32 crypto_key_size)
Definition: ikev2.c:3566
ikev2_profile_t::loc_id
ikev2_id_t loc_id
Definition: ikev2_priv.h:349
unformat_line_input
unformat_function_t unformat_line_input
Definition: format.h:283
ikev2_profile_t::responder
ikev2_responder_t responder
Definition: ikev2_priv.h:353
ip4_address_t
Definition: ip4_packet.h:50
ikev2_set_log_level
int ikev2_set_log_level(ikev2_log_level_t log_level)
Definition: ikev2.c:4192
ikev2_set_profile_id
clib_error_t * ikev2_set_profile_id(vlib_main_t *vm, u8 *name, u8 id_type, u8 *data, int is_local)
Definition: ikev2.c:3442
ikev2_main
ikev2_main_t ikev2_main
Definition: ikev2.c:36
integ_alg
u8 integ_alg
Definition: ikev2_types.api:59
ikev2_profile_t::rem_ts
ikev2_ts_t rem_ts
Definition: ikev2_priv.h:352
unformat_input_t
struct _unformat_input_t unformat_input_t
u16
unsigned short u16
Definition: types.h:57
ikev2_ts_t::end_port
u16 end_port
Definition: ikev2_priv.h:265
ikev2_initiate_delete_child_sa
clib_error_t * ikev2_initiate_delete_child_sa(vlib_main_t *vm, u32 ispi)
Definition: ikev2.c:3881
ip4
vl_api_ip4_address_t ip4
Definition: one.api:376
ikev2_sa_transform_t
Definition: ikev2_priv.h:227
format_vnet_api_errno
static u8 * format_vnet_api_errno(u8 *s, va_list *args)
Definition: api_errno.h:172
ikev2_ts_t::end_addr
ip4_address_t end_addr
Definition: ikev2_priv.h:267
ikev2_set_local_key
clib_error_t * ikev2_set_local_key(vlib_main_t *vm, u8 *file)
Definition: ikev2.c:3204
ikev2_set_profile_ts
clib_error_t * ikev2_set_profile_ts(vlib_main_t *vm, u8 *name, u8 protocol_id, u16 start_port, u16 end_port, ip4_address_t start_addr, ip4_address_t end_addr, int is_local)
Definition: ikev2.c:3481
ikev2_sa_t::sk_ei
u8 * sk_ei
Definition: ikev2_priv.h:393
ikev2_initiate_rekey_child_sa
clib_error_t * ikev2_initiate_rekey_child_sa(vlib_main_t *vm, u32 ispi)
Definition: ikev2.c:3998
ikev2_profile_t::udp_encap
u8 udp_encap
Definition: ikev2_priv.h:363
UNFORMAT_END_OF_INPUT
#define UNFORMAT_END_OF_INPUT
Definition: format.h:145
ikev2_sa_t
Definition: ikev2_priv.h:366
ikev2_transform_encr_type_t
ikev2_transform_encr_type_t
Definition: ikev2.h:235
ikev2_child_sa_t::tsi
ikev2_ts_t * tsi
Definition: ikev2_priv.h:298
vec_free
#define vec_free(V)
Free vector&#39;s memory (no header).
Definition: vec.h:380
ikev2_sa_t::sk_er
u8 * sk_er
Definition: ikev2_priv.h:394
ipsec_sa.h
name
string name[64]
Definition: ip.api:44
ikev2_profile_t::loc_ts
ikev2_ts_t loc_ts
Definition: ikev2_priv.h:351
ikev2_priv.h
format_ikev2_transform_encr_type
u8 * format_ikev2_transform_encr_type(u8 *s, va_list *args)
VLIB_CLI_COMMAND
#define VLIB_CLI_COMMAND(x,...)
Definition: cli.h:158
vnet_main_t
Definition: vnet.h:54
ikev2_ts_t::protocol_id
u8 protocol_id
Definition: ikev2_priv.h:262
vlib_cli_output
void vlib_cli_output(vlib_main_t *vm, char *fmt,...)
Definition: cli.c:696
ikev2_main_per_thread_data_t
Definition: ikev2_priv.h:448
ip4_address_t::as_u8
u8 as_u8[4]
Definition: ip4_packet.h:55
unformat_ikev2_transform_integ_type
uword unformat_ikev2_transform_integ_type(unformat_input_t *input, va_list *args)
ikev2_profile_t::handover
u32 handover
Definition: ikev2_priv.h:359
format_ikev2_transform_dh_type
u8 * format_ikev2_transform_dh_type(u8 *s, va_list *args)
clib_error_t
Definition: clib_error.h:21
show_ikev2_profile_command_fn
static clib_error_t * show_ikev2_profile_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
Definition: ikev2_cli.c:454
format_ikev2_transform_integ_type
u8 * format_ikev2_transform_integ_type(u8 *s, va_list *args)
vec_len
#define vec_len(v)
Number of elements in vector (rvalue-only, NULL tolerant)
Definition: vec_bootstrap.h:142
ikev2_ts_t::start_port
u16 start_port
Definition: ikev2_priv.h:264
ikev2_sa_t::sk_pr
u8 * sk_pr
Definition: ikev2_priv.h:396
vlib_main_t
Definition: main.h:120
uword
u64 uword
Definition: types.h:112
unformat_free
static void unformat_free(unformat_input_t *i)
Definition: format.h:163
ikev2_set_profile_ike_transforms
clib_error_t * ikev2_set_profile_ike_transforms(vlib_main_t *vm, u8 *name, ikev2_transform_encr_type_t crypto_alg, ikev2_transform_integ_type_t integ_alg, ikev2_transform_dh_type_t dh_type, u32 crypto_key_size)
Definition: ikev2.c:3541
ikev2_sa_t::i_id
ikev2_id_t i_id
Definition: ikev2_priv.h:403
vlib_cli_command_t
Definition: cli.h:91
ikev2_child_sa_t::tsr
ikev2_ts_t * tsr
Definition: ikev2_priv.h:299
ikev2_sa_t::childs
ikev2_child_sa_t * childs
Definition: ikev2_priv.h:434
set_ikev2_local_key_command_fn
static clib_error_t * set_ikev2_local_key_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
Definition: ikev2_cli.c:603
end_addr
vl_api_ip4_address_t end_addr
Definition: ikev2_types.api:38
format_unformat_error
u8 * format_unformat_error(u8 *s, va_list *va)
Definition: unformat.c:91
vec_foreach
#define vec_foreach(var, vec)
Vector iterator.
Definition: vec_bootstrap.h:212
ikev2_responder_t::sw_if_index
u32 sw_if_index
Definition: ikev2_priv.h:272
ikev2_cli_reference
void ikev2_cli_reference(void)
Definition: ikev2_cli.c:708
ikev2_set_log_level_command_fn
static clib_error_t * ikev2_set_log_level_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
Definition: ikev2_cli.c:713
ip4_address_t::as_u32
u32 as_u32
Definition: ip4_packet.h:57
ikev2_profile_add_del_command_fn
static clib_error_t * ikev2_profile_add_del_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
Definition: ikev2_cli.c:179
ikev2_profile_t::esp_ts
ikev2_transforms_set esp_ts
Definition: ikev2_priv.h:355
IPSEC_UDP_PORT_NONE
#define IPSEC_UDP_PORT_NONE
Definition: ipsec_sa.h:277
ikev2_initiate_command_fn
static clib_error_t * ikev2_initiate_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
Definition: ikev2_cli.c:645
unformat
uword unformat(unformat_input_t *i, const char *fmt,...)
Definition: unformat.c:978
format_ikev2_id_type
u8 * format_ikev2_id_type(u8 *s, va_list *args)
unformat_check_input
static uword unformat_check_input(unformat_input_t *i)
Definition: format.h:171