Line data Source code
1 : /*
2 : * Copyright (c) 2015 Cisco and/or its affiliates.
3 : * Licensed under the Apache License, Version 2.0 (the "License");
4 : * you may not use this file except in compliance with the License.
5 : * You may obtain a copy of the License at:
6 : *
7 : * http://www.apache.org/licenses/LICENSE-2.0
8 : *
9 : * Unless required by applicable law or agreed to in writing, software
10 : * distributed under the License is distributed on an "AS IS" BASIS,
11 : * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 : * See the License for the specific language governing permissions and
13 : * limitations under the License.
14 : */
15 : #include <vlib/vlib.h>
16 : #include <vnet/vnet.h>
17 : #include <vppinfra/error.h>
18 : #include <vnet/ipsec/ipsec_sa.h>
19 : #include <plugins/ikev2/ikev2.h>
20 : #include <plugins/ikev2/ikev2_priv.h>
21 :
22 : u8 *
23 0 : format_ikev2_id_type_and_data (u8 * s, va_list * args)
24 : {
25 0 : ikev2_id_t *id = va_arg (*args, ikev2_id_t *);
26 :
27 0 : if (id->type == 0 || vec_len (id->data) == 0)
28 0 : return format (s, "none");
29 :
30 0 : s = format (s, "id-type %U data ", format_ikev2_id_type, id->type);
31 :
32 0 : switch (id->type)
33 : {
34 0 : case IKEV2_ID_TYPE_ID_IPV4_ADDR:
35 0 : s = format (s, "%U", format_ip4_address, id->data);
36 0 : break;
37 0 : case IKEV2_ID_TYPE_ID_IPV6_ADDR:
38 0 : s = format (s, "%U", format_ip6_address, id->data);
39 0 : break;
40 0 : case IKEV2_ID_TYPE_ID_FQDN: /* fallthrough */
41 : case IKEV2_ID_TYPE_ID_RFC822_ADDR:
42 0 : s = format (s, "%v", id->data);
43 0 : break;
44 0 : default:
45 0 : s = format (s, "0x%U", format_hex_bytes, &id->data,
46 0 : (uword) (vec_len (id->data)));
47 0 : break;
48 : }
49 :
50 0 : return s;
51 : }
52 :
53 : static u8 *
54 0 : format_ikev2_traffic_selector (u8 * s, va_list * va)
55 : {
56 0 : ikev2_ts_t *ts = va_arg (*va, ikev2_ts_t *);
57 0 : u32 index = va_arg (*va, u32);
58 :
59 0 : s = format (s, "%u type %u protocol_id %u addr "
60 : "%U - %U port %u - %u\n",
61 0 : index, ts->ts_type, ts->protocol_id,
62 : format_ip_address, &ts->start_addr,
63 : format_ip_address, &ts->end_addr,
64 0 : clib_net_to_host_u16 (ts->start_port),
65 0 : clib_net_to_host_u16 (ts->end_port));
66 0 : return s;
67 : }
68 :
69 : static u8 *
70 0 : format_ikev2_child_sa (u8 * s, va_list * va)
71 : {
72 0 : ikev2_child_sa_t *child = va_arg (*va, ikev2_child_sa_t *);
73 0 : u32 index = va_arg (*va, u32);
74 : ikev2_ts_t *ts;
75 : ikev2_sa_transform_t *tr;
76 0 : u8 *c = 0;
77 :
78 0 : u32 indent = format_get_indent (s);
79 0 : indent += 1;
80 :
81 0 : s = format (s, "child sa %u:", index);
82 :
83 0 : tr = ikev2_sa_get_td_for_type (child->r_proposals,
84 : IKEV2_TRANSFORM_TYPE_ENCR);
85 0 : c = format (c, "%U ", format_ikev2_sa_transform, tr);
86 :
87 0 : tr = ikev2_sa_get_td_for_type (child->r_proposals,
88 : IKEV2_TRANSFORM_TYPE_INTEG);
89 0 : c = format (c, "%U ", format_ikev2_sa_transform, tr);
90 :
91 0 : tr = ikev2_sa_get_td_for_type (child->r_proposals,
92 : IKEV2_TRANSFORM_TYPE_ESN);
93 0 : c = format (c, "%U ", format_ikev2_sa_transform, tr);
94 :
95 0 : s = format (s, "%v\n", c);
96 0 : vec_free (c);
97 :
98 0 : s = format (s, "%Uspi(i) %lx spi(r) %lx\n", format_white_space, indent,
99 0 : child->i_proposals ? child->i_proposals[0].spi : 0,
100 0 : child->r_proposals ? child->r_proposals[0].spi : 0);
101 :
102 0 : s = format (s, "%USK_e i:%U\n%Ur:%U\n",
103 : format_white_space, indent,
104 0 : format_hex_bytes, child->sk_ei, vec_len (child->sk_ei),
105 : format_white_space, indent + 6,
106 0 : format_hex_bytes, child->sk_er, vec_len (child->sk_er));
107 0 : if (child->sk_ai)
108 : {
109 0 : s = format (s, "%USK_a i:%U\n%Ur:%U\n",
110 : format_white_space, indent,
111 0 : format_hex_bytes, child->sk_ai, vec_len (child->sk_ai),
112 : format_white_space, indent + 6,
113 0 : format_hex_bytes, child->sk_ar, vec_len (child->sk_ar));
114 : }
115 0 : s = format (s, "%Utraffic selectors (i):", format_white_space, indent);
116 0 : vec_foreach (ts, child->tsi)
117 0 : s = format (s, "%U", format_ikev2_traffic_selector, ts, ts - child->tsi);
118 0 : s = format (s, "%Utraffic selectors (r):", format_white_space, indent);
119 0 : vec_foreach (ts, child->tsr)
120 0 : s = format (s, "%U", format_ikev2_traffic_selector, ts, ts - child->tsr);
121 0 : return s;
122 : }
123 :
124 : static char *stateNames[] = {
125 : #define _(v, f, s) s,
126 : foreach_ikev2_state
127 : #undef _
128 : };
129 :
130 : static u8 *
131 0 : format_ikev2_sa (u8 * s, va_list * va)
132 : {
133 0 : ikev2_sa_t *sa = va_arg (*va, ikev2_sa_t *);
134 0 : int details = va_arg (*va, int);
135 : ikev2_sa_transform_t *tr;
136 : ikev2_child_sa_t *child;
137 0 : u32 indent = 1;
138 :
139 0 : s = format (s, "iip %U ispi %lx rip %U rspi %lx",
140 : format_ip_address, &sa->iaddr, sa->ispi,
141 : format_ip_address, &sa->raddr, sa->rspi);
142 0 : if (!details)
143 0 : return s;
144 :
145 0 : s = format (s, "\n%U", format_white_space, indent);
146 :
147 0 : tr = ikev2_sa_get_td_for_type (sa->r_proposals, IKEV2_TRANSFORM_TYPE_ENCR);
148 0 : s = format (s, "%U ", format_ikev2_sa_transform, tr);
149 :
150 0 : tr = ikev2_sa_get_td_for_type (sa->r_proposals, IKEV2_TRANSFORM_TYPE_PRF);
151 0 : s = format (s, "%U ", format_ikev2_sa_transform, tr);
152 :
153 0 : tr = ikev2_sa_get_td_for_type (sa->r_proposals, IKEV2_TRANSFORM_TYPE_INTEG);
154 0 : s = format (s, "%U ", format_ikev2_sa_transform, tr);
155 :
156 0 : tr = ikev2_sa_get_td_for_type (sa->r_proposals, IKEV2_TRANSFORM_TYPE_DH);
157 0 : s = format (s, "%U", format_ikev2_sa_transform, tr);
158 :
159 0 : if (sa->state <= IKEV2_STATE_NO_PROPOSAL_CHOSEN)
160 : {
161 0 : s = format (s, "\n state: %s", stateNames[sa->state]);
162 : }
163 :
164 0 : s = format (s, "\n%U", format_white_space, indent);
165 :
166 0 : s = format (s, "nonce i:%U\n%Ur:%U\n",
167 0 : format_hex_bytes, sa->i_nonce, vec_len (sa->i_nonce),
168 : format_white_space, indent + 6,
169 0 : format_hex_bytes, sa->r_nonce, vec_len (sa->r_nonce));
170 :
171 0 : s = format (s, "%USK_d %U\n", format_white_space, indent,
172 0 : format_hex_bytes, sa->sk_d, vec_len (sa->sk_d));
173 0 : if (sa->sk_ai)
174 : {
175 0 : s = format (s, "%USK_a i:%U\n%Ur:%U\n",
176 : format_white_space, indent,
177 0 : format_hex_bytes, sa->sk_ai, vec_len (sa->sk_ai),
178 : format_white_space, indent + 6,
179 0 : format_hex_bytes, sa->sk_ar, vec_len (sa->sk_ar));
180 : }
181 0 : s = format (s, "%USK_e i:%U\n%Ur:%U\n",
182 : format_white_space, indent,
183 0 : format_hex_bytes, sa->sk_ei, vec_len (sa->sk_ei),
184 : format_white_space, indent + 6,
185 0 : format_hex_bytes, sa->sk_er, vec_len (sa->sk_er));
186 0 : s = format (s, "%USK_p i:%U\n%Ur:%U\n",
187 : format_white_space, indent,
188 0 : format_hex_bytes, sa->sk_pi, vec_len (sa->sk_pi),
189 : format_white_space, indent + 6,
190 0 : format_hex_bytes, sa->sk_pr, vec_len (sa->sk_pr));
191 :
192 0 : s = format (s, "%Uidentifier (i) %U\n",
193 : format_white_space, indent,
194 : format_ikev2_id_type_and_data, &sa->i_id);
195 0 : s = format (s, "%Uidentifier (r) %U\n",
196 : format_white_space, indent,
197 : format_ikev2_id_type_and_data, &sa->r_id);
198 :
199 0 : vec_foreach (child, sa->childs)
200 : {
201 0 : s = format (s, "%U%U", format_white_space, indent + 2,
202 0 : format_ikev2_child_sa, child, child - sa->childs);
203 : }
204 :
205 0 : s = format (s, "Stats:\n");
206 0 : s = format (s, " keepalives :%u\n", sa->stats.n_keepalives);
207 0 : s = format (s, " rekey :%u\n", sa->stats.n_rekey_req);
208 0 : s = format (s, " SA init :%u (retransmit: %u)\n", sa->stats.n_sa_init_req,
209 0 : sa->stats.n_init_retransmit);
210 0 : s = format (s, " retransmit: %u\n", sa->stats.n_retransmit);
211 0 : s = format (s, " SA auth :%u\n", sa->stats.n_sa_auth_req);
212 :
213 0 : return s;
214 : }
215 :
216 : static clib_error_t *
217 0 : show_ikev2_sa_command_fn (vlib_main_t * vm,
218 : unformat_input_t * input, vlib_cli_command_t * cmd)
219 : {
220 0 : unformat_input_t _line_input, *line_input = &_line_input;
221 0 : ikev2_main_t *km = &ikev2_main;
222 : ikev2_main_per_thread_data_t *tkm;
223 : ikev2_sa_t *sa;
224 : u64 rspi;
225 0 : u8 *s = 0;
226 0 : int details = 0, show_one = 0;
227 :
228 0 : if (unformat_user (input, unformat_line_input, line_input))
229 : {
230 0 : while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
231 : {
232 0 : if (unformat (line_input, "rspi %lx", &rspi))
233 : {
234 0 : show_one = 1;
235 : }
236 0 : else if (unformat (line_input, "details"))
237 0 : details = 1;
238 : else
239 0 : break;
240 : }
241 0 : unformat_free (line_input);
242 : }
243 :
244 0 : vec_foreach (tkm, km->per_thread_data)
245 : {
246 : /* *INDENT-OFF* */
247 0 : pool_foreach (sa, tkm->sas) {
248 0 : if (show_one)
249 : {
250 0 : if (sa->rspi == rspi)
251 : {
252 0 : s = format (s, "%U\n", format_ikev2_sa, sa, 1);
253 0 : break;
254 : }
255 : }
256 : else
257 0 : s = format (s, "%U\n", format_ikev2_sa, sa, details);
258 : }
259 : /* *INDENT-ON* */
260 : }
261 :
262 0 : vlib_cli_output (vm, "%v", s);
263 0 : vec_free (s);
264 0 : return 0;
265 : }
266 :
267 : /* *INDENT-OFF* */
268 202345 : VLIB_CLI_COMMAND (show_ikev2_sa_command, static) = {
269 : .path = "show ikev2 sa",
270 : .short_help = "show ikev2 sa [rspi <rspi>] [details]",
271 : .function = show_ikev2_sa_command_fn,
272 : };
273 : /* *INDENT-ON* */
274 :
275 : static clib_error_t *
276 18 : ikev2_disable_dpd_command_fn (vlib_main_t * vm,
277 : unformat_input_t * input,
278 : vlib_cli_command_t * cmd)
279 : {
280 18 : ikev2_disable_dpd ();
281 18 : return 0;
282 : }
283 :
284 : /* *INDENT-OFF* */
285 202345 : VLIB_CLI_COMMAND (ikev2_cli_disable_dpd_command, static) = {
286 : .path = "ikev2 dpd disable",
287 : .short_help = "ikev2 dpd disable",
288 : .function = ikev2_disable_dpd_command_fn,
289 : };
290 : /* *INDENT-ON* */
291 :
292 : static uword
293 0 : unformat_ikev2_token (unformat_input_t * input, va_list * va)
294 : {
295 0 : u8 **string_return = va_arg (*va, u8 **);
296 0 : const char *token_chars = "a-zA-Z0-9_";
297 0 : if (*string_return)
298 : {
299 : /* if string_return was already allocated (eg. because of a previous
300 : * partial match with a successful unformat_token()), we must free it
301 : * before reusing the pointer, otherwise we'll be leaking memory
302 : */
303 0 : vec_free (*string_return);
304 0 : *string_return = 0;
305 : }
306 0 : return unformat_user (input, unformat_token, token_chars, string_return);
307 : }
308 :
309 : static clib_error_t *
310 0 : ikev2_profile_add_del_command_fn (vlib_main_t * vm,
311 : unformat_input_t * input,
312 : vlib_cli_command_t * cmd)
313 : {
314 0 : vnet_main_t *vnm = vnet_get_main ();
315 0 : unformat_input_t _line_input, *line_input = &_line_input;
316 0 : u8 *name = 0;
317 0 : clib_error_t *r = 0;
318 : u32 id_type;
319 0 : u8 *data = 0;
320 : u32 tmp1, tmp2, tmp3;
321 : u64 tmp4, tmp5;
322 : ip_address_t ip, end_addr;
323 0 : u32 responder_sw_if_index = (u32) ~ 0;
324 0 : u32 tun_sw_if_index = (u32) ~ 0;
325 : ikev2_transform_encr_type_t crypto_alg;
326 : ikev2_transform_integ_type_t integ_alg;
327 : ikev2_transform_dh_type_t dh_type;
328 :
329 0 : if (!unformat_user (input, unformat_line_input, line_input))
330 0 : return 0;
331 :
332 0 : while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
333 : {
334 0 : if (unformat (line_input, "add %U", unformat_ikev2_token, &name))
335 : {
336 0 : r = ikev2_add_del_profile (vm, name, 1);
337 0 : goto done;
338 : }
339 0 : else if (unformat (line_input, "del %U", unformat_ikev2_token, &name))
340 : {
341 0 : r = ikev2_add_del_profile (vm, name, 0);
342 0 : goto done;
343 : }
344 0 : else if (unformat (line_input, "set %U auth shared-key-mic string %v",
345 : unformat_ikev2_token, &name, &data))
346 : {
347 : r =
348 0 : ikev2_set_profile_auth (vm, name,
349 : IKEV2_AUTH_METHOD_SHARED_KEY_MIC, data,
350 : 0);
351 0 : goto done;
352 : }
353 0 : else if (unformat (line_input, "set %U auth shared-key-mic hex %U",
354 : unformat_ikev2_token, &name,
355 : unformat_hex_string, &data))
356 : {
357 : r =
358 0 : ikev2_set_profile_auth (vm, name,
359 : IKEV2_AUTH_METHOD_SHARED_KEY_MIC, data,
360 : 1);
361 0 : goto done;
362 : }
363 0 : else if (unformat (line_input, "set %U auth rsa-sig cert-file %v",
364 : unformat_ikev2_token, &name, &data))
365 : {
366 : r =
367 0 : ikev2_set_profile_auth (vm, name, IKEV2_AUTH_METHOD_RSA_SIG, data,
368 : 0);
369 0 : goto done;
370 : }
371 0 : else if (unformat (line_input, "set %U id local %U %U",
372 : unformat_ikev2_token, &name,
373 : unformat_ikev2_id_type, &id_type,
374 : unformat_ip_address, &ip))
375 : {
376 0 : data = vec_new (u8, ip_address_size (&ip));
377 0 : clib_memcpy (data, ip_addr_bytes (&ip), ip_address_size (&ip));
378 : r =
379 0 : ikev2_set_profile_id (vm, name, (u8) id_type, data, /*local */ 1);
380 0 : goto done;
381 : }
382 0 : else if (unformat (line_input, "set %U id local %U 0x%U",
383 : unformat_ikev2_token, &name,
384 : unformat_ikev2_id_type, &id_type,
385 : unformat_hex_string, &data))
386 : {
387 : r =
388 0 : ikev2_set_profile_id (vm, name, (u8) id_type, data, /*local */ 1);
389 0 : goto done;
390 : }
391 0 : else if (unformat (line_input, "set %U id local %U %v",
392 : unformat_ikev2_token, &name,
393 : unformat_ikev2_id_type, &id_type, &data))
394 : {
395 : r =
396 0 : ikev2_set_profile_id (vm, name, (u8) id_type, data, /*local */ 1);
397 0 : goto done;
398 : }
399 0 : else if (unformat (line_input, "set %U id remote %U %U",
400 : unformat_ikev2_token, &name,
401 : unformat_ikev2_id_type, &id_type,
402 : unformat_ip_address, &ip))
403 : {
404 0 : data = vec_new (u8, ip_address_size (&ip));
405 0 : clib_memcpy (data, ip_addr_bytes (&ip), ip_address_size (&ip));
406 0 : r = ikev2_set_profile_id (vm, name, (u8) id_type, data, /*remote */
407 : 0);
408 0 : goto done;
409 : }
410 0 : else if (unformat (line_input, "set %U id remote %U 0x%U",
411 : unformat_ikev2_token, &name,
412 : unformat_ikev2_id_type, &id_type,
413 : unformat_hex_string, &data))
414 : {
415 0 : r = ikev2_set_profile_id (vm, name, (u8) id_type, data, /*remote */
416 : 0);
417 0 : goto done;
418 : }
419 0 : else if (unformat (line_input, "set %U id remote %U %v",
420 : unformat_ikev2_token, &name,
421 : unformat_ikev2_id_type, &id_type, &data))
422 : {
423 0 : r = ikev2_set_profile_id (vm, name, (u8) id_type, data, /*remote */
424 : 0);
425 0 : goto done;
426 : }
427 0 : else if (unformat (line_input, "set %U traffic-selector local "
428 : "ip-range %U - %U port-range %u - %u protocol %u",
429 : unformat_ikev2_token, &name,
430 : unformat_ip_address, &ip,
431 : unformat_ip_address, &end_addr, &tmp1, &tmp2, &tmp3))
432 : {
433 : r =
434 0 : ikev2_set_profile_ts (vm, name, (u8) tmp3, (u16) tmp1, (u16) tmp2,
435 : ip, end_addr, /*local */ 1);
436 0 : goto done;
437 : }
438 0 : else if (unformat (line_input, "set %U traffic-selector remote "
439 : "ip-range %U - %U port-range %u - %u protocol %u",
440 : unformat_ikev2_token, &name,
441 : unformat_ip_address, &ip,
442 : unformat_ip_address, &end_addr, &tmp1, &tmp2, &tmp3))
443 : {
444 : r =
445 0 : ikev2_set_profile_ts (vm, name, (u8) tmp3, (u16) tmp1, (u16) tmp2,
446 : ip, end_addr, /*remote */ 0);
447 0 : goto done;
448 : }
449 0 : else if (unformat (line_input, "set %U responder %U %U",
450 : unformat_ikev2_token, &name,
451 : unformat_vnet_sw_interface, vnm,
452 : &responder_sw_if_index, unformat_ip_address, &ip))
453 : {
454 : r =
455 0 : ikev2_set_profile_responder (vm, name, responder_sw_if_index, ip);
456 0 : goto done;
457 : }
458 0 : else if (unformat (line_input, "set %U responder %U %v",
459 : unformat_ikev2_token, &name,
460 : unformat_vnet_sw_interface, vnm,
461 : &responder_sw_if_index, &data))
462 : {
463 0 : r = ikev2_set_profile_responder_hostname (vm, name, data,
464 : responder_sw_if_index);
465 0 : goto done;
466 : }
467 0 : else if (unformat (line_input, "set %U tunnel %U",
468 : unformat_ikev2_token, &name,
469 : unformat_vnet_sw_interface, vnm, &tun_sw_if_index))
470 : {
471 0 : r = ikev2_set_profile_tunnel_interface (vm, name, tun_sw_if_index);
472 0 : goto done;
473 : }
474 : else
475 0 : if (unformat
476 : (line_input,
477 : "set %U ike-crypto-alg %U %u ike-integ-alg %U ike-dh %U",
478 : unformat_ikev2_token, &name,
479 : unformat_ikev2_transform_encr_type, &crypto_alg, &tmp1,
480 : unformat_ikev2_transform_integ_type, &integ_alg,
481 : unformat_ikev2_transform_dh_type, &dh_type))
482 : {
483 : r =
484 0 : ikev2_set_profile_ike_transforms (vm, name, crypto_alg, integ_alg,
485 : dh_type, tmp1);
486 0 : goto done;
487 : }
488 : else
489 0 : if (unformat
490 : (line_input,
491 : "set %U ike-crypto-alg %U %u ike-dh %U",
492 : unformat_ikev2_token, &name,
493 : unformat_ikev2_transform_encr_type, &crypto_alg, &tmp1,
494 : unformat_ikev2_transform_dh_type, &dh_type))
495 : {
496 : r =
497 0 : ikev2_set_profile_ike_transforms (vm, name, crypto_alg,
498 : IKEV2_TRANSFORM_INTEG_TYPE_NONE,
499 : dh_type, tmp1);
500 0 : goto done;
501 : }
502 : else
503 0 : if (unformat
504 : (line_input,
505 : "set %U esp-crypto-alg %U %u esp-integ-alg %U",
506 : unformat_ikev2_token, &name,
507 : unformat_ikev2_transform_encr_type, &crypto_alg, &tmp1,
508 : unformat_ikev2_transform_integ_type, &integ_alg))
509 : {
510 : r =
511 0 : ikev2_set_profile_esp_transforms (vm, name, crypto_alg, integ_alg,
512 : tmp1);
513 0 : goto done;
514 : }
515 0 : else if (unformat
516 : (line_input,
517 : "set %U esp-crypto-alg %U %u",
518 : unformat_ikev2_token, &name,
519 : unformat_ikev2_transform_encr_type, &crypto_alg, &tmp1))
520 : {
521 : r =
522 0 : ikev2_set_profile_esp_transforms (vm, name, crypto_alg, 0, tmp1);
523 0 : goto done;
524 : }
525 0 : else if (unformat (line_input, "set %U sa-lifetime %lu %u %u %lu",
526 : unformat_ikev2_token, &name,
527 : &tmp4, &tmp1, &tmp2, &tmp5))
528 : {
529 : r =
530 0 : ikev2_set_profile_sa_lifetime (vm, name, tmp4, tmp1, tmp2, tmp5);
531 0 : goto done;
532 : }
533 0 : else if (unformat (line_input, "set %U udp-encap",
534 : unformat_ikev2_token, &name))
535 : {
536 0 : r = ikev2_set_profile_udp_encap (vm, name);
537 0 : goto done;
538 : }
539 0 : else if (unformat (line_input, "set %U ipsec-over-udp port %u",
540 : unformat_ikev2_token, &name, &tmp1))
541 : {
542 0 : int rv = ikev2_set_profile_ipsec_udp_port (vm, name, tmp1, 1);
543 0 : if (rv)
544 0 : r = clib_error_return (0, "Error: %U", format_vnet_api_errno, rv);
545 0 : goto done;
546 : }
547 0 : else if (unformat (line_input, "set %U disable natt",
548 : unformat_ikev2_token, &name))
549 : {
550 0 : r = ikev2_profile_natt_disable (name);
551 0 : goto done;
552 : }
553 : else
554 0 : break;
555 : }
556 :
557 0 : r = clib_error_return (0, "parse error: '%U'",
558 : format_unformat_error, line_input);
559 :
560 0 : done:
561 0 : vec_free (name);
562 0 : vec_free (data);
563 0 : unformat_free (line_input);
564 0 : return r;
565 : }
566 :
567 : /* *INDENT-OFF* */
568 202345 : VLIB_CLI_COMMAND (ikev2_profile_add_del_command, static) = {
569 : .path = "ikev2 profile",
570 : .short_help =
571 : "ikev2 profile [add|del] <id>\n"
572 : "ikev2 profile set <id> auth [rsa-sig|shared-key-mic] [cert-file|string|hex]"
573 : " <data>\n"
574 : "ikev2 profile set <id> id <local|remote> <type> <data>\n"
575 : "ikev2 profile set <id> tunnel <interface>\n"
576 : "ikev2 profile set <id> udp-encap\n"
577 : "ikev2 profile set <id> traffic-selector <local|remote> ip-range "
578 : "<start-addr> - <end-addr> port-range <start-port> - <end-port> "
579 : "protocol <protocol-number>\n"
580 : "ikev2 profile set <id> responder <interface> <addr>\n"
581 : "ikev2 profile set <id> ike-crypto-alg <crypto alg> <key size> ike-integ-alg <integ alg> ike-dh <dh type>\n"
582 : "ikev2 profile set <id> esp-crypto-alg <crypto alg> <key size> "
583 : "[esp-integ-alg <integ alg>]\n"
584 : "ikev2 profile set <id> sa-lifetime <seconds> <jitter> <handover> <max bytes>"
585 : "ikev2 profile set <id> disable natt\n",
586 : .function = ikev2_profile_add_del_command_fn,
587 : };
588 : /* *INDENT-ON* */
589 :
590 : static clib_error_t *
591 0 : show_ikev2_profile_command_fn (vlib_main_t * vm,
592 : unformat_input_t * input,
593 : vlib_cli_command_t * cmd)
594 : {
595 0 : ikev2_main_t *km = &ikev2_main;
596 : ikev2_profile_t *p;
597 :
598 : /* *INDENT-OFF* */
599 0 : pool_foreach (p, km->profiles) {
600 0 : vlib_cli_output(vm, "profile %v", p->name);
601 :
602 0 : if (p->auth.data)
603 : {
604 0 : if (p->auth.hex)
605 0 : vlib_cli_output(vm, " auth-method %U auth data 0x%U",
606 0 : format_ikev2_auth_method, p->auth.method,
607 0 : format_hex_bytes, p->auth.data, vec_len(p->auth.data));
608 : else
609 0 : vlib_cli_output(vm, " auth-method %U auth data %v",
610 0 : format_ikev2_auth_method, p->auth.method, p->auth.data);
611 : }
612 :
613 0 : if (p->loc_id.data)
614 0 : vlib_cli_output(vm, " local %U", format_ikev2_id_type_and_data, &p->loc_id);
615 :
616 0 : if (p->rem_id.data)
617 0 : vlib_cli_output(vm, " remote %U", format_ikev2_id_type_and_data, &p->rem_id);
618 :
619 0 : if (!ip_address_is_zero (&p->loc_ts.start_addr))
620 0 : vlib_cli_output(vm, " local traffic-selector addr %U - %U port %u - %u"
621 : " protocol %u",
622 : format_ip_address, &p->loc_ts.start_addr,
623 : format_ip_address, &p->loc_ts.end_addr,
624 0 : p->loc_ts.start_port, p->loc_ts.end_port,
625 0 : p->loc_ts.protocol_id);
626 :
627 0 : if (!ip_address_is_zero (&p->rem_ts.start_addr))
628 0 : vlib_cli_output(vm, " remote traffic-selector addr %U - %U port %u - %u"
629 : " protocol %u",
630 : format_ip_address, &p->rem_ts.start_addr,
631 : format_ip_address, &p->rem_ts.end_addr,
632 0 : p->rem_ts.start_port, p->rem_ts.end_port,
633 0 : p->rem_ts.protocol_id);
634 0 : if (~0 != p->tun_itf)
635 0 : vlib_cli_output(vm, " protected tunnel %U",
636 : format_vnet_sw_if_index_name, vnet_get_main(), p->tun_itf);
637 0 : if (~0 != p->responder.sw_if_index)
638 0 : vlib_cli_output (vm, " responder %U %U %v",
639 : format_vnet_sw_if_index_name, vnet_get_main (),
640 : p->responder.sw_if_index, format_ip_address,
641 : &p->responder.addr, p->responder.hostname);
642 0 : if (p->udp_encap)
643 0 : vlib_cli_output(vm, " udp-encap");
644 :
645 0 : if (p->natt_disabled)
646 0 : vlib_cli_output(vm, " NAT-T disabled");
647 :
648 0 : if (p->ipsec_over_udp_port != IPSEC_UDP_PORT_NONE)
649 0 : vlib_cli_output(vm, " ipsec-over-udp port %d", p->ipsec_over_udp_port);
650 :
651 0 : if (p->ike_ts.crypto_alg || p->ike_ts.integ_alg || p->ike_ts.dh_type || p->ike_ts.crypto_key_size)
652 0 : vlib_cli_output(vm, " ike-crypto-alg %U %u ike-integ-alg %U ike-dh %U",
653 0 : format_ikev2_transform_encr_type, p->ike_ts.crypto_alg, p->ike_ts.crypto_key_size,
654 0 : format_ikev2_transform_integ_type, p->ike_ts.integ_alg,
655 0 : format_ikev2_transform_dh_type, p->ike_ts.dh_type);
656 :
657 0 : if (p->esp_ts.crypto_alg || p->esp_ts.integ_alg || p->esp_ts.dh_type)
658 0 : vlib_cli_output(vm, " esp-crypto-alg %U %u esp-integ-alg %U",
659 0 : format_ikev2_transform_encr_type, p->esp_ts.crypto_alg, p->esp_ts.crypto_key_size,
660 0 : format_ikev2_transform_integ_type, p->esp_ts.integ_alg);
661 :
662 0 : vlib_cli_output(vm, " lifetime %d jitter %d handover %d maxdata %d",
663 : p->lifetime, p->lifetime_jitter, p->handover, p->lifetime_maxdata);
664 : }
665 : /* *INDENT-ON* */
666 :
667 0 : return 0;
668 : }
669 :
670 : /* *INDENT-OFF* */
671 202345 : VLIB_CLI_COMMAND (show_ikev2_profile_command, static) = {
672 : .path = "show ikev2 profile",
673 : .short_help = "show ikev2 profile",
674 : .function = show_ikev2_profile_command_fn,
675 : };
676 : /* *INDENT-ON* */
677 :
678 : static clib_error_t *
679 0 : set_ikev2_liveness_period_fn (vlib_main_t * vm,
680 : unformat_input_t * input,
681 : vlib_cli_command_t * cmd)
682 : {
683 0 : unformat_input_t _line_input, *line_input = &_line_input;
684 0 : clib_error_t *r = 0;
685 0 : u32 period = 0, max_retries = 0;
686 :
687 0 : if (!unformat_user (input, unformat_line_input, line_input))
688 0 : return 0;
689 :
690 0 : while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
691 : {
692 0 : if (unformat (line_input, "%d %d", &period, &max_retries))
693 : {
694 0 : r = ikev2_set_liveness_params (period, max_retries);
695 0 : goto done;
696 : }
697 : else
698 0 : break;
699 : }
700 :
701 0 : r = clib_error_return (0, "parse error: '%U'",
702 : format_unformat_error, line_input);
703 :
704 0 : done:
705 0 : unformat_free (line_input);
706 0 : return r;
707 : }
708 :
709 : /* *INDENT-OFF* */
710 202345 : VLIB_CLI_COMMAND (set_ikev2_liveness_command, static) = {
711 : .path = "ikev2 set liveness",
712 : .short_help = "ikev2 set liveness <period> <max-retires>",
713 : .function = set_ikev2_liveness_period_fn,
714 : };
715 : /* *INDENT-ON* */
716 :
717 : static clib_error_t *
718 0 : set_ikev2_local_key_command_fn (vlib_main_t * vm,
719 : unformat_input_t * input,
720 : vlib_cli_command_t * cmd)
721 : {
722 0 : unformat_input_t _line_input, *line_input = &_line_input;
723 0 : clib_error_t *r = 0;
724 0 : u8 *data = 0;
725 :
726 0 : if (!unformat_user (input, unformat_line_input, line_input))
727 0 : return 0;
728 :
729 0 : while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
730 : {
731 0 : if (unformat (line_input, "%s", &data))
732 : {
733 0 : r = ikev2_set_local_key (vm, data);
734 0 : goto done;
735 : }
736 : else
737 0 : break;
738 : }
739 :
740 0 : r = clib_error_return (0, "parse error: '%U'",
741 : format_unformat_error, line_input);
742 :
743 0 : done:
744 0 : vec_free (data);
745 0 : unformat_free (line_input);
746 0 : return r;
747 : }
748 :
749 : /* *INDENT-OFF* */
750 202345 : VLIB_CLI_COMMAND (set_ikev2_local_key_command, static) = {
751 : .path = "set ikev2 local key",
752 : .short_help =
753 : "set ikev2 local key <file>",
754 : .function = set_ikev2_local_key_command_fn,
755 : };
756 : /* *INDENT-ON* */
757 :
758 :
759 : static clib_error_t *
760 0 : ikev2_initiate_command_fn (vlib_main_t * vm,
761 : unformat_input_t * input, vlib_cli_command_t * cmd)
762 : {
763 0 : unformat_input_t _line_input, *line_input = &_line_input;
764 0 : clib_error_t *r = 0;
765 0 : u8 *name = 0;
766 : u32 tmp1;
767 : u64 tmp2;
768 :
769 0 : if (!unformat_user (input, unformat_line_input, line_input))
770 0 : return 0;
771 :
772 0 : while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
773 : {
774 0 : if (unformat (line_input, "sa-init %U", unformat_ikev2_token, &name))
775 : {
776 0 : r = ikev2_initiate_sa_init (vm, name);
777 0 : goto done;
778 : }
779 0 : else if (unformat (line_input, "del-child-sa %x", &tmp1))
780 : {
781 0 : r = ikev2_initiate_delete_child_sa (vm, tmp1);
782 0 : goto done;
783 : }
784 0 : else if (unformat (line_input, "del-sa %lx", &tmp2))
785 : {
786 0 : r = ikev2_initiate_delete_ike_sa (vm, tmp2);
787 0 : goto done;
788 : }
789 0 : else if (unformat (line_input, "rekey-child-sa %x", &tmp1))
790 : {
791 0 : r = ikev2_initiate_rekey_child_sa (vm, tmp1);
792 0 : goto done;
793 : }
794 : else
795 0 : break;
796 : }
797 :
798 0 : r = clib_error_return (0, "parse error: '%U'",
799 : format_unformat_error, line_input);
800 :
801 0 : done:
802 0 : vec_free (name);
803 0 : unformat_free (line_input);
804 0 : return r;
805 : }
806 :
807 : /* *INDENT-OFF* */
808 202345 : VLIB_CLI_COMMAND (ikev2_initiate_command, static) = {
809 : .path = "ikev2 initiate",
810 : .short_help =
811 : "ikev2 initiate sa-init <profile id>\n"
812 : "ikev2 initiate del-child-sa <child sa ispi>\n"
813 : "ikev2 initiate del-sa <sa ispi>\n"
814 : "ikev2 initiate rekey-child-sa <child sa ispi>\n",
815 : .function = ikev2_initiate_command_fn,
816 : };
817 : /* *INDENT-ON* */
818 :
819 : static clib_error_t *
820 20 : ikev2_set_log_level_command_fn (vlib_main_t * vm,
821 : unformat_input_t * input,
822 : vlib_cli_command_t * cmd)
823 : {
824 20 : unformat_input_t _line_input, *line_input = &_line_input;
825 20 : u32 log_level = IKEV2_LOG_NONE;
826 20 : clib_error_t *error = 0;
827 :
828 : /* Get a line of input. */
829 20 : if (!unformat_user (input, unformat_line_input, line_input))
830 0 : return 0;
831 :
832 20 : if (!unformat (line_input, "%d", &log_level))
833 : {
834 0 : error = clib_error_return (0, "unknown input '%U'",
835 : format_unformat_error, line_input);
836 0 : goto done;
837 : }
838 20 : int rc = ikev2_set_log_level (log_level);
839 20 : if (rc < 0)
840 0 : error = clib_error_return (0, "setting log level failed!");
841 :
842 20 : done:
843 20 : unformat_free (line_input);
844 20 : return error;
845 : }
846 :
847 : /* *INDENT-OFF* */
848 202345 : VLIB_CLI_COMMAND (ikev2_set_log_level_command, static) = {
849 : .path = "ikev2 set logging level",
850 : .function = ikev2_set_log_level_command_fn,
851 : .short_help = "ikev2 set logging level <0-5>",
852 : };
853 : /* *INDENT-ON* */
854 :
855 : /*
856 : * fd.io coding-style-patch-verification: ON
857 : *
858 : * Local Variables:
859 : * eval: (c-set-style "gnu")
860 : * End:
861 : */
|
