Line data Source code
1 : /*
2 : * Copyright (c) 2015 Cisco and/or its affiliates.
3 : * Licensed under the Apache License, Version 2.0 (the "License");
4 : * you may not use this file except in compliance with the License.
5 : * You may obtain a copy of the License at:
6 : *
7 : * http://www.apache.org/licenses/LICENSE-2.0
8 : *
9 : * Unless required by applicable law or agreed to in writing, software
10 : * distributed under the License is distributed on an "AS IS" BASIS,
11 : * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 : * See the License for the specific language governing permissions and
13 : * limitations under the License.
14 : */
15 : #include <vlib/vlib.h>
16 : #include <vnet/vnet.h>
17 : #include <vppinfra/error.h>
18 : #include <vnet/ipsec/ipsec_sa.h>
19 : #include <plugins/ikev2/ikev2.h>
20 : #include <plugins/ikev2/ikev2_priv.h>
21 :
22 : u8 *
23 0 : format_ikev2_id_type_and_data (u8 * s, va_list * args)
24 : {
25 0 : ikev2_id_t *id = va_arg (*args, ikev2_id_t *);
26 :
27 0 : if (id->type == 0 || vec_len (id->data) == 0)
28 0 : return format (s, "none");
29 :
30 0 : s = format (s, "id-type %U data ", format_ikev2_id_type, id->type);
31 :
32 0 : switch (id->type)
33 : {
34 0 : case IKEV2_ID_TYPE_ID_IPV4_ADDR:
35 0 : s = format (s, "%U", format_ip4_address, id->data);
36 0 : break;
37 0 : case IKEV2_ID_TYPE_ID_IPV6_ADDR:
38 0 : s = format (s, "%U", format_ip6_address, id->data);
39 0 : break;
40 0 : case IKEV2_ID_TYPE_ID_FQDN: /* fallthrough */
41 : case IKEV2_ID_TYPE_ID_RFC822_ADDR:
42 0 : s = format (s, "%v", id->data);
43 0 : break;
44 0 : default:
45 0 : s = format (s, "0x%U", format_hex_bytes, &id->data,
46 0 : (uword) (vec_len (id->data)));
47 0 : break;
48 : }
49 :
50 0 : return s;
51 : }
52 :
53 : static u8 *
54 0 : format_ikev2_traffic_selector (u8 * s, va_list * va)
55 : {
56 0 : ikev2_ts_t *ts = va_arg (*va, ikev2_ts_t *);
57 0 : u32 index = va_arg (*va, u32);
58 :
59 0 : s = format (s, "%u type %u protocol_id %u addr "
60 : "%U - %U port %u - %u\n",
61 0 : index, ts->ts_type, ts->protocol_id,
62 : format_ip_address, &ts->start_addr,
63 : format_ip_address, &ts->end_addr,
64 0 : clib_net_to_host_u16 (ts->start_port),
65 0 : clib_net_to_host_u16 (ts->end_port));
66 0 : return s;
67 : }
68 :
69 : static u8 *
70 0 : format_ikev2_child_sa (u8 * s, va_list * va)
71 : {
72 0 : ikev2_child_sa_t *child = va_arg (*va, ikev2_child_sa_t *);
73 0 : u32 index = va_arg (*va, u32);
74 : ikev2_ts_t *ts;
75 : ikev2_sa_transform_t *tr;
76 0 : u8 *c = 0;
77 :
78 0 : u32 indent = format_get_indent (s);
79 0 : indent += 1;
80 :
81 0 : s = format (s, "child sa %u:", index);
82 :
83 0 : tr = ikev2_sa_get_td_for_type (child->r_proposals,
84 : IKEV2_TRANSFORM_TYPE_ENCR);
85 0 : c = format (c, "%U ", format_ikev2_sa_transform, tr);
86 :
87 0 : tr = ikev2_sa_get_td_for_type (child->r_proposals,
88 : IKEV2_TRANSFORM_TYPE_INTEG);
89 0 : c = format (c, "%U ", format_ikev2_sa_transform, tr);
90 :
91 0 : tr = ikev2_sa_get_td_for_type (child->r_proposals,
92 : IKEV2_TRANSFORM_TYPE_ESN);
93 0 : c = format (c, "%U ", format_ikev2_sa_transform, tr);
94 :
95 0 : s = format (s, "%v\n", c);
96 0 : vec_free (c);
97 :
98 0 : s = format (s, "%Uspi(i) %lx spi(r) %lx\n", format_white_space, indent,
99 0 : child->i_proposals ? child->i_proposals[0].spi : 0,
100 0 : child->r_proposals ? child->r_proposals[0].spi : 0);
101 :
102 0 : s = format (s, "%USK_e i:%U\n%Ur:%U\n",
103 : format_white_space, indent,
104 0 : format_hex_bytes, child->sk_ei, vec_len (child->sk_ei),
105 : format_white_space, indent + 6,
106 0 : format_hex_bytes, child->sk_er, vec_len (child->sk_er));
107 0 : if (child->sk_ai)
108 : {
109 0 : s = format (s, "%USK_a i:%U\n%Ur:%U\n",
110 : format_white_space, indent,
111 0 : format_hex_bytes, child->sk_ai, vec_len (child->sk_ai),
112 : format_white_space, indent + 6,
113 0 : format_hex_bytes, child->sk_ar, vec_len (child->sk_ar));
114 : }
115 0 : s = format (s, "%Utraffic selectors (i):", format_white_space, indent);
116 0 : vec_foreach (ts, child->tsi)
117 0 : s = format (s, "%U", format_ikev2_traffic_selector, ts, ts - child->tsi);
118 0 : s = format (s, "%Utraffic selectors (r):", format_white_space, indent);
119 0 : vec_foreach (ts, child->tsr)
120 0 : s = format (s, "%U", format_ikev2_traffic_selector, ts, ts - child->tsr);
121 0 : return s;
122 : }
123 :
124 : static u8 *
125 0 : format_ikev2_sa (u8 * s, va_list * va)
126 : {
127 0 : ikev2_sa_t *sa = va_arg (*va, ikev2_sa_t *);
128 0 : int details = va_arg (*va, int);
129 : ikev2_sa_transform_t *tr;
130 : ikev2_child_sa_t *child;
131 0 : u32 indent = 1;
132 :
133 0 : s = format (s, "iip %U ispi %lx rip %U rspi %lx",
134 : format_ip_address, &sa->iaddr, sa->ispi,
135 : format_ip_address, &sa->raddr, sa->rspi);
136 0 : if (!details)
137 0 : return s;
138 :
139 0 : s = format (s, "\n%U", format_white_space, indent);
140 :
141 0 : tr = ikev2_sa_get_td_for_type (sa->r_proposals, IKEV2_TRANSFORM_TYPE_ENCR);
142 0 : s = format (s, "%U ", format_ikev2_sa_transform, tr);
143 :
144 0 : tr = ikev2_sa_get_td_for_type (sa->r_proposals, IKEV2_TRANSFORM_TYPE_PRF);
145 0 : s = format (s, "%U ", format_ikev2_sa_transform, tr);
146 :
147 0 : tr = ikev2_sa_get_td_for_type (sa->r_proposals, IKEV2_TRANSFORM_TYPE_INTEG);
148 0 : s = format (s, "%U ", format_ikev2_sa_transform, tr);
149 :
150 0 : tr = ikev2_sa_get_td_for_type (sa->r_proposals, IKEV2_TRANSFORM_TYPE_DH);
151 0 : s = format (s, "%U", format_ikev2_sa_transform, tr);
152 :
153 0 : s = format (s, "\n%U", format_white_space, indent);
154 :
155 0 : s = format (s, "nonce i:%U\n%Ur:%U\n",
156 0 : format_hex_bytes, sa->i_nonce, vec_len (sa->i_nonce),
157 : format_white_space, indent + 6,
158 0 : format_hex_bytes, sa->r_nonce, vec_len (sa->r_nonce));
159 :
160 0 : s = format (s, "%USK_d %U\n", format_white_space, indent,
161 0 : format_hex_bytes, sa->sk_d, vec_len (sa->sk_d));
162 0 : if (sa->sk_ai)
163 : {
164 0 : s = format (s, "%USK_a i:%U\n%Ur:%U\n",
165 : format_white_space, indent,
166 0 : format_hex_bytes, sa->sk_ai, vec_len (sa->sk_ai),
167 : format_white_space, indent + 6,
168 0 : format_hex_bytes, sa->sk_ar, vec_len (sa->sk_ar));
169 : }
170 0 : s = format (s, "%USK_e i:%U\n%Ur:%U\n",
171 : format_white_space, indent,
172 0 : format_hex_bytes, sa->sk_ei, vec_len (sa->sk_ei),
173 : format_white_space, indent + 6,
174 0 : format_hex_bytes, sa->sk_er, vec_len (sa->sk_er));
175 0 : s = format (s, "%USK_p i:%U\n%Ur:%U\n",
176 : format_white_space, indent,
177 0 : format_hex_bytes, sa->sk_pi, vec_len (sa->sk_pi),
178 : format_white_space, indent + 6,
179 0 : format_hex_bytes, sa->sk_pr, vec_len (sa->sk_pr));
180 :
181 0 : s = format (s, "%Uidentifier (i) %U\n",
182 : format_white_space, indent,
183 : format_ikev2_id_type_and_data, &sa->i_id);
184 0 : s = format (s, "%Uidentifier (r) %U\n",
185 : format_white_space, indent,
186 : format_ikev2_id_type_and_data, &sa->r_id);
187 :
188 0 : vec_foreach (child, sa->childs)
189 : {
190 0 : s = format (s, "%U%U", format_white_space, indent + 2,
191 0 : format_ikev2_child_sa, child, child - sa->childs);
192 : }
193 :
194 0 : s = format (s, "Stats:\n");
195 0 : s = format (s, " keepalives :%u\n", sa->stats.n_keepalives);
196 0 : s = format (s, " rekey :%u\n", sa->stats.n_rekey_req);
197 0 : s = format (s, " SA init :%u (retransmit: %u)\n", sa->stats.n_sa_init_req,
198 0 : sa->stats.n_init_retransmit);
199 0 : s = format (s, " retransmit: %u\n", sa->stats.n_retransmit);
200 0 : s = format (s, " SA auth :%u\n", sa->stats.n_sa_auth_req);
201 :
202 0 : return s;
203 : }
204 :
205 : static clib_error_t *
206 0 : show_ikev2_sa_command_fn (vlib_main_t * vm,
207 : unformat_input_t * input, vlib_cli_command_t * cmd)
208 : {
209 0 : unformat_input_t _line_input, *line_input = &_line_input;
210 0 : ikev2_main_t *km = &ikev2_main;
211 : ikev2_main_per_thread_data_t *tkm;
212 : ikev2_sa_t *sa;
213 : u64 rspi;
214 0 : u8 *s = 0;
215 0 : int details = 0, show_one = 0;
216 :
217 0 : if (unformat_user (input, unformat_line_input, line_input))
218 : {
219 0 : while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
220 : {
221 0 : if (unformat (line_input, "rspi %lx", &rspi))
222 : {
223 0 : show_one = 1;
224 : }
225 0 : else if (unformat (line_input, "details"))
226 0 : details = 1;
227 : else
228 0 : break;
229 : }
230 0 : unformat_free (line_input);
231 : }
232 :
233 0 : vec_foreach (tkm, km->per_thread_data)
234 : {
235 : /* *INDENT-OFF* */
236 0 : pool_foreach (sa, tkm->sas) {
237 0 : if (show_one)
238 : {
239 0 : if (sa->rspi == rspi)
240 : {
241 0 : s = format (s, "%U\n", format_ikev2_sa, sa, 1);
242 0 : break;
243 : }
244 : }
245 : else
246 0 : s = format (s, "%U\n", format_ikev2_sa, sa, details);
247 : }
248 : /* *INDENT-ON* */
249 : }
250 :
251 0 : vlib_cli_output (vm, "%v", s);
252 0 : vec_free (s);
253 0 : return 0;
254 : }
255 :
256 : /* *INDENT-OFF* */
257 192247 : VLIB_CLI_COMMAND (show_ikev2_sa_command, static) = {
258 : .path = "show ikev2 sa",
259 : .short_help = "show ikev2 sa [rspi <rspi>] [details]",
260 : .function = show_ikev2_sa_command_fn,
261 : };
262 : /* *INDENT-ON* */
263 :
264 : static clib_error_t *
265 18 : ikev2_disable_dpd_command_fn (vlib_main_t * vm,
266 : unformat_input_t * input,
267 : vlib_cli_command_t * cmd)
268 : {
269 18 : ikev2_disable_dpd ();
270 18 : return 0;
271 : }
272 :
273 : /* *INDENT-OFF* */
274 192247 : VLIB_CLI_COMMAND (ikev2_cli_disable_dpd_command, static) = {
275 : .path = "ikev2 dpd disable",
276 : .short_help = "ikev2 dpd disable",
277 : .function = ikev2_disable_dpd_command_fn,
278 : };
279 : /* *INDENT-ON* */
280 :
281 : static uword
282 0 : unformat_ikev2_token (unformat_input_t * input, va_list * va)
283 : {
284 0 : u8 **string_return = va_arg (*va, u8 **);
285 0 : const char *token_chars = "a-zA-Z0-9_";
286 0 : if (*string_return)
287 : {
288 : /* if string_return was already allocated (eg. because of a previous
289 : * partial match with a successful unformat_token()), we must free it
290 : * before reusing the pointer, otherwise we'll be leaking memory
291 : */
292 0 : vec_free (*string_return);
293 0 : *string_return = 0;
294 : }
295 0 : return unformat_user (input, unformat_token, token_chars, string_return);
296 : }
297 :
298 : static clib_error_t *
299 0 : ikev2_profile_add_del_command_fn (vlib_main_t * vm,
300 : unformat_input_t * input,
301 : vlib_cli_command_t * cmd)
302 : {
303 0 : vnet_main_t *vnm = vnet_get_main ();
304 0 : unformat_input_t _line_input, *line_input = &_line_input;
305 0 : u8 *name = 0;
306 0 : clib_error_t *r = 0;
307 : u32 id_type;
308 0 : u8 *data = 0;
309 : u32 tmp1, tmp2, tmp3;
310 : u64 tmp4, tmp5;
311 : ip_address_t ip, end_addr;
312 0 : u32 responder_sw_if_index = (u32) ~ 0;
313 0 : u32 tun_sw_if_index = (u32) ~ 0;
314 : ikev2_transform_encr_type_t crypto_alg;
315 : ikev2_transform_integ_type_t integ_alg;
316 : ikev2_transform_dh_type_t dh_type;
317 :
318 0 : if (!unformat_user (input, unformat_line_input, line_input))
319 0 : return 0;
320 :
321 0 : while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
322 : {
323 0 : if (unformat (line_input, "add %U", unformat_ikev2_token, &name))
324 : {
325 0 : r = ikev2_add_del_profile (vm, name, 1);
326 0 : goto done;
327 : }
328 0 : else if (unformat (line_input, "del %U", unformat_ikev2_token, &name))
329 : {
330 0 : r = ikev2_add_del_profile (vm, name, 0);
331 0 : goto done;
332 : }
333 0 : else if (unformat (line_input, "set %U auth shared-key-mic string %v",
334 : unformat_ikev2_token, &name, &data))
335 : {
336 : r =
337 0 : ikev2_set_profile_auth (vm, name,
338 : IKEV2_AUTH_METHOD_SHARED_KEY_MIC, data,
339 : 0);
340 0 : goto done;
341 : }
342 0 : else if (unformat (line_input, "set %U auth shared-key-mic hex %U",
343 : unformat_ikev2_token, &name,
344 : unformat_hex_string, &data))
345 : {
346 : r =
347 0 : ikev2_set_profile_auth (vm, name,
348 : IKEV2_AUTH_METHOD_SHARED_KEY_MIC, data,
349 : 1);
350 0 : goto done;
351 : }
352 0 : else if (unformat (line_input, "set %U auth rsa-sig cert-file %v",
353 : unformat_ikev2_token, &name, &data))
354 : {
355 : r =
356 0 : ikev2_set_profile_auth (vm, name, IKEV2_AUTH_METHOD_RSA_SIG, data,
357 : 0);
358 0 : goto done;
359 : }
360 0 : else if (unformat (line_input, "set %U id local %U %U",
361 : unformat_ikev2_token, &name,
362 : unformat_ikev2_id_type, &id_type,
363 : unformat_ip_address, &ip))
364 : {
365 0 : data = vec_new (u8, ip_address_size (&ip));
366 0 : clib_memcpy (data, ip_addr_bytes (&ip), ip_address_size (&ip));
367 : r =
368 0 : ikev2_set_profile_id (vm, name, (u8) id_type, data, /*local */ 1);
369 0 : goto done;
370 : }
371 0 : else if (unformat (line_input, "set %U id local %U 0x%U",
372 : unformat_ikev2_token, &name,
373 : unformat_ikev2_id_type, &id_type,
374 : unformat_hex_string, &data))
375 : {
376 : r =
377 0 : ikev2_set_profile_id (vm, name, (u8) id_type, data, /*local */ 1);
378 0 : goto done;
379 : }
380 0 : else if (unformat (line_input, "set %U id local %U %v",
381 : unformat_ikev2_token, &name,
382 : unformat_ikev2_id_type, &id_type, &data))
383 : {
384 : r =
385 0 : ikev2_set_profile_id (vm, name, (u8) id_type, data, /*local */ 1);
386 0 : goto done;
387 : }
388 0 : else if (unformat (line_input, "set %U id remote %U %U",
389 : unformat_ikev2_token, &name,
390 : unformat_ikev2_id_type, &id_type,
391 : unformat_ip_address, &ip))
392 : {
393 0 : data = vec_new (u8, ip_address_size (&ip));
394 0 : clib_memcpy (data, ip_addr_bytes (&ip), ip_address_size (&ip));
395 0 : r = ikev2_set_profile_id (vm, name, (u8) id_type, data, /*remote */
396 : 0);
397 0 : goto done;
398 : }
399 0 : else if (unformat (line_input, "set %U id remote %U 0x%U",
400 : unformat_ikev2_token, &name,
401 : unformat_ikev2_id_type, &id_type,
402 : unformat_hex_string, &data))
403 : {
404 0 : r = ikev2_set_profile_id (vm, name, (u8) id_type, data, /*remote */
405 : 0);
406 0 : goto done;
407 : }
408 0 : else if (unformat (line_input, "set %U id remote %U %v",
409 : unformat_ikev2_token, &name,
410 : unformat_ikev2_id_type, &id_type, &data))
411 : {
412 0 : r = ikev2_set_profile_id (vm, name, (u8) id_type, data, /*remote */
413 : 0);
414 0 : goto done;
415 : }
416 0 : else if (unformat (line_input, "set %U traffic-selector local "
417 : "ip-range %U - %U port-range %u - %u protocol %u",
418 : unformat_ikev2_token, &name,
419 : unformat_ip_address, &ip,
420 : unformat_ip_address, &end_addr, &tmp1, &tmp2, &tmp3))
421 : {
422 : r =
423 0 : ikev2_set_profile_ts (vm, name, (u8) tmp3, (u16) tmp1, (u16) tmp2,
424 : ip, end_addr, /*local */ 1);
425 0 : goto done;
426 : }
427 0 : else if (unformat (line_input, "set %U traffic-selector remote "
428 : "ip-range %U - %U port-range %u - %u protocol %u",
429 : unformat_ikev2_token, &name,
430 : unformat_ip_address, &ip,
431 : unformat_ip_address, &end_addr, &tmp1, &tmp2, &tmp3))
432 : {
433 : r =
434 0 : ikev2_set_profile_ts (vm, name, (u8) tmp3, (u16) tmp1, (u16) tmp2,
435 : ip, end_addr, /*remote */ 0);
436 0 : goto done;
437 : }
438 0 : else if (unformat (line_input, "set %U responder %U %U",
439 : unformat_ikev2_token, &name,
440 : unformat_vnet_sw_interface, vnm,
441 : &responder_sw_if_index, unformat_ip_address, &ip))
442 : {
443 : r =
444 0 : ikev2_set_profile_responder (vm, name, responder_sw_if_index, ip);
445 0 : goto done;
446 : }
447 0 : else if (unformat (line_input, "set %U responder %U %v",
448 : unformat_ikev2_token, &name,
449 : unformat_vnet_sw_interface, vnm,
450 : &responder_sw_if_index, &data))
451 : {
452 0 : r = ikev2_set_profile_responder_hostname (vm, name, data,
453 : responder_sw_if_index);
454 0 : goto done;
455 : }
456 0 : else if (unformat (line_input, "set %U tunnel %U",
457 : unformat_ikev2_token, &name,
458 : unformat_vnet_sw_interface, vnm, &tun_sw_if_index))
459 : {
460 0 : r = ikev2_set_profile_tunnel_interface (vm, name, tun_sw_if_index);
461 0 : goto done;
462 : }
463 : else
464 0 : if (unformat
465 : (line_input,
466 : "set %U ike-crypto-alg %U %u ike-integ-alg %U ike-dh %U",
467 : unformat_ikev2_token, &name,
468 : unformat_ikev2_transform_encr_type, &crypto_alg, &tmp1,
469 : unformat_ikev2_transform_integ_type, &integ_alg,
470 : unformat_ikev2_transform_dh_type, &dh_type))
471 : {
472 : r =
473 0 : ikev2_set_profile_ike_transforms (vm, name, crypto_alg, integ_alg,
474 : dh_type, tmp1);
475 0 : goto done;
476 : }
477 : else
478 0 : if (unformat
479 : (line_input,
480 : "set %U ike-crypto-alg %U %u ike-dh %U",
481 : unformat_ikev2_token, &name,
482 : unformat_ikev2_transform_encr_type, &crypto_alg, &tmp1,
483 : unformat_ikev2_transform_dh_type, &dh_type))
484 : {
485 : r =
486 0 : ikev2_set_profile_ike_transforms (vm, name, crypto_alg,
487 : IKEV2_TRANSFORM_INTEG_TYPE_NONE,
488 : dh_type, tmp1);
489 0 : goto done;
490 : }
491 : else
492 0 : if (unformat
493 : (line_input,
494 : "set %U esp-crypto-alg %U %u esp-integ-alg %U",
495 : unformat_ikev2_token, &name,
496 : unformat_ikev2_transform_encr_type, &crypto_alg, &tmp1,
497 : unformat_ikev2_transform_integ_type, &integ_alg))
498 : {
499 : r =
500 0 : ikev2_set_profile_esp_transforms (vm, name, crypto_alg, integ_alg,
501 : tmp1);
502 0 : goto done;
503 : }
504 0 : else if (unformat
505 : (line_input,
506 : "set %U esp-crypto-alg %U %u",
507 : unformat_ikev2_token, &name,
508 : unformat_ikev2_transform_encr_type, &crypto_alg, &tmp1))
509 : {
510 : r =
511 0 : ikev2_set_profile_esp_transforms (vm, name, crypto_alg, 0, tmp1);
512 0 : goto done;
513 : }
514 0 : else if (unformat (line_input, "set %U sa-lifetime %lu %u %u %lu",
515 : unformat_ikev2_token, &name,
516 : &tmp4, &tmp1, &tmp2, &tmp5))
517 : {
518 : r =
519 0 : ikev2_set_profile_sa_lifetime (vm, name, tmp4, tmp1, tmp2, tmp5);
520 0 : goto done;
521 : }
522 0 : else if (unformat (line_input, "set %U udp-encap",
523 : unformat_ikev2_token, &name))
524 : {
525 0 : r = ikev2_set_profile_udp_encap (vm, name);
526 0 : goto done;
527 : }
528 0 : else if (unformat (line_input, "set %U ipsec-over-udp port %u",
529 : unformat_ikev2_token, &name, &tmp1))
530 : {
531 0 : int rv = ikev2_set_profile_ipsec_udp_port (vm, name, tmp1, 1);
532 0 : if (rv)
533 0 : r = clib_error_return (0, "Error: %U", format_vnet_api_errno, rv);
534 0 : goto done;
535 : }
536 0 : else if (unformat (line_input, "set %U disable natt",
537 : unformat_ikev2_token, &name))
538 : {
539 0 : r = ikev2_profile_natt_disable (name);
540 0 : goto done;
541 : }
542 : else
543 0 : break;
544 : }
545 :
546 0 : r = clib_error_return (0, "parse error: '%U'",
547 : format_unformat_error, line_input);
548 :
549 0 : done:
550 0 : vec_free (name);
551 0 : vec_free (data);
552 0 : unformat_free (line_input);
553 0 : return r;
554 : }
555 :
556 : /* *INDENT-OFF* */
557 192247 : VLIB_CLI_COMMAND (ikev2_profile_add_del_command, static) = {
558 : .path = "ikev2 profile",
559 : .short_help =
560 : "ikev2 profile [add|del] <id>\n"
561 : "ikev2 profile set <id> auth [rsa-sig|shared-key-mic] [cert-file|string|hex]"
562 : " <data>\n"
563 : "ikev2 profile set <id> id <local|remote> <type> <data>\n"
564 : "ikev2 profile set <id> tunnel <interface>\n"
565 : "ikev2 profile set <id> udp-encap\n"
566 : "ikev2 profile set <id> traffic-selector <local|remote> ip-range "
567 : "<start-addr> - <end-addr> port-range <start-port> - <end-port> "
568 : "protocol <protocol-number>\n"
569 : "ikev2 profile set <id> responder <interface> <addr>\n"
570 : "ikev2 profile set <id> ike-crypto-alg <crypto alg> <key size> ike-integ-alg <integ alg> ike-dh <dh type>\n"
571 : "ikev2 profile set <id> esp-crypto-alg <crypto alg> <key size> "
572 : "[esp-integ-alg <integ alg>]\n"
573 : "ikev2 profile set <id> sa-lifetime <seconds> <jitter> <handover> <max bytes>"
574 : "ikev2 profile set <id> disable natt\n",
575 : .function = ikev2_profile_add_del_command_fn,
576 : };
577 : /* *INDENT-ON* */
578 :
579 : static clib_error_t *
580 0 : show_ikev2_profile_command_fn (vlib_main_t * vm,
581 : unformat_input_t * input,
582 : vlib_cli_command_t * cmd)
583 : {
584 0 : ikev2_main_t *km = &ikev2_main;
585 : ikev2_profile_t *p;
586 :
587 : /* *INDENT-OFF* */
588 0 : pool_foreach (p, km->profiles) {
589 0 : vlib_cli_output(vm, "profile %v", p->name);
590 :
591 0 : if (p->auth.data)
592 : {
593 0 : if (p->auth.hex)
594 0 : vlib_cli_output(vm, " auth-method %U auth data 0x%U",
595 0 : format_ikev2_auth_method, p->auth.method,
596 0 : format_hex_bytes, p->auth.data, vec_len(p->auth.data));
597 : else
598 0 : vlib_cli_output(vm, " auth-method %U auth data %v",
599 0 : format_ikev2_auth_method, p->auth.method, p->auth.data);
600 : }
601 :
602 0 : if (p->loc_id.data)
603 0 : vlib_cli_output(vm, " local %U", format_ikev2_id_type_and_data, &p->loc_id);
604 :
605 0 : if (p->rem_id.data)
606 0 : vlib_cli_output(vm, " remote %U", format_ikev2_id_type_and_data, &p->rem_id);
607 :
608 0 : if (!ip_address_is_zero (&p->loc_ts.start_addr))
609 0 : vlib_cli_output(vm, " local traffic-selector addr %U - %U port %u - %u"
610 : " protocol %u",
611 : format_ip_address, &p->loc_ts.start_addr,
612 : format_ip_address, &p->loc_ts.end_addr,
613 0 : p->loc_ts.start_port, p->loc_ts.end_port,
614 0 : p->loc_ts.protocol_id);
615 :
616 0 : if (!ip_address_is_zero (&p->rem_ts.start_addr))
617 0 : vlib_cli_output(vm, " remote traffic-selector addr %U - %U port %u - %u"
618 : " protocol %u",
619 : format_ip_address, &p->rem_ts.start_addr,
620 : format_ip_address, &p->rem_ts.end_addr,
621 0 : p->rem_ts.start_port, p->rem_ts.end_port,
622 0 : p->rem_ts.protocol_id);
623 0 : if (~0 != p->tun_itf)
624 0 : vlib_cli_output(vm, " protected tunnel %U",
625 : format_vnet_sw_if_index_name, vnet_get_main(), p->tun_itf);
626 0 : if (~0 != p->responder.sw_if_index)
627 0 : vlib_cli_output (vm, " responder %U %U %v",
628 : format_vnet_sw_if_index_name, vnet_get_main (),
629 : p->responder.sw_if_index, format_ip_address,
630 : &p->responder.addr, p->responder.hostname);
631 0 : if (p->udp_encap)
632 0 : vlib_cli_output(vm, " udp-encap");
633 :
634 0 : if (p->natt_disabled)
635 0 : vlib_cli_output(vm, " NAT-T disabled");
636 :
637 0 : if (p->ipsec_over_udp_port != IPSEC_UDP_PORT_NONE)
638 0 : vlib_cli_output(vm, " ipsec-over-udp port %d", p->ipsec_over_udp_port);
639 :
640 0 : if (p->ike_ts.crypto_alg || p->ike_ts.integ_alg || p->ike_ts.dh_type || p->ike_ts.crypto_key_size)
641 0 : vlib_cli_output(vm, " ike-crypto-alg %U %u ike-integ-alg %U ike-dh %U",
642 0 : format_ikev2_transform_encr_type, p->ike_ts.crypto_alg, p->ike_ts.crypto_key_size,
643 0 : format_ikev2_transform_integ_type, p->ike_ts.integ_alg,
644 0 : format_ikev2_transform_dh_type, p->ike_ts.dh_type);
645 :
646 0 : if (p->esp_ts.crypto_alg || p->esp_ts.integ_alg || p->esp_ts.dh_type)
647 0 : vlib_cli_output(vm, " esp-crypto-alg %U %u esp-integ-alg %U",
648 0 : format_ikev2_transform_encr_type, p->esp_ts.crypto_alg, p->esp_ts.crypto_key_size,
649 0 : format_ikev2_transform_integ_type, p->esp_ts.integ_alg);
650 :
651 0 : vlib_cli_output(vm, " lifetime %d jitter %d handover %d maxdata %d",
652 : p->lifetime, p->lifetime_jitter, p->handover, p->lifetime_maxdata);
653 : }
654 : /* *INDENT-ON* */
655 :
656 0 : return 0;
657 : }
658 :
659 : /* *INDENT-OFF* */
660 192247 : VLIB_CLI_COMMAND (show_ikev2_profile_command, static) = {
661 : .path = "show ikev2 profile",
662 : .short_help = "show ikev2 profile",
663 : .function = show_ikev2_profile_command_fn,
664 : };
665 : /* *INDENT-ON* */
666 :
667 : static clib_error_t *
668 0 : set_ikev2_liveness_period_fn (vlib_main_t * vm,
669 : unformat_input_t * input,
670 : vlib_cli_command_t * cmd)
671 : {
672 0 : unformat_input_t _line_input, *line_input = &_line_input;
673 0 : clib_error_t *r = 0;
674 0 : u32 period = 0, max_retries = 0;
675 :
676 0 : if (!unformat_user (input, unformat_line_input, line_input))
677 0 : return 0;
678 :
679 0 : while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
680 : {
681 0 : if (unformat (line_input, "%d %d", &period, &max_retries))
682 : {
683 0 : r = ikev2_set_liveness_params (period, max_retries);
684 0 : goto done;
685 : }
686 : else
687 0 : break;
688 : }
689 :
690 0 : r = clib_error_return (0, "parse error: '%U'",
691 : format_unformat_error, line_input);
692 :
693 0 : done:
694 0 : unformat_free (line_input);
695 0 : return r;
696 : }
697 :
698 : /* *INDENT-OFF* */
699 192247 : VLIB_CLI_COMMAND (set_ikev2_liveness_command, static) = {
700 : .path = "ikev2 set liveness",
701 : .short_help = "ikev2 set liveness <period> <max-retires>",
702 : .function = set_ikev2_liveness_period_fn,
703 : };
704 : /* *INDENT-ON* */
705 :
706 : static clib_error_t *
707 0 : set_ikev2_local_key_command_fn (vlib_main_t * vm,
708 : unformat_input_t * input,
709 : vlib_cli_command_t * cmd)
710 : {
711 0 : unformat_input_t _line_input, *line_input = &_line_input;
712 0 : clib_error_t *r = 0;
713 0 : u8 *data = 0;
714 :
715 0 : if (!unformat_user (input, unformat_line_input, line_input))
716 0 : return 0;
717 :
718 0 : while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
719 : {
720 0 : if (unformat (line_input, "%s", &data))
721 : {
722 0 : r = ikev2_set_local_key (vm, data);
723 0 : goto done;
724 : }
725 : else
726 0 : break;
727 : }
728 :
729 0 : r = clib_error_return (0, "parse error: '%U'",
730 : format_unformat_error, line_input);
731 :
732 0 : done:
733 0 : vec_free (data);
734 0 : unformat_free (line_input);
735 0 : return r;
736 : }
737 :
738 : /* *INDENT-OFF* */
739 192247 : VLIB_CLI_COMMAND (set_ikev2_local_key_command, static) = {
740 : .path = "set ikev2 local key",
741 : .short_help =
742 : "set ikev2 local key <file>",
743 : .function = set_ikev2_local_key_command_fn,
744 : };
745 : /* *INDENT-ON* */
746 :
747 :
748 : static clib_error_t *
749 0 : ikev2_initiate_command_fn (vlib_main_t * vm,
750 : unformat_input_t * input, vlib_cli_command_t * cmd)
751 : {
752 0 : unformat_input_t _line_input, *line_input = &_line_input;
753 0 : clib_error_t *r = 0;
754 0 : u8 *name = 0;
755 : u32 tmp1;
756 : u64 tmp2;
757 :
758 0 : if (!unformat_user (input, unformat_line_input, line_input))
759 0 : return 0;
760 :
761 0 : while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
762 : {
763 0 : if (unformat (line_input, "sa-init %U", unformat_ikev2_token, &name))
764 : {
765 0 : r = ikev2_initiate_sa_init (vm, name);
766 0 : goto done;
767 : }
768 0 : else if (unformat (line_input, "del-child-sa %x", &tmp1))
769 : {
770 0 : r = ikev2_initiate_delete_child_sa (vm, tmp1);
771 0 : goto done;
772 : }
773 0 : else if (unformat (line_input, "del-sa %lx", &tmp2))
774 : {
775 0 : r = ikev2_initiate_delete_ike_sa (vm, tmp2);
776 0 : goto done;
777 : }
778 0 : else if (unformat (line_input, "rekey-child-sa %x", &tmp1))
779 : {
780 0 : r = ikev2_initiate_rekey_child_sa (vm, tmp1);
781 0 : goto done;
782 : }
783 : else
784 0 : break;
785 : }
786 :
787 0 : r = clib_error_return (0, "parse error: '%U'",
788 : format_unformat_error, line_input);
789 :
790 0 : done:
791 0 : vec_free (name);
792 0 : unformat_free (line_input);
793 0 : return r;
794 : }
795 :
796 : /* *INDENT-OFF* */
797 192247 : VLIB_CLI_COMMAND (ikev2_initiate_command, static) = {
798 : .path = "ikev2 initiate",
799 : .short_help =
800 : "ikev2 initiate sa-init <profile id>\n"
801 : "ikev2 initiate del-child-sa <child sa ispi>\n"
802 : "ikev2 initiate del-sa <sa ispi>\n"
803 : "ikev2 initiate rekey-child-sa <child sa ispi>\n",
804 : .function = ikev2_initiate_command_fn,
805 : };
806 : /* *INDENT-ON* */
807 :
808 : static clib_error_t *
809 20 : ikev2_set_log_level_command_fn (vlib_main_t * vm,
810 : unformat_input_t * input,
811 : vlib_cli_command_t * cmd)
812 : {
813 20 : unformat_input_t _line_input, *line_input = &_line_input;
814 20 : u32 log_level = IKEV2_LOG_NONE;
815 20 : clib_error_t *error = 0;
816 :
817 : /* Get a line of input. */
818 20 : if (!unformat_user (input, unformat_line_input, line_input))
819 0 : return 0;
820 :
821 20 : if (!unformat (line_input, "%d", &log_level))
822 : {
823 0 : error = clib_error_return (0, "unknown input '%U'",
824 : format_unformat_error, line_input);
825 0 : goto done;
826 : }
827 20 : int rc = ikev2_set_log_level (log_level);
828 20 : if (rc < 0)
829 0 : error = clib_error_return (0, "setting log level failed!");
830 :
831 20 : done:
832 20 : unformat_free (line_input);
833 20 : return error;
834 : }
835 :
836 : /* *INDENT-OFF* */
837 192247 : VLIB_CLI_COMMAND (ikev2_set_log_level_command, static) = {
838 : .path = "ikev2 set logging level",
839 : .function = ikev2_set_log_level_command_fn,
840 : .short_help = "ikev2 set logging level <0-5>",
841 : };
842 : /* *INDENT-ON* */
843 :
844 : /*
845 : * fd.io coding-style-patch-verification: ON
846 : *
847 : * Local Variables:
848 : * eval: (c-set-style "gnu")
849 : * End:
850 : */
|
