Skip to content
This repository was archived by the owner on Jan 5, 2026. It is now read-only.

Add support for VXLAN+IPSEC usecase for tunnel and transport mode #27

Draft
nupuruttarwar wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

Add support for VXLAN+IPSEC usecase for tunnel and transport mode #27

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
27 changes: 14 additions & 13 deletions ipsec_offload_plugin/ipsec_offload.conf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,22 +1,23 @@
# conf file for ipsec_offlaod plugin
gnmi_server=127.0.0.1:9339
p4rt_server=localhost:9559
gnmi_server=5.5.5.5:9339
p4rt_server=5.5.5.5:9559
cli_cert=/usr/share/stratum/certs/client.crt
cli_key=/usr/share/stratum/certs/client.key
ca_cert=/usr/share/stratum/certs/ca.crt

# P4 table and action names as per p4info file
tx_spd=crypto_tunnel_control.ipsec_tx_spd_table
tx_sa_classification=crypto_tunnel_control.ipsec_tx_sa_classification_table
tx_spd=linux_networking_control.ipsec_tx_spd_table
tx_sa_classification=linux_networking_control.ipsec_tx_sa_classification_table
rx_sa_classification=MainControlDecrypt.ipsec_rx_sa_classification_table
encap_mod=crypto_tunnel_control.outer_ipv4_encap_mod_table
decap_mod=crypto_tunnel_control.outer_ipv4_decap_mod_table
post_decrypt=crypto_tunnel_control.ipsec_rx_post_decrypt_table
encap_mod=linux_networking_control.vxlan_ipsec_tunnel_encap_mod_table
decap_mod=linux_networking_control.outer_ipv4_decap_mod_table
post_decrypt=linux_networking_control.tep_term_with_ipsec_tunnel

tx_transport_action=crypto_tunnel_control.ipsec_tx_transport
tx_tunnel_action=crypto_tunnel_control.ipsec_tx_tunnel
tx_transport_action=linux_networking_control.ipsec_tx_transport
tx_transport_udp_action=linux_networking_control.ipsec_tx_transport_udp
tx_tunnel_action=linux_networking_control.tx_ipsec_tunnel_with_underlay
rx_tunnel_action=MainControlDecrypt.ipsec_decrypt
protect_action=crypto_tunnel_control.ipsec_protect
encap_mod_action=crypto_tunnel_control.encap_outer_ipv4_mod
decap_mod_action=crypto_tunnel_control.decap_outer_ipv4_mod
rx_post_decrypt_action=crypto_tunnel_control.ipsec_tunnel_post_decrypt
protect_action=linux_networking_control.ipsec_protect
encap_mod_action=linux_networking_control.vxlan_ipsec_tunnel_encap_mod
decap_mod_action=linux_networking_control.decap_outer_ipv4_mod
rx_post_decrypt_action=linux_networking_control.decap_ipsec_tunnel_hdr
47 changes: 34 additions & 13 deletions ipsec_offload_plugin/ipsec_offload/ipsec_offload.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -72,7 +72,7 @@ enum ipsec_status ipsec_rx_post_decrypt_table(enum ipsec_table_op table_op,
char crypto_status,
uint16_t crypt_tag,
char dst_ip_addr[16],
char dst_ip_mask[16],
char src_ip_addr[16],
uint32_t match_priority,
uint32_t mod_blob_ptr);
enum ipsec_status ipsec_outer_ipv4_encap_mod_table(enum ipsec_table_op table_op,
Expand All @@ -82,8 +82,7 @@ enum ipsec_status ipsec_outer_ipv4_encap_mod_table(enum ipsec_table_op table_op,
uint32_t proto,
char smac[16],
char dmac[16]);
enum ipsec_status ipsec_outer_ipv4_decap_mod_table(
enum ipsec_table_op table_op,
enum ipsec_status ipsec_outer_ipv4_decap_mod_table(enum ipsec_table_op table_op,
uint32_t mod_blob_ptr,
char inner_smac[16],
char inner_dmac[16]);
Expand Down Expand Up @@ -695,10 +694,11 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
IPSEC_TABLE_ADD,
0, 0, 2 /*As of now SAD table programs req-id a 2 hence changing it to 2.
This can be changed to offload id once map ingress SPI to egress*/,
dst, mac_mask, 1, offload_id);
dst, src, 1, offload_id);
if(err != IPSEC_SUCCESS)
DBG2(DBG_KNL, "Inline_crypto_ipsec ipsec_rx_post_decrypt_tabl:"
"add entry failed err_code[ %d]", err);

}

} else if(id->dir == POLICY_OUT) {
Expand All @@ -713,6 +713,16 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
memcpy(dst, ts_dst.ptr, ts_src.len);
memcpy(src_outer, ts_src_outer.ptr, ts_src_outer.len);
memcpy(dst_outer, ts_dst_outer.ptr, ts_dst_outer.len);
char dst_ip_mask[16] = {0};
char src_ip_mask[16] = {0};
host_t *net_host;
uint8_t netbits;

id->src_ts->to_subnet(id->dst_ts, &net_host, &netbits);
memset(src_ip_mask, 0xFF, netbits/8);

id->dst_ts->to_subnet(id->dst_ts, &net_host, &netbits);
memset(dst_ip_mask, 0xFF, netbits/8);

fill_entry_selector_policy(&entry_key.sel, id, data);
current_entry = this->ipsec_offload_params->get(this->ipsec_offload_params,
Expand Down Expand Up @@ -751,7 +761,6 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
if(err != IPSEC_SUCCESS)
DBG2(DBG_KNL, "Inline_crypto_ipsec add_with_encap_outer_ipv4_mod:"
"add entry failed err_code[ %d]", err);

}

this->ipsec_offload_params->remove(this->ipsec_offload_params, current_entry);
Expand Down Expand Up @@ -794,6 +803,17 @@ METHOD(kernel_ipsec_t, del_policy, status_t,
char inner_smac[16] = {0x00, 0x02, 0x00, 0x00, 0x03, 0x18};
char inner_dmac[16] = {0xb4, 0x96, 0x91, 0x9f, 0x67, 0x31};

char dst_ip_mask[16] = {0};
char src_ip_mask[16] = {0};
host_t *net_host;
uint8_t netbits;

id->src_ts->to_subnet(id->dst_ts, &net_host, &netbits);
memset(src_ip_mask, 0xFF, netbits/8);

id->dst_ts->to_subnet(id->dst_ts, &net_host, &netbits);
memset(dst_ip_mask, 0xFF, netbits/8);

DBG2(DBG_KNL, "Del Policy dir=%d START", id->dir);

if(id->dir == POLICY_IN)
Expand All @@ -818,21 +838,21 @@ METHOD(kernel_ipsec_t, del_policy, status_t,
spi, offload_id);
if(err != IPSEC_SUCCESS)
DBG2(DBG_KNL, "Inline_crypto_ipsec ipsec_rx_sa_classification_table:"
"add entry failed err_code[ %d]", err);
"del entry failed err_code[ %d]", err);

if (data->sa->mode == MODE_TUNNEL) {
err = ipsec_outer_ipv4_decap_mod_table(IPSEC_TABLE_DEL,
offload_id,
inner_dmac, inner_smac);
if(err != IPSEC_SUCCESS)
DBG2(DBG_KNL, "Inline_crypto_ipsec ipsec_outer_ipv4_decap_mod_table:"
"add entry failed err_code[ %d]", err);
"del entry failed err_code[ %d]", err);
err = ipsec_rx_post_decrypt_table(IPSEC_TABLE_DEL,
0, 0, 2, dst, mac_mask,
0, 0, 2, dst, src,
1, offload_id);
if(err != IPSEC_SUCCESS)
DBG2(DBG_KNL, "Inline_crypto_ipsec iipsec_rx_post_decrypt_tabl:"
"add entry failed err_code[ %d]", err);
DBG2(DBG_KNL, "Inline_crypto_ipsec ipsec_rx_post_decrypt_table:"
"del entry failed err_code[ %d]", err);
}

memset(mask, 0xFF, sizeof(uint32_t));
Expand All @@ -845,21 +865,22 @@ METHOD(kernel_ipsec_t, del_policy, status_t,

/* for Tx table dst = src in inbound */
err = ipsec_tx_sa_classification_table(IPSEC_TABLE_DEL,
src, dst, 1,
src, dest, 1,
offload_id, offload_id,
id->src_ts->get_protocol(id->src_ts),
data->sa->mode == MODE_TUNNEL);
if(err == IPSEC_FAILURE)
DBG2(DBG_KNL, "Inline_crypto_ipsec ipsec_tx_sa_classification_table:"
"add entry failed");
"del entry failed");

if (data->sa->mode == MODE_TUNNEL) {
err = ipsec_outer_ipv4_encap_mod_table(IPSEC_TABLE_DEL,
offload_id, dst_outer, src_outer,
id->src_ts->get_protocol(id->src_ts),
inner_smac, inner_dmac);
if(err != IPSEC_SUCCESS)
DBG2(DBG_KNL, "Inline_crypto_ipsec add_with_encap_outer_ipv4_mod:"
"add entry failed err_code[ %d]", err);
"del entry failed err_code[ %d]", err);

}

Expand Down
Loading