From 73083503f2b6e3873ef6bad7ac0ed8865e825eef Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Tue, 15 Jun 2021 11:10:40 +0200
Subject: [PATCH] vici: Make UDP encapsulation for per-CPU SAs configurable

---
 src/libcharon/plugins/vici/vici_config.c | 14 +++++++++++++-
 src/swanctl/swanctl.opt | 17 ++++++++++++++---
 2 files changed, 27 insertions(+), 4 deletions(-)

diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c
index 146c07db0c..a85cccd9d5 100644
--- a/src/libcharon/plugins/vici/vici_config.c
+++ b/src/libcharon/plugins/vici/vici_config.c
@@ -583,7 +583,9 @@ static void log_child_data(child_data_t *data, char *name)
 DBG2(DBG_CFG, " proposals = %#P", data->proposals);
 DBG2(DBG_CFG, " local_ts = %#R", data->local_ts);
 DBG2(DBG_CFG, " remote_ts = %#R", data->remote_ts);
- DBG2(DBG_CFG, " per_cpu_sas = %u", has_opt(cfg, OPT_PER_CPU_SAS));
+ DBG2(DBG_CFG, " per_cpu_sas = %s",
+ has_opt(cfg, OPT_PER_CPU_SAS_ENCAP) ? "encap" :
+ has_opt(cfg, OPT_PER_CPU_SAS) ? "1" : "0");
 DBG2(DBG_CFG, " hw_offload = %N", hw_offload_names, cfg->hw_offload);
 DBG2(DBG_CFG, " sha256_96 = %u", has_opt(cfg, OPT_SHA256_96));
 DBG2(DBG_CFG, " copy_df = %u", !has_opt(cfg, OPT_NO_COPY_DF));
@@ -1067,6 +1069,16 @@ CALLBACK(parse_opt_copy_ecn, bool,
 CALLBACK(parse_opt_cpus, bool,
 child_cfg_option_t *out, chunk_t v)
 {
+ enum_map_t map[] = {
+ { "encap", OPT_PER_CPU_SAS|OPT_PER_CPU_SAS_ENCAP },
+ };
+ int d;
+
+ if (parse_map(map, countof(map), &d, v))
+ {
+ *out |= d;
+ return TRUE;
+ }
 return parse_option(out, OPT_PER_CPU_SAS, v, TRUE);
 }
 
diff --git a/src/swanctl/swanctl.opt b/src/swanctl/swanctl.opt
index 4c60c0d0b2..cabc90f8c9 100644
--- a/src/swanctl/swanctl.opt
+++ b/src/swanctl/swanctl.opt
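Review bot: The new `encap` branch in parse_opt_cpus (second hunk of vici_config.c) carries no comment, so a reader has to open swanctl.opt to learn why the keyword ORs in `OPT_PER_CPU_SAS` together with `OPT_PER_CPU_SAS_ENCAP` and what the latter flag means; I would add `/* "encap": per-CPU SAs, each outbound SA using a random UDP source port; plain yes/no is handled by parse_option() below */` above the `map[]` declaration. The swanctl.opt text in this same commit also says that _encap_ needs **encap** enabled on the connection when there is no NAT, and nothing in this hunk enforces that, so unless it is validated elsewhere in vici_config.c the comment should state that the dependency is left to the configuration author. The `per_cpu_sas = %s` line in the first hunk prints the same two-flag combination ("encap" when the ENCAP flag is set, otherwise "1"/"0"), which is consistent with this branch; log_child_data's body continues outside that hunk.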
@@ -162,7 +162,7 @@ connections..fragmentation = yes Use IKE UDP datagram fragmentation (_yes_, _accept_, _no_ or _force_). Use IKE fragmentation (proprietary IKEv1 extension or RFC 7383 IKEv2
- fragmentation). Acceptable values are _yes_ (the default), _accept_,
+ fragmentation). Acceptable values are _yes_ (the default), _accept_,
 _force_ and _no_. If set to _yes_, and the peer supports it, oversized IKE messages will be sent in fragments. If set to _accept_, support for fragmentation is announced to the peer but the daemon does not send its own
@@ -833,7 +833,7 @@ connections..children..rekey_time = 1h or life_time - 10% lifetime. If **life_time** is explicitly configured, **rekey_time** defaults to 10%
- less than that, otherwise, CHILD_SA rekeying is scheduled every hour, minus
+ less than that, otherwise, CHILD_SA rekeying is scheduled every hour, minus
 **rand_time**. connections..children..life_time = rekey_time + 10%
@@ -1128,6 +1128,17 @@ connections..children..replay_window = 32 connections..children..per_cpu_sas = no Enable per-CPU CHILD_SAs. Requires _trap_ in **start_action**.
+ Enable per-CPU CHILD_SAs. Requires _trap_ in **start_action**.
+
+ The value _encap_ enables a special type of UDP encapsulation (requires
+ enabling **encap** for the connection if there is no NAT), where a random
+ source port is used for each outbound per-CPU SA (the destination port for
+ all of them remains 4500). This allows using the port for RSS if the SPI
+ can't be used. Note that this type of behavior is not standardized and not
+ negotiated. So regardless of whether the option is enabled, inbound per-CPU
+ SAs with UDP-encapsulation always have the source port set to 0 as the
+ peer's random port is unknown if it has this option enabled.
+
 connections..children..hw_offload = no Enable hardware offload for this CHILD_SA, if supported by the IPsec implementation.
@@ -1291,7 +1302,7 @@ secrets.ppk { # } secrets.ppk.secret = Value of the PPK.
- Value of the PPK. It may either be an ASCII string, a hex encoded string if
+ Value of the PPK. It may either be an ASCII string, a hex encoded string if
 it has a _0x_ prefix or a Base64 encoded string if it has a _0s_ prefix in its value. Should have at least 256 bits of entropy for 128-bit security.
-- 
2.47.2