author | Tinku Mannan <tmannan@ti.com> | |
Wed, 5 Nov 2014 18:56:33 +0000 (13:56 -0500) | ||
committer | Tinku Mannan <tmannan@ti.com> | |
Wed, 5 Nov 2014 18:59:05 +0000 (13:59 -0500) |
ti/runtime/netapi/makefile_armv7 | patch | blob | history | |
ti/runtime/netapi/netapi_sec.h | patch | blob | history | |
ti/runtime/netapi/src/netapi_sec.c | patch | blob | history | |
ti/runtime/netapi/tools/ipsec_tools/sample_evm_ipsec.conf | [new file with mode: 0755] | patch | blob |
ti/runtime/netapi/tools/ipsec_tools/sample_pc_ipsec.conf | [new file with mode: 0755] | patch | blob |
index e093546076f01bf170a8b2daa70e1269032990b4..c38056006357f1d3ac0bd3cbf3db4367bc08cf31 100755 (executable)
install -c -m 755 tools/eqos/parse_ale.awk $(SYSCONFDIR)/transportnetlib/test
$(CP) test/eqos_config1.txt $(SYSCONFDIR)/transportnetlib/test
$(CP) test/eqos_config2.txt $(SYSCONFDIR)/transportnetlib/test
+ install -c -m 755 tools/ipsec_tools/sample_evm_ipsec.conf $(SYSCONFDIR)/transportnetlib/test
+
installdemo:
install -d $(INSTALL_BIN_BASE_DIR)
install -c -m 755 $(ARMV7BINDIR)/netapi/demo/transport_dpi_demo $(INSTALL_BIN_BASE_DIR)/
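Review bot: The new `install -c -m 755 tools/ipsec_tools/sample_evm_ipsec.conf` line gives a plain-text strongSwan configuration the executable bit; `-m 644` is the conventional mode for a config file, and the two new .conf files are also committed with mode 0755, so the same applies to the file mode in the tree. Only sample_evm_ipsec.conf is installed here; if sample_pc_ipsec.conf is meant to stay on the PC side only, a one-line comment above the install line saying so would make the asymmetry deliberate rather than an omission.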
index 600404292370c6441dc4ff669f068a43a86b4c77..d447c6d694b34c966a3ca9dea4d2aa45cb831475 100755 (executable)
NETCP_CFG_APP_ID_T appId,
nwalChanCxtInfo_t* pInfo);
+typedef struct {
+ uint32_t spi; /**< IPSec Security Parameter index */
+ nwalIpAddr_t src; /**< Source IP Address */
+ nwalIpAddr_t dst; /**< Destination Address */
+ nwal_IpSecProto proto; /**< IpSec Proto */
+ uint8_t inUse;
+ uint8_t ref_count;
+ NETCP_CFG_SA_T app_id;
+} NETAPI_SA_INFO_LOCAL_T;
#ifdef __cplusplus
}
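Review bot: `ref_count` in the new `NETAPI_SA_INFO_LOCAL_T` is a `uint8_t`, while the add path in netapi_sec.c increments it unconditionally for every repeated offload of the same SA, so the 256th reference wraps it to 0 and the delete path then reports `NETAPI_ERR_NOTFOUND` for an entry that is still `inUse`; a `uint32_t`, or an explicit cap in the add path, avoids that. `inUse`, `ref_count` and `app_id` are also the only members without a `/**< */` description, e.g. `uint32_t ref_count; /**< Outstanding add-SA references; the slot is released when this drops to 0 */`. Nothing in the netapi_sec.c hunks of this commit assigns `src` or `proto`, so as far as this page shows they are dead fields — either populate them or leave them out until the lookup keys on them. The type is named LOCAL but lives in the public header; if it is only meant for netapi_sec.c, a comment saying so (or moving it into the .c file) would keep it out of the API surface.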
index e64d2977704269353fa0ced303f05899e5408f79..b7442b30a7fd765f5c835e2c52da332bd38da756 100755 (executable)
#include "netapi.h"
+NETAPI_SA_INFO_LOCAL_T netapi_sa_db[TUNE_NETAPI_MAX_SA];
/********************************************************************
* FUNCTION PURPOSE: API to add an IPSEC SA
********************************************************************
nwalSaIpSecId_t nwalSaIpSecId;
uint32_t swInfo0 = 0;
uint32_t swInfo1 = 0;
-
+ int sa_db_slot;
+ int free_sa_db_slot = 0;
nwalCreateSAParams_t createParam =
{
/* mac handle */
return -1;
}
+ /* prior to building table, will need to store SA entry in local database,
+ * and make sure this SA has not been already offloaded, if already off-loaded,
+ * just return app_id associated with the SA */
+
+ for(sa_db_slot=0; sa_db_slot < TUNE_NETAPI_MAX_SA; sa_db_slot++)
+ {
+ if (netapi_sa_db[sa_db_slot].inUse)
+ {
+ if (sa_info->ipType == nwal_IPV4)
+ {
+ if (netapi_sa_db[sa_db_slot].spi != sa_info->spi)
+ continue;
+ if(memcmp(&netapi_sa_db[sa_db_slot].dst.ipv4,
+ &sa_info->dst.ipv4, sizeof(sa_info->dst.ipv4)))
+ continue;
+
+ netapi_sa_db[sa_db_slot].ref_count++;
+ return netapi_sa_db[sa_db_slot].app_id;
+ }
+ else if (sa_info->ipType == nwal_IPV6)
+ {
+ if (netapi_sa_db[sa_db_slot].spi != sa_info->spi)
+ continue;
+ if(memcmp(&netapi_sa_db[sa_db_slot].dst.ipv6,
+ &sa_info->dst.ipv6, sizeof(sa_info->dst.ipv6)))
+ continue;
+
+ netapi_sa_db[sa_db_slot].ref_count++;
+ return netapi_sa_db[sa_db_slot].app_id;
+ }
+ else
+ {
+ *perr = NETAPI_ERR_BAD_INPUT;
+ return -1;
+ }
+ }
+ else
+ {
+ /* found free slot */
+ free_sa_db_slot = sa_db_slot;
+ }
+ }
+ saInfo.spi = sa_info->spi;
+
+ memcpy(&saInfo.dst, &sa_info->dst, sizeof( nwalIpAddr_t));
+
/* reserve a slot */
tunnelId = netapip_netcpCfgFindSaSlot(n,
&netapi_get_global()->nwal_context,
swInfo0,
swInfo1,
p_user_data);
+ netapi_sa_db[free_sa_db_slot].app_id = appId;
+ netapi_sa_db[free_sa_db_slot].inUse = 1;
+ netapi_sa_db[free_sa_db_slot].spi = sa_info->spi;
+ netapi_sa_db[free_sa_db_slot].ref_count++;
+ memcpy(&(netapi_sa_db[free_sa_db_slot].dst), &sa_info->dst,sizeof( nwalIpAddr_t));
return (appId);
}
void * handle_inflow;
void * handle_sideband;
int have_to_wait = 1;
+ int sa_db_slot;
+ *perr =0;
+ for(sa_db_slot=0; sa_db_slot < TUNE_NETAPI_MAX_SA; sa_db_slot++)
+ {
+ if((netapi_sa_db[sa_db_slot].inUse) &&
+ (netapi_sa_db[sa_db_slot].app_id == sa_app_id))
+ {
+ if(!netapi_sa_db[sa_db_slot].ref_count)
+ {
+ *perr = NETAPI_ERR_NOTFOUND;
+ return;
+ }
+ netapi_sa_db[sa_db_slot].ref_count--;
+ if(netapi_sa_db[sa_db_slot].ref_count)
+ {
+ return;
+ }
+ else
+ {
+ netapi_sa_db[sa_db_slot].inUse = 0;
+ break;
+ }
+ }
+ }
handle_inflow = netapip_netcpCfgGetSaHandles(&netapi_get_global()->nwal_context,
tunnelId, &handle_sideband);
- *perr =0;
+
if(handle_inflow)
{
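Review bot: When every slot of `netapi_sa_db` is `inUse`, the lookup loop in the add path leaves `free_sa_db_slot` at its initial value 0, and the `netapi_sa_db[free_sa_db_slot].app_id = appId;` block then silently overwrites the live entry in slot 0 — that SA's `app_id` and reference count are lost, and a later delete of it decrements the wrong entry. Initialise `free_sa_db_slot` to -1 and reject the call when the loop finishes with no free slot, before `netapip_netcpCfgFindSaSlot` reserves a hardware slot. In the same hunk the freshly claimed slot should set `netapi_sa_db[free_sa_db_slot].ref_count = 1;` rather than `ref_count++`, and the duplicate check compares only `spi` and `dst`, so two SAs sharing an SPI and destination but differing in protocol would be folded into one entry — a one-line comment stating the intended key would make that explicit. Whether `netapi_sa_db` needs a lock depends on how callers thread the add and delete paths, which is not visible here. Both enclosing functions start and end outside the hunks.
```c
    int sa_db_slot;
    int free_sa_db_slot = -1;   /* -1: no free slot seen yet */
    /* … unchanged: createParam setup and mac-handle checks … */
    for(sa_db_slot=0; sa_db_slot < TUNE_NETAPI_MAX_SA; sa_db_slot++)
    {
        /* … unchanged: duplicate-SA lookup, returns existing app_id … */
    }
    if (free_sa_db_slot < 0)
    {
        /* local SA table is full: refuse rather than overwrite slot 0 */
        *perr = NETAPI_ERR_BAD_INPUT;   /* TODO: use a dedicated table-full error code if the library defines one */
        return -1;
    }
    saInfo.spi = sa_info->spi;
```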
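--- /dev/null
+++ b/ti/runtime/netapi/tools/ipsec_tools/sample_evm_ipsec.conf
@@ -0,0 +1,83 @@
+# ipsec.conf - strongSwan IPsec configuration file\r
+# The following variables will have to be replaced by the automation setup:\r
+# %LOCAL_IP_ADDRESS% = IP address for the side where the ipsec.conf file will reside\r
+# %LOCAL_IP_SUBNET% = IP address or the public side NAT address for the side where the ipsec.conf file will reside\r
+# %CERT_FILE_PATH_NAME% = Certification file and path name. (alpha side = /home/gguser/ipsec/alphaCert.der, beta side = /etc/ipsec.d/certs/betaCert.der)\r
+# %LOCAL_CN% = Local network name (alpha.test.org or beta.test.org)\r
+# %REMOTE_CN% = Remote network name (beta.test.org or alpha.test.org)\r
+# %REMOTE_IP_ADDRESS% = IP address for the remote side\r
+# %REMOTE_IP_SUBNET% = IP address or the public side NAT address for the remote side\r
+# %IKE_LIFETIME% = IKE rekey lifetime (48H for 48 hours)\r
+# %LIFETIME% = Rekey lifetime (48H for 48 hours)"\r
+# %LOCAL_IPV6_ADDRESS% = Local side IPV6 address (2000::1)\r
+# %REMOTE_IPV6_ADDRESS% = Remote side IPV6 address (2000::2)\r
+# %CONNECTION_SIDE% = Connection side indicator. (Alpha for alpha side, Beta for beta side)\r
+# %CONNECTION_NAME% = Connection side name. (Udp, Tcp, Sctp, Link, Conn ...)\r
+# %PROTOCOL% = Protocol to be used for link (udp, tcp, sctp ...)\r
+# %ESP_ENCRYPTION% = Esp encryption to be used (aes128, aes192, 3des ...)\r
+# %ESP_INTEGRITY% = Esp integrity to be used (sha1, aesxcbc ...)\r
+\r
+# basic configuration\r
+config setup\r
+ strictcrlpolicy=no\r
+ charondebug=all\r
+\r
+# Add connections here.\r
+conn %default\r
+ left=192.168.1.50\r
+ leftcert=/etc/ipsec.d/certs/betaCert.der\r
+ leftid="C=US, O=Test, CN=beta.test.org"\r
+ right=192.168.1.84\r
+ rightid="C=US, O=Test, CN=alpha.test.org"\r
+ keyexchange=ikev2\r
+ ike=aes128-sha1-modp2048!\r
+ type=tunnel\r
+ esp=aes128-sha1-modp2048-noesn!\r
+ margintime=1h\r
+ ikelifetime=168h\r
+ lifetime=168h\r
+ reauth=no\r
+\r
+conn Beta-Conn1\r
+ leftsubnet=192.168.1.50/32[udp],192.168.1.51/32[udp]\r
+ rightsubnet=192.168.1.84/32[udp],192.168.1.85/32[udp]\r
+ auto=add\r
+\r
+conn Beta-Conn9\r
+ leftprotoport=udp\r
+ leftsubnet=192.168.1.51/32\r
+ rightprotoport=udp\r
+ rightsubnet=192.168.1.85/32\r
+ auto=add\r
+\r
+conn Beta-Conn2\r
+ leftprotoport=udp\r
+ leftsubnet=2000::3/64\r
+ rightprotoport=udp\r
+ rightsubnet=2000::1/64\r
+ auto=add\r
+\r
+conn Beta-Conn3\r
+ leftprotoport=udp\r
+ leftsubnet=192.168.1.50/32\r
+ rightprotoport=udp\r
+ rightsubnet=192.168.1.84/32\r
+ type=passthrough\r
+ authby=never\r
+ auto=add\r
+\r
+conn Beta-Conn4\r
+ leftprotoport=udp\r
+ leftsubnet=2000::3/64\r
+ rightprotoport=udp\r
+ rightsubnet=2000::1/64\r
+ type=passthrough\r
+ authby=never\r
+ auto=add\r
+\r
+conn Beta-Icmp1\r
+ leftprotoport=icmp\r
+ leftsubnet=192.168.1.50/32\r
+ rightprotoport=icmp\r
+ rightsubnet=192.168.1.84/32\r
+ auto=add\r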
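Review bot: The header comment lists `%LOCAL_IP_ADDRESS%`, `%CERT_FILE_PATH_NAME%` and the other automation placeholders, but the body below is fully hard-coded (192.168.1.50, /etc/ipsec.d/certs/betaCert.der, ...), so the comment describes a template this file is not; either keep the placeholders in the body or trim the header to a one-line note that this is a fixed EVM/PC sample pair. The same applies to sample_pc_ipsec.conf. This file also carries CRLF line endings (the `\r` on every line) while sample_pc_ipsec.conf is LF, which is worth normalising for a file installed onto a Linux target. `Beta-Conn3` and `Beta-Conn4` use `type=passthrough` with `authby=never`, i.e. the listed host pairs are deliberately excluded from IPsec; a comment above each naming that purpose (e.g. `# passthrough: clear-text control traffic for the test harness`) would stop a reader from mistaking them for misconfigured tunnels.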
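--- /dev/null
+++ b/ti/runtime/netapi/tools/ipsec_tools/sample_pc_ipsec.conf
@@ -0,0 +1,84 @@
+# ipsec.conf - strongSwan IPsec configuration file
+# The following variables will have to be replaced by the automation setup:
+# %LOCAL_IP_ADDRESS% = IP address for the side where the ipsec.conf file will reside
+# %LOCAL_IP_SUBNET% = IP address or the public side NAT address for the side where the ipsec.conf file will reside
+# %CERT_FILE_PATH_NAME% = Certification file and path name. (alpha side = /home/gguser/ipsec/alphaCert.der, beta side = /etc/ipsec.d/certs/betaCert.der)
+# %LOCAL_CN% = Local network name (alpha.test.org or beta.test.org)
+# %REMOTE_CN% = Remote network name (beta.test.org or alpha.test.org)
+# %REMOTE_IP_ADDRESS% = IP address for the remote side
+# %REMOTE_IP_SUBNET% = IP address or the public side NAT address for the remote side
+# %IKE_LIFETIME% = IKE rekey lifetime (48H for 48 hours)
+# %LIFETIME% = Rekey lifetime (48H for 48 hours)"
+# %LOCAL_IPV6_ADDRESS% = Local side IPV6 address (2000::1)
+# %REMOTE_IPV6_ADDRESS% = Remote side IPV6 address (2000::2)
+# %CONNECTION_SIDE% = Connection side indicator. (Alpha for alpha side, Beta for beta side)
+# %CONNECTION_NAME% = Connection side name. (Udp, Tcp, Sctp, Link, Conn ...)
+# %PROTOCOL% = Protocol to be used for link (udp, tcp, sctp ...)
+# %ESP_ENCRYPTION% = Esp encryption to be used (aes128, aes192, 3des ...)
+# %ESP_INTEGRITY% = Esp integrity to be used (sha1, aesxcbc ...)
+
+# basic configuration
+config setup
+ strictcrlpolicy=no
+ charondebug=all
+
+# Add connections here.
+conn %default
+ left=192.168.1.84
+ leftcert=/etc/ipsec.d/certs/alphaCert.der
+ leftid="C=US, O=Test, CN=alpha.test.org"
+ right=192.168.1.50
+ rightid="C=US, O=Test, CN=beta.test.org"
+ keyexchange=ikev2
+ ike=aes128-sha1-modp2048!
+ type=tunnel
+ esp=aes128-sha1-modp2048-noesn!
+ margintime=1h
+ ikelifetime=168h
+ lifetime=168h
+ reauth=no
+
+conn Alpha-Conn1
+ leftsubnet=192.168.1.84/32[udp],192.168.1.85/32[udp]
+ rightsubnet=192.168.1.50/32[udp],192.168.1.51/32[udp]
+ auto=add
+
+conn Alpha-Conn9
+ leftprotoport=udp
+ leftsubnet=192.168.1.85/32
+ rightprotoport=udp
+ rightsubnet=192.168.1.51/32
+ auto=add
+
+conn Alpha-Conn2
+ leftprotoport=udp
+ leftsubnet=2000::1/64
+ rightprotoport=udp
+ rightsubnet=2000::3/64
+ auto=add
+
+conn Alpha-Conn3
+ leftprotoport=udp
+ leftsubnet=192.168.1.84/32
+ rightprotoport=udp
+ rightsubnet=192.168.1.50/32
+ type=passthrough
+ authby=never
+ auto=add
+
+conn Alpha-Conn4
+ leftprotoport=udp
+ leftsubnet=2000::1/64
+ rightprotoport=udp
+ rightsubnet=2000::3/64
+ type=passthrough
+ authby=never
+ auto=add
+
+conn Alpha-Icmp1
+ leftprotoport=icmp
+ leftsubnet=192.168.1.84/32
+ rightprotoport=icmp
+ rightsubnet=192.168.1.50/32
+ auto=add
+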