summaryrefslogtreecommitdiff
path: root/sbin/ipsecadm
diff options
context:
space:
mode:
authorMarkus Friedl <markus@cvs.openbsd.org>2003-12-02 23:16:30 +0000
committerMarkus Friedl <markus@cvs.openbsd.org>2003-12-02 23:16:30 +0000
commit7827007d3935fef762fc37ed47e44956982e543a (patch)
tree32503217eaf3f477211d64e2f795e83f59c1a618 /sbin/ipsecadm
parentefce987ff534832e2def76f49222eb98d59aefaa (diff)
UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@
Diffstat (limited to 'sbin/ipsecadm')
-rw-r--r--sbin/ipsecadm/ipsecadm.87
-rw-r--r--sbin/ipsecadm/ipsecadm.c30
-rw-r--r--sbin/ipsecadm/pfkdump.c12
3 files changed, 45 insertions, 4 deletions
diff --git a/sbin/ipsecadm/ipsecadm.8 b/sbin/ipsecadm/ipsecadm.8
index 75a09c0fe88..948efd103d0 100644
--- a/sbin/ipsecadm/ipsecadm.8
+++ b/sbin/ipsecadm/ipsecadm.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ipsecadm.8,v 1.62 2003/07/24 08:03:19 itojun Exp $
+.\" $OpenBSD: ipsecadm.8,v 1.63 2003/12/02 23:16:29 markus Exp $
.\"
.\" Copyright 1997 Niels Provos <provos@physnet.uni-hamburg.de>
.\" All rights reserved.
@@ -90,6 +90,7 @@ modifiers are:
.Fl authkey ,
.Fl authkeyfile ,
.Fl forcetunnel ,
+.Fl udpencap ,
.Fl key ,
and
.Fl keyfile .
@@ -382,6 +383,10 @@ and
options.
Notice that the IPsec stack will perform IP-inside-IP encapsulation
when deemed necessary, even if this flag has not been set.
+.It Fl udpencap
+Enable ESP-inside-UDP encapsulation.
+The UDP destination port must be specified on the command line.
+This port will be used for sending encapsulated UDP packets.
.It Fl enc
The encryption algorithm to be used with the SA.
Possible values are:
diff --git a/sbin/ipsecadm/ipsecadm.c b/sbin/ipsecadm/ipsecadm.c
index 08e24e36d67..f12c49e0896 100644
--- a/sbin/ipsecadm/ipsecadm.c
+++ b/sbin/ipsecadm/ipsecadm.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsecadm.c,v 1.70 2003/09/23 18:09:20 itojun Exp $ */
+/* $OpenBSD: ipsecadm.c,v 1.71 2003/12/02 23:16:29 markus Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -286,6 +286,7 @@ usage(void)
"\t -src <ip>\t\t\tsource address to be used\n"
"\t -halfiv\t\t\tuse 4-byte IV in old ESP\n"
"\t -forcetunnel\t\t\tforce IP-in-IP encapsulation\n"
+ "\t -udpencap <port>\t\tenable ESP-in-UDP encapsulation\n"
"\t -dst <ip>\t\t\tdestination address to be used\n"
"\t -proto <val>\t\t\tsecurity protocol\n"
"\t -proxy <ip>\t\t\tproxy address to be used\n"
@@ -309,7 +310,7 @@ usage(void)
"\t -dontacq\t\t\trequire, without using key mgmt.\n"
"\t -in\t\t\t\tspecify incoming-packet policy\n"
"\t -out\t\t\t\tspecify outgoing-packet policy\n"
- "\t -[ah|esp|ip4|ipcomp]\t\t\tflush a particular protocol\n"
+ "\t -[ah|esp|ip4|ipcomp]\t\tflush a particular protocol\n"
"\t -srcid\t\t\tsource identity for flows\n"
"\t -dstid\t\t\tdestination identity for flows\n"
"\t -srcid_type\t\t\tsource identity type\n"
@@ -345,6 +346,7 @@ main(int argc, char *argv[])
struct sadb_ident sid1, sid2;
struct sadb_key skey1, skey2;
struct sadb_protocol sprotocol, sprotocol2;
+ struct sadb_x_udpencap udpencap; /* Peer UDP Port */
u_char realkey[8192], realakey[8192];
struct iovec iov[30];
struct addrinfo hints, *res;
@@ -375,6 +377,7 @@ main(int argc, char *argv[])
memset(realakey, 0, sizeof(realakey));
memset(&sid1, 0, sizeof(sid1));
memset(&sid2, 0, sizeof(sid2));
+ memset(&udpencap, 0, sizeof(udpencap));
src = (union sockaddr_union *) srcbuf;
dst = (union sockaddr_union *) dstbuf;
@@ -921,6 +924,24 @@ main(int argc, char *argv[])
sa.sadb_sa_flags |= SADB_X_SAFLAGS_TUNNEL;
continue;
}
+ if (!strcmp(argv[i] + 1, "udpencap") &&
+ udpencap.sadb_x_udpencap_port == 0 && (i + 1 < argc)) {
+ if (!(mode & ESP_NEW)) {
+ fprintf(stderr, "%s: option udpencap can "
+ "be used only with new ESP\n", argv[0]);
+ exit(1);
+ }
+ sa.sadb_sa_flags |= SADB_X_SAFLAGS_UDPENCAP;
+ udpencap.sadb_x_udpencap_exttype = SADB_X_EXT_UDPENCAP;
+ udpencap.sadb_x_udpencap_len = sizeof(udpencap) / 8;
+ udpencap.sadb_x_udpencap_port =
+ strtoul(argv[i + 1], NULL, 10);
+ udpencap.sadb_x_udpencap_port =
+ htons(udpencap.sadb_x_udpencap_port);
+ udpencap.sadb_x_udpencap_reserved = 0;
+ i++;
+ continue;
+ }
if (!strcmp(argv[i] + 1, "halfiv")) {
if (!(mode & ESP_OLD)) {
fprintf(stderr,
@@ -1520,6 +1541,11 @@ argfail:
skey2.sadb_key_bits = 8 * alen;
smsg.sadb_msg_len += skey2.sadb_key_len;
}
+ if (sa.sadb_sa_flags & SADB_X_SAFLAGS_UDPENCAP) {
+ iov[cnt].iov_base = &udpencap;
+ iov[cnt++].iov_len = sizeof(udpencap);
+ smsg.sadb_msg_len += udpencap.sadb_x_udpencap_len;
+ }
} else {
switch (mode & CMD_MASK) {
case GRP_SPI:
diff --git a/sbin/ipsecadm/pfkdump.c b/sbin/ipsecadm/pfkdump.c
index 08853fe3655..3e9532a936a 100644
--- a/sbin/ipsecadm/pfkdump.c
+++ b/sbin/ipsecadm/pfkdump.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfkdump.c,v 1.8 2003/07/29 18:38:36 deraadt Exp $ */
+/* $OpenBSD: pfkdump.c,v 1.9 2003/12/02 23:16:29 markus Exp $ */
/*
* Copyright (c) 2003 Markus Friedl. All rights reserved.
@@ -52,6 +52,7 @@ void print_ident(struct sadb_ext *, struct sadb_msg *);
void print_policy(struct sadb_ext *, struct sadb_msg *);
void print_cred(struct sadb_ext *, struct sadb_msg *);
void print_auth(struct sadb_ext *, struct sadb_msg *);
+void print_udpenc(struct sadb_ext *, struct sadb_msg *);
struct idname *lookup(struct idname [], u_int8_t);
char *lookup_name(struct idname [], u_int8_t);
@@ -104,6 +105,7 @@ struct idname ext_types[] = {
{ SADB_X_EXT_LOCAL_AUTH, "x_local_auth", print_auth },
{ SADB_X_EXT_REMOTE_AUTH, "x_remote_auth", print_auth },
{ SADB_X_EXT_SUPPORTED_COMP, "x_supported_comp", print_supp },
+ { SADB_X_EXT_UDPENCAP, "x_udpencap", print_udpenc },
{ 0, NULL, NULL }
};
@@ -533,6 +535,14 @@ print_auth(struct sadb_ext *ext, struct sadb_msg *msg)
}
void
+print_udpenc(struct sadb_ext *ext, struct sadb_msg *msg)
+{
+ struct sadb_x_udpencap *x_udpencap = (struct sadb_x_udpencap *) ext;
+
+ printf("udpencap port %u\n", ntohs(x_udpencap->sadb_x_udpencap_port));
+}
+
+void
msg_send(int pfkey, u_int8_t satype, u_int8_t mtype)
{
struct sadb_msg msg;