xfrm: allow to enable udp encapsulation without userspace socket
It is currently not possible to enable UDP encapsulation in xfrm without
a userspace process that listens on the UDP listener port specified in
the SA.
People have worked around this by creating dummy userspace daemons, such
as the smallish Perl program at the bottom of this page:
http://techblog.newsnow.co.uk/2011/11/simple-udp-esp-encapsulation-nat-t-for.html
This patch enables two new encapsulation modes:
- espinudp-tx, for the sender side; this requires the source and
  destination ports to be specified, as they are placed in the UDP header.
- espinudp-rx, for the receiver side; this requires only the source port,
  which is used for the in-kernel UDP listener socket.
The following example shows how to enable the standalone UDP
encapsulation:
  ip xfrm state add src 192.168.10.10 dst 192.168.10.11 proto esp spi 1 \
      encap espinudp-tx 9999 9999 0.0.0.0 \
      if_id 0x1 reqid 1 replay-window 1 mode tunnel aead 'rfc4106(gcm(aes))' \
      0x1111111111111111111111111111111111111111 96 \
      sel src 10.141.10.0/24 dst 10.141.11.0/24

  ip xfrm state add src 192.168.10.11 dst 192.168.10.10 proto esp spi 2 \
      encap espinudp-rx 9999 0 0.0.0.0 \
      if_id 0x1 reqid 2 replay-window 10 mode tunnel aead 'rfc4106(gcm(aes))' \
      0x2222222222222222222222222222222222222222 96
7 files changed