WindNet


WTN-79
WindNet IPsec/IKE 1.0
A simple transport example that demonstrates IPsec using either the Manual Key Manager (MKM), or Internet Key Exchange (IKE)
Copyright © 1984-2001 Wind River Systems Inc.
ALL RIGHTS RESERVED.
Abstract
This Technical Note describes how to install, build, and configure the WindNet
IP Security (IPsec)/Internet Key Exchange (IKE) 1.0 components. The purpose
of this Technical Note is to provide a sequential set of instructions to shorten the
time necessary to get these protocols running using a minimum set of hardware
(two reference boards communicating via Ethernet). This procedure was tested
successfully between two PowerPC 604-based targets, and between two
PowerPC 860-based targets.
1.0 INSTALLATION
Install these components in the following order:
1. Tornado II for PowerPC (part no: TDK-12839-ZC-01)
2. Additional Board Support Packages (BSPs)
3. Tornado 2.0.2 Update (available via download from WindSurf)
o Note: This patch includes the Network Protocol Toolkit
4. IPsec/IKE 1.0 (part no: TDK-13696)
Alternatively, the following components may be installed:
1. Tornado 2.0.2 for PowerPC (part no: TDK-12839-ZC-02)
2. Additional Board Support Packages (BSPs)
3. IPsec/IKE 1.0 (part no: TDK-13696)
o If the reference boards use different processor families, a separate installation tree may be used for each board.
2.0 BUILDING THE IPSEC/IKE SOURCE CODE COMPONENTS
The source code components must be built by the developer by first adjusting the Makefiles and header files as necessary, followed by building each directory specified in the Release Notes.
2.1 ADJUSTING THE MAKEFILES AND HEADER FILES
1. Add one of the following two lines to: /target/src/wrn/wncrypto/openssl/crypto/md32_common.h
#define B_ENDIAN /* for PowerPC for example */
2. Add the following flag to the ADDED_CFLAGS line in:
/target/src/wrn/nvram/Makefile, and
/target/src/wrn/rwutils/Makefile
-D__BIG_ENUMS__
3. Add the following lines in: /target/src/wrn/spd/spd_sa_proposals.c
#define WN_NO_TUNNEL
#define WN_P2_LIFE_TIME_IN_SECS 60*60
#define WN_NO_P2_LIFE_KB
3.0 USING THE BUILD SCRIPTS ON SOLARIS OR WINDOWS
The WindNet IPsec/IKE source code components may be built manually as described in the WindNet IPsec/IKE 1.0 Release Notes. Alternatively, the build procedure may be automated using the set of unsupported build scripts provided by Wind River customer support. Copy these scripts to the host.
3.1 WINDOWS HOSTS
Two scripts (libIpsecIkeClean.bat, and libIpsecIkeBuild.bat) are offered to clean and then build the IPsec/IKE software components. They may be used as follows:
1. Edit each script to specify the WIND_BASE directory (e.g. C:\Tornado).
set WIND_BASE=C:\Tornado
2. Open a DOS shell, and use the libIPsecIkeClean script to clean all the objects:
libIPsecIkeClean <CPU-TYPE>
o For example: libIPsecIkeClean PPC860
3. Use the libIPsecIkeBuild script to build the IPsec/IKE source code components:
libIPsecIkeBuild <CPU-TYPE>
o For example: libIPsecIkeBuild PPC860
o Expect to see warnings…
3.2 SOLARIS HOSTS
Three scripts (t2env, libIpsecIkeClean, and libIpsecIkeBuild) are offered to clean and then build the IPsec/IKE software components. They may be used as follows:
1. Edit the t2env script to specify the WIND_HOST_TYPE, the WIND_BASE directory, WIND_REGISTRY, the LD_LIBRARY_PATH, and the PATH. An example is shown below:
setenv WIND_HOST_TYPE sun4-solaris2
setenv WIND_BASE /usr/local/tornado
setenv WIND_REGISTRY hostname
setenv LD_LIBRARY_PATH ${LD_LIBRARY_PATH}:${WIND_BASE}/host/${WIND_HOST_TYPE}/lib
setenv PATH ${WIND_BASE}/host/${WIND_HOST_TYPE}/bin
2. Edit the libIPsecIkeClean and libIPsecIkeBuild scripts to reflect the correct location of the t2env script.
3. Open a Unix shell, and use the libIPsecIkeClean script to clean all the objects:
libIPsecIkeClean <CPU-TYPE>
o For example: libIPsecIkeClean PPC860
4. Use the libIPsecIkeBuild script to build the IPsec/IKE source code components:
libIPsecIkeBuild <CPU-TYPE>
o For example: libIPsecIkeBuild PPC860
4.0 USING THE TORNADO II PROJECT FACILITY
IPsec components may be included into the vxWorks images using either the Tornado II Project Facility or the command-line build method. This section describes how to include IPsec/IKE components using the Project Facility.
1) Create two new bootable projects – based on the two BSPs.
2) For each bootable project, include the IPsec/IKE components as shown in Figure 1:
Figure 1: Including WindNet IPsec/IKE Components
3) Turn off Automatic Initialization of the IPsec/IKE by setting all five of the following parameters from a “1” to a “0” as shown below. Be sure to click on “Apply” after all these parameters are set to zero:
Figure 2: Turning Off IPsec/IKE Automatic Initialization
4) The IPsec/IKE configuration file (shown in Appendix A) may be used to configure IPsec/IKE for each reference board. The configuration file (ipsecDemo.c) may be added to the bootable project, and then modified as needed by simply editing the source file (modifying the IP addresses as necessary). The sample configuration file will transport packets between targets using either MKM or IKE. It also allows the bypassing of Wind Debug (WDB) packets by default, so the host can connect to the targets via a target server and use any of the Tornado II development tools. This configuration is illustrated below:
Figure 4: Simple Network Configuration
5) Add the ipsecDemo.c file to each bootable project.
6) Adjust ipsecDemo.c as necessary to match the IP addresses if they differ from those in Figure 4.
7) Add vxBlaster.c, and vxBlastee.c to each project. These files are available for download from
Windsurf, and they will be used to test the throughput across the encrypted link later.
8) Re-build each bootable project.
9) Create a target server for each target.
10) Configure the bootline of each target to retrieve each bootable vxWorks image from the host
via the File Transfer Protocol (FTP).
11) Enable the FTP server on the host, and boot each target.
12) Launch each target server.
Proceed to section 6, which describes how to initialize the IPsec/IKE components.
5.0 USING THE COMMAND-LINE BUILD METHOD
The command-line build method may be used as an alternative to the project facility. Instead of creating two bootable projects using the project facility, the config.h header file within each BSP may be modified to include the necessary IPsec/IKE components.
1. Compile the ipsecDemo.c file, and store the object in each BSP directory
make ipsecDemo.o
2. Add the ipsecDemo.o to the MACH_EXTRA line in each BSP Makefile:
MACH_EXTRA = ipsecDemo.o
3. The following text should be added to the config.h file within each BSP:
/************ IPsec Components ***************/
#define INCLUDE_RWLIB
#define INCLUDE_IP_SECURITY_PROTOCOL
#define IPSEC_AUTO_START 0
#define INCLUDE_SECURITY_ASSOCIATION_DATABASE
#define SADB_AUTO_START 0
#define INCLUDE_SECURITY_POLICY_DATABASE
#define SPD_AUTO_START 0
#define INCLUDE_SOFTWARE_CRYPTO
#define INCLUDE_INTERNET_KEY_EXCHANGE
#define IKE_AUTO_START 0
#define INCLUDE_MKM
#define MKM_AUTO_START 0
/****************************************************/
/***** Include The Ping Client ******/
#define INCLUDE_PING
/*************************************/
/* Include Network Show Routines: ****/
#define INCLUDE_NET_SHOW
/*************************************/
/*************************************/
/*#define INCLUDE_WDB_TSFS*/
#define INCLUDE_LOADER
/*************************************/
/****** Include the target shell ******/
#define INCLUDE_SHELL
#define INCLUDE_SHELL_BANNER
#undef SHELL_STACK_SIZE
#define SHELL_STACK_SIZE (20000)
/*************************************/
/** Include a network symbol table ***/
#define INCLUDE_CPLUS_DEMANGLER
#define INCLUDE_STARTUP_SCRIPT
#define INCLUDE_STAT_SYM_TBL
#define INCLUDE_SYM_TBL
#define INCLUDE_NET_SYM_TBL
/*************************************/
4. Build a vxWorks image for each target:
(On a Windows host, first run $WIND_BASE\host\x86-win32\bin> torVars.bat)
(On a Unix host, first run $WIND_BASE/host/sun4_solaris/bin> source ./torvars.csh )
From the command line, type the following in each directory:
make CPU=<CPUTYPE> TOOL=gnu vxWorks
(substitute the appropriate processor type, and tool-chain)
Proceed to the next section, which describes how to initialize the IPsec/IKE components.
6.0 INITIALIZING IPSEC/IKE
Before initializing IPsec/IKE, communications between targets should be tested using the ping client. This will identify any unforeseen problems. For example, some reference boards are produced with a programmable MAC address. In some cases, two identical reference boards may use the same MAC address, and not be able to communicate as a result. In this case it is necessary to adjust the MAC address from the boot prompt using the “n” command prior to loading the vxWorks image onto the target.
Once the targets have booted, the IPsec/IKE components may be initialized as follows:
6.1 INITIALIZING IPSEC with MKM:
1. Inside the WindShell communicating with board # 1, type the following:
-> ipsecDemoInit(1,1)
o In this case, the first “1” is the board number, and the second “1” specifies the use of Authentication Header (AH) in transport mode with Message Digest 5 (MD5) via MKM. A “2” as the second parameter would specify AH in transport mode with the Secure Hash Algorithm (SHA) via MKM.
2. Inside the WindShell communicating with board #2, type the following:
-> ipsecDemoInit(2,1)
o In this case, the “2” is the board number, and the “1” specifies the use of AH in transport mode with MD5 via MKM.
3. Verify that the IPsec/IKE components are initialized using the following show commands:
-> sadbShow
-> ipsecShow
4. Wind River supplies sample client/server code located on WindSurf known as
Blaster/Blastee. This code may be used to verify the successful transport of a Transmission Control Protocol (TCP) connection across the test link. The following steps describe this test procedure:
1. Start the server from the WindShell associated with Board #2:
-> sp (blastee, 7000, 1000, 16000)
2. Start the client from the WindShell associated with Board #1:
-> sp (blaster, "192.168.0.22", 7000, 1000, 16000)
3. Watch for the throughput results from the target shell associated with Board #2.
o Note: The WDB traffic will decrease the throughput results recorded by Blaster/Blastee. For more accurate results, the target servers should be shut down, and the tasks should be spawned through target shells (via the serial lines) versus WindShells.
Appendix B contains the expected output seen within the WindShell for this example.
6.2 INITIALIZING IPSEC with IKE:
1. Inside the WindShell communicating with board # 1, type the following:
-> ipsecDemoInit(1,3)
o The “1” is the board number, and the “3” specifies the use of IKE per the Security Policy Database (SPD) configuration. By default out of the box, IKE will negotiate to use Encapsulating Security Payload (ESP) in transport mode with the SHA and triple Data Encryption Standard (3DES).
2. Inside the WindShell communicating with board #2, type the following:
-> ipsecDemoInit(2,3)
o The “2” is the board number, and the “3” specifies the use of IKE per the SPD configuration.
3. Verify that the IPsec/IKE components are initialized using the following show commands:
-> sadbShow
-> ipsecShow
4. Wind River supplies sample client/server code located on WindSurf known as
Blaster/Blastee. This code may be used to verify the successful transport of a TCP
connection across the test link. The following steps describe this test procedure:
1. Start the server from the WindShell associated with Board #2:
-> sp (blastee, 7000, 1000, 16000)
2. Start the client from the WindShell associated with Board #1:
-> sp (blaster, "192.168.0.22", 7000, 1000, 16000)
3. Watch for the throughput results from the target shell associated with Board #2.
4. Note: The WDB traffic will decrease the throughput results recorded by Blaster/Blastee. For more accurate results, the target servers should be shut down, and the tasks should be spawned through target shells (via the serial lines) versus WindShells.
Appendix C contains the expected output seen within the WindShell for this example.
APPENDIX A
(IPsec Configuration File)
/* ipsecDemo.c - IPSec demo */
/* Copyright 2001 Wind River Systems, Inc. */
/*
modification history
--------------------
01c,10apr01,jhl fixed AH SHA mode, key was too short
01b,06apr01,jhl renamed to ipsecDemo.c, added MODE_MKM_AH_SHA
01a,12feb01,jhl created
*/
/* See README_DEMO.txt in this directory for usage info */
/*************************************************************************
* INCLUDE FILES
**************************************************************************/
#include "vxWorks.h"
#include "taskLib.h"
#include "stdio.h" /* printf() */
/**********************************************************************
* DEFINES
***********************************************************************/
#define BOARD_ONE 1
#define BOARD_TWO 2
#define MODE_MKM_AH_MD5 1
#define MODE_MKM_AH_SHA 2
#define MODE_IKE 3
/************************************************************************
* GLOBAL DATA
*************************************************************************/
/****************************************
* MKM Configuration for Board One
****************************************/
/****************************************
* AH in transport mode with MD5
****************************************/
char mkmCfg_AH_MD5_BoardOne[4000] = {
"[[Manual Key Manager = Section Start ]]\n"
"MKM = enabled\n"
/* note reversal of addresses from other board */
"MKM Source IP Address and Mask = 00,192.168.0.21,255.255.255.255\n"
"MKM Destination IP Address and Mask = 00,192.168.0.22,255.255.255.255\n"
"MKM Transform Set = 00,AH\n"
"MKM AH Transform = 00,AH_HMAC_MD5\n"
/* note reversal of SPIs from other board */
/* HMAC MD5 keys are 128 bits (16 bytes) */
"MKM Inbound AH Transform Key Data = 00, 768, 123456789ABCDEF0FEDCBA9876543210\n"
"MKM Outbound AH Transform Key Data = 00, 770, 123456789ABCDEF0FEDCBA9876543210\n"
"MKM IPsec Mode = 00,Transport\n"
"MKM Anti Replay Enabled = 00,enabled\n"
};
/****************************************
* AH in transport mode with SHA
****************************************/
char mkmCfg_AH_SHA_BoardOne[4000] = {
"[[Manual Key Manager = Section Start ]]\n"
"MKM = enabled\n"
/* note reversal of addresses from other board */
"MKM Source IP Address and Mask = 00,192.168.0.21,255.255.255.255\n"
"MKM Destination IP Address and Mask = 00,192.168.0.22,255.255.255.255\n"
"MKM Transform Set = 00,AH\n"
"MKM AH Transform = 00,AH_HMAC_SHA\n"
/* note reversal of SPIs from other board */
/* HMAC SHA keys are 160 bits (20 bytes) */
"MKM Inbound AH Transform Key Data = 00, 768, 123456789ABCDEF0FEDCBA987654321012345678\n"
"MKM Outbound AH Transform Key Data = 00, 770, 123456789ABCDEF0FEDCBA987654321012345678\n"
"MKM IPsec Mode = 00,Transport\n"
"MKM Anti Replay Enabled = 00,enabled\n"
};
/****************************************
* MKM Configuration for Board Two
****************************************/
/****************************************
* AH in transport mode with MD5
****************************************/
char mkmCfg_AH_MD5_BoardTwo[4000] = {
"[[Manual Key Manager = Section Start ]]\n"
"MKM = enabled\n"
/* note reversal of addresses from other board */
"MKM Source IP Address and Mask = 00,192.168.0.22,255.255.255.255\n"
"MKM Destination IP Address and Mask = 00,192.168.0.21,255.255.255.255\n"
"MKM Transform Set = 00,AH\n"
"MKM AH Transform = 00,AH_HMAC_MD5\n"
/* note reversal of SPIs from other board */
/* HMAC MD5 keys are 128 bits (16 bytes) */
"MKM Inbound AH Transform Key Data = 00, 770, 123456789ABCDEF0FEDCBA9876543210\n"
"MKM Outbound AH Transform Key Data = 00, 768, 123456789ABCDEF0FEDCBA9876543210\n"
"MKM IPsec Mode = 00,Transport\n"
"MKM Anti Replay Enabled = 00,enabled\n"
};
/****************************************
* AH in transport mode with SHA
****************************************/
char mkmCfg_AH_SHA_BoardTwo[4000] = {
"[[Manual Key Manager = Section Start ]]\n"
"MKM = enabled\n"
/* note reversal of addresses from other board */
"MKM Source IP Address and Mask = 00,192.168.0.22,255.255.255.255\n"
"MKM Destination IP Address and Mask = 00,192.168.0.21,255.255.255.255\n"
"MKM Transform Set = 00,AH\n"
"MKM AH Transform = 00,AH_HMAC_SHA\n"
/* note reversal of SPIs from other board */
/* HMAC SHA keys are 160 bits (20 bytes) */
"MKM Inbound AH Transform Key Data = 00, 770, 123456789ABCDEF0FEDCBA987654321012345678\n"
"MKM Outbound AH Transform Key Data = 00, 768, 123456789ABCDEF0FEDCBA987654321012345678\n"
"MKM IPsec Mode = 00,Transport\n"
"MKM Anti Replay Enabled = 00,enabled\n"
};
/****************************************
* IKE Configuration for Board One
****************************************/
char ikeCfgBoardOne[4000] = {
"[[IKE Application = Section Start]]\n"
"IKE = enabled\n"
"IKE Printf = enabled\n"
"IKE Error Printf = enabled\n"
"IKE Warning Printf = enabled\n"
"IKE Initialization Printf = enabled\n"
"IKE Debug Printf = enabled\n"
"IKE Key Printf = enabled\n"
"IKE Notification Printf = enabled\n"
"IKE Phase I Printf = enabled\n"
"IKE Phase II Printf = enabled\n"
"IKE Phase II ID Printf = enabled\n"
"IKE Delete Printf = enabled\n"
/* note change of IP address between boards */
"IKE Client IP Address = 192.168.0.21\n"
"IKE Number of Retransmissions = 3\n"
"IKE Timeout in milliseconds = 10000\n"
};
/****************************************
* IKE Configuration for Board Two
****************************************/
char ikeCfgBoardTwo[4000] = {
"[[IKE Application = Section Start]]\n"
"IKE = enabled\n"
"IKE Printf = enabled\n"
"IKE Error Printf = enabled\n"
"IKE Warning Printf = enabled\n"
"IKE Initialization Printf = enabled\n"
"IKE Debug Printf = enabled\n"
"IKE Key Printf = enabled\n"
"IKE Notification Printf = enabled\n"
"IKE Phase I Printf = enabled\n"
"IKE Phase II Printf = enabled\n"
"IKE Phase II ID Printf = enabled\n"
"IKE Delete Printf = enabled\n"
/* note change of IP address between boards */
"IKE Client IP Address = 192.168.0.22\n"
"IKE Number of Retransmissions = 3\n"
"IKE Timeout in milliseconds = 10000\n"
};
/****************************************
* SPD Configuration for Board One
****************************************/
char spdCfgBoardOne[4000] = {
"[[Security Policy Database = Section Start]]\n"
"SPD Printf = enabled\n"
"SPD Error Printf = enabled\n"
"SPD Warning Printf = enabled\n"
"SPD Initialization Printf = enabled\n"
"SPD Debug Printf = enabled\n"
"SPD Override Packet Address Selectors in Phase II IDs = enabled\n"
"SPD Override Packet Protocol Selector in Phase II IDs = enabled\n"
"SPD Override Packet Port Selectors in Phase II IDs = enabled\n"
"SPD Pre-Shared Key = 192.168.0.22,itsasecret\n"
/* covers limited broadcasts */
"SPD Policy = 0.0.0.0-255.255.255.255,255.255.255.255:255.255.255.255,ANY,ANY,ANY,bypass\n"
/* covers class D address (i.e. all multicast addresses) */
"SPD Policy = 0.0.0.0-255.255.255.255,224.0.0.0-239.255.255.255,ANY,ANY,ANY,bypass\n"
/* covers class E address (i.e. all reserved addresses) */
"SPD Policy = 0.0.0.0-255.255.255.255,240.0.0.0-247.255.255.255,ANY,ANY,ANY,discard\n"
/* WDB network connection. DO NOT REMOVE!!!!!!!*/
"SPD Policy = 0.0.0.0-255.255.255.255,0.0.0.0-255.255.255.255,17,17185,ANY,bypass\n"
"SPD Policy = 0.0.0.0-255.255.255.255,0.0.0.0-255.255.255.255,17,ANY,17185,bypass\n"
/* policies for demo */
/* transport mode for everything to other board, except for what is bypassed */
/* note reversal of addresses from other board */
"SPD Policy = 192.168.0.21,192.168.0.22,ANY,ANY,ANY,apply,transport\r\n"
/* bypass ICMP between both boards */
/* "SPD Policy = 192.168.0.21,192.168.0.22,1,ANY,ANY,bypass\n"
* "SPD Policy = 192.168.0.22,192.168.0.21,1,ANY,ANY,bypass\n"
*/
/* bypass TCP on port 8000 for blaster/blastee */
"SPD Policy = 192.168.0.21,192.168.0.22,6,ANY,8000,bypass\n"
"SPD Policy = 192.168.0.22,192.168.0.21,6,8000,ANY,bypass\n"
/* apply transport TCP on port 7000 for blaster/blastee */
/* note reversal of addresses from other board */
/* "SPD Policy = 192.168.0.21,192.168.0.22,6,ANY,7000,apply,transport\n" */
};
/****************************************
* SPD Configuration for Board Two
****************************************/
char spdCfgBoardTwo[4000] = {
"[[Security Policy Database = Section Start]]\n"
"SPD Printf = enabled\n"
"SPD Error Printf = enabled\n"
"SPD Warning Printf = enabled\n"
"SPD Initialization Printf = enabled\n"
"SPD Debug Printf = enabled\n"
"SPD Override Packet Address Selectors in Phase II IDs = enabled\n"
"SPD Override Packet Protocol Selector in Phase II IDs = enabled\n"
"SPD Override Packet Port Selectors in Phase II IDs = enabled\n"
"SPD Pre-Shared Key = 192.168.0.21,itsasecret\n"
/* covers limited broadcasts */
"SPD Policy = 0.0.0.0-255.255.255.255,255.255.255.255:255.255.255.255,ANY,ANY,ANY,bypass\n"
/* covers class D address (i.e. all multicast addresses) */
"SPD Policy = 0.0.0.0-255.255.255.255,224.0.0.0-239.255.255.255,ANY,ANY,ANY,bypass\n"
/* covers class E address (i.e. all reserved addresses) */
"SPD Policy = 0.0.0.0-255.255.255.255,240.0.0.0-247.255.255.255,ANY,ANY,ANY,discard\n"
/* WDB network connection. DO NOT REMOVE!!!!!!!*/
"SPD Policy = 0.0.0.0-255.255.255.255,0.0.0.0-255.255.255.255,17,17185,ANY,bypass\n"
"SPD Policy = 0.0.0.0-255.255.255.255,0.0.0.0-255.255.255.255,17,ANY,17185,bypass\n"
/* policies for demo */
/* transport mode for everything to other board, except for what is bypassed */
/* note reversal of addresses from other board */
"SPD Policy = 192.168.0.22,192.168.0.21,ANY,ANY,ANY,apply,transport\r\n"
/* bypass ICMP between both boards */
/* "SPD Policy = 192.168.0.21,192.168.0.22,1,ANY,ANY,bypass\n"
* "SPD Policy = 192.168.0.22,192.168.0.21,1,ANY,ANY,bypass\n"
*/
/* bypass TCP on port 8000 for blaster/blastee */
"SPD Policy = 192.168.0.21,192.168.0.22,6,ANY,8000,bypass\n"
"SPD Policy = 192.168.0.22,192.168.0.21,6,8000,ANY,bypass\n"
/* apply transport TCP on port 7000 for blaster/blastee */
/* note reversal of addresses from other board */
/* "SPD Policy = 192.168.0.22,192.168.0.21,6,7000,ANY,apply,transport\n" */
};
/************************************************************************* **
* EXTERNAL PROTOTYPES
************************************************************************** */
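IMPORT STATUS sadbInit(char* sadbCfg);
IMPORT STATUS spdInit(char* spdCfg);
IMPORT STATUS ipsecInit(char* ipsecCfg);
IMPORT STATUS mkmInit(char* mkmInit);
IMPORT STATUS ikeInit(char* ikeCfg); /* called below; prototype assumed to match the other init routines */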
/************************************************************************* **
* INTERNAL PROTOTYPES
************************************************************************** */
STATUS ipsecDemoInit(int boardNum, int mode);
/************************************************************************* **
* FUNCTIONS
************************************************************************** */
/************************************************************************* **
* ipsecDemoInit()
************************************************************************** */
STATUS ipsecDemoInit(int boardNum, int mode)
{
STATUS status;
char* pConfig;
/****************************************
* validate parameters
****************************************/
if ( ( (boardNum != BOARD_ONE)
&& (boardNum != BOARD_TWO)
)
|| ( (mode != MODE_MKM_AH_MD5)
&& (mode != MODE_MKM_AH_SHA)
&& (mode != MODE_IKE)
)
){
printf("ERROR: USAGE: ipsecDemoInit(boardNum, mode)\n");
/* each format string now receives exactly the arguments it consumes */
printf(" where boardNum is %d or %d\n", BOARD_ONE, BOARD_TWO);
printf(" and mode is %d (AH MD5), %d (AH SHA) or %d (IKE)\n",
MODE_MKM_AH_MD5,
MODE_MKM_AH_SHA,
MODE_IKE);
return ERROR;
}
/****************************************
* initialize SADB
****************************************/
status = sadbInit(NULL); /* default SADB initialization */
taskDelay(100); /* give SADB task some time to run */
if ( status != OK ){
printf("ERROR: sadbInit() failed\n");
return ERROR;
}
/****************************************
* initialize SPD
****************************************/
pConfig = (boardNum == BOARD_ONE) ? spdCfgBoardOne : spdCfgBoardTwo;
status = spdInit(pConfig);
if ( status != OK ){
printf("ERROR: spdInit() failed\n");
return ERROR;
}
/****************************************
* initialize IPSec
****************************************/
status = ipsecInit(NULL); /* default IPSec initialization */
if ( status != OK ){
printf("ERROR: ipsecInit() failed\n");
return ERROR;
}
if ( mode == MODE_MKM_AH_MD5
|| mode == MODE_MKM_AH_SHA
){
/****************************************
* initialize MKM
****************************************/
switch ( mode ){
case MODE_MKM_AH_MD5:
pConfig = (boardNum == BOARD_ONE) ? mkmCfg_AH_MD5_BoardOne : mkmCfg_AH_MD5_BoardTwo;
break;
case MODE_MKM_AH_SHA:
pConfig = (boardNum == BOARD_ONE) ? mkmCfg_AH_SHA_BoardOne : mkmCfg_AH_SHA_BoardTwo;
break;
}
status = mkmInit(pConfig);
if ( status != OK ){
printf("ERROR: mkmInit() failed\n");
return ERROR;
}
}
if ( mode == MODE_IKE ){
/****************************************
* initialize IKE
****************************************/
pConfig = (boardNum == BOARD_ONE) ? ikeCfgBoardOne : ikeCfgBoardTwo;
status = ikeInit(pConfig);
taskDelay(100); /* give IKE task some time to run */
if ( status != OK ){
printf("ERROR: ikeInit() failed\n");
return ERROR;
}
}
/****************************************
* initialization complete
****************************************/
return OK;
}
/*************************************************************************
* END OF FILE
**************************************************************************/
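The comments in Appendix A require the two boards' MKM sections to reverse addresses and SPIs and to carry keys of the length the transform expects (16 bytes for HMAC MD5, 20 bytes for HMAC SHA; the modification history records a SHA key that was too short). The host-side checker below is an added example, not part of the Technical Note or of Wind River's code, that verifies those properties for a pair of sections. The names MkmSa, mkmField, mkmParse, mkmKeyHexLen, mkmCheckPair, MKM_CFG and K16 are hypothetical, and the sample sections are constructed and abridged to the fields the check reads.

```c
/* Added example (not Wind River code): host-side check that two MKM sections in
 * the ipsecDemo.c format describe mirrored AH SAs. All names are hypothetical. */
#include <stdio.h>
#include <string.h>

enum { MKM_OK, MKM_PARSE, MKM_XFORM, MKM_KEYLEN, MKM_ADDR, MKM_SPI, MKM_KEY };

typedef struct {
    char src[16], dst[16], xform[16], inKey[128], outKey[128];
    long inSpi, outSpi;
} MkmSa;

/* Copy the value after "<label> ... = " up to end of line; return 0 if absent. */
static int mkmField(const char *cfg, const char *label, char *out, size_t n)
{
    const char *p = strstr(cfg, label);
    if (p == NULL || (p = strchr(p, '=')) == NULL) return 0;
    p += 1 + strspn(p + 1, " ");
    size_t len = strcspn(p, "\n");
    if (len >= n) return 0;
    memcpy(out, p, len);
    out[len] = '\0';
    return 1;
}

/* Pull addresses, transform, SPIs and hex keys out of one MKM section. */
static int mkmParse(const char *cfg, MkmSa *sa)
{
    char v[192];
    return mkmField(cfg, "MKM Source IP Address", v, sizeof v)
        && sscanf(v, "%*d,%15[0-9.]", sa->src) == 1
        && mkmField(cfg, "MKM Destination IP Address", v, sizeof v)
        && sscanf(v, "%*d,%15[0-9.]", sa->dst) == 1
        && mkmField(cfg, "MKM AH Transform", v, sizeof v)
        && sscanf(v, "%*d,%15s", sa->xform) == 1
        && mkmField(cfg, "MKM Inbound AH Transform Key Data", v, sizeof v)
        && sscanf(v, "%*d, %ld, %127[0-9A-Fa-f]", &sa->inSpi, sa->inKey) == 2
        && mkmField(cfg, "MKM Outbound AH Transform Key Data", v, sizeof v)
        && sscanf(v, "%*d, %ld, %127[0-9A-Fa-f]", &sa->outSpi, sa->outKey) == 2;
}

/* Hex digits required per key: HMAC MD5 is 16 bytes, HMAC SHA is 20 bytes. */
static size_t mkmKeyHexLen(const char *xform)
{
    if (strcmp(xform, "AH_HMAC_MD5") == 0) return 32;
    if (strcmp(xform, "AH_HMAC_SHA") == 0) return 40;
    return 0;
}

/* Return MKM_OK only when cfgB is the mirror image of cfgA. */
int mkmCheckPair(const char *cfgA, const char *cfgB)
{
    MkmSa a, b;
    if (!mkmParse(cfgA, &a) || !mkmParse(cfgB, &b)) return MKM_PARSE;
    size_t want = mkmKeyHexLen(a.xform);
    if (want == 0 || strcmp(a.xform, b.xform) != 0) return MKM_XFORM;
    if (strlen(a.inKey) != want || strlen(a.outKey) != want ||
        strlen(b.inKey) != want || strlen(b.outKey) != want) return MKM_KEYLEN;
    if (strcmp(a.src, b.dst) != 0 || strcmp(a.dst, b.src) != 0) return MKM_ADDR;
    if (a.inSpi != b.outSpi || a.outSpi != b.inSpi) return MKM_SPI;
    if (strcmp(a.inKey, b.outKey) != 0 || strcmp(a.outKey, b.inKey) != 0)
        return MKM_KEY;
    return MKM_OK;
}

/* Constructed sample sections; addresses, SPIs and key follow Appendix A. */
#define K16 "123456789ABCDEF0FEDCBA9876543210"
#define MKM_CFG(src, dst, xf, inSpi, outSpi, key) \
    "MKM Source IP Address and Mask = 00," src ",255.255.255.255\n" \
    "MKM Destination IP Address and Mask = 00," dst ",255.255.255.255\n" \
    "MKM AH Transform = 00," xf "\n" \
    "MKM Inbound AH Transform Key Data = 00, " inSpi ", " key "\n" \
    "MKM Outbound AH Transform Key Data = 00, " outSpi ", " key "\n"

int main(void)
{
    const char *one = MKM_CFG("192.168.0.21", "192.168.0.22", "AH_HMAC_MD5", "768", "770", K16);
    const char *two = MKM_CFG("192.168.0.22", "192.168.0.21", "AH_HMAC_MD5", "770", "768", K16);
    printf("pair check: %d\n", mkmCheckPair(one, two));
    return 0;
}
```

A non-zero result names the first mismatch found, in the order transform, key length, addresses, SPIs, key value.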
