vici: Make UDP encapsulation for per-CPU SAs configurable

src/libcharon/plugins/vici/vici_config.c

@@ -583,7 +583,9 @@ static void log_child_data(child_data_t *data, char *name)
 	DBG2(DBG_CFG, "   proposals = %#P", data->proposals);
 	DBG2(DBG_CFG, "   local_ts = %#R", data->local_ts);
 	DBG2(DBG_CFG, "   remote_ts = %#R", data->remote_ts);
-	DBG2(DBG_CFG, "   per_cpu_sas = %u", has_opt(cfg, OPT_PER_CPU_SAS));
+	DBG2(DBG_CFG, "   per_cpu_sas = %s",
+		 has_opt(cfg, OPT_PER_CPU_SAS_ENCAP) ? "encap" :
+		 has_opt(cfg, OPT_PER_CPU_SAS) ? "1" : "0");
 	DBG2(DBG_CFG, "   hw_offload = %N", hw_offload_names, cfg->hw_offload);
 	DBG2(DBG_CFG, "   sha256_96 = %u", has_opt(cfg, OPT_SHA256_96));
 	DBG2(DBG_CFG, "   copy_df = %u", !has_opt(cfg, OPT_NO_COPY_DF));
@@ -1067,6 +1069,16 @@ CALLBACK(parse_opt_copy_ecn, bool,
 CALLBACK(parse_opt_cpus, bool,
 	child_cfg_option_t *out, chunk_t v)
 {
+	enum_map_t map[] = {
+		{ "encap",	OPT_PER_CPU_SAS|OPT_PER_CPU_SAS_ENCAP	},
+	};
+	int d;
+
+	if (parse_map(map, countof(map), &d, v))
+	{
+		*out |= d;
+		return TRUE;
+	}
 	return parse_option(out, OPT_PER_CPU_SAS, v, TRUE);
 }
 

src/swanctl/swanctl.opt

@@ -162,7 +162,7 @@ connections.<conn>.fragmentation = yes
 	Use IKE UDP datagram fragmentation (_yes_, _accept_, _no_ or _force_).
 
 	Use IKE fragmentation (proprietary IKEv1 extension or RFC 7383 IKEv2
-	fragmentation).  Acceptable  values  are _yes_ (the default), _accept_,
+	fragmentation).  Acceptable values are _yes_ (the default), _accept_,
 	_force_ and _no_. If set to _yes_, and the peer supports it, oversized IKE
 	messages will be sent in fragments. If set to _accept_, support for
 	fragmentation is announced to the peer but the daemon does not send its own
@@ -833,7 +833,7 @@ connections.<conn>.children.<child>.rekey_time = 1h or life_time - 10%
 	lifetime.
 
 	If **life_time** is explicitly configured, **rekey_time** defaults to 10%
-	less than that,	otherwise, CHILD_SA rekeying is scheduled every hour, minus
+	less than that, otherwise, CHILD_SA rekeying is scheduled every hour, minus
 	**rand_time**.
 
 connections.<conn>.children.<child>.life_time = rekey_time + 10%
@@ -1128,6 +1128,17 @@ connections.<conn>.children.<child>.replay_window = 32
 connections.<conn>.children.<child>.per_cpu_sas = no
 	Enable per-CPU CHILD_SAs. Requires _trap_ in **start_action**.
 
+	Enable per-CPU CHILD_SAs. Requires _trap_ in **start_action**.
+
+	The value _encap_ enables a special type of UDP encapsulation (requires
+	enabling **encap** for the connection if there is no NAT), where a random
+	source port is used for each outbound per-CPU SA (the destination port for
+	all of them remains 4500). This allows using the port for RSS if the SPI
+	can't be used. Note that this type of behavior is not standardized and not
+	negotiated. So regardless of whether the option is enabled, inbound per-CPU
+	SAs with UDP-encapsulation always have the source port set to 0 as the
+	peer's random port is unknown if it has this option enabled.
+
 connections.<conn>.children.<child>.hw_offload = no
 	Enable hardware offload for this CHILD_SA, if supported by the IPsec
 	implementation.
@@ -1291,7 +1302,7 @@ secrets.ppk<suffix> { # }
 secrets.ppk<suffix>.secret =
 	Value of the PPK.
 
-	Value of the PPK. It may either be an ASCII string,	a hex encoded string if
+	Value of the PPK. It may either be an ASCII string, a hex encoded string if
 	it has a _0x_ prefix or a Base64 encoded string if it has a _0s_ prefix in
 	its value. Should have at least 256 bits of entropy for 128-bit security.