[Swan-dev] [PATCH libreswan] Add support for IPSec HW-offload on the NIC

Ilan Tayari ilant at mellanox.com
Tue Jul 4 05:51:38 UTC 2017


> -----Original Message-----
> From: Antony Antony [mailto:antony at phenome.org]
> Subject: Re: [Swan-dev] [PATCH libreswan] Add support for IPSec HW-offload on the NIC
> 
> Hi Ilan,
> 
> offload patches are in the libreswan master now.
> 
> thanks,
> -antony

Thank you, Antony.
We'll give this a try too.

We'll be in touch regarding the next steps of development of this feature.

Ilan.

> 
> On Sun, Jul 02, 2017 at 06:30:51AM +0000, Ilan Tayari wrote:
> > > -----Original Message-----
> > > From: Antony Antony [mailto:antony at phenome.org]
> > > Subject: Re: [Swan-dev] [PATCH libreswan] Add support for IPSec HW-offload on the NIC
> > >
> > > On Thu, Jun 29, 2017 at 04:51:12PM +0000, Ilan Tayari wrote:
> > > > > Here are a couple of proposed changes, untested, after a closer review.
> > > > >
> > > > > 1. rename option to "nic-offload". Libreswan is moving away from "_"
> > > > > 2. whack --nic-offload
> > > > > 3. nic-offload:yes;  in "ipsec status" connection
> > > > > 4. there is one coding style change I made.
> > > > >
> > > >
> > >
> > > > I just tested this.
> > > >
> > > > 1. I would squash your patch 0001 into my patch, no need to put this naming back-and-forth into git history
> > >
> > > good.
> > >
> > > > 2. ipsec status shows nic-offload:yes
> > >
> > > > 000 "myconn":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:yes;
> > >
> > > looks good. thanks for testing.
> > >
> > > > 3. I'll try to get whack command line switch to work next week.
> > > > Do you have an example of command to add a connection with specific phase2alg using whack?
> > >
> > > try: this line for both ends.
> > >
> > > ipsec whack  --psk --encrypt --name myconn --tunnel --host "192.168.7.1" \
> > > --to --host "192.168.7.11" --esp aes_gcm256-null --nic-offload
> > >
> > > ipsec auto --up myconn
> >
> > This works well. Sets up offload properly.
> > Traffic is crypto-offloaded.
> >
> > >
> > > and to delete
> > >
> > > ipsec auto --delete myconn
> >
> > This too. I added and deleted several times with some variations.
> >
> > >
> > > If it is ikev2 add both of these " --ikev2-allow --ikev2-propose"
> >
> > This also worked well. I also tried transport mode.
> >
> > >
> > > -antony

