[Swan-dev] [PATCH libreswan] Add support for IPSec HW-offload on the NIC
antony at phenome.org
Wed Jun 28 07:39:55 UTC 2017
On Wed, Jun 28, 2017 at 05:31:06AM +0000, Ilan Tayari wrote:
> > -----Original Message-----
> > From: Antony Antony [mailto:antony at phenome.org]
> > Subject: Re: [Swan-dev] [PATCH libreswan] Add support for IPSec HW-offload
> > on the NIC
> > I guess this is could be applied. However, please hold on, lets update
> > xfrm.h first.
> > I plan to update linux26/xfrm.h with history from kernel commits.
> > It should happen before this patch. Otherwise it hard to know how upto
> > date
> > xfrm.h is.
> Yes, I suppose xfrm.h update should come separately and before.
> I don't mind rebasing and re-submitting after you do that.
> Do you have an approximation when this would happen?
I am working on it. I tested an updated xfrm.h on F25 and was going to push
changes this morning then I noticed it break on Fedora 22. F22 is our
testing environment. I have to resolve this first. Possibly breaks on
RHEL/CentOS 6.x too.
In file included from
/usr/include/netinet/in.h:99:5: error: expected identifier before numeric
IPPROTO_HOPOPTS = 0, /* IPv6 Hop-by-Hop options. */
> > Another comment. It would be nice to add whack option?
> I'll take some time to understand whack better and come up with something.
> You're talking about the command line tool, right?
> > How would XFRM_MSG_GETSA work? I am guessing you have a running system.
> > Could you share output of
> > ipsec whack --trafficstatus
> # ipsec whack --trafficstatus
> 006 #24: "myconn", type=ESP, add_time=1498620457, inBytes=13407272, outBytes=288772244, id='192.168.7.11'
This looks good.
> iproute2 does show it, btw:
> # ip x s
> src 192.168.7.11 dst 192.168.7.1
> proto esp spi 0xe1fe6a81 reqid 16389 mode tunnel
> replay-window 32 flag af-unspec
> aead rfc4106(gcm(aes)) 0xcb294e1c525e72b11f4e80bd0fffe854775e0a171660aefe0dd618ad074dc50fecf7d087 128
> anti-replay context: seq 0x3ef28, oseq 0x0, bitmap 0xffffffff
> crypto offload parameters: dev ens8 dir in
something like the above line could be added to ipsec status output.
I could possibly help you with this if you could test it.
More information about the Swan-dev