[Swan-dev] [PATCH libreswan] Add support for IPSec HW-offload on the NIC
Ilan Tayari
ilant at mellanox.com
Thu Jun 29 16:51:12 UTC 2017
> -----Original Message-----
> From: Antony Antony [mailto:antony at phenome.org]
> Subject: Re: [Swan-dev] [PATCH libreswan] Add support for IPSec HW-offload
> on the NIC
>
> Hi Ilan,
> Here are a couple of proposed changes, untested, after a closer review.
>
> 1. rename option to "nic-offload". Libreswan is moving away from "_"
> 2. whack --nic-offload
> 3. nic-offload:yes; in "ipsec staus" connection
> 4. there is one coding style change I made.
>
> On Wed, Jun 28, 2017 at 05:31:06AM +0000, Ilan Tayari wrote:
> > > I guess this is could be applied. However, please hold on, lets update
> > > xfrm.h first.
> > >
> > > I plan to update linux26/xfrm.h with history from kernel commits.
> > > It should happen before this patch. Otherwise it hard to know how upto
> > > date
> > > xfrm.h is.
>
> > Yes, I suppose xfrm.h update should come separately and before.
> > I don't mind rebasing and re-submitting after you do that.
> > Do you have an approximation when this would happen?
>
> I pushed this change yesterday. Rebase should work.
>
> > > Another comment. It would be nice to add whack option?
> >
> > I'll take some time to understand whack better and come up with
> something.
> > You're talking about the command line tool, right?
>
> see the attached proposed patch. It is not tested, I don't have a card.
>
I just tested this.
1. I would squash your patch 0001 into my patch, no need to put this naming back-and-forth into git history
2. ipsec status shows nic-offload:yes
000 "myconn": 192.168.7.1<192.168.7.1>...192.168.7.11<192.168.7.11>; erouted; eroute owner: #2
000 "myconn": oriented; my_ip=unset; their_ip=unset
000 "myconn": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "myconn": our auth:secret, their auth:secret
000 "myconn": modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset, cat:unset;
000 "myconn": labeled_ipsec:no;
000 "myconn": policy_label:unset;
000 "myconn": ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "myconn": retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "myconn": sha2-truncbug:no; initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "myconn": policy: PSK+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "myconn": conn_prio: 32,32; interface: ens8; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "myconn": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:yes;
000 "myconn": our idtype: ID_IPV4_ADDR; our id=192.168.7.1; their idtype: ID_IPV4_ADDR; their id:192.168.7.11
000 "myconn": newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "myconn": IKE algorithm newest: AES_CBC_256-SHA2_256-MODP2048
000 "myconn": ESP algorithms wanted: AES_GCM_C(20)_256-NONE(0)
000 "myconn": ESP algorithms loaded: AES_GCM_C(20)_256-NONE(0)
000 "myconn": ESP algorithm newest: AES_GCM_C_256-NONE; pfsgroup=<Phase1>
3. I'll try to get whack command line switch to work next week.
Do you have an example of command to add a connection with specific phase2alg using whack?
More information about the Swan-dev
mailing list