[Swan-dev] [PATCH libreswan] Add support for IPSec HW-offload on the NIC

Ilan Tayari ilant at mellanox.com
Thu Jun 29 16:51:12 UTC 2017


> -----Original Message-----
> From: Antony Antony [mailto:antony at phenome.org]
> Subject: Re: [Swan-dev] [PATCH libreswan] Add support for IPSec HW-offload
> on the NIC
> 
> Hi Ilan,
> Here are a couple of proposed changes, untested, after a closer review.
> 
> 1. rename option to "nic-offload". Libreswan is moving away from "_"
> 2. whack --nic-offload
> 3. nic-offload:yes;  in "ipsec status" connection
> 4. there is one coding style change I made.
> 
> On Wed, Jun 28, 2017 at 05:31:06AM +0000, Ilan Tayari wrote:
> > > I guess this could be applied. However, please hold on, let's update
> > > xfrm.h first.
> > >
> > > I plan to update linux26/xfrm.h with history from kernel commits.
> > > It should happen before this patch. Otherwise it is hard to know how up to
> > > date xfrm.h is.
> 
> > Yes, I suppose xfrm.h update should come separately and before.
> > I don't mind rebasing and re-submitting after you do that.
> > Do you have an approximation when this would happen?
> 
> I pushed this change yesterday. Rebase should work.
> 
> > > Another comment. It would be nice to add whack option?
> >
> > I'll take some time to understand whack better and come up with
> > something.
> > You're talking about the command line tool, right?
> 
> See the attached proposed patch. It is not tested; I don't have a card.
> 

I just tested this.

1. I would squash your patch 0001 into my patch; there is no need to put this naming back-and-forth into the git history.

2. ipsec status shows nic-offload:yes

000 "myconn": 192.168.7.1<192.168.7.1>...192.168.7.11<192.168.7.11>; erouted; eroute owner: #2
000 "myconn":     oriented; my_ip=unset; their_ip=unset
000 "myconn":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "myconn":   our auth:secret, their auth:secret
000 "myconn":   modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset, cat:unset;
000 "myconn":   labeled_ipsec:no;
000 "myconn":   policy_label:unset;
000 "myconn":   ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "myconn":   retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "myconn":   sha2-truncbug:no; initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "myconn":   policy: PSK+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "myconn":   conn_prio: 32,32; interface: ens8; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "myconn":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:yes;
000 "myconn":   our idtype: ID_IPV4_ADDR; our id=192.168.7.1; their idtype: ID_IPV4_ADDR; their id:192.168.7.11
000 "myconn":   newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "myconn":   IKE algorithm newest: AES_CBC_256-SHA2_256-MODP2048
000 "myconn":   ESP algorithms wanted: AES_GCM_C(20)_256-NONE(0)
000 "myconn":   ESP algorithms loaded: AES_GCM_C(20)_256-NONE(0)
000 "myconn":   ESP algorithm newest: AES_GCM_C_256-NONE; pfsgroup=<Phase1>

3. I'll try to get the whack command-line switch to work next week.
Do you have an example of a command to add a connection with a specific phase2alg using whack?
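The `ipsec status` output above is the place an operator would verify that a connection really ended up with `nic-offload:yes` and with the ESP algorithm they expected. The script below is an added example written for this page (it is not part of the patch, of libreswan, or of either poster's mail): it parses the `000 "name": key:value; ...` line format exactly as shown in the output above and exposes small checks for the offload flag and the loaded ESP algorithm. The status lines embedded in the script are the ones quoted in the mail; the regular expressions and function names are my own assumptions about that format, not a libreswan API.

```python
import re
from collections import defaultdict

# Status lines as shown in the message above, embedded so the script runs offline.
# Only a subset of the lines is needed to exercise the checks below.
STATUS_SAMPLE = """\
000 "myconn": 192.168.7.1<192.168.7.1>...192.168.7.11<192.168.7.11>; erouted; eroute owner: #2
000 "myconn":     oriented; my_ip=unset; their_ip=unset
000 "myconn":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "myconn":   conn_prio: 32,32; interface: ens8; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "myconn":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:yes;
000 "myconn":   our idtype: ID_IPV4_ADDR; our id=192.168.7.1; their idtype: ID_IPV4_ADDR; their id:192.168.7.11
000 "myconn":   ESP algorithms loaded: AES_GCM_C(20)_256-NONE(0)
"""

# Each status line starts with a three-digit code and the quoted connection name.
LINE_RE = re.compile(r'^\d{3} "(?P<conn>[^"]+)":\s*(?P<body>.*)$')
# Fields are "key: value" or "key=value"; both separators appear in the output.
FIELD_RE = re.compile(r'^\s*(?P<key>[^:=]+?)\s*[:=]\s*(?P<val>.*?)\s*$')


def parse_status(text):
    """Return {connection name: {field: value}} from 'ipsec status' text.

    Fields are separated by ';' and, on a few lines, by ', ' (comma-space).
    A bare comma with no space ("conn_prio: 32,32") is kept inside the value.
    Segments without a ':' or '=' (e.g. 'erouted') carry no key and are skipped.
    """
    conns = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        for seg in re.split(r';|,\s+', m.group('body')):
            f = FIELD_RE.match(seg)
            if f:
                conns[m.group('conn')][f.group('key')] = f.group('val')
    return dict(conns)


def is_offloaded(conns, name):
    """True only when the named connection reports nic-offload:yes."""
    return conns.get(name, {}).get('nic-offload') == 'yes'


def loaded_esp(conns, name):
    """The ESP algorithm libreswan reports as loaded for the connection, or None."""
    return conns.get(name, {}).get('ESP algorithms loaded')


if __name__ == "__main__":
    parsed = parse_status(STATUS_SAMPLE)
    for conn_name in parsed:
        print(conn_name, "offloaded:", is_offloaded(parsed, conn_name),
              "ESP:", loaded_esp(parsed, conn_name))
```

In practice the text would come from running `ipsec status` and piping it into `parse_status`; the point of checking the `loaded` line rather than the `wanted` line is that only the former reflects what was actually negotiated and installed.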


