[Swan] How to tell if an IPSec tunnel uses HW offloading
Antony Antony
antony at phenome.org
Tue Jun 6 17:09:35 EEST 2023
try AES GCM?
The output from 'ip xfrm state' indicates that libreswan negotiated an AES
CBC tunnel mode SA. However, does your NIC support AES CBC offloading?
Notably, the more commonly supported offloads are AES GCM 128 and 256 bits.
In theory, CBC SHA1 offloading is possible using Intel QAT, although we have
yet to see a working 'ip xfrm' output for this case.
> Here is the output of ip xfrm state:
>
> sudo ip xfrm state
> src 172.22.18.101 dst 172.22.18.102
> proto esp spi 0xe0781b7a reqid 16397 mode tunnel
> replay-window 32 flag af-unspec
> output-mark 0x1/0xffffffff
> auth-trunc hmac(sha1) 0x4e600d5ce6efed7b9bfa002ed914480e87f4369e 96
> enc cbc(aes)
> 0xa6895360297ca6d9cc0710d52952591275c4b4b5451dea0fee83ba6a31f257bd
> anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
> if_id 0x1
> src 172.22.18.102 dst 172.22.18.101
> proto esp spi 0xfc324c0b reqid 16397 mode tunnel
> replay-window 32 flag af-unspec
> output-mark 0x1/0xffffffff
> auth-trunc hmac(sha1) 0x53ef3194493fc012d0ccb898bdd765017df2b8f3 96
> enc cbc(aes)
> 0x89cbea5c80239e1d58ade4b7f5f58f7da406e062b889418ff7f3035f3c19994a
> anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
> if_id 0x1
When offload works, "ip xfrm state" should show "crypto offload parameters:"
and the offload direction: "dev %s dir %s".
> conn vpnclient.gwn02.xyz.com
> right=172.22.18.101
> rightid="@vpnserver.gwn01.xyz.com"
> rightsubnet=172.16.10.101/24
> rightrsasigkey=%cert
>
> left=172.22.18.102
> leftrsasigkey=%cert
> leftid="%fromcert"
> leftcert=vpnclient.gwn02.xyz.com
> leftsourceip=172.16.20.102
> leftsubnet=0.0.0.0/0
> ipsec-interface=1
>
> dpddelay=5
> dpdtimeout=30
> dpdaction=restart
>
> rekey=yes
> auto=start
> ikelifetime=86400s
> salifetime=3600s
> phase2=esp
> fragmentation=yes
> ike=aes256-sha1
> phase2alg=aes256-sha1
change the above line?
esp=aes_gcm128-null
-antony
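One way to script the check Antony describes, as an added example that is not part of the thread: the awk below summarises each SA in `ip xfrm state` output and reports whether the kernel lists crypto offload parameters for it. The sample input is constructed; the first SA mirrors the thread's AES-CBC/SHA1 state, the second shows an AES-GCM SA with an assumed `crypto offload parameters: dev eth0 dir out` line.

```shell
#!/bin/sh
# Added example: decide per SA whether ESP is offloaded to a NIC, from `ip xfrm state` text.
# Constructed sample: SA 1 is software AES-CBC (as in the thread); SA 2 is an assumed
# offloaded AES-GCM SA. Keys are shortened placeholders.
SAMPLE_XFRM='src 172.22.18.101 dst 172.22.18.102
    proto esp spi 0xe0781b7a reqid 16397 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha1) 0x4e600d5c 96
    enc cbc(aes) 0xa6895360
    anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
    if_id 0x1
src 192.0.2.1 dst 192.0.2.2
    proto esp spi 0x0000abcd reqid 1 mode tunnel
    replay-window 32 flag af-unspec esn
    aead rfc4106(gcm(aes)) 0x00112233 128
    crypto offload parameters: dev eth0 dir out
    if_id 0x2'

# Reads xfrm state text on stdin; prints one line per SA:
#   <src> <dst> <spi> <algorithm> software | offload <dev> <dir>
summarize_xfrm() {
  awk '
    function flush() {
      if (spi != "") {
        status = (dev != "") ? "offload " dev " " dir : "software"
        print src, dst, spi, alg, status
      }
      src = dst = spi = alg = dev = dir = ""
    }
    $1 == "src" { flush(); src = $2; dst = $4 }            # a new SA starts here
    $1 == "proto" { for (i = 1; i < NF; i++) if ($i == "spi") spi = $(i + 1) }
    $1 == "enc" || $1 == "aead" { alg = $2 }              # cbc(aes) vs rfc4106(gcm(aes))
    $1 == "crypto" && $2 == "offload" {                   # only present when offload is active
      for (i = 1; i < NF; i++) { if ($i == "dev") dev = $(i + 1); if ($i == "dir") dir = $(i + 1) }
    }
    END { flush() }
  '
}

# Number of SAs the kernel reports as hardware-offloaded (0 means everything is in software).
count_offloaded() {
  summarize_xfrm | grep -c ' offload ' || true
}

printf '%s\n' "$SAMPLE_XFRM" | summarize_xfrm
printf 'offloaded SAs: %s\n' "$(printf '%s\n' "$SAMPLE_XFRM" | count_offloaded)"
```

On a live host, replace the sample with `sudo ip xfrm state | summarize_xfrm`; an SA without the `crypto offload parameters:` line is being processed in software regardless of what the NIC advertises.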