[Openswan Users] Fwd: How openswan work with ocf and ixp4xx hardware acceleration?
David McCullough
David_Mccullough at securecomputing.com
Wed Jan 27 05:43:41 EST 2010
Jivin mix.kao lays it down ...
> Hi Paul,
>
> I have set the HAVE_OCF?=true in openswan Makefile.inc
>
> When I start the openswan with command ipsec setup start, I noticed the
> _startklips script always does modprobe to load crypto modules like md5,
> des, cbc, twofish....
>
>
> # first load any crypto modules we might need for acceleration
> modprobe -q padlock 2>/dev/null
> modprobe -q padlock-aes 2>/dev/null
> modprobe -q padlock-sha 2>/dev/null
> # load the most common ciphers/algo's
> # aes-x86_64 has higher priority in via crypto api
> for crypto in aes-x86_64 aes aes_generic des sha512 sha256 md5 \
>     cbc xcbc ecb twofish blowfish serpent ccm
> do
> echo -n "$crypto "
> modprobe -q $crypto 2> /dev/null
> done
>
>
> And I can see the current modules by lsmod
>
> Is the module status ok to have the OCF support?
> Or I still don't get OCF support?

To get OCF support on an IXP you need to load the modules in the following
order early in the boot before starting pluto/ipsec etc:

    modprobe ocf
    modprobe ixp4xx
    modprobe cryptodev
    modprobe ipsec

You need to have OCF/ixp4xx loaded before klips so that the ALG support is
detected fully.

The KLIPS config should look something like:

    CONFIG_KLIPS=m
    # KLIPS options
    CONFIG_KLIPS_ESP=y
    CONFIG_KLIPS_AH=y
    # CONFIG_KLIPS_AUTH_HMAC_MD5 is not set
    # CONFIG_KLIPS_AUTH_HMAC_SHA1 is not set
    # CONFIG_KLIPS_ALG is not set
    # CONFIG_KLIPS_ENC_3DES is not set
    CONFIG_KLIPS_IPCOMP=y
    CONFIG_KLIPS_OCF=y
    CONFIG_KLIPS_DEBUG=y
    CONFIG_KLIPS_IF_MAX=4

Cheers,
Davidm
>
> Module Size Used by
> ecb 1152 0
> cbc 1696 0
> md5 3872 0
> cryptomgr 71408 0
> crypto_blkcipher 6468 3 ecb,cbc,cryptomgr
> aead 3200 1 cryptomgr
> des_generic 16128 0
> crypto_algapi 7680 7 ecb,cbc,md5,cryptomgr,crypto_blkcipher,aead,des_generic
> ipsec 337716 2
> ixp4xx 6992 0
> cryptodev 9732 0
> ocf 15304 2 ixp4xx,cryptodev
> nfnetlink_log 5064 0
> nfnetlink 1528 1 nfnetlink_log
> iptable_filter 896 0
> ip_tables 8080 1 iptable_filter
> ebtable_filter 768 1
> ebtables 13504 1 ebtable_filter
> ipt_ULOG 3780 0
> nf_nat_ftp 1216 0
> nf_conntrack_ftp 4512 1 nf_nat_ftp
> nf_nat 9582 1 nf_nat_ftp
> xt_recent 4920 0
> x_tables 7044 4 ip_tables,ebtables,ipt_ULOG,xt_recent
> ixp400_eth 16368 1
> ixp400_oslinux 196804 2 ixp4xx,ixp400_eth
> loop 8908 2
--
David McCullough, david_mccullough at securecomputing.com, Ph:+61 734352815
McAfee - SnapGear http://www.snapgear.com http://www.uCdot.org
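
Added example, not part of the original message or of Openswan: a check over lsmod output that ocf, ixp4xx and cryptodev were loaded before ipsec (KLIPS), as the reply requires. It assumes lsmod lists the most recently loaded module first; the function and sample names are hypothetical and the sample rows are constructed from the lsmod listing in the thread.

```shell
#!/bin/sh
# Assumption: lsmod prints the most recently loaded module first, so a
# module loaded before ipsec (KLIPS) appears on a LATER line than ipsec.

# check_ocf_order: reads lsmod-format text on stdin.
# Returns 0 = order OK, 1 = required module missing, 2 = loaded after ipsec.
check_ocf_order() {
    awk '
        { line[$1] = NR }                      # remember the row of each module
        END {
            if (!("ipsec" in line)) { print "missing: ipsec"; exit 1 }
            rc = 0
            n = split("ocf ixp4xx cryptodev", need, " ")
            for (i = 1; i <= n; i++) {
                m = need[i]
                if (!(m in line)) { print "missing: " m; rc = 1 }
                else if (line[m] < line["ipsec"]) {
                    print "loaded after ipsec: " m
                    if (rc == 0) rc = 2
                }
            }
            exit rc
        }'
}

# Constructed sample: module rows in the order shown in the thread's lsmod.
sample_good() {
    printf '%s\n' 'Module Size Used by' 'ipsec 337716 2' 'ixp4xx 6992 0' \
        'cryptodev 9732 0' 'ocf 15304 2 ixp4xx,cryptodev'
}

# Constructed sample: ipsec at the bottom, i.e. loaded before the OCF stack.
sample_bad() {
    printf '%s\n' 'Module Size Used by' 'ixp4xx 6992 0' 'cryptodev 9732 0' \
        'ocf 15304 2 ixp4xx,cryptodev' 'ipsec 337716 2'
}

for s in sample_good sample_bad; do
    if $s | check_ocf_order; then echo "$s: OCF loaded before KLIPS"
    else echo "$s: fix module load order"; fi
done
# On a live system: lsmod | check_ocf_order
```

A non-zero result at boot means IPsec traffic may be running without the hardware crypto path, so the check is worth running before pluto is started.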