[Openswan Users] Fwd: How openswan work with ocf and ixp4xx hardware acceleration?

mix.kao mix.kao at cipherium.com.tw
Wed Jan 27 06:39:57 EST 2010


Hello David,

Before I start Openswan, I do

insmod ocf.ko
insmod cryptodev.ko
insmod ixp4xx.ko
insmod ipsec.ko

or

insmod ocf.ko
insmod ixp4xx.ko
insmod cryptodev.ko
insmod ipsec.ko

then ipsec setup start

The lsmod result is the same, shown below:

 >> Module                  Size  Used by
 >> ecb                     1152  0
 >> cbc                     1696  0
 >> md5                     3872  0
 >> cryptomgr              71408  0
 >> crypto_blkcipher        6468  3 ecb,cbc,cryptomgr
 >> aead                    3200  1 cryptomgr
 >> des_generic            16128  0
 >> crypto_algapi           7680  7 ecb,cbc,md5,cryptomgr,crypto_blkcipher,aead,des_generic
 >> ipsec                 337716  2
 >> ixp4xx                  6992  0
 >> cryptodev               9732  0
 >> ocf                    15304  2 ixp4xx,cryptodev
 >> nfnetlink_log           5064  0
 >> nfnetlink               1528  1 nfnetlink_log
 >> iptable_filter           896  0
 >> ip_tables               8080  1 iptable_filter
 >> ebtable_filter           768  1
 >> ebtables               13504  1 ebtable_filter
 >> ipt_ULOG                3780  0
 >> nf_nat_ftp              1216  0
 >> nf_conntrack_ftp        4512  1 nf_nat_ftp
 >> nf_nat                  9582  1 nf_nat_ftp
 >> xt_recent               4920  0
 >> x_tables                7044  4 ip_tables,ebtables,ipt_ULOG,xt_recent
 >> ixp400_eth             16368  1
 >> ixp400_oslinux        196804  2 ixp4xx,ixp400_eth
 >> loop                    8908  2

I manually remove the modules below:
rmmod ecb cbc md5 cryptomgr crypto_blkcipher aead des_generic crypto_algapi

Then I built the tunnel between the two boxes using point-to-point tunnel mode.

One of the configs looks like this:

ipsec.conf

version 2.0

config setup
         interfaces="ipsec1=eth2"
         protostack=klips
         klipsdebug=verbose
         #plutodebug=verbose
         #uniqueids=yes
         #plutostderrlog="/tmp/pluto.log"

conn mix
         ike=des
         esp=aes
         authby=secret
         pfs=no
         auto=add
         keyingtries=3
         rekey=no
         ikelifetime=8h
         keylife=1h
         type=tunnel
         left=10.2.3.156
         right=10.30.17.95


ipsec.secrets

10.2.3.156 10.30.17.95 : PSK "12345"


Then the two boxes can ping each other, and capturing the packets shows ESP.

After manually removing the kernel cryptoapi-related modules:

Module                  Size  Used by
ipsec                 337716  2
cryptodev               9732  0
ixp4xx                  6992  0
ocf                    15304  2 cryptodev,ixp4xx
nfnetlink_log           5064  0
nfnetlink               1528  1 nfnetlink_log
iptable_filter           896  0
ip_tables               8080  1 iptable_filter
ebtable_filter           768  1
ebtables               13504  1 ebtable_filter
ipt_ULOG                3780  0
nf_nat_ftp              1216  0
nf_conntrack_ftp        4512  1 nf_nat_ftp
nf_nat                  9582  1 nf_nat_ftp
xt_recent               4920  0
x_tables                7044  4 ip_tables,ebtables,ipt_ULOG,xt_recent
ixp400_eth             16368  1
ixp400_oslinux        196804  2 ixp4xx,ixp400_eth
loop                    8908  2


Can I say that the crypto is now calculated by hardware?



Thanks a lot~



On 01/27/2010 06:43 PM, David McCullough wrote:
>
> Jivin mix.kao lays it down ...
>> Hi Paul,
>>
>> I have set the HAVE_OCF?=true in openswan Makefile.inc
>>
>> When I start the openswan with command ipsec setup start, I noticed the
>> _startklips script always do modprobe to load crypto modules like md5,
>> des, cbc, twofish....
>>
>>
>> # first load any crypto modules we might need for acceleration
>>           modprobe -q padlock 2>/dev/null
>>           modprobe -q padlock-aes 2>/dev/null
>>           modprobe -q padlock-sha 2>/dev/null
>>           # load the most common ciphers/algo's
>>           # aes-x86_64 has higher priority in via crypto api
>>           for crypto in aes-x86_64 aes aes_generic des sha512 sha256 md5 cbc xcbc ecb twofish blowfish serpent ccm
>>           do
>>                   echo -n "$crypto "
>>                   modprobe -q $crypto 2>/dev/null
>>           done
>>
>>
>> And I can see the current modules by lsmod
>>
>> Is the module status ok to have the OCF support?
>> Or i still don't get OCF support?
>
>
> To get OCF support on an IXP you need to load the modules in the following
> order early in the boot before starting pluto/ipsec etc:
>
> 	modprobe ocf
> 	modprobe ixp4xx
> 	modprobe cryptodev
> 	modprobe ipsec
>
> You need to have OCF/ixp4xx loaded before klips so that the ALG support is
> detected fully.
>
> The KLIPS config should look something like:
>
> 	CONFIG_KLIPS=m
> 	# KLIPS options
> 	CONFIG_KLIPS_ESP=y
> 	CONFIG_KLIPS_AH=y
> 	# CONFIG_KLIPS_AUTH_HMAC_MD5 is not set
> 	# CONFIG_KLIPS_AUTH_HMAC_SHA1 is not set
> 	# CONFIG_KLIPS_ALG is not set
> 	# CONFIG_KLIPS_ENC_3DES is not set
> 	CONFIG_KLIPS_IPCOMP=y
> 	CONFIG_KLIPS_OCF=y
> 	CONFIG_KLIPS_DEBUG=y
> 	CONFIG_KLIPS_IF_MAX=4
>
> Cheers,
> Davidm
>
> 	
>>
>> Module                  Size  Used by
>> ecb                     1152  0
>> cbc                     1696  0
>> md5                     3872  0
>> cryptomgr              71408  0
>> crypto_blkcipher        6468  3 ecb,cbc,cryptomgr
>> aead                    3200  1 cryptomgr
>> des_generic            16128  0
>> crypto_algapi           7680  7 ecb,cbc,md5,cryptomgr,crypto_blkcipher,aead,des_generic
>> ipsec                 337716  2
>> ixp4xx                  6992  0
>> cryptodev               9732  0
>> ocf                    15304  2 ixp4xx,cryptodev
>> nfnetlink_log           5064  0
>> nfnetlink               1528  1 nfnetlink_log
>> iptable_filter           896  0
>> ip_tables               8080  1 iptable_filter
>> ebtable_filter           768  1
>> ebtables               13504  1 ebtable_filter
>> ipt_ULOG                3780  0
>> nf_nat_ftp              1216  0
>> nf_conntrack_ftp        4512  1 nf_nat_ftp
>> nf_nat                  9582  1 nf_nat_ftp
>> xt_recent               4920  0
>> x_tables                7044  4 ip_tables,ebtables,ipt_ULOG,xt_recent
>> ixp400_eth             16368  1
>> ixp400_oslinux        196804  2 ixp4xx,ixp400_eth
>> loop                    8908  2
>>
>
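
Added example (not part of the original thread or of Openswan): a POSIX shell check of the module load order given in the reply above, read from lsmod-format text. It assumes lsmod lists the most recently loaded module first, and it confirms load order only, not that packets are actually being offloaded; the function names and the trimmed sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify the OCF module load order from lsmod-format text.
# Assumption: lsmod (/proc/modules) lists the most recently loaded module first.

REQUIRED_ORDER="ocf ixp4xx cryptodev ipsec"   # order given in the reply above

# Constructed samples: trimmed from the two lsmod listings in the message.
LSMOD_FIRST='Module                  Size  Used by
ipsec                 337716  2
ixp4xx                  6992  0
cryptodev               9732  0
ocf                    15304  2 ixp4xx,cryptodev'
LSMOD_SECOND='Module                  Size  Used by
ipsec                 337716  2
cryptodev               9732  0
ixp4xx                  6992  0
ocf                    15304  2 cryptodev,ixp4xx'

# Print the line number of module $1 in the lsmod text $2 (nothing if absent).
module_line() {
    printf '%s\n' "$2" | awk -v m="$1" '$1 == m { print NR; exit }'
}

# check_ocf_order TEXT
# Prints "ok", "missing:<mod>", or "order:<mod>-before-<prev>" when <mod>
# was loaded before a module that should have preceded it.
check_ocf_order() {
    prev_mod="" prev_line=""
    for mod in $REQUIRED_ORDER; do
        line=$(module_line "$mod" "$1")
        [ -n "$line" ] || { echo "missing:$mod"; return 1; }
        # A module loaded later must sit on an earlier (smaller) line.
        if [ -n "$prev_line" ] && [ "$line" -ge "$prev_line" ]; then
            echo "order:$mod-before-$prev_mod"
            return 1
        fi
        prev_mod=$mod prev_line=$line
    done
    echo "ok"
}

echo "first listing:  $(check_ocf_order "$LSMOD_FIRST")"
echo "second listing: $(check_ocf_order "$LSMOD_SECOND")"
```

On a live box, run `check_ocf_order "$(lsmod)"` after the modules are loaded and before starting pluto.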


