[Openswan Users] Fwd: How openswan work with ocf and ixp4xx hardware acceleration?
mix.kao
mix.kao at cipherium.com.tw
Wed Jan 27 06:39:57 EST 2010
Hello David,

Before I start openswan, I do

insmod ocf.ko
insmod cryptodev.ko
insmod ixp4xx.ko
insmod ipsec.ko

or

insmod ocf.ko
insmod ixp4xx.ko
insmod cryptodev.ko
insmod ipsec.ko

then ipsec setup start.
The lsmod result is the same, as below:
>> Module Size Used by
>> ecb 1152 0
>> cbc 1696 0
>> md5 3872 0
>> cryptomgr 71408 0
>> crypto_blkcipher 6468 3 ecb,cbc,cryptomgr
>> aead 3200 1 cryptomgr
>> des_generic 16128 0
>> crypto_algapi 7680 7 ecb,cbc,md5,cryptomgr,crypto_blkcipher,aead,des_generic
>> ipsec 337716 2
>> ixp4xx 6992 0
>> cryptodev 9732 0
>> ocf 15304 2 ixp4xx,cryptodev
>> nfnetlink_log 5064 0
>> nfnetlink 1528 1 nfnetlink_log
>> iptable_filter 896 0
>> ip_tables 8080 1 iptable_filter
>> ebtable_filter 768 1
>> ebtables 13504 1 ebtable_filter
>> ipt_ULOG 3780 0
>> nf_nat_ftp 1216 0
>> nf_conntrack_ftp 4512 1 nf_nat_ftp
>> nf_nat 9582 1 nf_nat_ftp
>> xt_recent 4920 0
>> x_tables 7044 4 ip_tables,ebtables,ipt_ULOG,xt_recent
>> ixp400_eth 16368 1
>> ixp400_oslinux 196804 2 ixp4xx,ixp400_eth
>> loop 8908 2
I manually removed the modules below:
rmmod ecb cbc md5 cryptomgr crypto_blkcipher aead des_generic crypto_algapi
Then I built the tunnel between the two boxes using point-to-point tunnel mode.
One of the configs looks like this:
ipsec.conf

version 2.0

config setup
        interfaces="ipsec1=eth2"
        protostack=klips
        klipsdebug=verbose
        #plutodebug=verbose
        #uniqueids=yes
        #plutostderrlog="/tmp/pluto.log"

conn mix
        ike=des
        esp=aes
        authby=secret
        pfs=no
        auto=add
        keyingtries=3
        rekey=no
        ikelifetime=8h
        keylife=1h
        type=tunnel
        left=10.2.3.156
        right=10.30.17.95

ipsec.secrets

10.2.3.156 10.30.17.95 : PSK "12345"
Then the two boxes can ping each other, and capturing the packets shows ESP.
After manually removing the kernel cryptoapi-related modules:
Module Size Used by
ipsec 337716 2
cryptodev 9732 0
ixp4xx 6992 0
ocf 15304 2 cryptodev,ixp4xx
nfnetlink_log 5064 0
nfnetlink 1528 1 nfnetlink_log
iptable_filter 896 0
ip_tables 8080 1 iptable_filter
ebtable_filter 768 1
ebtables 13504 1 ebtable_filter
ipt_ULOG 3780 0
nf_nat_ftp 1216 0
nf_conntrack_ftp 4512 1 nf_nat_ftp
nf_nat 9582 1 nf_nat_ftp
xt_recent 4920 0
x_tables 7044 4 ip_tables,ebtables,ipt_ULOG,xt_recent
ixp400_eth 16368 1
ixp400_oslinux 196804 2 ixp4xx,ixp400_eth
loop 8908 2
Can I say that the crypto is now calculated by hardware?
Thanks a lot~
On 01/27/2010 06:43 PM, David McCullough wrote:
>
> Jivin mix.kao lays it down ...
>> Hi Paul,
>>
>> I have set the HAVE_OCF?=true in openswan Makefile.inc
>>
>> When I start the openswan with command ipsec setup start, I noticed the
>> _startklips script always do modprobe to load crypto modules like md5,
>> des, cbc, twofish....
>>
>>
>> # first load any crypto modules we might need for acceleration
>> modprobe -q padlock 2>/dev/null
>> modprobe -q padlock-aes 2>/dev/null
>> modprobe -q padlock-sha 2>/dev/null
>> # load the most common ciphers/algo's
>> # aes-x86_64 has higher priority in via crypto api
>> for crypto in aes-x86_64 aes aes_generic des sha512 sha256 md5 cbc xcbc ecb twofish blowfish serpent ccm
>> do
>> echo -n "$crypto "
>> modprobe -q $crypto 2> /dev/null
>> done
>>
>>
>> And I can see the current modules by lsmod
>>
>> Is the module status ok to have the OCF support?
>> Or I still don't get OCF support?
>
>
> To get OCF support on an IXP you need to load the modules in the following
> order early in the boot before starting pluto/ipsec etc:
>
> modprobe ocf
> modprobe ixp4xx
> modprobe cryptodev
> modprobe ipsec
>
> You need to have OCF/ixp4xx loaded before klips so that the ALG support is
> detected fully.
>
> The KLIPS config should look something like:
>
> CONFIG_KLIPS=m
> # KLIPS options
> CONFIG_KLIPS_ESP=y
> CONFIG_KLIPS_AH=y
> # CONFIG_KLIPS_AUTH_HMAC_MD5 is not set
> # CONFIG_KLIPS_AUTH_HMAC_SHA1 is not set
> # CONFIG_KLIPS_ALG is not set
> # CONFIG_KLIPS_ENC_3DES is not set
> CONFIG_KLIPS_IPCOMP=y
> CONFIG_KLIPS_OCF=y
> CONFIG_KLIPS_DEBUG=y
> CONFIG_KLIPS_IF_MAX=4
>
> Cheers,
> Davidm
>
>
>>
>> Module Size Used by
>> ecb 1152 0
>> cbc 1696 0
>> md5 3872 0
>> cryptomgr 71408 0
>> crypto_blkcipher 6468 3 ecb,cbc,cryptomgr
>> aead 3200 1 cryptomgr
>> des_generic 16128 0
>> crypto_algapi 7680 7 ecb,cbc,md5,cryptomgr,crypto_blkcipher,aead,des_generic
>> ipsec 337716 2
>> ixp4xx 6992 0
>> cryptodev 9732 0
>> ocf 15304 2 ixp4xx,cryptodev
>> nfnetlink_log 5064 0
>> nfnetlink 1528 1 nfnetlink_log
>> iptable_filter 896 0
>> ip_tables 8080 1 iptable_filter
>> ebtable_filter 768 1
>> ebtables 13504 1 ebtable_filter
>> ipt_ULOG 3780 0
>> nf_nat_ftp 1216 0
>> nf_conntrack_ftp 4512 1 nf_nat_ftp
>> nf_nat 9582 1 nf_nat_ftp
>> xt_recent 4920 0
>> x_tables 7044 4 ip_tables,ebtables,ipt_ULOG,xt_recent
>> ixp400_eth 16368 1
>> ixp400_oslinux 196804 2 ixp4xx,ixp400_eth
>> loop 8908 2
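The load-order requirement in David's reply (ocf and ixp4xx loaded before ipsec) can be checked from lsmod output. The script below is an added example, not part of the original thread; the function names are hypothetical, and it assumes lsmod lists the most recently loaded module first, as /proc/modules does. It checks load order only and does not by itself show that packets are processed by the hardware.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption used throughout: lsmod prints
# /proc/modules, where the most recently loaded module comes first, so a
# module listed below ipsec was loaded before it.

# Print the four modules of interest in load order (oldest first).
ocf_load_order() {
    awk '
        $1 ~ /^(ocf|ixp4xx|cryptodev|ipsec)$/ { seen[++n] = $1 }
        END {
            for (i = n; i >= 1; i--) out = out (out ? " " : "") seen[i]
            print out
        }'
}

# Verdict for lsmod text on stdin: "ok", "missing:<mods>" or "late:<mods>".
check_ocf_order() {
    order=$(ocf_load_order)
    missing="" late="" seen_ipsec=0
    for m in ocf ixp4xx ipsec; do
        case " $order " in
            *" $m "*) ;;
            *) missing="$missing${missing:+,}$m" ;;
        esac
    done
    [ -z "$missing" ] || { echo "missing:$missing"; return 2; }
    for m in $order; do
        case $m in
            ipsec) seen_ipsec=1 ;;
            # ocf/ixp4xx seen after ipsec in load order were loaded too late
            ocf|ixp4xx) [ "$seen_ipsec" -eq 0 ] || late="$late${late:+,}$m" ;;
        esac
    done
    [ -z "$late" ] || { echo "late:$late"; return 1; }
    echo ok
}

# Constructed sample: the four relevant lines of the second lsmod listing above.
SAMPLE='ipsec 337716 2
cryptodev 9732 0
ixp4xx 6992 0
ocf 15304 2 cryptodev,ixp4xx'
printf '%s\n' "$SAMPLE" | ocf_load_order
printf '%s\n' "$SAMPLE" | check_ocf_order
```

On the target box the same check is `lsmod | check_ocf_order`.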