[Openswan Users] Fwd: How openswan work with ocf and ixp4xx hardware acceleration?
David McCullough
David_Mccullough at securecomputing.com
Wed Jan 27 07:05:51 EST 2010
Jivin mix.kao lays it down ...
> Hello David,
>
> Before i start openswan, i do
>
> insmod ocf.ko
> insmod cryptodev.ko
> insmod ixp4xx.ko
> insmod ipsec.ko
>
> or
>
> insmod ocf.ko
> insmod ixp4xx.ko
> insmod cryptodev.ko
> insmod ipsec.ko
>
> then ipsec setup start
>
> the same result of lsmod below
>
> >> Module Size Used by
> >> ecb 1152 0
> >> cbc 1696 0
> >> md5 3872 0
> >> cryptomgr 71408 0
> >> crypto_blkcipher 6468 3 ecb,cbc,cryptomgr
> >> aead 3200 1 cryptomgr
> >> des_generic 16128 0
> >> crypto_algapi 7680 7
> >> ecb,cbc,md5,cryptomgr,crypto_blkcipher,aead,des_generic
> >> ipsec 337716 2
> >> ixp4xx 6992 0
> >> cryptodev 9732 0
> >> ocf 15304 2 ixp4xx,cryptodev
> >> nfnetlink_log 5064 0
> >> nfnetlink 1528 1 nfnetlink_log
> >> iptable_filter 896 0
> >> ip_tables 8080 1 iptable_filter
> >> ebtable_filter 768 1
> >> ebtables 13504 1 ebtable_filter
> >> ipt_ULOG 3780 0
> >> nf_nat_ftp 1216 0
> >> nf_conntrack_ftp 4512 1 nf_nat_ftp
> >> nf_nat 9582 1 nf_nat_ftp
> >> xt_recent 4920 0
> >> x_tables 7044 4 ip_tables,ebtables,ipt_ULOG,xt_recent
> >> ixp400_eth 16368 1
> >> ixp400_oslinux 196804 2 ixp4xx,ixp400_eth
> >> loop 8908 2
That's fine.
> i manually remove modules below:
> rmmod ecb cbc md5 cryptomgr crypto_blkcipher aead des_generic crypto_algapi
You do not need to do this.
> then built the tunnel between two box use point to point tunnel mode
>
> one of config likes below
>
> ipsec.conf
>
> version 2.0
>
> config setup
> interfaces="ipsec1=eth2"
> protostack=klips
> klipsdebug=verbose
> #plutodebug=verbose
> #uniqueids=yes
> #plutostderrlog="/tmp/pluto.log"
>
> conn mix
> ike=des
> esp=aes
> authby=secret
> pfs=no
> auto=add
> keyingtries=3
> rekey=no
> ikelifetime=8h
> keylife=1h
> type=tunnel
> left=10.2.3.156
> right=10.30.17.95
>
>
> ipsec.secrets
>
> 10.2.3.156 10.30.17.95 : PSK "12345"
>
>
> then two box can ping each other, capture the packet will get ESP
>
> after manually remove kernel cryptoapi related modules
>
> Module Size Used by
> ipsec 337716 2
> cryptodev 9732 0
> ixp4xx 6992 0
> ocf 15304 2 cryptodev,ixp4xx
> nfnetlink_log 5064 0
> nfnetlink 1528 1 nfnetlink_log
> iptable_filter 896 0
> ip_tables 8080 1 iptable_filter
> ebtable_filter 768 1
> ebtables 13504 1 ebtable_filter
> ipt_ULOG 3780 0
> nf_nat_ftp 1216 0
> nf_conntrack_ftp 4512 1 nf_nat_ftp
> nf_nat 9582 1 nf_nat_ftp
> xt_recent 4920 0
> x_tables 7044 4 ip_tables,ebtables,ipt_ULOG,xt_recent
> ixp400_eth 16368 1
> ixp400_oslinux 196804 2 ixp4xx,ixp400_eth
> loop 8908 2
>
>
> Can i say now the crypto is calculated by hardware?
You can be sure that OCF acceleration is active in a couple of ways.
You can enable klips debug (klipsdebug --all) and look for ocf callbacks etc
in the kernel trace when you do a ping.
The easier way is just to enable debug in the ixp4xx driver:
echo 1 > /sys/modules/ixp4xx/parameters/ixp_debug
Send some pings and check for ixp4xx kernel debug. You can turn it off then
with:
echo 0 > /sys/modules/ixp4xx/parameters/ixp_debug
Cheers,
Davidm
> On 01/27/2010 06:43 PM, David McCullough wrote:
> >
> > Jivin mix.kao lays it down ...
> >> Hi Paul,
> >>
> >> I have set the HAVE_OCF?=true in openswan Makefile.inc
> >>
> >> When i start the openswan with command ipsec setup start, i noticed the
> >> _startklips script always do modprobe to load crypto modules like md5,
> >> des, cbc, twofish....
> >>
> >>
> >> # first load any crypto modules we might need for acceleration
> >> modprobe -q padlock 2>/dev/null
> >> modprobe -q padlock-aes 2>/dev/null
> >> modprobe -q padlock-sha 2>/dev/null
> >> # load the most common ciphers/algo's
> >> # aes-x86_64 has higher priority in via crypto api
> >> for crypto in aes-x86_64 aes aes_generic des sha512 sha256 md5 \
> >> cbc xcbc ecb twofish blowfish serpent ccm
> >> do
> >> echo -n "$crypto "
> >> modprobe -q $crypto 2> /dev/null
> >> done
> >>
> >>
> >> And i can see the current modules by lsmod
> >>
> >> Is the module status ok to have the OCF support?
> >> Or i still don't get OCF support?
> >
> >
> > To get OCF support on an IXP you need to load the modules in the following
> > order early in the boot before starting pluto/ipsec etc:
> >
> > modprobe ocf
> > modprobe ixp4xx
> > modprobe cryptodev
> > modprobe ipsec
> >
> > You need to have OCF/ixp4xx loaded before klips so that the ALG support is
> > detected fully.
> >
> > The KLIPS config should look something like like:
> >
> > CONFIG_KLIPS=m
> > # KLIPS options
> > CONFIG_KLIPS_ESP=y
> > CONFIG_KLIPS_AH=y
> > # CONFIG_KLIPS_AUTH_HMAC_MD5 is not set
> > # CONFIG_KLIPS_AUTH_HMAC_SHA1 is not set
> > # CONFIG_KLIPS_ALG is not set
> > # CONFIG_KLIPS_ENC_3DES is not set
> > CONFIG_KLIPS_IPCOMP=y
> > CONFIG_KLIPS_OCF=y
> > CONFIG_KLIPS_DEBUG=y
> > CONFIG_KLIPS_IF_MAX=4
> >
> > Cheers,
> > Davidm
> >
> >
> >>
> >> Module Size Used by
> >> ecb 1152 0
> >> cbc 1696 0
> >> md5 3872 0
> >> cryptomgr 71408 0
> >> crypto_blkcipher 6468 3 ecb,cbc,cryptomgr
> >> aead 3200 1 cryptomgr
> >> des_generic 16128 0
> >> crypto_algapi 7680 7
> >> ecb,cbc,md5,cryptomgr,crypto_blkcipher,aead,des_generic
> >> ipsec 337716 2
> >> ixp4xx 6992 0
> >> cryptodev 9732 0
> >> ocf 15304 2 ixp4xx,cryptodev
> >> nfnetlink_log 5064 0
> >> nfnetlink 1528 1 nfnetlink_log
> >> iptable_filter 896 0
> >> ip_tables 8080 1 iptable_filter
> >> ebtable_filter 768 1
> >> ebtables 13504 1 ebtable_filter
> >> ipt_ULOG 3780 0
> >> nf_nat_ftp 1216 0
> >> nf_conntrack_ftp 4512 1 nf_nat_ftp
> >> nf_nat 9582 1 nf_nat_ftp
> >> xt_recent 4920 0
> >> x_tables 7044 4 ip_tables,ebtables,ipt_ULOG,xt_recent
> >> ixp400_eth 16368 1
> >> ixp400_oslinux 196804 2 ixp4xx,ixp400_eth
> >> loop 8908 2
> >> _______________________________________________
> >> Users at openswan.org
> >> http://lists.openswan.org/mailman/listinfo/users
> >>
> >>
> >
>
>
>
--
David McCullough, david_mccullough at securecomputing.com, Ph:+61 734352815
McAfee - SnapGear http://www.snapgear.com http://www.uCdot.org
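As an added example (not part of David's post or the openswan project), the script below turns his two recommendations into something checkable: it loads the modules in the order he gives (ocf, ixp4xx, cryptodev, then ipsec) and then verifies from lsmod output that ocf is loaded and referenced by both ixp4xx and cryptodev before KLIPS claims to be using it. The lsmod text used for the self-check is a constructed sample trimmed from the one in the thread; the `ixp_debug` parameter name is the one David names, while the sysfs directory is written as `/sys/module/` because that is where stock Linux kernels expose module parameters (the post spells it `/sys/modules/`). Nothing here touches real modules unless you call `load_ocf_stack` yourself.

```shell
#!/bin/sh
# Added example: load the OCF stack in the order recommended in the thread
# and verify from lsmod that OCF is wired in ahead of KLIPS (ipsec.ko).

# Load order from the post: OCF core, the IXP4xx driver, the /dev/crypto
# interface, and only then KLIPS, so KLIPS sees the OCF ALG support.
OCF_MODULE_ORDER="ocf ixp4xx cryptodev ipsec"

# load_ocf_stack: modprobe each module in order, stopping at the first failure.
# Run this early at boot, before "ipsec setup start".
load_ocf_stack() {
    for m in $OCF_MODULE_ORDER; do
        modprobe "$m" || { echo "failed to load $m" >&2; return 1; }
    done
}

# ocf_wired_in: read lsmod-style text on stdin and return 0 only when
#   - ipsec (KLIPS) is loaded, and
#   - ocf is loaded and listed as used by both ixp4xx and cryptodev.
# Any other state (crypto API modules present or not) is not a verdict on
# acceleration; the ixp4xx debug output is the definitive check.
ocf_wired_in() {
    awk '
        $1 == "ipsec" { have_ipsec = 1 }
        $1 == "ocf"   { users = $4 }          # 4th column: "Used by" list
        END {
            if (!have_ipsec) exit 1
            if (users !~ /(^|,)ixp4xx(,|$)/) exit 1
            if (users !~ /(^|,)cryptodev(,|$)/) exit 1
            exit 0
        }'
}

# check_live: run the check against the running kernel's module list.
check_live() {
    lsmod | ocf_wired_in
}

# Debug toggle from the post. ASSUMPTION: the parameter directory is
# /sys/module/<name>/parameters/ on stock kernels (the post writes /sys/modules/).
IXP_DEBUG_PARAM=/sys/module/ixp4xx/parameters/ixp_debug

# ixp_debug 1|0: enable or disable ixp4xx driver debug output, then send
# traffic through the tunnel and read the kernel log (e.g. dmesg) for
# driver messages to confirm the hardware path is being used.
ixp_debug() {
    [ -w "$IXP_DEBUG_PARAM" ] || { echo "no $IXP_DEBUG_PARAM" >&2; return 1; }
    echo "$1" > "$IXP_DEBUG_PARAM"
}

# Constructed lsmod sample (subset of the one in the thread) for a self-test.
SAMPLE_GOOD='Module Size Used by
ipsec 337716 2
cryptodev 9732 0
ixp4xx 6992 0
ocf 15304 2 cryptodev,ixp4xx'

# Constructed counter-example: ixp4xx never registered with OCF.
SAMPLE_NO_IXP='Module Size Used by
ipsec 337716 2
cryptodev 9732 0
ocf 15304 1 cryptodev'

# check_sample good|no_ixp: exercise ocf_wired_in on the constructed samples.
check_sample() {
    case "$1" in
        good)   printf '%s\n' "$SAMPLE_GOOD"   | ocf_wired_in ;;
        no_ixp) printf '%s\n' "$SAMPLE_NO_IXP" | ocf_wired_in ;;
        *)      return 2 ;;
    esac
}

# Stand-alone run: report the self-test results without touching modules.
if check_sample good; then echo "sample good: OCF wired in"; fi
if ! check_sample no_ixp; then echo "sample no_ixp: ixp4xx not on OCF (as expected)"; fi
```

Use `check_live` on the box after `ipsec setup start`; a non-zero exit means either ixp4xx or cryptodev did not register with OCF, which usually points at the modules having been loaded in the wrong order relative to ipsec.ko.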