From: "Liu, Yong"
To: "Xu, GangX", "dts@dpdk.org"
CC: "Xu, GangX"
Date: Tue, 2 Jan 2018 07:46:57 +0000
Subject: Re: [dts] [PATCH V1] add inline_ipsec test plan
Message-ID: <86228AFD5BCD8E4EBFD2B90117B5E81E62F3CCB6@SHSMSX103.ccr.corp.intel.com>
In-Reply-To: <1514541643-92480-1-git-send-email-gangx.xu@intel.com>

Gang, some comments are inline.

> -----Original Message-----
> From: dts [mailto:dts-bounces@dpdk.org] On Behalf Of xu,gang
> Sent: Friday, December 29, 2017 6:01 PM
> To: dts@dpdk.org
> Cc: Xu, GangX
> Subject: [dts] [PATCH V1] add inline_ipsec test plan
>
> Signed-off-by: xu,gang
> ---
> test_plans/inline_ipsec_test_plan.rst | 355
> ++++++++++++++++++++++++++++++++++
> 1 file changed, 355 insertions(+)
> create mode 100644 test_plans/inline_ipsec_test_plan.rst
>
> diff --git a/test_plans/inline_ipsec_test_plan.rst > b/test_plans/inline_ipsec_test_plan.rst > new file mode 100644 > index 0000000..bc10111 > --- /dev/null > +++ b/test_plans/inline_ipsec_test_plan.rst 
> @@ -0,0 +1,355 @@ > +.. Copyright (c) <2017>, Intel Corporation > + All rights reserved. > + > + Redistribution and use in source and binary forms, with or without > + modification, are permitted provided that the following conditions > + are met: > + > + - Redistributions of source code must retain the above copyright > + notice, this list of conditions and the following disclaimer. > + > + - Redistributions in binary form must reproduce the above copyright > + notice, this list of conditions and the following disclaimer in > + the documentation and/or other materials provided with the > + distribution. > + > + - Neither the name of Intel Corporation nor the names of its > + contributors may be used to endorse or promote products derived > + from this software without specific prior written permission. > + > + THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS > + "AS IS" AND ANY EXPR ESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT > + LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS > + FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE > + COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, > + INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES > + (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR > + SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) > + HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, > + STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) > + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED > + OF THE POSSIBILITY OF SUCH DAMAGE. 
> + > +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D > +Inline IPsec Test Plan > +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D > +This test plan describe the method of validation inline hardware > acceleration > +of symmetric crypto processing of IPsec flows on Intel=C2=AE 82599 10 Gb= E > +Controller (IXGBE) within the cryptodev framework. > + > +***Limitation: > +AES-GCM 128 ESP Tunnel/Transport mode and Authentication only mode are > +supported.*** > + > +Ref links: > +https://tools.ietf.org/html/rfc4301 > + > +https://tools.ietf.org/html/rfc4302 > + > +https://tools.ietf.org/html/rfc4303 > + > +http://dpdk.org/doc/guides/sample_app_ug/ipsec_secgw.html > + > +Abbr: > +ESP: Encapsulating Security Payload:: > + > + 0 1 2 3 > + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 > + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -- > -- > + | Security Parameters Index (SPI) | > ^Int. > + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ > |Cov- > + | Sequence Number | > |ered > + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | > ---- > + | Payload Data* (variable) | | > ^ > + ~ ~ | > | > + | | > |Conf. > + + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ > |Cov- > + | | Padding (0-255 bytes) | > |ered* > + +-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | > | > + | | Pad Length | Next Header | v > v > + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -- > ---- > + | Integrity Check Value-ICV (variable) | > + ~ ~ > + | | > + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ > + > + > +SPI: Security Parameters Index > + > +The SPI is an arbitrary 32-bit value that is used by a receiver to > identify > +the SA to which an incoming packet is bound. 
> + > +Sequence Number: > + > +This unsigned 32-bit field contains a counter value that increases by > +one for each packet sent > + > +AES: Advanced Encryption Standard > + > +GCM: Galois Counter Mode > + > +Prerequisites > +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D > +2 * 10Gb Ethernet ports of the DUT are directly connected in full-duple= x > to > +different ports of the peer traffic generator. > + > +Bind two ports to vfio-pci. > +modprobe vfio-pci > + > + > +Test Case: Inline cfg parsing > +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D > +Create inline ipsec configuration file like below:: > + > + #SP IPv4 rules > + sp ipv4 out esp protect 1005 pri 1 dst 192.168.105.0/24 sport > 0:65535 dport 0:65535 > + > + #SA rules > + sa out 1005 aead_algo aes-128-gcm aead_key > 2b:7e:15:16:28:ae:d2:a6:ab:f7:15:88:09:cf:4f:3d:de:ad:be:ef \ > + mode ipv4-tunnel src 172.16.1.5 dst 172.16.2.5 \ > + port_id 1 \ > + type inline-crypto-offload \ > + > + sa in 5 aead_algo aes-128-gcm aead_key > 2b:7e:15:16:28:ae:d2:a6:ab:f7:15:88:09:cf:4f:3d:de:ad:be:ef \ > + mode ipv4-tunnel src 172.16.1.5 dst 172.16.2.5 \ > + port_id 1 \ > + type inline-crypto-offload \ > + > + #Routing rules > + rt ipv4 dst 172.16.2.5/32 port 1 > + rt ipv4 dst 192.168.105.10/32 port 0 > + > +Starting ipsec-secgw sample and make sure SP/SA/RT rules loaded > successfully. > + > +Check ipsec-secgw can detect invalid cipher algo. > + > +Check ipsec-secgw can detect invalid auth algo. > + > +Check ipsec-secgw can detect invalid key format. 
> + > + > +Test Case: IPSec Encryption > +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D > +Start ipsec-secgw with two 82599 ports and assign port 1 to unprotected > mode:: > + > + sudo ./build/ipsec-secgw -l 20,21 -w 83:00.0 -w 83:00.1 --vdev > + "crypto_null" --log-level 8 --socket-mem 1024,1 -- -p 0xf -P -u > + 0x2 --config=3D"(0,0,20),(1,0,21)" -f ./enc.cfg > + > +Use scapy to listen on unprotected port > +sudo python ./scapy_receive.py -i ens802f1 > +
Gang, please do not use your own script in the test plan. Others can't get the idea of what is happening in your script.
> +Send burst(32) normal packets with dst ip (192.168.105.0) to protected > port. > + sudo python ./scapy_send.py -i ens802f0 -s 32 -c 1 -e 0 > +
Same as previous.
> +Check burst esp packets received from unprotected port. > +tcpdump -Xvvvi ens802f1 > + > +[root@dpdk98 scripts]# tcpdump -Xvvvi ens802f1 > +tcpdump: listening on ens802f1, link-type EN10MB (Ethernet), capture siz= e > 262144 bytes > +06:10:25.674233 IP (tos 0x0, ttl 64, id 0, offset 0, flags [none], proto > ESP (50), length 108) > + 172.16.1.5 > 172.16.2.5: ESP(spi=3D0x000003ed,seq=3D0x9), length 88 > + 0x0000: 4500 006c 0000 0000 4032 1f36 ac10 0105 E..l....@2.6..= .. > + 0x0010: ac10 0205 0000 03ed 0000 0009 0000 0000 ..............= .. > + 0x0020: 0000 0009 4468 a4af 5853 7545 b21d > 977c ....Dh..XSuE...| > + 0x0030: b911 7ec6 74a0 3349 b986 02d2 a322 > d050 ..~.t.3I.....".P > + 0x0040: 8a0d 4ffc ef4d 6246 86fe 26f0 9377 84b5 ..O..MbF..&..w= .. > + 0x0050: 8b06 c7e0 05d3 1ac5 1a30 1a93 8660 4292 .........0...`= B. > + 0x0060: 999a c84d 49ed ff95 89a1 6917 ...MI.....i. > + > + > +Check esp packets' format is correct. > + > +See decrypted packets on scapy output > +[root@dpdk98 scripts]# sudo python ./scapy_receive.py -i ens802f1
Please remove prompt like "[root@dpdk98 scripts]" and please just show scapy dump command here.
> +###[ IP ]### > + version =3D 4 > + ihl =3D 5 > + tos =3D 0x0 > + len =3D 52 > + id =3D 1 > + flags =3D > + frag =3D 0 > + ttl =3D 63 > + proto =3D ip > + chksum =3D 0x2764 > + src =3D 192.168.105.10 > + dst =3D 192.168.105.10 > + \options \ > +###[ Raw ]### > + load =3D '|->test-test-test-test-test-t<-|' > + > +
Please optimize the format; there should be an indent before the output.
> +Test Case: IPSec Encryption with Jumboframe > +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D > +Start ipsec-secgw with two 82599 ports and assign port 1 to unprotected > mode:: > + sudo ./build/ipsec-secgw -l 20,21 -w 83:00.0 -w 83:00.1 --vdev > + "crypto_null" --log-level 8 --socket-mem 1024,1 -- -p 0xf -P -u > + 0x2 --config=3D"(0,0,20),(1,0,21)" -f ./enc.cfg > + > +Use scapy to listen on unprotected port > + > +Default frame size is 1518, send burst(1000) packets with dst ip > (192.168.105.0) to protected port. > + > +Check burst esp packets received from unprotected port. > + > +Check esp packets' format is correct. > + > +See decrypted packets on scapy output > + > +Send burst(8192) jumbo packets with dst ip (192.168.105.0) to protected > port. > + > +Check burst esp packets can't be received from unprotected port. > + > +Set jumbo frames size as 9000, start it with port 1 assigned to > unprotected mode:: > + > + sudo ./build/ipsec-secgw -l 20,21 -w 83:00.0 -w 83:00.1 --vdev > + "crypto_null" --log-level 8 --socket-mem 1024,1 -- -p 0xf -P -u > + 0x2 -j 9000 --config=3D"(0,0,20),(1,0,21)" -f ./enc.cfg > + > +Use scapy to listen on unprotected port > + > +Send burst(8192) jumbo packets with dst ip (192.168.105.0) to protected > port. > + > +Check burst jumbo packets received from unprotected port. > + > +Check esp packets' format is correct. > + > +See decrypted packets on scapy output > + > +Send burst(9000) jumbo packets with dst ip (192.168.105.0) to protected > port.
> + > +Check burst jumbo packets can't be received from unprotected port. > + > + > +Test Case: IPSec Encryption with RSS > +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D > +Create configuration file with multiple SP/SA/RT rules for different ip > address. > + > +Start ipsec-secgw with two queues enabled on each port and port 1 > assigned to unprotected mode:: > + > + sudo ./build/ipsec-secgw -l 20,21 -w 83:00.0 -w 83:00.1 --vdev > + "crypto_null" --log-level 8 --socket-mem 1024,1 -- -p 0xf -P -u > + 0x2 --config=3D"(0,0,20),(0,1,20),(1,0,21),(1,1,21)" -f ./enc_rss.cfg > + > +Use scapy to listen on unprotected port > +sudo python ./scapy_receive_enc_rss.py -i ens802f1 > + > +Send burst(32) packets with different dst ip to protected port. > +sudo python ./scapy_send_enc_rss.py -i ens802f0 -s 32 -c 1 -e 0 > + > +Check burst esp packets received from queue 0 and queue 1 on unprotected > port. > +tcpdump -Xvvvi ens802f1 > + > +Check esp packets' format is correct. > + > +See decrypted packets on scapy output > + > + > +Test Case: IPSec Decryption > +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D > +Start ipsec-secgw with two 82599 ports and assign port 1 to unprotected > mode:: > + > + sudo ./build/ipsec-secgw -l 20,21 -w 83:00.0 -w 83:00.1 --vdev > + "crypto_null" --log-level 8 --socket-mem 1024,1 -- -p 0xf -P -u > + 0x2 --config=3D"(0,0,20),(1,0,21)" -f ./dec.cfg > + > +Send two burst(32) esp packets to unprotected port. > +sudo python ./scapy_send.py -i ens802f1 -s 32 -c 1 -e 1 > + > +First one will produce an error "IPSEC_ESP: failed crypto op" in the > IPsec application, > +but it will setup the SA. Second one will decrypt and send back the > decrypted packet. 
> + > +Check burst packets which have been decapsulated received from protected > port > +tcpdump -Xvvvi ens802f0 > + > +Test Case: IPSec Decryption with wrong key > +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D > +Start ipsec-secgw with two 82599 ports and assign port 1 to unprotected > mode:: > + > + sudo ./build/ipsec-secgw -l 20,21 -w 83:00.0 -w 83:00.1 --vdev > + "crypto_null" --log-level 8 --socket-mem 1024,1 -- -p 0xf -P -u > + 0x2 --config=3D"(0,0,20),(1,0,21)" -f ./dec.cfg > + > +Change dec.cfg key is not same with send packet encrypted key > + > +Send one burst(32) esp packets to unprotected port. > + > +IPsec application will produce an error "IPSEC_ESP: failed crypto op" , > +but it will setup the SA. > + > +Send one burst(32) esp packets to unprotected port. > + > +Check burst packets which have been decapsulated can't be received from > protected port, > +IPsec application will produce error "IPSEC_ESP: failed crypto op". > + > + > +Test Case: IPSec Decryption with Jumboframe > +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D > +Start ipsec-secgw with two 82599 ports and assign port 1 to unprotected > mode:: > + sudo ./build/ipsec-secgw -l 20,21 -w 83:00.0 -w 83:00.1 --vdev > + "crypto_null" --log-level 8 --socket-mem 1024,1 -- -p 0xf -P -u > + 0x2 --config=3D"(0,0,20),(1,0,21)" -f ./dec.cfg > +Default frame size is 1518, Send two burst(1000) esp packets to > unprotected port. > + > +First one will produce an error "IPSEC_ESP: failed crypto op" in the > IPsec application, > +but it will setup the SA. Second one will decrypt and send back the > decrypted packet. > + > +Check burst(1000) packets which have been decapsulated received from > protected port. > + > +Send burst(8192) esp packets to unprotected port. 
> + > +Check burst(8192) packets which have been decapsulated can't be received > from protected port. > + > +Set jumbo frames size as 9000, start it with port 1 assigned to > unprotected mode:: > + > + sudo ./build/ipsec-secgw -l 20,21 -w 83:00.0 -w 83:00.1 --vdev > + "crypto_null" --log-level 8 --socket-mem 1024,1 -- -p 0xf -P -u > + 0x2 -j 9000 --config=3D"(0,0,20),(1,0,21)" -f ./dec.cfg > + > +Send two burst(8192) esp packets to unprotected port. > + > +First one will produce an error "IPSEC_ESP: failed crypto op" in the > IPsec application, > +but it will setup the SA. Second one will decrypt and send back the > decrypted packet. > + > +Check burst(8192) packets which have been decapsulated received from > protected port. > + > +Send burst(9000) esp packets to unprotected port. > + > +Check burst(9000) packets which have been decapsulated can't be received > from protected port. > + > + > +Test Case: IPSec Decryption with RSS > +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D > +Create configuration file with multiple SA rule for different ip address= . > + > +Start ipsec-secgw with two 82599 ports and assign port 1 to unprotected > mode:: > + > + sudo ./build/ipsec-secgw -l 20,21 -w 83:00.0 -w 83:00.1 --vdev > + "crypto_null" --log-level 8 --socket-mem 1024,1 -- -p 0xf -P -u > + 0x2 -config=3D"(0,0,20),(0,1,20),(1,0,21),(1,1,21)" -f ./dec_rss.cfg > + > +Send two burst(32) esp packets with different ip to unprotected port. > + > +First one will produce an error "IPSEC_ESP: failed crypto op" in the > IPsec application, > +but it will setup the SA. Second one will decrypt and send back the > decrypted packet. > + > +Check burst(32) packets which have been decapsulated received from queue > 0 and > +1 on protected port. 
> + > + > +Test Case: IPSec Encryption/Decryption simultaneously > +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D > +Start ipsec-secgw with two 82599 ports and assign port 1 to unprotected > mode:: > + > + sudo ./build/ipsec-secgw -l 20,21 -w 83:00.0 -w 83:00.1 > + --vdev "crypto_null" --log-level 8 --socket-mem 1024,1 > + -- -p 0xf -P -u 0x2 --config=3D"(0,0,20),(1,0,21)" -f ./enc_dec.= cfg > + > +Send normal and esp packets to protected and unprotected ports > simultaneously. > + > +Note when testing inbound IPSec, first one will produce an error > "IPSEC_ESP: > +invalid padding" in the IPsec application, but it will setup the SA. > Second > +one will decrypt and send back the decrypted packet. > + > +Check esp and normal packets received from unprotected and protected > ports. > -- > 1.9.3
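Review bot: In "Test Case: IPSec Decryption with wrong key", the expected log line "IPSEC_ESP: failed crypto op" is the same message the plain Decryption case expects for its first burst, so the log alone cannot tell a rejected packet from normal SA setup. Make the pass criterion explicit: state which key in dec.cfg is changed and to what, capture on the protected port (as the Decryption case does with tcpdump -Xvvvi ens802f0), and require that no decapsulated packets arrive after the second burst. The simultaneous case names a different first-packet error ("IPSEC_ESP: invalid padding"); say which message is expected where, or why they differ. Separately, the command in "Test Case: IPSec Decryption with RSS" passes -config with a single dash where every other case uses --config, and the "Inline cfg parsing" checks for invalid cipher algo, auth algo and key format give neither the invalid values to use nor the expected error output.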