DPDK usage discussions
* [dpdk-users] IPSEC-SECGW sample application
@ 2018-01-07 15:41 Avi Cohen (A)
  2018-01-08  8:47 ` Gowda, Sandesh
  0 siblings, 1 reply; 10+ messages in thread
From: Avi Cohen (A) @ 2018-01-07 15:41 UTC (permalink / raw)
  To: users


Hello
I'm using DPDK 17.11 and running the sample app ipsec-secgw.
I have 2 ports: port 0 is protected and port 1 is unprotected.
Traffic is received on the unprotected port and should be sent to the protected port for encryption.
But the traffic received on the unprotected port is going through **process_pkts_inbound**.
I expect that the traffic should be directed to **process_pkts_outbound** [where ESP headers are added etc.]
Can someone help?


This is the config file:

#SP rules
sp ipv4 in esp protect 5 src 1.1.1.2/32 dst 1.1.2.10/32 
#SA rules
sa in 5 cipher_algo aes-128-cbc cipher_key 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \
auth_algo sha1-hmac auth_key 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \
mode ipv4-tunnel src 172.16.1.5 dst 172.16.2.5 \
type inline-protocol-offload port_id 0
#Routing rules
rt ipv4 dst 172.16.2.5/32 port 0
rt ipv4 dst 1.1.2.0/24 port 0
rt ipv4 dst 1.1.1.0/24 port 0


and this is the command line to run the application:

./ipsec-secgw -l 1 -n 2 -- -p 0x3 -P -u 0x2 --config="(0,0,1),(1,0,1)" -f ../ep1.cfg


Best Regards
Avi


* Re: [dpdk-users] IPSEC-SECGW sample application
  2018-01-07 15:41 [dpdk-users] IPSEC-SECGW sample application Avi Cohen (A)
@ 2018-01-08  8:47 ` Gowda, Sandesh
  2018-01-08 11:47   ` Avi Cohen (A)
  2018-01-08 16:34   ` Avi Cohen (A)
  0 siblings, 2 replies; 10+ messages in thread
From: Gowda, Sandesh @ 2018-01-08  8:47 UTC (permalink / raw)
  To: Avi Cohen (A), users


Hi Avi,

The application classifies the ports as Protected and Unprotected. Thus, traffic received on an Unprotected or Protected port is considered Inbound or Outbound respectively.
(Refer: http://dpdk.org/doc/guides/sample_app_ug/ipsec_secgw.html)

Packets sent on an Unprotected network require encryption, whereas packets on a Protected network can be plain text.
This is the expected behavior.

 Regards,
 Sandesh


 


* Re: [dpdk-users] IPSEC-SECGW sample application
  2018-01-08  8:47 ` Gowda, Sandesh
@ 2018-01-08 11:47   ` Avi Cohen (A)
  2018-01-08 16:34   ` Avi Cohen (A)
  1 sibling, 0 replies; 10+ messages in thread
From: Avi Cohen (A) @ 2018-01-08 11:47 UTC (permalink / raw)
  To: Gowda, Sandesh, users

Hi Sandesh
Thank you - I already understood that.
I see in the documentation that this app supports only **complete offload**. But the Intel x540 and 82599 NICs, which support IPsec offload, require that the SW add/remove the ESP headers.
How can I run this app with an x540 NIC?
Best Regards
Avi




* Re: [dpdk-users] IPSEC-SECGW sample application
  2018-01-08  8:47 ` Gowda, Sandesh
  2018-01-08 11:47   ` Avi Cohen (A)
@ 2018-01-08 16:34   ` Avi Cohen (A)
  2018-01-08 17:23     ` Gowda, Sandesh
  1 sibling, 1 reply; 10+ messages in thread
From: Avi Cohen (A) @ 2018-01-08 16:34 UTC (permalink / raw)
  To: Gowda, Sandesh, users

 
Hi Sandesh [I added one more question]
Thank you - I already understood that.
1. I see in the documentation that this app supports only **complete offload**. But the Intel x540 and 82599 NICs, which support IPsec offload, require that the SW add/remove the ESP headers. How can I run this app with an x540 NIC?

2. I added support for ESP header and trailer insertion for inline-protocol-offload for the Intel x540. Can you tell me the exact command line to run the application in this mode? Is vdev required?
Best Regards
Avi

* Re: [dpdk-users] IPSEC-SECGW sample application
  2018-01-08 16:34   ` Avi Cohen (A)
@ 2018-01-08 17:23     ` Gowda, Sandesh
  2018-01-09  9:38       ` Avi Cohen (A)
  0 siblings, 1 reply; 10+ messages in thread
From: Gowda, Sandesh @ 2018-01-08 17:23 UTC (permalink / raw)
  To: Avi Cohen (A), users

Hi Avi,

 My response inline.

> 1.  I see in the documentation that this app. Supports only **complete
> offload**.
>  But Intel NICS x540 and 82599 which supports ipsec offload requires that the
> SW will  add/remove the ESP headers How can I run this app with x540 nic ?

The SA rule "type" field lets you choose the kind of offload. 
Following is the description from the ipsecgw app guide:

<type>

Action type to specify the security action. This option specify the SA to be performed with look aside protocol offload to HW accelerator or protocol offload on ethernet device or inline crypto processing on the ethernet device during transmission.
Optional: Yes, default type no-offload
Available options:
lookaside-protocol-offload: look aside protocol offload to HW accelerator
inline-protocol-offload: inline protocol offload on ethernet device
inline-crypto-offload: inline crypto processing on ethernet device
no-offload: no offloading to hardware

Correct your SA rules to have the desired "type" field.

The ipsecgw application must work fine for QAT PCIe as well as an Ethernet NIC with the IPsec feature, provided the VFs are correctly bound to DPDK.

 
>  2. I added support for ESP header and trailer insertion for inline-protocol-
> offload for intel x540
> Can you tell me the exact command line to run the application for this mode ?
> is vdev required ?

The ipsecgw application must work fine for QAT PCIe as well as an Ethernet NIC with the IPsec feature, provided the VFs are correctly bound to DPDK.
Please try running the more basic L2Fwd Crypto application on your NIC to make sure the crypto feature works.

 Regards,
 Sandesh




* Re: [dpdk-users] IPSEC-SECGW sample application
  2018-01-08 17:23     ` Gowda, Sandesh
@ 2018-01-09  9:38       ` Avi Cohen (A)
  2018-01-09 10:00         ` De Lara Guarch, Pablo
  0 siblings, 1 reply; 10+ messages in thread
From: Avi Cohen (A) @ 2018-01-09  9:38 UTC (permalink / raw)
  To: Gowda, Sandesh, users

Thank you Sandesh
I'm trying to run the l2fwd-crypto sample app, but got this error message:
"No crypto devices available
EAL: Error - exiting with code: 1
 Cause: Failed to initialize crypto devices"

My setup includes 2 physical ports (Intel x540) bound to DPDK - these NICs are IPsec offload capable.

The cmd-line I use is:
./l2fwd-crypto -l 0-1 -n 4 -- -p 0x3 --cdev_type HW --chain CIPHER_HASH --cipher_op ENCRYPT --cipher_algo aes-cbc --cipher_key 00:01:02:03:04:05:06:07:08:09:0a:0b:0c:0d:0e:0f --auth_op GENERATE --auth_algo aes-xcbc-mac --auth_key 10:11:12:13:14:15:16:17:18:19:1a:1b:1c:1d:1e:1f

Best Regards
Avi



* Re: [dpdk-users] IPSEC-SECGW sample application
  2018-01-09  9:38       ` Avi Cohen (A)
@ 2018-01-09 10:00         ` De Lara Guarch, Pablo
  2018-01-09 15:15           ` Avi Cohen (A)
                             ` (2 more replies)
  0 siblings, 3 replies; 10+ messages in thread
From: De Lara Guarch, Pablo @ 2018-01-09 10:00 UTC (permalink / raw)
  To: Avi Cohen (A), Gowda, Sandesh, users

Hi Avi,

> -----Original Message-----
> From: users [mailto:users-bounces@dpdk.org] On Behalf Of Avi Cohen (A)
> Sent: Tuesday, January 9, 2018 9:39 AM
> To: Gowda, Sandesh <sandesh.gowda@intel.com>; users@dpdk.org
> Subject: Re: [dpdk-users] IPSEC-SECGW sample application
> 
> Thank you Sandesh
> I'm trying to run the l2fwd-crypto sample app.  but  got this error msg :
> "No crypto devices available
> EAL: Error - exiting with code: 1
>  Cause: Failed to initialize crypto devices"
> 
> My setup include 2 physical ports (intel x540)  bound to dpdk - these Nics
> are ipsec offload capable.

L2fwd-crypto does not support inline IPSec. For this application,
you can only use crypto devices (under crypto folder).

Pablo


* Re: [dpdk-users] IPSEC-SECGW sample application
  2018-01-09 10:00         ` De Lara Guarch, Pablo
@ 2018-01-09 15:15           ` Avi Cohen (A)
  2018-01-14 13:53           ` Avi Cohen (A)
  2018-01-15 13:54           ` Avi Cohen (A)
  2 siblings, 0 replies; 10+ messages in thread
From: Avi Cohen (A) @ 2018-01-09 15:15 UTC (permalink / raw)
  To: De Lara Guarch, Pablo, Gowda, Sandesh, users

Thank you Sandesh and Pablo
I went back to the ipsec-secgw app.
With gdb I saw that the ixgbe driver is complaining about the aead algo, so I only changed the SA configuration:
I added the aead algo to the SA - and now IPsec offload is working fine.

sa in 105 aead_algo aes-128-gcm \
aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
mode ipv4-tunnel src 172.16.2.5 dst 172.16.1.5 

Best Regards
Avi
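
A small linter for the SA rules exchanged in this thread, added here as an example (it is not code from DPDK or from the posters). It assumes the `name value` option layout of the posted rules, treats "an inline-offload SA needs aead_algo" as a reading of the last message about the ixgbe driver, and uses a hypothetical distinct-byte heuristic to spot test keys.

```python
"""Lint the SA rules of an ipsec-secgw config file (added example)."""

# Key sizes in bytes as written in the cfg file. For aes-128-gcm the value
# is a 16-byte key followed by a 4-byte salt, hence 20.
KEY_BYTES = {"aes-128-cbc": 16, "sha1-hmac": 20, "aes-128-gcm": 20}
KEY_FOR = {"cipher_algo": "cipher_key", "auth_algo": "auth_key",
           "aead_algo": "aead_key"}
INLINE_TYPES = {"inline-crypto-offload", "inline-protocol-offload"}

ZERO16 = ":".join(["0"] * 16)
ZERO20 = ":".join(["0"] * 20)
# Constructed sample: SA 5 is the rule from the first message of the
# thread, SA 105 the rule from the last one.
SAMPLE_CFG = rf"""
#SA rules
sa in 5 cipher_algo aes-128-cbc cipher_key {ZERO16} \
auth_algo sha1-hmac auth_key {ZERO20} \
mode ipv4-tunnel src 172.16.1.5 dst 172.16.2.5 \
type inline-protocol-offload port_id 0
sa in 105 aead_algo aes-128-gcm \
aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
mode ipv4-tunnel src 172.16.2.5 dst 172.16.1.5
"""


def logical_lines(text):
    """Join backslash-continued lines; drop blank lines and '#' comments."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not buf and line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            out.append(buf.strip())
        buf = ""
    if buf.strip():          # file ended on a continuation line
        out.append(buf.strip())
    return out


def parse_sa(line):
    """Return {'dir', 'spi', option: value, ...} for one 'sa' rule."""
    tok = line.split()
    sa = {"dir": tok[1], "spi": int(tok[2])}
    opts = tok[3:]
    # Assumption: every option is a 'name value' pair, as in the thread.
    for name, value in zip(opts[0::2], opts[1::2]):
        sa[name] = value
    return sa


def lint_sa(sa):
    """Return a list of findings for one parsed SA rule."""
    findings = []
    for algo_opt, key_opt in KEY_FOR.items():
        if algo_opt not in sa:
            continue
        algo = sa[algo_opt]
        if key_opt not in sa:
            findings.append(f"{algo_opt} {algo} has no {key_opt}")
            continue
        key = bytes(int(b, 16) for b in sa[key_opt].split(":"))
        want = KEY_BYTES.get(algo)
        if want is not None and len(key) != want:
            findings.append(
                f"{key_opt}: {len(key)} bytes, {algo} expects {want}")
        # Heuristic (hypothetical threshold): all-zero or short repeating
        # patterns are test keys and must not reach production.
        if len(set(key)) <= 4:
            findings.append(f"{key_opt}: placeholder-looking key")
    if "aead_algo" in sa and ("cipher_algo" in sa or "auth_algo" in sa):
        findings.append("aead_algo combined with cipher/auth")
    # Rule taken from the thread: the inline SA on the x540 (ixgbe) was
    # rejected until aead_algo was configured.
    if sa.get("type") in INLINE_TYPES and "aead_algo" not in sa:
        findings.append("inline offload without aead_algo")
    return findings


def lint_config(text):
    """Map each SA's SPI to its list of findings."""
    rules = (parse_sa(l) for l in logical_lines(text) if l.startswith("sa "))
    return {sa["spi"]: lint_sa(sa) for sa in rules}


if __name__ == "__main__":
    for spi, findings in lint_config(SAMPLE_CFG).items():
        print(spi, findings or "ok")
```
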
> > > > > >  This is the expected behavior.
> > > > > >
> > > > > >  Regards,
> > > > > >  Sandesh
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > > -----Original Message-----
> > > > > > From: users [mailto:users-bounces@dpdk.org] On Behalf Of Avi
> > > > > > Cohen
> > > > > > (A)
> > > > > > Sent: Sunday, January 07, 2018 9:12 PM
> > > > > > To: users@dpdk.org
> > > > > > Subject: [dpdk-users] IPSEC-SECGW sample application
> > > > > >
> > > > > >
> > > > > > Hello
> > > > > > I'm using the DPDK17.11 and running the sample app. Ipsec_secgw.
> > > > > > I have 2 ports port 0 is protected and port 1 is unprotected
> > > > > > Traffic is received
> > > > > in
> > > > > > the unprotected and should be sent to the protected  port  for
> > > > > > encryption But the traffic processing for the traffic received
> > > > > > in the unprotected port is going through the
> > **process_pkts_inbound ** .
> > > > > > I expect that the traffic should be directed to the
> > > > > **process_pkts_outbound**
> > > > > > [where ESP headers are added etc.] Can someone help ?
> > > > > >
> > > > > >
> > > > > > This is the config file:
> > > > > >
> > > > > > > #SP rules
> > > > > > > sp ipv4 in esp protect 5 src 1.1.1.2/32 dst 1.1.2.10/32
> > > > > > > #SA rules
> > > > > > > sa in 5 cipher_algo aes-128-cbc cipher_key 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \
> > > > > > > auth_algo sha1-hmac auth_key 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \
> > > > > > > mode ipv4-tunnel src 172.16.1.5 dst 172.16.2.5 \
> > > > > > > type inline-protocol-offload port_id 0
> > > > > > > #Routing rules
> > > > > > > rt ipv4 dst 172.16.2.5/32 port 0
> > > > > > > rt ipv4 dst 1.1.2.0/24 port 0
> > > > > > > rt ipv4 dst 1.1.1.0/24 port 0
> > > > > >
> > > > > >
> > > > > > and this is the command line to run the applic:
> > > > > >
> > > > > > ./ipsec-secgw -l 1 -n 2 -- -p 0x3 -P -u 0x2
> > > > > > --config="(0,0,1),(1,0,1)" -f ../ep1.cfg
> > > > > >
> > > > > >
> > > > > > Best Regards
> > > > > > Avi

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [dpdk-users] IPSEC-SECGW sample application
  2018-01-09 10:00         ` De Lara Guarch, Pablo
  2018-01-09 15:15           ` Avi Cohen (A)
@ 2018-01-14 13:53           ` Avi Cohen (A)
  2018-01-15 13:54           ` Avi Cohen (A)
  2 siblings, 0 replies; 10+ messages in thread
From: Avi Cohen (A) @ 2018-01-14 13:53 UTC (permalink / raw)
  To: De Lara Guarch, Pablo, Gowda, Sandesh, users

Hi Sandesh
The ipsec-secgw is generally working except for the cksm.
E.g. when I send an icmp echo request, I see a bad checksum on the destination machine.
Does HW cksm offload coexist with ipsec offload? Other?
Best Regards
Avi

> -----Original Message-----
> From: Avi Cohen (A)
> Sent: Tuesday, 09 January, 2018 5:15 PM
> To: 'De Lara Guarch, Pablo'; Gowda, Sandesh; users@dpdk.org
> Subject: RE: IPSEC-SECGW sample application
> 
> Thank you Sandesh and Pablo
> I went back to the ipsec-secgw app.
> with gdb  I saw that the ixgbe driver is complaining about the aead algo, so I
> only changed  the sa configuration I added the aead algo to the sa - and now
> ipsec offload is working fine.
> 
> sa in 105 aead_algo aes-128-gcm \
> aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
> mode ipv4-tunnel src 172.16.2.5 dst 172.16.1.5
> 
> Best Regards
> Avi
> > -----Original Message-----
> > From: De Lara Guarch, Pablo [mailto:pablo.de.lara.guarch@intel.com]
> > Sent: Tuesday, 09 January, 2018 12:00 PM
> > To: Avi Cohen (A); Gowda, Sandesh; users@dpdk.org
> > Subject: RE: IPSEC-SECGW sample application
> >
> > Hi Avi,
> >
> > > -----Original Message-----
> > > From: users [mailto:users-bounces@dpdk.org] On Behalf Of Avi Cohen
> > > (A)
> > > Sent: Tuesday, January 9, 2018 9:39 AM
> > > To: Gowda, Sandesh <sandesh.gowda@intel.com>; users@dpdk.org
> > > Subject: Re: [dpdk-users] IPSEC-SECGW sample application
> > >
> > > Thank you Sandesh
> > > I'm trying to run the l2fwd-crypto sample app.  but  got this error msg :
> > > "No crypto devices available
> > > EAL: Error - exiting with code: 1
> > >  Cause: Failed to initialize crypto devices"
> > >
> > > My setup include 2 physical ports (intel x540)  bound to dpdk -
> > > these Nics are ipsec offload capable.
> >
> > L2fwd-crypto does not support inline IPSec. For this application, you
> > can only use crypto devices (under crypto folder).
> >
> > Pablo
> >
> > >
> > > The cmd-line I use is:
> > > ./l2fwd-crypto -l 0-1 -n 4 -- -p 0x3 --cdev_type HW --chain
> > > CIPHER_HASH -- cipher_op ENCRYPT --cipher_algo aes-cbc --cipher_key
> > > 00:01:02:03:04:05:06:07:08:09:0a:0b:0c:0d:0e:0f --auth_op GENERATE
> > > -- auth_algo aes-xcbc-mac --auth_key
> > > 10:11:12:13:14:15:16:17:18:19:1a:1b:1c:1d:1e:1f
> > >
> > > Best Regards
> > > Avi
> > >
> > >
> > > > -----Original Message-----
> > > > From: Gowda, Sandesh [mailto:sandesh.gowda@intel.com]
> > > > Sent: Monday, 08 January, 2018 7:23 PM
> > > > To: Avi Cohen (A); users@dpdk.org
> > > > Subject: RE: IPSEC-SECGW sample application
> > > >
> > > > Hi Avi,
> > > >
> > > >  My response inline.
> > > >
> > > > > 1.  I see in the documentation that this app. Supports only
> > > > > **complete offload**.
> > > > >  But Intel NICS x540 and 82599 which supports ipsec offload
> > > > > requires that the SW will  add/remove the ESP headers How can I
> > > > > run this app with
> > > > x540 nic ?
> > > >
> > > > The SA rule "type" field lets you choose the kind of offload.
> > > > Following is the description from the ipsecgw app guide:
> > > >
> > > > <type>
> > > >
> > > > Action type to specify the security action. This option specify
> > > > the SA to be performed with look aside protocol offload to HW
> > > > accelerator or protocol offload on ethernet device or inline
> > > > crypto processing on the ethernet device during transmission.
> > > > Optional: Yes, default type no-offload Available options:
> > > > lookaside-protocol-offload: look aside protocol offload to HW
> > > > accelerator
> > > > inline-protocol-offload: inline protocol offload on ethernet
> > > > device
> > > > inline-crypto-offload: inline crypto processing on ethernet device
> > > > no-offload: no offloading to hardware
> > > >
> > > > Correct your SA rules to have the desired "type" field.
> > > >
> > > > The ipsecgw application must work fine for QAT PCIe as well as
> > > > Ethernet NIC with IPSec feature provided the VFs as correctly
> > > > bound to
> > > DPDK.
> > > >
> > > >
> > > > >  2. I added support for ESP header and trailer insertion for
> > > > > inline-protocol- offload for intel x540 Can you tell me the
> > > > > exact command line to run the application for this mode ?
> > > > > is vdev required ?
> > > >
> > > >  The ipsecgw application must work fine for QAT PCIe as well as
> > > > Ethernet NIC with IPSec feature provided the VFs as correctly
> > > > bound to
> > > DPDK.
> > > > Please try running a more basic L2Fwd Crypto application on your
> > > > NIC to make sure the Crypto feature works.
> > > >
> > > >  Regards,
> > > >  Sandesh
> > > >
> > > >
> > > >
> > > > > -----Original Message-----
> > > > > From: Avi Cohen (A) [mailto:avi.cohen@huawei.com]
> > > > > Sent: Monday, January 08, 2018 10:05 PM
> > > > > To: Gowda, Sandesh <sandesh.gowda@intel.com>; users@dpdk.org
> > > > > Subject: RE: IPSEC-SECGW sample application
> > > > >
> > > > >
> > > > >  Hi  Sandesh  [I added one more question]  Thank you - I already
> > > > > understood that.
> > > > > 1.  I see in the documentation that this app. Supports only
> > > > > **complete offload**.
> > > > >  But Intel NICS x540 and 82599 which supports ipsec offload
> > > > > requires that the SW will  add/remove the ESP headers How can I
> > > > > run this app with
> > > > x540 nic ?
> > > > >
> > > > >  2. I added support for ESP header and trailer insertion for
> > > > > inline-protocol- offload for intel x540 Can you tell me the
> > > > > exact command line to run the application for this mode ?
> > > > > is vdev required ?
> > > > >  Best Regards
> > > > >  Avi
> > > > > >
> > > > > >
> > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: Gowda, Sandesh [mailto:sandesh.gowda@intel.com]
> > > > > > > Sent: Monday, 08 January, 2018 10:47 AM
> > > > > > > To: Avi Cohen (A); users@dpdk.org
> > > > > > > Subject: RE: IPSEC-SECGW sample application
> > > > > > >
> > > > > > >
> > > > > > > Hi Avi,
> > > > > > >
> > > > > > >  The application classifies the ports as Protected and Unprotected.
> > > > > > > Thus,
> > > > > > traffic
> > > > > > > received on an Unprotected or Protected port is consider
> > > > > > > Inbound or
> > > > > > Outbound
> > > > > > > respectively.
> > > > > > > ( Refer :
> > > > > > > http://dpdk.org/doc/guides/sample_app_ug/ipsec_secgw.html
> > > > > > > )
> > > > > > >
> > > > > > >  The Packets sent on a  Unprotected network requires
> > > > > > > Encryption whereas packets on Protected Network can be plain text.
> > > > > > >  This is the expected behavior.
> > > > > > >
> > > > > > >  Regards,
> > > > > > >  Sandesh
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: users [mailto:users-bounces@dpdk.org] On Behalf Of Avi
> > > > > > > Cohen
> > > > > > > (A)
> > > > > > > Sent: Sunday, January 07, 2018 9:12 PM
> > > > > > > To: users@dpdk.org
> > > > > > > Subject: [dpdk-users] IPSEC-SECGW sample application
> > > > > > >
> > > > > > >
> > > > > > > Hello
> > > > > > > I'm using the DPDK17.11 and running the sample app. Ipsec_secgw.
> > > > > > > I have 2 ports port 0 is protected and port 1 is unprotected
> > > > > > > Traffic is received
> > > > > > in
> > > > > > > the unprotected and should be sent to the protected  port
> > > > > > > for encryption But the traffic processing for the traffic
> > > > > > > received in the unprotected port is going through the
> > > **process_pkts_inbound ** .
> > > > > > > I expect that the traffic should be directed to the
> > > > > > **process_pkts_outbound**
> > > > > > > [where ESP headers are added etc.] Can someone help ?
> > > > > > >
> > > > > > >
> > > > > > > This is the config file:
> > > > > > >
> > > > > > > > #SP rules
> > > > > > > > sp ipv4 in esp protect 5 src 1.1.1.2/32 dst 1.1.2.10/32
> > > > > > > > #SA rules
> > > > > > > > sa in 5 cipher_algo aes-128-cbc cipher_key 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \
> > > > > > > > auth_algo sha1-hmac auth_key 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \
> > > > > > > > mode ipv4-tunnel src 172.16.1.5 dst 172.16.2.5 \
> > > > > > > > type inline-protocol-offload port_id 0
> > > > > > > > #Routing rules
> > > > > > > > rt ipv4 dst 172.16.2.5/32 port 0
> > > > > > > > rt ipv4 dst 1.1.2.0/24 port 0
> > > > > > > > rt ipv4 dst 1.1.1.0/24 port 0
> > > > > > >
> > > > > > >
> > > > > > > and this is the command line to run the applic:
> > > > > > >
> > > > > > > ./ipsec-secgw -l 1 -n 2 -- -p 0x3 -P -u 0x2
> > > > > > > --config="(0,0,1),(1,0,1)" -f ../ep1.cfg
> > > > > > >
> > > > > > >
> > > > > > > Best Regards
> > > > > > > Avi

^ permalink raw reply	[flat|nested] 10+ messages in thread
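
The SA rules quoted in the message above, run through a small linter. This is an added example, not part of the thread and not DPDK code; the function names are hypothetical, the key-length table is read off the thread's own rules (the 16-byte key plus 4-byte salt split for aes-128-gcm is an assumption), and the third sample rule is constructed.

```python
# Added example: lint ipsec-secgw "sa" rules such as those quoted in this thread.
# Key lengths (bytes) are read off the thread's rules; assumed: 20 = 16 key + 4 salt.
KEY_LEN = {"aes-128-cbc": 16, "sha1-hmac": 20, "aes-128-gcm": 20}
ALGO_KEY = {"cipher_algo": "cipher_key", "auth_algo": "auth_key",
            "aead_algo": "aead_key"}
# Offload types listed in the app-guide excerpt quoted in the thread.
TYPES = {"lookaside-protocol-offload", "inline-protocol-offload",
         "inline-crypto-offload", "no-offload"}

def split_rules(text):
    """Join backslash-continued lines; skip blank lines and '#' comments."""
    rules, buf = [], ""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
        else:
            rules.append(buf + line)
            buf = ""
    return rules + ([buf] if buf.strip() else [])

def parse_sa(rule):
    """Return one rule as a dict: dir, spi, then its keyword/value pairs."""
    tok = rule.split()
    if len(tok) < 3 or tok[0] != "sa" or tok[1] not in ("in", "out"):
        raise ValueError("not an SA rule: " + rule)
    if len(tok[3:]) % 2:
        raise ValueError("keyword without a value in: " + rule)
    sa = {"dir": tok[1], "spi": int(tok[2])}
    sa.update(zip(tok[3::2], tok[4::2]))
    return sa

def key_bytes(text):
    """Colon-separated hex octets ('de:ad:0:ef') to bytes."""
    return bytes(int(octet, 16) for octet in text.split(":") if octet)

def is_patterned(key):
    """True when the key is one 1-, 2- or 4-byte unit repeated throughout."""
    return bool(key) and any(
        len(key) % n == 0 and key == key[:n] * (len(key) // n) for n in (1, 2, 4))

def lint_sa(sa):
    """Return a list of findings for one parsed SA rule."""
    out = []
    for algo_kw, key_kw in ALGO_KEY.items():
        if algo_kw not in sa:
            continue
        algo, key = sa[algo_kw], key_bytes(sa.get(key_kw, ""))
        want = KEY_LEN.get(algo)  # algorithms outside the table skip this check
        if want is not None and len(key) != want:
            out.append(f"{key_kw}: {len(key)} bytes, {algo} expects {want}")
        if is_patterned(key):
            out.append(f"{key_kw}: repeated-pattern test key")
    if "type" not in sa:
        out.append("type: absent, default is no-offload")
    elif sa["type"] not in TYPES:
        out.append(f"type: unknown value {sa['type']}")
    return out

# SPI 5 and 105 are the thread's rules (mail wrapping undone); SPI 7 is constructed.
SAMPLE = r"""
sa in 5 cipher_algo aes-128-cbc cipher_key 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \
auth_algo sha1-hmac auth_key 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \
mode ipv4-tunnel src 172.16.1.5 dst 172.16.2.5 \
type inline-protocol-offload port_id 0
sa in 105 aead_algo aes-128-gcm \
aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
mode ipv4-tunnel src 172.16.2.5 dst 172.16.1.5
# constructed: 16-byte GCM key (salt missing) and a misspelled type
sa out 7 aead_algo aes-128-gcm \
aead_key 3a:91:c4:0e:77:b2:5d:18:e6:4f:a0:2b:9c:61:d3:85 \
mode ipv4-tunnel src 172.16.1.5 dst 172.16.2.5 type inline-offload
"""

def lint_text(text):
    rules = [parse_sa(r) for r in split_rules(text) if r.startswith("sa ")]
    return {sa["spi"]: lint_sa(sa) for sa in rules}
```

`lint_text(SAMPLE)` returns findings keyed by SPI: both thread rules are flagged for repeated-byte keys, and SPI 105 is noted as having no `type` field.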

* Re: [dpdk-users] IPSEC-SECGW sample application
  2018-01-09 10:00         ` De Lara Guarch, Pablo
  2018-01-09 15:15           ` Avi Cohen (A)
  2018-01-14 13:53           ` Avi Cohen (A)
@ 2018-01-15 13:54           ` Avi Cohen (A)
  2 siblings, 0 replies; 10+ messages in thread
From: Avi Cohen (A) @ 2018-01-15 13:54 UTC (permalink / raw)
  To: De Lara Guarch, Pablo, Gowda, Sandesh, users

The IP checksum is not calculated in the inbound direction - any idea why? (Intel x540)

> -----Original Message-----
> From: Avi Cohen (A)
> Sent: Sunday, 14 January, 2018 3:53 PM
> To: 'De Lara Guarch, Pablo'; 'Gowda, Sandesh'; 'users@dpdk.org'
> Subject: RE: IPSEC-SECGW sample application
> 
> Hi Sandesh
> The ipsec-secgw is generally working except for the cksm.
> e.g. when I send icmp echo request - I see bad checksum in the destination
> machine is HW cksm offload coexists  with ipsec offload ? other ?
> Best Regards
> Avi
> 
> > -----Original Message-----
> > From: Avi Cohen (A)
> > Sent: Tuesday, 09 January, 2018 5:15 PM
> > To: 'De Lara Guarch, Pablo'; Gowda, Sandesh; users@dpdk.org
> > Subject: RE: IPSEC-SECGW sample application
> >
> > Thank you Sandesh and Pablo
> > I went back to the ipsec-secgw app.
> > with gdb  I saw that the ixgbe driver is complaining about the aead
> > algo, so I only changed  the sa configuration I added the aead algo to
> > the sa - and now ipsec offload is working fine.
> >
> > sa in 105 aead_algo aes-128-gcm \
> > aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
> > mode ipv4-tunnel src 172.16.2.5 dst 172.16.1.5
> >
> > Best Regards
> > Avi
> > > -----Original Message-----
> > > From: De Lara Guarch, Pablo [mailto:pablo.de.lara.guarch@intel.com]
> > > Sent: Tuesday, 09 January, 2018 12:00 PM
> > > To: Avi Cohen (A); Gowda, Sandesh; users@dpdk.org
> > > Subject: RE: IPSEC-SECGW sample application
> > >
> > > Hi Avi,
> > >
> > > > -----Original Message-----
> > > > From: users [mailto:users-bounces@dpdk.org] On Behalf Of Avi Cohen
> > > > (A)
> > > > Sent: Tuesday, January 9, 2018 9:39 AM
> > > > To: Gowda, Sandesh <sandesh.gowda@intel.com>; users@dpdk.org
> > > > Subject: Re: [dpdk-users] IPSEC-SECGW sample application
> > > >
> > > > Thank you Sandesh
> > > > I'm trying to run the l2fwd-crypto sample app.  but  got this error msg :
> > > > "No crypto devices available
> > > > EAL: Error - exiting with code: 1
> > > >  Cause: Failed to initialize crypto devices"
> > > >
> > > > My setup include 2 physical ports (intel x540)  bound to dpdk -
> > > > these Nics are ipsec offload capable.
> > >
> > > L2fwd-crypto does not support inline IPSec. For this application,
> > > you can only use crypto devices (under crypto folder).
> > >
> > > Pablo
> > >
> > > >
> > > > The cmd-line I use is:
> > > > ./l2fwd-crypto -l 0-1 -n 4 -- -p 0x3 --cdev_type HW --chain
> > > > CIPHER_HASH -- cipher_op ENCRYPT --cipher_algo aes-cbc
> > > > --cipher_key 00:01:02:03:04:05:06:07:08:09:0a:0b:0c:0d:0e:0f
> > > > --auth_op GENERATE
> > > > -- auth_algo aes-xcbc-mac --auth_key
> > > > 10:11:12:13:14:15:16:17:18:19:1a:1b:1c:1d:1e:1f
> > > >
> > > > Best Regards
> > > > Avi
> > > >
> > > >
> > > > > -----Original Message-----
> > > > > From: Gowda, Sandesh [mailto:sandesh.gowda@intel.com]
> > > > > Sent: Monday, 08 January, 2018 7:23 PM
> > > > > To: Avi Cohen (A); users@dpdk.org
> > > > > Subject: RE: IPSEC-SECGW sample application
> > > > >
> > > > > Hi Avi,
> > > > >
> > > > >  My response inline.
> > > > >
> > > > > > 1.  I see in the documentation that this app. Supports only
> > > > > > **complete offload**.
> > > > > >  But Intel NICS x540 and 82599 which supports ipsec offload
> > > > > > requires that the SW will  add/remove the ESP headers How can
> > > > > > I run this app with
> > > > > x540 nic ?
> > > > >
> > > > > The SA rule "type" field lets you choose the kind of offload.
> > > > > Following is the description from the ipsecgw app guide:
> > > > >
> > > > > <type>
> > > > >
> > > > > Action type to specify the security action. This option specify
> > > > > the SA to be performed with look aside protocol offload to HW
> > > > > accelerator or protocol offload on ethernet device or inline
> > > > > crypto processing on the ethernet device during transmission.
> > > > > Optional: Yes, default type no-offload Available options:
> > > > > lookaside-protocol-offload: look aside protocol offload to HW
> > > > > accelerator
> > > > > inline-protocol-offload: inline protocol offload on ethernet
> > > > > device
> > > > > inline-crypto-offload: inline crypto processing on ethernet
> > > > > device
> > > > > no-offload: no offloading to hardware
> > > > >
> > > > > Correct your SA rules to have the desired "type" field.
> > > > >
> > > > > The ipsecgw application must work fine for QAT PCIe as well as
> > > > > Ethernet NIC with IPSec feature provided the VFs as correctly
> > > > > bound to
> > > > DPDK.
> > > > >
> > > > >
> > > > > >  2. I added support for ESP header and trailer insertion for
> > > > > > inline-protocol- offload for intel x540 Can you tell me the
> > > > > > exact command line to run the application for this mode ?
> > > > > > is vdev required ?
> > > > >
> > > > >  The ipsecgw application must work fine for QAT PCIe as well as
> > > > > Ethernet NIC with IPSec feature provided the VFs as correctly
> > > > > bound to
> > > > DPDK.
> > > > > Please try running a more basic L2Fwd Crypto application on your
> > > > > NIC to make sure the Crypto feature works.
> > > > >
> > > > >  Regards,
> > > > >  Sandesh
> > > > >
> > > > >
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: Avi Cohen (A) [mailto:avi.cohen@huawei.com]
> > > > > > Sent: Monday, January 08, 2018 10:05 PM
> > > > > > To: Gowda, Sandesh <sandesh.gowda@intel.com>; users@dpdk.org
> > > > > > Subject: RE: IPSEC-SECGW sample application
> > > > > >
> > > > > >
> > > > > >  Hi  Sandesh  [I added one more question]  Thank you - I
> > > > > > already understood that.
> > > > > > 1.  I see in the documentation that this app. Supports only
> > > > > > **complete offload**.
> > > > > >  But Intel NICS x540 and 82599 which supports ipsec offload
> > > > > > requires that the SW will  add/remove the ESP headers How can
> > > > > > I run this app with
> > > > > x540 nic ?
> > > > > >
> > > > > >  2. I added support for ESP header and trailer insertion for
> > > > > > inline-protocol- offload for intel x540 Can you tell me the
> > > > > > exact command line to run the application for this mode ?
> > > > > > is vdev required ?
> > > > > >  Best Regards
> > > > > >  Avi
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: Gowda, Sandesh [mailto:sandesh.gowda@intel.com]
> > > > > > > > Sent: Monday, 08 January, 2018 10:47 AM
> > > > > > > > To: Avi Cohen (A); users@dpdk.org
> > > > > > > > Subject: RE: IPSEC-SECGW sample application
> > > > > > > >
> > > > > > > >
> > > > > > > > Hi Avi,
> > > > > > > >
> > > > > > > >  The application classifies the ports as Protected and Unprotected.
> > > > > > > > Thus,
> > > > > > > traffic
> > > > > > > > received on an Unprotected or Protected port is consider
> > > > > > > > Inbound or
> > > > > > > Outbound
> > > > > > > > respectively.
> > > > > > > > ( Refer :
> > > > > > > > http://dpdk.org/doc/guides/sample_app_ug/ipsec_secgw.html
> > > > > > > > )
> > > > > > > >
> > > > > > > >  The Packets sent on a  Unprotected network requires
> > > > > > > > Encryption whereas packets on Protected Network can be plain
> text.
> > > > > > > >  This is the expected behavior.
> > > > > > > >
> > > > > > > >  Regards,
> > > > > > > >  Sandesh
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: users [mailto:users-bounces@dpdk.org] On Behalf Of
> > > > > > > > Avi Cohen
> > > > > > > > (A)
> > > > > > > > Sent: Sunday, January 07, 2018 9:12 PM
> > > > > > > > To: users@dpdk.org
> > > > > > > > Subject: [dpdk-users] IPSEC-SECGW sample application
> > > > > > > >
> > > > > > > >
> > > > > > > > Hello
> > > > > > > > I'm using the DPDK17.11 and running the sample app.
> Ipsec_secgw.
> > > > > > > > I have 2 ports port 0 is protected and port 1 is
> > > > > > > > unprotected Traffic is received
> > > > > > > in
> > > > > > > > the unprotected and should be sent to the protected  port
> > > > > > > > for encryption But the traffic processing for the traffic
> > > > > > > > received in the unprotected port is going through the
> > > > **process_pkts_inbound ** .
> > > > > > > > I expect that the traffic should be directed to the
> > > > > > > **process_pkts_outbound**
> > > > > > > > [where ESP headers are added etc.] Can someone help ?
> > > > > > > >
> > > > > > > >
> > > > > > > > This is the config file:
> > > > > > > >
> > > > > > > > > #SP rules
> > > > > > > > > sp ipv4 in esp protect 5 src 1.1.1.2/32 dst 1.1.2.10/32
> > > > > > > > > #SA rules
> > > > > > > > > sa in 5 cipher_algo aes-128-cbc cipher_key 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \
> > > > > > > > > auth_algo sha1-hmac auth_key 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \
> > > > > > > > > mode ipv4-tunnel src 172.16.1.5 dst 172.16.2.5 \
> > > > > > > > > type inline-protocol-offload port_id 0
> > > > > > > > > #Routing rules
> > > > > > > > > rt ipv4 dst 172.16.2.5/32 port 0
> > > > > > > > > rt ipv4 dst 1.1.2.0/24 port 0
> > > > > > > > > rt ipv4 dst 1.1.1.0/24 port 0
> > > > > > > >
> > > > > > > >
> > > > > > > > and this is the command line to run the applic:
> > > > > > > >
> > > > > > > > ./ipsec-secgw -l 1 -n 2 -- -p 0x3 -P -u 0x2
> > > > > > > > --config="(0,0,1),(1,0,1)" -f ../ep1.cfg
> > > > > > > >
> > > > > > > >
> > > > > > > > Best Regards
> > > > > > > > Avi

^ permalink raw reply	[flat|nested] 10+ messages in thread

end of thread, other threads:[~2018-01-15 13:55 UTC | newest]

Thread overview: 10+ messages
2018-01-07 15:41 [dpdk-users] IPSEC-SECGW sample application Avi Cohen (A)
2018-01-08  8:47 ` Gowda, Sandesh
2018-01-08 11:47   ` Avi Cohen (A)
2018-01-08 16:34   ` Avi Cohen (A)
2018-01-08 17:23     ` Gowda, Sandesh
2018-01-09  9:38       ` Avi Cohen (A)
2018-01-09 10:00         ` De Lara Guarch, Pablo
2018-01-09 15:15           ` Avi Cohen (A)
2018-01-14 13:53           ` Avi Cohen (A)
2018-01-15 13:54           ` Avi Cohen (A)
