From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from huawei.com (lhrrgout.huawei.com [194.213.3.17]) by dpdk.org (Postfix) with ESMTP id 853D9A492 for ; Mon, 15 Jan 2018 16:40:07 +0100 (CET) Received: from lhreml707-cah.china.huawei.com (unknown [172.18.7.107]) by Forcepoint Email with ESMTP id 84B7F63D5B970; Mon, 15 Jan 2018 15:40:04 +0000 (GMT) Received: from FRAEMA706-CHM.china.huawei.com (10.206.14.55) by lhreml707-cah.china.huawei.com (10.201.108.48) with Microsoft SMTP Server (TLS) id 14.3.361.1; Mon, 15 Jan 2018 15:40:05 +0000 Received: from FRAEML521-MBX.china.huawei.com ([169.254.1.156]) by FRAEMA706-CHM.china.huawei.com ([169.254.6.40]) with mapi id 14.03.0361.001; Mon, 15 Jan 2018 16:40:00 +0100 From: "Avi Cohen (A)" To: "De Lara Guarch, Pablo" , "Gowda, Sandesh" , "users@dpdk.org" Thread-Topic: **SOLVED** IPSEC-SECGW sample application Thread-Index: AdOOFxk9XIruj3OfTzqklTiwp5nUzQ== Date: Mon, 15 Jan 2018 15:40:00 +0000 Message-ID: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [10.200.202.108] Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-CFilter-Loop: Reflected Subject: Re: [dpdk-users] **SOLVED** IPSEC-SECGW sample application X-BeenThere: users@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK usage discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 15 Jan 2018 15:40:07 -0000 SOLVED - I set to zero the ipcksum in the inbound (in the process_pkts_in= bound) - and now the HW calculates a correct ip-cksum > -----Original Message----- > From: Avi Cohen (A) > Sent: Monday, 15 January, 2018 3:55 PM > To: 'De Lara Guarch, Pablo'; 'Gowda, Sandesh'; 'users@dpdk.org' > Subject: RE: IPSEC-SECGW sample application >=20 > The ip-checksum is not calculated in the inbound direction - any idea why= ? > (Intel x540) >=20 > > -----Original Message----- > > From: Avi Cohen (A) > > Sent: Sunday, 14 January, 2018 3:53 PM > > To: 'De Lara Guarch, Pablo'; 'Gowda, Sandesh'; 'users@dpdk.org' > > Subject: RE: IPSEC-SECGW sample application > > > > Hi Sandesh > > The ipsec-secgw is generally working except for the cksm. > > e.g. when I send icmp echo request - I see bad checksum in the > > destination machine is HW cksm offload coexists with ipsec offload ? o= ther ? > > Best Regards > > Avi > > > > > -----Original Message----- > > > From: Avi Cohen (A) > > > Sent: Tuesday, 09 January, 2018 5:15 PM > > > To: 'De Lara Guarch, Pablo'; Gowda, Sandesh; users@dpdk.org > > > Subject: RE: IPSEC-SECGW sample application > > > > > > Thank you Sandesh and Pablo > > > I went back to the ipsec-secgw app. > > > with gdb I saw that the ixgbe driver is complaining about the aead > > > algo, so I only changed the sa configuration I added the aead algo > > > to the sa - and now ipsec offload is working fine. > > > > > > sa in 105 aead_algo aes-128-gcm \ > > > aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef > > > \ mode ipv4-tunnel src 172.16.2.5 dst 172.16.1.5 > > > > > > Best Regards > > > Avi > > > > -----Original Message----- > > > > From: De Lara Guarch, Pablo > > > > [mailto:pablo.de.lara.guarch@intel.com] > > > > Sent: Tuesday, 09 January, 2018 12:00 PM > > > > To: Avi Cohen (A); Gowda, Sandesh; users@dpdk.org > > > > Subject: RE: IPSEC-SECGW sample application > > > > > > > > Hi Avi, > > > > > > > > > -----Original Message----- > > > > > From: users [mailto:users-bounces@dpdk.org] On Behalf Of Avi > > > > > Cohen > > > > > (A) > > > > > Sent: Tuesday, January 9, 2018 9:39 AM > > > > > To: Gowda, Sandesh ; users@dpdk.org > > > > > Subject: Re: [dpdk-users] IPSEC-SECGW sample application > > > > > > > > > > Thank you Sandesh > > > > > I'm trying to run the l2fwd-crypto sample app. but got this err= or msg : > > > > > "No crypto devices available > > > > > EAL: Error - exiting with code: 1 > > > > > Cause: Failed to initialize crypto devices" > > > > > > > > > > My setup include 2 physical ports (intel x540) bound to dpdk - > > > > > these Nics are ipsec offload capable. > > > > > > > > L2fwd-crypto does not support inline IPSec. For this application, > > > > you can only use crypto devices (under crypto folder). > > > > > > > > Pablo > > > > > > > > > > > > > > The cmd-line I use is: > > > > > ./l2fwd-crypto -l 0-1 -n 4 -- -p 0x3 --cdev_type HW --chain > > > > > CIPHER_HASH -- cipher_op ENCRYPT --cipher_algo aes-cbc > > > > > --cipher_key 00:01:02:03:04:05:06:07:08:09:0a:0b:0c:0d:0e:0f > > > > > --auth_op GENERATE > > > > > -- auth_algo aes-xcbc-mac --auth_key > > > > > 10:11:12:13:14:15:16:17:18:19:1a:1b:1c:1d:1e:1f > > > > > > > > > > Best Regards > > > > > Avi > > > > > > > > > > > > > > > > -----Original Message----- > > > > > > From: Gowda, Sandesh [mailto:sandesh.gowda@intel.com] > > > > > > Sent: Monday, 08 January, 2018 7:23 PM > > > > > > To: Avi Cohen (A); users@dpdk.org > > > > > > Subject: RE: IPSEC-SECGW sample application > > > > > > > > > > > > Hi Avi, > > > > > > > > > > > > My response inline. > > > > > > > > > > > > > 1. I see in the documentation that this app. Supports only > > > > > > > **complete offload**. > > > > > > > But Intel NICS x540 and 82599 which supports ipsec offload > > > > > > > requires that the SW will add/remove the ESP headers How > > > > > > > can I run this app with > > > > > > x540 nic ? > > > > > > > > > > > > The SA rule "type" field lets you choose the kind of offload. > > > > > > Following is the description from the ipsecgw app guide: > > > > > > > > > > > > > > > > > > > > > > > > Action type to specify the security action. This option > > > > > > specify the SA to be performed with look aside protocol > > > > > > offload to HW accelerator or protocol offload on ethernet > > > > > > device or inline crypto processing on the ethernet device durin= g > transmission. > > > > > > Optional: Yes, default type no-offload Available options: > > > > > > lookaside-protocol-offload: look aside protocol offload to HW > > > > > > accelerator > > > > > > inline-protocol-offload: inline protocol offload on ethernet > > > > > > device > > > > > > inline-crypto-offload: inline crypto processing on ethernet > > > > > > device > > > > > > no-offload: no offloading to hardware > > > > > > > > > > > > Correct your SA rules to have the desired "type" field. > > > > > > > > > > > > The ipsecgw application must work fine for QAT PCIe as well as > > > > > > Ethernet NIC with IPSec feature provided the VFs as correctly > > > > > > bound to > > > > > DPDK. > > > > > > > > > > > > > > > > > > > 2. I added support for ESP header and trailer insertion for > > > > > > > inline-protocol- offload for intel x540 Can you tell me the > > > > > > > exact command line to run the application for this mode ? > > > > > > > is vdev required ? > > > > > > > > > > > > The ipsecgw application must work fine for QAT PCIe as well > > > > > > as Ethernet NIC with IPSec feature provided the VFs as > > > > > > correctly bound to > > > > > DPDK. > > > > > > Please try running a more basic L2Fwd Crypto application on > > > > > > your NIC to make sure the Crypto feature works. > > > > > > > > > > > > Regards, > > > > > > Sandesh > > > > > > > > > > > > > > > > > > > > > > > > > -----Original Message----- > > > > > > > From: Avi Cohen (A) [mailto:avi.cohen@huawei.com] > > > > > > > Sent: Monday, January 08, 2018 10:05 PM > > > > > > > To: Gowda, Sandesh ; users@dpdk.org > > > > > > > Subject: RE: IPSEC-SECGW sample application > > > > > > > > > > > > > > > > > > > > > Hi Sandesh [I added one more question] Thank you - I > > > > > > > already understood that. > > > > > > > 1. I see in the documentation that this app. Supports only > > > > > > > **complete offload**. > > > > > > > But Intel NICS x540 and 82599 which supports ipsec offload > > > > > > > requires that the SW will add/remove the ESP headers How > > > > > > > can I run this app with > > > > > > x540 nic ? > > > > > > > > > > > > > > 2. I added support for ESP header and trailer insertion for > > > > > > > inline-protocol- offload for intel x540 Can you tell me the > > > > > > > exact command line to run the application for this mode ? > > > > > > > is vdev required ? > > > > > > > Best Regards > > > > > > > Avi > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > -----Original Message----- > > > > > > > > > From: Gowda, Sandesh [mailto:sandesh.gowda@intel.com] > > > > > > > > > Sent: Monday, 08 January, 2018 10:47 AM > > > > > > > > > To: Avi Cohen (A); users@dpdk.org > > > > > > > > > Subject: RE: IPSEC-SECGW sample application > > > > > > > > > > > > > > > > > > > > > > > > > > > Hi Avi, > > > > > > > > > > > > > > > > > > The application classifies the ports as Protected and > Unprotected. > > > > > > > > > Thus, > > > > > > > > traffic > > > > > > > > > received on an Unprotected or Protected port is consider > > > > > > > > > Inbound or > > > > > > > > Outbound > > > > > > > > > respectively. > > > > > > > > > ( Refer : > > > > > > > > > http://dpdk.org/doc/guides/sample_app_ug/ipsec_secgw.htm > > > > > > > > > l > > > > > > > > > ) > > > > > > > > > > > > > > > > > > The Packets sent on a Unprotected network requires > > > > > > > > > Encryption whereas packets on Protected Network can be > > > > > > > > > plain > > text. > > > > > > > > > This is the expected behavior. > > > > > > > > > > > > > > > > > > Regards, > > > > > > > > > Sandesh > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > -----Original Message----- > > > > > > > > > From: users [mailto:users-bounces@dpdk.org] On Behalf Of > > > > > > > > > Avi Cohen > > > > > > > > > (A) > > > > > > > > > Sent: Sunday, January 07, 2018 9:12 PM > > > > > > > > > To: users@dpdk.org > > > > > > > > > Subject: [dpdk-users] IPSEC-SECGW sample application > > > > > > > > > > > > > > > > > > > > > > > > > > > Hello > > > > > > > > > I'm using the DPDK17.11 and running the sample app. > > Ipsec_secgw. > > > > > > > > > I have 2 ports port 0 is protected and port 1 is > > > > > > > > > unprotected Traffic is received > > > > > > > > in > > > > > > > > > the unprotected and should be sent to the protected > > > > > > > > > port for encryption But the traffic processing for the > > > > > > > > > traffic received in the unprotected port is going > > > > > > > > > through the > > > > > **process_pkts_inbound ** . > > > > > > > > > I expect that the traffic should be directed to the > > > > > > > > **process_pkts_outbound** > > > > > > > > > [where ESP headers are added etc.] Can someone help ? > > > > > > > > > > > > > > > > > > > > > > > > > > > This is the config file: > > > > > > > > > > > > > > > > > > #SP rules > > > > > > > > > sp ipv4 in esp protect 5 src 1.1.1.2/32 dst 1.1.2.10/32 > > > > > > > > > #SA rules sa in 5 cipher_algo aes-128-cbc cipher_key > > > > > > > > > 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \ auth_algo sha1-hmac > > > > > > > > > auth_key > > > > > > > > > 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \ mode > > > > > > > > > ipv4-tunnel src > > > > > > > > > 172.16.1.5 dst 172.16.2.5 \ type inline-protocol-offload > > > > > > > > > port_id > > > > > > > > > 0 #Routing rules rt ipv4 dst 172.16.2.5/32 port 0 rt > > > > > > > > > ipv4 dst > > > > > > > > > 1.1.2.0/24 port 0 rt ipv4 dst > > > > > > > > > 1.1.1.0/24 port 0 > > > > > > > > > > > > > > > > > > > > > > > > > > > and this is the command line to run the applic: > > > > > > > > > > > > > > > > > > ./ipsec-secgw -l 1 -n 2 -- -p 0x3 -P -u 0x2 > > > > > > > > > --config=3D"(0,0,1),(1,0,1)" -f ../ep1.cfg > > > > > > > > > > > > > > > > > > > > > > > > > > > Best Regards > > > > > > > > > Avi