Re: [dpdk-users] IPSEC-SECGW sample application

["Gowda, Sandesh" <sandesh.gowda@intel.com>]

Hi Avi,

 My response inline.

> 1.  I see in the documentation that this app. Supports only **complete
> offload**.
>  But Intel NICS x540 and 82599 which supports ipsec offload requires that the
> SW will  add/remove the ESP headers How can I run this app with x540 nic ?

The SA rule "type" field lets you choose the kind of offload. 
Following is the description from the ipsecgw app guide:

<type>

Action type to specify the security action. This option specify the SA to be performed with look aside protocol offload to HW accelerator or protocol offload on ethernet device or inline crypto processing on the ethernet device during transmission.
Optional: Yes, default type no-offload
Available options:
lookaside-protocol-offload: look aside protocol offload to HW accelerator
inline-protocol-offload: inline protocol offload on ethernet device
inline-crypto-offload: inline crypto processing on ethernet device
no-offload: no offloading to hardware

Correct your SA rules to have the desired "type" field.

The ipsecgw application must work fine for QAT PCIe as well as Ethernet NIC with IPSec feature provided the VFs as correctly bound to DPDK.

 
>  2. I added support for ESP header and trailer insertion for inline-protocol-
> offload for intel x540
> Can you tell me the exact command line to run the application for this mode ?
> is vdev required ?

 The ipsecgw application must work fine for QAT PCIe as well as Ethernet NIC with IPSec feature provided the VFs as correctly bound to DPDK. 
Please try running a more basic L2Fwd Crypto application on your NIC to make sure the Crypto feature works.

 Regards,
 Sandesh



> -----Original Message-----
> From: Avi Cohen (A) [mailto:avi.cohen@huawei.com]
> Sent: Monday, January 08, 2018 10:05 PM
> To: Gowda, Sandesh <sandesh.gowda@intel.com>; users@dpdk.org
> Subject: RE: IPSEC-SECGW sample application
> 
> 
>  Hi  Sandesh  [I added one more question]  Thank you - I already understood
> that.
> 1.  I see in the documentation that this app. Supports only **complete
> offload**.
>  But Intel NICS x540 and 82599 which supports ipsec offload requires that the
> SW will  add/remove the ESP headers How can I run this app with x540 nic ?
> 
>  2. I added support for ESP header and trailer insertion for inline-protocol-
> offload for intel x540
> Can you tell me the exact command line to run the application for this mode ?
> is vdev required ?
>  Best Regards
>  Avi
> >
> >
> >
> > > -----Original Message-----
> > > From: Gowda, Sandesh [mailto:sandesh.gowda@intel.com]
> > > Sent: Monday, 08 January, 2018 10:47 AM
> > > To: Avi Cohen (A); users@dpdk.org
> > > Subject: RE: IPSEC-SECGW sample application
> > >
> > >
> > > Hi Avi,
> > >
> > >  The application classifies the ports as Protected and Unprotected.
> > > Thus,
> > traffic
> > > received on an Unprotected or Protected port is consider Inbound or
> > Outbound
> > > respectively.
> > > ( Refer : http://dpdk.org/doc/guides/sample_app_ug/ipsec_secgw.html
> > > )
> > >
> > >  The Packets sent on a  Unprotected network requires Encryption
> > > whereas packets on Protected Network can be plain text.
> > >  This is the expected behavior.
> > >
> > >  Regards,
> > >  Sandesh
> > >
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: users [mailto:users-bounces@dpdk.org] On Behalf Of Avi Cohen
> > > (A)
> > > Sent: Sunday, January 07, 2018 9:12 PM
> > > To: users@dpdk.org
> > > Subject: [dpdk-users] IPSEC-SECGW sample application
> > >
> > >
> > > Hello
> > > I'm using the DPDK17.11 and running the sample app. Ipsec_secgw.
> > > I have 2 ports port 0 is protected and port 1 is unprotected Traffic
> > > is received
> > in
> > > the unprotected and should be sent to the protected  port  for
> > > encryption But the traffic processing for the traffic received in
> > > the unprotected port is going through the **process_pkts_inbound ** .
> > > I expect that the traffic should be directed to the
> > **process_pkts_outbound**
> > > [where ESP headers are added etc.] Can someone help ?
> > >
> > >
> > > This is the config file:
> > >
> > > #SP rules
> > > sp ipv4 in esp protect 5 src 1.1.1.2/32 dst 1.1.2.10/32 #SA rules sa
> > > in 5 cipher_algo aes-128-cbc cipher_key
> > > 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \ auth_algo sha1-hmac auth_key
> > > 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \ mode ipv4-tunnel src
> > > 172.16.1.5 dst 172.16.2.5 \ type inline-protocol-offload port_id 0
> > > #Routing rules rt ipv4 dst 172.16.2.5/32 port 0 rt ipv4 dst
> > > 1.1.2.0/24 port 0 rt ipv4 dst
> > > 1.1.1.0/24 port 0
> > >
> > >
> > > and this is the command line to run the applic:
> > >
> > > ./ipsec-secgw -l 1 -n 2 -- -p 0x3 -P -u 0x2
> > > --config="(0,0,1),(1,0,1)" -f ../ep1.cfg
> > >
> > >
> > > Best Regards
> > > Avi