Is if_ipsec/ipsec - AESNI accelerated ?

David P. Discher dpd at dpdtech.com
Thu Aug 9 20:11:33 UTC 2018


The documentation for using IPSec (especially if_ipsec) is really thin for FreeBSD, so I pieced some of this together from various posts and mailing list threads.

Is there no need for racoon? How in this example is the IKE/ISAKMP setup done? Is setkey doing this?


> On Aug 9, 2018, at 1:32 AM, Andrey V. Elsukov <bu7cher at yandex.ru> wrote:
> 
> # kldload aesni
> # setkey -DF
> # setkey -c
> add 10.0.0.25 10.0.0.15 esp 10000 -m tunnel -u 16385 -E rijndael-cbc
> "0123456789123456";
> add 10.0.0.15 10.0.0.25 esp 20000 -m tunnel -u 16385 -E rijndael-cbc
> "0123456789123456";
> 
> # sysctl net.inet.ipsec.async_crypto=0
> net.inet.ipsec.async_crypto: 1 -> 0

This is 11.2-stable, shortly after release … I don’t have this sysctl.

    [ pts/0 sjc2 util201:~ ]
    [ dpd ] > sysctl net.inet.ipsec
    net.inet.ipsec.def_policy: 1
    net.inet.ipsec.esp_trans_deflev: 1
    net.inet.ipsec.esp_net_deflev: 1
    net.inet.ipsec.ah_trans_deflev: 1
    net.inet.ipsec.ah_net_deflev: 1
    net.inet.ipsec.ah_cleartos: 1
    net.inet.ipsec.dfbit: 0
    net.inet.ipsec.ecn: 0
    net.inet.ipsec.debug: 0
    net.inet.ipsec.filtertunnel: 0
    net.inet.ipsec.natt_cksum_policy: 0
    net.inet.ipsec.check_policy_history: 0
    net.inet.ipsec.crypto_support: 50331648



> On Aug 9, 2018, at 6:40 AM, John-Mark Gurney <jmg at funkthat.com> wrote:
> 
> 
> You don't show what ciphers you are using.  It could be that you're
> using CBC mode, which is known to be slow, or that you're using a
> slow AH that is limiting performance, and not the cipher...
> 
> Need to see your setkey.conf, or at least the output of setkey -D..

racoon.conf is:

    sainfo anonymous
    {
        pfs_group 2;
        lifetime time 86400 seconds;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha256;
        compression_algorithm deflate;
    }

    remote 10.245.0.202 [500] {
        passive off;
        my_identifier address 172.30.1.13;
        exchange_mode main;
        lifetime time 24 hour;
        proposal {
            encryption_algorithm aes;
            hash_algorithm sha1;
            authentication_method pre_shared_key;
            dh_group 2;
        }
    }


For some reason, I don’t think I can use AES-GCM on the juniper side, because of a combination of other required settings.  I remember trying, but don’t remember why I can’t.


setkey.conf is:

        flush;
        spdflush;

        spdadd -4n 172.30.1.12/30 172.30.1.12/30 any -P out ipsec esp/tunnel/10.245.0.201-10.245.0.202/unique:12;
        spdadd -4n 172.30.1.12/30 172.30.1.12/30 any -P in  ipsec esp/tunnel/10.245.0.202-10.245.0.201/unique:12;
        spdadd -4n 172.30.1.4/30 172.30.1.4/30 any -P out ipsec esp/tunnel/10.245.0.201-10.245.0.203/unique:4;
        spdadd -4n 172.30.1.4/30 172.30.1.4/30 any -P in  ipsec esp/tunnel/10.245.0.203-10.245.0.201/unique:4;

And that results in:

[ pts/0 sjc2 util201:~ ]
[ dpd ] > sudo setkey -D
Password:
10.245.0.201 10.245.0.202
	esp mode=tunnel spi=60080461(0x0394c14d) reqid=12(0x0000000c)
	E: rijndael-cbc  79e053a5 221c6d48 31e4c98a 3ae8c8ed
	A: hmac-sha2-256  9f1a4188 7849ad94 41cfd974 a5e0570a cc7c54a5 c16f5ebc 6bb39fbb 212abce0
	seq=0x00000011 replay=4 flags=0x00000000 state=mature
	created: Aug  9 19:21:15 2018	current: Aug  9 19:38:13 2018
	diff: 1018(s)	hard: 86400(s)	soft: 69120(s)
	last: Aug  9 19:21:16 2018	hard: 0(s)	soft: 0(s)
	current: 2652(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 17	hard: 0	soft: 0
	sadb_seq=1 pid=2441 refcnt=1
10.245.0.202 10.245.0.201
	esp mode=tunnel spi=170852236(0x0a2eff8c) reqid=12(0x0000000c)
	E: rijndael-cbc  221239cf e0ddedc5 88f1f711 5e744723
	A: hmac-sha2-256  bf214e0e 73b27e42 1090a067 eaed9e2a d36d3ae7 529a40a1 bf5ea2c9 0e3f5f27
	seq=0x00000000 replay=4 flags=0x00000000 state=mature
	created: Aug  9 19:21:15 2018	current: Aug  9 19:38:13 2018
	diff: 1018(s)	hard: 86400(s)	soft: 69120(s)
	last:                     	hard: 0(s)	soft: 0(s)
	current: 0(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 0	hard: 0	soft: 0
	sadb_seq=0 pid=2441 refcnt=1



[ pts/0 sjc2 util201:~ ]
[ dpd ] > sudo setkey -D -P
172.30.1.12/30[any] 172.30.1.12/30[any] any
	in ipsec
	esp/tunnel/10.245.0.202-10.245.0.201/unique:12
	spid=22 seq=11 pid=2443 scope=global
	refcnt=1
172.30.1.4/30[any] 172.30.1.4/30[any] any
	in ipsec
	esp/tunnel/10.245.0.203-10.245.0.201/unique:4
	spid=24 seq=10 pid=2443 scope=global
	refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
	in ipsec
	esp/tunnel/10.245.0.202-10.245.0.201/unique:12
	spid=5 seq=9 pid=2443 scope=ifnet ifname=ipsec12
	refcnt=1
::/0[any] ::/0[any] any
	in ipsec
	esp/tunnel/10.245.0.202-10.245.0.201/unique:12
	spid=7 seq=8 pid=2443 scope=ifnet ifname=ipsec12
	refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
	in ipsec
	esp/tunnel/10.245.0.203-10.245.0.201/unique:4
	spid=13 seq=7 pid=2443 scope=ifnet ifname=ipsec4
	refcnt=1
::/0[any] ::/0[any] any
	in ipsec
	esp/tunnel/10.245.0.203-10.245.0.201/unique:4
	spid=15 seq=6 pid=2443 scope=ifnet ifname=ipsec4
	refcnt=1
172.30.1.12/30[any] 172.30.1.12/30[any] any
	out ipsec
	esp/tunnel/10.245.0.201-10.245.0.202/unique:12
	spid=21 seq=5 pid=2443 scope=global
	refcnt=1
172.30.1.4/30[any] 172.30.1.4/30[any] any
	out ipsec
	esp/tunnel/10.245.0.201-10.245.0.203/unique:4
	spid=23 seq=4 pid=2443 scope=global
	refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
	out ipsec
	esp/tunnel/10.245.0.201-10.245.0.202/unique:12
	spid=6 seq=3 pid=2443 scope=ifnet ifname=ipsec12
	refcnt=1
::/0[any] ::/0[any] any
	out ipsec
	esp/tunnel/10.245.0.201-10.245.0.202/unique:12
	spid=8 seq=2 pid=2443 scope=ifnet ifname=ipsec12
	refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
	out ipsec
	esp/tunnel/10.245.0.201-10.245.0.203/unique:4
	spid=14 seq=1 pid=2443 scope=ifnet ifname=ipsec4
	refcnt=1
::/0[any] ::/0[any] any
	out ipsec
	esp/tunnel/10.245.0.201-10.245.0.203/unique:4
	spid=16 seq=0 pid=2443 scope=ifnet ifname=ipsec4
	refcnt=1


--
David P. Discher 
https://davidpdischer.com/
408.368.3725 • dpd at dpdtech.com
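Added example, not part of this thread or of FreeBSD's tools: a small parser for the `setkey -D` layout shown above that pulls each SA's encryption and authentication algorithm and key length, and labels whether the SA is an AEAD suite or a cipher plus a separate HMAC, which is the distinction John-Mark asks about. The sample output is constructed: the key hex is made up, and the second SA is invented with aes-gcm-16 to show the AEAD path.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the layout of this thread's `setkey -D` output; the key hex is made up
# and the second SA is invented to show an AEAD suite (aes-gcm-16 prints no separate A: line).
SAMPLE = """\
10.245.0.201 10.245.0.202
\tesp mode=tunnel spi=60080461(0x0394c14d) reqid=12(0x0000000c)
\tE: rijndael-cbc  00112233 44556677 8899aabb ccddeeff
\tA: hmac-sha2-256  00000001 00000002 00000003 00000004 00000005 00000006 00000007 00000008
\tseq=0x00000011 replay=4 flags=0x00000000 state=mature
10.245.0.202 10.245.0.201
\tesp mode=tunnel spi=170852236(0x0a2eff8c) reqid=12(0x0000000c)
\tE: aes-gcm-16  0badf00d 0badf00d 0badf00d 0badf00d 01020304
"""

HDR_RE = re.compile(r"^(\S+) (\S+)$")  # "src dst" line opens an SA entry
SA_RE = re.compile(r"^\t(esp|ah|ipcomp) mode=(\w+) spi=(\d+)\(0x[0-9a-f]+\) reqid=(\d+)")
ALG_RE = re.compile(r"^\t([EA]): (\S+)\s*([0-9a-f ]*)$")  # E: cipher / A: MAC, then key hex

@dataclass
class SA:
    src: str
    dst: str
    kind: str = ""       # e.g. "esp/tunnel"
    spi: int = 0
    reqid: int = 0
    algs: dict = field(default_factory=dict)  # "E"/"A" -> (algorithm, key bits)

def parse_setkey_d(text):
    sas = []
    for line in text.splitlines():
        if m := HDR_RE.match(line):
            sas.append(SA(m[1], m[2]))
        elif sas and (m := SA_RE.match(line)):
            sas[-1].kind, sas[-1].spi, sas[-1].reqid = f"{m[1]}/{m[2]}", int(m[3]), int(m[4])
        elif sas and (m := ALG_RE.match(line)):
            sas[-1].algs[m[1]] = (m[2], len(m[3].replace(" ", "")) * 4)
    return sas

def classify(sa):
    enc, auth = sa.algs.get("E", ("", 0))[0], sa.algs.get("A", ("", 0))[0]
    if enc.startswith("aes-gcm"):
        return "aead"         # one pass for privacy and integrity; key bits include the 32-bit salt
    if enc and auth:
        return "cipher+mac"   # two passes per packet: AES-CBC, then a separate HMAC
    return "check"            # ESP with no MAC, or AH only: confirm this is what you intended
```

Feed it `sudo setkey -D` output instead of SAMPLE to see which of your SAs still pay for a separate HMAC pass.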