From: "David P. Discher" (dpd@dpdtech.com)
Subject: Re: Is if_ipsec/ipsec - AESNI accelerated ?
Date: Thu, 9 Aug 2018 13:11:28 -0700
To: "Andrey V. Elsukov", John-Mark Gurney
Cc: freebsd-net@freebsd.org
List-Id: Networking and TCP/IP with FreeBSD

The documentation for using IPSec (especially if_ipsec) is really thin for FreeBSD, so I pieced some of this together from various posts and mailing list threads.

Is there no need for racoon ? How in this example is the IKE/ISAKMP setup done ? Is setkey doing this ?

> On Aug 9, 2018, at 1:32 AM, Andrey V. Elsukov wrote:
> 
> # kldload aesni
> # setkey -DF
> # setkey -c
> add 10.0.0.25 10.0.0.15 esp 10000 -m tunnel -u 16385 -E rijndael-cbc
> "0123456789123456";
> add 10.0.0.15 10.0.0.25 esp 20000 -m tunnel -u 16385 -E rijndael-cbc
> "0123456789123456";
> 
> # sysctl net.inet.ipsec.async_crypto=0
> net.inet.ipsec.async_crypto: 1 -> 0

This is 11.2-stable, shortly after release … I don’t have this sysctl.
[ pts/0 sjc2 util201:~ ] [ dpd ] > sysctl net.inet.ipsec
net.inet.ipsec.def_policy: 1
net.inet.ipsec.esp_trans_deflev: 1
net.inet.ipsec.esp_net_deflev: 1
net.inet.ipsec.ah_trans_deflev: 1
net.inet.ipsec.ah_net_deflev: 1
net.inet.ipsec.ah_cleartos: 1
net.inet.ipsec.dfbit: 0
net.inet.ipsec.ecn: 0
net.inet.ipsec.debug: 0
net.inet.ipsec.filtertunnel: 0
net.inet.ipsec.natt_cksum_policy: 0
net.inet.ipsec.check_policy_history: 0
net.inet.ipsec.crypto_support: 50331648

> On Aug 9, 2018, at 6:40 AM, John-Mark Gurney wrote:
> 
> 
> You don't show what ciphers you are using. It could be that you're
> using CBC mode, which is known to be slow, or that you're using a
> slow AH that is limiting performance, and not the cipher...
> 
> Need to see your setkey.conf, or at least the output of setkey -D..

racoon.conf is :

sainfo anonymous {
	pfs_group 2;
	lifetime time 86400 seconds;
	encryption_algorithm aes;
	authentication_algorithm hmac_sha256;
	compression_algorithm deflate;
}

remote 10.245.0.202 [500] {
	passive off;
	my_identifier address 172.30.1.13;
	exchange_mode main;
	lifetime time 24 hour;
	proposal {
		encryption_algorithm aes;
		hash_algorithm sha1;
		authentication_method pre_shared_key;
		dh_group 2;
	}
}

For some reason, I don’t think I can use AES-GCM on the Juniper side, because of a combination of other required settings. I remember trying, but don’t remember why I can’t.
setkey.conf is :

flush;
spdflush;
spdadd -4n 172.30.1.12/30 172.30.1.12/30 any -P out ipsec esp/tunnel/10.245.0.201-10.245.0.202/unique:12;
spdadd -4n 172.30.1.12/30 172.30.1.12/30 any -P in ipsec esp/tunnel/10.245.0.202-10.245.0.201/unique:12;
spdadd -4n 172.30.1.4/30 172.30.1.4/30 any -P out ipsec esp/tunnel/10.245.0.201-10.245.0.203/unique:4;
spdadd -4n 172.30.1.4/30 172.30.1.4/30 any -P in ipsec esp/tunnel/10.245.0.203-10.245.0.201/unique:4;

And that results in :

[ pts/0 sjc2 util201:~ ] [ dpd ] > sudo setkey -D
Password:
10.245.0.201 10.245.0.202
	esp mode=tunnel spi=60080461(0x0394c14d) reqid=12(0x0000000c)
	E: rijndael-cbc 79e053a5 221c6d48 31e4c98a 3ae8c8ed
	A: hmac-sha2-256 9f1a4188 7849ad94 41cfd974 a5e0570a cc7c54a5 c16f5ebc 6bb39fbb 212abce0
	seq=0x00000011 replay=4 flags=0x00000000 state=mature
	created: Aug 9 19:21:15 2018	current: Aug 9 19:38:13 2018
	diff: 1018(s)	hard: 86400(s)	soft: 69120(s)
	last: Aug 9 19:21:16 2018	hard: 0(s)	soft: 0(s)
	current: 2652(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 17	hard: 0	soft: 0
	sadb_seq=1 pid=2441 refcnt=1
10.245.0.202 10.245.0.201
	esp mode=tunnel spi=170852236(0x0a2eff8c) reqid=12(0x0000000c)
	E: rijndael-cbc 221239cf e0ddedc5 88f1f711 5e744723
	A: hmac-sha2-256 bf214e0e 73b27e42 1090a067 eaed9e2a d36d3ae7 529a40a1 bf5ea2c9 0e3f5f27
	seq=0x00000000 replay=4 flags=0x00000000 state=mature
	created: Aug 9 19:21:15 2018	current: Aug 9 19:38:13 2018
	diff: 1018(s)	hard: 86400(s)	soft: 69120(s)
	last:	hard: 0(s)	soft: 0(s)
	current: 0(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 0	hard: 0	soft: 0
	sadb_seq=0 pid=2441 refcnt=1

[ pts/0 sjc2 util201:~ ] [ dpd ] > sudo setkey -D -P
172.30.1.12/30[any] 172.30.1.12/30[any] any
	in ipsec
	esp/tunnel/10.245.0.202-10.245.0.201/unique:12
	spid=22 seq=11 pid=2443 scope=global
	refcnt=1
172.30.1.4/30[any] 172.30.1.4/30[any] any
	in ipsec
	esp/tunnel/10.245.0.203-10.245.0.201/unique:4
	spid=24 seq=10 pid=2443 scope=global
	refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
	in ipsec
	esp/tunnel/10.245.0.202-10.245.0.201/unique:12
	spid=5 seq=9 pid=2443 scope=ifnet ifname=ipsec12
	refcnt=1
::/0[any] ::/0[any] any
	in ipsec
	esp/tunnel/10.245.0.202-10.245.0.201/unique:12
	spid=7 seq=8 pid=2443 scope=ifnet ifname=ipsec12
	refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
	in ipsec
	esp/tunnel/10.245.0.203-10.245.0.201/unique:4
	spid=13 seq=7 pid=2443 scope=ifnet ifname=ipsec4
	refcnt=1
::/0[any] ::/0[any] any
	in ipsec
	esp/tunnel/10.245.0.203-10.245.0.201/unique:4
	spid=15 seq=6 pid=2443 scope=ifnet ifname=ipsec4
	refcnt=1
172.30.1.12/30[any] 172.30.1.12/30[any] any
	out ipsec
	esp/tunnel/10.245.0.201-10.245.0.202/unique:12
	spid=21 seq=5 pid=2443 scope=global
	refcnt=1
172.30.1.4/30[any] 172.30.1.4/30[any] any
	out ipsec
	esp/tunnel/10.245.0.201-10.245.0.203/unique:4
	spid=23 seq=4 pid=2443 scope=global
	refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
	out ipsec
	esp/tunnel/10.245.0.201-10.245.0.202/unique:12
	spid=6 seq=3 pid=2443 scope=ifnet ifname=ipsec12
	refcnt=1
::/0[any] ::/0[any] any
	out ipsec
	esp/tunnel/10.245.0.201-10.245.0.202/unique:12
	spid=8 seq=2 pid=2443 scope=ifnet ifname=ipsec12
	refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
	out ipsec
	esp/tunnel/10.245.0.201-10.245.0.203/unique:4
	spid=14 seq=1 pid=2443 scope=ifnet ifname=ipsec4
	refcnt=1
::/0[any] ::/0[any] any
	out ipsec
	esp/tunnel/10.245.0.201-10.245.0.203/unique:4
	spid=16 seq=0 pid=2443 scope=ifnet ifname=ipsec4
	refcnt=1

-- 
David P. Discher
https://davidpdischer.com/
408.368.3725 • dpd@dpdtech.com
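As an added example (not part of this thread, and not a FreeBSD tool), the following Python script does the two checks a reader of the exchange above would want to make on their own box: it decodes the net.inet.ipsec.crypto_support value (50331648) using the CRYPTOCAP_F_HARDWARE and CRYPTOCAP_F_SOFTWARE bits from FreeBSD's sys/opencrypto/cryptodev.h, which are assumed to match the running kernel, and it parses a `setkey -D` dump to list the cipher and authentication transform of every SA, flagging the CBC-plus-HMAC pairing John-Mark asks about versus an AEAD transform such as aes-gcm-16. The embedded SADB text is constructed after the dump above with the key words replaced by zeros and one hypothetical aes-gcm-16 SA added; the algorithm groupings are the script's own assumption. Note that the mask only says which driver classes IPsec may select; it does not prove a particular SA is being handled by aesni(4).

```python
"""Decode net.inet.ipsec.crypto_support and summarise the transforms in a
`setkey -D` dump.  Added example; assumptions are marked in comments."""
import re

# Capability bits from FreeBSD's sys/opencrypto/cryptodev.h (assumed to match
# the running kernel; confirm against the header shipped with your release).
CRYPTOCAP_F_HARDWARE = 0x01000000
CRYPTOCAP_F_SOFTWARE = 0x02000000

# Algorithm names as setkey(8) prints them.  Assumed grouping: an AEAD cipher
# carries its own integrity tag, a CBC cipher needs a separate A: transform.
AEAD_CIPHERS = {"aes-gcm-16"}
CBC_CIPHERS = {"rijndael-cbc", "aes-cbc", "3des-cbc", "camellia-cbc"}

# Constructed sample in setkey -D layout (keys zeroed, last SA hypothetical).
SAMPLE_SADB = """\
10.245.0.201 10.245.0.202
\tesp mode=tunnel spi=60080461(0x0394c14d) reqid=12(0x0000000c)
\tE: rijndael-cbc 00000000 00000000 00000000 00000000
\tA: hmac-sha2-256 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
\tseq=0x00000011 replay=4 flags=0x00000000 state=mature
\tsadb_seq=1 pid=2441 refcnt=1
10.245.0.202 10.245.0.201
\tesp mode=tunnel spi=170852236(0x0a2eff8c) reqid=12(0x0000000c)
\tE: rijndael-cbc 00000000 00000000 00000000 00000000
\tA: hmac-sha2-256 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
\tsadb_seq=0 pid=2441 refcnt=1
192.0.2.1 192.0.2.2
\tesp mode=tunnel spi=4660(0x00001234) reqid=7(0x00000007)
\tE: aes-gcm-16 00000000 00000000 00000000 00000000 00000000
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
\tsadb_seq=2 pid=2441 refcnt=1
"""

# An SA record starts at column 0 with "src dst"; its details are indented.
SA_HEADER = re.compile(r"^(\S+) (\S+)$")
SA_PARAMS = re.compile(r"^\s+(esp|ah|ipcomp) mode=(\S+) spi=(\d+)\(0x[0-9a-f]+\) reqid=(\d+)")
SA_ALG = re.compile(r"^\s+([EA]): (\S+)((?: [0-9a-f]{8})*)$")


def decode_crypto_support(value):
    """Split the sysctl value into the driver classes IPsec may select."""
    known = CRYPTOCAP_F_HARDWARE | CRYPTOCAP_F_SOFTWARE
    return {
        "hardware": bool(value & CRYPTOCAP_F_HARDWARE),
        "software": bool(value & CRYPTOCAP_F_SOFTWARE),
        "other_bits": value & ~known,  # anything this script does not know
    }


def parse_sadb(text):
    """Return one dict per SA with cipher/auth names and key lengths in bits."""
    sas, cur = [], None
    for line in text.splitlines():
        m = SA_HEADER.match(line)
        if m:
            cur = {"src": m[1], "dst": m[2], "cipher": None, "auth": None,
                   "cipher_key_bits": 0, "auth_key_bits": 0}
            sas.append(cur)
            continue
        if cur is None:
            continue
        m = SA_PARAMS.match(line)
        if m:
            cur.update(proto=m[1], mode=m[2], spi=int(m[3]), reqid=int(m[4]))
            continue
        m = SA_ALG.match(line)
        if m:
            kind, alg, words = m.groups()
            bits = 32 * len(words.split())  # setkey prints 32-bit key words
            if kind == "E":
                cur["cipher"], cur["cipher_key_bits"] = alg, bits
            else:
                cur["auth"], cur["auth_key_bits"] = alg, bits
    return sas


def classify(sa):
    """'aead' = single integrated transform, 'cbc+hmac' = cipher plus a
    separate HMAC pass, 'other' = anything this script does not recognise."""
    if sa["cipher"] in AEAD_CIPHERS and sa["auth"] is None:
        return "aead"
    if sa["cipher"] in CBC_CIPHERS and sa["auth"] is not None:
        return "cbc+hmac"
    return "other"


def report(crypto_support_value, sadb_text):
    """Combine both checks into one structure suitable for printing or tests."""
    return {
        "crypto_support": decode_crypto_support(crypto_support_value),
        "sas": [dict(sa, kind=classify(sa)) for sa in parse_sadb(sadb_text)],
    }


if __name__ == "__main__":
    r = report(50331648, SAMPLE_SADB)  # value from the sysctl output above
    print("crypto_support:", r["crypto_support"])
    for sa in r["sas"]:
        print(f"{sa['src']} -> {sa['dst']} spi={sa['spi']} "
              f"{sa['cipher']}/{sa['cipher_key_bits']} "
              f"{sa['auth']}/{sa['auth_key_bits']} => {sa['kind']}")
```

On a live system, replace SAMPLE_SADB with the text of `sudo setkey -D` and the literal with the output of `sysctl -n net.inet.ipsec.crypto_support`; the key words are only counted, never stored, so the parser can be run over a dump without keeping the key material around.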