Date: Thu, 9 Aug 2018 13:11:28 -0700
From: "David P. Discher" <dpd@dpdtech.com>
To: "Andrey V. Elsukov" <bu7cher@yandex.ru>, John-Mark Gurney <jmg@funkthat.com>
Cc: freebsd-net@freebsd.org
Subject: Re: Is if_ipsec/ipsec - AESNI accelerated ?
Message-ID: <BE275E67-A768-47E9-97D4-0A5E4FDC44EF@dpdtech.com>
In-Reply-To: <e9da62df-90e4-e45b-b073-c4c39555b38d@yandex.ru>
References: <D47976AF-A0AF-4A58-B80E-31E9DED96D26@dpdtech.com> <dc8bea35-1770-48d0-3662-c58e72bd3d2d@yandex.ru> <62E0C365-AD64-4383-8BA4-298AA0E292F4@dpdtech.com> <e9da62df-90e4-e45b-b073-c4c39555b38d@yandex.ru>
The documentation for using IPsec (especially if_ipsec) is really thin for FreeBSD, so I pieced some of this together from various posts and mailing list threads.

Is there no need for racoon? How in this example is the IKE/ISAKMP setup done? Is setkey doing this?

> On Aug 9, 2018, at 1:32 AM, Andrey V. Elsukov <bu7cher@yandex.ru> wrote:
>
> # kldload aesni
> # setkey -DF
> # setkey -c
> add 10.0.0.25 10.0.0.15 esp 10000 -m tunnel -u 16385 -E rijndael-cbc
> "0123456789123456";
> add 10.0.0.15 10.0.0.25 esp 20000 -m tunnel -u 16385 -E rijndael-cbc
> "0123456789123456";
>
> # sysctl net.inet.ipsec.async_crypto=0
> net.inet.ipsec.async_crypto: 1 -> 0

This is 11.2-stable, shortly after release … I don’t have this sysctl.

[ pts/0 sjc2 util201:~ ]
[ dpd ] > sysctl net.inet.ipsec
net.inet.ipsec.def_policy: 1
net.inet.ipsec.esp_trans_deflev: 1
net.inet.ipsec.esp_net_deflev: 1
net.inet.ipsec.ah_trans_deflev: 1
net.inet.ipsec.ah_net_deflev: 1
net.inet.ipsec.ah_cleartos: 1
net.inet.ipsec.dfbit: 0
net.inet.ipsec.ecn: 0
net.inet.ipsec.debug: 0
net.inet.ipsec.filtertunnel: 0
net.inet.ipsec.natt_cksum_policy: 0
net.inet.ipsec.check_policy_history: 0
net.inet.ipsec.crypto_support: 50331648

> On Aug 9, 2018, at 6:40 AM, John-Mark Gurney <jmg@funkthat.com> wrote:
>
> You don't show what ciphers you are using. It could be that you're
> using CBC mode, which is known to be slow, or that you're using a
> slow AH that is limiting performance, and not the cipher...
>
> Need to see your setkey.conf, or at least the output of setkey -D..

racoon.conf is:

sainfo anonymous
{
    pfs_group 2;
    lifetime time 86400 seconds;
    encryption_algorithm aes;
    authentication_algorithm hmac_sha256;
    compression_algorithm deflate;
}

remote 10.245.0.202 [500] {
    passive off;
    my_identifier address 172.30.1.13;
    exchange_mode main;
    lifetime time 24 hour;
    proposal {
        encryption_algorithm aes;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}

For some reason, I don’t think I can use AES-GCM on the Juniper side, because of a combination of other required settings. I remember trying, but don’t remember why I can’t.

setkey.conf is:

flush;
spdflush;
spdadd -4n 172.30.1.12/30 172.30.1.12/30 any -P out ipsec esp/tunnel/10.245.0.201-10.245.0.202/unique:12;
spdadd -4n 172.30.1.12/30 172.30.1.12/30 any -P in ipsec esp/tunnel/10.245.0.202-10.245.0.201/unique:12;
spdadd -4n 172.30.1.4/30 172.30.1.4/30 any -P out ipsec esp/tunnel/10.245.0.201-10.245.0.203/unique:4;
spdadd -4n 172.30.1.4/30 172.30.1.4/30 any -P in ipsec esp/tunnel/10.245.0.203-10.245.0.201/unique:4;

And that results in:

[ pts/0 sjc2 util201:~ ]
[ dpd ] > sudo setkey -D
Password:
10.245.0.201 10.245.0.202
    esp mode=tunnel spi=60080461(0x0394c14d) reqid=12(0x0000000c)
    E: rijndael-cbc 79e053a5 221c6d48 31e4c98a 3ae8c8ed
    A: hmac-sha2-256 9f1a4188 7849ad94 41cfd974 a5e0570a cc7c54a5 c16f5ebc 6bb39fbb 212abce0
    seq=0x00000011 replay=4 flags=0x00000000 state=mature
    created: Aug 9 19:21:15 2018 current: Aug 9 19:38:13 2018
    diff: 1018(s) hard: 86400(s) soft: 69120(s)
    last: Aug 9 19:21:16 2018 hard: 0(s) soft: 0(s)
    current: 2652(bytes) hard: 0(bytes) soft: 0(bytes)
    allocated: 17 hard: 0 soft: 0
    sadb_seq=1 pid=2441 refcnt=1
10.245.0.202 10.245.0.201
    esp mode=tunnel spi=170852236(0x0a2eff8c) reqid=12(0x0000000c)
    E: rijndael-cbc 221239cf e0ddedc5 88f1f711 5e744723
    A: hmac-sha2-256 bf214e0e 73b27e42 1090a067 eaed9e2a d36d3ae7 529a40a1 bf5ea2c9 0e3f5f27
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    created: Aug 9 19:21:15 2018 current: Aug 9 19:38:13 2018
    diff: 1018(s) hard: 86400(s) soft: 69120(s)
    last: hard: 0(s) soft: 0(s)
    current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
    allocated: 0 hard: 0 soft: 0
    sadb_seq=0 pid=2441 refcnt=1

[ pts/0 sjc2 util201:~ ]
[ dpd ] > sudo setkey -D -P
172.30.1.12/30[any] 172.30.1.12/30[any] any
    in ipsec
    esp/tunnel/10.245.0.202-10.245.0.201/unique:12
    spid=22 seq=11 pid=2443 scope=global
    refcnt=1
172.30.1.4/30[any] 172.30.1.4/30[any] any
    in ipsec
    esp/tunnel/10.245.0.203-10.245.0.201/unique:4
    spid=24 seq=10 pid=2443 scope=global
    refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
    in ipsec
    esp/tunnel/10.245.0.202-10.245.0.201/unique:12
    spid=5 seq=9 pid=2443 scope=ifnet ifname=ipsec12
    refcnt=1
::/0[any] ::/0[any] any
    in ipsec
    esp/tunnel/10.245.0.202-10.245.0.201/unique:12
    spid=7 seq=8 pid=2443 scope=ifnet ifname=ipsec12
    refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
    in ipsec
    esp/tunnel/10.245.0.203-10.245.0.201/unique:4
    spid=13 seq=7 pid=2443 scope=ifnet ifname=ipsec4
    refcnt=1
::/0[any] ::/0[any] any
    in ipsec
    esp/tunnel/10.245.0.203-10.245.0.201/unique:4
    spid=15 seq=6 pid=2443 scope=ifnet ifname=ipsec4
    refcnt=1
172.30.1.12/30[any] 172.30.1.12/30[any] any
    out ipsec
    esp/tunnel/10.245.0.201-10.245.0.202/unique:12
    spid=21 seq=5 pid=2443 scope=global
    refcnt=1
172.30.1.4/30[any] 172.30.1.4/30[any] any
    out ipsec
    esp/tunnel/10.245.0.201-10.245.0.203/unique:4
    spid=23 seq=4 pid=2443 scope=global
    refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
    out ipsec
    esp/tunnel/10.245.0.201-10.245.0.202/unique:12
    spid=6 seq=3 pid=2443 scope=ifnet ifname=ipsec12
    refcnt=1
::/0[any] ::/0[any] any
    out ipsec
    esp/tunnel/10.245.0.201-10.245.0.202/unique:12
    spid=8 seq=2 pid=2443 scope=ifnet ifname=ipsec12
    refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
    out ipsec
    esp/tunnel/10.245.0.201-10.245.0.203/unique:4
    spid=14 seq=1 pid=2443 scope=ifnet ifname=ipsec4
    refcnt=1
::/0[any] ::/0[any] any
    out ipsec
    esp/tunnel/10.245.0.201-10.245.0.203/unique:4
    spid=16 seq=0 pid=2443 scope=ifnet ifname=ipsec4
    refcnt=1

--
David P. Discher
https://davidpdischer.com/
408.368.3725 • dpd@dpdtech.com
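
As an added example (not code from the thread, from FreeBSD, or from any of the posters), here is a small Python checker that parses a dump in the format `setkey -D` prints above and reports, per SA, the cipher and authentication algorithms and key lengths. It flags SAs that pair a CBC cipher with a separate HMAC (two crypto operations per packet, as in the rijndael-cbc/hmac-sha2-256 SAs in the dump) as opposed to an AEAD such as aes-gcm-16, and it catches ESP with no authentication algorithm at all (the shape of the manually keyed test SA quoted at the top of the message), a zero replay window, and a zero hard lifetime. It also decodes the net.inet.ipsec.crypto_support value shown earlier (50331648 = 0x03000000) against the CRYPTOCAP_F_HARDWARE / CRYPTOCAP_F_SOFTWARE / CRYPTOCAP_F_SYNC bits from sys/opencrypto/cryptodev.h. The sample dump, the algorithm-name set and the `SA`/`parse_setkey_dump`/`review_sa` names are my own; the sample uses placeholder key words because `setkey -D` prints the raw SA keys, and for the same reason the checker keeps key lengths only.

```python
import re
import sys
from dataclasses import dataclass

# Constructed sample in the layout `setkey -D` prints; key words are placeholder hex, not
# real keys. SA 1 mirrors the thread's CBC+HMAC SAs, SA 2 is AES-GCM, SA 3 has no auth alg.
SAMPLE = """\
10.245.0.201 10.245.0.202
    esp mode=tunnel spi=60080461(0x0394c14d) reqid=12(0x0000000c)
    E: rijndael-cbc 00000000 11111111 22222222 33333333
    A: hmac-sha2-256 00000000 11111111 22222222 33333333 44444444 55555555 66666666 77777777
    seq=0x00000011 replay=4 flags=0x00000000 state=mature
    diff: 1018(s)   hard: 86400(s)  soft: 69120(s)
10.245.0.202 10.245.0.201
    esp mode=tunnel spi=170852236(0x0a2eff8c) reqid=12(0x0000000c)
    E: aes-gcm-16 00000000 11111111 22222222 33333333 44444444
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    diff: 1018(s)   hard: 86400(s)  soft: 69120(s)
10.0.0.25 10.0.0.15
    esp mode=tunnel spi=10000(0x00002710) reqid=16385(0x00004001)
    E: rijndael-cbc 00000000 11111111 22222222 33333333
    seq=0x00000000 replay=0 flags=0x00000000 state=mature
"""

# CRYPTOCAP_F_* bits (sys/opencrypto/cryptodev.h) that net.inet.ipsec.crypto_support masks
CRYPTOCAP_FLAGS = {0x01000000: "HARDWARE", 0x02000000: "SOFTWARE", 0x04000000: "SYNC"}
AEAD_ALGS = {"aes-gcm-16"}                    # ESP AEAD algorithm name used by setkey(8)
SA_HEADER = re.compile(r"^([0-9a-fA-F.:]+) ([0-9a-fA-F.:]+)$")
ALG_LINE = re.compile(r"^([EA]): (\S+)((?: [0-9a-f]{8})+)$")
STATE_LINE = re.compile(r"replay=(\d+) .*state=(\w+)")
LIFE_LINE = re.compile(r"^diff: \d+\(s\)\s+hard: (\d+)\(s\)")


@dataclass
class SA:
    src: str
    dst: str
    enc_alg: str = ""
    enc_key_bits: int = 0        # lengths only; the key bytes are never kept
    auth_alg: str = ""
    auth_key_bits: int = 0
    replay: int = 0
    state: str = ""
    hard_life_s: int = 0

    @property
    def is_aead(self) -> bool:
        return self.enc_alg in AEAD_ALGS


def parse_setkey_dump(text: str) -> list:
    sas, sa = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := SA_HEADER.match(line):        # "src dst" opens a new SA block
            sa = SA(src=m.group(1), dst=m.group(2))
            sas.append(sa)
        elif sa is None or not line:
            continue
        elif m := ALG_LINE.match(line):
            alg, bits = m.group(2), 32 * len(m.group(3).split())  # count words, drop bytes
            if m.group(1) == "E":
                # setkey counts the 32-bit RFC 4106 salt in aes-gcm-16 keys (160/224/288)
                sa.enc_alg, sa.enc_key_bits = alg, bits - 32 if alg in AEAD_ALGS else bits
            else:
                sa.auth_alg, sa.auth_key_bits = alg, bits
        elif m := STATE_LINE.search(line):
            sa.replay, sa.state = int(m.group(1)), m.group(2)
        elif m := LIFE_LINE.match(line):
            sa.hard_life_s = int(m.group(1))
    return sas


def review_sa(sa: SA) -> list:
    """Findings a reviewer would raise for one SA; an empty list means nothing to say."""
    findings = []
    if sa.state != "mature":
        findings.append(f"state={sa.state}: SA is not usable")
    if sa.enc_key_bits < 128:
        findings.append(f"cipher key is only {sa.enc_key_bits} bits")
    if not sa.is_aead:                        # one AEAD op per packet vs cipher + MAC
        findings.append(f"{sa.enc_alg}+{sa.auth_alg}: separate cipher and MAC passes per packet"
                        if sa.auth_alg else f"{sa.enc_alg} with no auth algorithm: no integrity protection")
    if sa.replay == 0:
        findings.append("replay=0: anti-replay check disabled")
    if sa.hard_life_s == 0:
        findings.append("hard lifetime 0: SA never expires on its own")
    return findings


def decode_crypto_support(value: int) -> list:
    return [name for bit, name in CRYPTOCAP_FLAGS.items() if value & bit]


if __name__ == "__main__":                   # usage: sudo setkey -D | python3 sa_check.py
    for sa in parse_setkey_dump(SAMPLE if sys.stdin.isatty() else sys.stdin.read()):
        print(f"{sa.src} -> {sa.dst}: {sa.enc_alg}/{sa.enc_key_bits} {sa.auth_alg or '-'}")
        for finding in review_sa(sa):
            print("    !", finding)
    print("crypto_support 50331648 =", "|".join(decode_crypto_support(50331648)))
```

Pipe `sudo setkey -D` into the script to check a live system; run on a terminal with no input it falls back to the constructed sample. Against the dump above it reports both SAs as rijndael-cbc/128 with hmac-sha2-256/256 and a single finding each (cipher and MAC done as separate passes), and it decodes crypto_support 50331648 as HARDWARE|SOFTWARE, i.e. the kernel is willing to use either a hardware driver or the software crypto path for these SAs.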
