Hello,

I'm trying to set up a point-to-point IPSec VPN tunnel running 3.7-release on two VIA EPIA boxes (dmesg below). Traffic is passing through the tunnel properly, but I don't think the crypto accelerator ("padlock") is being used.

Here's my lab setup:


           192.168.5.1:vr1                vr1:192.168.5.254
                 +------+                  +------+
     client ---- | vpnA | ---- switch ---- | vpnB | server
                 +------+                  +------+
  192.168.6.254:vr0                              vr0:172.20.1.1



I'm fairly sure the hardware accelerator works properly after this test:

# sysctl kern.usercrypto=1
kern.usercrypto: 1 -> 1
# openssl speed -evp aes-128-cbc
To get the most accurate results, try to run this
program when this computer is idle.
Doing aes-128-cbc for 3s on 16 size blocks: 5264787 aes-128-cbc's in 2.91s
Doing aes-128-cbc for 3s on 64 size blocks: 4906120 aes-128-cbc's in 2.91s
Doing aes-128-cbc for 3s on 256 size blocks: 3444201 aes-128-cbc's in 2.91s
Doing aes-128-cbc for 3s on 1024 size blocks: 1512989 aes-128-cbc's in 2.91s
Doing aes-128-cbc for 3s on 8192 size blocks: 242548 aes-128-cbc's in 2.91s
OpenSSL 0.9.7d 17 Mar 2004
built on: date not available
options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) aes(partial) blowfish(idx)
compiler: information not available
available timing options: USE_TOD HZ=100 [sysconf value]
timing function used: getrusage
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc      28984.63k   108040.15k   303385.96k   531663.61k   683682.83k
# sysctl kern.usercrypto=0
kern.usercrypto: 1 -> 0
# openssl speed -evp aes-128-cbc
To get the most accurate results, try to run this
program when this computer is idle.
Doing aes-128-cbc for 3s on 16 size blocks: 1182423 aes-128-cbc's in 2.90s
Doing aes-128-cbc for 3s on 64 size blocks: 319179 aes-128-cbc's in 2.89s
Doing aes-128-cbc for 3s on 256 size blocks: 81744 aes-128-cbc's in 2.84s
Doing aes-128-cbc for 3s on 1024 size blocks: 20570 aes-128-cbc's in 2.82s
Doing aes-128-cbc for 3s on 8192 size blocks: 2577 aes-128-cbc's in 2.83s
OpenSSL 0.9.7d 17 Mar 2004
built on: date not available
options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) aes(partial) blowfish(idx)
compiler: information not available
available timing options: USE_TOD HZ=100 [sysconf value]
timing function used: getrusage
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc       6527.23k     7066.80k     7379.03k     7468.56k     7464.59k



However, I'm pretty sure padlock is not being used for the IPSec traffic because doing large FTP transfers I get a maximum of 20Mbps throughput through the tunnel, with vmstat showing system CPU as high as 80%. Simply routing the traffic through the two VIA boxes gives at least 50Mbps throughput.

My IPSec configuration is slightly modified from the VPN-east and VPN-west examples in /usr/share/ipsec/isakmpd. I've included the isakmpd.conf and isakmpd.policy from vpnB:

# cat isakmpd.conf
#       $OpenBSD: VPN-east.conf,v 1.13 2003/03/16 08:13:02 matthieu Exp $
#       $EOM: VPN-east.conf,v 1.12 2000/10/09 22:08:30 angelos Exp $

# A configuration sample for the isakmpd ISAKMP/Oakley (aka IKE) daemon.
#
# The network topology of the example net is like this:
#
# 192.168.11.0/24 - west [.11] - 10.1.0.0/24 - [.12] east - 192.168.12.0/24
#
# "west" and "east" are the respective security gateways (aka VPN-nodes).

[Phase 1]
192.168.5.1=            ISAKMP-peer-west

[Phase 2]
Connections=            IPsec-east-west

[ISAKMP-peer-west]
Phase=                  1
Transport=              udp
Address=                192.168.5.1
Configuration=          Default-main-mode
Authentication=         mekmitasdigoat

[IPsec-east-west]
Phase=                  2
ISAKMP-peer=            ISAKMP-peer-west
Configuration=          Default-quick-mode
Local-ID=               Net-east
Remote-ID=              Net-west

[Net-west]
ID-type=                IPV4_ADDR_SUBNET
Network=                192.168.6.0
Netmask=                255.255.255.0

[Net-east]
ID-type=                IPV4_ADDR_SUBNET
Network=                0.0.0.0
Netmask=                0.0.0.0

[Default-main-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          ID_PROT
Transforms=             AES-SHA

[AES-SHA]
ENCRYPTION_ALGORITHM=   AES_CBC
HASH_ALGORITHM=         SHA

[Default-quick-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          QUICK_MODE
Suites=                 QM-ESP-AES-SHA-PFS-SUITE

# cat isakmpd.policy
KeyNote-Version: 2
Comment: This policy accepts ESP SAs from a remote that uses the right password
        $OpenBSD: policy,v 1.6 2001/06/20 16:36:19 angelos Exp $
        $EOM: policy,v 1.6 2000/10/09 22:08:30 angelos Exp $
Authorizer: "POLICY"
Licensees: "passphrase:mekmitasdigoat"
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" &&
            esp_enc_alg == "aes" &&
            esp_auth_alg == "hmac-sha" -> "true";


Does anyone have suggestions about how to take advantage of the hardware features for IPSec?


Thanks!

Mike



Dmesg below (both machines are identical hardware):

# dmesg
OpenBSD 3.7 (GENERIC) #50: Sun Mar 20 00:01:57 MST 2005
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: VIA Nehemiah ("CentaurHauls" 686-class) 1.01 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,SEP,MTRR,PGE,CMOV,PAT,MMX,FXSR,SSE
cpu0: RNG AES
real mem  = 502837248 (491052K)
avail mem = 451956736 (441364K)
using 4278 buffers containing 25243648 bytes (24652K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(d9) BIOS, date 03/11/04, BIOS32 rev. 0 @ 0xface0
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
pcibios0 at bios0: rev 2.1 @ 0xf0000/0xdba4
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdb10/144 (7 entries)
pcibios0: PCI Exclusive IRQs: 9 11 12
pcibios0: PCI Interrupt Router at 000:17:0 ("VIA VT82C596A ISA" rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc0000/0xe000
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "VIA VT8623 PCI" rev 0x00
ppb0 at pci0 dev 1 function 0 "VIA VT8633 AGP" rev 0x00
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 "VIA CLE266" rev 0x03: aperture at 0xd8000000, size 0x10000000
wsdisplay0 at vga1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
vr0 at pci0 dev 15 function 0 "VIA VT6105 RhineIII" rev 0x8b: irq 12 address 00:40:63:db:53:5d
ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface
ukphy0: OUI 0x004063, model 0x0034, rev. 9
uhci0 at pci0 dev 16 function 0 "VIA VT83C572 USB" rev 0x80: irq 11
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: VIA UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1 at pci0 dev 16 function 1 "VIA VT83C572 USB" rev 0x80: irq 11
usb1 at uhci1: USB revision 1.0
uhub1 at usb1
uhub1: VIA UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
uhci2 at pci0 dev 16 function 2 "VIA VT83C572 USB" rev 0x80: irq 9
usb2 at uhci2: USB revision 1.0
uhub2 at usb2
uhub2: VIA UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub2: 2 ports with 2 removable, self powered
ehci0 at pci0 dev 16 function 3 "VIA VT6202 USB" rev 0x82: irq 12
ehci0: EHCI version 1.0
ehci0: companion controllers, 2 ports each: uhci0 uhci1 uhci2
usb3 at ehci0: USB revision 2.0
uhub3 at usb3
uhub3: VIA EHCI root hub, class 9/0, rev 2.00/1.00, addr 1
uhub3: single transaction translator
uhub3: 6 ports with 6 removable, self powered
pcib0 at pci0 dev 17 function 0 "VIA VT8235 ISA" rev 0x00
pciide0 at pci0 dev 17 function 1 "VIA VT82C571 IDE" rev 0x06: ATA133, channel 0 configured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0: <ST380011A>
wd0: 16-sector PIO, LBA48, 76319MB, 156301488 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
atapiscsi0 at pciide0 channel 1 drive 1
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: <TEAC, CD-224E, 1.9A> SCSI0 5/cdrom removable
cd0(pciide0:1:1): using PIO mode 4, Ultra-DMA mode 2
auvia0 at pci0 dev 17 function 5 "VIA VT8233 AC97" rev 0x50: irq 9
ac97: codec id 0x56494161 (VIA Technologies VT1612A)
ac97: codec features headphone, 18 bit DAC, 18 bit ADC, KS Waves 3D
audio0 at auvia0
vr1 at pci0 dev 18 function 0 "VIA RhineII-2" rev 0x74: irq 11 address 00:40:63:db:53:c1
ukphy1 at vr1 phy 1: Generic IEEE 802.3u media interface
ukphy1: OUI 0x004063, model 0x0032, rev. 8
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0 (mux 1 ignored for console): console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: <PC speaker>
sysbeep0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pccom2 at isa0 port 0x3e8/8 irq 5: ns16550a, 16 byte fifo
biomask ff45 netmask ff45 ttymask ffc7
pctr: user-level cycle counter enabled
dkcsum: wd0 matched BIOS disk 80
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302
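One way to quantify the two `openssl speed` runs quoted in the post (an added example, not code from Mike or from OpenBSD): it parses the summary table of each run, computes the per-block-size speedup of the kern.usercrypto=1 run over the kern.usercrypto=0 run, and judges from the large-block ratio whether the accelerator was actually in use. The sample input is the post's own two summary lines, embedded here as constructed input; the 5x threshold is an assumption.

```python
import re

# Constructed sample input: the two summary tables from the post above, kept in
# the run-together form the mail shows (header and cipher row on one line).
HW_RUN = ("type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes "
          "aes-128-cbc 28984.63k 108040.15k 303385.96k 531663.61k 683682.83k")
SW_RUN = ("type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes "
          "aes-128-cbc 6527.23k 7066.80k 7379.03k 7468.56k 7464.59k")

# Matches the "type ... bytes" header followed by one cipher row; \s+ also spans
# the newline of a normally formatted two-line table.
TABLE_RE = re.compile(r"type((?:\s+\d+ bytes)+)\s+([\w-]+)((?:\s+\d+(?:\.\d+)?k)+)")


def parse_speed_table(output):
    """Return (cipher, {block_size: kbytes_per_second}) from `openssl speed` output."""
    m = TABLE_RE.search(output)
    if m is None:
        raise ValueError("no openssl speed summary table found")
    sizes = [int(s) for s in re.findall(r"(\d+) bytes", m.group(1))]
    rates = [float(r) for r in re.findall(r"(\d+(?:\.\d+)?)k", m.group(3))]
    if len(sizes) != len(rates):
        raise ValueError("header and result row have different widths")
    return m.group(2), dict(zip(sizes, rates))


def speedup(hw_output, sw_output):
    """Per-block-size ratio of accelerated to software throughput."""
    cipher_hw, hw = parse_speed_table(hw_output)
    cipher_sw, sw = parse_speed_table(sw_output)
    if cipher_hw != cipher_sw:
        raise ValueError("runs measured different ciphers")
    return {n: hw[n] / sw[n] for n in hw if n in sw}


def accelerator_engaged(ratios, large_block=8192, threshold=5.0):
    """Heuristic (assumed threshold): small blocks are dominated by the per-call
    overhead of going through /dev/crypto, so judge by the largest block size,
    where a real accelerator should be many times faster than software."""
    return ratios[large_block] >= threshold


if __name__ == "__main__":
    r = speedup(HW_RUN, SW_RUN)
    for n in sorted(r):
        print(f"{n:5d} bytes: {r[n]:6.1f}x")
    print("accelerator engaged:", accelerator_engaged(r))
```

On the post's numbers the 16-byte ratio is only about 4.4x while the 8192-byte ratio is about 92x, which is why the large-block column is the one worth looking at.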
