Hello,
I'm trying to set up a point-to-point IPSec VPN tunnel running
3.7-release on two VIA EPIA boxes (dmesg below). Traffic is passing
through the tunnel properly, but I don't think the crypto accelerator
("padlock") is being used.
Here's my lab setup:
192.168.5.1:vr1 vr1:192.168.5.254
+------+ +------+
client ---- | vpnA | ---- switch ---- | vpnB | server
+------+ +------+
192.168.6.254:vr0 vr0:172.20.1.1
I'm fairly sure the hardware accelerator works properly after this test:
# sysctl kern.usercrypto=1
kern.usercrypto: 1 -> 1
# openssl speed -evp aes-128-cbc
To get the most accurate results, try to run this
program when this computer is idle.
Doing aes-128-cbc for 3s on 16 size blocks: 5264787 aes-128-cbc's in 2.91s
Doing aes-128-cbc for 3s on 64 size blocks: 4906120 aes-128-cbc's in 2.91s
Doing aes-128-cbc for 3s on 256 size blocks: 3444201 aes-128-cbc's in 2.91s
Doing aes-128-cbc for 3s on 1024 size blocks: 1512989 aes-128-cbc's in
2.91s
Doing aes-128-cbc for 3s on 8192 size blocks: 242548 aes-128-cbc's in 2.91s
OpenSSL 0.9.7d 17 Mar 2004
built on: date not available
options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long)
aes(partial) blowfish(idx)
compiler: information not available
available timing options: USE_TOD HZ=100 [sysconf value]
timing function used: getrusage
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192
bytes
aes-128-cbc 28984.63k 108040.15k 303385.96k 531663.61k
683682.83k
# sysctl kern.usercrypto=0
kern.usercrypto: 1 -> 0
# openssl speed -evp aes-128-cbc
To get the most accurate results, try to run this
program when this computer is idle.
Doing aes-128-cbc for 3s on 16 size blocks: 1182423 aes-128-cbc's in 2.90s
Doing aes-128-cbc for 3s on 64 size blocks: 319179 aes-128-cbc's in 2.89s
Doing aes-128-cbc for 3s on 256 size blocks: 81744 aes-128-cbc's in 2.84s
Doing aes-128-cbc for 3s on 1024 size blocks: 20570 aes-128-cbc's in 2.82s
Doing aes-128-cbc for 3s on 8192 size blocks: 2577 aes-128-cbc's in 2.83s
OpenSSL 0.9.7d 17 Mar 2004
built on: date not available
options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long)
aes(partial) blowfish(idx)
compiler: information not available
available timing options: USE_TOD HZ=100 [sysconf value]
timing function used: getrusage
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192
bytes
aes-128-cbc 6527.23k 7066.80k 7379.03k 7468.56k
7464.59k
However, I'm pretty sure padlock is not being used for the IPSec traffic
because doing large FTP transfers I get a maximum of 20Mbps throughput
through the tunnel, with vmstat showing system CPU as high as 80%.
Simply routing the traffic through the two VIA boxes gives at least
50Mbps throughput.
My IPSec configuration is slightly modified from the VPN-east and
VPN-west examples in /usr/share/ipsec/isakmpd. I've included the
isakmpd.conf and isakmpd.policy from vpnB:
# cat isakmpd.conf
# $OpenBSD: VPN-east.conf,v 1.13 2003/03/16 08:13:02 matthieu Exp $
# $EOM: VPN-east.conf,v 1.12 2000/10/09 22:08:30 angelos Exp $
# A configuration sample for the isakmpd ISAKMP/Oakley (aka IKE) daemon.
#
# The network topology of the example net is like this:
#
# 192.168.11.0/24 - west [.11] - 10.1.0.0/24 - [.12] east - 192.168.12.0/24
#
# "west" and "east" are the respective security gateways (aka VPN-nodes).
[Phase 1]
192.168.5.1= ISAKMP-peer-west
[Phase 2]
Connections= IPsec-east-west
[ISAKMP-peer-west]
Phase= 1
Transport= udp
Address= 192.168.5.1
Configuration= Default-main-mode
Authentication= mekmitasdigoat
[IPsec-east-west]
Phase= 2
ISAKMP-peer= ISAKMP-peer-west
Configuration= Default-quick-mode
Local-ID= Net-east
Remote-ID= Net-west
[Net-west]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.6.0
Netmask= 255.255.255.0
[Net-east]
ID-type= IPV4_ADDR_SUBNET
Network= 0.0.0.0
Netmask= 0.0.0.0
[Default-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= AES-SHA
[AES-SHA]
ENCRYPTION_ALGORITHM= AES_CBC
HASH_ALGORITHM= SHA
[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-AES-SHA-PFS-SUITE
# cat isakmpd.policy
KeyNote-Version: 2
Comment: This policy accepts ESP SAs from a remote that uses the right
password
$OpenBSD: policy,v 1.6 2001/06/20 16:36:19 angelos Exp $
$EOM: policy,v 1.6 2000/10/09 22:08:30 angelos Exp $
Authorizer: "POLICY"
Licensees: "passphrase:mekmitasdigoat"
Conditions: app_domain == "IPsec policy" &&
esp_present == "yes" &&
esp_enc_alg == "aes" &&
esp_auth_alg == "hmac-sha" -> "true";
Does anyone have suggestions about how to take advantage of the hardware
features for IPSec?
Thanks!
Mike
Dmesg below (both machines are identical hardware):
# dmesg
OpenBSD 3.7 (GENERIC) #50: Sun Mar 20 00:01:57 MST 2005
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: VIA Nehemiah ("CentaurHauls" 686-class) 1.01 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,SEP,MTRR,PGE,CMOV,PAT,MMX,FXSR,SSE
cpu0: RNG AES
real mem = 502837248 (491052K)
avail mem = 451956736 (441364K)
using 4278 buffers containing 25243648 bytes (24652K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(d9) BIOS, date 03/11/04, BIOS32 rev. 0 @ 0xface0
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
pcibios0 at bios0: rev 2.1 @ 0xf0000/0xdba4
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdb10/144 (7 entries)
pcibios0: PCI Exclusive IRQs: 9 11 12
pcibios0: PCI Interrupt Router at 000:17:0 ("VIA VT82C596A ISA" rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc0000/0xe000
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "VIA VT8623 PCI" rev 0x00
ppb0 at pci0 dev 1 function 0 "VIA VT8633 AGP" rev 0x00
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 "VIA CLE266" rev 0x03: aperture at
0xd8000000, size 0x10000000
wsdisplay0 at vga1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
vr0 at pci0 dev 15 function 0 "VIA VT6105 RhineIII" rev 0x8b: irq 12
address 00:40:63:db:53:5d
ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface
ukphy0: OUI 0x004063, model 0x0034, rev. 9
uhci0 at pci0 dev 16 function 0 "VIA VT83C572 USB" rev 0x80: irq 11
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: VIA UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1 at pci0 dev 16 function 1 "VIA VT83C572 USB" rev 0x80: irq 11
usb1 at uhci1: USB revision 1.0
uhub1 at usb1
uhub1: VIA UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
uhci2 at pci0 dev 16 function 2 "VIA VT83C572 USB" rev 0x80: irq 9
usb2 at uhci2: USB revision 1.0
uhub2 at usb2
uhub2: VIA UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub2: 2 ports with 2 removable, self powered
ehci0 at pci0 dev 16 function 3 "VIA VT6202 USB" rev 0x82: irq 12
ehci0: EHCI version 1.0
ehci0: companion controllers, 2 ports each: uhci0 uhci1 uhci2
usb3 at ehci0: USB revision 2.0
uhub3 at usb3
uhub3: VIA EHCI root hub, class 9/0, rev 2.00/1.00, addr 1
uhub3: single transaction translator
uhub3: 6 ports with 6 removable, self powered
pcib0 at pci0 dev 17 function 0 "VIA VT8235 ISA" rev 0x00
pciide0 at pci0 dev 17 function 1 "VIA VT82C571 IDE" rev 0x06: ATA133,
channel 0 configured to compatibility, channel 1 configured to
compatibility
wd0 at pciide0 channel 0 drive 0: <ST380011A>
wd0: 16-sector PIO, LBA48, 76319MB, 156301488 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
atapiscsi0 at pciide0 channel 1 drive 1
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: <TEAC, CD-224E, 1.9A> SCSI0 5/cdrom removable
cd0(pciide0:1:1): using PIO mode 4, Ultra-DMA mode 2
auvia0 at pci0 dev 17 function 5 "VIA VT8233 AC97" rev 0x50: irq 9
ac97: codec id 0x56494161 (VIA Technologies VT1612A)
ac97: codec features headphone, 18 bit DAC, 18 bit ADC, KS Waves 3D
audio0 at auvia0
vr1 at pci0 dev 18 function 0 "VIA RhineII-2" rev 0x74: irq 11 address
00:40:63:db:53:c1
ukphy1 at vr1 phy 1: Generic IEEE 802.3u media interface
ukphy1: OUI 0x004063, model 0x0032, rev. 8
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0 (mux 1 ignored for console): console keyboard, using
wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: <PC speaker>
sysbeep0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pccom2 at isa0 port 0x3e8/8 irq 5: ns16550a, 16 byte fifo
biomask ff45 netmask ff45 ttymask ffc7
pctr: user-level cycle counter enabled
dkcsum: wd0 matched BIOS disk 80
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302