Hi Sergio,
ipsec is actually working (therefore also your patch), my issue was regarding
dpdk and hw setup.
BR,
Manuel
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#12237): https://lists.fd.io/g/vpp-dev/message/12237
Mute This Topic:
Hi,
my apologies, forget my last email. I measured data back and forth (supposed
to be encrypted) and I checked that cpt crypto devices were enabled and
available but the ipsec tunnel was not working (since crypto counters were not
increasing).
BR,
Manuel
-=-=-=-=-=-=-=-=-=-=-=-
Hi Sergio,
after tracing the crypto layers a bit I did not find anything suspicious so I
decided to revert a commit around ipsec (git checkout
3553abaec54c2784bc6fdccc890411d586c3997e src/vnet/ipsec/*) and looks to be
working as I would expect (using the HW encrypt/decryption). I guess the issue
Hi all,
reading a piece of code (*src/vnet/llc/node.c*) I noticed that llc_input is
almost the same as function snap_input (*src/vnet/snap/node.c*)...
but there is a different line and I would like to understand the reason; maybe
it is the same having or not having that line, but I am not sure.
Hi Sergio,
thank you for your comment, I will try to debug the problem ASAP.
BR,
Manuel
-=-=-=-=-=-=-=-=-=-=-=-
View/Reply Online (#12213): https://lists.fd.io/g/vpp-dev/message/12213
Yes I did, OpenSSL backend is working.
I can see the esp4-encrypt and esp4-decrypt counters incrementing and there are
no errors.
-=-=-=-=-=-=-=-=-=-=-=-
View/Reply Online (#12206): https://lists.fd.io/g/vpp-dev/message/12206
Hi Sergio,
yes, disabling ipsec I successfully get every packet in the receiver side.
-=-=-=-=-=-=-=-=-=-=-=-
View/Reply Online (#12203): https://lists.fd.io/g/vpp-dev/message/12203
Hi Sergio,
you are right, both boards are connected back to back in the 192.168.30.0/24
net.
I have cleaned up redundant routes, adding what you are proposing and
unfortunately still I am getting the llc-input errors in the receiving interface
vpp# sh errors
See attached files, setup is taking place in the scripts via vppctl instead of
using the 'exec path_to_file' used in startup.cnf
Let me know if you see anything suspicious
BR,
Manuel
start_vpp_ipsec_board_a_xaui30_p2.sh
Description: application/shellscript
capture and config. attached
vpp# sh ipsec config
sa 10 spi 1001 mode transport protocol esp
crypto alg aes-cbc-128 key 4a506a794f574265564551694d653768 integrity alg
sha1-96 key 4339314b55523947594d6d3547666b45764e6a58
sa 20 spi 1000 mode transport protocol esp
crypto alg aes-cbc-128 key
Hi Sergio,
my apologies... I have been carefully testing this morning (to give you logs)
and everything is working perfectly (encrypting/decrypting with cpt and/or
encrypting/decrypting with openssl).
Thanks a lot for your quick fix!
BR,
Manuel
-=-=-=-=-=-=-=-=-=-=-=-
Hello Sergio,
From my side, your patch looks good to me.
Nevertheless I can't manage to properly run encryption/decryption (ipsec
between two boards) with the Octeon CPT hardware. (Same ipsec scenario setup
via openssl is actually working as expected)
Do not know whether the problem is
Hi Sergio,
I prefer you to provide the patch to use 1 qp since I have been inspecting
source code for two days only (I might add other bugs...).
I could test your patch in an Octeon board that is supposed to setup 1 qp.
BR,
Manuel
-=-=-=-=-=-=-=-=-=-=-=-
Hi Sergio,
thank you for the explanation, I see that there are 2 (or more qps). My concern
was due to dpdk, since there are a few device drivers exporting only one queue
pair for their crypto devices.
(I followed the code assuming one qps, based on a dpdk-18.11 exported value)
So I do not know
Hello all,
Just tracing a bit the code I noticed that there is a concept of "queue pair"
and every crypto device allocates its own number of queue pairs.
Two questions (version 19.01):
1. Regarding the max_res_idx (ipsec.c) calculation:
max_res_idx = (dev->max_qp / 2) - 1; (if dev->max_qp == 1
Ok, thank you for the clarification. So, as far as I understand, host-stack
preloading is not intended to work with forkable (because of the ldp destructor)
and/or threadable (because of mentioned index) applications.
BR,
Manuel