Hi Avi, > -----Original Message----- > From: users [mailto:[email protected]] On Behalf Of Avi Cohen (A) > Sent: Tuesday, January 9, 2018 9:39 AM > To: Gowda, Sandesh <[email protected]>; [email protected] > Subject: Re: [dpdk-users] IPSEC-SECGW sample application > > Thank you Sandesh > I'm trying to run the l2fwd-crypto sample app. but got this error msg : > "No crypto devices available > EAL: Error - exiting with code: 1 > Cause: Failed to initialize crypto devices" > > My setup include 2 physical ports (intel x540) bound to dpdk - these Nics > are ipsec offload capable.
L2fwd-crypto does not support inline IPSec. For this application, you can only use crypto devices (under crypto folder). Pablo > > The cmd-line I use is: > ./l2fwd-crypto -l 0-1 -n 4 -- -p 0x3 --cdev_type HW --chain CIPHER_HASH -- > cipher_op ENCRYPT --cipher_algo aes-cbc --cipher_key > 00:01:02:03:04:05:06:07:08:09:0a:0b:0c:0d:0e:0f --auth_op GENERATE -- > auth_algo aes-xcbc-mac --auth_key > 10:11:12:13:14:15:16:17:18:19:1a:1b:1c:1d:1e:1f > > Best Regards > Avi > > > > -----Original Message----- > > From: Gowda, Sandesh [mailto:[email protected]] > > Sent: Monday, 08 January, 2018 7:23 PM > > To: Avi Cohen (A); [email protected] > > Subject: RE: IPSEC-SECGW sample application > > > > Hi Avi, > > > > My response inline. > > > > > 1. I see in the documentation that this app. Supports only > > > **complete offload**. > > > But Intel NICS x540 and 82599 which supports ipsec offload requires > > > that the SW will add/remove the ESP headers How can I run this app > > > with > > x540 nic ? > > > > The SA rule "type" field lets you choose the kind of offload. > > Following is the description from the ipsecgw app guide: > > > > <type> > > > > Action type to specify the security action. This option specify the SA > > to be performed with look aside protocol offload to HW accelerator or > > protocol offload on ethernet device or inline crypto processing on the > > ethernet device during transmission. > > Optional: Yes, default type no-offload Available options: > > lookaside-protocol-offload: look aside protocol offload to HW > > accelerator > > inline-protocol-offload: inline protocol offload on ethernet device > > inline-crypto-offload: inline crypto processing on ethernet device > > no-offload: no offloading to hardware > > > > Correct your SA rules to have the desired "type" field. > > > > The ipsecgw application must work fine for QAT PCIe as well as > > Ethernet NIC with IPSec feature provided the VFs as correctly bound to > DPDK. > > > > > > > 2. I added support for ESP header and trailer insertion for > > > inline-protocol- offload for intel x540 Can you tell me the exact > > > command line to run the application for this mode ? > > > is vdev required ? > > > > The ipsecgw application must work fine for QAT PCIe as well as > > Ethernet NIC with IPSec feature provided the VFs as correctly bound to > DPDK. > > Please try running a more basic L2Fwd Crypto application on your NIC > > to make sure the Crypto feature works. > > > > Regards, > > Sandesh > > > > > > > > > -----Original Message----- > > > From: Avi Cohen (A) [mailto:[email protected]] > > > Sent: Monday, January 08, 2018 10:05 PM > > > To: Gowda, Sandesh <[email protected]>; [email protected] > > > Subject: RE: IPSEC-SECGW sample application > > > > > > > > > Hi Sandesh [I added one more question] Thank you - I already > > > understood that. > > > 1. I see in the documentation that this app. Supports only > > > **complete offload**. > > > But Intel NICS x540 and 82599 which supports ipsec offload requires > > > that the SW will add/remove the ESP headers How can I run this app > > > with > > x540 nic ? > > > > > > 2. I added support for ESP header and trailer insertion for > > > inline-protocol- offload for intel x540 Can you tell me the exact > > > command line to run the application for this mode ? > > > is vdev required ? > > > Best Regards > > > Avi > > > > > > > > > > > > > > > > > -----Original Message----- > > > > > From: Gowda, Sandesh [mailto:[email protected]] > > > > > Sent: Monday, 08 January, 2018 10:47 AM > > > > > To: Avi Cohen (A); [email protected] > > > > > Subject: RE: IPSEC-SECGW sample application > > > > > > > > > > > > > > > Hi Avi, > > > > > > > > > > The application classifies the ports as Protected and Unprotected. > > > > > Thus, > > > > traffic > > > > > received on an Unprotected or Protected port is consider Inbound > > > > > or > > > > Outbound > > > > > respectively. > > > > > ( Refer : > > > > > http://dpdk.org/doc/guides/sample_app_ug/ipsec_secgw.html > > > > > ) > > > > > > > > > > The Packets sent on a Unprotected network requires Encryption > > > > > whereas packets on Protected Network can be plain text. > > > > > This is the expected behavior. > > > > > > > > > > Regards, > > > > > Sandesh > > > > > > > > > > > > > > > > > > > > > > > > > -----Original Message----- > > > > > From: users [mailto:[email protected]] On Behalf Of Avi > > > > > Cohen > > > > > (A) > > > > > Sent: Sunday, January 07, 2018 9:12 PM > > > > > To: [email protected] > > > > > Subject: [dpdk-users] IPSEC-SECGW sample application > > > > > > > > > > > > > > > Hello > > > > > I'm using the DPDK17.11 and running the sample app. Ipsec_secgw. > > > > > I have 2 ports port 0 is protected and port 1 is unprotected > > > > > Traffic is received > > > > in > > > > > the unprotected and should be sent to the protected port for > > > > > encryption But the traffic processing for the traffic received > > > > > in the unprotected port is going through the > **process_pkts_inbound ** . > > > > > I expect that the traffic should be directed to the > > > > **process_pkts_outbound** > > > > > [where ESP headers are added etc.] Can someone help ? > > > > > > > > > > > > > > > This is the config file: > > > > > > > > > > #SP rules > > > > > sp ipv4 in esp protect 5 src 1.1.1.2/32 dst 1.1.2.10/32 #SA > > > > > rules sa in 5 cipher_algo aes-128-cbc cipher_key > > > > > 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \ auth_algo sha1-hmac auth_key > > > > > 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \ mode ipv4-tunnel src > > > > > 172.16.1.5 dst 172.16.2.5 \ type inline-protocol-offload port_id > > > > > 0 #Routing rules rt ipv4 dst 172.16.2.5/32 port 0 rt ipv4 dst > > > > > 1.1.2.0/24 port 0 rt ipv4 dst > > > > > 1.1.1.0/24 port 0 > > > > > > > > > > > > > > > and this is the command line to run the applic: > > > > > > > > > > ./ipsec-secgw -l 1 -n 2 -- -p 0x3 -P -u 0x2 > > > > > --config="(0,0,1),(1,0,1)" -f ../ep1.cfg > > > > > > > > > > > > > > > Best Regards > > > > > Avi
