[dpdk-users] IPSEC-SECGW sample application

[Avi Cohen (A)]

Thank you Sandesh
I'm trying to run the l2fwd-crypto sample app.  but  got this error msg :
"No crypto devices available
EAL: Error - exiting with code: 1
 Cause: Failed to initialize crypto devices"

My setup include 2 physical ports (intel x540)  bound to dpdk - these Nics are ipsec offload capable.

The cmd-line I use is:
./l2fwd-crypto -l 0-1 -n 4 -- -p 0x3 --cdev_type HW --chain CIPHER_HASH --cipher_op ENCRYPT --cipher_algo aes-cbc --cipher_key 00:01:02:03:04:05:06:07:08:09:0a:0b:0c:0d:0e:0f --auth_op GENERATE --auth_algo aes-xcbc-mac --auth_key 10:11:12:13:14:15:16:17:18:19:1a:1b:1c:1d:1e:1f

Best Regards
Avi


> -----Original Message-----
> From: Gowda, Sandesh [mailto:sandesh.gowda at intel.com]
> Sent: Monday, 08 January, 2018 7:23 PM
> To: Avi Cohen (A); users at dpdk.org
> Subject: RE: IPSEC-SECGW sample application
> 
> Hi Avi,
> 
>  My response inline.
> 
> > 1.  I see in the documentation that this app. Supports only **complete
> > offload**.
> >  But Intel NICS x540 and 82599 which supports ipsec offload requires
> > that the SW will  add/remove the ESP headers How can I run this app with
> x540 nic ?
> 
> The SA rule "type" field lets you choose the kind of offload.
> Following is the description from the ipsecgw app guide:
> 
> <type>
> 
> Action type to specify the security action. This option specify the SA to be
> performed with look aside protocol offload to HW accelerator or protocol
> offload on ethernet device or inline crypto processing on the ethernet device
> during transmission.
> Optional: Yes, default type no-offload
> Available options:
> lookaside-protocol-offload: look aside protocol offload to HW accelerator
> inline-protocol-offload: inline protocol offload on ethernet device
> inline-crypto-offload: inline crypto processing on ethernet device
> no-offload: no offloading to hardware
> 
> Correct your SA rules to have the desired "type" field.
> 
> The ipsecgw application must work fine for QAT PCIe as well as Ethernet NIC
> with IPSec feature provided the VFs as correctly bound to DPDK.
> 
> 
> >  2. I added support for ESP header and trailer insertion for
> > inline-protocol- offload for intel x540 Can you tell me the exact
> > command line to run the application for this mode ?
> > is vdev required ?
> 
>  The ipsecgw application must work fine for QAT PCIe as well as Ethernet NIC
> with IPSec feature provided the VFs as correctly bound to DPDK.
> Please try running a more basic L2Fwd Crypto application on your NIC to make
> sure the Crypto feature works.
> 
>  Regards,
>  Sandesh
> 
> 
> 
> > -----Original Message-----
> > From: Avi Cohen (A) [mailto:avi.cohen at huawei.com]
> > Sent: Monday, January 08, 2018 10:05 PM
> > To: Gowda, Sandesh <sandesh.gowda at intel.com>; users at dpdk.org
> > Subject: RE: IPSEC-SECGW sample application
> >
> >
> >  Hi  Sandesh  [I added one more question]  Thank you - I already
> > understood that.
> > 1.  I see in the documentation that this app. Supports only **complete
> > offload**.
> >  But Intel NICS x540 and 82599 which supports ipsec offload requires
> > that the SW will  add/remove the ESP headers How can I run this app with
> x540 nic ?
> >
> >  2. I added support for ESP header and trailer insertion for
> > inline-protocol- offload for intel x540 Can you tell me the exact
> > command line to run the application for this mode ?
> > is vdev required ?
> >  Best Regards
> >  Avi
> > >
> > >
> > >
> > > > -----Original Message-----
> > > > From: Gowda, Sandesh [mailto:sandesh.gowda at intel.com]
> > > > Sent: Monday, 08 January, 2018 10:47 AM
> > > > To: Avi Cohen (A); users at dpdk.org
> > > > Subject: RE: IPSEC-SECGW sample application
> > > >
> > > >
> > > > Hi Avi,
> > > >
> > > >  The application classifies the ports as Protected and Unprotected.
> > > > Thus,
> > > traffic
> > > > received on an Unprotected or Protected port is consider Inbound
> > > > or
> > > Outbound
> > > > respectively.
> > > > ( Refer :
> > > > http://dpdk.org/doc/guides/sample_app_ug/ipsec_secgw.html
> > > > )
> > > >
> > > >  The Packets sent on a  Unprotected network requires Encryption
> > > > whereas packets on Protected Network can be plain text.
> > > >  This is the expected behavior.
> > > >
> > > >  Regards,
> > > >  Sandesh
> > > >
> > > >
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: users [mailto:users-bounces at dpdk.org] On Behalf Of Avi Cohen
> > > > (A)
> > > > Sent: Sunday, January 07, 2018 9:12 PM
> > > > To: users at dpdk.org
> > > > Subject: [dpdk-users] IPSEC-SECGW sample application
> > > >
> > > >
> > > > Hello
> > > > I'm using the DPDK17.11 and running the sample app. Ipsec_secgw.
> > > > I have 2 ports port 0 is protected and port 1 is unprotected
> > > > Traffic is received
> > > in
> > > > the unprotected and should be sent to the protected  port  for
> > > > encryption But the traffic processing for the traffic received in
> > > > the unprotected port is going through the **process_pkts_inbound ** .
> > > > I expect that the traffic should be directed to the
> > > **process_pkts_outbound**
> > > > [where ESP headers are added etc.] Can someone help ?
> > > >
> > > >
> > > > This is the config file:
> > > >
> > > > #SP rules
> > > > sp ipv4 in esp protect 5 src 1.1.1.2/32 dst 1.1.2.10/32 #SA rules
> > > > sa in 5 cipher_algo aes-128-cbc cipher_key
> > > > 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \ auth_algo sha1-hmac auth_key
> > > > 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \ mode ipv4-tunnel src
> > > > 172.16.1.5 dst 172.16.2.5 \ type inline-protocol-offload port_id 0
> > > > #Routing rules rt ipv4 dst 172.16.2.5/32 port 0 rt ipv4 dst
> > > > 1.1.2.0/24 port 0 rt ipv4 dst
> > > > 1.1.1.0/24 port 0
> > > >
> > > >
> > > > and this is the command line to run the applic:
> > > >
> > > > ./ipsec-secgw -l 1 -n 2 -- -p 0x3 -P -u 0x2
> > > > --config="(0,0,1),(1,0,1)" -f ../ep1.cfg
> > > >
> > > >
> > > > Best Regards
> > > > Avi