Strongswan: enable hardware acceleration for ESP packets

My Linux kernel already supports CESA hardware acceleration, and openssl can use this feature.

# openssl speed -evp des3 -elapsed
# cat /proc/interrupts | grep cesa
 51:     464810       GIC  cesa0
 52:     464811       GIC  cesa1

I have also enabled the openssl plugin in Strongswan, and it is loaded when the tunnel comes up.

# ipsec statusall
Security Associations (1 up, 0 connecting):
 cisco-ezvpn[1]: ESTABLISHED 10 minutes ago, 192.168.1.2[19]...192.168.1.1[192.168.1.1]
 cisco-ezvpn[1]: IKEv1 SPIs: abf425e9297ad9f0_i* 196cb5ae22f4f22e_r, pre-shared key+XAuth reauthentication in 23 hours
 cisco-ezvpn[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
 cisco-ezvpn{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cb142c69_i 2e8c4f0b_o
 cisco-ezvpn{1}:  AES_CBC_128/HMAC_SHA1_96, 41756845 bytes_i (30575 pkts, 107s ago), 550565 bytes_o (9492 pkts, 31s ago), rekeying in 23 hours
 cisco-ezvpn{1}:   10.10.0.6/32 === 0.0.0.0/0

Now I can see the cesa interrupts increase when the connection comes up (IKE messages), but ESP packets do not increase the cesa interrupt counter.

15:17:28.653001 IP 192.168.1.2 > 192.168.1.1: ESP(spi=0x852c54c5,seq=0x16), length 108
15:17:49.653014 IP 192.168.1.2 > 192.168.1.1: ESP(spi=0x852c54c5,seq=0x17), length 108
15:17:49.653833 IP 192.168.1.1 > 192.168.1.2: ESP(spi=0xcca314fc,seq=0x10), length 92
15:18:35.652995 IP 192.168.1.2 > 192.168.1.1: ESP(spi=0x852c54c5,seq=0x18), length 108
# cat /proc/interrupts | grep cesa
 51:     464813       GIC  cesa0
 52:     464814       GIC  cesa1

My question is: is there a way to enable hardware acceleration for ESP packets?

Additional information:

# ip xfrm state
src 192.168.1.2 dst 192.168.1.1
        proto esp spi 0x2e8c4f0b reqid 1 mode tunnel
        replay-window 0 flag af-unspec
        auth-trunc hmac(sha1) 0x19a289b54670ad8a41ec2314bd6c7b438efef9f2 96
        enc cbc(aes) 0xc3297e37547fce35df7e3cd2d8450db5
src 192.168.1.1 dst 192.168.1.2
        proto esp spi 0xcb142c69 reqid 1 mode tunnel
        replay-window 32 flag af-unspec
        auth-trunc hmac(sha1) 0xbb3033e4825ccc585c7829fa21b6c0c08bcefce9 96
        enc cbc(aes) 0xc45486fdbcafef85e393295d7baeb968

Supported ciphers:

# cat /proc/crypto 
name         : authenc(hmac(md5),cbc(des3_ede))
driver       : authenc(hmac(md5-generic),cbc(des3_ede-generic))
module       : kernel
priority     : 0
refcnt       : 3
selftest     : passed
type         : aead
async        : yes
blocksize    : 8
ivsize       : 8
maxauthsize  : 16
geniv        : <built-in>

name         : cbc(des3_ede)
driver       : cbc(des3_ede-generic)
module       : kernel
priority     : 0
refcnt       : 3
selftest     : passed
type         : givcipher
async        : yes
blocksize    : 8
min keysize  : 24
max keysize  : 24
ivsize       : 8
geniv        : chainiv

name         : cbc(des3_ede)
driver       : cbc(des3_ede-generic)
module       : kernel
priority     : 0
refcnt       : 3
selftest     : passed
type         : blkcipher
blocksize    : 8
min keysize  : 24
max keysize  : 24
ivsize       : 8
geniv        : <default>

name         : hmac(md5)
driver       : hmac(md5-generic)
module       : kernel
priority     : 0
refcnt       : 5
selftest     : passed
type         : shash
blocksize    : 64
digestsize   : 16

name         : stdrng
driver       : krng
module       : kernel
priority     : 200
refcnt       : 2
selftest     : passed
type         : rng
seedsize     : 0

name         : lzo
driver       : lzo-generic
module       : kernel
priority     : 0
refcnt       : 2
selftest     : passed
type         : compression

name         : crc32c
driver       : crc32c-generic
module       : kernel
priority     : 100
refcnt       : 2
selftest     : passed
type         : shash
blocksize    : 1
digestsize   : 4

name         : deflate
driver       : deflate-generic
module       : kernel
priority     : 0
refcnt       : 2
selftest     : passed
type         : compression

name         : aes
driver       : aes-generic
module       : kernel
priority     : 100
refcnt       : 2
selftest     : passed
type         : cipher
blocksize    : 16
min keysize  : 16
max keysize  : 32

name         : des3_ede
driver       : des3_ede-generic
module       : kernel
priority     : 0
refcnt       : 3
selftest     : passed
type         : cipher
blocksize    : 8
min keysize  : 24
max keysize  : 24

name         : des
driver       : des-generic
module       : kernel
priority     : 0
refcnt       : 1
selftest     : passed
type         : cipher
blocksize    : 8
min keysize  : 8
max keysize  : 8

name         : sha224
driver       : sha224-generic
module       : kernel
priority     : 0
refcnt       : 1
selftest     : passed
type         : shash
blocksize    : 64
digestsize   : 28

name         : sha256
driver       : sha256-generic
module       : kernel
priority     : 0
refcnt       : 1
selftest     : passed
type         : shash
blocksize    : 64
digestsize   : 32

name         : sha1
driver       : sha1-generic
module       : kernel
priority     : 0
refcnt       : 1
selftest     : passed
type         : shash
blocksize    : 64
digestsize   : 20

name         : md5
driver       : md5-generic
module       : kernel
priority     : 0
refcnt       : 3
selftest     : passed
type         : shash
blocksize    : 64
digestsize   : 16
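
Added example, not part of the original post: ESP traffic for an installed SA is encrypted in the kernel through XFRM and the kernel crypto API rather than by the Strongswan openssl plugin, so the place to check is which driver `/proc/crypto` registers for the algorithms named in `ip xfrm state`. The sketch below parses text in `/proc/crypto` format and reports the highest-priority driver per algorithm. The sample input is constructed, `example-hw-cbc-aes` is a hypothetical driver name, and treating any driver whose name contains "generic" as software is a heuristic.

```python
import re

# Constructed sample in /proc/crypto format. The "-generic" entries follow the style
# of the listing in the post; "example-hw-cbc-aes" is a hypothetical driver name.
SAMPLE = """\
name         : cbc(aes)
driver       : cbc(aes-generic)
module       : kernel
priority     : 100
type         : blkcipher

name         : cbc(aes)
driver       : example-hw-cbc-aes
module       : kernel
priority     : 300
type         : ablkcipher

name         : hmac(sha1)
driver       : hmac(sha1-generic)
module       : kernel
priority     : 0
type         : shash
"""

def parse_proc_crypto(text):
    """Split /proc/crypto text into one dict per blank-line-separated entry."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = (line.partition(":") for line in block.splitlines())
        entry = {k.strip(): v.strip() for k, sep, v in fields if sep}
        if "name" in entry and "driver" in entry:
            entries.append(entry)
    return entries

def selected_driver(entries, alg):
    """Return the highest-priority entry registered for alg, or None."""
    matches = [e for e in entries if e["name"] == alg]
    return max(matches, key=lambda e: int(e.get("priority", "0")), default=None)

def audit(entries, algs):
    """Map each algorithm to (driver, is_generic); driver is None if not registered."""
    result = {}
    for alg in algs:
        e = selected_driver(entries, alg)
        result[alg] = (e["driver"], "generic" in e["driver"]) if e else (None, False)
    return result

if __name__ == "__main__":
    # Algorithm names as printed by `ip xfrm state` in the post.
    for alg, (drv, sw) in audit(parse_proc_crypto(SAMPLE), ["cbc(aes)", "hmac(sha1)"]).items():
        print(alg, "->", drv, "(generic software)" if sw else "")
```

On a live system, pass the contents of `/proc/crypto` to `parse_proc_crypto` instead of `SAMPLE`.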
