Usage¶
Before you begin¶
In this section, it is assumed that Virtual Accelerator has been properly installed and configured. See Getting Started for more details.
There is no runtime configuration for IPsec.
Please see the Fast Path IPsec IPv4 documentation, section Before you begin to perform the initial steps.
Configuration example¶
The following example is relevant to an Ubuntu machine.
ip xfrm policy add dir fwd src 3ffe:110:9:9::1/128 dst 3ffe:100:9:9::1/128 index 0x80000062 priority 2000 tmpl src 3ffe:9:11::5 dst 3ffe:9:11::1 proto esp reqid 99 mode tunnel
ip xfrm policy add dir in src 3ffe:110:9:9::1/128 dst 3ffe:100:9:9::1/128 index 0x80000058 priority 2000 tmpl src 3ffe:9:11::5 dst 3ffe:9:11::1 proto esp reqid 99 mode tunnel
ip xfrm policy add dir out src 3ffe:100:9:9::1/128 dst 3ffe:110:9:9::1/128 index 0x80000051 priority 2000 tmpl src 3ffe:9:11::1 dst 3ffe:9:11::5 proto esp reqid 99 mode tunnel
ip xfrm policy list
src 3ffe:100:9:9::1/128 dst 3ffe:110:9:9::1/128
dir out priority 2000 ptype main
tmpl src 3ffe:9:11::1 dst 3ffe:9:11::5
proto esp reqid 99 mode tunnel
src 3ffe:110:9:9::1/128 dst 3ffe:100:9:9::1/128
dir in priority 2000 ptype main
tmpl src 3ffe:9:11::5 dst 3ffe:9:11::1
proto esp reqid 99 mode tunnel
src 3ffe:110:9:9::1/128 dst 3ffe:100:9:9::1/128
dir fwd priority 2000 ptype main
tmpl src 3ffe:9:11::5 dst 3ffe:9:11::1
proto esp reqid 99 mode tunnel
# fp-cli
<fp-0> ipsec6-spd all
IPv6 SPD hash lookup min prefix lengths: local=0, remote=0
Inbound SPD: 1 rules
1: 3ffe:110:9:9::1/128 3ffe:100:9:9::1/128 proto any vr0 protect prio 2000
link-vr0
ESP tunnel 3ffe:9:11::5 - 3ffe:9:11::1 reqid=99
sp_packets=0 sp_bytes=0 sp_exceptions=0 sp_errors=0
Outbound SPD: 1 rules
1: 3ffe:100:9:9::1/128 3ffe:110:9:9::1/128 proto any vr0 protect prio 2000
link-vr0 cached-SA 0 genid 0
ESP tunnel 3ffe:9:11::1 - 3ffe:9:11::5 reqid=99
sp_packets=0 sp_bytes=0 sp_exceptions=0 sp_errors=0
ip xfrm state add src 3ffe:9:11::5 dst 3ffe:9:11::1 spi 0x00000991 proto esp reqid 99 mode tunnel enc "cbc(des)" 0x706f6e672d2d3939
ip xfrm state add src 3ffe:9:11::1 dst 3ffe:9:11::5 spi 0x00000432 proto esp reqid 99 mode tunnel enc "cbc(des)" 0x1974040657494E44
ip xfrm state list
src 3ffe:9:11::1 dst 3ffe:9:11::5
proto esp spi 0x00000432 reqid 99 mode tunnel
replay-window 0
enc cbc(des) 0x1974040657494e44
sel src ::/0 dst ::/0
src 3ffe:9:11::5 dst 3ffe:9:11::1
proto esp spi 0x00000991 reqid 99 mode tunnel
replay-window 0
enc cbc(des) 0x706f6e672d2d3939
sel src ::/0 dst ::/0
<fp-0> ipsec6-sad all
IPv6 SAD 2 SA.
1: 3ffe:9:11::5 - 3ffe:9:11::1 vr0 spi 0x991 ESP tunnel
x-vr0 reqid=99 genid 1 cached-SP: 0
DES-CBC
key enc:706f6e672d2d3939
sa_packets=0 sa_bytes=0 sa_auth_errors=0 sa_decrypt_errors=0
sa_replay_errors=0 sa_selector_errors=0
replay check is off width=0 seq=0 bitmap=0x00000000 - oseq=0
2: 3ffe:9:11::1 - 3ffe:9:11::5 vr0 spi 0x432 ESP tunnel
x-vr0 reqid=99 genid 2 cached-SP: 0
DES-CBC
key enc:1974040657494e44
sa_packets=0 sa_bytes=0 sa_auth_errors=0 sa_decrypt_errors=0
sa_replay_errors=0 sa_selector_errors=0
replay check is off width=0 seq=0 bitmap=0x00000000 - oseq=0
Security associations management¶
Please see the Fast Path IPsec IPv4 documentation: the commands to manage security associations are the same.
Security policies management¶
Please see the Fast Path IPsec IPv4 documentation: the commands to manage security policies are the same.
Statistics¶
Displaying the SPD¶
Synopsis
ipsec6-spd [all|raw]
- No parameter
Only display the number of global IPv6 SPs.
- all
Display all global IPv6 SPs registered in the fast path in order of priority.
- raw
Display all IPv6 SPs registered in the fast path in the same order as in the internal table.
Examples
<fp-0> ipsec6-spd
IPv6 SPD hash lookup min prefix lengths: local=0, remote=0
Inbound SPD: 1 rules
Outbound SPD: 1 rules
<fp-0> ipsec6-spd all
IPv6 SPD hash lookup min prefix lengths: local=0, remote=0
Inbound SPD: 1 rules
1: 3ffe:110:9:9::1/128 3ffe:100:9:9::1/128 proto any vr0 protect prio 2000
link-vr0
ESP tunnel 3ffe:9:11::5 - 3ffe:9:11::1 reqid=99
sp_packets=0 sp_bytes=0 sp_exceptions=0 sp_errors=0
Outbound SPD: 1 rules
1: 3ffe:100:9:9::1/128 3ffe:110:9:9::1/128 proto any vr0 protect prio 2000
link-vr0 cached-SA 0 genid 0
ESP tunnel 3ffe:9:11::1 - 3ffe:9:11::5 reqid=99
sp_packets=0 sp_bytes=0 sp_exceptions=0 sp_errors=0
<fp-0> ipsec6-spd raw
IPv6 SPD hash lookup min prefix lengths: local=0, remote=0
Inbound SPD: 1 total rules, 1 global rules
1: 3ffe:110:9:9::1/128 3ffe:100:9:9::1/128 proto any vr0 protect prio 2000
link-vr0
ESP tunnel 3ffe:9:11::5 - 3ffe:9:11::1 reqid=99
sp_packets=0 sp_bytes=0 sp_exceptions=0 sp_errors=0
Outbound SPD: 1 total rules, 1 global rules
1: 3ffe:100:9:9::1/128 3ffe:110:9:9::1/128 proto any vr0 protect prio 2000
link-vr0 cached-SA 0 genid 0
ESP tunnel 3ffe:9:11::1 - 3ffe:9:11::5 reqid=99
sp_packets=0 sp_bytes=0 sp_exceptions=0 sp_errors=0
Displaying the SAD¶
Dump all SAs, or only a specific one.
Synopsis
ipsec6-sad [all] [(svti|xfrmi) <ifname>] [<src> <prefix> <dst> <prefix> <proto>]
- No parameters
Only display the number of IPv6 SAs present in the fast path table.
- all
Display all IPv6 SAs present in the fast path table.
- svti <ifname>
Specific SVTI interface name.
- xfrmi <ifname>
Specific XFRM interface name.
- <src>
SA source IPv6 address.
- <prefix>
Length (in bits) of the source IPv6 netmask prefix.
- <dst>
SA destination IPv6 address.
- <prefix>
Length (in bits) of the destination IPv6 netmask prefix.
- <proto>
Select the AH or the ESP protocol.
Examples
<fp-0> ipsec6-sad
IPv6 SAD 2 SA.
<fp-0> ipsec6-sad all
IPv6 SAD 2 SA.
1: 3ffe:9:11::5 - 3ffe:9:11::1 vr0 spi 0x991 ESP tunnel
x-vr0 reqid=99 genid 1 cached-SP: 0
DES-CBC
key enc:706f6e672d2d3939
sa_packets=0 sa_bytes=0 sa_auth_errors=0 sa_decrypt_errors=0
sa_replay_errors=0 sa_selector_errors=0
replay check is off width=0 seq=0 bitmap=0x00000000 - oseq=0
2: 3ffe:9:11::1 - 3ffe:9:11::5 vr0 spi 0x432 ESP tunnel
x-vr0 reqid=99 genid 2 cached-SP: 0
DES-CBC
key enc:1974040657494e44
sa_packets=0 sa_bytes=0 sa_auth_errors=0 sa_decrypt_errors=0
sa_replay_errors=0 sa_selector_errors=0
replay check is off width=0 seq=0 bitmap=0x00000000 - oseq=0
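Both the configuration example above and the later "check that your configuration is correctly synchronized in the fast path" steps compare the kernel SAD (`ip xfrm state list`) with the fast path SAD (`ipsec6-sad all`) by eye. The script below is an added example, not part of the Virtual Accelerator documentation or code: it parses the two text formats exactly as they appear on this page (the sample outputs are copied from the configuration example), keys each SA on (src, dst, SPI) and reports SAs that are missing on one side or differ in protocol, mode, reqid, encryption key or replay window. Field names such as `enc_key` and `window` are the script's own.

```python
"""Cross-check the Linux XFRM SAD against the fast path IPv6 SAD.

Added example: parses `ip xfrm state list` output and fp-cli `ipsec6-sad all`
output in the format shown on this page and lists every discrepancy.
"""
import re

# Sample output copied from the configuration example (constructed test input).
IP_XFRM_STATE = """\
src 3ffe:9:11::1 dst 3ffe:9:11::5
proto esp spi 0x00000432 reqid 99 mode tunnel
replay-window 0
enc cbc(des) 0x1974040657494e44
sel src ::/0 dst ::/0
src 3ffe:9:11::5 dst 3ffe:9:11::1
proto esp spi 0x00000991 reqid 99 mode tunnel
replay-window 0
enc cbc(des) 0x706f6e672d2d3939
sel src ::/0 dst ::/0
"""

FP_CLI_SAD = """\
IPv6 SAD 2 SA.
1: 3ffe:9:11::5 - 3ffe:9:11::1 vr0 spi 0x991 ESP tunnel
x-vr0 reqid=99 genid 1 cached-SP: 0
DES-CBC
key enc:706f6e672d2d3939
sa_packets=0 sa_bytes=0 sa_auth_errors=0 sa_decrypt_errors=0
sa_replay_errors=0 sa_selector_errors=0
replay check is off width=0 seq=0 bitmap=0x00000000 - oseq=0
2: 3ffe:9:11::1 - 3ffe:9:11::5 vr0 spi 0x432 ESP tunnel
x-vr0 reqid=99 genid 2 cached-SP: 0
DES-CBC
key enc:1974040657494e44
sa_packets=0 sa_bytes=0 sa_auth_errors=0 sa_decrypt_errors=0
sa_replay_errors=0 sa_selector_errors=0
replay check is off width=0 seq=0 bitmap=0x00000000 - oseq=0
"""

FIELDS = ("proto", "mode", "reqid", "enc_key", "window")


def parse_ip_xfrm_state(text):
    """Return {(src, dst, spi): fields} from `ip xfrm state list` output."""
    sas, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"src (\S+) dst (\S+)$", line)       # one record per SA
        if m:
            cur = {"src": m[1], "dst": m[2], "reqid": 0, "window": 0, "enc_key": None}
            continue
        if cur is None:
            continue
        m = re.match(r"proto (\w+) spi (0x[0-9a-fA-F]+)(?: reqid (\d+))? mode (\w+)", line)
        if m:
            cur.update(proto=m[1].upper(), spi=int(m[2], 16), mode=m[4])
            if m[3]:
                cur["reqid"] = int(m[3])
            sas[(cur["src"], cur["dst"], cur["spi"])] = cur
            continue
        m = re.match(r"replay-window (\d+)", line)
        if m:
            cur["window"] = int(m[1])
            continue
        m = re.match(r"enc \S+ 0x([0-9a-fA-F]+)", line)   # key is printed in hex
        if m:
            cur["enc_key"] = m[1].lower()
    return sas


def parse_fp_sad(text):
    """Return {(src, dst, spi): fields} from fp-cli `ipsec6-sad all` output."""
    sas, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"\d+: (\S+) - (\S+) \S+ spi (0x[0-9a-fA-F]+) (\w+) (\w+)", line)
        if m:
            cur = {"src": m[1], "dst": m[2], "spi": int(m[3], 16), "proto": m[4].upper(),
                   "mode": m[5], "reqid": 0, "window": 0, "enc_key": None}
            sas[(m[1], m[2], cur["spi"])] = cur
            continue
        if cur is None:
            continue
        for field, pattern in (("reqid", r"reqid=(\d+)"), ("window", r"width=(\d+)")):
            m = re.search(pattern, line)
            if m:
                cur[field] = int(m[1])
        m = re.search(r"key enc:([0-9a-fA-F]+)", line)
        if m:
            cur["enc_key"] = m[1].lower()
    return sas


def compare_sad(kernel_text, fp_text):
    """List human-readable discrepancies; an empty list means the SADs agree."""
    kern, fp = parse_ip_xfrm_state(kernel_text), parse_fp_sad(fp_text)
    problems = []
    for key in sorted(set(kern) | set(fp)):
        label = "%s -> %s spi 0x%x" % key
        if key not in fp:
            problems.append(f"{label}: in kernel but not in fast path")
        elif key not in kern:
            problems.append(f"{label}: in fast path but not in kernel")
        else:
            for f in FIELDS:
                if kern[key][f] != fp[key][f]:
                    problems.append(f"{label}: {f} kernel={kern[key][f]} fastpath={fp[key][f]}")
    return problems


if __name__ == "__main__":
    print(compare_sad(IP_XFRM_STATE, FP_CLI_SAD) or "SADs are synchronized")
```

In practice the two inputs come from `ip -6 xfrm state list` and `fp-cli` run on the same host; the SPI is normalized to an integer because the kernel prints it zero-padded (`0x00000432`) while fp-cli prints it short (`0x432`). A difference in `window` (kernel `replay-window` versus fp-cli `width=`) is worth catching too, since a fast path SA without replay protection silently accepts replayed packets.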
Extended Sequence Number¶
Note
This feature needs the ESN and large anti-replay window static configuration iproute2 patch.
AH and ESP headers support extended, 64-bit sequence numbers to detect replayed packets.
A single IPsec SA can therefore transfer a maximum of 2^64 IPsec packets.
Example
Create an SA with ESN support and a 128 packets replay window:
$ ip xfrm state add src 3ffe:2:11::1 dst 3ffe:2:11::5 spi 0x00000220 proto esp reqid 22 mode tunnel \
    enc aes cle1goldorakgoldorakcle1 auth sha1 cle1goldorakgoldcle1 flag esn replay-window 128
Check that your configuration is correctly synchronized in the fast path:
$ fp-cli
<fp-0> ipsec6-sad all
IPv6 SAD 1 SA.
1: 3ffe:2:11::1 - 3ffe:2:11::5 vr0 spi 0x220 ESP tunnel
x-vr0 reqid=22 counter 1 genid 1 cached-SP: 0
AES-CBC HMAC-SHA1 esn
key enc:636c6531676f6c646f72616b676f6c646f72616b636c6531
digest length: 12
key auth:636c6531676f6c646f72616b676f6c64636c6531
sa_packets=0 sa_bytes=0 sa_auth_errors=0 sa_decrypt_errors=0
sa_replay_errors=0 sa_selector_errors=0
replay width=128 seq=0x0 - oseq=0x0
00000000 00000000 00000000 00000000
Large anti-replay window example¶
Note
This feature needs the ESN and large anti-replay window static configuration iproute2 patch.
You can set the anti-replay window size between 32 and 4096 packets (maximum size allowed by the Linux kernel).
Example
Create an SA with a 256 packets replay window:
$ ip xfrm state add src 3ffe:2:11::1 dst 3ffe:2:11::5 spi 0x00000220 proto esp reqid 22 mode tunnel \
    enc aes cle1goldorakgoldorakcle1 auth sha1 cle1goldorakgoldcle1 replay-window 256
Check that your configuration is correctly synchronized in the fast path:
$ fp-cli
<fp-0> ipsec6-sad all
IPv6 SAD 1 SA.
1: 3ffe:2:11::1 - 3ffe:2:11::5 vr0 spi 0x220 ESP tunnel
x-vr0 reqid=22 counter 2 genid 2 cached-SP: 0
AES-CBC HMAC-SHA1
key enc:636c6531676f6c646f72616b676f6c646f72616b636c6531
digest length: 12
key auth:636c6531676f6c646f72616b676f6c64636c6531
sa_packets=0 sa_bytes=0 sa_auth_errors=0 sa_decrypt_errors=0
sa_replay_errors=0 sa_selector_errors=0
replay width=256 seq=0x0 - oseq=0x0
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
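The `replay width=... seq=... - oseq=...` line and the bitmap words printed by `ipsec6-sad all` in the two examples above are the receiver-side anti-replay state of the SA. The following model is an added example, written for this page and not taken from the Virtual Accelerator code or the iproute2 patch: it implements the sliding window of RFC 4303 Appendix A for both the ESN section and the large window section, including the reconstruction of the high-order 32 bits that are never sent on the wire. The class and method names, the `stats` counters and the verdict strings are the example's own; the ICV check is simulated by comparing the receiver's reconstructed high-order bits with the sender's counter, since the real ICV is computed over those implicit bits.

```python
"""Receiver-side anti-replay window with Extended Sequence Numbers (ESN),
following the algorithm in RFC 4303 Appendix A.

Added example: it models the window state that `ipsec6-sad all` reports as
`replay width=... seq=... bitmap`, not the Virtual Accelerator implementation.
"""

SEQ32 = 1 << 32


class AntiReplayWindow:
    """Replay state of one inbound IPsec SA.

    width: window size in packets; the kernel accepts 32..4096 (see above).
    esn:   True when the SA carries 64-bit extended sequence numbers.
    """

    def __init__(self, width=128, esn=True):
        if not 32 <= width <= 4096:
            raise ValueError("replay window must be between 32 and 4096 packets")
        self.width = width
        self.esn = esn
        self.top = 0        # highest sequence number accepted so far (T in the RFC)
        self.bitmap = 1     # bit i set => sequence number (top - i) already seen;
                            # sequence number 0 is never transmitted, so mark it used
        self.stats = {"accepted": 0, "replay_errors": 0, "auth_errors": 0}

    def _guess_high(self, seql):
        """Reconstruct the high-order 32 bits from the 32 bits on the wire."""
        tl, th = self.top & (SEQ32 - 1), self.top >> 32
        lower = (tl - self.width + 1) % SEQ32     # lowest sequence number in the window
        if tl >= self.width - 1:                  # Case A: window within one 2^32 subspace
            return th if seql >= lower else th + 1
        return th - 1 if seql >= lower else th    # Case B: window straddles a 2^32 wrap

    def receive(self, sender_seq):
        """Classify one inbound packet.

        sender_seq is the sender's full 64-bit counter. Only its low 32 bits are
        carried in the ESP header; the high bits are implicitly covered by the
        ICV, which this model simulates by comparing the receiver's guess with
        the sender's value (a wrong guess is an integrity failure, not a replay).
        """
        seql = sender_seq & (SEQ32 - 1)
        seqh = self._guess_high(seql) if self.esn else 0
        if seqh < 0 or (self.esn and seqh != (sender_seq >> 32)):
            self.stats["auth_errors"] += 1        # would show up as sa_auth_errors
            return "auth_error"
        seq = (seqh << 32) | seql
        if seq > self.top:                        # right of the window: slide it
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) if shift < self.width else 1
            self.bitmap &= (1 << self.width) - 1
            self.top = seq
        else:
            offset = self.top - seq
            if offset >= self.width:              # left of the window: too old
                self.stats["replay_errors"] += 1
                return "stale"
            if (self.bitmap >> offset) & 1:       # inside the window, already seen
                self.stats["replay_errors"] += 1
                return "replay"
            self.bitmap |= 1 << offset
        self.stats["accepted"] += 1
        return "accepted"


def demo():
    """Sender counter crossing the 2^32 boundary, followed by two replays."""
    window = AntiReplayWindow(width=128, esn=True)
    packets = (0xFFFFFF80, 0xFFFFFFF0, 0x1_0000_0005, 0xFFFFFFF8,
               0xFFFFFFF8,      # duplicate of the previous packet
               0xFFFFFFF0)      # duplicate of an earlier packet still in the window
    return [window.receive(seq) for seq in packets]


if __name__ == "__main__":
    print(demo())
```

Two things the model makes visible: with ESN the receiver never reaches the "stale" verdict, because a sequence number far below the window is interpreted as belonging to the next 2^32 subspace and is rejected by the integrity check instead (the `sa_auth_errors` counter, not `sa_replay_errors`), and a larger `width` only widens the tolerance for reordering; packets delivered more than `width` positions out of order are still dropped, which is why the ordering effect mentioned under cryptographic offloading below matters for the SA's replay window.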
IPv6 in IPv4 IPsec tunnel example¶
We will encapsulate IPv6 packets in a static IPv4 IPsec tunnel.
Create the inbound IPsec endpoint:
Create an IPv4 IPsec SA for IPv6 packets:
$ ip xfrm state add src 2.1.0.5 dst 2.1.0.1 proto esp spi 0x00000221 mode tunnel \
    sel src ::/0 enc aes cle1goldorakgoldorakcle1 auth sha1 cle1goldorakgoldcle1
Create an inbound IPv6 IPsec SP:
$ ip xfrm policy add src 3ffe:110:2:2::1/128 dst 3ffe:100:2:2::1/128 dir in \
    tmpl src 2.1.0.5 dst 2.1.0.1 proto esp mode tunnel
Create a forward IPv6 IPsec SP:
$ ip xfrm policy add src 3ffe:110:2:2::1/128 dst 3ffe:100:2:2::1/128 dir fwd \
    tmpl src 2.1.0.5 dst 2.1.0.1 proto esp mode tunnel
Create the outbound IPsec endpoint:
Create an IPv4 IPsec SA for IPv6 packets:
$ ip xfrm state add src 2.1.0.1 dst 2.1.0.5 proto esp spi 0x00000220 mode tunnel \
    sel src ::/0 enc aes cle1goldorakgoldorakcle2 auth sha1 cle1goldorakgoldcle2
Create an outbound IPv6 IPsec SP:
$ ip xfrm policy add src 3ffe:100:2:2::1/128 dst 3ffe:110:2:2::1/128 dir out \
    tmpl src 2.1.0.1 dst 2.1.0.5 proto esp mode tunnel
Check that your configuration is correctly synchronized in the fast path:
Start fp-cli:
$ fp-cli
Display the SAs in the Fast Path IPsec IPv4 table:
<fp-0> ipsec4-sad all
SAD 2 SA.
1: 2.1.0.5 - 2.1.0.1 vr0 spi 0x221 ESP tunnel
x-vr0 counter 1 cached-SP 0 (genid 1)
AES-CBC HMAC-SHA1
key enc:636c6531676f6c646f72616b676f6c646f72616b636c6531
digest length: 12
key auth:636c6531676f6c646f72616b676f6c64636c6531
sa_packets=0 sa_bytes=0 sa_auth_errors=0 sa_decrypt_errors=0
sa_replay_errors=0 sa_selector_errors=0
replay width=0 seq=0x0 - oseq=0x0
2: 2.1.0.1 - 2.1.0.5 vr0 spi 0x220 ESP tunnel
x-vr0 counter 1 cached-SP 0 (genid 2)
AES-CBC HMAC-SHA1
key enc:636c6531676f6c646f72616b676f6c646f72616b636c6532
digest length: 12
key auth:636c6531676f6c646f72616b676f6c64636c6532
sa_packets=0 sa_bytes=0 sa_auth_errors=0 sa_decrypt_errors=0
sa_replay_errors=0 sa_selector_errors=0
replay width=0 seq=0x0 - oseq=0x0
Display the SPs in the Fast Path IPsec IPv6 table:
<fp-0> ipsec6-spd all
IPv6 SPD hash lookup min prefix lengths: local=0, remote=0
Inbound SPD: 1 rules
1: 3ffe:110:2:2::1/128 3ffe:100:2:2::1/128 proto any vr0 protect prio 0
link-vr0
ESP tunnel 2.1.0.5 - 2.1.0.1
sp_packets=0 sp_bytes=0 sp_exceptions=0 sp_errors=0
Outbound SPD: 1 rules
1: 3ffe:100:2:2::1/128 3ffe:110:2:2::1/128 proto any vr0 protect prio 0
link-vr0 cached-SA 0 genid 0
ESP tunnel 2.1.0.1 - 2.1.0.5
sp_packets=0 sp_bytes=0 sp_exceptions=0 sp_errors=0
See also
To dynamically configure IPsec tunnels, see the Control Plane Security - IKEv1 and IKEv2 documentation.
Offload of cryptographic operations¶
The maximal throughput of a single tunnel is limited. To raise this limit, cryptographic operations are offloaded to idle fast path cores. The gain provided by this feature depends on the traffic model and on the number of idle fast path cores. Typically, the maximal throughput of a tunnel carrying IMIX traffic doubles if one fast path core is available to perform the cryptographic operations.
How to configure the offloading of cryptographic operations is detailed in FPN-SDK Cryptographic offloading.
By default, cryptographic offloading is done only for packets received from the tunnel. Cryptographic offloading for packets sent into the tunnel can be enabled through the CLI, but it can change packet ordering (especially when many flows are aggregated in the tunnel) and cause issues with the anti-replay window of the IPsec SA.
Providing options¶
Some capabilities can be tuned for this module.
Example
FP_OPTIONS="--mod-opt=ipsec6:--sp-hash-order=10"
- --sa-hash-order¶
Size order of the IPv6 IPsec SAD hash table. The value is automatically updated if ipsec:--max-sa is changed.
- Default value
16
- Range
16 .. 20
- --sp-hash-order¶
Size order of the IPv6 IPsec SPD hash table. The value is automatically updated if ipsec:--max-sp is changed.
- Default value
9
- Range
8 .. 16
Note
See the Fast Path Capabilities documentation for the impact of the available memory on the default value of configurable capabilities.