2.4. System Configuration
This section details the general Turbo IPsec services configuration concepts.
2.4.1. User Accounts
Three user accounts are provided by default:
||Standard account to manage Turbo IPsec through CLI|
||Provides the ability to log into the Linux subsystem as superuser. This account is provided for initial system configuration and restricted to the use cases covered in this documentation. Any additional configuration and customization of the system requires expert knowledge of Linux and 6WIND’s technology. Contact the 6WIND customer support team if you expect to use Turbo IPsec in expert mode.|
See the CLI User Guide, Basics section, for more information about user accounts.
2.4.2. Turbo IPsec Services
At first boot, the system is automatically initialized with the default configuration and the Turbo IPsec services are started.
As root, use systemctl to check the status of Turbo IPsec services:
# systemctl status turbo
The default configuration is adapted to most use cases. We suggest that you jump to the networking configuration.
For specific needs, it can be customized through the configuration wizard or by
manually editing the configuration files in
described in the next sections.
2.4.3. Customizing the configuration
The fast path is the Turbo IPsec component in charge of packet processing. By default, the fast path:
- runs on all the logical cores of the machine except the first one, which is reserved for Linux
- takes control of all supported physical network ports
Customizing the fast path configuration lets you change:
- Fast path capabilities
- Ethernet NICs managed by fast path
- The cores running fast path
- Crypto acceleration
Stopping Turbo IPsec services
Before customizing the configuration, make sure that all Turbo IPsec services are stopped:
# systemctl stop turbo
To disable automatic startup of Turbo IPsec services at boot time, override the default Turbo IPsec services configuration file:
# systemctl disable turbo
Initializing the configuration
All Turbo IPsec parameters are stored in
Once logged in, launch the initialization script:
[root@router ~]# turbo.sh config
Configuring Turbo Appliance...
All 6WINDGate package configuration files were copied to /usr/admin/etc/*.env.
Would you like to continue with the configuration wizard (recommended)? [Y/n]
At this step, you may hit y to launch the configuration wizard, or type n and manually edit the fast path configuration file.
Using the fast path configuration wizard
The default fast path configuration uses all the logical cores except the first one (which is reserved for Linux) and all the supported physical network ports. Each network port is polled by all the logical cores of the same CPU socket.
In most use cases, this configuration lets you start the fast path with good performance without customization.
To customize the fast path using the interactive wizard:
# fast-path.sh config -i
Fast path configuration
=======================
1 - Select fast path ports and polling cores
2 - Select a hardware crypto accelerator
3 - Advanced configuration
4 - Advanced plugin configuration
5 - Display configuration
S - Save configuration and exit
Q - Quit
Enter selection [S]:
1 - Select fast path ports and polling cores takes care of the mandatory fast path configuration, which comprises:
- Core allocation: The fast path needs dedicated cores that are isolated from other Linux tasks.
- Physical port assignment: The fast path must have full control over a network port to provide acceleration on this port. At fast path start, a DPVI replaces each Linux interface associated with a fast path port. The new interface has the same name as the old interface. The configuration that was done on the old interface is lost (IP addresses, MTU, routes, etc).
- Core to port mapping: The main task of the fast path cores is to check whether packets are available on a port and to process these packets. In most use cases, good performance is obtained with the default configuration: all cores poll all ports of the same socket.
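Because the IP addresses, MTU and routes set on a port's Linux interface are lost when the DPVI replaces it, it helps to capture them before the fast path starts. The following is an added example, not part of the 6WIND documentation: it turns saved ip output into the commands that re-apply one port's settings. The function names and the eth1 port name used when calling them are assumptions.

```shell
#!/bin/sh
# Added example, not 6WIND code. Each function reads saved `ip` output on
# stdin and prints the commands that re-apply one port's settings.

# addr_restore PORT < `ip -o addr show`
# Link-scope addresses are skipped: the kernel regenerates them.
addr_restore() {
    awk -v port="$1" '
        $2 == port && ($3 == "inet" || $3 == "inet6") {
            for (i = 5; i < NF; i++)
                if ($i == "scope" && $(i + 1) == "link") next
            printf "ip addr add %s dev %s\n", $4, port
        }'
}

# mtu_restore PORT < `ip -o link show`
mtu_restore() {
    awk -v port="$1" '
        $2 == (port ":") {
            for (i = 3; i < NF; i++)
                if ($i == "mtu")
                    printf "ip link set dev %s mtu %s\n", port, $(i + 1)
        }'
}

# route_restore PORT < `ip route show`
# "proto kernel" routes are skipped: they come back with the address.
route_restore() {
    awk -v port="$1" '
        / proto kernel / { next }
        {
            for (i = 1; i < NF; i++)
                if ($i == "dev" && $(i + 1) == port) {
                    print "ip route add " $0
                    next
                }
        }'
}

# restore_script PORT: run before the fast path starts and keep the output.
restore_script() {
    ip -o link show | mtu_restore "$1"
    ip -o addr show | addr_restore "$1"
    ip route show   | route_restore "$1"
}
```

Review the generated commands before replaying them; IPv6 routes (ip -6 route show) are not covered.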
2 - Select a hardware crypto accelerator lets you select the crypto acceleration type.
- Crypto acceleration selection
By default, the fastest software method is used:
- Intel Multi-Buffer for software crypto acceleration using AES-NI if available
- Or generic software crypto implementation
The following hardware crypto engine may also be activated in the menu:
- Intel Coleto Creek for hardware crypto acceleration using Intel Communications Chipset 895x Series, 8925 or 8926 (Coleto Creek)
3 - Advanced configuration, the following parameters can be
- fast path memory allocation (
The fast path needs dedicated memory. The fast path dedicated memory is allocated in hugepages.
A hugepage is a page that addresses more memory than the usual 4KB. Accessing a hugepage is more efficient than accessing a regular memory page. Its default size is 2MB.
- Mbuf pool preallocation: The network packets manipulated by the fast path are stored in buffers named mbufs. An mbuf pool is allocated at fast path start.
S - Save configuration and exit writes the configuration file to
Starting Turbo IPsec services
Once the fast path configuration is complete, start Turbo IPsec services:
# systemctl start turbo
If you disabled automatic startup of Turbo IPsec services, restore it by
autostart=no from the kernel boot arguments.