2.4. System Configuration

This section details the general Turbo IPsec services configuration concepts.

2.4.1. User Accounts

Three user accounts are provided by default:

| Account | Default password | Description |
|---------|------------------|-------------|
| admin | admin | Standard account to manage Turbo IPsec through CLI |
| viewer | viewer | Same as admin, restricted to monitoring purposes |
| root | 6windos | Provides the ability to log into the Linux subsystem as superuser. This account is provided for initial system configuration and restricted to the use cases covered in this documentation. Any additional configuration and customization of the system requires expert knowledge of Linux and 6WIND’s technology. Contact the 6WIND customer support team if you expect to use Turbo IPsec in expert mode. |

See also

The CLI User Guide, Basics section, for more information about user accounts.
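
An added example, not part of the original documentation or 6WIND code: a check that none of the three accounts still carries the default password from the table above. It assumes the accounts have entries in a shadow(5)-format file and that `openssl passwd` is installed; `check_defaults` is a name chosen here.

```shell
#!/bin/sh
# Added example, not 6WIND code. Reports accounts whose stored hash still
# matches the default password listed in the user accounts table.
# Assumptions: the accounts appear in a shadow(5)-format file and the
# `openssl passwd` command is installed.

# account:password pairs copied from the table
DEFAULTS='admin:admin
viewer:viewer
root:6windos'

# check_defaults SHADOW_FILE
# Prints "DEFAULT <account>" when the default password reproduces the stored
# hash, "UNCHECKED <account>" when the hash scheme cannot be recomputed here.
check_defaults() {
    printf '%s\n' "$DEFAULTS" | while IFS=: read -r user pw; do
        stored=$(awk -F: -v u="$user" '$1 == u { print $2 }' "$1")
        id=$(printf '%s' "$stored" | cut -d'$' -f2)
        salt=$(printf '%s' "$stored" | cut -d'$' -f3)
        case $stored in
            ''|'!'*|'*'*) continue ;;               # not present, locked or empty field
            '$1$'*|'$5$'*|'$6$'*) ;;                # MD5, SHA-256, SHA-512 crypt
            *) echo "UNCHECKED $user"; continue ;;  # e.g. yescrypt
        esac
        case $salt in
            rounds=*) echo "UNCHECKED $user"; continue ;;  # custom round count
        esac
        if [ "$(openssl passwd "-$id" -salt "$salt" "$pw")" = "$stored" ]; then
            echo "DEFAULT $user"
        fi
    done
}

# Usage (as root): sh check-defaults.sh /etc/shadow
if [ "$#" -gt 0 ]; then check_defaults "$1"; fi
```

Any `DEFAULT` line means the account still accepts the documented password; an `UNCHECKED` line needs a manual check.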

2.4.2. Turbo IPsec Services

At first boot, the system is automatically initialized with the default configuration and the Turbo IPsec services are started.

As root, use systemctl to check the status of Turbo IPsec services:

# systemctl status turbo

The default configuration is adapted to most use cases. We suggest that you jump to the networking configuration.

For specific needs, it can be customized through the configuration wizard or by manually editing the configuration files in /usr/admin/etc, as described in the next sections.

2.4.3. Customizing the configuration

The fast path is the Turbo IPsec component in charge of packet processing. By default, the fast path:

  • runs on all the logical cores of the machine except the first one, which is reserved for Linux
  • takes control of all supported physical network ports

Customizing the fast path configuration lets you change:

  • Fast path capabilities
  • Ethernet NICs managed by fast path
  • The cores running fast path
  • Crypto acceleration

Stopping Turbo IPsec services

Before customizing the configuration, make sure that all Turbo IPsec services are stopped:

# systemctl stop turbo

To disable automatic startup of Turbo IPsec services at boot time, override the default Turbo IPsec services configuration file:

# systemctl disable turbo

Initializing the configuration

All Turbo IPsec parameters are stored in /usr/admin/etc subdirectories.

  1. Once logged in, launch the initialization script:

    [root@router ~]# turbo.sh config
    Configuring Turbo Appliance...
    All 6WINDGate package configuration files were copied to /usr/admin/etc/*.env.
      Would you like to continue with the configuration wizard (recommended)? [Y/n]
    

At this step, you may hit y to launch the configuration wizard, or type n and manually edit the fast path configuration file.

Using the fast path configuration wizard

The default fast path configuration uses all the logical cores except the first one (which is reserved for Linux) and all the supported physical network ports. Each network port is polled by all the logical cores of the same CPU socket.

In most use cases, this configuration lets you start the fast path with good performance without customization.

To customize the fast path using the interactive wizard:

# fast-path.sh config -i

Fast path configuration
=======================

1 - Select fast path ports and polling cores
2 - Select a hardware crypto accelerator
3 - Advanced configuration
4 - Advanced plugin configuration
5 - Display configuration

S - Save configuration and exit
Q - Quit

Enter selection [S]:

The option 1 - Select fast path ports and polling cores takes care of the mandatory fast path configuration, which comprises:

Core allocation
The fast path needs dedicated cores that are isolated from other Linux tasks.
Physical port assignation
The fast path must have full control over a network port to provide acceleration on this port. At fast path start, a DPVI will replace each Linux interface associated with a fast path port. The new interface has the same name as the old interface. The configuration that was done on the old interface is lost (IP addresses, MTU, routes, etc.).
Core to port mapping
The fast path cores’ main task is to check if packets are available on a port, and process these packets. In most use cases, good performance is obtained with the default configuration: all cores poll all ports of the same socket.
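
An added example, not part of the original documentation or 6WIND code: because the addresses, MTU and routes of each port are lost when the DPVI replaces its Linux interface, this script saves them beforehand and prints the commands that would re-create them on the same-named interface. It assumes iproute2; the function names are chosen here, and only IPv4 routes from the main table are covered.

```shell
#!/bin/sh
# Added example, not 6WIND code. Assumes iproute2; function names are chosen here.
# Port names are supplied by the operator; only IPv4 main-table routes are handled.

snapshot() {        # snapshot DIR: run before the fast path starts
    mkdir -p "$1"
    ip -o addr show > "$1/addr"
    ip -o link show > "$1/link"
    ip route show > "$1/route"
}

addr_cmds() {       # addr_cmds PORT < saved `ip -o addr show`
    awk -v p="$1" '$2 == p && $3 ~ /^inet6?$/ {
        if ($3 == "inet6" && / scope link /) next   # link-local is regenerated
        print "ip addr add " $4 " dev " p }'
}

mtu_cmds() {        # mtu_cmds PORT < saved `ip -o link show`
    awk -v p="$1" '$2 == (p ":") {
        for (i = 3; i < NF; i++)
            if ($i == "mtu") print "ip link set dev " p " mtu " $(i + 1) }'
}

route_cmds() {      # route_cmds PORT < saved `ip route show`
    awk -v p="$1" '{
        on_port = 0; kernel = 0
        for (i = 1; i < NF; i++) {
            if ($i == "dev" && $(i + 1) == p) on_port = 1
            if ($i == "proto" && $(i + 1) == "kernel") kernel = 1
        }
        # kernel routes reappear by themselves once the address is back
        if (on_port && !kernel) { $1 = $1; print "ip route add " $0 }
    }'
}

restore_cmds() {    # restore_cmds DIR PORT...: prints commands, runs nothing
    dir=$1; shift
    for port in "$@"; do
        mtu_cmds "$port" < "$dir/link"
        addr_cmds "$port" < "$dir/addr"
        route_cmds "$port" < "$dir/route"
    done
}

case ${1:-} in
    snapshot) snapshot "$2" ;;
    restore)  shift; restore_cmds "$@" ;;
esac
```

Run it with `snapshot DIR` before starting the fast path and with `restore DIR PORT...` afterwards; the output is meant to be reviewed before any of it is executed.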

The option 2 - Select a hardware crypto accelerator lets you select the crypto acceleration type.

Crypto acceleration selection

By default, the fastest software method is used:

  • Intel Multi-Buffer for software crypto acceleration using AES-NI if available
  • Or generic software crypto implementation

The following hardware crypto engine may also be activated in the menu:

  • Intel Coleto Creek for hardware crypto acceleration using Intel Communications Chipset 895x Series, 8925 or 8926 (Coleto Creek)

In 3 - Advanced configuration, the following parameters can be customized:

Fast path memory allocation (FP_MEMORY)

The fast path needs dedicated memory. The fast path dedicated memory is allocated in hugepages.

Note

A hugepage is a page that addresses more memory than the usual 4KB. Accessing a hugepage is more efficient than accessing a regular memory page. Its default size is 2MB.

Mbuf pool preallocation
The network packets manipulated by the fast path are stored in buffers named mbufs. An mbuf pool is allocated at fast path start.

The option S - Save configuration and exit writes the configuration file to /usr/admin/etc/fast-path.env.

Starting Turbo IPsec services

Once the fast path configuration is complete, start Turbo IPsec services:

# systemctl start turbo

If you disabled automatic startup of Turbo IPsec services, restore it by removing autostart=no from the kernel boot arguments.