Hi Chuan,

You need to specify salt for GCM to work in static config.

i.e.

    ipsec sa add 1 spi 255129 esp crypto-key 0123456789012345678901234567890101234567890123456789012345678901 crypto-alg aes-gcm-256 salt 0x12345678

LMK if this helps...

-- 
Damjan

> On 27 Nov 2019, at 15:16, Chuan Han <chuan...@google.com> wrote:
> 
> I switched cipher from aes-gcm to aes-cbc. native stack works. it seems the issue is related to aes-gcm cipher support in native stack? Probably some integration bug between aes-gcm and native stack?
> 
> On Tue, Nov 19, 2019 at 10:42 AM Chuan Han via Lists.Fd.Io <http://lists.fd.io/> <chuanhan=google....@lists.fd.io <mailto:google....@lists.fd.io>> wrote:
> Hi, Damjan,
> 
> See attachment for detailed logs. no.vdev.xxx files contain the log for the case where vdev is commented out. v.dev.xxx files contain logs for the case where vdev is enabled.
> 
> I pinged srv-1 from srv-2, i.e., 172.16.2.2 -> 172.16.1.2.
> 
> When vdev is removed, the srv-1 cannot decrypt the esp pkts. When vdev is enabled, I can see srv-1 decrypted esp pkts and ping worked fine.
> 
> Thanks.
> Chuan
> 
> 
> On Tue, Nov 19, 2019 at 2:08 AM Damjan Marion <dmar...@me.com <mailto:dmar...@me.com>> wrote:
> Hi Chuan,
> 
> Please note that we have daily run of IPSec performance tests in CSIT with VPP running on the physical NIC with DPDK drivers.
> Also please note that every VPP patch is passing unit tests with IETF and NIST test encryption vectors.
> 
> Other comments inline….
> 
> 
> > On 18 Nov 2019, at 23:48, Chuan Han via Lists.Fd.Io <http://lists.fd.io/> <chuanhan=google....@lists.fd.io <mailto:google....@lists.fd.io>> wrote:
> > 
> > Hi, vpp experts,
> > 
> > I was told that vpp's native ipsec stack is stabler and more performant. We can enable it by commenting out the vdev line in dpdk stanza.
> > 
> > However, when I did so, ipsec decryption failed.
> > 
> > Ex:
> > # commenting out this line makes decryption fail.
> > vdev crypto_aesni_mb0,socket_id=0
> 
> Have you validated that in your working case, packets are decrypted correctly?
> Can you share packet trace for both cases?
> 
> > 
> > Did anyone ever make native ipsec stack, i.e., ia32 work with dpdk/phy nic?
> 
> yes, it is tested and working on the daily basis.
> 
> > 
> > The interesting thing is no matter whether I comment out the vdev line or not, ia32 is shown as the active crypto handler for aes-gcm-256. Does this mean ia32 is used by both cases?
> > 
> > vpp# sh crypto engines
> > Name      Prio  Description
> > ia32      100   Intel IA32 ISA Optimized Crypto
> > ipsecmb   80    Intel(R) Multi-Buffer Crypto for IPsec Library 0.52.0
> > openssl   50    OpenSSL
> > vpp# sh crypto handlers
> > Algo          Type          Active    Candidates
> > (nil)
> > des-cbc       encrypt       openssl   openssl
> >               decrypt       openssl   openssl
> > 3des-cbc      encrypt       openssl   openssl
> >               decrypt       openssl   openssl
> > aes-128-cbc   encrypt       ia32      ia32 ipsecmb openssl
> >               decrypt       ia32      ia32 ipsecmb openssl
> > aes-192-cbc   encrypt       ia32      ia32 ipsecmb openssl
> >               decrypt       ia32      ia32 ipsecmb openssl
> > aes-256-cbc   encrypt       ia32      ia32 ipsecmb openssl
> >               decrypt       ia32      ia32 ipsecmb openssl
> > aes-128-ctr   encrypt       openssl   openssl
> >               decrypt       openssl   openssl
> > aes-192-ctr   encrypt       openssl   openssl
> >               decrypt       openssl   openssl
> > aes-256-ctr   encrypt       openssl   openssl
> >               decrypt       openssl   openssl
> > aes-128-gcm   aead-encrypt  ia32      ia32 ipsecmb openssl
> >               aead-decrypt  ia32      ia32 ipsecmb openssl
> > aes-192-gcm   aead-encrypt  ia32      ia32 ipsecmb openssl
> >               aead-decrypt  ia32      ia32 ipsecmb openssl
> > aes-256-gcm   aead-encrypt  ia32      ia32 ipsecmb openssl
> >               aead-decrypt  ia32      ia32 ipsecmb openssl
> > hmac-md5      hmac          openssl   openssl
> > hmac-sha-1    hmac          ipsecmb   ipsecmb openssl
> > hmac-sha-224  hmac          ipsecmb   ipsecmb openssl
> > hmac-sha-256  hmac          ipsecmb   ipsecmb openssl
> > hmac-sha-384  hmac          ipsecmb   ipsecmb openssl
> > hmac-sha-512  hmac          ipsecmb   ipsecmb openssl
> > vpp#
> 
> “show crypto handlers” command is part of new crypto infra, and that command doesn’t have anything with dpdk ipsec implementation.
> If you turn on dpdk ipsec, new crypto infra is simply not used...
> 
> > 
> > I attached the two servers' startup conf files and topology diagram.
> > 
> > Any input/comments are welcome.
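Added example (not code from this thread or from VPP) showing why a static AES-GCM SA needs the salt: RFC 4106 builds the 12-byte GCM nonce from a 4-byte salt that never goes on the wire plus the 8-byte IV carried in each packet, so a receiver without the salt derives a different nonce and every packet fails ICV verification, which is what "cannot decrypt the esp pkts" looks like. Key, salt and SPI are taken from Damjan's command; the payload and sequence number are constructed, and the IV-from-sequence-number scheme and helper names are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// Key, salt and SPI are those in Damjan's "ipsec sa add" line (known-good, so init errors are ignored).
var key, _ = hex.DecodeString("0123456789012345678901234567890101234567890123456789012345678901")
var block, _ = aes.NewCipher(key)
var gcm, _ = cipher.NewGCM(block)

const salt, spi uint32 = 0x12345678, 255129

// RFC 4106 inputs per packet: nonce = 4-byte salt (out of band) || 8-byte IV (in packet); AAD = SPI || seq (no ESN).
func espParams(salt, spi, seq uint32, iv []byte) (nonce, aad []byte) {
	nonce = make([]byte, 4, 12)
	binary.BigEndian.PutUint32(nonce, salt)
	aad = make([]byte, 8)
	binary.BigEndian.PutUint32(aad, spi)
	binary.BigEndian.PutUint32(aad[4:], seq)
	return append(nonce, iv...), aad
}

// sealESP returns IV || ciphertext || 16-byte ICV; the IV comes from seq so it never repeats under one key.
func sealESP(gcm cipher.AEAD, salt, spi, seq uint32, payload []byte) []byte {
	iv := make([]byte, 8)
	binary.BigEndian.PutUint64(iv, uint64(seq))
	nonce, aad := espParams(salt, spi, seq, iv)
	return gcm.Seal(iv, nonce, payload, aad)
}

// openESP fails whenever key, salt, SPI or seq differ from the sender's values.
func openESP(gcm cipher.AEAD, salt, spi, seq uint32, body []byte) ([]byte, error) {
	if len(body) < 8+gcm.Overhead() {
		return nil, fmt.Errorf("ESP body too short: %d bytes", len(body))
	}
	nonce, aad := espParams(salt, spi, seq, body[:8])
	return gcm.Open(nil, nonce, body[8:], aad)
}

func main() {
	body := sealESP(gcm, salt, spi, 1, []byte("constructed payload"))
	_, noSalt := openESP(gcm, 0, spi, 1, body) // receiver configured without the salt
	pt, err := openESP(gcm, salt, spi, 1, body)
	fmt.Printf("no salt: %v\nwith salt: %q %v\n", noSalt, pt, err)
}
```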
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.

View/Reply Online (#14818): https://lists.fd.io/g/vpp-dev/message/14818
Mute This Topic: https://lists.fd.io/mt/60327762/21656
Group Owner: vpp-dev+ow...@lists.fd.io
Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-