On Thu, 1 Dec 2016, Ilan Tayari wrote:
You will see ESP packets properly encapsulated. But if you use tcpdump -x (or -w, etc.) you will see plaintext payload inside them.

Replay protection and UDP encapsulation are both features of the XFRM stack and not the crypto layer. They behave with offload just like without offload. You configure them the same way too, and I believe ACQUIRE works the same way as well. Only the crypto is offloaded to the NIC, not the whole IPsec stack. Although we did talk about offloading the replay protection as well, so that RSS can work on the inner packets. This was not implemented yet.

esp4/6.c have lots of changes in these patches.

Yes. The new mechanisms are highly integrated into this logic.
Thanks for the information! I see no issues with adding support for your device, although one remaining question is how we can easily detect support for this in the kernel during runtime. Will there be a proc value either in the NIC subsystem or elsewhere that we can check for?

Paul

_______________________________________________
Swan-dev mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-dev
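The two points above, that replay protection and UDP encapsulation are configured at the XFRM level exactly as before and only the crypto moves to the NIC, and Paul's question of how to detect that support at runtime, as an added example that is not part of this thread or of libreswan. It assumes the interface that was merged upstream after this discussion (Linux 4.11 / iproute2 4.11): the `offload dev DEV dir DIR` clause of `ip xfrm state add` and the `esp-hw-offload` feature listed by `ethtool -k`. The addresses, SPI, device name and key are constructed placeholders. The script prints the SA commands rather than running them, and parses a constructed `ethtool -k` listing, so it runs without root or an offload-capable NIC.

```shell
#!/bin/sh
# Added example, not from the swan-dev thread or the libreswan sources.
# Assumptions: the `offload dev DEV dir DIR` clause of `ip xfrm state add` and
# the `esp-hw-offload` feature shown by `ethtool -k` are the interface merged
# upstream after this discussion (Linux 4.11 / iproute2 4.11). Addresses, SPI,
# device name and key are constructed placeholders.

# Build (print, do not execute) the `ip xfrm state add` command for one ESP SA.
# Arguments: SRC DST SPI DIR [OFFLOAD_DEV]
# Replay window and ESP-in-UDP encapsulation are XFRM-stack settings, so they
# are written identically with and without NIC crypto offload; the only
# difference is the trailing offload clause.
xfrm_esp_state_cmd() {
    src=$1; dst=$2; spi=$3; dir=$4; dev=$5
    # Constructed 20-byte key+salt for rfc4106(gcm(aes)); never use in production.
    key=0x000102030405060708090a0b0c0d0e0f10111213
    cmd="ip xfrm state add src $src dst $dst proto esp spi $spi mode tunnel"
    cmd="$cmd replay-window 32"                  # XFRM anti-replay window
    cmd="$cmd encap espinudp 4500 4500 0.0.0.0"  # NAT-T UDP encapsulation
    cmd="$cmd aead 'rfc4106(gcm(aes))' $key 128"
    if [ -n "$dev" ]; then
        # Ask the kernel to hand the crypto for this SA to the NIC. The driver's
        # validation callback may still refuse a particular SA, in which case
        # `ip` reports an error and the SA is not installed.
        cmd="$cmd offload dev $dev dir $dir"
    fi
    printf '%s\n' "$cmd"
}

# Read `ethtool -k DEV` output on stdin; succeed (exit 0) only if ESP crypto
# offload is reported as enabled on that device.
esp_offload_supported() {
    grep -q '^[[:space:]]*esp-hw-offload: on'
}

# Demonstration with constructed values. On a real host, run the printed
# commands as root and pipe `ethtool -k eth0` into esp_offload_supported.
xfrm_esp_state_cmd 192.0.2.1 198.51.100.1 0x1001 out
xfrm_esp_state_cmd 192.0.2.1 198.51.100.1 0x1001 out eth0
printf 'Features for eth0:\nesp-hw-offload: on\n' | esp_offload_supported \
    && echo "eth0 reports ESP crypto offload"
```

The check looks only at `esp-hw-offload`; a device that lists it as `off [fixed]` has no ESP offload at all, while `off` without `[fixed]` means the feature exists but is disabled and could be turned on with `ethtool -K`. Whether a specific SA (for example one with UDP encapsulation) is accepted for offload is decided by the driver when the state is added, so the exit status of the `ip xfrm state add` command is the final word.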
