> -----Original Message-----
> From: Antony Antony [mailto:[email protected]]
> Subject: Re: [Swan-dev] [PATCH libreswan] Add support for IPSec HW-offload
> on the NIC
...
> > iproute2 does show it, btw:
> >
> > # ip x s
> > src 192.168.7.11 dst 192.168.7.1
> > proto esp spi 0xe1fe6a81 reqid 16389 mode tunnel
> > replay-window 32 flag af-unspec
> > aead rfc4106(gcm(aes))
> 0xcb294e1c525e72b11f4e80bd0fffe854775e0a171660aefe0dd618ad074dc50fecf7d087
> 128
> > anti-replay context: seq 0x3ef28, oseq 0x0, bitmap 0xffffffff
> > crypto offload parameters: dev ens8 dir in
>
> something like the above line could be added to ipsec status output.
> I could possibly help you with this if you could test it.

This reminds me of a different thing.
With the crypto offload we easily reach 18Gbps on a single SA, and we expect to increase speed even more soon.
This means without ESN, we deplete the 2^32 sequence numbers after ~47 minutes.
I can set the SA lifetime to less than that, but it would be nicer to have the daemon set a soft limit on packet count, and then rekey just in time before the sequence numbers deplete, regardless of how fast I generate the traffic.

What do you think?

>
> -antony
_______________________________________________
Swan-dev mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-dev
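Added example, not part of the original message and not libreswan code: the depletion arithmetic from the message and a packet-count soft limit that leaves room for the rekey itself. The packet sizes and the 10-second rekey allowance are assumptions; 1500-byte packets reproduce the ~47 minute figure, while 64-byte packets at the same rate use up the sequence space in about two minutes.

```c
#include <stdint.h>
#include <stdio.h>

/* 32-bit ESP sequence space without ESN, the 2^32 figure used in the message. */
#define SEQ_SPACE (1ULL << 32)

/* Packets per second at a line rate, for a fixed packet size (assumed). */
static uint64_t packets_per_sec(uint64_t bits_per_sec, uint32_t pkt_bytes)
{
    return bits_per_sec / (8ULL * pkt_bytes);
}

/* Whole seconds until the sequence space is used up at a constant rate. */
static uint64_t seconds_to_depletion(uint64_t bits_per_sec, uint32_t pkt_bytes)
{
    uint64_t pps = packets_per_sec(bits_per_sec, pkt_bytes);
    return pps ? SEQ_SPACE / pps : UINT64_MAX;
}

/*
 * Soft limit on packet count: rekey once this many packets were sent, so
 * that worst-case traffic during the rekey (rekey_secs, assumed) still fits.
 * Returns 0 when the SA cannot even cover one rekey interval.
 */
static uint64_t soft_packet_limit(uint64_t max_pps, uint32_t rekey_secs)
{
    uint64_t margin = max_pps * (uint64_t)rekey_secs;
    return margin >= SEQ_SPACE ? 0 : SEQ_SPACE - margin;
}

int main(void)
{
    const uint64_t rate = 18000000000ULL;            /* 18 Gbps, from the message */
    const uint32_t sizes[] = { 1500, 512, 64 };      /* constructed packet sizes */

    for (size_t i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++) {
        uint64_t pps = packets_per_sec(rate, sizes[i]);
        printf("%4u B: %8llu pps, depleted in %4llu s, soft limit %llu packets\n",
               sizes[i], (unsigned long long)pps,
               (unsigned long long)seconds_to_depletion(rate, sizes[i]),
               (unsigned long long)soft_packet_limit(pps, 10));
    }
    return 0;
}
```

A limit expressed in packets triggers at the same counter value whatever the traffic rate, which a time-based SA lifetime cannot do.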
