> -----Original Message-----
> From: Antony Antony [mailto:[email protected]]
> Subject: Re: [Swan-dev] [PATCH libreswan] Add support for IPSec HW-offload on the NIC
>
> Hi Ilan,
> Here are a couple of proposed changes, untested, after a closer review.
>
> 1. rename option to "nic-offload". Libreswan is moving away from "_"
> 2. whack --nic-offload
> 3. nic-offload:yes; in "ipsec status" connection
> 4. there is one coding style change I made.
>
> On Wed, Jun 28, 2017 at 05:31:06AM +0000, Ilan Tayari wrote:
> > > I guess this could be applied. However, please hold on, let's update
> > > xfrm.h first.
> > >
> > > I plan to update linux26/xfrm.h with history from kernel commits.
> > > It should happen before this patch. Otherwise it is hard to know how up to date
> > > xfrm.h is.
> >
> > Yes, I suppose xfrm.h update should come separately and before.
> > I don't mind rebasing and re-submitting after you do that.
> > Do you have an approximation when this would happen?
>
> I pushed this change yesterday. Rebase should work.
>
> > > Another comment. It would be nice to add whack option?
> >
> > I'll take some time to understand whack better and come up with something.
> > You're talking about the command line tool, right?
>
> see the attached proposed patch. It is not tested, I don't have a card.
>
I just tested this.

1. I would squash your patch 0001 into my patch, no need to put this naming back-and-forth into git history

2. ipsec status shows nic-offload:yes

000 "myconn": 192.168.7.1<192.168.7.1>...192.168.7.11<192.168.7.11>; erouted; eroute owner: #2
000 "myconn": oriented; my_ip=unset; their_ip=unset
000 "myconn": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "myconn": our auth:secret, their auth:secret
000 "myconn": modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset, cat:unset;
000 "myconn": labeled_ipsec:no;
000 "myconn": policy_label:unset;
000 "myconn": ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "myconn": retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "myconn": sha2-truncbug:no; initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "myconn": policy: PSK+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "myconn": conn_prio: 32,32; interface: ens8; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "myconn": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:yes;
000 "myconn": our idtype: ID_IPV4_ADDR; our id=192.168.7.1; their idtype: ID_IPV4_ADDR; their id:192.168.7.11
000 "myconn": newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "myconn": IKE algorithm newest: AES_CBC_256-SHA2_256-MODP2048
000 "myconn": ESP algorithms wanted: AES_GCM_C(20)_256-NONE(0)
000 "myconn": ESP algorithms loaded: AES_GCM_C(20)_256-NONE(0)
000 "myconn": ESP algorithm newest: AES_GCM_C_256-NONE; pfsgroup=<Phase1>

3. I'll try to get whack command line switch to work next week.
Do you have an example of command to add a connection with specific phase2alg using whack?
