Hello,
I created an IPSec tunnel using an XFRM interface and would like to know if
there is a way to check if it is using NIC HW offloading.
I checked the logs, and the only mention of offloading that I see is the
following:
journalctl -u ipsec > /tmp/ipsec.log
grep -i offload /tmp/ipsec.log
Jun 05 07:50:36 super1 pluto[2741141]: Starting Pluto (Libreswan Version 4.9 IKEv2 IKEv1 XFRM XFRMI esp-hw-offload FORK PTHREAD_SETSCHEDPRIO GCC_EXCEPTIONS NSS (IPsec profile) (NSS-KDF) DNSSEC SYSTEMD_WATCHDOG LABELED_IPSEC (SELINUX) SECCOMP LIBCAP_NG LINUX_AUDIT AUTH_PAM NETWORKMANAGER CURL(non-NSS) LDAP(non-NSS)) pid:2741141
Jun 05 07:50:36 super1 pluto[2741141]: Kernel supports NIC esp-hw-offload
Here are the logs from when the tunnel is created:
Jun 06 07:51:28 gwn02.sand2.auto.bos2.lab pluto[177]: initiating all conns with alias='vpnclient.gwn02.xyz.com'
Jun 06 07:51:28 gwn02.sand2.auto.bos2.lab pluto[177]: no connection named "vpnclient.gwn02.xyz.com"
Jun 06 07:54:51 gwn02.sand2.auto.bos2.lab pluto[177]: "vpnclient.gwn02.xyz.com": added IKEv2 connection
Jun 06 07:54:51 gwn02.sand2.auto.bos2.lab pluto[177]: "vpnclient.gwn02.xyz.com" #195: initiating IKEv2 connection
Jun 06 07:54:51 gwn02.sand2.auto.bos2.lab pluto[177]: "vpnclient.gwn02.xyz.com": local IKE proposals (IKE SA initiator selecting KE):
Jun 06 07:54:51 gwn02.sand2.auto.bos2.lab pluto[177]: "vpnclient.gwn02.xyz.com": 1:IKE=AES_CBC_256-HMAC_SHA1-HMAC_SHA1_96-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
Jun 06 07:54:51 gwn02.sand2.auto.bos2.lab pluto[177]: "vpnclient.gwn02.xyz.com" #195: sent IKE_SA_INIT request
Jun 06 07:54:51 gwn02.sand2.auto.bos2.lab pluto[177]: "vpnclient.gwn02.xyz.com": local ESP/AH proposals (IKE SA initiator emitting ESP/AH proposals):
Jun 06 07:54:51 gwn02.sand2.auto.bos2.lab pluto[177]: "vpnclient.gwn02.xyz.com": 1:ESP=AES_CBC_256-HMAC_SHA1_96-NONE-DISABLED
Jun 06 07:54:51 gwn02.sand2.auto.bos2.lab pluto[177]: "vpnclient.gwn02.xyz.com" #195: sent IKE_AUTH request {cipher=AES_CBC_256 integ=HMAC_SHA1_96 prf=HMAC_SHA1 group=MODP2048}
Jun 06 07:54:51 gwn02.sand2.auto.bos2.lab pluto[177]: loading root certificate cache
Jun 06 07:54:51 gwn02.sand2.auto.bos2.lab pluto[177]: "vpnclient.gwn02.xyz.com" #195: established IKE SA; authenticated using RSA with SHA2_512 and peer certificate '@vpnserver.gwn01.xyz.com' issued by CA 'CN=xyzca.xyz.com, O=XYZ'
Jun 06 07:54:51 gwn02.sand2.auto.bos2.lab pluto[177]: "vpnclient.gwn02.xyz.com" #196: established Child SA; IPsec tunnel [0.0.0.0-255.255.255.255:0-65535 0] -> [172.16.10.0-172.16.10.255:0-65535 0] {ESP=>0x389372d2 <0xf1f6217c xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=none NATD=none DPD=active}
Here is the output of ip xfrm state:
sudo ip xfrm state
src 172.22.18.101 dst 172.22.18.102
proto esp spi 0xe0781b7a reqid 16397 mode tunnel
replay-window 32 flag af-unspec
output-mark 0x1/0xffffffff
auth-trunc hmac(sha1) 0x4e600d5ce6efed7b9bfa002ed914480e87f4369e 96
enc cbc(aes)
0xa6895360297ca6d9cc0710d52952591275c4b4b5451dea0fee83ba6a31f257bd
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
if_id 0x1
src 172.22.18.102 dst 172.22.18.101
proto esp spi 0xfc324c0b reqid 16397 mode tunnel
replay-window 32 flag af-unspec
output-mark 0x1/0xffffffff
auth-trunc hmac(sha1) 0x53ef3194493fc012d0ccb898bdd765017df2b8f3 96
enc cbc(aes)
0x89cbea5c80239e1d58ade4b7f5f58f7da406e062b889418ff7f3035f3c19994a
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
if_id 0x1
Here is the XFRM interface that Libreswan creates:
ip a show ipsec1
19: [email protected]: <NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
link/none
inet 172.16.20.102/32 scope 50 ipsec1
valid_lft forever preferred_lft forever
inet6 fe80::fcc4:1cea:af34:a581/64 scope link stable-privacy
valid_lft forever preferred_lft forever
And here is the IPSec tunnel config file:
conn vpnclient.gwn02.xyz.com
    right=172.22.18.101
    rightid="@vpnserver.gwn01.xyz.com"
    rightsubnet=172.16.10.101/24
    rightrsasigkey=%cert
    left=172.22.18.102
    leftrsasigkey=%cert
    leftid="%fromcert"
    leftcert=vpnclient.gwn02.xyz.com
    leftsourceip=172.16.20.102
    leftsubnet=0.0.0.0/0
    ipsec-interface=1
    dpddelay=5
    dpdtimeout=30
    dpdaction=restart
    rekey=yes
    auto=start
    ikelifetime=86400s
    salifetime=3600s
    phase2=esp
    fragmentation=yes
    ike=aes256-sha1
    phase2alg=aes256-sha1
Regards,
Brady
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
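An added helper, not from the post above or from Libreswan, for the check being asked about: iproute2 prints a `crypto offload parameters: dev <nic> dir <in|out>` line under an SA only when the kernel has attached an offload context for it, so its absence in the `ip xfrm state` output above means those SAs are being processed in software. The script parses that output and reports each SA's offload state; the state text it ships with is constructed, and `eth1` is a placeholder NIC name.

```shell
#!/bin/sh
# Report, per IPsec SA, whether the kernel attached a NIC crypto offload
# context. Works on `ip xfrm state` text: one block per SA starting with
# "src ... dst ...", an indented "proto esp spi 0x..." line, and (only for
# offloaded SAs) "crypto offload parameters: dev <nic> dir <in|out>".

# Constructed sample: the first SA is offloaded to eth1, the second is not.
SAMPLE_XFRM_STATE='src 172.22.18.101 dst 172.22.18.102
	proto esp spi 0xe0781b7a reqid 16397 mode tunnel
	replay-window 32 flag af-unspec
	auth-trunc hmac(sha1) 0x4e600d5c 96
	enc cbc(aes) 0xa6895360
	crypto offload parameters: dev eth1 dir in
	if_id 0x1
src 172.22.18.102 dst 172.22.18.101
	proto esp spi 0xfc324c0b reqid 16397 mode tunnel
	replay-window 32 flag af-unspec
	if_id 0x1'

# sa_offload_report: reads `ip xfrm state` text on stdin and prints one line
# per SA, "<spi> offload=<nic>/<dir>" or "<spi> offload=none".
sa_offload_report() {
    awk '
        function flush() { if (spi != "") print spi " offload=" off }
        /^src / { flush(); spi = ""; off = "none" }
        { for (i = 1; i < NF; i++) if ($i == "spi") spi = $(i + 1) }
        /crypto offload parameters:/ {
            for (i = 1; i < NF; i++) {
                if ($i == "dev") dev = $(i + 1)
                if ($i == "dir") dir = $(i + 1)
            }
            off = dev "/" dir
        }
        END { flush() }
    '
}

# count_offloaded: number of SAs on stdin that carry an offload context.
count_offloaded() {
    sa_offload_report | grep -vc 'offload=none' || true
}

# Stand-alone demo on the constructed sample. On a live host, run:
#   sudo ip xfrm state | sa_offload_report
printf '%s\n' "$SAMPLE_XFRM_STATE" | sa_offload_report
```

The NIC's own capability can be confirmed with `ethtool -k <nic> | grep esp-hw-offload`; note that the conn in the post sets no `nic-offload=` option, so Libreswan has not been asked to request offload for it.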