
documentation:examples:ipsec_performance_of_a_superserver_5018a-ftn4

Differences

This shows you the differences between two versions of the page.

documentation:examples:ipsec_performance_of_a_superserver_5018a-ftn4 [2020/09/22 11:49] – [Diagram] olivierdocumentation:examples:ipsec_performance_of_a_superserver_5018a-ftn4 [2020/09/22 11:52] – [DUT] olivier
Line 54: Line 54:
  
 Configure IP address, routes and static IPSec. Configure IP address, routes and static IPSec.
 +
 +/boot/loader.conf:
 +<code>
 +# Loading AES-NI module sooner to be sure it is loaded before IPsec keys
 +aesni_load="YES"
 +</code>
  
 /etc/rc.conf: /etc/rc.conf:
Line 59: Line 65:
 # IPv4 router # IPv4 router
 gateway_enable="YES" gateway_enable="YES"
-static_routes="generator receiver" 
-route_generator="-net 198.18.0.0/16 198.18.0.2" 
-route_receiver="-net 198.19.0.0/16 198.18.1.210" 
 ifconfig_cxl0="inet 198.18.0.208/24 -tso4 -tso6 -lro" ifconfig_cxl0="inet 198.18.0.208/24 -tso4 -tso6 -lro"
 ifconfig_cxl1="inet 198.18.1.208/24 -tso4 -tso6 -lro" ifconfig_cxl1="inet 198.18.1.208/24 -tso4 -tso6 -lro"
 +static_routes="generator receiver"
 +route_generator="-net 198.18.0.0/16 198.18.0.2"
 +route_receiver="-net 198.19.0.0/16 198.18.2.210"
 static_arp_pairs="generator receiver" static_arp_pairs="generator receiver"
-static_arp_generator="198.18.0.2 00:07:43:2f:fe:b2"+static_arp_generator="198.18.0.2 00:07:43:2f:fe:b1"
 static_arp_receiver="198.18.1.210 00:07:43:2e:e4:70" static_arp_receiver="198.18.1.210 00:07:43:2e:e4:70"
  
Line 71: Line 77:
 ipv6_gateway_enable="YES" ipv6_gateway_enable="YES"
 ipv6_activate_all_interfaces="YES" ipv6_activate_all_interfaces="YES"
-ipv6_static_routes="generator receiver" 
-ipv6_route_generator="2001:2:: -prefixlen 49 2001:2::2" 
-ipv6_route_receiver="2001:2:0:8000:: -prefixlen 49 2001:2:0:1::210" 
 ifconfig_cxl0_ipv6="inet6 2001:2::208 prefixlen 64" ifconfig_cxl0_ipv6="inet6 2001:2::208 prefixlen 64"
 ifconfig_cxl1_ipv6="inet6 2001:2:0:1::208 prefixlen 64" ifconfig_cxl1_ipv6="inet6 2001:2:0:1::208 prefixlen 64"
 +ipv6_static_routes="generator receiver"
 +ipv6_route_generator="2001:2:: -prefixlen 49 2001:2::2"
 +ipv6_route_receiver="2001:2:0:8000:: -prefixlen 49 2001:2:0:2::210"
 static_ndp_pairs="generator receiver" static_ndp_pairs="generator receiver"
-static_ndp_generator="2001:2::2 00:07:43:2f:fe:b2"+static_ndp_generator="2001:2::2 00:07:43:2f:fe:b1"
 static_ndp_receiver="2001:2:0:1::210 00:07:43:2e:e4:70" static_ndp_receiver="2001:2:0:1::210 00:07:43:2e:e4:70"
  
-# Enabling IPSec +cloned_interfaces="ipsec0" 
-kld_list="aesni"+create_args_ipsec0="reqid 100" 
 +ifconfig_ipsec0="inet 198.18.2.208/24 198.18.2.210 tunnel 198.18.1.208 198.18.1.210" 
 +ifconfig_ipsec0_ipv6="inet6 2001:2:0:2::208 prefixlen 64" 
 + 
 +# Enabling IPsec
 ipsec_enable="YES" ipsec_enable="YES"
 </code> </code>
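Review bot: The new `create_args_ipsec0="reqid 100"` line carries no comment saying what the reqid is tied to, and it is easy to change on one side only. On this page the DUT pairs `reqid 100` with `-u 100` in its `add` lines and the reference endpoint pairs `reqid 200` with `-u 200`, so the two values appear to have to match per host. I would add `# reqid must match the -u value of the SAs added with setkey on this host` above the line, and the same above `create_args_ipsec0="reqid 200"` in the reference endpoint section.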
Line 90: Line 100:
 flush; flush;
 spdflush; spdflush;
-spdadd 198.18.0.0/16 198.19.0.0/16 any -P out ipsec esp/tunnel/198.18.1.208-198.18.1.210/require; +add 198.18.1.208 198.18.1.210 esp 10000 -tunnel -u 100 -E aes-gcm-16 "12345678901234567890"; 
-spdadd 198.19.0.0/16 198.18.0.0/16 any -P in ipsec esp/tunnel/198.18.1.210-198.18.1.208/require; +add 198.18.1.210 198.18.1.208 esp 10001 -tunnel -u 100 -E aes-gcm-16 "12345678901234567890";
-add 198.18.1.208 198.18.1.210 esp 0x1000 -E aes-gcm-16 "12345678901234567890"; +
-add 198.18.1.210 198.18.1.208 esp 0x1001 -E aes-gcm-16 "12345678901234567890"; +
-spdadd 2001:2::/49 2001:2:0:8000::/49 any -P out ipsec esp/tunnel/2001:2:0:1::208-2001:2:0:1::210/require; +
-spdadd 2001:2:0:8000::/49 2001:2::/49 any -P in ipsec esp/tunnel/2001:2:0:1::210-2001:2:0:1::208/require; +
-add 2001:2:0:1::208 2001:2:0:1::210 esp 0x1002 -E aes-gcm-16 "12345678901234567890"; +
-add 2001:2:0:1::210 2001:2:0:1::208 esp 0x1003 -E aes-gcm-16 "12345678901234567890";+
 </code> </code>
  
 ==== Reference Endpoint ==== ==== Reference Endpoint ====
 +
 +/boot/loader.conf:
 +<code>
 +# Loading AES-NI module sooner to be sure it is loaded before IPsec keys
 +aesni_load="YES"
 +</code>
  
 Configure IP address, routes and static IPSec: Configure IP address, routes and static IPSec:
 <code> <code>
-# IPv4 router 
 gateway_enable="YES" gateway_enable="YES"
 ifconfig_cxl0="inet 198.18.1.210/24 -tso4 -tso6 -lro -vlanhwtso" ifconfig_cxl0="inet 198.18.1.210/24 -tso4 -tso6 -lro -vlanhwtso"
 ifconfig_cxl1="inet 198.19.0.210/24 -tso4 -tso6 -lro -vlanhwtso" ifconfig_cxl1="inet 198.19.0.210/24 -tso4 -tso6 -lro -vlanhwtso"
 static_routes="generator receiver" static_routes="generator receiver"
-route_generator="-net 198.18.0.0/16 198.18.1.208"+route_generator="-net 198.18.0.0/16 198.18.2.208"
 route_receiver="-net 198.19.0.0/16 198.19.0.2" route_receiver="-net 198.19.0.0/16 198.19.0.2"
 static_arp_pairs="generator receiver" static_arp_pairs="generator receiver"
 static_arp_generator="198.18.1.208 00:07:43:2e:e5:98" static_arp_generator="198.18.1.208 00:07:43:2e:e5:98"
-static_arp_receiver="198.19.0.2 00:07:43:2f:fe:ba"+static_arp_receiver="198.19.0.2 00:07:43:2f:fe:b9"
  
 # IPv6 router # IPv6 router
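Review bot: Both new `add` lines at the top of this hunk (SPI 10000 and 10001) load the same 20-character literal `"12345678901234567890"` as AES-GCM key material, so the two directions share one key and salt. GCM loses both confidentiality and integrity when a key/nonce pair repeats, and each sender chooses its own per-packet IV, which is why RFC 4106 requires automated key management for AES-GCM ESP. The benchmark numbers are unaffected, but the snippet is likely to be copied, so I would put `# Benchmark-only static key: use a distinct random key per SA, or IKE, anywhere else` above the `add` lines. The same pair of lines appears in the reference endpoint hunk at Line 137/149.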
Line 121: Line 130:
 ifconfig_cxl1_ipv6="inet6 2001:2:0:8000::210 prefixlen 64" ifconfig_cxl1_ipv6="inet6 2001:2:0:8000::210 prefixlen 64"
 ipv6_static_routes="generator receiver" ipv6_static_routes="generator receiver"
-ipv6_route_generator="2001:2:: -prefixlen 49 2001:1::208"+ipv6_route_generator="2001:2:: -prefixlen 49 2001:2:0:2::208"
 ipv6_route_receiver="2001:2:0:8000:: -prefixlen 49 2001:2:0:8000::2" ipv6_route_receiver="2001:2:0:8000:: -prefixlen 49 2001:2:0:8000::2"
 static_ndp_pairs="generator receiver" static_ndp_pairs="generator receiver"
 static_ndp_generator="2001:2:0:1::208 00:07:43:2e:e5:98" static_ndp_generator="2001:2:0:1::208 00:07:43:2e:e5:98"
-static_ndp_receiver="2001:2:0:8000::2 00:07:43:2f:fe:ba"+static_ndp_receiver="2001:2:0:8000::2 00:07:43:2f:fe:b9" 
 +cloned_interfaces="ipsec0" 
 +create_args_ipsec0="reqid 200" 
 +ifconfig_ipsec0="inet 198.18.2.210/24 198.18.2.208 tunnel 198.18.1.210 198.18.1.208" 
 +ifconfig_ipsec0_ipv6="inet6 2001:2:0:2::210 prefixlen 64"
  
-# Enabling IPSec +# Enabling IPsec
-kld_list="aesni"+
 ipsec_enable="YES" ipsec_enable="YES"
 </code> </code>
Line 137: Line 149:
 flush; flush;
 spdflush; spdflush;
-spdadd 198.18.0.0/16 198.19.0.0/16 any -P in ipsec esp/tunnel/198.18.1.208-198.18.1.210/require; +add 198.18.1.208 198.18.1.210 esp 10000 -tunnel -u 200 -E aes-gcm-16 "12345678901234567890"; 
-spdadd 198.19.0.0/16 198.18.0.0/16 any -P out ipsec esp/tunnel/198.18.1.210-198.18.1.208/require; +add 198.18.1.210 198.18.1.208 esp 10001 -tunnel -u 200 -E aes-gcm-16 "12345678901234567890";
-add 198.18.1.208 198.18.1.210 esp 0x1000 -E aes-gcm-16 "12345678901234567890"; +
-add 198.18.1.210 198.18.1.208 esp 0x1001 -E aes-gcm-16 "12345678901234567890"; +
-spdadd 2001:2::/49 2001:2:0:8000::/49 any -P in ipsec esp/tunnel/2001:2:0:1::208-2001:2:0:1::210/require; +
-spdadd 2001:2:0:8000::/49 2001:2::/49 any -P out ipsec esp/tunnel/2001:2:0:1::210-2001:2:0:1::208/require; +
-add 2001:2:0:1::208 2001:2:0:1::210 esp 0x1002 -E aes-gcm-16 "12345678901234567890"; +
-add 2001:2:0:1::210 2001:2:0:1::208 esp 0x1003 -E aes-gcm-16 "12345678901234567890";+
 </code> </code>
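Review bot: The `add` lines here and in the DUT hunk at Line 90/100 select the mode with `-tunnel`, whereas setkey(8) documents the option as `-m mode`. I would write `-m tunnel -u 200` here (and `-m tunnel -u 100` on the DUT) unless `-tunnel` is confirmed to parse. If the option were rejected or ignored, the SAs might not bind to ipsec0, and the bench could end up measuring something other than ESP tunnel traffic. Checking `setkey -D` after boot for `mode=tunnel` and the expected reqid on both SAs would settle it.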
  
documentation/examples/ipsec_performance_of_a_superserver_5018a-ftn4.txt · Last modified: 2020/09/22 11:56 by olivier

Except where otherwise noted, content on this wiki is licensed under the following license: BSD 2-Clause