Re: [Ocf-linux-users] May I ask you a question about openswan and OCF? Thank you
Brought to you by:
david-m
Menu
▾
▴
Re: [Ocf-linux-users] May I ask you a question about openswan and OCF? Thank you
|
From: David M. <Dav...@se...> - 2007-09-03 13:15:00
|
Would you mind changing your mailer to use "text" rather than html, Your mails are hard to read :-) It looks like the version of OCF you have received is not quite right for 2.4 compiles. See the attached patch. Cheers, Davidm Jivin liuwei lays it down ... > Yes, the option of "IPsec: OCF HW Acceleration support" has appeared. But= another problem happened, that is when complile the tree, it failed and gi= ve such information: > make -C ipsecmake[3]: Entering directory `/snapgear/linux-2.4.x/net/ipse= c'ln -fs /snapgear/openswan/linux/net/ipsec/ipsec_init.c ipsec_init.carm-li= nux-gcc -mbig-endian -D__KERNEL__ -I/snapgear/linux-2.4.x/include -Wall -W= strict-prototypes -Wno-trigraphs -O -fno-strict-aliasing -fno-common -Uarm = -fno-common -pipe -mapcs-32 -D__LINUX_ARM_ARCH__=3D5 -mcpu=3Dxscale -mtune= =3Dxscale -malignment-traps -msoft-float -Uarm -I/snapgear/openswan -I/sna= pgear/openswan/lib -I/snapgear/openswan/linux/net/ipsec -I/snapgear/openswa= n/linux/include -I/snapgear/modules/ocf -DIPCOMP_PREFIX -nostdinc -iwithpre= fix include -DKBUILD_BASENAME=3Dipsec_init -c -o ipsec_init.o ipsec_init.c= ipsec_init.c:139:1: warning: "MODULE_PARM" redefinedIn file included from i= psec_init.c:25:/snapgear/linux-2.4.x/include/linux/module.h:313:1: warning:= this is the location of the previous definitionipsec_init.c:144: error: pa= rse error before string constantipsec_init.c:144: warning: type defaults to= `int' in declaration of ! > `MODULE_PARM'ipsec_init.c:144: warning: function declaration isn't a pro= totypeipsec_init.c:144: warning: data definition has no type or storage cla= ssipsec_init.c:149: error: parse error before string constantipsec_init.c:1= 49: warning: type defaults to `int' in declaration of `MODULE_PARM'ipsec_in= it.c:149: warning: function declaration isn't a prototypeipsec_init.c:149: = warning: data definition has no type or storage classmake[3]: *** [ipsec_in= it.o] Error 1rm ipsec_init.cmake[3]: Leaving directory `/snapgear/linux-2.4= =2Ex/net/ipsec'make[2]: *** [_subdir_ipsec] Error 2make[2]: Leaving directo= ry `/snapgear/linux-2.4.x/net'make[1]: *** [_dir_net] Error 2make[1]: Leavi= ng directory `/snapgear/linux-2.4.x'make: *** [linux] Error 1 > I compared the module.h with corresponding file module.h come from Redhat= 9.0, and found that the difference is little except this module.h has defi= ned "used" while the other one has no "used". When I review the ipsec_init.= c in Redhat 9.0 and found no MODULE_PARM in it. I don't know how to do next. > =20 > BTW, when I return back to linux-2.6.x environment in snapgear, an error = happened also but is not the same as above. Some people said my Fedora 4 en= vironment has some problem, and advised me to install Fedora 6, I am doing = now. Have you any advice to me? Thank you. >=20 >=20 >=20 > > Date: Mon, 3 Sep 2007 16:06:18 +1000> From: David_Mccullough@securecomp= uting.com> To: sma...@ho...> Subject: Re: May I ask you a questi= on about openswan and OCF? Thank you> > > Ok, there are some bits missing f= rom the openswan in your source tree.> > snapgear/linux-2.4.x/net/ipsec/Mak= efile, add the following to the> first instance of EXTRA_CFLAGS:> > -I$(ROO= TDIR)/modules/ocf> > snapgear/openswan/linux/net/ipsec/Config.in.os2_4, add= the> followinf line after the CONFIG_KLIPS_DEBUG line near the end.> > boo= l ' IPsec: OCF HW Acceleration support' CONFIG_KLIPS_OCF> > The should get = you going. Do a> > make clean> make oldconfig> (answer y to KLIPS_OCF)> mak= e dep> make> > and you should be doing ok.> > Jivin liuwei lays it down ...= > > hello David I have re-built the tree and get the same result as before.= My environment is Fedora 4 and the install steps listed blow: (1) download= snapgear-3.4.0.tar.gz and arm-linux-tools-20061213.tar.gz and snapgear-mod= ules-20061012.sh! > from http://www.snapgear.org. Do tar operation to unzip the two tar.gz = files and "sh snapgear-modules-20061012.sh" to get the patch files, actuall= y I only use "snapgear-20061012.patch" and "modules-csr2.0-with-crypto-2006= 1012.patch". (2)do patch operation for snapgear, "patch -p1 < snapgear-2006= 1012.patch" (3)make dir of ixp400-2.0, "mkdir -p modules/ixp425/ixp400-2.0"= (4)unzip IXP400 zip files and do patch operation. "cd modules/ixp425/ixp40= 0-2.0", "unzip IPL_ixp400AccessLibraryWithCrypto-2_0.zip", "unzip IPL_ixp40= 0NpeLibraryWithCrypto-2_0.zip", "patch -p1 < modules-csr2.0-with-crypto-200= 61012.patch" (5)download openssl-0.9.8e.tar.gz from www.openssl.org and ope= nssl-0_9_8e.patch.gz from http://www.snapgear.org. move them to snapgear/li= !> > b directory and unzip them, do "mv openssl-0.9.8e libssl" and patch it= using "patch -p0 < openssl-0_9_8e.patch" (6)I noticed the /dev/crypto file= will not be created automatically, so I edited snapgear/vendor/Intel/IXDP4= 25/dev.txt and a! > dd a sentence like this "crw- 10,70 /dev/crypto", save and exi! > t (7)bac >=20 > k to snapgear directory and "make menuconfig" to build the tree, select l= ike this --Select the Vendor you wish to target (Intel) Vendor --Select the= Product you wish to target (IXDP425) Intel Products then (linux-2.4.x) Ker= nel Version (uClibc) Libc Version [] Default all settings [*] Customize Ker= nel Settings [*] Customize Module Settings [*] Customize Vendor/User Settin= gs [] Update.... then Networking options --> <M>IP Security Protocol (Opens= wan IPSEC) ---OpenSWAN ---IPsec options (Openswan) [*] IPsec: IP-in-IP... [= *] IPsec: Authentication... [*] IPsec: Encapsulating.... --- IPsec algorith= ms to include [*] 3DES encryption.... [*] AES .... [*] HMAC-MD5.... [*] HM!= > > AC-SHA1..... [*] IPsec Modular Extensions [*] IPsec: IP Compre!> > ssio= n [*> > > > ] IPsec Debugging Option Network testing ---> [*] IPSEC NAT-Tra= versal (here I wonder why no OCF support options?) then Cryptographic optio= ns ---> (here all set * except the last "Testing module") then OCF Configur= ation ---> <M> O! > CF (Open Cryptographic Framework) <M> enable fips RNG... <M> cryptodev (= user...) <M> cryptosoft (software...) <> safenet... <M>IXP4xx... <> hifn...= <> talitos... <> ocfnull... <> ocf-bench... then XSCALE/IXP400 Modules ---= > <M> Intel IXP400 Access Library (2.0) Intel Access Library version <> Int= el IXP425 ATM Device Support <*> Intel IXP400 Ethernet Device Support [*] N= ames network interfaces as eth, not ixp (All_NPEs) Intel IXP400 Ethernet De= vice Driver NPE support [] Intel IXP400 Ethernet Device Driver Fast Skb Rec= ycling support [] Intel IXP400 Ethernet Device Driver Fast QDisc support --= - Components [] adsl [] atmdAcc [] atmm [] atmsch [*] qmgr [*] npeMh [*] np= eDl [] codec [*] ethAcc [*] ethDB [*] ethMii [] hssAcc [*] timerCtrl [] usb= [] uartAc!> > c [*] ossl [*] osServices [*] featureCtrl [] perfProfAcc [*]= cryptoAcc [] dmaAcc --- Codelets ( here I do not set ) then Network Applic= ations ---> ... [*] openswan-apps [*] pluto [*] whack [*] ranbits [*] rsasi= gkey [*] eroute ! > [*] klipsdebug [*] spi [*] spigrp [*] tncfg ... [*] openssl ..! > . then M >=20 > iscellaneous Applications ---> ... [*] cryptotest [*] cryptokeytest ... t= hen BusyBox ---> ... [*] insmod: Support tainted module checking with new k= ernels ... then make dep, make. (8) in redboot, insmod *.o as before, and r= un "openssl speed -evp aes128 -engine cyrptodev -elapsed -multi 10" again, = get the result type 16 bytes 64 bytes 256 bytes 1024 bytes 2048 bytesaes-12= 8-cbc 4876.46k 5361.77k 5505.94k 5570.00k 7129.36k it is no change. then ru= n "cryptotest 100 4096", get the result 0.091 sec, 200 3des crypts, 4096 by= tes, 9021828 byte/sec, 68.8 Mb/sec I do not know which step I have made pro= blem, could you help me? Th!> > e result "68.8 Mb/sec" is not the IXP425 sp= eed? Thank you. !> > > > > > Liuwei > > > > > Date: Thu, 30 Aug 2007 14:12:= 33 +1000> From: Dav...@se...> To: smallbarrow@hotma= il.com> Subject: Re: May I ask you a question about openswan and OCF? Thank= you> > > Jivin liuwei lays it down ...> > hello David> > I have used snapg= ear 3.4 to build! > openswan IPsec VPN based on IXP425> > and cannot find speed changed. Fi= rstly, I did not select OCF and IXP400> > Access Library, and the speed of = the IPSec (ESP) is about 16Mbps.> > Ok, so 16Mbps is software speed.> > > S= econdly, I selected the OCF and IXP400 Access Library, and get some files> = > such as ocf.o, cryptodev.o, ixp4xx.o and cyrptosoft.o.> > I followed step= s below to run:> > insmod ixp400.o> > cat /etc/IxNpeMicrocode.dat > /dev/ix= Npe> > insmod ixp400_eth> > insmod ocf.o> > insmod cryptodev.o> > insmod ix= p4xx.o> > insmod cryptosoft.o> > insmod ipsec.o> > > You need to rebuild yo= ur tree (kernel and apps) with OCF enabled and OCF> support turned on for o= penswan.> > > Then I test the speed, it was a!> > lways 16Mpbs. I wondered = at this. Thirdly,> > I back to run openssl to test the speed and get the re= sult:> > openssl speed -evp aes128 -engine cyrptodev -elapsed -multi 10> > = type 16 bytes 64 bytes 256 bytes 1024 bytes 2048 bytes> > aes-128-cbc 5007.= 34k 5252.79k 552! > 0.95k 5569.69k 8738.30k> > These are software speeds. Check th! > e number >=20 > s at:> > http://ocf-linux.sourceforge.net/benchmarks.html> > > I have mad= e reference to the Benchmarks and gotten that the result above was> > not s= trange, it!> > is correct. That is to say, the OCF and IXP425 was correctly= running. Then> > my question is why the speed of IPSec VPN was not changed= ? Is any where I> > have made problem? BTW, I noticed that the openswan, OC= F is contained in> > snapgear. But, when I build the openswan, I cannot fin= d the option> > "IPsec OCF Acceleration Support", while this appeared in Mo= ntavista Linux.> > Please refer to> > "http://downloadmirror.intel.com/df-s= upport/11265/ENG/Readme.htm". Thank you.> > For SG Lin!> > ux you need to a= pply the "SnapGear IXP400 Access Library patch!> > [shar]"> > > > > from ht= tp://www.snapgear.org/snapgear/downloads.html> > The will get the OCF drive= rs etc and put them in the tree.> > Then you need to enable the modules for= OCF and so on in the SG build.> > Then rebuild the whole tree (ssl and ope= nswan included) ! > to get full> acceleration.> > If you have done all that, and still no lu= ck, send me these files> from you snapgear release:> > snapgear/.config> sn= apgear/config/.config> snapgear/modules/.config> snapgear/linux-2.N.x/.conf= ig> > and also the output from:> > ls snapgear/libssl modules> > Cheers,> D= avidm> > -- > David McCullough, dav...@se..., Ph:+6= 1 734352815> Secure Computing - SnapGear http://www.uCdot.org http://www.cy= berguard.com> > ___________________________________________________________= ______> > MSN =E4=B8=AD=E6=96=87=E7=BD=91=EF=BC=8C=E6=9C=80=E6=96=B0=E6=97= =B6=E5=B0=9A=E7=94=9F=E6=B4=BB=E8=B5=84=E8=AE=AF=EF=BC=8C=E7=99=BD=E9=A2=86= =E8=81=9A=E9=9B=86=E9=97=A8=E6=88=B7=E3=80=82> > http://cn.msn.com> > > -- = > David McCullough, dav...@se..., Ph:+61 734352815>= Secure Computing - SnapGear http://www.uCdot.org http://www.cyberguard.com > _________________________________________________________________ > Windows Live Custom Domain=EF=BC=8C=E6=82=A8=E7=9A=84=E5=85=8D=E8=B4=B9= =E7=94=B5=E5=AD=90=E9=82=AE=E5=B1=80=E3=80=82 > https://domains.live.com/default.aspx --=20 David McCullough, dav...@se..., Ph:+61 734352815 Secure Computing - SnapGear http://www.uCdot.org http://www.cyberguard.com |
