  1. RHEL
  2. RHEL-45178

[ixgbe] ipsec hw offload (aes_gcm128-null) not working on Intel x520

    • Bug
    • Resolution: Can't Do
    • Normal
    • rhel-9.4
    • libreswan
    • rhel-sst-security-crypto
    • ssg_security
    • Red Hat Enterprise Linux
    • x86_64

      What were you trying to do that didn't work?

      We are trying to configure the IPsec tunnel with hardware offloads on an ixgbe-capable NIC. However, we are getting the following errors in the logs of the ipsec service:

      ERROR: "IPv6_transport_aes_gcm128-null_encap-no_fd00:0:0:2::11_fd00:0:0:2::1b" #5: netlink response for Add SA esp:e9ebc515@fd00:0:0:2::1b: Invalid argument (errno 22)
      "IPv6_transport_aes_gcm128-null_encap-no_fd00:0:0:2::11_fd00:0:0:2::1b" #5: setup_half_ipsec_sa() hit fail:
      "IPv6_transport_aes_gcm128-null_encap-no_fd00:0:0:2::11_fd00:0:0:2::1b" #5: responding to CREATE_CHILD_SA message (ID 0) from [fd00:0:0:2::1b]:500 with encrypted notification TS_UNACCEPTABLE
      ERROR: "IPv4_transport_aes_gcm128-null_encap-no_172.16.2.17_172.16.2.27" #6: netlink response for Add SA esp.19e0006@172.16.2.27: Invalid argument (errno 22)
      "IPv4_transport_aes_gcm128-null_encap-no_172.16.2.17_172.16.2.27" #6: setup_half_ipsec_sa() hit fail:
      "IPv4_transport_aes_gcm128-null_encap-no_172.16.2.17_172.16.2.27" #6: responding to CREATE_CHILD_SA message (ID 0) from 172.16.2.27:500 with encrypted notification TS_UNACCEPTABLE
      

      According to the product datasheet, aes_gcm128 encryption should be offloaded to the NIC. See section 7.12.2 in https://www.abacus.cz/prilohy/_5019/5019865/82599-10-gbe-controller-datasheet.pdf

      The NIC:

       

      [root@soustruznik1 ipsec.d]# lspci | grep Intel
      01:00.0 Ethernet controller: Intel Corporation 82599ES 10-Gigabit SFI/SFP+ Network Connection (rev 01)
      01:00.1 Ethernet controller: Intel Corporation 82599ES 10-Gigabit SFI/SFP+ Network Connection (rev 01)

       

      The NIC should be capable of esp offload:

       

      [root@soustruznik1 ipsec.d]# ethtool -k ixgbe_1 | grep esp
      tx-esp-segmentation: on
      esp-hw-offload: on
      esp-tx-csum-hw-offload: on

       

      The tunnel config is symmetrical on both sides:

       

      conn IPv4_transport_aes_gcm128-null_encap-no_172.16.2.17_172.16.2.27
          type=transport
          authby=secret
          left=172.16.2.17
          right=172.16.2.27
          phase2=esp
          esp=aes_gcm128-null
          auto=start
          encapsulation=no
          nic-offload=yes

       

       

      Please provide the package NVR for which bug is seen:

      libreswan-4.12-1.el9.x86_64

      kernel-5.14.0-467.el9.x86_64

      How reproducible:

      always

      Steps to reproduce

      1.  Set up a pair of servers with ipsec offload capable ixgbe NICs. Set IP address.
      2.  Install libreswan and configure the tunnel according to the configuration above.
      3.  ip xfrm state

      Expected results:

      IPsec tunnels are up and running.

       

      [root@soustruznik1 ipsec.d]# ip x sta
      <a lot of output omitted ...>

       

      Actual results:

      IPsec tunnels are down.

      [root@soustruznik1 ipsec.d]# ip x sta
      [root@soustruznik1 ipsec.d]# 
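
      Added example (not part of the original report and not libreswan code): a Python parser that pairs each `Add SA` request the kernel rejected over netlink with the notification pluto then sent to the peer, handling both the `esp:` and `esp.` SA-id spellings seen in the log above. The function name `failed_sa_installs` and the record fields are assumptions; the sample lines are copied from the report.

```python
import re

# Sample input: the six log lines quoted in the report above.
SAMPLE_LOG = '''\
ERROR: "IPv6_transport_aes_gcm128-null_encap-no_fd00:0:0:2::11_fd00:0:0:2::1b" #5: netlink response for Add SA esp:e9ebc515@fd00:0:0:2::1b: Invalid argument (errno 22)
"IPv6_transport_aes_gcm128-null_encap-no_fd00:0:0:2::11_fd00:0:0:2::1b" #5: setup_half_ipsec_sa() hit fail:
"IPv6_transport_aes_gcm128-null_encap-no_fd00:0:0:2::11_fd00:0:0:2::1b" #5: responding to CREATE_CHILD_SA message (ID 0) from [fd00:0:0:2::1b]:500 with encrypted notification TS_UNACCEPTABLE
ERROR: "IPv4_transport_aes_gcm128-null_encap-no_172.16.2.17_172.16.2.27" #6: netlink response for Add SA esp.19e0006@172.16.2.27: Invalid argument (errno 22)
"IPv4_transport_aes_gcm128-null_encap-no_172.16.2.17_172.16.2.27" #6: setup_half_ipsec_sa() hit fail:
"IPv4_transport_aes_gcm128-null_encap-no_172.16.2.17_172.16.2.27" #6: responding to CREATE_CHILD_SA message (ID 0) from 172.16.2.27:500 with encrypted notification TS_UNACCEPTABLE
'''.splitlines()

# Kernel rejected the SA: connection name, state number, proto/SPI, peer, errno.
ADD_SA_FAIL = re.compile(
    r'ERROR: "(?P<conn>[^"]+)" #(?P<state>\d+): netlink response for Add SA '
    r'(?P<proto>\w+)[.:](?P<spi>[0-9a-f]+)@(?P<peer>\S+): '
    r'(?P<reason>.+) \(errno (?P<errno>\d+)\)')
# What the responder told the peer afterwards, on the same state.
NOTIFY = re.compile(
    r'"(?P<conn>[^"]+)" #(?P<state>\d+): responding to \w+ message .* '
    r'with encrypted notification (?P<notify>\w+)')

def failed_sa_installs(lines):
    """Return one record per SA install that the kernel rejected."""
    failures = {}
    for line in lines:
        line = line.strip()
        m = ADD_SA_FAIL.match(line)
        if m:
            rec = m.groupdict()
            rec["errno"] = int(rec["errno"])
            rec["notify_sent"] = None  # filled in if a notification follows
            failures[(rec["conn"], rec["state"])] = rec
            continue
        m = NOTIFY.match(line)
        if m and (m["conn"], m["state"]) in failures:
            failures[(m["conn"], m["state"])]["notify_sent"] = m["notify"]
    return list(failures.values())

if __name__ == "__main__":
    for f in failed_sa_installs(SAMPLE_LOG):
        print(f'#{f["state"]} {f["proto"]} spi=0x{f["spi"]} peer={f["peer"]} '
              f'errno={f["errno"]} ({f["reason"]}) -> peer told {f["notify_sent"]}')
```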

              dueno@redhat.com Daiki Ueno
              rhn-support-atomasov Adrian Tomasov
              Daiki Ueno Daiki Ueno
              Ondrej Moris Ondrej Moris