[Bug 200472] aesni module corrupt IP packets during encryption with IPSec
bugzilla-noreply at freebsd.org
Thu May 28 12:27:50 UTC 2015
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=200472
--- Comment #5 from olivier at cochard.me ---
If I unload the aesni module on the "encrypter" side, the problem disappears. Then how
can the packet be corrupted after decryption?
New test without aesni module loaded on the "encrypter side" (srv1), but still
loaded on "decrypter side" (srv2):
Encrypter:
[root at srv1]~# kldstat
Id Refs Address Size Name
1 8 0xffffffff80200000 17dc0f0 kernel
2 1 0xffffffff81c11000 2dd6 ichsmb.ko
3 1 0xffffffff81c14000 e7e smbus.ko
4 1 0xffffffff81c15000 2a16 coretemp.ko
Decrypter:
[root at srv2]~# kldstat
Id Refs Address Size Name
1 11 0xffffffff80200000 17dc0f0 kernel
2 1 0xffffffff81c11000 7fe8 aesni.ko
3 1 0xffffffff81c19000 2dd6 ichsmb.ko
4 1 0xffffffff81c1c000 e7e smbus.ko
5 1 0xffffffff81c1d000 2a16 coretemp.ko
Then, again, generating exactly 100 000 packets at a low rate of 1000
packets per second using netmap's pktgen, crossing these 2 FreeBSD IPSec gateways.
Stat on "decrypter side" (srv2):
[root at srv2]~# sysctl dev.igb.2.mac_stats.rx_frames_512_1023
dev.igb.2.mac_stats.rx_frames_512_1023: 100000
[root at srv2]~# sysctl dev.igb.3.mac_stats.tx_frames_512_1023
dev.igb.3.mac_stats.tx_frames_512_1023: 100000
=> All packets are correctly decrypted AND forwarded
No more "bad ip packet" errors on decrypter side:
[root at srv2]~# netstat -ssp ip
ip:
200064 total packets received
100064 packets for this host
100000 packets forwarded
69 packets sent from this host
Then, should I still do a new test in Transport mode?