[Bug 200472] aesni module corrupt IP packets during encryption with IPSec

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Thu May 28 12:27:50 UTC 2015


--- Comment #5 from olivier at cochard.me ---
If I unload aesni module on "encrypter" side, the problem disappear: Then how
can the packet being corrupted after decryption ?

New test without aesni module loaded on the "encrypter side" (srv1), but still
loaded on "decrypter side" (srv2):


[root at srv1]~# kldstat
Id Refs Address            Size     Name
 1    8 0xffffffff80200000 17dc0f0  kernel
 2    1 0xffffffff81c11000 2dd6     ichsmb.ko
 3    1 0xffffffff81c14000 e7e      smbus.ko
 4    1 0xffffffff81c15000 2a16     coretemp.ko


[root at srv2]~# kldstat
Id Refs Address            Size     Name
 1   11 0xffffffff80200000 17dc0f0  kernel
 2    1 0xffffffff81c11000 7fe8     aesni.ko
 3    1 0xffffffff81c19000 2dd6     ichsmb.ko
 4    1 0xffffffff81c1c000 e7e      smbus.ko
 5    1 0xffffffff81c1d000 2a16     coretemp.ko

Then, again, generating exactly 100 000 packets in a low-rate of 1000
paquet-per-second using netmap's pktgen crossing these 2 FreeBSD IPSec gateway.

Stat on "decrypter side" (srv2):
[root at srv2]~# sysctl dev.igb.2.mac_stats.rx_frames_512_1023
dev.igb.2.mac_stats.rx_frames_512_1023: 100000
[root at srv2]~# sysctl dev.igb.3.mac_stats.tx_frames_512_1023
dev.igb.3.mac_stats.tx_frames_512_1023: 100000

=> All packets are correctly decrypted AND forwarded

No more "bad ip packet" errors on decrypter side:
[root at srv2]~# netstat -ssp ip
        200064 total packets received
        100064 packets for this host
        100000 packets forwarded
        69 packets sent from this host

Then, should I still do a new test in Transport mode ?

You are receiving this mail because:
You are the assignee for the bug.

More information about the freebsd-bugs mailing list