Page MenuHomeVyOS Platform

QAT acceleration not working for IPSec AES-128 (CBC) / SHA256 tunnel
Closed, InvalidPublicBUG

Description

Despite enabling system acceleration qat in the configuration, the Quick Assist co-processor is not in use in a site to site IPSec tunnel—only the CPU is used (with AES-NI).

show system acceleration qat flows are empty. QAT device starts correctly.

Tested on Atom C3758

Details

Version
1.3
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Event Timeline

Unknown Object (User) subscribed.Feb 8 2021, 10:39 AM

@ajgnet which exactly version used in this case?

dmbaturin assigned this task to Unknown Object (User).Jul 29 2021, 3:02 PM
Unknown Object (User) added a comment.Aug 9 2021, 11:16 AM

Tested on 1.3-rc5, all works properly

set vpn ipsec esp-group ESP_DEFAULT compression 'disable'
set vpn ipsec esp-group ESP_DEFAULT lifetime '3600'
set vpn ipsec esp-group ESP_DEFAULT mode 'tunnel'
set vpn ipsec esp-group ESP_DEFAULT pfs 'dh-group19'
set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes128'
set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256'
set vpn ipsec ike-group IKEv2_DEFAULT close-action 'none'
set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'hold'
set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection interval '30'
set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection timeout '120'
set vpn ipsec ike-group IKEv2_DEFAULT ikev2-reauth 'no'
set vpn ipsec ike-group IKEv2_DEFAULT key-exchange 'ikev2'
set vpn ipsec ike-group IKEv2_DEFAULT lifetime '10800'
set vpn ipsec ike-group IKEv2_DEFAULT mobike 'disable'
set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 dh-group '19'
set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 encryption 'aes128'
set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 hash 'sha256'

Flow served QAT

vyos@R2-QAT#  run show system acceleration qat device qat_dev0 flows 
+------------------------------------------------+
| FW Statistics for Qat Device                   |
+------------------------------------------------+
| Firmware Requests [AE  0]:               60046 |
| Firmware Responses[AE  0]:               60046 |
+------------------------------------------------+
| Firmware Requests [AE  1]:              112720 |
| Firmware Responses[AE  1]:              112720 |
+------------------------------------------------+
| Firmware Requests [AE  2]:              219657 |
| Firmware Responses[AE  2]:              219657 |
+------------------------------------------------+
| Firmware Requests [AE  3]:               60046 |
| Firmware Responses[AE  3]:               60046 |
+------------------------------------------------+
| Firmware Requests [AE  4]:              112722 |
| Firmware Responses[AE  4]:              112722 |
+------------------------------------------------+
| Firmware Requests [AE  5]:              219657 |
| Firmware Responses[AE  5]:              219657 |
+------------------------------------------------+

Interrupts

vyos@R2-QAT# run show system acceleration qat interrupts 
140:      44039          0          0          0          0          0          0          0  IR-PCI-MSI 524288-edge      qat0-bundle0
141:          0      42358          0          0          0          0          0          0  IR-PCI-MSI 524289-edge      qat0-bundle1
142:          0          0          0          0          0          0          0          0  IR-PCI-MSI 524290-edge      qat0-bundle2
143:          0          0          0          0          0          0          0          0  IR-PCI-MSI 524291-edge      qat0-bundle3
144:          0          0          0          0          0          0          0          0  IR-PCI-MSI 524292-edge      qat0-bundle4
145:          0          0          0          0          0          0          0          0  IR-PCI-MSI 524293-edge      qat0-bundle5
146:          0          0          0          0          0          0          0          0  IR-PCI-MSI 524294-edge      qat0-bundle6
147:          0          0          0          0          0          0          0          0  IR-PCI-MSI 524295-edge      qat0-bundle7
148:          0          0          0          0          0          0          0          0  IR-PCI-MSI 524296-edge      qat0-bundle8
149:          0          0          0          0          0          0          0          0  IR-PCI-MSI 524297-edge      qat0-bundle9
150:          0          0          0          0          0          0          0          0  IR-PCI-MSI 524298-edge      qat0-bundle10
151:          0          0          0          0          0          0          0          0  IR-PCI-MSI 524299-edge      qat0-bundle11
152:          0          0          0          0          0          0          0          0  IR-PCI-MSI 524300-edge      qat0-bundle12
153:          0          0          0          0          0          0          0          0  IR-PCI-MSI 524301-edge      qat0-bundle13
154:          0          0          0          0          0          0          0          0  IR-PCI-MSI 524302-edge      qat0-bundle14
155:          0          0          0          0          0          0          0          0  IR-PCI-MSI 524303-edge      qat0-bundle15
156:          0          0          0          0          0          0          0          0  IR-PCI-MSI 524304-edge      qat0-ae-cluster
Unknown Object (User) closed this task as Invalid.Aug 9 2021, 11:17 AM
erkin set Issue type to Bug (incorrect behavior).Aug 29 2021, 1:31 PM
erkin removed a subscriber: Global Notifications.