Intel QAT support present but IPSec traffic don't accelerate
vyos@R2-QAT# run show system acceleration qat 01:00.0 Co-processor [0b40]: Intel Corporation Atom Processor C3000 Series QuickAssist Technology [8086:19e2] (rev 11) vyos@R2-QAT# run show system acceleration qat device qat_dev0 flows +------------------------------------------------+ | FW Statistics for Qat Device | +------------------------------------------------+ | Firmware Requests [AE 0]: 0 | | Firmware Responses[AE 0]: 0 | +------------------------------------------------+ | Firmware Requests [AE 1]: 0 | | Firmware Responses[AE 1]: 0 | +------------------------------------------------+ | Firmware Requests [AE 2]: 0 | | Firmware Responses[AE 2]: 0 | +------------------------------------------------+ | Firmware Requests [AE 3]: 0 | | Firmware Responses[AE 3]: 0 | +------------------------------------------------+ | Firmware Requests [AE 4]: 0 | | Firmware Responses[AE 4]: 0 | +------------------------------------------------+ | Firmware Requests [AE 5]: 0 | | Firmware Responses[AE 5]: 0 | +------------------------------------------------+
IPSec config example
set vpn ipsec esp-group ESP compression 'disable' set vpn ipsec esp-group ESP lifetime '1800' set vpn ipsec esp-group ESP mode 'tunnel' set vpn ipsec esp-group ESP pfs 'enable' set vpn ipsec esp-group ESP proposal 1 encryption 'aes256' set vpn ipsec esp-group ESP proposal 1 hash 'sha1' set vpn ipsec ike-group IKE ikev2-reauth 'no' set vpn ipsec ike-group IKE key-exchange 'ikev1' set vpn ipsec ike-group IKE lifetime '3600' set vpn ipsec ike-group IKE proposal 1 encryption 'aes256' set vpn ipsec ike-group IKE proposal 1 hash 'sha1' set vpn ipsec ipsec-interfaces interface 'eth1' set vpn ipsec site-to-site peer 10.217.10.107 authentication mode 'pre-shared-secret' set vpn ipsec site-to-site peer 10.217.10.107 authentication pre-shared-secret 'SomePreSharedKey' set vpn ipsec site-to-site peer 10.217.10.107 ike-group 'IKE' set vpn ipsec site-to-site peer 10.217.10.107 local-address '10.217.10.66' set vpn ipsec site-to-site peer 10.217.10.107 tunnel 0 allow-nat-networks 'disable' set vpn ipsec site-to-site peer 10.217.10.107 tunnel 0 allow-public-networks 'disable' set vpn ipsec site-to-site peer 10.217.10.107 tunnel 0 esp-group 'ESP' set vpn ipsec site-to-site peer 10.217.10.107 tunnel 0 local prefix '172.16.0.0/24' set vpn ipsec site-to-site peer 10.217.10.107 tunnel 0 remote prefix '172.16.255.0/24'
Version 1.2.5 works as expected
vyos@vyos# run show system acceleration qat device qat_dev0 flows +------------------------------------------------+ | FW Statistics for Qat Device | +------------------------------------------------+ | Firmware Requests [AE 0]: 128805 | | Firmware Responses[AE 0]: 128805 | +------------------------------------------------+ | Firmware Requests [AE 1]: 128798 | | Firmware Responses[AE 1]: 128798 | +------------------------------------------------+ | Firmware Requests [AE 2]: 128807 | | Firmware Responses[AE 2]: 128807 | +------------------------------------------------+ | Firmware Requests [AE 3]: 128804 | | Firmware Responses[AE 3]: 128804 | +------------------------------------------------+ | Firmware Requests [AE 4]: 128799 | | Firmware Responses[AE 4]: 128799 | +------------------------------------------------+ | Firmware Requests [AE 5]: 128805 | | Firmware Responses[AE 5]: 128805 | +------------------------------------------------+ | Firmware Requests [AE 6]: 128797 | | Firmware Responses[AE 6]: 128797 | +------------------------------------------------+ | Firmware Requests [AE 7]: 128803 | | Firmware Responses[AE 7]: 128803 | +------------------------------------------------+