blob: 0fe0aa9dbf171b60edc4b942388c2e43baab0015 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
|
.. _acceleration:
############
Acceleration
############
In this command tree, all hardware acceleration options will be handled.
At the moment only `Intel® QAT`_ is supported
**********
Intel® QAT
**********
.. opcmd:: show system acceleration qat
use this command to check if there is an Intel® QAT supported Processor in
your system.
.. code-block::
vyos@vyos:~$ show system acceleration qat
01:00.0 Co-processor [0b40]: Intel Corporation Atom Processor C3000 Series QuickAssist Technology [8086:19e2] (rev 11)
if there is non device the command will show ```No QAT device found```
.. cfgcmd:: set system acceleration qat
if there is a supported device, enable Intel® QAT
.. opcmd:: show system acceleration qat status
Check if the Intel® QAT device is up and ready to do the job.
.. code-block::
vyos@vyos:~$ show system acceleration qat status
Checking status of all devices.
There is 1 QAT acceleration device(s) in the system:
qat_dev0 - type: c3xxx, inst_id: 0, node_id: 0, bsf: 0000:01:00.0, #accel: 3 #engines: 6 state: up
Example
=======
Let's build a simple VPN between 2 Intel® QAT ready devices.
Side A:
.. code-block::
set interfaces vti vti1 address '192.168.1.2/24'
set vpn ipsec esp-group MyESPGroup proposal 1 encryption 'aes256'
set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha256'
set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '14'
set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes256'
set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha256'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec site-to-site peer 10.10.10.1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 10.10.10.1 authentication pre-shared-secret 'Qwerty123'
set vpn ipsec site-to-site peer 10.10.10.1 connection-type 'initiate'
set vpn ipsec site-to-site peer 10.10.10.1 default-esp-group 'MyESPGroup'
set vpn ipsec site-to-site peer 10.10.10.1 ike-group 'MyIKEGroup'
set vpn ipsec site-to-site peer 10.10.10.1 local-address '10.10.10.2'
set vpn ipsec site-to-site peer 10.10.10.1 vti bind 'vti1'
Side B:
.. code-block::
set interfaces vti vti1 address '192.168.1.1/24'
set vpn ipsec esp-group MyESPGroup proposal 1 encryption 'aes256'
set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha256'
set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '14'
set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes256'
set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha256'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec site-to-site peer 10.10.10.2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 10.10.10.2 authentication pre-shared-secret 'Qwerty123'
set vpn ipsec site-to-site peer 10.10.10.2 connection-type 'initiate'
set vpn ipsec site-to-site peer 10.10.10.2 default-esp-group 'MyESPGroup'
set vpn ipsec site-to-site peer 10.10.10.2 ike-group 'MyIKEGroup'
set vpn ipsec site-to-site peer 10.10.10.2 local-address '10.10.10.1'
set vpn ipsec site-to-site peer 10.10.10.2 vti bind 'vti1'
a bandwidth test over the VPN got these results:
.. code-block::
Connecting to host 192.168.1.2, port 5201
[ 9] local 192.168.1.1 port 51344 connected to 192.168.1.2 port 5201
[ ID] Interval Transfer Bitrate Retr Cwnd
[ 9] 0.00-1.01 sec 32.3 MBytes 268 Mbits/sec 0 196 KBytes
[ 9] 1.01-2.03 sec 32.5 MBytes 268 Mbits/sec 0 208 KBytes
[ 9] 2.03-3.03 sec 32.5 MBytes 271 Mbits/sec 0 208 KBytes
[ 9] 3.03-4.04 sec 32.5 MBytes 272 Mbits/sec 0 208 KBytes
[ 9] 4.04-5.00 sec 31.2 MBytes 272 Mbits/sec 0 208 KBytes
[ 9] 5.00-6.01 sec 32.5 MBytes 272 Mbits/sec 0 234 KBytes
[ 9] 6.01-7.04 sec 32.5 MBytes 265 Mbits/sec 0 234 KBytes
[ 9] 7.04-8.04 sec 32.5 MBytes 272 Mbits/sec 0 234 KBytes
[ 9] 8.04-9.04 sec 32.5 MBytes 273 Mbits/sec 0 336 KBytes
[ 9] 9.04-10.00 sec 31.2 MBytes 272 Mbits/sec 0 336 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate Retr
[ 9] 0.00-10.00 sec 322 MBytes 270 Mbits/sec 0 sender
[ 9] 0.00-10.00 sec 322 MBytes 270 Mbits/sec receiver
with :cfgcmd:`set system acceleration qat` on both systems the bandwidth
increases.
.. code-block::
Connecting to host 192.168.1.2, port 5201
[ 9] local 192.168.1.1 port 51340 connected to 192.168.1.2 port 5201
[ ID] Interval Transfer Bitrate Retr Cwnd
[ 9] 0.00-1.00 sec 97.3 MBytes 817 Mbits/sec 0 1000 KBytes
[ 9] 1.00-2.00 sec 92.5 MBytes 776 Mbits/sec 0 1.07 MBytes
[ 9] 2.00-3.00 sec 92.5 MBytes 776 Mbits/sec 0 820 KBytes
[ 9] 3.00-4.00 sec 92.5 MBytes 776 Mbits/sec 0 899 KBytes
[ 9] 4.00-5.00 sec 91.2 MBytes 765 Mbits/sec 0 972 KBytes
[ 9] 5.00-6.00 sec 92.5 MBytes 776 Mbits/sec 0 1.02 MBytes
[ 9] 6.00-7.00 sec 92.5 MBytes 776 Mbits/sec 0 1.08 MBytes
[ 9] 7.00-8.00 sec 92.5 MBytes 776 Mbits/sec 0 1.14 MBytes
[ 9] 8.00-9.00 sec 91.2 MBytes 765 Mbits/sec 0 915 KBytes
[ 9] 9.00-10.00 sec 92.5 MBytes 776 Mbits/sec 0 1000 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate Retr
[ 9] 0.00-10.00 sec 927 MBytes 778 Mbits/sec 0 sender
[ 9] 0.00-10.01 sec 925 MBytes 775 Mbits/sec receiver
.. _`Intel® QAT`: https://www.intel.com/content/www/us/en/architecture-and-technology/intel-quick-assist-technology-overview.html
|