Hello,
Why is Fast Path not supported with hardware accelerated IPsec?
Packets of a fast-tracked connection bypass a lot of packet processing which is needed for IPsec.
IPsec processes (de- & encapsulation) each packet as it traverses the router, something that fast-track tries to avoid.
EoIP, GRE, IPIP, L2TP, PPPoE also do (de- & encapsulation), but FastPath/FastTrack is supported.
SNAT, DNAT also do packet processing, but FastPath/FastTrack is supported.
In that case, why not support FastTrack with hardware accelerated IPsec?
I don’t know if anything changed since 2019, but on my hAP ac^2, ROS v6.49, Fast Path and IPsec with hw. offload seem to work.
> ip ipsec installed-sa print brief
Flags: H - hw-aead, A - AH, E - ESP
# SPI SRC-ADDRESS DST-ADDRESS AUTH-ALGORITHM ENC-ALGORITHM ENC-KEY-SIZE
0 HE 0xB9B496E xx.xx.xx.xx:4500 yy.yy.yy.yy:4500 sha256 aes-cbc 256
1 HE 0xCA97F92B yy.yy.yy.yy:4500 xx.xx.xx.xx:4500 sha256 aes-cbc 256
> interface bridge settings print
use-ip-firewall: no
use-ip-firewall-for-vlan: no
use-ip-firewall-for-pppoe: no
allow-fast-path: yes
bridge-fast-path-active: yes
bridge-fast-path-packets: 13523898
bridge-fast-path-bytes: 10433833975
bridge-fast-forward-packets: 0
bridge-fast-forward-bytes: 0
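
An added example, not part of the original thread: a small Python check that reads captured `installed-sa print brief` and `bridge settings print` output in the format shown above and lists any SA that lacks the `H` (hw-aead) flag from the legend. The sample text, addresses, SPIs and function names are constructed for illustration.

```python
import re

# Constructed sample output; addresses and SPIs are made up for this example.
SA_OUTPUT = """\
Flags: H - hw-aead, A - AH, E - ESP
 #    SPI        SRC-ADDRESS        DST-ADDRESS        AUTH-ALGORITHM ENC-ALGORITHM ENC-KEY-SIZE
 0 HE 0x1A2B3C4  192.0.2.1:4500     198.51.100.7:4500  sha256         aes-cbc       256
 1 HE 0xCAFE0001 198.51.100.7:4500  192.0.2.1:4500     sha256         aes-cbc       256
 2  E 0x0BADF00D 192.0.2.1          203.0.113.9        sha1           aes-cbc       128
"""
BRIDGE_OUTPUT = """\
allow-fast-path: yes
bridge-fast-path-active: yes
bridge-fast-path-packets: 1000
"""

# index, optional flag letters, SPI, src, dst, auth, enc, key size
ROW = re.compile(
    r"^\s*(\d+)\s+([A-Z]*)\s*(0x[0-9A-Fa-f]+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$"
)

def parse_installed_sa(text):
    """Return one dict per SA row; legend and header lines are skipped."""
    sas = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        idx, flags, spi, src, dst, auth, enc, bits = m.groups()
        sas.append({"index": int(idx), "hw": "H" in flags, "esp": "E" in flags,
                    "spi": spi, "src": src, "dst": dst,
                    "auth": auth, "enc": enc, "key_bits": int(bits)})
    return sas

def software_sas(sas):
    """SAs without the H flag, i.e. not marked hw-aead in the printout."""
    return [sa for sa in sas if not sa["hw"]]

def parse_settings(text):
    """Parse 'key: value' lines such as the bridge settings printout."""
    pairs = (line.partition(":") for line in text.splitlines())
    return {k.strip(): v.strip() for k, sep, v in pairs if sep}

if __name__ == "__main__":
    for sa in software_sas(parse_installed_sa(SA_OUTPUT)):
        print(f"SA {sa['index']} ({sa['spi']}, {sa['enc']}/{sa['auth']}) lacks H flag")
    bridge = parse_settings(BRIDGE_OUTPUT)
    print("bridge-fast-path-active:", bridge.get("bridge-fast-path-active"))
```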