[strongSwan] Making pcrypt stick across boots

Eric Germann ekgermann at semperen.com
Mon Oct 2 14:38:01 CEST 2017 

I started (in /etc/rc.local) with

/usr/sbin/modprobe tcrypt alg="pcrypt(rfc4106(gcm(aes)))" type=3
/usr/sbin/modprobe tcrypt alg="pcrypt(rfc4106(gcm(aes-aesni)))" type=3

That dropped me in to a reboot loop with Centos 7 on AWS.

I then moved to (in /etc/rc.modules)

modprobe tcrypt alg="pcrypt(rfc4106(gcm(aes)))" type=3
modprobe tcrypt alg="pcrypt(rfc4106(gcm(aes-aesni)))" type=3

No reboot loop, but no effect either.  I do ignore the output (saw that part of the doc on the site)

EKG


> On Oct 2, 2017, at 2:46 AM, Noel Kuntze <noel.kuntze+strongswan-users-ml at thermi.consulting> wrote:
> 
> Hi Ericm
> 
>> I’ve gone down the path of exploring parallelization of crypto in Strongswan from [1].
> 
> s/Strongswan/Linux kernel/
> 
> 
>> My question to the group is, how does one make it stick across boots?  I tried the trick of putting the modprobe in /etc/rc.local and That Was Bad (continuous reboot loop).  Backed it out and we’re ok.  Obviously there has to be a better way.  Wondering what the proper way in Centos 7 is for this module.
> 
> Well, load pcrypt, but then load tcrypt with the parameters *and do not care about the exit code*. Loading tcrypt will always error out, even if it configured everything as you wanted.
> 
> What did you do exactly?
> 
> Kind regards
> 
> Noel
> 
> On 02.10.2017 02:24, Eric Germann wrote:
>> I’ve gone down the path of exploring parallelization of crypto in Strongswan from [1].
>> 
>> It seems to be working as a) the expected output shows up in ‘cat /proc/crypto’ and b) under load in htop, it’s now showing kernel activity on all cores vs. a single core before (not sophisticated, but it definitely changed after the modprobe).
>> 
>> My question to the group is, how does one make it stick across boots?  I tried the trick of putting the modprobe in /etc/rc.local and That Was Bad (continuous reboot loop).  Backed it out and we’re ok.  Obviously there has to be a better way.  Wondering what the proper way in Centos 7 is for this module.
>> 
>> The process in [2] doesn’t seem to work for installing them.
>> 
>> Thanks for sharing any experiences.
>> 
>> EKG
>> 
>> [1] https://wiki.strongswan.org/projects/strongswan/wiki/Pcrypt
>> [2] https://www.centos.org/docs/5/html/Deployment_Guide-en-US/s1-kernel-modules-persistant.html
> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20171002/6c9ed801/attachment.html>

More information about the Users mailing list