3 # COPYRIGHT NOTICE STARTS HERE
5 # Copyright 2019 Intel Co., Ltd.
7 # Licensed under the Apache License, Version 2.0 (the "License");
8 # you may not use this file except in compliance with the License.
9 # You may obtain a copy of the License at
11 # http://www.apache.org/licenses/LICENSE-2.0
13 # Unless required by applicable law or agreed to in writing, software
14 # distributed under the License is distributed on an "AS IS" BASIS,
15 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 # See the License for the specific language governing permissions and
17 # limitations under the License.
19 # COPYRIGHT NOTICE ENDS HERE
21 # This script prepares the runtime environment
22 # for running vIPSec shell scripts on Ubuntu18.04
29 function setup_dependencies {
31 apt-get install -y curl gnupg2 pciutils make gcc libnuma-dev python git linux-headers-`uname -r` module-init-tools libssl-dev
32 echo "deb [trusted=yes] https://packagecloud.io/fdio/release/ubuntu bionic main" >> /etc/apt/sources.list.d/99fd.io.list
33 curl -L https://packagecloud.io/fdio/master/gpgkey | apt-key add -
36 function install_vpp {
38 apt-get install -y vpp vpp-plugin-core vpp-plugin-dpdk
41 function install_dpdk {
43 git clone http://dpdk.org/git/dpdk
45 export RTE_TARGET=x86_64-native-linux-gcc/ && export DESTDIR=/opt/dpdk && export RTE_SDK=/opt/dpdk && make install T=x86_64-native-linux-gcc
47 insmod x86_64-native-linux-gcc/kmod/igb_uio.ko
50 function ipsec_settings {
51 # Create vpp configuration file
52 cat > /opt/config/vpp.config << EOF
54 exec /opt/config/ipsec.conf
56 cli-listen /run/vpp/cli.sock
68 no-tx-checksum-offload
90 # Check if sriov and qat are enabled, bind the pci devices with igb_uio driver
91 if [ "$sriov_enabled" = true ]; then
92 export interfaceABus=$(lspci -D -nn | grep -m1 '8086:154c' | cut -d ' ' -f 1)
93 export interfaceBBus=$(lspci -D -nn | grep -m2 '8086:154c' | cut -d ' ' -f 1 | tail -n1)
95 export interfaceABus=$(ls -la /sys/class/net | grep 'eth1' | cut -d '/' -f 5)
96 export interfaceBBus=$(ls -la /sys/class/net | grep 'eth3' | cut -d '/' -f 5)
98 sed -i -e "s/interfaceABus/${interfaceABus}/g" -e "s/interfaceBBus/${interfaceBBus}/g" /opt/config/vpp.config
99 python /opt/dpdk/usertools/dpdk-devbind.py -b igb_uio $interfaceABus $interfaceBBus
100 export interfaceA=$(vppctl sh int | awk '$2 == "1"' | cut -d ' ' -f 1)
101 export interfaceB=$(vppctl sh int | awk '$2 == "2"' | cut -d ' ' -f 1)
103 if [ "$qat_enabled" = true ]; then
104 export qatABus=$(lspci -D -nn | grep -m1 '8086:37c9' | cut -d ' ' -f 1)
105 export qatBBus=$(lspci -D -nn | grep -m2 '8086:37c9' | cut -d ' ' -f 1 | tail -n1)
106 python /opt/dpdk/usertools/dpdk-devbind.py -b igb_uio $qatABus $qatBBus
107 sed -i "/#enable_cryptodev/a\n dev $qatABus\n dev $qatBBus\n" /opt/config/vpp.config
108 sed -i "/vdev crypto_aesni_mb0/d" /opt/config/vpp.config
111 # Create ipsec configuration file
112 cat > /opt/config/ipsec.conf << EOF
113 set interface state VirtualFunctionEthernet0/5/0 up
114 set interface state VirtualFunctionEthernet0/6/0 up
116 set interface ip address VirtualFunctionEthernet0/5/0 input_interface_ip/24
117 set interface ip address VirtualFunctionEthernet0/6/0 output_interface_ip/24
119 set int promiscuous on VirtualFunctionEthernet0/5/0
120 set int promiscuous on VirtualFunctionEthernet0/6/0
122 set ip arp VirtualFunctionEthernet0/6/0 remote_tunnel_ip fa:16:3e:a6:e4:c7
123 set ip arp VirtualFunctionEthernet0/5/0 routing_ip fa:16:3e:f1:65:dc
125 ip route add count 1 packet_dst/32 via route_interface VirtualFunctionEthernet0/6/0
128 set interface ipsec spd VirtualFunctionEthernet0/6/0 1
129 ipsec sa add 1 spi 1921681004 esp tunnel-src local_tunnel_ip tunnel-dst remote_tunnel_ip crypto-key 2b7e151628aed2a6abf7158809cf4f3d crypto-alg aes-cbc-128 integ-key 6867666568676665686766656867666568676669 integ-alg sha1-96
130 ipsec policy add spd 1 traffic_direction priority 100 action protect sa 1 local-ip-range packet_src-packet_src remote-ip-range packet_dst-packet_dst
131 ipsec policy add spd 1 traffic_direction priority 90 protocol 50 action bypass local-ip-range packet_src-255.255.255.255 remote-ip-range remote_tunnel_ip-remote_tunnel_ip
134 # Replace the actual ip and interfaces into the ipsec configuration
135 sed -i -e "s/input_interface_ip/${input_interface_ip}/g" -e "s/output_interface_ip/${output_interface_ip}/g" -e "s/routing_ip/${vsn_private_ip_0}/g" -e "s#VirtualFunctionEthernet0/5/0#${interfaceA}#g" -e "s#VirtualFunctionEthernet0/6/0#${interfaceB}#g" -e "s/local_tunnel_ip/${local_tunnel_ip}/g" -e "s/remote_tunnel_ip/${remote_tunnel_ip}/g" -e "s/route_interface/${route_interface}/g" -e "s/packet_src/${packet_src}/g" -e "s/packet_dst/${packet_dst}/g" -e "s/traffic_direction/${traffic_direction}/g" /opt/config/ipsec.conf
136 vpp -c /opt/config/vpp.config
141 echo "$demo_artifacts_version" > /opt/config/demo_artifacts_version.txt
142 echo "$dcae_collector_ip" > /opt/config/dcae_collector_ip.txt
143 echo "$dcae_collector_port" > /opt/config/dcae_collector_port.txt
144 echo "$ipsec_private_net_gw" > /opt/config/ipsec_private_net_gw_ip.txt
145 echo "$ipsec_private_net_cidr" > /opt/config/ipsec_private_net_cidr.txt
146 echo "$ipsec_private_network_name" > /opt/config/ipsec_private_network_name.txt
147 echo "$packet_src" > /opt/config/packet_source_ip.txt
148 echo "$packet_dst" > /opt/config/packet_destination_ip.txt
149 echo "$remote_tunnel_ip" > /opt/config/remote_tunnel.txt
150 echo "$route_interface" > /opt/config/route_interface.txt
151 echo "$traffic_direction" > /opt/config/traffic_direction.txt
152 echo "$vipsecB_private_ip_0" > /opt/config/vipsecB_private_ip0.txt
153 echo "$vipsecB_private_ip_2" > /opt/config/vipsecB_private_ip2.txt
154 echo "$protected_clientB_network_name" > /opt/config/protected_clientB_network_name.txt
155 echo "$protected_clientB_net_gw" > /opt/config/protected_clientB_net_gw.txt
156 echo "$protected_clientB_net_cidr" > /opt/config/protected_clientB_net_cidr.txt
158 echo 'vm.nr_hugepages = 1024' >> /etc/sysctl.conf