This IPsec Full Offload for RDMA Traffic option provides a significant performance improvement compared to the software IPsec counterpart, and enables the use of IPsec over RoCE packets, which are outside the network stack and cannot be used without full hardware offload. As a result, users can leverage the benefits of the IPsec protocol with RoCE V2, even when using SR-IOV VFs.

The configuration steps for this feature are identical to the steps mentioned above, but if this feature is supported, the traffic sent can also be RoCEv2 IPsec traffic.

To configure this feature:

1. Enable IPsec over VF. For more information, please see IPsec Functionality.
2. Configure IPsec policies and states on the relevant VF net device. This should be identical to the software configuration of IPsec rules, which can be done using one of the following implementation options:

   Command      Offload Request Parameter
   iproute2     ip xfrm ... offload packet
   libreswan    nic-offload=packet
   strongswan

3. Configure an SR-IOV VF normally, and add its OVS/TC rules.

Note: For this feature to work, DMFS steering mode must be enabled.

The following is a full minimalistic configuration example using iproute2, where $PF0 is the PF netdevice, $VF0_REP is the VF representor, and $NIC is the VF netdevice to configure IPsec over:

1. echo 1 > /sys/class/net/$PF0/device/sriov_numvfs
2. echo 0000:08:00.2 > /sys/bus/pci/drivers/mlx5_core/unbind
3. devlink dev eswitch set pci/0000:08:00.0 mode switchdev
4. devlink dev param set pci/0000:08:00.0 name flow_steering_mode value dmfs cmode runtime
5. devlink port function set pci/0000:08:00.0/1 ipsec_packet enable
6. echo 0000:08:00.2 > /sys/bus/pci/drivers/mlx5_core/bind
7. tc qdisc add dev $PF0 ingress
   tc qdisc add dev $VF0_REP ingress
   tc filter add dev $PF0 parent ffff: protocol 802.1q chain 0 flower vlan_id 10 vlan_ethtype 802.1q cvlan_id 5 action vlan pop action vlan pop action mirred egress redirect dev $VF0_REP
   tc filter add dev $VF0_REP parent ffff: protocol all chain 0 flower action vlan push protocol 802.1q id 5 action vlan push protocol 802.1q id 10 action mirred egress redirect dev $PF0
8. ifconfig $PF0 $PF_IP/24 up
   ifconfig $NIC $LOC_IP/$SUB_NET up
   ip link set dev $VF0_REP up
9. ip xfrm state flush
   ip xfrm policy flush
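Steps 3 and 4 above (switchdev e-switch mode and DMFS flow steering, which the note above requires) are the two device settings most often missed when the offload silently stays in software. The following pre-flight check is an added example, not part of the NVIDIA page; it parses the text that devlink prints for those two settings, so the parsing functions can be exercised on constructed sample output without a ConnectX device. The output shapes it assumes (one "mode switchdev ..." line from `devlink dev eswitch show`, and a "cmode runtime value dmfs" line from `devlink dev param show`) follow upstream devlink formatting and should be confirmed on your kernel.

```shell
#!/bin/sh
# Added example, not part of the NVIDIA page: a pre-flight check for the two
# device settings steps 3 and 4 above rely on (e-switch in switchdev mode and
# flow_steering_mode = dmfs). The checks read the text printed by
# `devlink dev eswitch show` and `devlink dev param show`, so they can be
# exercised on constructed output without hardware.
# Assumed output shapes (upstream devlink formatting; confirm on your kernel):
#   pci/0000:08:00.0: mode switchdev inline-mode none encap-mode basic
#   pci/0000:08:00.0:
#     name flow_steering_mode type driver-specific
#       values:
#         cmode runtime value dmfs

# eswitch_is_switchdev: returns 0 if the eswitch-show text on stdin reports
# switchdev mode ("mode legacy" does not match).
eswitch_is_switchdev() {
    grep -q 'mode switchdev'
}

# steering_is_dmfs: returns 0 if the param-show text on stdin reports the
# runtime value dmfs (smfs/hmfs do not match).
steering_is_dmfs() {
    grep -q 'cmode runtime value dmfs'
}

# preflight DEV: run both checks against a live device (e.g. pci/0000:08:00.0).
# Prints which step to revisit and returns 1 if anything is missing.
preflight() {
    dev=$1; rc=0
    if ! devlink dev eswitch show "$dev" 2>/dev/null | eswitch_is_switchdev; then
        echo "$dev: e-switch is not in switchdev mode (rerun step 3)"; rc=1
    fi
    if ! devlink dev param show "$dev" name flow_steering_mode 2>/dev/null | steering_is_dmfs; then
        echo "$dev: flow_steering_mode is not dmfs (rerun step 4; required for IPsec packet offload)"; rc=1
    fi
    return $rc
}

# Usage on a real host (constructed PCI address, same as the example above):
#   preflight pci/0000:08:00.0 && echo "device ready for step 5"
```

Run `preflight` before step 5 (the `ipsec_packet enable` call): if either check fails, the VF can still come up and pass traffic, but the IPsec states added later will not be offloaded as intended.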

Configure IPsec states and policies:

# states
ip -4 xfrm state add src $LOC_IP/$SUB_NET dst $REMOTE_IP/$SUB_NET proto esp spi 1000 reqid 10000 aead 'rfc4106(gcm(aes))' 0x010203047aeaca3f87d060a12f4a4487d5a5c335 128 mode transport sel src $LOC_IP dst $REMOTE_IP offload packet dev $NIC dir out
ip -4 xfrm state add src $REMOTE_IP/$SUB_NET dst $LOC_IP/$SUB_NET proto esp spi 1001 reqid 10001 aead 'rfc4106(gcm(aes))' 0x010203047aeaca3f87d060a12f4a4487d5a5c335 128 mode transport sel src $REMOTE_IP dst $LOC_IP offload packet dev $NIC dir in

# policies
ip -4 xfrm policy add src $LOC_IP dst $REMOTE_IP offload packet dev $NIC dir out tmpl src $LOC_IP/$SUB_NET dst $REMOTE_IP/$SUB_NET proto esp reqid 10000 mode transport
ip -4 xfrm policy add src $REMOTE_IP dst $LOC_IP offload packet dev $NIC dir in tmpl src $REMOTE_IP/$SUB_NET dst $LOC_IP/$SUB_NET proto esp reqid 10001 mode transport
ip -4 xfrm policy add src $REMOTE_IP dst $LOC_IP dir fwd tmpl src $REMOTE_IP/$SUB_NET dst $LOC_IP/$SUB_NET proto esp reqid 10001 mode transport

Note that the configuration above is for one side only; IPsec must be configured on both sides for them to communicate properly. The configuration for the other side should be almost identical, but Step 9 is configured asymmetrically, meaning the first state entry would look like the following, and all other states/policies would be adjusted accordingly:

ip -4 xfrm state add src $LOC_IP/$SUB_NET dst $REMOTE_IP/$SUB_NET proto esp spi 1001 reqid 10001 aead 'rfc4106(gcm(aes))' 0x010203047aeaca3f87d060a12f4a4487d5a5c335 128 mode transport sel src $LOC_IP dst $REMOTE_IP offload packet dev $NIC dir out
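The "adjusted accordingly" part is where hand-edited pairs usually go wrong: each peer's outbound SPI/reqid must be the other peer's inbound SPI/reqid, and both state entries on both hosts must carry the same key. The script below is an added example, not part of the NVIDIA page, that generates the complete ip xfrm state and policy set for both peers from one set of variables, so the mirror image is produced mechanically and checked before anything is applied. It keeps the page's SPI/reqid numbering, transport mode and AES-128-GCM (rfc4106) settings; the side names "a" and "b", the IP addresses, and the random key generation are this example's own choices (the page's hard-coded key is a documentation placeholder; a real SA needs a fresh random key per pair, normally supplied by an IKE daemon such as libreswan or strongswan). Nothing here touches the kernel; the commands are printed for review.

```shell
#!/bin/sh
# Added example, not part of the NVIDIA page. Generates the ip xfrm state and
# policy commands for BOTH peers of the transport-mode AES-128-GCM packet-offload
# pair shown above. Peer "a" sends on spi 1000 / reqid 10000 and receives on
# spi 1001 / reqid 10001; peer "b" is the exact mirror image. IPs, NIC names and
# side labels are constructed; nothing is executed, only printed.

# gen_key: 20 random bytes as 0x-hex = 16-byte AES-128 key followed by the
# 4-byte salt that rfc4106(gcm(aes)) expects appended to the key.
gen_key() {
    printf '0x%s' "$(od -An -N20 -tx1 /dev/urandom | tr -d ' \n')"
}

# key_ok KEY: returns 0 if KEY is 0x-prefixed hex of 20 bytes (AES-128-GCM)
# or 36 bytes (AES-256-GCM); any other length is rejected by the kernel anyway.
key_ok() {
    case "$1" in 0x*) ;; *) return 1 ;; esac
    hex=${1#0x}
    case "$hex" in *[!0-9a-fA-F]*) return 1 ;; esac
    [ ${#hex} -eq 40 ] || [ ${#hex} -eq 72 ]
}

# gen_side SIDE LOC_IP REMOTE_IP SUB_NET NIC KEY
# Prints the two states (out/in) and three policies (out/in/fwd) for one peer.
gen_side() {
    side=$1; loc=$2; rem=$3; sub=$4; nic=$5; key=$6
    key_ok "$key" || { echo "gen_side: bad key length or format" >&2; return 1; }
    if [ "$side" = "a" ]; then
        out_spi=1000; out_reqid=10000; in_spi=1001; in_reqid=10001
    else
        out_spi=1001; out_reqid=10001; in_spi=1000; in_reqid=10000
    fi
    aead="aead 'rfc4106(gcm(aes))' $key 128 mode transport"
    cat <<EOF
ip -4 xfrm state add src $loc/$sub dst $rem/$sub proto esp spi $out_spi reqid $out_reqid $aead sel src $loc dst $rem offload packet dev $nic dir out
ip -4 xfrm state add src $rem/$sub dst $loc/$sub proto esp spi $in_spi reqid $in_reqid $aead sel src $rem dst $loc offload packet dev $nic dir in
ip -4 xfrm policy add src $loc dst $rem offload packet dev $nic dir out tmpl src $loc/$sub dst $rem/$sub proto esp reqid $out_reqid mode transport
ip -4 xfrm policy add src $rem dst $loc offload packet dev $nic dir in tmpl src $rem/$sub dst $loc/$sub proto esp reqid $in_reqid mode transport
ip -4 xfrm policy add src $rem dst $loc dir fwd tmpl src $rem/$sub dst $loc/$sub proto esp reqid $in_reqid mode transport
EOF
}

# pair_consistent A_OUTPUT B_OUTPUT: returns 0 if a's outbound SPI equals b's
# inbound SPI and b's outbound SPI equals a's inbound SPI.
pair_consistent() {
    a_out=$(printf '%s\n' "$1" | sed -n 's/.* spi \([0-9]*\) .*dir out$/\1/p')
    a_in=$(printf '%s\n' "$1" | sed -n 's/.* spi \([0-9]*\) .*dir in$/\1/p')
    b_out=$(printf '%s\n' "$2" | sed -n 's/.* spi \([0-9]*\) .*dir out$/\1/p')
    b_in=$(printf '%s\n' "$2" | sed -n 's/.* spi \([0-9]*\) .*dir in$/\1/p')
    [ -n "$a_out" ] && [ "$a_out" = "$b_in" ] && [ "$b_out" = "$a_in" ]
}

# Demo with constructed addresses: the same key and one variable set yield
# both peers' command lists, plus the mirror-image check.
KEY=$(gen_key)
SIDE_A=$(gen_side a 10.0.0.1 10.0.0.2 24 "$NIC_A" "$KEY")
SIDE_B=$(gen_side b 10.0.0.2 10.0.0.1 24 "$NIC_B" "$KEY")
printf '# host A\n%s\n# host B\n%s\n' "$SIDE_A" "$SIDE_B"
pair_consistent "$SIDE_A" "$SIDE_B" && echo "# SPI pairing consistent"
```

Run it with NIC_A and NIC_B set to each host's VF netdevice, review the output, then apply host A's block on host A and host B's block on host B after the flush in step 9. Because `gen_side` refuses keys of the wrong length, a truncated or mistyped key is caught before `ip xfrm state add` fails with a less obvious error.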

Once this step is completed, you can send any RoCE traffic of your choice between the two machines with IPsec configured. For example, run ibv_rc_pingpong -g 3 -d VF_device on one side, and ibv_rc_pingpong -g 3 -d VF_device $IP_OF_OTHER_SIDE on the other side.

Finally, you can verify that the traffic was encrypted using IPsec by using the ipsec counters: