image image image image image

On This Page

This feature is supported on ConnectX-6 Dx adapter cards (with crypto unit) only.

Overview and Configuration

IPsec crypto offload feature, also known as IPsec inline offload or IPsec aware offload feature enables the user to offload IPsec crypto encryption and decryption operations to the hardware.

Note that the hardware implementation only supports AES-GCM encryption scheme.

 To enable the feature, support in both kernel and adapter firmware is required.

  • For support in the kernel, make sure the following flags are set as follows. 

    CONFIG_XFRM_OFFLOAD=y
    CONFIG_INET_ESP_OFFLOAD=m
    CONFIG_INET6_ESP_OFFLOAD=m

    Note: These flags are enabled by default in RedHat 8 and Ubuntu 18.04.

  • For support in the firmware, make sure the below string is found in the dmesg. 

    mlx5e: IPSec ESP acceleration enabled

Configuring Security Associations for IPsec Offloads

To program the inline offload security associations (SA), add the option "offload dev <netdev interface> dir out/in" in the "ip xfrm state" command for transmitting and receiving SA.

Transmit inline offload SA xfrm command example: 

sudo ip xfrm state add src 192.168.1.64/24 dst 192.168.1.65/24 proto esp spi 0x46dc6204 reqid 0x46dc6204 mode transport aead 'rfc4106(gcm(aes))' 0x60bd6c3eafba371a46411830fd56c53af93883261ed1fb26767820ff493f43ba35b0dcca 128 offload dev p4p1 dir out sel src 192.168.1.64 dst 192.168.1.65

 Receive inline offload SA xfrm command example: 

sudo ip xfrm state add src 192.168.1.65/24 dst 192.168.1.64/24 proto esp spi 0xaea0846c reqid 0xaea0846c mode transport aead 'rfc4106(gcm(aes))' 0x81d5c3167c912c1dd50dab0cb4b6d815b6ace8844304db362215a258cd19deda8f89deda 128 offload dev p4p1 dir in sel src 192.168.1.65 dst 192.168.1.64