This feature is supported on ConnectX-6 Dx adapter cards (with crypto unit) only.
Overview and Configuration
IPsec crypto offload feature, also known as IPsec inline offload or IPsec aware offload feature enables the user to offload IPsec crypto encryption and decryption operations to the hardware.
Note that the hardware implementation only supports AES-GCM encryption scheme.
To enable the feature, support in both kernel and adapter firmware is required.
For support in the kernel, make sure the following flags are set as follows.
Note: These flags are enabled by default in RedHat 8 and Ubuntu 18.04.
For support in the firmware, make sure the below string is found in the dmesg.
Configuring Security Associations for IPsec Offloads
To program the inline offload security associations (SA), add the option "offload dev <netdev interface> dir out/in" in the "ip xfrm state" command for transmitting and receiving SA.
Transmit inline offload SA xfrm command example:
Receive inline offload SA xfrm command example: