IPsec Crypto Offload
This feature is supported on ConnectX-6 Dx adapter cards (with crypto unit) only.
IPsec crypto offload feature, also known as IPsec inline offload or IPsec aware offload feature enables the user to offload IPsec crypto encryption and decryption operations to the hardware.
Note that the hardware implementation only supports AES-GCM encryption scheme.
To enable the feature, support in both kernel and adapter firmware is required.
For support in the kernel, make sure the following flags are set as follows.
CONFIG_XFRM_OFFLOAD=y CONFIG_INET_ESP_OFFLOAD=m CONFIG_INET6_ESP_OFFLOAD=m
Note: These flags are enabled by default in RedHat 8 and Ubuntu 18.04.
For support in the firmware, make sure the below string is found in the dmesg.
mlx5e: IPSec ESP acceleration enabled
To program the inline offload security associations (SA), add the option "offload dev <netdev interface> dir out/in" in the "ip xfrm state" command for transmitting and receiving SA.
Transmit inline offload SA xfrm command example:
sudo ip xfrm state add src 192.168
.1.64
/24
dst 192.168
.1.65
/24
proto esp spi 0x46dc6204
reqid 0x46dc6204
mode transport aead 'rfc4106(gcm(aes))'
0x60bd6c3eafba371a46411830fd56c53af93883261ed1fb26767820ff493f43ba35b0dcca
128
offload dev p4p1 dir out sel src 192.168
.1.64
dst 192.168
.1.65
Receive inline offload SA xfrm command example:
sudo ip xfrm state add src 192.168
.1.65
/24
dst 192.168
.1.64
/24
proto esp spi 0xaea0846c
reqid 0xaea0846c
mode transport aead 'rfc4106(gcm(aes))'
0x81d5c3167c912c1dd50dab0cb4b6d815b6ace8844304db362215a258cd19deda8f89deda
128
offload dev p4p1 dir in sel src 192.168
.1.65
dst 192.168
.1.64