How to enable IPsec crypto offload on CX6?

hi
I meet the issue that I have tried many method, but failed to enable ipsec crypto offload.

  1. the device info I used:
    CX6231016AN-CDAT_06
  2. the ipsec offload info shown from the network card:
  1. ethtool -k ens61f0np0 | grep esp
    tx-esp-segmentation: off [fixed]
    esp-hw-offload: off[fixed]
    esp-tx-csum-hw-offload: off [fixed]
  2. dmesg | grep -i ipsec
    no “IPsec ESP acceleration enabled” log
  1. which I have tried
  1. enable esp-hw-offload by ethtool
    ethtool -K ens61f0np0 esp-hw-offload on
    Actual changes:
    esp-hw-offload: off [requested on]
    could not change any device feature
  2. using xfrm tool to enable esp offload
    as the NVIDIA MLNX OFED document said: ip xfrm state add src 192.168.1.64/24 dst 192.168.1.65/24 proto esp spi 0x46dc6204 reqid 0x46dc6204 mode transport aead ‘rfc4106(gcm(aes))’ 0x60bd6c3eafba371a46411830fd56c53af93883261ed1fb26767820ff493f43ba35b0dcca 128

offload dev ens61f0np0 dir out sel src 192.168.1.64 dst 192.168.1.65

both in and out dir were configured, the result captured from ens61f0np0 by wireshark shown that, the TX has been encrypted while the RX was decrypted, which is not meet the expected result: both TX and RX are cleartext.

my questions:

  1. is this network card model support ipsec crypto offload? if not, which one?
  2. if yes, how to enable ipsec crypto correctly? why using xfrm tool lead to such phenomenon?

Thank you

Hi,

Thanks for your question.
If you are using MCX623106AN-CDAT adapter, it has no crypto enabled
For more information about supported adapters and configuration examples please take a look at OFED user manual.
https://docs.nvidia.com/networking/display/mlnxofedv23101190lts/ipsec+full+offload

Best Regards,
Anatoly

Thank you Anatoly