IPSec Offload in ConnectX-6 NIC


I am currently using nodes from the CloudLab portal. I installed the MLNX_OFED Version as follows MLNX_OFED_LINUX-5.8-
When I try to check the NICS that are there using the following command lspci | grep Mellanox
I can see this as an output :
0000:51:00.0 Ethernet controller: Mellanox Technologies MT2892 Family [ConnectX-6 Dx]
0000:51:00.1 Ethernet controller: Mellanox Technologies MT2892 Family [ConnectX-6 Dx]
0000:8a:00.0 Ethernet controller: Mellanox Technologies MT2894 Family [ConnectX-6 Lx]
0000:8a:00.1 Ethernet controller: Mellanox Technologies MT2894 Family [ConnectX-6 Lx]

I found from the Nvidia website that in order to enable IPSec Crypto offload we can have either ConnectX-6 Dx or ConnectX-6 Lx .
In order to check if my firmware is updated and latest with that mentioned in the NVIDIA website - Firmware for ConnectX®-6 Lx | NVIDIA

I tried the following commands and here is the output. This verifies that my PSID is DEL0000000031. But The Nvidia website does not have an option for DEL0000000031 as PSID. They have only listed the MT versions, eg : MT_0000000532 .

$ ethtool -i ens1f0np0
driver: mlx5_core
version: 5.8-3.0.7
firmware-version: 26.32.2004 (DEL0000000031)
bus-info: 0000:8a:00.0
supports-statistics: yes
supports-test: yes
supports-eeprom-access: no
supports-register-dump: no
supports-priv-flags: yes

subitsha@node0:~$ sudo mstflint -d 0000:8a:00.0 query
Image type: FS4
FW Version: 26.32.2004
FW Release Date: 13.1.2022
Product Version: 26.32.2004
Rom Info: type=UEFI version=14.25.18 cpu=AMD64,AARCH64
type=PXE version=3.6.502 cpu=AMD64
Description: UID GuidsNumber
Base GUID: b83fd2030077fe32 4
Base MAC: b83fd277fe32 4
Image VSD: N/A
Device VSD: N/A
PSID: DEL0000000031
Security Attributes: secure-fw

By using the ifconfig command, I found out that my interface that is currently being used is the ens1f0np0 as it is denoted by <UP,BROADCAST,RUNNING,MULTICAST> . I have attached the screenshot below.

Here is to show that esp-hw-offload and esp-tx-csum-hw-offload are marked as `off [fixed].

subitsha@node0:~$ sudo ethtool -k ens1f0np0 | grep offload
tcp-segmentation-offload: on
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off
rx-vlan-offload: on
tx-vlan-offload: on
l2-fwd-offload: off [fixed]
hw-tc-offload: off
esp-hw-offload: off [fixed]
esp-tx-csum-hw-offload: off [fixed]
rx-udp_tunnel-port-offload: on
tls-hw-tx-offload: off [fixed]
tls-hw-rx-offload: off [fixed]
macsec-hw-offload: off [fixed]
hsr-tag-ins-offload: off [fixed]
hsr-tag-rm-offload: off [fixed]
hsr-fwd-offload: off [fixed]
hsr-dup-offload: off [fixed]

Kindly help me setup IPsec cryto offload on my ConnectX-6 NIC.

Hello subitshatlk2001,

Thank you for posting your inquiry to the NVIDIA Developer forums.

The PSID you have provided is a Dell OEM adapter.
Support for this adapter is out of our scope. We can only support NVIDIA/Mellanox adapters - OEM equipment is customized, and support needs to come from the OEM (Dell, in this case).

Please do reach out to Dell for further assistance.
If they require our input to debug this issue, they have the ability to engage us directly.

Thanks, and best regards,
NVIDIA Enterprise Support

Hi I have a new query now. After a careful reconfiguration, I can see that my hca Id : mlx5_1 is also active. This corresponds to this device : 0000:51:00.1 Ethernet controller: Mellanox Technologies MT2892 Family [ConnectX-6 Dx] . I want to do an IPSec crypto offload on the NIC. I read from the Nvidia website that ConnectX-6 Dx and Lx versions do support this feature. However, when I tried to do it , I can see that the TLS-offload, esp-hw offload are all turned OFF and FIXED. I have attached a screenshot for it. The PSID of my NIC is MT_0000000437 . This is not Dell now. However, I see these features are still off.

I used ip route to find out the interface that I am using. and turns out to be ens1f0np0 . Kindly help me in configuring ipsec offload in my NIC.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.