Missing "full_offload" parameter for full IPSec offload on ConnectX-6 DX


I’m trying to get full IPSec offloading to work on a ConnectX-6 DX card on Ubuntu 20.04.02.

According to https://community.mellanox.com/s/article/ConnectX-6DX-Bluefield-2-IPsec-HW-Full-Offload-Configuration-Guide I should use the “full_offload” parameter to “ip xfrm” when setting this up. However, doing this fails with “Error: argument “full_offload” is wrong: unknown”. According to the documentations there is no such parameter (just “offload”).

The same goes for the example swanctl config on the same article, “hw_offload=full” does not exist according to the documentation, only “yes, auto, no” are valid options.

This leads me to the conclusion that the article expects me to use some specific software version / Kernel version.

Please hint me to where I can find this software.


Hi Nils,

Please follow the below updated article for full IPsec offload configuration. The instructions are for the Bluefiled card, but they should be similar for ConnectX-6 Dx.




Hi Chen,

Thanks a lot for your answer!

The article you referenced shows quite nicely how to get a Mellanox version of strongswan up and running, that’s very helpful.

However, it does not talk about the prerequisites for getting the full offload running: The kernel needs to support it, then configuration via ip xrm should also be possible.

Please let me know how I can get kernel support for the full offloading on a standard Ubuntu 20.04 installation.

Thanks again!