NVIDIA DOCA East-West Overlay Encryption Reference Application

Hi all!

Originally following:


I have two /dev/mst/mt41686_pciconf0 cards connected back to back.

Outputs after commands in documentation run look like this on the DPUs:

root@localhost:~# /opt/mellanox/iproute2/sbin/devlink dev show

root@localhost:~# cat /sys/class/net/p0/compat/devlink/ipsec_mode
root@localhost:~# cat /sys/bus/pci/devices/0000\:03\:00.0/net/p0/compat/devlink/steering_mode
root@localhost:~# devlink dev eswitch show pci/0000:03:00.0
pci/0000:03:00.0: mode switchdev inline-mode none encap enable
root@localhost:~# cat /sys/class/net/p1/compat/devlink/ipsec_mode
root@localhost:~# cat /sys/bus/pci/devices/0000\:03\:00.1/net/p1/compat/devlink/steering_mode
root@localhost:~# devlink dev eswitch show pci/0000:03:00.1
pci/0000:03:00.1: mode switchdev inline-mode none encap enable
(For reference, this was also run:)
root@localhost:~# ethtool -K p0 hw-tc-offload on

I am unsure if the commands under “Configuring IPsec Rules with iproute2” on
are relevant as they do not appear on

Currently there is no IPSec tunnel set up.

For the time being I am using the default OVS config:

root@localhost:/etc/swanctl/conf.d# sudo ovs-vsctl show
    Bridge ovsbr2
        Port en3f1pf1sf0
            Interface en3f1pf1sf0
        Port pf1hpf
            Interface pf1hpf
        Port p1
            Interface p1
        Port ovsbr2
            Interface ovsbr2
                type: internal
    Bridge ovsbr1
        Port ovsbr1
            Interface ovsbr1
                type: internal
        Port p0
            Interface p0
        Port pf0hpf
            Interface pf0hpf
        Port en3f0pf0sf0
            Interface en3f0pf0sf0
    ovs_version: "2.14.1"

I can currently ping between p1p1 on both hosts and see an output when running `ovs-appctl dpctl/dump-flows type=offloaded` on the DPUs.

Which looks a bit like this (Modified MAC addresses before posting):

root@localhost:/etc/swanctl/conf.d# sudo ovs-appctl dpctl/dump-flows type=offloaded
recirc_id(0),in_port(4),eth(src=0c:42:a1:e7:1d:d1,dst=0c:42:a1:e7:1e:b0),eth_type(0x0800),ipv4(frag=no), packets:2, bytes:196, used:0.410s, actions:1
recirc_id(0),in_port(1),eth(src=0c:42:a1:e7:1e:b0,dst=0c:42:a1:e7:1d:d1),eth_type(0x0800),ipv4(frag=no), packets:2, bytes:204, used:0.410s, actions:4

I am unsure if the config under Setting IPSec Full Offload Using strongSwan should be on the Host or on the DPU
from: /display/BlueFieldSWv35011563/IPsec+Functionality

Additionally further down the document it mentions

You may now send encrypted data over the HOST VF interface (192.168.70.[1|2]) configured for VXLAN.

But it is not mentioned anywhere else in the documents.

After speaking with the support team they confirmed:

“Configuring IPsec Rules with iproute2” is not required if using strongSwan

“Setting IPSec Full Offload Using strongSwan” should be done on the DPU

“192.168.70.[1|2]” is a typo
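
As an added example (not part of the original post or of NVIDIA's documentation), this Python sketch parses `ovs-appctl dpctl/dump-flows type=offloaded` output like that quoted above and labels each offloaded flow as plain forwarding, tunnel encap or tunnel decap, to check whether an overlay is in the offloaded path at all. The function names and the `set(tunnel(...))` sample line are constructed for illustration; the labels say nothing about whether IPsec is applied to the traffic.

```python
import re

# The two offloaded flows quoted in the post (MAC addresses as posted).
POST_FLOWS = """\
recirc_id(0),in_port(4),eth(src=0c:42:a1:e7:1d:d1,dst=0c:42:a1:e7:1e:b0),eth_type(0x0800),ipv4(frag=no), packets:2, bytes:196, used:0.410s, actions:1
recirc_id(0),in_port(1),eth(src=0c:42:a1:e7:1e:b0,dst=0c:42:a1:e7:1d:d1),eth_type(0x0800),ipv4(frag=no), packets:2, bytes:204, used:0.410s, actions:4
"""
# Constructed line, NOT from the post: an assumed VXLAN encap flow in
# standard OVS datapath syntax, using a documentation-range address.
ENCAP_FLOW = (
    "recirc_id(0),in_port(4),eth(src=0c:42:a1:e7:1d:d1,dst=0c:42:a1:e7:1e:b0),"
    "eth_type(0x0800),ipv4(tos=0/0x3,frag=no), packets:5, bytes:490, used:0.200s, "
    "actions:set(tunnel(tun_id=0x64,dst=192.0.2.2,ttl=64,tp_dst=4789,flags(key))),6\n"
)

# match fields, then the statistics, then the action list (which may hold commas)
FLOW_RE = re.compile(
    r"^(?P<match>.*?), packets:(?P<packets>\d+), bytes:(?P<bytes>\d+), "
    r"used:(?P<used>[^,]+), actions:(?P<actions>.*)$")

def parse_flow(line):
    """Return a dict for one datapath flow line, or None if it is not one."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    match, actions = m["match"], m["actions"]
    port = re.search(r"in_port\((\d+)\)", match)
    if re.search(r"(^|,)tunnel\(", match):
        kind = "decap"   # flow matches on outer tunnel metadata
    elif "set(tunnel(" in actions:
        kind = "encap"   # flow pushes tunnel metadata before output
    else:
        kind = "plain"   # ordinary port-to-port forwarding
    return {"in_port": int(port.group(1)) if port else None, "kind": kind,
            "packets": int(m["packets"]), "bytes": int(m["bytes"]),
            "actions": actions}

def summarize(dump):
    """Parse a whole dump; return (flows, count of flows per kind)."""
    flows = [f for f in map(parse_flow, dump.splitlines()) if f]
    counts = {"plain": 0, "encap": 0, "decap": 0}
    for f in flows:
        counts[f["kind"]] += 1
    return flows, counts

if __name__ == "__main__":
    flows, counts = summarize(POST_FLOWS + ENCAP_FLOW)
    for f in flows:
        print(f["in_port"], f["kind"], f["packets"], f["actions"])
    print(counts)
```

On the two flows from the post, both come back as `plain`, which matches the statement that no tunnel is set up yet.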
