Hi all!
Originally following:
https://docs.nvidia.com/doca/sdk/east-west-overlay-encryption/index.html
and
https://docs.mellanox.com/display/BlueFieldSWv35011563/IPsec+Functionality
I have two /dev/mst/mt41686_pciconf0 cards connected back to back.
Outputs after commands in documentation run look like this on the DPUs:
```
root@localhost:~# /opt/mellanox/iproute2/sbin/devlink dev show
pci/0000:03:00.0
pci/0000:03:00.1
root@localhost:~# cat /sys/class/net/p0/compat/devlink/ipsec_mode
full
root@localhost:~# cat /sys/bus/pci/devices/0000\:03\:00.0/net/p0/compat/devlink/steering_mode
dmfs
root@localhost:~# devlink dev eswitch show pci/0000:03:00.0
pci/0000:03:00.0: mode switchdev inline-mode none encap enable
root@localhost:~# cat /sys/class/net/p1/compat/devlink/ipsec_mode
full
root@localhost:~# cat /sys/bus/pci/devices/0000\:03\:00.1/net/p1/compat/devlink/steering_mode
dmfs
root@localhost:~# devlink dev eswitch show pci/0000:03:00.1
pci/0000:03:00.1: mode switchdev inline-mode none encap enable
```
(For reference, this was also run:)
```
root@localhost:~# ethtool -K p0 hw-tc-offload on
```
I am unsure if the commands under “Configuring IPsec Rules with iproute2” on /display/BlueFieldSWv35011563/IPsec+Functionality are relevant, as they do not appear on /doca/sdk/east-west-overlay-encryption/index.html.
Currently there is no IPSec tunnel set up.
For the time being I am using the default OVS config:
```
root@localhost:/etc/swanctl/conf.d# sudo ovs-vsctl show
1e02a588-b026-4917-82f2-eb150be01790
    Bridge ovsbr2
        Port en3f1pf1sf0
            Interface en3f1pf1sf0
        Port pf1hpf
            Interface pf1hpf
        Port p1
            Interface p1
        Port ovsbr2
            Interface ovsbr2
                type: internal
    Bridge ovsbr1
        Port ovsbr1
            Interface ovsbr1
                type: internal
        Port p0
            Interface p0
        Port pf0hpf
            Interface pf0hpf
        Port en3f0pf0sf0
            Interface en3f0pf0sf0
    ovs_version: "2.14.1"
```
I can currently ping between p1p1 on both hosts and see an output when running `ovs-appctl dpctl/dump-flows type=offloaded` on the DPUs, which looks a bit like this (modified MAC addresses before posting):
```
root@localhost:/etc/swanctl/conf.d# sudo ovs-appctl dpctl/dump-flows type=offloaded
recirc_id(0),in_port(4),eth(src=0c:42:a1:e7:1d:d1,dst=0c:42:a1:e7:1e:b0),eth_type(0x0800),ipv4(frag=no), packets:2, bytes:196, used:0.410s, actions:1
recirc_id(0),in_port(1),eth(src=0c:42:a1:e7:1e:b0,dst=0c:42:a1:e7:1d:d1),eth_type(0x0800),ipv4(frag=no), packets:2, bytes:204, used:0.410s, actions:4
```
I am unsure if the config under “Setting IPSec Full Offload Using strongSwan” (from /display/BlueFieldSWv35011563/IPsec+Functionality) should be on the Host or on the DPU.
Additionally, further down the document it mentions:
> You may now send encrypted data over the HOST VF interface (192.168.70.[1|2]) configured for VXLAN.

But 192.168.70.1 is not mentioned anywhere else in the documents.
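
Added example, not part of the original post or of NVIDIA's documentation: a shell check that compares a port against the three values the post shows after the documented commands were run (`ipsec_mode` full, `steering_mode` dmfs, eswitch mode switchdev). The function names, the `SYSROOT` parameter and the sample tree are assumptions made for illustration, and the demo data is constructed.

```shell
#!/usr/bin/env bash
# Added example: compare a port's state with the values shown in the post.
# SYSROOT is a hypothetical parameter: "" on a real DPU, or a directory that
# holds a copy of the sysfs files so the check can run offline.

# read_knob FILE: print the file's value, or "missing" if it cannot be read.
read_knob() {
    if [ -r "$1" ]; then tr -d '[:space:]' < "$1"; else printf 'missing'; fi
}

# eswitch_mode LINE: print the word after "mode" in one line of
# `devlink dev eswitch show` output ("inline-mode" is a different field).
eswitch_mode() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "mode") { print $(i + 1); exit } }'
}

# check_port SYSROOT PCI_ADDR IFACE ESWITCH_LINE
# Prints one line per mismatch; the return status is the number of mismatches.
check_port() {
    sysroot=$1 pci=$2 ifc=$3 line=$4 bad=0
    ipsec=$(read_knob "$sysroot/sys/class/net/$ifc/compat/devlink/ipsec_mode")
    steer=$(read_knob "$sysroot/sys/bus/pci/devices/$pci/net/$ifc/compat/devlink/steering_mode")
    esw=$(eswitch_mode "$line")
    [ "$ipsec" = full ] || { echo "$ifc: ipsec_mode=$ipsec, post shows full"; bad=$((bad + 1)); }
    [ "$steer" = dmfs ] || { echo "$ifc: steering_mode=$steer, post shows dmfs"; bad=$((bad + 1)); }
    [ "$esw" = switchdev ] || { echo "$ifc: eswitch mode=${esw:-unknown}, post shows switchdev"; bad=$((bad + 1)); }
    return "$bad"
}

# make_sample_tree DIR PCI_ADDR IFACE IPSEC STEER: constructed data, not real sysfs.
make_sample_tree() {
    mkdir -p "$1/sys/class/net/$3/compat/devlink" \
             "$1/sys/bus/pci/devices/$2/net/$3/compat/devlink"
    echo "$4" > "$1/sys/class/net/$3/compat/devlink/ipsec_mode"
    echo "$5" > "$1/sys/bus/pci/devices/$2/net/$3/compat/devlink/steering_mode"
}

# Demo on a constructed tree. On a DPU the call would be:
#   check_port "" 0000:03:00.0 p0 "$(devlink dev eswitch show pci/0000:03:00.0)"
tmp=$(mktemp -d)
make_sample_tree "$tmp" 0000:03:00.1 p1 full smfs
check_port "$tmp" 0000:03:00.1 p1 \
    "pci/0000:03:00.1: mode legacy inline-mode none encap enable" ||
    echo "p1: $? mismatch(es)"
rm -rf "$tmp"
```

A return status of 0 only means the port matches the state shown in the post; it does not show that an IPsec tunnel exists or that traffic is encrypted.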