Cannot configure IPsec full offload in Cx-7

Hello, I’m trying to configure IPsec full offload following the official documentation. Here is my system config:

uname -r
6.8.0-79-generic
sudo ethtool -k enp23s0np0|egrep "esp"
tx-esp-segmentation: on
esp-hw-offload: on [fixed]
esp-tx-csum-hw-offload: on [fixed]
cat /boot/config-$(uname -r)| egrep -i "CONFIG_XFRM_OFFLOAD|CONFIG_INET_ESP_OFFLOAD|CONFIG_INET6_ESP_OFFLOAD|MLX5_EN_IPSEC"
CONFIG_XFRM_OFFLOAD=y
CONFIG_INET_ESP_OFFLOAD=m
CONFIG_INET6_ESP_OFFLOAD=m
CONFIG_MLX5_EN_IPSEC=y
/opt/mellanox/iproute2/sbin/ip xfrm state help 2>&1|grep offload
        [ offload [ crypto | packet ] dev DEV dir DIR ]

But when I try to add the xfrm state, I get this error:

/opt/mellanox/iproute2/sbin/ip xfrm state add src 192.168.1.64/24 dst 192.168.1.65/24 proto esp spi 0x4834535d reqid 0x4834535d mode transport aead 'rfc4106(gcm(aes))' 0xc57f6f084ebf8c6a71dd9a053c2e03b94c658a9bf00dd25780e73948931d10d08058a27c 128 offload packet dev enp23s0np0 dir out sel src 192.168.1.64 dst 192.168.1.65
Error: Attribute failed policy validation.

dmesg |tail -n1
[69358.006743] netlink: 'ip': attribute type 33 has an invalid length.

Am I missing something?

Hi @virtnet,

I’m not sure which steps you followed to configure IPSec full offload, but please note that on ConnectX-7 it is supported only in DMFS mode.

Kindly refer to the MLNX_OFED documentation:
https://docs.nvidia.com/networking/display/mlnxofedv24103250lts/ipsec+packet+offload

Example configuration steps:

echo 1 > /sys/class/net/$PF0/device/sriov_numvfs
echo 0000:08:00.2 > /sys/bus/pci/drivers/mlx5_core/unbind
devlink dev param set pci/0000:08:00.0 name flow_steering_mode value dmfs cmode runtime
devlink dev eswitch set pci/0000:08:00.0 mode switchdev
devlink port function set pci/0000:08:00.0/1 ipsec_packet enable
echo 0000:08:00.2 > /sys/bus/pci/drivers/mlx5_core/bind

Regards,
Chen

Thank you @chenh1.

I was finally able to configure IPsec offload for RoCEv2 traffic on the PF device.

On the DMFS requirement, I was able to offload even without DMFS mode. In the screenshot below, the left device has SMFS and the right has DMFS. Could you please clarify if DMFS is a requirement even if I’m using the PF device (no SRIOV)?