Cannot configure IPsec full offload in Cx-7

Hello, I’m trying to configure IPsec full offload following the official documentation. Here is my system config:

uname -r
6.8.0-79-generic

sudo ethtool -k enp23s0np0|egrep "esp"
tx-esp-segmentation: on
esp-hw-offload: on [fixed]
esp-tx-csum-hw-offload: on [fixed]

cat /boot/config-$(uname -r)| egrep -i "CONFIG_XFRM_OFFLOAD|CONFIG_INET_ESP_OFFLOAD|CONFIG_INET6_ESP_OFFLOAD|MLX5_EN_IPSEC"
CONFIG_XFRM_OFFLOAD=y
CONFIG_INET_ESP_OFFLOAD=m
CONFIG_INET6_ESP_OFFLOAD=m
CONFIG_MLX5_EN_IPSEC=y

/opt/mellanox/iproute2/sbin/ip xfrm state help 2>&1|grep offload
[ offload [ crypto | packet ] dev DEV dir DIR ]

But when I try to add the xfrm state, I get this error:

/opt/mellanox/iproute2/sbin/ip xfrm state add src 192.168.1.64/24 dst 192.168.1.65/24 proto esp spi 0x4834535d reqid 0x4834535d mode transport aead 'rfc4106(gcm(aes))' 0xc57f6f084ebf8c6a71dd9a053c2e03b94c658a9bf00dd25780e73948931d10d08058a27c 128 offload packet dev enp23s0np0 dir out sel src 192.168.1.64 dst 192.168.1.65
Error: Attribute failed policy validation.

dmesg |tail -n1
[69358.006743] netlink: 'ip': attribute type 33 has an invalid length.

Am I missing something?

Hi @virtnet,

I’m not sure which steps you followed to configure IPSec full offload, but please note that on ConnectX-7 it is supported only in DMFS mode.

Kindly refer to the MLNX_OFED documentation:
https://docs.nvidia.com/networking/display/mlnxofedv24103250lts/ipsec+packet+offload

Example configuration steps:

echo 1 > /sys/class/net/$PF0/device/sriov_numvfs
echo 0000:08:00.2 > /sys/bus/pci/drivers/mlx5_core/unbind
devlink dev param set pci/0000:08:00.0 name flow_steering_mode value dmfs cmode runtime
devlink dev eswitch set pci/0000:08:00.0 mode switchdev
devlink port function set pci/0000:08:00.0/1 ipsec_packet enable
echo 0000:08:00.2 > /sys/bus/pci/drivers/mlx5_core/bind

Regards,
Chen
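
The checks from the question and the DMFS condition stated in the reply above, combined into one offline pre-flight report. This is an added example, not part of the thread and not NVIDIA's tooling; the function names are hypothetical, and the sample input is constructed (the devlink output layout in particular is an assumption).

```shell
#!/usr/bin/env bash
# Added example (not from the thread): offline pre-flight report for IPsec
# packet offload. Each helper reads captured command output on stdin.

# Input: `ethtool -k DEV`. Prints every esp-related feature that is not "on".
esp_features_off() {
  awk -F: '/esp/ { n = $1; gsub(/^[ \t]+/, "", n); split($2, v, " "); if (v[1] != "on") print n }'
}

# Input: kernel config text. Prints each required option that is not =y or =m.
kconfig_missing() {
  cfg=$(cat)
  for opt in CONFIG_XFRM_OFFLOAD CONFIG_INET_ESP_OFFLOAD \
             CONFIG_INET6_ESP_OFFLOAD CONFIG_MLX5_EN_IPSEC; do
    printf '%s\n' "$cfg" | grep -Eq "^${opt}=[ym]\$" || echo "$opt"
  done
}

# Input: `devlink dev param show DEV name flow_steering_mode` (assumed layout).
# Prints the value that follows "cmode <mode> value".
steering_mode() {
  awk '{ for (i = 1; i + 3 <= NF; i++) if ($i == "cmode" && $(i+2) == "value") { print $(i+3); exit } }'
}

# Args: ethtool text, kernel config text, devlink text. One finding per line;
# no output means every check passed.
preflight() {
  printf '%s\n' "$1" | esp_features_off | sed 's/^/esp-feature-off: /'
  printf '%s\n' "$2" | kconfig_missing  | sed 's/^/kconfig-missing: /'
  mode=$(printf '%s\n' "$3" | steering_mode)
  [ "$mode" = dmfs ] || echo "steering-mode: ${mode:-unknown} (reply above asks for dmfs)"
}

# Constructed sample input; the first two mirror the output posted in the question.
SAMPLE_ETHTOOL='tx-esp-segmentation: on
esp-hw-offload: on [fixed]
esp-tx-csum-hw-offload: on [fixed]'
SAMPLE_KCONFIG='CONFIG_XFRM_OFFLOAD=y
CONFIG_INET_ESP_OFFLOAD=m
CONFIG_INET6_ESP_OFFLOAD=m
CONFIG_MLX5_EN_IPSEC=y'
SAMPLE_DEVLINK='pci/0000:08:00.0:
  name flow_steering_mode type driver-specific
    values:
      cmode runtime value smfs'

preflight "$SAMPLE_ETHTOOL" "$SAMPLE_KCONFIG" "$SAMPLE_DEVLINK"
```

On a live host, pass the real command output instead of the samples, for example `preflight "$(ethtool -k DEV)" "$(cat /boot/config-$(uname -r))" "$(devlink dev param show pci/ADDR name flow_steering_mode)"`.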

Thank you @chenh1.

I was finally able to configure IPsec offload for RoCEv2 traffic on PF device.

On the DMFS requirement, I was able to offload even without DMFS mode. In the screenshot below, the left device has SMFS and the right has DMFS. Could you please clarify if DMFS is a requirement even if I’m using a PF device (no SRIOV)?