Getting Started
fastSwan relies on low-level features provided by the NIC, the Linux kernel and strongSwan.
NIC
During our implementation, Nvidia ConnectX cards (ConnectX-6-Dx and ConnectX-7) were used successfully. They are currently the best choice for HW offload in both Crypto mode and Packet mode (if this assertion is wrong, don't hesitate to send HW for evaluation).
Linux Kernel
A recent Linux kernel is required, one that supports IPsec HW offload both in the network device driver and in the XFRM layer. At the time of writing, the kernel version used is 6.13-rc1. However, some development iterations were done with Nvidia R&D in late December 2024 to extend and fix Tunnel mode support in the mlx5 driver. The resulting patches are being merged into the kernel mainline; if you want to try it in the meantime, you will need to apply the patches below. These patches are included in the ipsec-fixes branch of kernel/git/leon/linux-rdma.git.
- xfrm: Support ESN context update to hardware for TX
- net/mlx5e: Fix inversion dependency warning while enabling IPsec tunnel
- net/mlx5e: Properly match IPsec subnet addresses
- net/mlx5e: Rely on reqid in IPsec tunnel mode
- net/mlx5e: Always start IPsec sequence number from 1
- xfrm: delete intermediate secpath entry in packet offload mode
strongSwan
Use the latest stable strongSwan release that supports hw_offload operations. At the time of writing, strongSwan version 6.0.0 is a good choice.
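As an added example that is not part of fastSwan or its documentation, the following POSIX shell script checks the three prerequisites above (ESP offload exposed by the NIC driver, kernel version, strongSwan version) against constructed sample output and prints the swanctl.conf child settings that request offload. It assumes the `ethtool -k` feature-line format and iproute2's `ip xfrm state` "crypto offload parameters ... mode packet" line; the `hw_offload = crypto|packet` values are strongSwan's documented options for the two offload modes named on this page.

```shell
#!/bin/sh
# Added example, not fastSwan's own tooling: checks the three prerequisites
# named on this page (NIC ESP offload, kernel version, strongSwan version) and
# emits the swanctl child settings that request offload.  Sample inputs are
# constructed so the script runs without a ConnectX NIC.  Assumed formats:
# `ethtool -k` feature lines and iproute2's `ip xfrm state` line
# "crypto offload parameters: dev <if> dir <in|out> mode packet".

MIN_KERNEL="6.13"        # page: 6.13-rc1 plus the listed mlx5/xfrm patches
MIN_STRONGSWAN="6.0.0"   # page: strongSwan 6.0.0

# version_ge A B: exit 0 when dotted version A >= B. A trailing "-rcN" is
# dropped before comparing, so 6.13-rc1 satisfies a 6.13 minimum.
version_ge() {
    a=${1%%-*}
    b=${2%%-*}
    oldifs=$IFS
    IFS=.
    set -- $a
    a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
    set -- $b
    b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
    IFS=$oldifs
    if [ "$a1" -ne "$b1" ]; then [ "$a1" -gt "$b1" ]; return; fi
    if [ "$a2" -ne "$b2" ]; then [ "$a2" -gt "$b2" ]; return; fi
    [ "$a3" -ge "$b3" ]
}

# esp_offload_enabled: reads `ethtool -k <iface>` output on stdin; exit 0 when
# the driver exposes ESP hardware offload and it is switched on.
esp_offload_enabled() {
    grep -q '^esp-hw-offload:[[:space:]]*on'
}

# xfrm_packet_offload_sas: reads `ip xfrm state` output on stdin and prints the
# number of SAs the kernel reports as offloaded in packet mode (crypto-only
# offload lacks the "mode packet" suffix and is not counted).
xfrm_packet_offload_sas() {
    grep -c 'crypto offload parameters:.*mode packet' || true
}

# swanctl_offload_child NAME MODE: prints a swanctl.conf child section asking
# strongSwan for offload; MODE is crypto or packet, strongSwan's documented
# hw_offload values for the two modes this page names.
swanctl_offload_child() {
    case "$2" in
        crypto|packet) ;;
        *) echo "unsupported hw_offload mode: $2" >&2; return 1 ;;
    esac
    printf '%s {\n    mode = tunnel\n    hw_offload = %s\n}\n' "$1" "$2"
}

# check_prereqs KERNEL STRONGSWAN ETHTOOL_TEXT XFRM_TEXT: exit 0 when every
# prerequisite is met, 1 otherwise; prints one finding per line.
check_prereqs() {
    ok=0
    if version_ge "$1" "$MIN_KERNEL"; then echo "kernel $1: ok"
    else echo "kernel $1: need >= $MIN_KERNEL"; ok=1; fi
    if version_ge "$2" "$MIN_STRONGSWAN"; then echo "strongSwan $2: ok"
    else echo "strongSwan $2: need >= $MIN_STRONGSWAN"; ok=1; fi
    if printf '%s\n' "$3" | esp_offload_enabled; then echo "NIC: esp-hw-offload on"
    else echo "NIC: esp-hw-offload off or unsupported"; ok=1; fi
    echo "SAs currently in packet offload mode: $(printf '%s\n' "$4" | xfrm_packet_offload_sas)"
    return $ok
}

# --- constructed sample data (not captured from real hardware) ---
ETHTOOL_SAMPLE='Features for eth0:
rx-checksumming: on
tx-checksumming: on
esp-hw-offload: on
esp-tx-csum-hw-offload: on'

XFRM_SAMPLE='src 192.0.2.1 dst 198.51.100.1
    proto esp spi 0xc0ffee01 reqid 1 mode tunnel
    replay-window 0 flag af-unspec esn
    crypto offload parameters: dev eth0 dir out mode packet
src 198.51.100.1 dst 192.0.2.1
    proto esp spi 0xc0ffee02 reqid 1 mode tunnel
    replay-window 0 flag af-unspec esn
    crypto offload parameters: dev eth0 dir in mode packet
src 192.0.2.1 dst 203.0.113.7
    proto esp spi 0xc0ffee03 reqid 2 mode tunnel
    crypto offload parameters: dev eth0 dir out'

check_prereqs "6.13-rc1" "6.0.0" "$ETHTOOL_SAMPLE" "$XFRM_SAMPLE" && swanctl_offload_child net-a packet
```

On a live host, feed the functions the real values from `uname -r`, `swanctl --version`, `ethtool -k <iface>` and `ip xfrm state` instead of the constructed samples. The xfrm count is the quickest way to confirm, once a tunnel is up, that its SAs actually landed in packet mode rather than crypto-only offload.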