Getting Started
fastSwan relies on low-level features provided by the NIC, the Linux kernel and strongSwan.
NIC
During our implementation, Nvidia ConnectX cards (ConnectX-6-Dx and ConnectX-7) were used successfully. They are currently the best choice for HW offload in both crypto mode and packet mode (if this assertion is wrong, don't hesitate to send HW for evaluation).
Linux Kernel
A recent Linux kernel is required that supports IPsec HW offload at both the network device driver and the XFRM layer. Several development iterations were done with Nvidia R&D in late December 2024 to extend and fix tunnel mode support in the mlx5 driver. The resulting patches have been merged into the Linux kernel mainline; the list of merged patches from this work is below. Further patches for ongoing work can be found in the ipsec-fixes branch of kernel/git/leon/linux-rdma.git.
- xfrm: Support ESN context update to hardware for TX
- xfrm: delete intermediate secpath entry in packet offload
- xfrm: prevent high SEQ input in non-ESN mode
- xfrm: simplify SA initialization routine
- xfrm: rely on XFRM offload
- xfrm: provide common xdo_dev_offload_ok callback
- xfrm: check for PMTU in tunnel mode for packet offload
- xfrm: fix tunnel mode TX datapath in packet offload mode
- xfrm: validate assignment of maximal possible SEQ number
- xfrm: prevent configuration of interface index when offload is used
- xfrm: always initialize offload path
- xfrm: fix offloading of cross-family tunnels
- net/mlx5e: Update TX ESN context for IPSec hardware offload
- net/mlx5e: Fix inversion dependency warning while enabling IPsec tunnel
- net/mlx5e: Rely on reqid in IPsec tunnel mode
- net/mlx5e: Always start IPsec sequence number from 1
- net/mlx5e: Separate address related variables to be in struct
- net/mlx5e: Properly match IPsec subnet addresses
- net/mlx5e: Support routed networks during IPsec MACs initialization
- net/mlx5e: Use ip6_dst_lookup instead of ipv6_dst_lookup_flow for MAC init
- net/mlx5e: Trigger neighbor resolution for unresolved destinations
- net/mlx5e: Prevent tunnel reformat when tunnel mode not allowed
strongSwan
The latest stable strongSwan release that supports hw_offload operations is required. At the time of writing, strongSwan version 6.0.0 is a good choice.
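The following pre-flight script is an added example, not part of fastSwan or strongSwan: it checks the two lower layers listed above before strongSwan is configured. It parses `ethtool -k` output for the `esp-hw-offload` feature (the feature name ethtool prints for ESP offload; "off [fixed]" means the driver or kernel cannot enable it) and counts the SAs that `ip xfrm state` reports in packet offload mode. The sample outputs embedded in the script are constructed so it runs offline; the `crypto offload parameters: ... mode <mode>` line format and the `FASTSWAN_IFACE` variable are assumptions.

```shell
#!/bin/sh
# Added example: verify NIC and kernel IPsec offload prerequisites.
# Sample outputs below are constructed, not captured from real hardware.

# Return 0 when the given `ethtool -k` output advertises ESP HW offload.
# "esp-hw-offload: off [fixed]" means the driver/kernel cannot enable it.
esp_offload_supported() {
    printf '%s\n' "$1" | grep -q '^ *esp-hw-offload: on'
}

# Count SAs in `ip xfrm state` output whose offload mode is "packet".
# Assumed line format (constructed sample below):
#   crypto offload parameters: dev <ifname> dir <in|out> mode <crypto|packet>
packet_offload_sa_count() {
    printf '%s\n' "$1" | awk '
        /crypto offload parameters/ {
            for (i = 1; i <= NF; i++)
                if ($i == "mode" && $(i + 1) == "packet") n++
        }
        END { print n + 0 }'
}

# Constructed sample: a NIC whose driver exposes ESP offload (e.g. mlx5).
SAMPLE_ETHTOOL_ON='Features for enp1s0f0np0:
rx-checksumming: on
esp-hw-offload: on
esp-tx-csum-hw-offload: on'

# Constructed sample: a NIC without ESP offload support.
SAMPLE_ETHTOOL_OFF='Features for eth0:
rx-checksumming: on
esp-hw-offload: off [fixed]
esp-tx-csum-hw-offload: off [fixed]'

# Constructed sample: one tunnel-mode SA in packet offload, one in crypto offload.
SAMPLE_XFRM='src 192.0.2.1 dst 198.51.100.1
	proto esp spi 0x0c3a5d1e reqid 1 mode tunnel
	replay-window 0 flag af-unspec esn
	crypto offload parameters: dev enp1s0f0np0 dir out mode packet
src 198.51.100.1 dst 192.0.2.1
	proto esp spi 0x0d4b6e2f reqid 1 mode tunnel
	replay-window 0 flag af-unspec esn
	crypto offload parameters: dev enp1s0f0np0 dir in mode crypto'

# Live check, only when an interface name is supplied and the tools exist
# (FASTSWAN_IFACE is an assumed variable name, not a fastSwan setting).
if [ -n "${FASTSWAN_IFACE:-}" ] && command -v ethtool >/dev/null 2>&1; then
    if esp_offload_supported "$(ethtool -k "$FASTSWAN_IFACE")"; then
        echo "$FASTSWAN_IFACE: esp-hw-offload is on"
    else
        echo "$FASTSWAN_IFACE: esp-hw-offload missing; check NIC/driver/kernel" >&2
    fi
    if command -v ip >/dev/null 2>&1; then
        echo "SAs in packet offload mode: $(packet_offload_sa_count "$(ip xfrm state)")"
    fi
fi
```

Run it as `FASTSWAN_IFACE=enp1s0f0np0 sh check-offload.sh` on the host; an SA count of zero with offload enabled on the NIC usually means strongSwan was not asked for offload, which is set per child SA in swanctl.conf with `hw_offload = packet` (or `crypto`).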