I tried running the DPDK ipsec-secgw sample app with the following versions
NIC type and driver
Command and cmd line args used to run the app
./build/ipsec-secgw -l 6 -w 00:04.0 -w 00:05.0 --vdev "crypto_null" --log-level 8 \
--socket-mem 1024 -- -p 0xf -P -u 0x2 \
--config="(0,0,6),(1,0,6)" -f /root/config_file
Output:
EAL: Detected 8 lcore(s)
EAL: Detected 1 NUMA nodes
EAL: Multi-process socket /var/run/dpdk/rte/mp_socket
EAL: Selected IOVA mode 'PA'
EAL: Probing VFIO support...
EAL: PCI device 0000:00:04.0 on NUMA socket -1
EAL: Invalid NUMA socket, default to 0
EAL: probe driver: 1af4:1000 net_virtio
EAL: PCI device 0000:00:05.0 on NUMA socket -1
EAL: Invalid NUMA socket, default to 0
EAL: probe driver: 1af4:1000 net_virtio
CRYPTODEV: Creating cryptodev crypto_null
CRYPTODEV: Initialisation parameters - name: crypto_null,socket id: 0, max queue pairs: 8
Promiscuous mode selected
librte_ipsec usage: disabled
replay window size: 0
ESN: disabled
SA flags: 0
Frag TTL: 10000000000 ns
Allocated mbuf pool on socket 0
CRYPTODEV: elt_size 64 is expanded to 176
Allocated session pool on socket 0
Allocated session priv pool on socket 0
Configuring device port 0:
Address: 52:54:00:A5:82:2D
Creating queues: nb_rx_queue=1 nb_tx_queue=1...
EAL: Error - exiting with code: 1
Cause: Error: port 0 required RX offloads: 0xe, avaialbe RX offloads: 0xa1d
Config file contents:
#SP IPv4 rules
sp ipv4 out esp protect 1005 pri 1 dst 192.168.105.0/24 sport 0:65535 dport 0:65535
#SA rules
sa out 1005 aead_algo aes-128-gcm aead_key 2b:7e:15:16:28:ae:d2:a6:ab:f7:15:88:09:cf:4f:3d:de:ad:be:ef \
mode ipv4-tunnel src 172.16.1.5 dst 172.16.2.5 \
port_id 1 \
type inline-crypto-offload \
sa in 5 aead_algo aes-128-gcm aead_key 2b:7e:15:16:28:ae:d2:a6:ab:f7:15:88:09:cf:4f:3d:de:ad:be:ef \
mode ipv4-tunnel src 172.16.1.5 dst 172.16.2.5 \
port_id 1 \
type inline-crypto-offload \
#Routing rules
rt ipv4 dst 172.16.2.5/32 port 1
rt ipv4 dst 192.168.105.10/32 port 0
It says that certain offload capabilities are missing.
I got the config file details and command line arguments from a DPDK test plan for Niantic NICs. Is the app only supposed to work with Niantic PFs/VFs. Is there anyway to get it to work with virtio paravirtualized NICs?
Instructions link followed: Instructions
DPDK example ipsec-gw make use of RX offload .offloads = DEV_RX_OFFLOAD_CHECKSUM. For DPDK 19.11.5 LTS following are the list of devices which supports the same
axgbe
dpaa2
e1000
enic
hinic
ixgbe
mlx4
mlx5
mvneta
mvpp2
netvsc
octeontx
octeontx2
sfc
tap
thunderx
thunderx
vmxnet3
DPDK RX Checksum offload is defined as #define DEV_RX_OFFLOAD_CHECKSUM (DEV_RX_OFFLOAD_IPV4_CKSUM | DEV_RX_OFFLOAD_UDP_CKSUM | DEV_RX_OFFLOAD_TCP_CKSUM). Based on the error log Cause: Error: port 0 required RX offloads: 0xe, available RX offloads: 0xa1d, looks like DEV_RX_OFFLOAD_IPV4_CKSUM is not present in the PMD.
For the question ipsec-gw only works for Niantic NIC assumption is not incorrect. Becuase IPSEC-GW application can run any NIC which has RX offload checksum available. List is shared above.
For the question Is there any way to get it to work with virtio para-virtualized NICs? one can always disable the RX_CHECKSUM and do the checksum of IPv4 in software. But you will need to edit the application and use rte_ip_cksum.