DPDK sample app ipsec-secgw failing with virtio NIC

Question

I tried running the DPDK ipsec-secgw sample app with the following versions

• DPDK version dpdk-stable-19.11.5
• OS CentOS Linux release 7.7.1908 (Core)
• Kernel 3.10.0-1062.el7.x86_64

NIC type and driver

• 0000:00:04.0 'Virtio network device 1000' drv=igb_uio unused=virtio_pci,uio_pci_generic

Command and cmd line args used to run the app

./build/ipsec-secgw -l 6 -w 00:04.0 -w 00:05.0 --vdev "crypto_null" --log-level 8 \
--socket-mem 1024 -- -p 0xf -P -u 0x2 \
--config="(0,0,6),(1,0,6)" -f /root/config_file

Output:

EAL: Detected 8 lcore(s)
EAL: Detected 1 NUMA nodes
EAL: Multi-process socket /var/run/dpdk/rte/mp_socket
EAL: Selected IOVA mode 'PA'
EAL: Probing VFIO support...
EAL: PCI device 0000:00:04.0 on NUMA socket -1
EAL:   Invalid NUMA socket, default to 0
EAL:   probe driver: 1af4:1000 net_virtio
EAL: PCI device 0000:00:05.0 on NUMA socket -1
EAL:   Invalid NUMA socket, default to 0
EAL:   probe driver: 1af4:1000 net_virtio
CRYPTODEV: Creating cryptodev crypto_null

CRYPTODEV: Initialisation parameters - name: crypto_null,socket id: 0, max queue pairs: 8
Promiscuous mode selected
librte_ipsec usage: disabled
replay window size: 0
ESN: disabled
SA flags: 0
Frag TTL: 10000000000 ns
Allocated mbuf pool on socket 0
CRYPTODEV: elt_size 64 is expanded to 176

Allocated session pool on socket 0
Allocated session priv pool on socket 0
Configuring device port 0:
Address: 52:54:00:A5:82:2D
Creating queues: nb_rx_queue=1 nb_tx_queue=1...
EAL: Error - exiting with code: 1
  Cause: Error: port 0 required RX offloads: 0xe, avaialbe RX offloads: 0xa1d

Config file contents:

#SP IPv4 rules
sp ipv4 out esp protect 1005 pri 1 dst 192.168.105.0/24 sport 0:65535 dport 0:65535

#SA rules
sa out 1005 aead_algo aes-128-gcm aead_key 2b:7e:15:16:28:ae:d2:a6:ab:f7:15:88:09:cf:4f:3d:de:ad:be:ef \
mode ipv4-tunnel src 172.16.1.5 dst 172.16.2.5 \
port_id 1 \
type inline-crypto-offload \

sa in 5 aead_algo aes-128-gcm aead_key 2b:7e:15:16:28:ae:d2:a6:ab:f7:15:88:09:cf:4f:3d:de:ad:be:ef \
mode ipv4-tunnel src 172.16.1.5 dst 172.16.2.5 \
port_id 1 \
type inline-crypto-offload \

#Routing rules
rt ipv4 dst 172.16.2.5/32 port 1
rt ipv4 dst 192.168.105.10/32 port 0

It says that certain offload capabilities are missing.

I got the config file details and command line arguments from a DPDK test plan for Niantic NICs. Is the app only supposed to work with Niantic PFs/VFs. Is there anyway to get it to work with virtio paravirtualized NICs?

Instructions link followed: Instructions

Answer 1

DPDK example ipsec-gw make use of RX offload .offloads = DEV_RX_OFFLOAD_CHECKSUM. For DPDK 19.11.5 LTS following are the list of devices which supports the same

axgbe       
dpaa2       
e1000       
enic        
hinic       
ixgbe       
mlx4        
mlx5        
mvneta      
mvpp2       
netvsc      
octeontx    
octeontx2   
sfc         
tap         
thunderx    
thunderx    
vmxnet3     

DPDK RX Checksum offload is defined as #define DEV_RX_OFFLOAD_CHECKSUM (DEV_RX_OFFLOAD_IPV4_CKSUM | DEV_RX_OFFLOAD_UDP_CKSUM | DEV_RX_OFFLOAD_TCP_CKSUM). Based on the error log Cause: Error: port 0 required RX offloads: 0xe, available RX offloads: 0xa1d, looks like DEV_RX_OFFLOAD_IPV4_CKSUM is not present in the PMD.

For the question ipsec-gw only works for Niantic NIC assumption is not incorrect. Becuase IPSEC-GW application can run any NIC which has RX offload checksum available. List is shared above.

For the question Is there any way to get it to work with virtio para-virtualized NICs? one can always disable the RX_CHECKSUM and do the checksum of IPv4 in software. But you will need to edit the application and use rte_ip_cksum.