Also, I do want to add that when I see the failure I also see the following messages:

    pluto[47469]: ERROR: "private-or-clear-2#192.201.82.0/24"[8487] ...192.201.82.8 #74156: netlink response for Add SA [email protected]: Cannot allocate memory (errno 12)
    pluto[47469]: "private-or-clear-2#192.201.82.0/24"[8487] ...192.201.82.8 #74156: netlink ext_ack: mlx5_core: Device failed to offload this state
    pluto[47469]: "private-or-clear-2#192.201.82.0/24"[8487] ...192.201.82.8 #74156: Warning: Adding IPsec SA to failed - NIC packet esp-hw-offload possibly not available for the negotiated p>

Is there any known issue around this? Thanks.

From: Mamta Gambhir via Swan <[email protected]>
Date: Tuesday, July 1, 2025 at 6:11 PM
To: Mamta Gambhir via Swan <[email protected]>
Subject: [External] : [Swan] Fragmentation with IPsec enabled

With libreswan

    # rpm -qa | grep libreswan
    libreswan-5.1-6.0.2.el8.x86_64

and .conf

    conn private-or-clear
        type=transport
        auto=route
        ikev2=insist
        nic-offload=packet
        negotiationshunt=passthrough
        failureshunt=passthrough
        authby=null
        rightid=%null
        leftid=%null
        right=%opportunisticgroup
        left=192.201.82.1

    conn private-or-clear-2
        type=transport
        auto=route
        ikev2=insist
        nic-offload=packet
        negotiationshunt=passthrough
        failureshunt=passthrough
        authby=null
        rightid=%null
        leftid=%null
        right=%opportunisticgroup
        left=192.201.82.2

When the MTU of the interface is, say, 2300, anything above the MTU (TCP MSS) fails with IPsec enabled (-l) while running UDP traffic:

    iperf3 -c 192.201.82.1 -B 192.201.82.3 -u -t 10 -b 100G -l 8192

and passes with IPsec disabled. Though in both cases I see the warning

    UDP block size 8192 exceeds TCP MSS 2226, may result in fragmentation / drops

the traffic goes through as usual without IPsec.

With IPsec enabled, is it that Libreswan doesn't allow fragmented ESP packets, so if the encrypted packet exceeds the MTU, packets are getting dropped (silent fail)? In our case we have hardware offloads enabled (Nvidia CX7 NIC) and IP fragments are handled via a software fallback. I am not very clear on whether there is a way to enable fragmented packets to still go through in clear, basically to have similar behavior to what I see without IPsec. What are the options in ipsec.conf for PMTU discovery/IP fragments?

Thanks
Mamta
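As an added triage example (not code from the mail, nor from libreswan), the parser below groups pluto log lines by IKE state number and flags states whose kernel SA install failed together with an NIC offload ext_ack, which is the signature of the messages quoted above; the sample lines are constructed from those messages, and the SA identifier after "Add SA" is a placeholder because the original is redacted.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the pluto messages quoted in the mail.
# "esp.PLACEHOLDER" stands in for the redacted SA identifier; the last
# line is a constructed success case for a different state.
SAMPLE_LOG = """\
pluto[47469]: ERROR: "private-or-clear-2#192.201.82.0/24"[8487] ...192.201.82.8 #74156: netlink response for Add SA esp.PLACEHOLDER@192.201.82.8: Cannot allocate memory (errno 12)
pluto[47469]: "private-or-clear-2#192.201.82.0/24"[8487] ...192.201.82.8 #74156: netlink ext_ack: mlx5_core: Device failed to offload this state
pluto[47469]: "private-or-clear-2#192.201.82.0/24"[8487] ...192.201.82.8 #74156: Warning: Adding IPsec SA to failed - NIC packet esp-hw-offload possibly not available
pluto[47469]: "private-or-clear#192.201.82.0/24"[8488] ...192.201.82.9 #74157: IPsec SA established transport mode
"""

# pluto prefix: optional ERROR:, quoted conn instance, [instance], ...peer, #state:
STATE_RE = re.compile(
    r'pluto\[\d+\]: (?:ERROR: )?"(?P<conn>[^"]+)"\[\d+\] '
    r'\.\.\.(?P<peer>\S+) #(?P<state>\d+): (?P<msg>.*)')
ERRNO_RE = re.compile(r"netlink response for Add SA .*\(errno (\d+)\)")

def parse_offload_failures(log_text):
    """Return one record per state whose Add SA netlink call failed and
    which also carries a NIC ext_ack or an esp-hw-offload warning."""
    per_state = defaultdict(lambda: {
        "conn": None, "peer": None, "netlink_errno": None,
        "ext_ack": None, "offload_warning": False})
    for line in log_text.splitlines():
        m = STATE_RE.search(line)
        if not m:
            continue
        rec = per_state[m["state"]]
        rec["conn"], rec["peer"] = m["conn"], m["peer"]
        msg = m["msg"]
        e = ERRNO_RE.search(msg)
        if e:
            rec["netlink_errno"] = int(e.group(1))
        if "netlink ext_ack:" in msg:
            rec["ext_ack"] = msg.split("netlink ext_ack:", 1)[1].strip()
        if "esp-hw-offload possibly not available" in msg:
            rec["offload_warning"] = True
    return [{"state": int(s), **r} for s, r in per_state.items()
            if r["netlink_errno"] is not None
            and (r["ext_ack"] or r["offload_warning"])]

if __name__ == "__main__":
    for f in parse_offload_failures(SAMPLE_LOG):
        print(f"state #{f['state']} conn={f['conn']} peer={f['peer']} "
              f"errno={f['netlink_errno']} ext_ack={f['ext_ack']!r}")
```

Running it against the constructed sample reports only state #74156; a state whose Add SA succeeded, or one that fails without an offload ext_ack or warning, is not flagged.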