[strongSwan] local roadwarrior endpoint in highly virtualized environment

Christ Schlacta lists at aarcane.org
Fri Jan 13 01:50:15 CET 2012


I'm hosting a vpn endpoint for a few roadwarrior clients (our laptops 
and phones mostly), and I'm now at the point where I must decide: do I 
place the roadwarrior endpoints on the virtualized router (right now 
they're on the physical router), on their own virtual machine (CPU 
pinning anyone?) or on one of the VPN physical host machines?
Some of the things I've come up with to consider and could use answers to:
1) The routers will be configured for failover.  Can the VPN endpoint 
fail over with the router?
2) Does the VPN endpoint use any characteristics of the CPU such that 
VT-x instructions are insufficient (KVM/QEMU virtual machines)?  I don't 
have VT-d available.
3) Placing the endpoint on the VM hosts will certainly lead to 
complications in the firewall and routing tables.  Is the benefit of 
placing the endpoint on that physical machine worth the extra hassle?
4) What am I missing here?  I know it's kinda obvious, but it always 
worries me in situations like this.

I'm using charon, IKEv2, and insofar as I remember, clients are 
identified by a certificate file.
