[strongSwan] IPSEC hardware acceleration

Martin Willi martin at strongswan.org
Thu Jan 9 09:49:09 CET 2014


> I want to enhance IPsec stack performance, I'm evaluating a few NIC/PCI 
> IPsec hardware acceleration cards.
> Please suggest a plugin card compatible with strongSwan.

strongSwan usually does not process raw ESP packets, that's handled in
the kernel. So to increase IPsec throughput, you'll need an accelerator
for the kernel.

Linux with its native IPsec stack uses the Linux Crypto API. So you
should check that your accelerator provides a driver for this API. A
growing set of drivers comes with vanilla Linux.

Accelerating userland is different. Usually it is not that important, as
there are not that many IKE packets to encrypt. You can use the af-alg
plugin, though, allowing you to delegate encryption to the Linux crypto
API. Specific hardware drivers are possible as well; the padlock plugin
is an example.

Delegating DH or RSA to crypto hardware might help to increase tunnel
setup performance. If you use our openssl plugin, you might take
advantage of an engine to accelerate crypto in userspace. The pkcs11
plugin can be used as well to delegate some operations if your driver
has a PKCS#11 interface.
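
The check suggested above (whether an accelerator's driver is registered with the Linux Crypto API) can be done by reading `/proc/crypto`; the following is an added example, not part of the original message or of strongSwan. The driver and module names `cbc-aes-exampleaccel` / `exampleaccel` and the priorities in the sample are constructed.

```python
import re
import sys

# Constructed, abridged sample in /proc/crypto format (not from a real host).
SAMPLE = """\
name         : cbc(aes)
driver       : cbc(aes-generic)
module       : kernel
priority     : 100

name         : cbc(aes)
driver       : cbc-aes-exampleaccel
module       : exampleaccel
priority     : 3000

name         : hmac(sha256)
driver       : hmac(sha256-generic)
module       : kernel
priority     : 100
"""

def parse_proc_crypto(text):
    """Parse blank-line-separated 'key : value' records into dicts."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = (line.partition(":") for line in block.splitlines())
        fields = {k.strip(): v.strip() for k, sep, v in pairs if sep}
        if "name" in fields and "driver" in fields:
            fields["priority"] = int(fields.get("priority", 0))
            entries.append(fields)
    return entries

def preferred_drivers(entries):
    """For each algorithm name, keep the highest-priority driver (the one the kernel selects)."""
    best = {}
    for e in entries:
        if e["name"] not in best or e["priority"] > best[e["name"]]["priority"]:
            best[e["name"]] = e
    return best

if __name__ == "__main__":
    # On a Linux host pass /proc/crypto as the argument; default is the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for name, e in sorted(preferred_drivers(parse_proc_crypto(text)).items()):
        # Heuristic (assumption): "generic" in the driver name marks the portable C fallback.
        kind = "generic software" if "generic" in e["driver"] else "optimized or offload"
        print(f"{name:16} {e['driver']:24} prio={e['priority']:<5} {e.get('module', '?')} ({kind})")
```

Composite algorithms used for ESP, such as `authenc(hmac(sha256),cbc(aes))`, are instantiated on demand, so run the check again after a tunnel has carried traffic.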

