[strongSwan] IPSEC hardware acceleration

SunilVasanta v.sunil at sawridgesystems.com
Thu Jan 9 10:03:22 CET 2014

Hi Martin,

Thanks for your input...


On 09-01-2014 14:19, Martin Willi wrote:
> Hi,
>> I want to enhance IPsec stack performance, I'm evaluating few NIC/PCI
>> IPsec hardware  acceleration cards.
>> Please suggest plugin card compatible with strong swan.
> strongSwan usually does not process raw ESP packets, that's handled in
> the kernel. So to increase IPsec throughput, you'll need an accelerator
> for the kernel.
> Linux with its native IPsec stack uses the Linux Crypto API. So you
> should check that your accelerator provides a driver for this API. A
> growing set of drivers comes with vanilla Linux.
> Accelerating userland is different. Usually it is not that important, as
> there are not that much IKE packets to encrypt. You can use the af-alg
> plugin, though, allowing you to delegate encryption to the Linux crypto
> API. Specific hardware drivers are possible as well, the padlock plugin
> is an example.
> Delegating DH or RSA to crypto hardware might help to increase tunnel
> setup performance. If you use our openssl plugin, you might take
> advantage of an engine to accelerate crypto in userspace. The pkcs11
> plugin can be used as well to delegate some operations if your driver
> has a PKCS#11 interface.
> Regards
> Martin


Sunil Vasanta

More information about the Users mailing list