Can anyone recommend a good IPSec software that can use multiple CPU cores to achieve performance ~2Gbps on Linux dual-CPU quad-core E5620 Xeon setup (total 16HT cores)?
I have tried OpenSwan and StrongSwan. The OpenSwan KLIPS stack runs only on a single CPU core. And the KLIPS+OCF crypto offload also seems to be very badly implemented because it is consuming all 16 CPU cores at 70% while delivering only ~600Mbps. And as a side product it is also reordering TCP packets.
So far with OpenVPN, which uses a different protocol, we were able to achieve ~2Gbps on the same hardware with load balancing without any problems. Only 4 out of 16 cores were utilized at 100%. Now it is time to do the same thing with IPsec. Preferably that should be an open-source IPsec solution.
Update:
My latest findings indicate that the IPsec NETKEY stack might be able to handle two gigs of traffic without a problem (but only on multiqueue NICs). I was not able to verify this for sure, because it seems that NAPI switches NIC drivers to polling mode under high load and at that time all performance drops from 1.7 Gbps to 500 Mbps. Also it seems that Ubuntu 10.04 does not do time accounting for some kernel threads and because of that I do not see how workload is distributed across all CPU cores.
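The update says the per-core distribution of NETKEY work is hard to see because kernel-thread time is not accounted per process. The script below is an added example, not part of the original thread or of any of the projects named in it: with NETKEY the ESP crypto and xfrm work runs in kernel context and shows up as system and softirq time in `/proc/stat`, and the per-CPU NAPI activity (packets processed and "time_squeeze" budget exhaustions) is in `/proc/net/softnet_stat`, so two snapshots of those files are enough to see whether one core or many are doing the work. It assumes a Linux `/proc` layout with the standard column order; the sample snapshots embedded in it are constructed to illustrate a single-queue NIC pinning everything on cpu0.

```shell
#!/bin/sh
# Added example (not from the original thread): show how IPsec/NETKEY softirq and
# NAPI work is spread across cores. Assumes the Linux /proc layout; the sample
# snapshots below are constructed, not measurements.
set -eu

# Per-CPU busy/sys/irq/softirq share of the interval between two /proc/stat
# snapshots. Columns: cpuN user nice system idle iowait irq softirq steal guest
# guest_nice; guest columns are already counted in user, so only 2..9 are summed.
cpu_delta() {
  awk '
    FNR==NR { if ($1 ~ /^cpu[0-9]+$/) { for (i=2;i<=9;i++) a[$1,i]=$i }; next }
    $1 ~ /^cpu[0-9]+$/ {
      total=0
      for (i=2;i<=9;i++) { d[i]=$i-a[$1,i]; total+=d[i] }
      if (total<=0) next
      idle=d[5]+d[6]
      printf "%s busy=%.1f sys=%.1f irq=%.1f softirq=%.1f\n", $1,
        100*(total-idle)/total, 100*d[4]/total, 100*d[7]/total, 100*d[8]/total
    }' "$1" "$2"
}

# Per-CPU packets processed and NAPI time_squeeze events between two
# /proc/net/softnet_stat snapshots (one hex row per CPU: processed, dropped,
# time_squeeze, ...). A climbing time_squeeze count means the poll budget is
# being exhausted, i.e. that CPU is staying in polling mode.
softnet_delta() {
  awk '
    function hex(s,  i, v) { v=0; s=tolower(s)
      for (i=1;i<=length(s);i++) v=v*16+index("0123456789abcdef",substr(s,i,1))-1
      return v }
    FNR==NR { p[FNR]=hex($1); sq[FNR]=hex($3); next }
    { printf "cpu%d packets=%d time_squeeze=%d\n", FNR-1, hex($1)-p[FNR], hex($3)-sq[FNR] }
  ' "$1" "$2"
}

# Constructed snapshots, 1 s apart at USER_HZ=100: cpu0 carries all the irq and
# softirq time and nearly all packets, cpu1 is almost idle (single NIC queue).
STAT_A='cpu  200 0 100 1700 0 0 0 0 0 0
cpu0 100 0 50 850 0 0 0 0 0 0
cpu1 100 0 50 850 0 0 0 0 0 0'
STAT_B='cpu  210 0 110 1800 0 10 70 0 0 0
cpu0 100 0 60 860 0 10 70 0 0 0
cpu1 110 0 50 940 0 0 0 0 0 0'
NET_A='00001000 00000000 00000005 00000000 00000000 00000000 00000000 00000000 00000000
00000010 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000'
NET_B='00002f00 00000000 0000000c 00000000 00000000 00000000 00000000 00000000 00000000
00000014 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000'

# Writes the constructed snapshots into a temp dir and prints its path.
write_samples() {
  dir=$(mktemp -d)
  printf '%s\n' "$STAT_A" > "$dir/stat_a"; printf '%s\n' "$STAT_B" > "$dir/stat_b"
  printf '%s\n' "$NET_A"  > "$dir/net_a";  printf '%s\n' "$NET_B"  > "$dir/net_b"
  printf '%s\n' "$dir"
}

# Live mode: sample the real counters over N seconds (default 5).
live_report() {
  dir=$(mktemp -d)
  cat /proc/stat > "$dir/s1"; cat /proc/net/softnet_stat > "$dir/n1"
  sleep "${1:-5}"
  cat /proc/stat > "$dir/s2"; cat /proc/net/softnet_stat > "$dir/n2"
  cpu_delta "$dir/s1" "$dir/s2"; softnet_delta "$dir/n1" "$dir/n2"
  rm -rf "$dir"
}

sample_report() {
  dir=$(write_samples)
  cpu_delta "$dir/stat_a" "$dir/stat_b"
  softnet_delta "$dir/net_a" "$dir/net_b"
  rm -rf "$dir"
}

case "${1:-}" in
  live) live_report "${2:-5}" ;;
  *)    sample_report ;;
esac
```

Run it with no arguments to see the constructed case (cpu0 at 70% softirq, cpu1 idle), or with `live 10` on the VPN gateway under load. If only one core shows softirq time and a rising `time_squeeze` while the others sit idle, the NIC is delivering on a single queue and RSS/multiqueue needs to be enabled before any user-space tuning will matter.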
hifn-based crypto accelerator hardware has been in use in BSD for a while now; a quick Google shows Linux drivers as well. The Express DX 1845 card boasts 25Gbps throughput on their brochure, but YMMV, and obviously I'd want to talk to a product/sales engineer first to see if it would work for your purposes.