What is the maximum performance supported by an IPsec site-to-site tunnel in VyOS, and how can I achieve it?

Hello @everybody
We have done some research and found that one tunnel (VTI, IP+ESP) is bound to a single core on the decryption VyOS node.
Does anyone know how to bypass this restriction? On a single core we have about 1Gbps IPsec throughput, but we want to parallelize to increase it.
Tried to add modules like pcrypt and tcrypt (as described on the page Parallel Crypto Engine for the Linux Kernel - strongSwan), without success. VyOS 1.3.2 LTS

Actually found a workaround:
Use RPS offload options, several VTI IPsec tunnels, and WAN load balancing, hoping that packets/streams will be processed on different CPUs on the decryption side.

Hi @rusnino - I am very curious about this because I want to move my deployment from a GE to a 10GE environment. Could you share more details on how you resolved the issue?

Intel QAT should help with performance if you have it.
It is described in our doc.

Thanks @Viacheslav, if my understanding is correct, QAT is an extra card, but I am wondering if @rusnino uses another method?
My current machine has many CPU cores (Xeon E-2378) and is sitting there only for the IPsec VPN between my two locations, so I am thinking of pushing the CPU rather than buying an extra card.