Hi, > I want to enhance IPsec stack performance, I'm evaluating few NIC/PCI > IPsec hardware acceleration cards. > > Please suggest plugin card compatible with strong swan.
strongSwan usually does not process raw ESP packets, that's handled in the kernel. So to increase IPsec throughput, you'll need an accelerator for the kernel. Linux with its native IPsec stack uses the Linux Crypto API. So you should check that your accelerator provides a driver for this API. A growing set of drivers comes with vanilla Linux. Accelerating userland is different. Usually it is not that important, as there are not that much IKE packets to encrypt. You can use the af-alg plugin, though, allowing you to delegate encryption to the Linux crypto API. Specific hardware drivers are possible as well, the padlock plugin is an example. Delegating DH or RSA to crypto hardware might help to increase tunnel setup performance. If you use our openssl plugin, you might take advantage of an engine to accelerate crypto in userspace. The pkcs11 plugin can be used as well to delegate some operations if your driver has a PKCS#11 interface. Regards Martin _______________________________________________ Users mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/users
