Linux IPSec hardware acceleration in VM?

alexc

I need to set up a VM to be used as a router which will also do IPSec encryption. Since new CPUs are all crypto acceleration capable, I really wonder which is the best VM hardware I should choose to have it employed.
I suspect I'll set up the CPU as "host" type, but what about VM NICs? Does the virtio NIC support that?

I plan to use 18.04 or 20.04 Ubuntu or, if you recommend it, Debian 10. Should I also use a newer kernel (ML or LT branch instead of the OS-supplied one)?

To be exact, I only have 1Gb on the WAN link but I really need lower delays.
 
CPU of type host is, as you suspected, the most suitable one. If you have NICs available that can be used purely for that VM, you could pass them through as PCI devices and have direct access. Otherwise, use VirtIO NICs as they have the least overhead. Stuff like hardware offloading needs to be disabled though.
 
Stuff like hardware offloading needs to be disabled though.
Sounds like I have no chance to use CPU-assisted hardware crypto acceleration? Maybe an Intel-type NIC may help?
Sad to know we all have quite capable CPUs nowadays and still stick with software crypto.
And no, I cannot bind a physical NIC to this VM only.
 
Hardware offloading was meant regarding the NICs. AES and other features of the CPU will be used if you set it to host.

And no, the Intel NIC will emulate an old Intel e1000 NIC to the VM which is slower than the Virtio NIC which is a very thin layer.
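
A way to confirm from inside the guest that the `aes` CPU flag reaches the VM and that the kernel crypto API, which IPsec uses, prefers an AES-NI driver. This is an added example, not part of the thread; the function names and sample text are constructed, and the driver names assume the x86 `aesni_intel` module.

```shell
#!/bin/sh
# Added example: run inside the guest. File arguments default to the live
# /proc files; the sample_* functions emit constructed text for offline use.

# has_cpu_flag FLAG [CPUINFO]: succeed if FLAG is on the first "flags" line.
has_cpu_flag() {
    awk -v f="$1" -F: '
        $1 ~ /^flags[ \t]*$/ {
            n = split($2, a, " ")
            for (i = 1; i <= n; i++) if (a[i] == f) found = 1
            exit
        }
        END { exit found ? 0 : 1 }' "${2:-/proc/cpuinfo}"
}

# aes_drivers [CRYPTO]: print "driver priority" for each registered "aes"
# cipher, highest priority first (the crypto API picks the highest).
aes_drivers() {
    awk -F' *: *' '
        $1 == "name"   { name = $2 }
        $1 == "driver" { driver = $2 }
        $1 == "priority" && name == "aes" { print driver, $2 }
    ' "${1:-/proc/crypto}" | sort -k2,2nr
}

# aes_accel_status [CPUINFO] [CRYPTO]: print a one-word verdict.
aes_accel_status() {
    if ! has_cpu_flag aes "${1:-/proc/cpuinfo}"; then
        echo "no-cpu-flag"; return 1    # CPU model hides AES-NI from the guest
    fi
    best=$(aes_drivers "${2:-/proc/crypto}" | head -n 1 | cut -d' ' -f1)
    case $best in
        *aesni*) echo "accelerated" ;;
        *)       echo "software-only"; return 1 ;;  # flag seen, no AES-NI driver
    esac
}

# Constructed sample input (not captured from a real system).
sample_cpuinfo_host()   { printf 'processor\t: 0\nflags\t\t: fpu sse2 pclmulqdq aes avx\n'; }
sample_cpuinfo_masked() { printf 'processor\t: 0\nflags\t\t: fpu sse2 vaes_like\n'; }
sample_crypto() {
    printf 'name         : aes\ndriver       : aes-generic\npriority     : 100\n\n'
    printf 'name         : aes\ndriver       : aes-aesni\npriority     : 300\n\n'
}

# "sh thisfile --live" checks the machine it runs on.
if [ "${1:-}" = "--live" ]; then aes_accel_status; fi
```

A `no-cpu-flag` result points at the VM's CPU type; `software-only` means the flag is visible but no AES-NI driver is registered in the guest kernel.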
 
