Linux IPSec hardware acceleration in VM?

alexc

Renowned Member
Apr 13, 2015
138
4
83
I need to set up VM to be used as router which will also do IPSec encryption. Since new CPUs are all crypto acceleration capable, I really wonder which is the best VM hardware I should choose to have it employed.
I suspect I’ll set up CPU of “host” type, but what about VM NICs? If virtio NIC supports that?

Plan to use 18.04 or 20.04 Ubuntu or, if you recommends, Debian 10. Should I also use newer kernel (ML or LT brance instead of the OS supplied one)?

To be exact, I only have 1Gb on WAN link but I really need lower delays.
 
CPU of type host is, as you suspected, the most suitable one. If you have NICs available that can be used purely for that VM, you could pass them through as PCI devices and have direct access. Otherwise, use VirtIO NICs as they have the least overhead. Stuff like hardware offloading needs to be disabled though.
 
Stuff like hardware offloading needs to be disabled though.
Sounds like I have no chance to use CPU assisted hardware crypto acceleration? Maybe Intel type NIC may help?
Sad to know we all have quite capable CPUs nowadays and still stick with software crypto.
And no, I can not bind physical NIC to this VM only.
 
Hardware offloading was meant regarding the NICs. AES and other features of the CPU will be used if you set it to host.

And no, the Intel NIC will emulate an old Intel e1000 NIC to the VM which is slower than the Virtio NIC which is a very thin layer.
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!