[Swan] scaling IPsec throughput with CPUs

Antony Antony antony at phenome.org
Sun Nov 24 06:30:37 UTC 2019

Libreswan developers and Linux kernel developers are working together to 
improve the IPsec throughput using CPU (to encrypt and decrypt). Initial 
results are ~15 Gbps and ~5-6 Gbps per flow, using up to 3 CPU cores.

So far the idea looks promising. It seems to scale with the number of CPUs. With 
faster flows, cache misses appear to be the biggest slowdown factor.

At the last couple of IETF hackathons we hacked on this. Now it is ready for 
very early testers. The details can be found at 

We are still working on it, so there are no concrete plans to merge the code 
yet. Both the Linux kernel XFRM changes and the related Libreswan changes need more 
work, such as support for rekey (kernel) and libreswan auto=route.

However, if you are looking for this kind of IPsec scalability and are able to 
test it, please do. I would be happy to help. Also, more testing and feedback 
would drive us to get this merged sooner rather than later.

