10G Linux VPN performance

Question

I have a Linux box wich has several 10 Gbe interfaces. What I want is to make a crypto-tunnel that has an ability to process 10 Gbit/s traffic as well as 10 Gbit/s router/firewall. There are some ways to achieve this but as I see it all the ways are brings to user-space or kernel-space processing.

As for the user-space solution, I suppose TUN/TAP device. But my experiments shows me that single TUN-device has performance limit at 1 Gbit/s boundary. I try some kind of TUN's aggregation and it gives me about 3.5 Gbit/s on 8xCPU XEON configuration (w/o encryption thought)

As for the kernel-space solution, I suppose that it might be faster than user-space, but it has another degree of complexity....

Has anyone has knowledge of how to make 10th Gbit/s Linux-based VPN solution?

UPD #1

Software solution wanted

Answer 1

TOE (TCP Offload Engine) is both your friend and enemy here.

TOE is the network card equivalent of a GPU from a graphic card along with something like DMA (Direct Memory Access) used by old style hard drive controllers. It allows for offloading the work of the TCP/IP stack to the NIC instead of running it through motherboard front side bus and CPU which are bottle necks for data being processed at this speed.

In order for what you are asking to work you will need your 10Gbps cards to have TOE (hardware acceleration) enabled in the OS and drivers. I worked on a project similar to this using a Cisco Nexus switch and some $5500 NIC cards about three years ago so I'm a little out of date on the technology. I'm betting things have moved along and costs gone down.

If you have already solved the TOE issue, then ignore my response.