Hello!
We're currently testing the following scenario:
Two offices (with multiple VLANs) connected via an L2 10Gig connection which we don't necessarily trust. Therefore we'd like to encrypt the traffic passing through, and have configured EoIP on it. Everything seems to be working in general, but the performance is as follows:
a) IPsec secret enabled (no FastPath possible): ~500Mbps, CPU 8 at 100%, other CPUs basically doing nothing
b) no IPsec secret (FastPath allowed): ~750Mbps, CPU 8 again at 100%, all the rest idling
c) no IPsec secret (FastPath allowed), disabled firewall connection tracking: ~800Mbps, CPU 8 again at 100%, all the rest idling
The configuration itself is as minimal as we could make it: a bridge interface with two ports, the EoIP and the local side (in this case a bonding interface consisting of two 10Gig ports), no CPU interface.
Is it possible to split the workload across multiple CPUs? We tried to create multiple EoIP tunnels thinking that maybe the encryption is the biggest showstopper here, but that just split the available bandwidth between the tunnels.