2.4.1. Customizing the fast path configuration

The fast path is the Turbo IPsec component in charge of packet processing.

By default, the fast path:

  • runs on all the logical cores of the machine except the first one, which is reserved for Linux,
  • does not take control of any physical ports.

For specific needs, the fast path configuration can be customized through the configuration wizard.

Fast path configuration customization allows to change:

  • Fast path capabilities
  • Ethernet NICs managed by fast path
  • The cores running fast path
  • Crypto acceleration

Stopping Turbo IPsec services

Before customizing the configuration, login as root (password 6windos) and make sure that Turbo IPsec services are stopped.

# systemctl stop turbo

Using the fast path configuration wizard

To customize the fast path using the interactive wizard:

# fast-path.sh config -i

Fast path configuration

1 - Select fast path ports and polling cores
2 - Select a hardware crypto accelerator
3 - Advanced configuration
4 - Advanced plugin configuration
5 - Display configuration

S - Save configuration and exit
Q - Quit

Enter selection [S]:

The option 1 - Select fast path ports and polling cores takes care of the mandatory fast path configuration, which comprises:

Core allocation
The fast path needs dedicated cores that are isolated from other Linux tasks.
Physical port assignation
The fast path must have full control over a network port to provide acceleration on this port. At fast path start, a DPVI will replace each Linux interface associated to a fast path port. The new interface has the same name as the old interface. The configuration that was done on the old interface is lost (IP addresses, MTU, routes, etc).
Core to port mapping

The fast path cores’ main task is to check if packets are available on a port, and process these packets. In most use cases, good performance is obtained with the default configuration: all cores poll all ports of the same socket.


The ports assigned to the fast path using the wizard must also be assigned in the CLI, as described in the configuring the fast path section.

The option 2 - Select a hardware crypto accelerator allows to select the crypto acceleration type.

Crypto acceleration selection

By default, the fastest software method is used:

  • Intel Multi-Buffer for software crypto acceleration using AES-NI if available
  • Or generic software crypto implementation

The following hardware crypto engine may also be activated in the menu:

  • Intel Coleto Creek for hardware crypto acceleration using Intel Communications Chipset 895x Series, 8925 or 8926 (Coleto Creek)

In 3 - Advanced configuration, the following parameters can be customized:

fast path memory allocation (FP_MEMORY)

The fast path needs dedicated memory. The fast path dedicated memory is allocated in hugepages.


A hugepage is a page that addresses more memory than the usual 4KB. Accessing a hugepage is more efficient than accessing a regular memory page. Its default size is 2MB.

Mbuf pool preallocation
The network packets manipulated by the fast path are stored in buffers named mbufs. A mbuf pool is allocated at fast path start.

The option S - Save configuration and exit writes the configuration file to /etc/fast-path.env.


Once the fast path configuration is complete, reboot to take your modifications into account and start Turbo IPsec services:

# reboot