Distributed IPsec gateway
US-2020351254-A1 · Nov 5, 2020 · US
US11336629B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11336629-B2 |
| Application number | US-202016802580-A |
| Country | US |
| Kind code | B2 |
| Filing date | Feb 27, 2020 |
| Priority date | Nov 5, 2019 |
| Publication date | May 17, 2022 |
| Grant date | May 17, 2022 |
Abstract
Certain embodiments described herein are generally directed to systems and methods for deterministic load balancing of processing encapsulated encrypted data packets at a destination tunnel endpoint. For example, certain embodiments described herein relate to configuring a destination tunnel endpoint (TEP) with an encapsulating security payload (ESP) receive side scaling (RSS) mode to assign each incoming packet, received from a certain source endpoint (EP), to a certain RSS queue based on an identifier that is encoded in the SPI value included in the packet.
Claims
What is claimed is:

1. A method for deterministic load balancing of processing received encapsulated encrypted data packets at a destination tunnel endpoint (TEP), comprising: engaging in a tunnel creation according to a security protocol with a source TEP for encrypting data packets communicated between a source endpoint and a destination endpoint; selecting a central processing unit (CPU) from a plurality of CPUs of the destination TEP using a CPU selection function, the selected CPU being selected to process packets communicated over the tunnel from the source TEP to the destination TEP; determining a receive side scaling (RSS) queue number associated with an RSS queue associated with a CPU core identifier (ID) of the selected CPU; generating a security parameter index (SPI) value including the RSS queue number; indicating the SPI value to the source TEP; establishing an in-bound security association with the source TEP using the SPI value; receiving an encrypted packet from the source TEP, wherein: the encrypted packet is encrypted by the source TEP based on the in-bound security association; and the encrypted packet includes the SPI value; retrieving the encrypted packet from the RSS queue having the RSS queue number; and processing the encrypted packet using the selected CPU.
2. The method of claim 1, wherein the CPU selection function uses a CPU utilization level of each of the plurality of CPUs as input.
3. The method of claim 1, wherein the CPU selection function uses a security association count of each of the plurality of CPUs as input.
4. The method of claim 1, wherein the CPU selection function uses a round-robin algorithm.
5. The method of claim 1, wherein the RSS queue number is a first number of bits of the SPI value, and wherein remaining bits of the SPI value represent a value.
6. The method of claim 1, wherein generating the SPI value further comprises: generating a second SPI value; and replacing a number of bits in the second SPI value with bits of the RSS queue number to generate the SPI value.
7. The method of claim 1, wherein receiving the encrypted packet from the source TEP comprises: receiving the encrypted packet using a virtual network interface card (VNIC), the encrypted data packet comprising a first header and an encrypted payload, the first header comprising a source IP address of the source TEP, a destination IP address of the destination TEP, and the SPI value corresponding to the in-bound security association, the encrypted payload comprising a second header comprising a source IP address of the source endpoint and a destination IP address of the destination endpoint; determining, at the VNIC, that the encrypted packet is an encapsulating security payload (ESP) encrypted packet; determining, at the VNIC, that the encrypted packet is associated with the RSS queue based on the RSS queue number identifier; and using, at the VNIC, an ESP RSS mode of the VNIC to store the encrypted packet in the RSS queue based on the RSS queue number.
8. A computer system, comprising: a memory comprising executable instructions; and a processor in data communication with the memory and configured to execute the instructions to cause the computer system to perform operations including: engaging in a tunnel creation according to a security protocol with a source tunnel endpoint (TEP) for encrypting data packets communicated between a source endpoint and a destination endpoint; selecting a central processing unit (CPU) from a plurality of CPUs of a destination TEP using a CPU selection function, the selected CPU being selected to process packets communicated over the tunnel from the source TEP to the destination TEP; determining a receive side scaling (RSS) queue number associated with an RSS queue associated with a CPU core identifier (ID) of the selected CPU; generating a security parameter index (SPI) value including the RSS queue number; indicating the SPI value to the source TEP; establishing an in-bound security association with the source TEP using the SPI value; receiving an encrypted packet from the source TEP, wherein: the encrypted packet is encrypted by the source TEP based on the in-bound security association; and the encrypted packet includes the SPI value; retrieving the encrypted packet from the RSS queue having the RSS queue number; and processing the encrypted packet using the selected CPU.
9. The computer system of claim 8, wherein the CPU selection function uses a CPU utilization level of each of the plurality of CPUs as input.
10. The computer system of claim 8, wherein the CPU selection function uses a security association count of each of the plurality of CPUs as input.
11. The computer system of claim 8, wherein the CPU selection function uses a round-robin algorithm.
12. The computer system of claim 8, wherein the RSS queue number is a first number of bits of the SPI value, and wherein remaining bits of the SPI value represent a value.
13. The computer system of claim 8, wherein generating the SPI value further comprises: generating a second SPI value; and replacing a number of bits in the second SPI value with bits of the RSS queue number to generate the SPI value.
14. The computer system of claim 8, wherein receiving the encrypted packet from the source TEP comprises: receiving, at the destination TEP, the encrypted packet using a virtual network interface card (VNIC), the encrypted data packet comprising a first header and an encrypted payload, the first header comprising a source IP address of the source TEP, a destination IP address of the destination TEP, and the SPI value corresponding to the in-bound security association, the encrypted payload comprising a second header comprising a source IP address of the source endpoint and a destination IP address of the destination endpoint; determining, at the VNIC of the destination TEP, that the encrypted packet is an encapsulating security payload (ESP) encrypted packet; determining, at the VNIC of the destination TEP, that the encrypted packet is associated with the RSS queue based on the RSS queue number; and using, at the VNIC, an ESP RSS mode of the VNIC to store the encrypted packet in the RSS queue based on the RSS queue number.
15. A non-transitory computer readable medium having instructions stored thereon that, when executed by a computer system, cause the computer system to perform operations comprising: engaging in a tunnel creation according to a security protocol with a source tunnel endpoint (TEP) for encrypting data packets communicated between a source endpoint and a destination endpoint; selecting a central processing unit (CPU) from a plurality of CPUs of a destination TEP using a CPU selection function, the selected CPU being selected to process packets communicated over the tunnel from the source TEP to the destination TEP; determining a receive side scaling (RSS) queue number associated with an RSS queue associated with a CPU core identifier (ID) of the selected CPU; generating a security parameter index (SPI) value including the RSS queue number; indicating the SPI value to the source TEP; establishing an in-bound security association with the source TEP using the SPI value; receiving an encrypted packet from the source TEP, wherein: the encrypted packet is encrypted by the source TEP based on the in-bound security association; and the encrypted packet includes the SPI value; retrieving the encrypted packet from the RSS queue having the RSS queue number; and processing the encrypted packet using the selected CPU.
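The SPI construction of claims 5 and 6 and the VNIC-side ESP steering of claim 7, worked through as an added Python example that is not code from the patent or its assignee. It assumes a constructed layout (4 queue bits at the top of the 32-bit SPI) and hand-built outer IPv4/ESP packets; the reserved-range check comes from RFC 4303, not from the patent.

```python
import os
import socket
import struct

# Constructed layout for this example (the patent fixes no bit widths): the first
# 4 bits of the 32-bit SPI carry the RSS queue number, leaving room for 16 queues.
QUEUE_BITS = 4
RANDOM_BITS = 32 - QUEUE_BITS
RANDOM_MASK = (1 << RANDOM_BITS) - 1
IPPROTO_ESP = 50


def make_spi(queue_number, random_part=None):
    """Claims 5/6: draw a random SPI, then overwrite its leading QUEUE_BITS bits
    with the RSS queue number. RFC 4303 reserves SPI values 0-255, so a result
    in that range is redrawn (random case) or rejected (caller-supplied case)."""
    if not 0 <= queue_number < (1 << QUEUE_BITS):
        raise ValueError("queue number does not fit in %d bits" % QUEUE_BITS)
    while True:
        r = random_part if random_part is not None else int.from_bytes(os.urandom(4), "big")
        spi = (queue_number << RANDOM_BITS) | (r & RANDOM_MASK)
        if spi > 255:
            return spi
        if random_part is not None:
            raise ValueError("SPI 0x%08x lies in the reserved range 0-255" % spi)

def queue_from_spi(spi):
    """Recover the RSS queue number from the leading bits of a received SPI."""
    return (spi >> RANDOM_BITS) & ((1 << QUEUE_BITS) - 1)

def build_esp_packet(src_tep, dst_tep, spi, seq, encrypted_payload):
    """Constructed outer IPv4 + ESP packet (IP checksum left zero; never validated here)."""
    total_len = 20 + 8 + len(encrypted_payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, IPPROTO_ESP, 0,
                     socket.inet_aton(src_tep), socket.inet_aton(dst_tep))
    return ip + struct.pack("!II", spi, seq) + encrypted_payload

def classify_packet(packet):
    """Claim 7, VNIC side: if the outer IPv4 header says ESP, steer by the queue bits
    of the SPI; otherwise return None so the packet takes the ordinary RSS hash path.
    Only the cleartext outer header is read; the payload stays encrypted."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_ESP or len(packet) < ihl + 8:
        return None
    spi, _seq = struct.unpack("!II", packet[ihl:ihl + 8])
    return queue_from_spi(spi)
```

Because the SPI travels in cleartext, the queue bits are only a steering hint: the receiving TEP still looks up the full SPI against its established inbound SA before decryption and anti-replay processing, so a packet with an unknown SPI is discarded rather than merely queued.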
CPC classification titles:

- Networking architectures for enhanced packet encryption processing, e.g. offloading of IPsec packet processing or efficient security association look-up
- Address processing for routing
- at the network layer
- Parsing or analysis of headers
- Virtual private networks