Scaling gateway to gateway traffic using flow hash

We claim: 1. A method of configuring a first computing device to assign different processing units to use different encryption-secured tunnels to transmit data messages requiring encryption, the method comprising: associating a virtual tunnel interface (VTI) to each of a plurality of encryption-secured tunnels between a set of interfaces of first and second computers, wherein each encryption-secured tunnel specifies an encryption policy, the encryption policy specifying a key value associated with the encryption-secured tunnel's associated VTI; assigning a private network address to each VTI; for each processing unit, ( 1 ) creating a rule for a desired encryption policy in a network address rule table that identifies a routing lookup table to use for data messages matching a network-address-based rule and ( 2 ) creating a custom routing lookup table that identifies the private network address of at least one VTI as a next hop for a data message matching the network-address-based rule that points to the custom routing lookup table, wherein the network address rule table and the custom routing lookup table are used to select an encryption-based tunnel to transmit a data message requiring encryption. 2. The method of claim 1 , wherein for each particular network-address-based rule, each processing unit identifies in its custom routing table a different, non-overlapping set of VTIs. 3. The method of claim 2 , wherein selecting an encryption-based tunnel to transmit the data message requiring encryption is based on the VTI identified using the custom routing lookup table. 4. The method of claim 1 , wherein a data message which has a next hop identified as a private network address of the VTI is marked with a key value associated with the VTI. 5. The method of claim 4 , wherein the data message marked with the key value is compared to the encryption policies of the encryption-secured tunnels to select the encryption-secured tunnel that applies to the data message's attributes. 6. The method of claim 1 , wherein the first computer implements a first gateway of a first network in a first datacenter. 7. The method of claim 6 , wherein the second computer implements a second gateway of a second network in a second datacenter. 8. The method of claim 1 , wherein the tunnels are IPsec (Internet protocol security) tunnels. 9. A method of configuring a first computing device to assign different processing units to use different encryption-secured tunnels to transmit data messages requiring encryption, the method comprising: associating a virtual tunnel interface (VTI) to each of a plurality of encryption-secured tunnels between a set of interfaces of first and second computers; assigning a private network address to each VTI; for each processing unit, (1) creating a rule for a desired encryption policy in a network address rule table that identifies a routing lookup table to use for data messages matching a network-address-based rule and (2) creating a custom routing lookup table that identifies the private network address of at least one VTI as a next hop for a data message matching the network-address-based rule that points to the custom routing lookup table, wherein the number of VTIs is based on at least one of the number of interfaces of the first computing device used to establish the plurality of encryption-secured tunnels and the number of processors of the first computing device, wherein the network address rule table and the custom routing lookup table are used to select an encryption-based tunnel to transmit a data message requiring encryption. 10. A non-transitory machine readable medium storing a program which when executed by at least one processing unit configures a first computing device to assign different processing units to use different encryption-secured tunnels to transmit data messages requiring encryption, the program comprising sets of instructions for: associating a virtual tunnel interface (VTI) to each of a plurality of encryption-secured tunnels between a set of interfaces of first and second computers, wherein each encryption-secured tunnel specifies an encryption policy, the encryption policy specifying a key value associated with the encryption-secured tunnel's associated VTI; assigning a private network address to each VTI; for each processing unit, (1) creating a rule for a desired encryption policy in a network address rule table that identifies a routing lookup table to use for data messages matching a network-address-based rule and (2) creating a custom routing lookup table that identifies the private network address of at least one VTI as a next hop for a data message matching the network-address-based rule that points to the custom routing lookup table, wherein the network address rule table and the custom routing lookup table are used to select an encryption-based tunnel to transmit a data message requiring encryption. 11. The non-transitory machine readable medium of claim 10 , wherein for each particular network-address-based rule, each processing unit identifies in its custom routing table a different, non-overlapping set of VTIs. 12. The non-transitory machine readable medium of claim 11 , wherein the set of instructions for selecting an encryption-based tunnel to transmit the data message requiring encryption is based on the VTI identified using the custom routing lookup table. 13. The non-transitory machine readable medium of claim 10 , wherein a data message which has a next hop identified as a private network address of the VTI is marked with a key value associated with the VTI. 14. The non-transitory machine readable medium of claim 13 , wherein the data message marked with the key value is compared to the encryption policies of the encryption-secured tunnels to select the encryption-secured tunnel that applies to the data message's attributes. 15. The non-transitory machine readable medium of claim 10 , wherein the first computer implements a first gateway of a first network in a first datacenter. 16. The non-transitory machine readable medium of claim 15 , wherein the second computer implements a second gateway of a second network in a second datacenter. 17. The non-transitory machine readable medium of claim 10 , wherein the tunnels are IPsec (Internet protocol security) tunnels. 18. A non-transitory machine readable medium storing a program which when executed by at least one processing unit configures a first computing device to assign different processing units to use different encryption-secured tunnels to transmit data messages requiring encryption, the program comprising sets of instructions for: associating a virtual tunnel interface (VTI) to each of a plurality of encryption-secured tunnels between a set of interfaces of first and second computers; assigning a private network address to each VTI; for each processing unit, (1) creating a rule for a desired encryption policy in a network address rule table that identifies a routing lookup table to use for data messages matching a network-address-based rule and (2) creating a custom routing lookup table that identifies the private network address of at least one VTI as a next hop for a data message matching the network-address-based rule that points to the custom routing lookup table, wherein the number of VTIs is based on at least one of the number of interfaces of the first computing device used to establish the plurality of encryption-secured tunnels and the number of processors of the first computing device, wherein the network address rule table and the