The KLIPS1 ipsecX devices are never busy. They therefore can not be equalized using this scheduler.
The virtual devices could use the tbusy mechanism. To be able to do this, the MAST device will have to be given a clear amount of resources on a per-virtual device basis. As the limit to throughput will be the lesser of encryption throughput and physical device throughput, once the buffers are full, the virtual device can raise the tbusy flag.
For this to be useful, the paths to the remote host must be different. Specifically, the outer destination address must in some way be different. If there are simply two physical ways to get to the same destination address then standard load-balancing would work once the MAST devices have processed the cleartext.
The use of the tbusy feature is not considered to contribute strongly towards Opportunistic Encryption. The creation of the MAST device is however critical.