Best encryption method for 10gbps Point to Point Leased Line

dalemcdonald · March 11, 2026, 9:12pm

We have a 10gbps Point to Point Leased Line with Openreach.

We are wanting to create a VPN / Encrypted line between both endpoints and so we got some CCR2116-12G-4S+ routers on each end.

I have tried with IPSec and also Wireguard

It is configured so SFP port 1 is the P2P link to the ADVA on each device with an IP set similar to 10.255.255.1/30 and 10.255.255.2/30.

Then i have bridged the other SFP ports together.

IPsec throughput seems to cap at around 1.25gbps

Wireguard reaches just over 2gbps

Is there a better option that can be used for these routers as i had a conversation on ChatGPT and it suggested we could achieve speeds of around 6-7gbps over wireguard.

We are wanting an option to get as close

The P2P line is fine and the Mikrotiks can communicate at 10gbps but the data isn’t encrypted and is confidential data.

sukram · March 11, 2026, 9:40pm

Set Up each side with ADVA/Adtran FSP3000 with 9TCE-PCN- 10GU+AES10G will do Linespeed. But costs a fortune.

Did you use only a single tunnel at a time? This will probably use only one CPU Core and Limit you to the “Single Tunnel” Speeds mentioned in the Performance Table: https://mikrotik.com/product/ccr2116_12g_4splus

dalemcdonald · March 12, 2026, 6:07am

I’m currently using Wireguard and i have 6 seperate tunnels setup and then added routes for each tunnel and IP address

increasing the tunnels to 6 has increased the line speed to around 3.5gbps

but would you suggest IPSec with aes 128 and hardware acceleration would be faster?

I’m new to Mikrotik and so all this is a learning curve for me currently

mkx · March 12, 2026, 6:26am

See my reply in the other topic you opened: Best encryption method for 10gbps P2P Leased Line - #3 by mkx

BartoszP · March 12, 2026, 9:07am

Closing topic as it's a duplicate. Please follow the mkx's link.