EoIP over IPSec performance

Hello,

I need to push about 4 Gbit/s of traffic through the EoIP tunnel with IPsec encryption. Does anyone know if any CCR or CRS will do the job?

Regards,

A CRS will not. See the test results on the product page for what the CCRs can do. Looks like none of them can handle 4 Gbit/s in a single tunnel; possibly a bond of four tunnels may work.
https://mikrotik.com/product/CCR1016-12G#fndtn-testresults

It would have to be at least four independent IPsec SA pairs, each carrying one EoIP, and the EoIP would have to be bonded together - clearly a voucher for a headache. Even worse, if independence of the SA pairs is not enough and you need 4 independent IPsec “sessions”, building them between just two public IP addresses is almost mission impossible.

If you want to give it a try, create two private local addresses at one of the devices, and use one tunnel policy with level=unique for each of these addresses at each end, using a common IPsec “session”. Then each EoIP tunnel would use another one of these two addresses at that end. This should make it possible for the CCR to handle the cryptography for each pair of SAs by another core, and if it works, you can scale the solution to four tunnels.

However, I’m afraid the overhead of IPsec and of EoIP will eat so much of the throughput that even if you identify and eliminate all sources of fragmentation, you’ll end up with 3.5 Gbit/s or even less.
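
The framing overhead mentioned in the last reply can be put into numbers. The following is an added example, not part of the original posts: it counts per-packet bytes for EoIP carried in ESP tunnel mode and finds the largest inner IP packet that avoids fragmentation. The IPv4 transport, the three cipher suites, the 1500-byte WAN MTU and the 42-byte EoIP overhead are assumptions, and CPU cost of the cryptography is not modelled.

```python
"""Framing overhead of EoIP inside ESP tunnel mode (IPv4). Added example; all sizes in bytes."""
from dataclasses import dataclass

IP_HDR = 20       # IPv4 header without options
ESP_HDR = 8       # SPI + sequence number
ESP_TRAILER = 2   # pad-length + next-header bytes
EOIP_HDR = 8      # GRE-style EoIP header
ETH_HDR = 14      # inner Ethernet header carried by EoIP (no FCS)
NAT_T_UDP = 8     # UDP encapsulation, only when NAT traversal is in use


@dataclass(frozen=True)
class Suite:
    name: str
    iv: int      # IV bytes sent with every packet
    block: int   # padding alignment
    icv: int     # integrity check value length


# Assumed suites for illustration; pick the one your proposal actually negotiates.
CBC_SHA1 = Suite("aes-cbc + hmac-sha1-96", 16, 16, 12)
CBC_SHA256 = Suite("aes-cbc + hmac-sha256-128", 16, 16, 16)
GCM = Suite("aes-gcm (16-byte ICV)", 8, 4, 16)


def eoip_len(inner_ip_len):
    """Size of the EoIP packet (outer IP + EoIP + Ethernet) carrying one inner IP packet."""
    return IP_HDR + EOIP_HDR + ETH_HDR + inner_ip_len


def esp_outer_len(inner_ip_len, suite, nat_t=False):
    """Size of the ESP tunnel-mode packet that leaves the WAN interface."""
    plaintext = eoip_len(inner_ip_len) + ESP_TRAILER
    padded = -(-plaintext // suite.block) * suite.block  # round up to the alignment
    return IP_HDR + (NAT_T_UDP if nat_t else 0) + ESP_HDR + suite.iv + padded + suite.icv


def max_inner_ip(wan_mtu, suite, nat_t=False):
    """Largest inner IP packet whose encrypted form still fits in wan_mtu."""
    for size in range(wan_mtu, 0, -1):
        if esp_outer_len(size, suite, nat_t) <= wan_mtu:
            return size
    return 0


def efficiency(inner_ip_len, suite, nat_t=False):
    """Fraction of WAN bytes (at the IP layer) that are inner IP packet bytes."""
    return inner_ip_len / esp_outer_len(inner_ip_len, suite, nat_t)


if __name__ == "__main__":
    for s in (CBC_SHA1, CBC_SHA256, GCM):
        fit = max_inner_ip(1500, s)
        print(f"{s.name}: 1500 -> {esp_outer_len(1500, s)} B outer; max unfragmented inner {fit} B ({efficiency(fit, s):.1%})")
```

Under these assumptions a full 1500-byte inner packet never fits a 1500-byte WAN MTU, so the inner MTU or TCP MSS has to be lowered to keep the tunnel free of fragmentation.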