IPsec performance of various models

I’m sure this has been asked before, but I’m having trouble digging through all the posts to find a definitive answer. I’m looking for typical IPsec throughput figures for RB2011, RB1100, CCR1009, and CCR1016. I’m looking to set up multiple remote locations with persistent tunnels back to a central office and I want to make sure I’m sizing the hardware appropriately for the available bandwidth at each site.

Thanks!

Depends on the type of tunnel… and encryption settings. Under optimal real-world conditions:

Single tunnel site to site… tcp nat’d/tunnel mode or ipip over ipsec/transport mode:

2011= 20Mbps …give or take
850= 40-50Mbps
1100= 400Mbps
CCR Series = 150Mbps

I have never benchmarked eoip/gre etc., but I would expect slightly lower numbers.

Software updates in the future could lead to better CCR single tunnel tcp performance, but it could be a while.

A future revision of the 850 “might” have ipsec hardware acceleration, which “could” provide between 2-3x throughput.

With a ‘normal’ natt’d setup with 15 or so filter rules I have seen:
2011, 951, CRS etc all at 20-25 Mbps
rb1100ahx2 - 500-600Mbps (have a site with just routing + single ipsec transport tunnel using aes and that reached 800Mbps before performance impact)

I would recommend the RB1100 for most activities, depending on what sort of throughput you’re chasing. They are somewhat affordable and have impressive performance.

Why is the CCR so slow? Does the CCR not have hardware encryption?

With the latest RC there are no problems forwarding ~700Mbps TCP over a single tunnel on CCRs, and a max of 3.4Gbps UDP on the 34 core router.

Which encryption settings have hardware support?

AES CBC

Why only AES-CBC mode, rather than AES-GCM mode?
http://en.wikipedia.org/wiki/GCM_mode
GCM can take full advantage of parallel processing, and an implementation can make efficient use of an instruction pipeline or a hardware pipeline. In contrast, the CBC mode of operation incurs significant pipeline stalls that hamper its efficiency and performance.

Currently the HW driver does not support GCM, but that may change in the future.

Does this mean that there are some improvements in this area in the latest release? I did not see any mention of it in the changelog, which is why I am asking. Does it scale proportionally to the number of cores? For example: will a 16 core CCR forward ~300Mbps TCP over a single tunnel?

So, I’m planning on running a CCR at the central office, probably just a 1009, as 150 Mbps per tunnel would be enough. So the next question is, what kind of CPU utilization are we looking at for 1 tunnel, 2 tun, 3 tun, etc.?

Would IPsec be the least impactful of the supported VPN technologies, or would SSTP or another type provide similar/better throughput at the same/less CPU utilization?