IPSEC very SLOW on router boards? High CPU

Good Afternoon all,

We have a situation where we basically have a customer with 100/50 Mbps fiber at two locations and we are connecting the two sites via an IPSEC VPN. At one site we have a Cyberoam 35 (capable of 200 Mbps via VPN). When I have tried a Cyberoam at each end we have had no issues with getting almost full bandwidth from the VPN.

When I replaced one end with a routerboard is where the issues started. So I got the VPN up and passing traffic with no issues. The VPN is 3DES, SHA and DH2 (standard settings)…

The issue is that via the IPSEC VPN I can only get 1 to 2 MB/s (8 - 16 Mbps). I have tried various things including disabling PFS and setting the MSS on the RB, but same thing. I have tried 2 different RBs (951G and 2011) with the same issue. I can see the CPU goes high when I load the VPN up and the process driving it high is “encryption” …

If I try the same file transfer not via the VPN, but via NAT (FTP transfer), I get around 5 MB/s or 40 Mbps.

Any ideas??

Logical Solutions, NZ
http://www.logicalsolutions.co.nz

Hi,

You’ll only get that level of performance with routerboards with a hardware encryption engine, like the old RB1000 or the new 1100AHx2. I don’t know if other models are equipped with it too.

As a reference with RB450G I get no more than 23Mbps (with a few firewall/nat rules and routing enabled).

Regards

That Cyberoam 35 price range is quite different. Like “Leonset” wrote, you should compare it to RB1100AHx2, which is in the same league (and still is much cheaper). RB1100AHx2 has HW acceleration for IPsec, and can get over 500Mbit IPSec throughput.

Normis,

Does the tile series (CCR1036) also have hardware accelerated ipsec?

It has IPsec acceleration in hardware, but we have not yet implemented the software driver for it; it will be added via software update in the next few weeks.

3DES is the slowest encryption algorithm and still not secure. Change it to AES128 or Blowfish (if supported by the other end). Please post your results after this change.
Example of speed comparison:
AES_Blowfish_3DES.jpg
Table shows AES 256, thus AES 128 should have even better performance and is far more secure than 3DES.
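For anyone wanting to try the cipher change suggested above on the RB itself, here is an added example (not posted by anyone in this thread, and not MikroTik's own documentation) showing the weak proposal beside the corrected one in RouterOS v6 CLI syntax. It assumes the proposal is the built-in one named "default" and that the other end is reconfigured to offer the same algorithms; the peer address is not needed because only the proposal changes.

```routeros
# Added example, not from the thread. RouterOS v6 syntax is assumed.
# Before: the settings the original poster described (3DES, SHA1, DH group 2 = modp1024).
# 3DES is the most expensive of the common ciphers in software and is deprecated.
/ip ipsec proposal set default auth-algorithms=sha1 enc-algorithms=3des pfs-group=modp1024

# After: AES-128-CBC with the same integrity and PFS settings.
# Far cheaper per packet on a CPU without a crypto engine, and not deprecated.
/ip ipsec proposal set default auth-algorithms=sha1 enc-algorithms=aes-128-cbc pfs-group=modp1024

# Check what was actually negotiated; if the peer only offers 3DES the SA will
# still come up with 3DES (or not at all), so verify rather than assume.
/ip ipsec installed-sa print

# Watch CPU by category while a transfer is running; the "encrypting" line is
# the one that should drop after the change.
/tool profile duration=10
```

The proposal change only takes effect for new SAs, so drop the existing tunnel (or wait for rekey) before re-measuring, and repeat the same FTP transfer used for the NAT baseline so the before/after numbers are comparable.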

That table belongs to the performance of some routerboard model?

No. It’s just an example (found on the internet) to show differences in performance. There are a lot of sites comparing those algorithms. When @LogicalNZ posts his results we will have an answer to your question.