I need to interconnect approximately 50 sites with a central router via IPsec. Is it possible to end all tunnels on one MT router (Intel >2GHz)? Data flow (aggregation from all sites) is max. 10Mbps.
I have dropped 4 sites to one with an IPSEC tunnel (3Mb) pipe…
I was running a Xeon 2.8 (Ver 2.X ROS) so hyperthreading was NOT used.
Avg load looked something like this..
Link 1: 60 remote users via a 3Mb pipe from a remote office building.
Exchange, acctg app (term services).
Link 2: Remote office. 3Mb pipe
Link 3: NOC colo (Fax server, phone switch etc) Fract T1
Link 4: I ain't saying… 1.5Mb
Avg CPU load = 6% on a heavy link..
ONE NOTE OF CAUTION !!!
This will drive you NUTS and you can do little to fix it…
IPSEC is sensitive to the order in which packets arrive..
If you are dealing with more than 1 isp, and you have “bound” Ts from any given provider,
you will probably run into the issue of packets getting scattered about the internet and then reassembled at the dest. This will cause some packets to arrive “outside the replay window”.
This will force the packets to be resent. This problem can get so bad that the only practical way to deal with the problem is to reboot all the routers to get the “pathing” to settle down.
If you have only single Ts and they are from the same provider, you will be ok…
I had help with the 1st setup so this is one I can't just give the setup out…
Credit must be given when due…
Contact Butch Evans.. He set it up the first time for me… (I now know how it is done …)
If you need contact info, drop a message here and I will look it up…
OR.. he is probably lurking around and may reply himself…
Craig
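As an added illustration of the replay-window behaviour Craig describes (example code, not from the thread or from MikroTik), here is a simulation of the ESP anti-replay sliding window from RFC 4303 fed with packets split round-robin across two paths of different delay. The window size and the per-path delays are assumptions chosen for illustration.

```python
# Added example, not from the thread: simulation of the ESP anti-replay sliding
# window (RFC 4303, Appendix A). Window size and per-path delays are assumptions.

class ReplayWindow:
    """Receiver-side anti-replay state for one IPsec SA."""

    def __init__(self, size=64):
        self.size = size        # window width in packets (bits)
        self.highest = 0        # highest sequence number accepted so far
        self.bitmap = 0         # bit k set => sequence (highest - k) was seen
        self.counts = {"accepted": 0, "replayed": 0, "too_old": 0}

    def check(self, seq):
        """Classify ESP sequence number seq and update the window."""
        if seq > self.highest:                  # new right edge: slide window
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1                 # everything older falls out
            else:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.highest = seq
            result = "accepted"
        else:
            offset = self.highest - seq
            if offset >= self.size:
                result = "too_old"              # left of the window: dropped
            elif self.bitmap & (1 << offset):
                result = "replayed"             # duplicate: dropped
            else:
                self.bitmap |= 1 << offset      # late but inside the window
                result = "accepted"
        self.counts[result] += 1
        return result


def arrival_order(n, path_delays):
    """Send seq 1..n round-robin over paths with the given (constructed) one-way
    delays and return the order in which they reach the receiver."""
    sent = [(i + path_delays[i % len(path_delays)], i) for i in range(1, n + 1)]
    return [seq for _, seq in sorted(sent)]


def run(seqs, size=64):
    """Feed a sequence-number stream through one window; return the counters."""
    w = ReplayWindow(size)
    for s in seqs:
        w.check(s)
    return w.counts
```

With two bonded links where one path is 100 ms slower than the other, `run(arrival_order(1000, (0, 100)), size=64)` drops close to half of the packets on the slow path as too old, while a single path (or a window wider than the delay difference in packets) drops none.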
Might be a crazy question:
Is it feasible to do VPN or any other secure tunnel on a fast MT box at 1Gbps full duplex?
[edit] I mean a single pipe, encrypted. So each end has a router with 2x GigE ports, one for user traffic, the other for the encrypted link.
Or is that just too tough for a software-only MT router?
Regards