Looking at terminating approximately 600+ IPSEC tunnels to a centrally located RB1000U. With the IPSEC accelerator chip, it looks to be the best candidate. Each of the tunnels will carry some (doing IPSEC / Split) - but can’t speak to any traffic patterns at the moment.
With that, anyone out there that is using the RB1000U with that many IPSEC tunnels? I understand that the main thresholds will be based on traffic load, not necessarily number-count of these spokes.
Any gotchas or behaviors to be aware of? We are currently looking at the RB750G to be on the ends of these tunnels.
Biggest gotcha: This board is EOL and EOS since … about a year?
It will be incredibly hard to find one, if you don’t have it in your stockpile already.
If the version you are running uses a Linux kernel that has drivers for that crypto module then probably yes, but it’s still not guaranteed. You may want to confirm with support@mikrotik.com if you need an immediate answer, otherwise you are stuck waiting for someone with a working crypto module to find this thread and post an answer.
The IPsec subsystem gets unstable and crashes on a regular basis when you reach 100-120 tunnels, true for both RB1100 and PowerRouter 732 with RouterOS up to and including 4.11, haven’t tried ROS 5 yet, but since ‘nothing is changed unless it is stated in the change log’ then I see no need to. So stability will hit you long before any kind of hardware bottleneck.
Thanks. I was going to ask about the 1100; thanks for the heads up. I may need to terminate these IPSEC tunnels then on a different manufacturer. I have a spare Cisco ASA5520 that may do the job. But was hoping to stay MikroTik …