Looking for opinions on a good model that could handle 200 +/- IPSEC VPN tunnels back to it. Not too much constant traffic, mainly SNMP/management and the occasional VoIP call across the line. If we should want to go with more traffic at a later time, this should figure in.
A 1100AHx2 should do around 300 MBit of L2TP/IPSec with 200 clients.
If that is sufficient, get that.
Otherwise, get a CCR1009-8G-1S-1S+, it will give you redundant PSUs and about 3 GBit of IPSec.
No it won’t. Not until they can share connections amongst cores.
IPSec is hardware accelerated, has nothing to do with core sharing, since it's a dedicated HW acceleration mechanism.
This number is taken from MikroTik, it's not something I came up with.
Yes, and that number is valid. But l2tp or gre over ipsec breaks down that number. Throw in TCP connections and it is even lower. 3.5gbit goes down to 100mbit or less with TCP connections. Throw in multiple tunnels all sending data and it seems like it might be getting some kind of race condition with the encryption accelerator.
In a nutshell, it seems like if you have 1 interface hooked to an uplink and multiple ipsec/gre or l2tp connections on that uplink, those connections are all tied to one cpu core that has to handle the ethernet traffic, ipsec crypto, and l2tp/gre encapsulation/decapsulation. That is my hunch. Can't say for sure.