I am looking for a solution to meet a set of requirements, or close to it. I intend to have a hub router (something virtual), that customer spoke routers can connect to via IP tunnel and IPSEC encryption. At the moment im thinking i need to support 1gb of bandwidth total and allow varrying sizes of residential and business class cable/dsl connections to achieve close to their alloted bandwidth. I could have users with 300mbps cable connection, so I would want to get them as close to that 300mbps they can get nativley over the hub/spoke solution.

My current hub ive tested is CHR on an esxi host using 8 cpus and 2gb memory. My test spoke is a CCR1009-8G with a 300mbps cable connection. using IPIP and IPSEC (with the simplest encryption settings) I seem to only manage 150mbps or so. With just IPIP and no encryption i can get 200mbps or a little more.

So here I am asking what sort of virtual set up would i need to be able to handle 1gb of total bandwidth (aggregate from multiple spokes) using IPIP+IPSEC? What would I need to achieve a 300mbps throughput using a multithread TCP session?

I believe having IPIP+ipsec is not a very wise choice. if your clients need to establish site to site tunnel protocol and at the same time you need encryption i wiuld definitly recomment using IPSEC only. therefore IPIP is very overhead intensivr as it will encapsulates the ip packet in a whole new packet so it is using much more overhead than if you use IPSEC alone.

Sent from my SM-N910C using Tapatalk

I believe having IPIP+ipsec is not a very wise choice. if your clients need to establish site to site tunnel protocol and at the same time you need encryption i wiuld definitly recomment using IPSEC only. therefore IPIP is very overhead intensivr as it will encapsulates the ip packet in a whole new packet so it is using much more overhead than if you use IPSEC alone.

Sent from my SM-N910C using Tapatalk

I was wanting to use a routing protocol, which is why I had a tunnel. I may think of another way if no one things IPIP+IPSEC is doable at somewhat high speeds.

tried just plain ipsec tonight. its actually worse than just IPIP (no ipsec). Beginning to thing the CCR just can't handle encryption very well.

Dear Friend, I am sure it is not well configured as CCR are much more effective. Would you send me your export config in orther to troubleshoot your your scenario?



Sent from my SM-N910C using Tapatalk

the configs are pretty bare, hopefully i didn't miss anything.