Hello,

I try to compare and choose which cipher to use in hub-spoke OpenVPN scheme where 30-40 remote points (spokes) will connect to the single "center" point (hub).

The hub is CCR1009 device which is quite powerful and has hardware acceleration for AES, and the spokes are 951 and 2011 routers, which are sufficient for the task (not that huge bandwidth with very nice price and overall value). As far as I know, both 951 and 201 can't do any hardware acceleration for any cipher so I consider it to encrypt in pure software mode.

So my question is: which cipher is less CPU-intensive for 951 device, aes-128 or blowfish-128?

I do understand that CCR will process 40 VPNs easily despite the cipher I choose even with its CPU only, but I suspect I'd better be good on 951 CPU and to care for its load.

As far as I see on the internet, the aes-128 should be better choice for CPU-based crypto like in 951/2011. But then, I really wonder if the CCR will use its h/w acceleration for OpenVPN when I use it with aes-128, or this h/w acceleration is for ipsec only?

Thank you for the answer, I know this is kind of very beginning of VPN area but I'd really like to know and now to just guess!

i have not tested blowfish

i have tested aes-256, aes-128 and 3des on rb951g and hAP lite with ipsec, ipip over ipsec and eoip over ipsec.

openvpn not tested

the better performing was aes-128, second aes-256 and third 3des.

the better performing was aes-128, second aes-256 and third 3des.

Strange to know 3des is the slower, but nice to know that, especially for 951 which are not that hardware advanced when it comes to crypto.

What I do care for, how fast or slow crypto on openvpn vs ipsrc only.

Another question if the hardware accelerations are effective for openvpn as well or it is for ipsec only?

Too bad this questions are discussed in very a few line on the wiki and I suspect it is outdated info (at least for openvpn).

the better performing was aes-128, second aes-256 and third 3des.

Strange to know 3des is the slower, but nice to know that, especially for 951 which are not that hardware advanced when it comes to crypto.

What I do care for, how fast or slow crypto on openvpn vs ipsrc only.

Another question if the hardware accelerations are effective for openvpn as well or it is for ipsec only?

Too bad this questions are discussed in very a few line on the wiki and I suspect it is outdated info (at least for openvpn).

every word i have read about hw accel was on aes-128 looks like its the main focus of optimization