Quick question regarding the implementation of IPSEC on the lower-end Routerboards.
I am trying to work out which is the better system in general out of the RB600 and RB4xxAH in terms of IPSEC performance.
Looking at the raw stats for the CPUs in these boards the '600 should come out on top, and the ports certainly seem much faster (1Gbps raw data rate according to Mikrotik).
However, tolstii's results seem to suggest that there isn't much difference. I find this surprising.
Additionally, his results are using 3DES. I was under the impression that AES on a software-processed VPN should be significantly faster than 3DES. Does anyone have any tested figures for the RB4xxAH with 3DES and AES, and the RB600 with 3DES and AES? This would be with ESP/SHA/pre-shared IKE VPNs terminating at a Juniper Netscreen 5000 (so the bottleneck will always be with the Routerboard).
Or do I just need to buy one of each in and test?
Re: IPSEC figures for RB600 vs RB4xxAH, 3DES vs AES
You can get RB1000 where encryption is done by hardware not software as it is for other RouterBoards.
Re: IPSEC figures for RB600 vs RB4xxAH, 3DES vs AES
Yes, that's fair enough, but I need to be able to justify the purchase for a test item, and I can only really buy one or two in.
Besides, the immediate need is for a low-cost solution. If the smaller routers check out then we may end up buying in some of the RB1000s but as it stands the 1000 is not cheap enough against the Juniper SSG5 or Cisco 870 series devices (for different scenarios). It is cheaper but we don't need its extra performance at this point.
Does no-one have any figures?
Besides, the immediate need is for a low-cost solution. If the smaller routers check out then we may end up buying in some of the RB1000s but as it stands the 1000 is not cheap enough against the Juniper SSG5 or Cisco 870 series devices (for different scenarios). It is cheaper but we don't need its extra performance at this point.
Does no-one have any figures?
Re: IPSEC figures for RB600 vs RB4xxAH, 3DES vs AES
Thanks tolstii.
If 3DES ~=AES256 (seems reasonable), that would imply that AES128 (enough for our requirements) should be around 2/3 of 3DES from past experience.
Those extra few Mbps of throughput could well be the difference between the RB400AH series being enough, and not quite powerful enough. Because I'll be load-balancing two ADSL lines, I'll be after 10Mbps at the least for the system to be sufficient. Since it seems that 3DES achieves ~9Mbps, we should have enough headroom to be able to use the device efficiently.
I've ordered in a 433UAH anyway, so I will post my findings when I have them.
If 3DES ~=AES256 (seems reasonable), that would imply that AES128 (enough for our requirements) should be around 2/3 of 3DES from past experience.
Those extra few Mbps of throughput could well be the difference between the RB400AH series being enough, and not quite powerful enough. Because I'll be load-balancing two ADSL lines, I'll be after 10Mbps at the least for the system to be sufficient. Since it seems that 3DES achieves ~9Mbps, we should have enough headroom to be able to use the device efficiently.
I've ordered in a 433UAH anyway, so I will post my findings when I have them.
Re: IPSEC figures for RB600 vs RB4xxAH, 3DES vs AES
We the distributor in Moldova also give to all interested persons before purchase to test the equipment.
We give any RouterBoard on testing.
Probably and in your country you can take before purchase on testing RouterBoard before purchase.
We give any RouterBoard on testing.
Probably and in your country you can take before purchase on testing RouterBoard before purchase.
Re: IPSEC figures for RB600 vs RB4xxAH, 3DES vs AES
Unfortunately not, the UK distro wouldn't entertain the idea of lending equipment out for testing.
Who is online
Users browsing this forum: mseidler and 44 guests