I've been experimenting with various IPsec options with a RB951G, using v6.7.
For most of my traffic I really just need a kind of proxy, but I'm dealing with a nasty ISP that shapes all sorts of stuff, so I've finally settled on an unencrypted IPsec tunnel. I can get pretty good performance, close to the limits of my link, out of a Linux box running StrongSwan, and very similar performance out of the RB951G. Roughly 80-90Mbps.
However ... when I look at the profiler, it's about 65% networking, 20% firewall, and the rest on ethernet etc. It's largely 0% idle during a high bandwidth transfer.
I'm concerned that the firewall number is so high ... I don't have any rules at all for the purposes of this testing, but I do need to do some address translation and a few other things when I set it up properly, plus the main link will be PPPoE on the router, which is handled somewhere else at the moment ... so I fear that it will not cope given the numbers at the moment.
Am I missing something? I know it needs to make a decision whether to use the IPsec path or not, but that shouldn't be more than a src/dst address compare ... surely that doesn't take 20% of the CPU??