[119271] in North American Network Operators' Group
Re: Gig Throughput on IPSEC
daemon@ATHENA.MIT.EDU (Truman Boyes)
Wed Nov 11 22:57:20 2009
From: Truman Boyes <truman@suspicious.org>
In-Reply-To: <743D8E24-AA62-40D0-A067-80D5E0EDACFC@kanren.net>
Date: Thu, 12 Nov 2009 14:56:19 +1100
To: Brad Fleming <bdfleming@kanren.net>
Cc: nanog@nanog.org
On 12/11/2009, at 5:45 AM, Brad Fleming wrote:
>
> On Nov 11, 2009, at 3:25 AM, adel@baklawasecrets.com wrote:
>
>>
>>
>> Hi,
>>
>> I have a requirement to encrypt data using IPSEC over a p-t-p gig fibre
>> link. In the past I've normally used Juniper to terminate VPNs, as I
>> have found them excellent devices and the route based VPN functionality
>> very useful. However looking at their range, only the ISG will do a gig
>> of IPSEC. I'm leaning towards keeping my existing Juniper SSG550's for
>> firewall/routing capability at each site. Then having separate
>> encryption devices to handle the site-to-site vpn requiring the gig
>> throughput. Does anyone have any suggestions on devices to use?
>>
>>
>>
>> Adel
>>
>>
>
> Not knowing all your other needs, I won't swear to it... but would
> the Juniper SRX650 work for your situation? It can pass 1.5Gbps of
> encrypted traffic according to their datasheet. I've never actually
> tried to move that much data through the box so I can't testify to it.
>
> Also, the Juniper SRX3400 is advertised as handling 6Gbps of
> encrypted traffic.
>
> Of course, these are JunosES devices as opposed to ScreenOS, but the
> transition isn't as painful as you might expect. We actually use the
> J-series devices with JunosES as site routers/firewalls with a great
> deal of success.

The usual caveats apply: packet size, packets per second, etc.; but
with an SRX 3400/3600 you can scale up the performance of IPSEC VPN
throughput with additional SPCs. You should be able to scale to over
6Gbps of IPSEC with enough SPCs.

Truman