Re: Gig Throughput on IPSEC

[Truman Boyes <truman () suspicious org>]

On 12/11/2009, at 5:45 AM, Brad Fleming wrote:

> On Nov 11, 2009, at 3:25 AM, adel () baklawasecrets com wrote:
>
> > Hi,
> >
> > I have a requirement to encrypt data using IPSEC over a p-t-p gig  
> > fibre
> > link.  In the past I've normally used Juniper to terminate VPNs, as I
> > have found them excellent devices and the route based VPN  
> > functionality
> > very useful.  However looking at their range, only the ISG will do  
> > a gig
> > of IPSEC.  I'm leaning towards keeping my exising Juniper SSG550's  
> > for
> > firewall/routing capability at each site.  Then having a separate
> > encryption devices to handle the site-to-site vpn requiring the gig
> > throughput.  Does anyone have any suggestions on devices to use?
> >
> >
> >
> > Adel
>
> Not knowing all your other needs, I won't swear to it... but would  
> the Juniper SRX650 work for your situation? It can pass 1.5Gbps of  
> encrypted traffic according to their datasheet. I've never actually  
> tried to move that much data through the box so I can't testify to it.
>
> Also, the Juniper SRX3400 is advertised as handling 6Gbps of  
> encrypted traffic.
>
> Of course, these are JunosES devices as opposed to ScreenOS, but the  
> transition isn't as painful as you might expect. We actually use the  
> J-series devices with JunosES as site routers/firewalls with a great  
> deal of success.

The usual caveats apply: packet size, packets per second, etc; but  
with an SRX 3400/3600 you can scale up the performance of IPSEC VPN  
throughput with additional SPCs. You should be able to scale to over  
6Gbps of IPSEC with enough SPCs.

Truman