On 2012-03-30 22:16, Dewey Hylton wrote:
> i'm getting ready to implement a few new site-to-site vpns using
> openbsd, and am on the hunt for appropriate hardware. i have several
> alix (geode) and lanner (intel atom) boxes working wonderfully as
> firewalls and routers, but neither type is able to provide enough
> throughput when ipsec is added to their roles.
>
> the lanner boxes can't accept add-in cards. the alix can accept a
> minipci, and i know that soekris makes a crypto accelerator (hifn?)
> that may help - but i'm not sure that'll be enough oomph either. our
> site-to-site link will provide up to 20Mbps, but the lanner box is
> topping out at 3.3Mbps with ipsec and the alix is at 1.5Mbps.
>
> can anyone point me to a matrix of hardware types and their crypto
> performance benchmarks with openbsd, or at least make recommendations
> based on real-world use?
>
> i'm using defaults for my ipsec configuration, so this is what i'm
> testing with: auth hmac-sha2-256 enc aes
>
> thanks for your time.

This is the throughput/load from a branch vpn ...
Alix
cpu0: Geode(TM) ..... PCS ("AuthenticAMD" 586-class) 499 MHz
IPSec using auth hmac-sha1 enc aes-128
tcpbench:
Conn: 1 Mbps: 11.091 Peak Mbps: 12.038 Avg Mbps: 11.091
systat:
8.6%Int 36.0%Sys 0.6%Usr 0.0%Nic 54.8%Idle