What hardware you have and what size the data chunks are 
will determine what impact IPsec will have.  WAN vs LAN isn't the issue.

As for mitigating the impact of the crypto in IPsec it depends on the 
data size.  If the size of the packets is > 512 bytes then the crypto 
framework will off load that to hardware.  However that really only 
matters for symmetric ciphers such as AES, 3DES which if you are doing 
IPsec AH only, rather than ESP+auth, you aren't using.   If you do want 
to encrypt and have that off loaded to hardware there are two choices: 
Sun CA-6000 card or an UltraSPARC T2 processor (Niagara 2) [ cpu in the 
recently announced new machines ].

Some VPNs are IPsec and some are SSL or SSH.  Those that are IPsec based 
do so with ESP+Auth.  IPsec AH doesn't protect the data from viewing on 
the wire just integrity protects it - just like ZFS today (integrity 
protected but not encrypted); a VPN needs to be more than that!

--
Darren J Moffat


_______________________________________________
zfs-discuss mailing list
zfs-discuss@opensolaris.org
http://mail.opensolaris.org/mailman/listinfo/zfs-discuss
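
The AH-only versus ESP+auth choice discussed in the message above, written as Solaris IPsec policy entries. This is an added example, not part of the original post; the addresses are constructed placeholders and the algorithm choices (SHA-1, AES) are assumptions picked for illustration.

```conf
# /etc/inet/ipsecinit.conf, loaded with: ipsecconf -a /etc/inet/ipsecinit.conf
# Addresses are constructed placeholders from the RFC 5737 documentation range.
# Use one of the two entries below for a given address pair, not both.

# Option 1: AH only.
# Every packet carries an HMAC-SHA1 integrity check, so tampering is detected,
# but the payload stays readable on the wire. No symmetric cipher is used,
# so there is no bulk encryption work to offload.
{laddr 192.0.2.10 raddr 192.0.2.20} ipsec {auth_algs sha1 sa shared}

# Option 2: ESP with authentication (ESP+auth).
# The payload is encrypted with AES and authenticated with HMAC-SHA1.
# This is the combination an IPsec VPN uses, and the AES work is what a
# hardware crypto provider can take over.
# {laddr 192.0.2.10 raddr 192.0.2.20} ipsec {encr_algs aes encr_auth_algs sha1 sa shared}
```

A policy entry only states what protection is required; the security associations and keys still have to come from IKE or from manual keys loaded with ipseckey.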
