Best pre-built for IPSEC tunnel speed?



  • I've been looking at the Netgate SG-2440 (atom C2358) as well as the Qotom Q33G4 (i3 4005U) and the Qotom Q355G4 (i5 5250u)
    All 3 processors have the AES instructions.

    I'm looking to keep IPSEC tunnels up between 2 offices (backups from main office copied to branch and vice versa). Each office has 2 ISPs, min speed of any 25 Gb/s. I'd like to get max utilization. We probably won't upgrade any of these beyond 50 Gb/s through the life of this gear.

    First off, does AES-NI being present even matter for IPSEC-AES using PFSense at both ends?

    I looked for AES benchmarks for the atom C2358, found none.
    i3-4005u 2,180,000 MB/s (noted 'single-core')
    i5 5250u 3,470,000 MB/s (also noted 'single-core')
    benchmarks at cpuboss - guess I can't post links yet…

    I've been running GRE tunnels over IPSEC tunnels with fail-over, but have been looking at GRE over IPSEC transport; not even sure I can do this on PFSense.

    Any suggestions, hardware or software?
    Thanks!
    [edit]
    forgot to mention: I'm looking at 4-lan boxes (wan1, wan2, lan, dmz)
    [/edit]


  • Netgate Administrator

    Hmm, your numbers look a little suspect. You really have 25 Gigabit per second WAN connections at branch offices? Seems very unlikely. Do you mean 25Mbps?

    Those benchmark values look odd too. What are they actually testing there? 2,180,000 MB/s = ~16Tbps… Ludicrous speed!  ;)

    AES-NI does matter for maximum IPSec throughput in pfSense.

    Steve



  • Whoops - yeah, sorry, those are Mb/s not Gb/s.

    I cut/pasted the bench numbers from cpuboss directly. Dunno exactly how they got them. There was a "thanks to PrimateLabs" notation - but that's a company that provides benchmarking software. It was pretty definitely MB/s not Mb/s.



  • Hey bobkoure, unrelated to your post, but to help you show your sources in the future, you can post links by using the HTML code to insert them. There is a button in the editing tools that will do it for you; it's called "insert hyperlink" and looks like a page in front of the world. Then just paste your web address between the newly made url boxes.

    Hope this helps.


  • Galactic Empire

    @bobkoure:

    I've been looking at the Netgate SG-2440

    I looked for AES benchmarks for the atom C2358, found none.

    SG-2440 can do up to 325 Mbps over IPsec, AES128-GCM IKEv2



  • That's exactly the information I was looking for. We'll probably go with a couple of these, just didn't want to get gear that couldn't do what we needed (embarrassing! - nearly as bad as confusing Mb/s and Gb/s, but with more consequences).


  • Galactic Empire

    @bobkoure:

    That's exactly the information I was looking for. We'll probably go with a couple of these, just didn't want to get gear that couldn't do what we needed (embarrassing! - nearly as bad as confusing Mb/s and Gb/s, but with more consequences).

    Glad I could help :)

