Does anyone know the bandwidth of an IPSEC VPN tunnel?
-
gmckinney, thank you for your detailed information on moving data across the link.
-
…which gives me 3MB/s link (up/dwn).
Maybe you didn't get it:
3 MB is 3 MByte
3 Mb is 3 Mbit
The latter is what you'll have with a T1 or a DSL line.
-
Maybe you didn't get it:
3 MB is 3 MByte
3 Mb is 3 Mbit
The latter is what you'll have with a T1 or a DSL line.
So, Chris, what is the best setup for this scenario? Thanks
-
I suspect the answer is that at a mere 3 Mb/s it probably doesn't matter - almost any hardware will cope.
Still, as per my original post, the rate of change is going to be your key issue. If you generate more than (about) 256 KB of changes per second then you won't be able to keep up with real time sync. As long as your daily/weekly average remains at or below this then you'll be able to stay in sync, though there will be a lag at times.
-
…what is the best setup for this scenario?
Given the quality of your feedback to questions and hints, and taking into consideration that you are going to secure a business' information pool, the only reasonable answer should be: a consultant.
You can get help from the commercial support of the developers. I suggest you check them out!
http://centipedenetworks.com/products_support_pfsense.php
http://www.bsdperimeter.com/index.php?option=com_content&task=view&id=6&Itemid=24
!!! There is no pun intended. It just seems to be the best option at the moment!
-
Thank you Cry Havok and jahonix.
-
@Cry:
I suspect the answer is that at a mere 3 Mb/s it probably doesn't matter - almost any hardware will cope.
Since one of his sides only has one T1 line the tunnel will be 1.5Mb only.
-
I agree that the max connection will be 1.5 Mb; I would add supported hardware encryption adapters. That will take the load off the firewall. I ran into a situation similar to this one and we added the hardware encryption and that resolved the issue that we were having at the time.
We were dealing with 18 to 30 users using Citrix across a T-1.
RC
-
The speed of a tunnel between sites is determined by the lowest common denominator, e.g. the slowest upstream value of both lines. For example: I have an 8 Mbit fiber at one end, and an 8/1 Mbit DSL on the other end. Although the DSL location can fetch from the main site with 8 Mbit, they can only send to us with 1 Mbit.
This becomes even more evident when you have 2 DSL sites. At that point one can never go above the single upstream capacity of one site.
Regarding the bandwidth of the tunnel: an older Wrap system will do about 4-5 Mbit without problems. The newer Alix 2c3 system does about 8-10 Mbit IPsec tunnel throughput without problems.
My VPN concentrator at the main site is a Dell PE860 with a Dual Core 2.13. So that one can easily do 100 Mbit wirespeed IPsec without issues.
The real issue with your case is the latency between those sites, as that is critical for running database connections between sites. This determines the responsiveness of the application if the database is used directly.
-
Thank you guys.
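
Added example, not written by any poster in the thread: a small queue model of two points made above, that a tunnel's one-way rate is capped by the sender's upstream and the receiver's downstream, and that replication lags whenever the change rate exceeds what the link can drain. The site figures reuse the 8 Mbit fiber and 8/1 Mbit DSL lines and the 256 KB/s figure mentioned in the thread; the change-rate profile is constructed, and the raw rates ignore IPsec and IP overhead.

```python
from dataclasses import dataclass


@dataclass
class Site:
    name: str
    down_mbit: float  # downstream line rate, Mbit/s
    up_mbit: float    # upstream line rate, Mbit/s


def tunnel_rate_mbit(sender: Site, receiver: Site) -> float:
    """One-way ceiling: the sender's upstream or the receiver's downstream,
    whichever is lower."""
    return min(sender.up_mbit, receiver.down_mbit)


def raw_kbytes_per_s(rate_mbit: float) -> float:
    """Mbit/s -> KB/s (1 KB = 1000 bytes), before any tunnel overhead."""
    return rate_mbit * 1_000_000 / 8 / 1000


def simulate_backlog(change_kb_per_s, drain_kb_per_s, step_s=1):
    """Replay a change-rate series against a fixed drain rate.
    Returns (peak backlog in KB, worst sync lag in s, backlog left at the end)."""
    backlog = peak = 0.0
    for rate in change_kb_per_s:
        # Data queues up when changes outpace the link, drains otherwise.
        backlog = max(0.0, backlog + (rate - drain_kb_per_s) * step_s)
        peak = max(peak, backlog)
    return peak, peak / drain_kb_per_s, backlog


# Constructed sample: quiet period, a 30 s burst of 600 KB/s, quiet again.
SAMPLE_PROFILE = [100] * 60 + [600] * 30 + [100] * 120

if __name__ == "__main__":
    main_site = Site("main (fiber)", down_mbit=8, up_mbit=8)
    branch = Site("branch (DSL)", down_mbit=8, up_mbit=1)
    for src, dst in ((main_site, branch), (branch, main_site)):
        rate = tunnel_rate_mbit(src, dst)
        print(f"{src.name} -> {dst.name}: {rate} Mbit/s "
              f"(~{raw_kbytes_per_s(rate):.1f} KB/s raw)")
    peak, lag, left = simulate_backlog(SAMPLE_PROFILE, drain_kb_per_s=256)
    print(f"peak backlog {peak:.0f} KB, worst lag {lag:.1f} s, left over {left:.0f} KB")
```

A non-zero leftover backlog at the end of a representative profile means the average change rate exceeds the link and the replica never catches up.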