
Mailing List Archive: NANOG: users

Gig Throughput on IPSEC

 

 



adel at baklawasecrets

Nov 11, 2009, 1:25 AM

Post #1 of 7 (708 views)
Gig Throughput on IPSEC

Hi,

I have a requirement to encrypt data using IPSEC over a p-t-p gig fibre
link.  In the past I've normally used Juniper to terminate VPNs, as I
have found them excellent devices and the route based VPN functionality
very useful.  However looking at their range, only the ISG will do a gig
of IPSEC.  I'm leaning towards keeping my existing Juniper SSG550's for
firewall/routing capability at each site.  Then having separate
encryption devices to handle the site-to-site vpn requiring the gig
throughput.  Does anyone have any suggestions on devices to use?

 

Adel


adel at baklawasecrets

Nov 11, 2009, 2:01 AM

Post #2 of 7 (681 views)
Re: Gig Throughput on IPSEC [In reply to]

On second thoughts, thinking about this I am probably looking for some
kind of Layer2 encryption devices.  This will make things a lot easier
for the deployment.  Any experiences, thoughts on these types of devices,
would be much appreciated.

Adel

On Wed 9:25 AM , adel [at] baklawasecrets sent:

Hi,

I have a requirement to encrypt data using IPSEC over a p-t-p gig fibre
link.  In the past I've normally used Juniper to terminate VPNs, as I
have found them excellent devices and the route based VPN functionality
very useful.  However looking at their range, only the ISG will do a gig
of IPSEC.  I'm leaning towards keeping my existing Juniper SSG550's for
firewall/routing capability at each site.  Then having separate
encryption devices to handle the site-to-site vpn requiring the gig
throughput.  Does anyone have any suggestions on devices to use?

 

Adel


guxiaojian at gmail

Nov 11, 2009, 7:13 AM

Post #3 of 7 (668 views)
Re: Gig Throughput on IPSEC [In reply to]

You can run L2TPv3 (available on IOS routers) between sites, not sure
about the throughput though.

On Wed, Nov 11, 2009 at 2:01 AM, <adel [at] baklawasecrets> wrote:
>
>
>  On second thoughts, thinking about this I am probably looking for some
> kind of Layer2 encryption devices.  This will make things a lot easier
> for the deployment.  Any experiences, thoughts on these types of devices,
> would be much appreciated.
>
> Adel
>
>  On Wed 9:25 AM , adel [at] baklawasecrets sent:
>
>  Hi,
>
>  I have a requirement to encrypt data using IPSEC over a p-t-p gig fibre
>  link.  In the past I've normally used Juniper to terminate VPNs, as I
>  have found them excellent devices and the route based VPN functionality
>  very useful.  However looking at their range, only the ISG will do a gig
>  of IPSEC.  I'm leaning towards keeping my existing Juniper SSG550's for
>  firewall/routing capability at each site.  Then having separate
>  encryption devices to handle the site-to-site vpn requiring the gig
>  throughput.  Does anyone have any suggestions on devices to use?
>
>
>
>  Adel
>
>
>


bdfleming at kanren

Nov 11, 2009, 10:45 AM

Post #4 of 7 (664 views)
Re: Gig Throughput on IPSEC [In reply to]

On Nov 11, 2009, at 3:25 AM, adel [at] baklawasecrets wrote:

>
>
> Hi,
>
> I have a requirement to encrypt data using IPSEC over a p-t-p gig
> fibre
> link. In the past I've normally used Juniper to terminate VPNs, as I
> have found them excellent devices and the route based VPN
> functionality
> very useful. However looking at their range, only the ISG will do a
> gig
> of IPSEC. I'm leaning towards keeping my existing Juniper SSG550's for
> firewall/routing capability at each site. Then having separate
> encryption devices to handle the site-to-site vpn requiring the gig
> throughput. Does anyone have any suggestions on devices to use?
>
>
>
> Adel
>
>

Not knowing all your other needs, I won't swear to it... but would the
Juniper SRX650 work for your situation? It can pass 1.5Gbps of
encrypted traffic according to their datasheet. I've never actually
tried to move that much data through the box so I can't testify to it.

Also, the Juniper SRX3400 is advertised as handling 6Gbps of encrypted
traffic.

Of course, these are JunosES devices as opposed to ScreenOS, but the
transition isn't as painful as you might expect. We actually use the J-
series devices with JunosES as site routers/firewalls with a great
deal of success.


truman at suspicious

Nov 11, 2009, 7:56 PM

Post #5 of 7 (671 views)
Re: Gig Throughput on IPSEC [In reply to]

On 12/11/2009, at 5:45 AM, Brad Fleming wrote:

>
> On Nov 11, 2009, at 3:25 AM, adel [at] baklawasecrets wrote:
>
>>
>>
>> Hi,
>>
>> I have a requirement to encrypt data using IPSEC over a p-t-p gig
>> fibre
>> link. In the past I've normally used Juniper to terminate VPNs, as I
>> have found them excellent devices and the route based VPN
>> functionality
>> very useful. However looking at their range, only the ISG will do
>> a gig
>> of IPSEC. I'm leaning towards keeping my existing Juniper SSG550's
>> for
>> firewall/routing capability at each site. Then having separate
>> encryption devices to handle the site-to-site vpn requiring the gig
>> throughput. Does anyone have any suggestions on devices to use?
>>
>>
>>
>> Adel
>>
>>
>
> Not knowing all your other needs, I won't swear to it... but would
> the Juniper SRX650 work for your situation? It can pass 1.5Gbps of
> encrypted traffic according to their datasheet. I've never actually
> tried to move that much data through the box so I can't testify to it.
>
> Also, the Juniper SRX3400 is advertised as handling 6Gbps of
> encrypted traffic.
>
> Of course, these are JunosES devices as opposed to ScreenOS, but the
> transition isn't as painful as you might expect. We actually use the
> J-series devices with JunosES as site routers/firewalls with a great
> deal of success.

The usual caveats apply: packet size, packets per second, etc; but
with an SRX 3400/3600 you can scale up the performance of IPSEC VPN
throughput with additional SPCs. You should be able to scale to over
6Gbps of IPSEC with enough SPCs.

Truman


joakim at aronius

Nov 11, 2009, 11:46 PM

Post #6 of 7 (666 views)
Re: Gig Throughput on IPSEC [In reply to]

* Truman Boyes (truman [at] suspicious) wrote:
>
> an SRX 3400/3600 you can scale up the performance of IPSEC VPN
> throughput with additional SPCs. You should be able to scale to over
> 6Gbps of IPSEC with enough SPCs.
>
> Truman

Yes, the SRX line of products is the most future-proof way to go. I had a meeting with Juniper technical sales a short while ago and they also stated that "performance figures of the SRX are more in line with what you get in real deployments" (compared to the ISG and NS marketing material, which have IPsec throughput figures that you probably will not see in the field, same as most vendors).
In the ISG and NS series you also need to be aware of capacity limitations in the cards and the backplane.

...and as no one else has commented on L2 security devices I assume that there are not many products for this (IEEE 802.1AE MAC Security). But on the other hand I suppose that there are mostly L3 people on this list and that the Metro Ethernet folks hang elsewhere... (I would go for IPsec.)

Cheers,
/Joakim


fweimer at bfk

Nov 12, 2009, 2:23 AM

Post #7 of 7 (661 views)
Re: Gig Throughput on IPSEC [In reply to]

> On second thoughts, thinking about this I am probably looking for some
> kind of Layer2 encryption devices.  This will make things a lot easier
> for the deployment.  Any experiences, thoughts on these types of devices,
> would be much appreciated.

You could use OpenVPN, but that would be cheating. 8-)

--
Florian Weimer <fweimer [at] bfk>
BFK edv-consulting GmbH http://www.bfk.de/
Kriegsstraße 100 tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99
