Gig Throughput on IPSEC



On 12/11/2009, at 5:45 AM, Brad Fleming wrote:

>
> On Nov 11, 2009, at 3:25 AM, adel at baklawasecrets.com wrote:
>
>>
>>
>> Hi,
>>
>> I have a requirement to encrypt data using IPSEC over a p-t-p gig fibre
>> link. In the past I've normally used Juniper to terminate VPNs, as I
>> have found them excellent devices and the route based VPN functionality
>> very useful. However, looking at their range, only the ISG will do a gig
>> of IPSEC. I'm leaning towards keeping my existing Juniper SSG550s for
>> firewall/routing capability at each site. Then having separate
>> encryption devices to handle the site-to-site vpn requiring the gig
>> throughput. Does anyone have any suggestions on devices to use?
>>
>>
>>
>> Adel
>>
>>
>
> Not knowing all your other needs, I won't swear to it... but would the
> Juniper SRX650 work for your situation? It can pass 1.5Gbps of encrypted
> traffic according to their datasheet. I've never actually tried to move
> that much data through the box so I can't testify to it.
>
> Also, the Juniper SRX3400 is advertised as handling 6Gbps of encrypted
> traffic.
>
> Of course, these are JunosES devices as opposed to ScreenOS, but the
> transition isn't as painful as you might expect. We actually use the
> J-series devices with JunosES as site routers/firewalls with a great
> deal of success.

The usual caveats apply: packet size, packets per second, etc.; but
with an SRX 3400/3600 you can scale up the performance of IPSEC VPN
throughput with additional SPCs. You should be able to scale to over
6Gbps of IPSEC with enough SPCs.

Truman