Date: Sun, 4 Feb 2001 17:15:56 -0800
From: "Crist J. Clark" <cjclark@reflexnet.net>
To: Lorin Lund <wbs@infowest.com>
Cc: FreeBSD Questions <freebsd-questions@FreeBSD.ORG>
Subject: Re: How much processing power is needed for a firewall with encyption for a fat pipe?
Message-ID: <20010204171556.Y91447@rfx-216-196-73-168.users.reflex>
In-Reply-To: <00c301c08eba$78f8b3c0$0200fea9@infowest.com>; from wbs@infowest.com on Sun, Feb 04, 2001 at 07:55:10AM -0700
References: <00c301c08eba$78f8b3c0$0200fea9@infowest.com>
On Sun, Feb 04, 2001 at 07:55:10AM -0700, Lorin Lund wrote:
> If I were to implement a gateway/firewall with FreeBSD and IPsec, how much
> bandwidth could I handle with, say a 1GHz processor? I'm interested in
> getting a feel for how much processing power is needed for VPN gateways for
> various size pipes. I hope to do some VPN work in my region. (Utah/Nevada)

The best answer, as always: it depends. Unless you are going to have a
T3 or other mega-pipe, the network is almost always going to be the
choke point. Even multiple T1's is nothing for a properly configured
PII 400 and up. Things to consider:

  - When you say IPsec, I assume you mean this machine is the end of a
    tunnel. If you are just passing IPsec through, that is no
    different than regular IP routing.

  - Certain portions of an IPsec connection take much more horsepower
    than others. Namely, the public key computations during the
    initial IKE exchanges as opposed to the symmetric key algorithms
    used during the established connection. Is this machine a tunnel
    for a small number of connections with lots of traffic for each
    (something like gateway-to-gateway), or lots of low traffic
    connections (more like client-to-gateway)?

  - What encryption algorithms? Yes. It matters. But...

Again, the typical choke is the network. For example, fragmentation
issues are much more likely to cause pain than too little CPU at the
gateway.
--
Crist J. Clark cjclark@alum.mit.edu
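
The fragmentation point in the message above, worked through as an added example that is not part of the original e-mail: it computes how much ESP tunnel mode grows a packet and when the result no longer fits the link MTU. The two transforms, the 1500-byte MTU and the sample packet sizes are assumptions; the message names none of them.

```python
"""ESP tunnel-mode size arithmetic (IPv4, RFC 2406 packet layout). Added example."""
from math import ceil

OUTER_IP = 20      # outer IPv4 header, no options
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)

# Assumed transforms (not named in the message): (CBC block = IV bytes, ICV bytes)
TRANSFORMS = {
    "3des-cbc+hmac-sha1-96": (8, 12),
    "aes-cbc+hmac-sha1-96": (16, 12),
}

def esp_packet_len(inner_len, transform):
    """Size of the outer IPv4 packet that carries one inner packet."""
    block, icv = TRANSFORMS[transform]
    padding = -(inner_len + ESP_TRAILER) % block   # pad ciphertext to a block boundary
    return OUTER_IP + ESP_HDR + block + inner_len + padding + ESP_TRAILER + icv

def fragments(outer_len, link_mtu=1500):
    """Number of IPv4 fragments needed to send outer_len bytes over link_mtu."""
    if outer_len <= link_mtu:
        return 1
    per_frag = (link_mtu - OUTER_IP) // 8 * 8      # fragment payloads are 8-byte aligned
    return ceil((outer_len - OUTER_IP) / per_frag)

def max_inner_len(transform, link_mtu=1500):
    """Largest inner packet that still fits in a single outer packet."""
    block, icv = TRANSFORMS[transform]
    room = link_mtu - OUTER_IP - ESP_HDR - block - icv
    return room // block * block - ESP_TRAILER

if __name__ == "__main__":
    for name in TRANSFORMS:
        for inner in (576, 1400, 1500):            # constructed sample packet sizes
            outer = esp_packet_len(inner, name)
            print(f"{name:24} inner={inner:4} outer={outer:4} "
                  f"fragments={fragments(outer)}")
        print(f"{name:24} largest unfragmented inner packet: {max_inner_len(name)}")
```

With these assumptions every full-size 1500-byte inner packet leaves the gateway as two outer packets, doubling the packet rate on the encrypted side unless the inner MTU or TCP MSS is lowered to the computed limit.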
