Looking for a cheap IPSec appliance - Ideas?

Phog
I've been using OpenVPN for a while now, and while it's insanely easy to set up and configure, it also gives me pretty piss-poor performance. I keep reading IPSec/L2TP is pretty much the only way to go right now for the best latency/throughput. Does anyone know of a decently cheap solution (software or hardware) that has IPSec site-to-site capabilities?

Also, I should mention I need these to work through NAT. My fiber setup requires a special router/firewall, and I will HAVE to put the device behind it (no static IP either).
 
First, what is "piss-poor performance"?
EdgeRouter Lite running FreeBSD is a nice appliance
//Danne
 
First off, IPSec is single-threaded, so CPU power is important unless the hardware has built-in encryption decoding. More CPU cores would be important if you have lots of IPSec tunnels. Once you start getting into hardware-accelerated encryption you are talking big numbers.

Well, let's gather a little data here:

The average affordable RouterBoard device (MikroTik RouterOS) is about $59-$79, has a 600 MHz CPU and will do about 8-10 Mbps over IPSec. The prices go up from there, but so does the CPU power. Most of the higher-end devices are multi-core and have hardware acceleration.

Personally, I've never used the EdgeRouter Lite, but from a quick search it should be able to manage 20 Mbit or so over VPN. Good for $99.

pfSense should be able to manage at least 30-40 Mbit minimum on Atom-based hardware.
 
What are you looking to spend, and what performance levels do you need to hit? As a hardware solution, the Zyxel USG series is reasonable in cost, and offers IPSEC and IPSEC/L2TP as well as AD authentication of those tunnels that is set up pretty easily. I'd love to suggest pfSense, but as of yet, it doesn't support IPSEC/L2TP.
 
Look into the Zyxel USG series. Once you figure out their UI (they have a somewhat unique object oriented config) they are very powerful for the price point.
 
Just do an aggressive mode S2S. You will only be able to build the tunnel from the site that doesn't have a static IP, but you wouldn't have to worry about changing peer addresses later. Maybe set up a box at the non-static location with a constant ping to the static location. This way, if the tunnel goes down, you will rebuild it.
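The arrangement described in the post above (dynamic-IP site initiates, static site answers, tunnel rebuilt automatically when it drops), written out as an added example in a strongSwan-style ipsec.conf for the dynamic-IP side. This is not from the thread; the subnets, identities, peer address and secret are constructed placeholders.

```ini
# strongSwan ipsec.conf on the site WITHOUT a static IP (behind the fiber router's NAT).
# All addresses, subnets and IDs are constructed placeholders, not values from the thread.
config setup
    uniqueids = yes

conn site-a-to-site-b
    keyexchange = ikev1
    aggressive = yes          # static peer selects our PSK by ID, not by our changing source IP
    authby = secret
    ike = aes256-sha256-modp2048!
    esp = aes256-sha256!
    left = %defaultroute      # whatever WAN address we have right now
    leftid = @site-a          # fixed identity stands in for a fixed IP
    leftsubnet = 10.10.0.0/24
    right = 203.0.113.10      # static peer (documentation-range placeholder)
    rightid = @site-b
    rightsubnet = 10.20.0.0/24
    forceencaps = yes         # keep ESP in UDP/4500 so it survives the NAT
    auto = start              # only this side can initiate, so bring it up at boot
    dpddelay = 30s            # dead peer detection replaces the "constant ping" box
    dpdtimeout = 120s
    dpdaction = restart       # rebuild the tunnel when the peer stops answering
    closeaction = restart

# Matching ipsec.secrets entry (same PSK on both sides; use a long random value):
#   @site-a @site-b : PSK "replace-with-a-long-random-secret"
#
# On the STATIC side the conn is mirrored with:  left = 203.0.113.10, leftid = @site-b,
#   right = %any, rightid = @site-a, auto = add   (it answers, never initiates).
# Aggressive mode sends the IDs in the clear and exposes the PSK-derived hash in the
# first exchange, so PSK strength matters; keyexchange = ikev2 gives the same ID-based
# peer selection for a dynamic address without that trade-off.
```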
 
The ERL should be much faster than that using IPSec unless you're doing something really weird.
I get at least 10 Mbit using OpenVPN but I haven't tried IPSec.
//Danne
 
Take a look at the Juniper 5GT on eBay. It cost about $30 and I believe it meets your requirements.
 
I know you said cheap, but I use a Cisco 1921 for my IPSec and so far I have seen up to 50 Mbps throughput. It can do more, I'm certain, almost assured because it has a true hardware encryption engine.

So cheap and fast may not truly exist but less expensive and fast certainly does.
 
Get an old (new if you want?) computer, slap 2 Intel NICs in it, then install pfSense and go nuts. You can do both OpenVPN and IPSEC, either/or/both/none. (Second post today with this same comment. :) )

I had a Dell Precision 380 with 2 Intel Pro/1000s inside. I was pushing over 300 IPSec tunnels at nearly 500 Mbit for a few years and the machine was barely out of breath. Enable powerd for some power-saving features. It's a great solution.
 