High Speed IP-Sec

Mailman List Mirror (Read Only)
1

I'm looking for a high speed (300-1000Mbps) IPSec solution. I need
basic functionality only, a frame in one side pops out the other
side. For the moment I don't care if this is a layer 2 or a layer
3 device. For the application in mind it's just between two points.

I need a supported product, not some home-grown set of bits, and
cost is the major factor. Most units at this speed do a lot of
other stuff (firewall features, vpn clients, ids, other junk), and
cost a lot of money as a result. Since there are FreeBSD/Linux
boxes getting close to that throughput with accelerator cards I
figure someone has to make the stripped down solution for a reasonable
price.

Any pointers welcomed.

2

http://www.juniper.net/products/ip_infrastructure/modules/100048.html#02

The PIC isn't exactly cheap, but it's pretty well supported, and the rest
of the routers aren't too bad on the used market.

3

http://www.cipheroptics.com/

Gig-in/Gig-out - Wirespeed - reasonably priced last I asked.

I can give you my contact if your interested.

andy

4

Here's a summary of answers I received, thanks to all:

* Netscreen www.netscreen.com

  Wide variety of products from low end 10Mbps boxes to high end 1000Mbps
  boxes. Generally also firewalls, have VPN client support, and other
  features.

  From a site-to-site VPN perspective the low end is priced reasonably,
  where as the high end gets a bit expensive due to kitchen sink
  functionality.

* Cisco PIX www.cisco.com

  Good variety of products from 50Mbps to 1000Mbps. Also firewalls and
  in some cases IDS like boxes.

  A bit high in price across the board for site-to-site VPN's, mainly
  due to kitchen sink functionality.

* CipherOptics www.cipheroptics.com

  Dedicated full duplex gige IPSec box, with very minimal firewall
  filters.

  Very good price for a site-to-site VPN and no other junk to get in the
  way. A good contender for high speed IPSec.

* Cisco Accelerator Cards www.cisco.com

  There are two varieties, the VAM for a 7200, and the VPNSM for a
  Cat6509.

  Pricing is good for a site-to-site VPN if you already have the chassis
  for other reasons and have free slots. If you have to include the
  chassis and interfaces in the cost they are both a pretty expensive
  solution.

* Juniper Accelerator Cards www.juniper.com

  There are IPSec cards for all of the M-series boxes.

  Pricing is a similar situation to Cisco. Not too bad for site-to-site
  if you have the chassis, but if you're adding in the cost of a chassis
  and interface cards as well you're back to a pretty expensive
solution.

* ET/R4000 http://www.etinc.com/r4000.htm

  FreeBSD box with an accelerator card. Comes in 100Mbps and Gigabit
  versions, probably can't quite do full gigabit, but could come close.

  Priced very attractively for site-to-site VPN's, a bit of a concern
  that while it's sold as a complete box with support, it's a bit less
  of a "solution" than the other companies offer.

* IWill motherboards.

  These don't meet my qualification, but if you're into roll your own
  I will has motherboards with IPSec coprocessors onboard supported
  by some free OS's:
  http://www.iwill.net/products/ProductDetail.asp?vID=129&CID=110

5

For the sake of completeness, Sun just announced a new Crypto
accelerator board with GigE interfaces that does SSL and IPSec VPNs,
and claims 800 Mb/s "bulk 3DES encryption":

http://www.sun.com/products/networking/sslaccel/suncryptoaccel4000/index.html