How many PIX VPN connections?

[maddog32]

Does anyone know how many VPN 3DES connections a PIX 515 (without an accelerator card) can terminate whilst retaining adequate throughput of 'normal' traffic to keep a 2Mb/s connection busy.

We would like to achieve 40 VPN connections in total between 801 routers so; each tunnel is only going to run at an absolute maximum of rate of 128kb/s. The average sustained rate is likely to be 45 kb/s I guess.

Has anyone any ideas or better still currently doing this?

Regards,
Maddog

 

[jbordeau]

hi,

For my experience, i'm trying this:
3 pix : 1 pix 515 and 2 pix 506.

PIX 515
|
| 2 tunnels VPN DES (56 bits)
/ / Pix 506 Pix 506

When the Ipsec, ISAKMP is negociated, we have 40 % CPU charge and when all tunnel is negociated, i have a 2 % charge CPU (ping, http, ftp protocol to test ).
The IPsec's negociation tunnel with Pre-share Key is very important ( 10% by tunnel). After this negociation, the charge's cpu is under 2 % with traffic IP.
If you realized many many tunnel vpn, try VPN 3005 (100 tunnels maxi) (end's tunnel) and VPN CISCO 3002 (for end's client)
Best regards

Bordeau Jerome - France

 

[maddog32]

Thanks.

From the figures you've provided 40 connections will make the PIX cpu 80% (assuming a linear scale). Not alot left for running the additonal 2Mb/s connection!

Has anyone any other figures with different numbers of VPN connections to determine whether the scale is linear or not?