PIX, VPN Accelerator Cards for AES

Hello,

I am about to choose the transforms for a huge VPN deployment using PIX firewalls from 501 to 535 HA. Some of those firewalls will have VPN AC cards, others not.

Question: are the VPN AC cards optimized for 3DES/DES, or is it also bringing refreshing sodas for busy PIX using AES?

I post this since I know some VPN AC cards, like those for Soekris firewalls, are optimized only for DES/3DES. So I am wondering ;-)

Thank you very much,

Julien

Reply to
Julien Nicodeme

The VAC & VAC+ support AES:

formatting link
Regards,

Marco.

Reply to
M.C. van den Bovenkamp

Hi there,


And from the page you've given:

(...) Load sharing ESP and AH activity between up to three VAC+. (...)

What good stuff in there!

I am wondering how Cisco Systems is positioning VPN Concentrator anymore. Any points on this?

Alain

Reply to
Alain Bogaert

In article , Julien Nicodeme wrote:
:I am about to choose the transforms for a huge VPN deployment using PIX
:firewalls from 501 to 535 HA. Some of those firewalls will have VPN AC
:cards, others not.

:Question, Are the VPN AC cards optimized for 3DES/DES or is it also
:bringing refreshing sodas for busy PIX using AES?

501: 3 Mbps 3DES, 4.5 Mbps AES-128, ? AES-256
506: 10 Mbps 3DES, ? AES-128, ? AES-256
506E: 17 Mbps 3DES, 30 Mbps AES-128, ? AES-256
515: ??
515E + VAC: 63 Mbps 3DES, ? AES-128, ? AES-256
515E + VAC+: 140 Mbps 3DES, 135 Mbps AES-128, 140 Mbps AES-256
520: ?
520 + VAC: (supported, rates unknown)
520 + VAC+: (supported, rates unknown)
525 + VAC: 72 Mbps 3DES, ? AES-128, ? AES-256
525 + VAC+: 155 Mbps 3DES, 165 Mbps AES-128, 170 Mbps AES-256
535 + VAC: 100 Mbps 3DES, ? AES-128, ? AES-256
535 + VAC+: 440 Mbps 3DES, 535 Mbps AES-128, 440 Mbps AES-256

Note: there are documented total VPN throughput restrictions on the 506E, 515, and 515E, that are noticeably lower than the figures given above. The documentation might not reflect the use of VAC/VAC+. Also, the document was the "506E/515E Q&A" from the 6.1(2) timeframe, but 6.2 introduced substantial VPN speedups for at least some of the systems (e.g., 501), so the data in that document may be obsolete.

Reply to
Walter Roberson

Also please be aware that the VAC+ card takes up one PCI slot. So in some configurations you have to reorder NIC interface cards, and/or get quad-FE cards instead. This is mostly seen in PIX515 HW configurations, since they only have 2 slots.

HTH
Martin Bilgrav


Reply to
Martin Bilgrav

Yes, and the new router series kick both their butts! At any time! Sure is close - but then again routers cost more than PIXes, but for some scenarios they might come in handy.

HTH
Martin Bilgrav

Reply to
Martin Bilgrav


it's about picking a box to fit the requirement - and hardware performance isn't always most important.

we had a discussion with a cisco SE a year or so back.

the gist was that you could more or less force routers, VPN concentrators or PIXen to do any of the various IPsec VPN jobs, but the platforms are optimised in different ways in terms of features, complexity and amount of ongoing day to day support needed.

use the box optimised for the job:

VPN concentrators for remote access (i.e. lots of individual PCs)
PIXes where you want VPNs between firewalls, but with simple topologies like a star network.
routers where you want resilience, meshed topology and / or flexibility.

all of the boxes have got more features and are more flexible, but i think those rules of thumb still make a lot of sense.

Reply to
stephen
