General Questions

What hardware would I need to enable a 70mbit/s IPSEC tunnel between our office and the datacenter? The internet connection is there, but my current VIA EPIA 600 box only does 3mbit/s ipsec using blowfish envryption.

I could run m0n0 in a vm, but would rather not, is there an easy way of increasing our ipsec performance, or what hardware is able to do that?

Your requirement appears to be somewhat, perhaps even well beyond typical use for m0n0wall.

A very fast CPU and perhaps even a special build of m0n0wall may be required to actually obtain 70mbps VPN thruput. And this applies to both ends of the connection, of course.

You may want to contact the developers to see what they think.

Good luck.

3 Mbps sounds pretty low even for software crypto; are you sure the bottleneck is not somewhere else, like with the Internet connection or the remote side?

In any case, if you can install a (Mini) PCI card, then the vpn1401/vpn1411 boards from Soekris Engineering are probably your best bet. These are automatically supported under m0n0wall, and can (in theory) do AES in hardware at up to 250 Mbps. Your effective throughput will of course be lower. Note that they don't do Blowfish, so you'll have to switch to AES or 3DES.

For comparison, I'm running an ALIX board with a vpn1211 (the predecessor to the vpn1411, with an older/slower chip). That particular crypto chip (Hifn 7951) does 32 Mbps according to the datasheet. In practice, I get 30 Mbps TCP throughput with 3DES/SHA1/ESP, at around 30-40% CPU.

The internet connection on one side is 100mbit synchronous (datacenter) and on the other side it is 100mbit/s down/10mbit/s up.

I could get the PCI card, because my Via Epia C3 motherboards support 1 pci expansion card and then use 3DES.

Thanks for the info!