i'm getting ready to implement a few new site-to-site vpns using openbsd, and am on the hunt for appropriate hardware. i have several alix (geode) and lanner (intel atom) boxes working wonderfully as firewalls and routers, but neither type are able to provide enough throughput when ipsec is added to their roles.
the lanner boxes can't accept add-in cards. the alix can accept a minipci, and i know that soekris makes a crypto accelerator (hifn?) that may help - but i'm not sure that'll be enough oompf either. our site-to-site link will provide up to 20Mbps, but the lanner box is topping out at 3.3Mbps with ipsec and the alix is at 1.5Mbps. can anyone point me to a matrix of hardware types and their crypto performance benchmarks with openbsd, or at least make recommendations based on real-world use? i'm using defaults for my ipsec configuration, so this is what i'm testing with: auth hmac-sha2-256 enc aes thanks for your time.
