My main concern is stability and second what kind of throughput I would get.
(1) VyOS + Hyper-V?
(2) ISP instability: will tunnels re-establish themselves automatically ("self-healing")?
(3) Added latency
Today we use an aging fleet of ASA devices that I would like to replace, if possible with VyOS. I have been using Vyatta for internal routing for years and I'm impressed by it! It just works.
(1) - Can't imagine it would be a problem; maybe guest tools integration may not work, but that only optimises the configuration (and assists with some hypervisor management tools), it shouldn't prevent it from fundamentally working.
(2) - I prefer OpenVPN for tunnels so not so sure about IPSEC specifically, but there shouldn’t be any problems with it reestablishing (should be some retry intervals etc).
(3) - Your measures may vary
I recommend you evaluate a pair of firewalls at hub with some form of redundancy (VyOS clustering supports IPSEC failover I believe). This maximises your flexibility for upgrades/configuration changes etc that might be disruptive.
If you want to use IPsec, you must use DPD (Dead Peer Detection), so if the tunnel goes down it is re-established automatically (time interval etc.). We are using IPsec between three main locations via fibre link, and we don't have any problems with stability.
I have played around with an ipsec/vti site-to-site tunnel between 2 virtual servers on two different physical servers and get ~330Mbit/s throughput (iperf). 1-2 ms latency.
The weakest server uses 1 Xeon® CPU E5507 @ 2.27GHz (Q1’10) and this looks like my bottleneck.
Does this sound like a reasonable speed for this setup?
Are there any IKE/ESP encryption combinations that are extra nice to the CPU?
show vpn ipsec esp-group ESP
 compression disable
 lifetime 3600
 mode tunnel
 pfs disable
 proposal 1 {
     encryption aes256
     hash sha1
 }
 proposal 2 {
     encryption aes128
     hash sha1
 }
I have around 250 VTI tunnels, and 2 tunnels over fibre link connecting to different locations, and when we tested Vyatta/VyOS we used a standard PC (i5 first gen, 4 GB RAM and VMware virtualization) and CPU utilization showed 0.1%. So I think your configuration is OK.
If I understand it correctly, IPsec is single core/NIC bound in VyOS and doesn't use AES-NI for HW acceleration at the moment?
But by simply using 2 external NICs I can pretty much double my IPsec throughput as long as I have cores to match, or am I oversimplifying this? (max IPsec throughput 1/2 per one session/tunnel)
Would an Intel Xeon E3-1271 v3 at 3.6GHz and a Broadcom 5720 NIC be a pretty decent setup for this? Maybe an Intel I350 DP instead of the Broadcom 5720?
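Putting the two pieces of advice from this thread together (DPD so a tunnel heals itself after an ISP drop, and a lighter cipher suite than AES-CBC + SHA1 for the CPU), here is an added example of a spoke-side VTI configuration; it is not from any poster in the thread. The peer addresses, group names, VTI subnet and pre-shared secret are placeholders, and availability of the aes128gcm128 proposal depends on the VyOS version in use.

```vyos
# --- IKE group: DPD restarts the SA when the peer stops answering ---
# interval/timeout are constructed values; tune to the ISP's failover time
set vpn ipsec ike-group IKE-SPOKE key-exchange ikev2
set vpn ipsec ike-group IKE-SPOKE lifetime 28800
set vpn ipsec ike-group IKE-SPOKE dead-peer-detection action restart
set vpn ipsec ike-group IKE-SPOKE dead-peer-detection interval 30
set vpn ipsec ike-group IKE-SPOKE dead-peer-detection timeout 120
set vpn ipsec ike-group IKE-SPOKE proposal 1 dh-group 14
set vpn ipsec ike-group IKE-SPOKE proposal 1 encryption aes128gcm128
set vpn ipsec ike-group IKE-SPOKE proposal 1 hash sha256

# --- ESP group: AES-GCM (AEAD) instead of AES-CBC + SHA1, PFS enabled ---
# GCM does encryption and integrity in one pass, which is cheaper per packet
# than CBC plus a separate HMAC; PFS costs one DH exchange per rekey, not per packet
set vpn ipsec esp-group ESP-SPOKE lifetime 3600
set vpn ipsec esp-group ESP-SPOKE mode tunnel
set vpn ipsec esp-group ESP-SPOKE pfs dh-group14
set vpn ipsec esp-group ESP-SPOKE proposal 1 encryption aes128gcm128
set vpn ipsec esp-group ESP-SPOKE proposal 1 hash sha256

# --- VTI interface and peer (203.0.113.0/24 is documentation space, placeholder) ---
set interfaces vti vti0 address 10.255.0.2/30
set interfaces vti vti0 description 'to-hub'
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec site-to-site peer 203.0.113.1 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 203.0.113.1 authentication pre-shared-secret 'CHANGE-ME-PLACEHOLDER'
set vpn ipsec site-to-site peer 203.0.113.1 ike-group IKE-SPOKE
set vpn ipsec site-to-site peer 203.0.113.1 local-address 203.0.113.2
set vpn ipsec site-to-site peer 203.0.113.1 vti bind vti0
set vpn ipsec site-to-site peer 203.0.113.1 vti esp-group ESP-SPOKE
```

After `commit`, `show vpn ipsec sa` should list the peer as up, and pulling the WAN link for longer than the DPD timeout should show the SA being torn down and renegotiated without manual intervention.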