Surely there are MT routers which can do IPsec with throughputs higher than 200Mbps. But only if they support appropriate HW offload functions (not all of them do). All MT routers have product pages and one of the sections there is "Test results". And a part of the test results page is "IPsec test results". So you can get an idea about the IPsec capabilities of every router.
Beware that not all IPsec encryption algorithms and key lengths are supported in hardware. You can consult https://help.mikrotik.com/docs/display/ROS/IPsec, specifically the section "Hardware acceleration", to see what fits and what does not.
Generally I'd guess that for higher throughputs using CHR on decent hardware would be a more cost-effective solution than using a powerful MT router. And I'd guess that single-core CPU speed is the most important parameter when choosing hardware for running CHR.
If you can, you may want to consider other tunneling protocols. WireGuard is supported quite well in ROS (v7) and requires only a fraction of the CPU resources for the same throughput as IPsec does. In addition, MT's IPsec implementation doesn't include all the bells and whistles of the best implementations, so there's a possibility that the IPsec tunnel doesn't establish if the other end is not Mikrotik.
Statistics: Posted by mkx — Thu Mar 21, 2024 1:49 pm