L2TP+IPSEC CPU/RAM resources

A bit of a strange question. And I know I won’t get a definitive answer. But I’m just looking for any advice.

I have a client that needs to get 1500 employees on L2TP+IPSEC VPN. They don’t want to change from L2TP because it’s what they already use. They are currently using a Cisco that only allows them 300 connections at once.

My question is, what sort CPU/RAM specs do you think I would need for IPFire to handle 1500 L2TP connections at once? It’s really pretty light traffic. Mostly a website and a probably 1x 1MB PDF downloaded per minute during business hours (max). Possibly some light HAProxying.

Would any i7+16GB do the trick? Or would I need something beefier like a threadripper/epic chip?


There’s a mid-way: AMD Ryzen.
Normally AMD Ryzen chips have more cores, faster ram access, more PCIe Lanes (this can lead to more network adapters) and as bonus, a more realistic TDP than Intel Core (which is reported by Team Blue as the normal use, while Team Red report it on high load).
So you can find a consumer-grade CPU device with 12 cores, and don’t forget that currently IPFire do not enable Hyperthreading by default for improve security (lower footprint for speculative execution exploits like Spectre and Meltdown).

Here is reported a configuration choosen for 120 IPSec tunnels.

Here you can find a comparison between the CPU into that Proliant DL160, a Ryzen 7 with the same number of core and lower TDP, and a Ryzen 9 with 12 cores with an higher TDP.

An high quality and efficiency PSU, a NVMe SSD, 16GB of ram, a top class mainboard for reliability with the X570 chipset, few network cards (please, not realtek).
This is what it will cost you to give a shot.

It will be enough? I don’t know.
Certainly, as pure hardware, it will cost much less than Cisco plus the license fees.
As power consumption, i’m quite confident that the Cisco solution will drain less power, a lot.

@ms may the Lightining Wires Business Appliance suits for @chemdream needs?

It will be good to know if that’s supposed to be a temporary project or to be run for a longer time? I wouldn’t rely on end consumer hardware in professional use. Is there any need of 19" compatibility? In my opinion a Ryzen Embedded will be fine, or for more CPU power + higher TDP Ryzen PROs. That’s mostly up to the wanted throughput of the VPN gateway. Current Intel CPU architectures are not recommended due to security vulnerability.

Where? This is a regular CPU benchmark comparision with no relation to VPN, numbers of parallel connections or the throughput.

Hi there. This would be a permanent long term solution.

Rack would be nice but not necessary. At their data center that actually have a caged area with shelves instead of racks :-)… All their gear are rack cases other than a nuc for a dev/test environment.

I just can’t find a metric anywhere that is like: “100 tunnels will require X cores and ram”. I know it’s hard to quantify so I’m looking to overkill this thing so I know I at least hit their 1500 at once mark.

Maybe you should consider online services as well: just like insys connectivity service so you needn’t maintain the hard- and software. You will not be able to run performance tests with test hardware because your client will not accept testing with his productive environment.

This is not possible because it’s up to many factors: hard- and software-related and also to the vpn configuration. For exampe if the vpn server software is not able to handle 16 cores it’s totally useless to buy a 16 core processor.

Since I could never sell an industrial computer without ECC RAM, I wouldn’t recommend you to do that. Too bad that I can find many manufacturers for Intel workstation mainboard but not for AMD. There are some epyc embedded boards, but only ITX. Find a AM4 board from a known manufaturer for industrial hardware and you may be fine even with a Athlon PRO processor. You won’t need much RAM and only a litte SSD ( I usually buy kind of old SCL SSDs with 30-40GB).

Thanks. How many cores do you think I need to 100% know it will handle 1500 l2tp tunnels?

I was hoping someone would have a real world metric. Something like: “I have a l2tp server with an X CPU. We average around Y tunnels at once and it’s usually at Z% load”.

The only industrial boards for AMD AM4 CPUs I can find are from Asrock Industrial:


All the others are embedded, AMD Epyc/SP3 or Intel.

I wouldn’t buy anything more than a quad core, like the Ryzen 5 Pro 3400G or max. the Ryzen 5 Pro 3600.

Thanks! I’ll leave this open a bit longer before marking that as the solution.

Just to see if someone comes with some real world measurements that they’ve run themselves.