I just set up a point-to-point VPN tunnel between a central 3825 and two remote 2811s over a 100Mb link via Ethernet.
I'm using AES256 encryption for isakmp and ipsec. Speeds w/o the tunnel active between the remote and central site are 60-70Mb. Speeds WITH the tunnel are 28-32Mb.
Why such a large decrease in speed? And is this a good result or should I be able to increase speeds somehow?
CPU utilization on the 2811s increases to around 75% when a large amount of traffic is being passed. I assume this has something to do with the speed decreases.
An IPSec VPN between a Cisco 2811 running IOS 12.4(24)T Advanced Enterprise with on-board encryption can get you about 60Mbps throughput with AES-256/SHA/DH-5/PFS-group5.
I tested it from a C2811 with a Checkpoint SPLAT NGx R70 firewall. At 60Mbps throughput, the Cisco 2811 CPU is running about 98% Utilization.
Make sure you have these lines in your 2811 config:
crypto engine accelerator
crypto engine onboard 0
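One way to check a saved config for the two lines quoted in the reply above (an added example, not part of the original thread or any Cisco tooling). The function names and both sample configs are constructed for illustration, and the check assumes the usual IOS convention that a leading `no ` negates a command; it inspects only the text of the file, so a line reported as missing means it is absent from the file, nothing more.

```python
import re

# The two lines quoted in the reply above.
REQUIRED = ("crypto engine accelerator", "crypto engine onboard 0")

def audit_crypto_engine(config_text):
    """Return {line: 'present' | 'negated' | 'missing'} for each required line."""
    status = {line: "missing" for line in REQUIRED}
    for raw in config_text.splitlines():
        # Collapse whitespace so indentation or double spaces do not hide a match.
        line = re.sub(r"\s+", " ", raw.strip())
        if not line or line.startswith("!"):
            continue  # blank line or IOS comment/separator
        negated = line.startswith("no ")
        body = line[3:] if negated else line
        if body in status:
            # A later occurrence overrides an earlier one in the same file.
            status[body] = "negated" if negated else "present"
    return status

def hardware_crypto_configured(config_text):
    """True only when every required line is present and none is negated."""
    return all(s == "present" for s in audit_crypto_engine(config_text).values())

# Constructed sample configs (not taken from any real device).
SAMPLE_OK = """\
hostname remote-a
!
crypto engine accelerator
crypto engine onboard 0
!
crypto isakmp policy 10
 encr aes 256
"""

SAMPLE_NEGATED = """\
hostname remote-b
!
crypto engine accelerator
no crypto engine  onboard 0
"""

if __name__ == "__main__":
    for name, cfg in (("remote-a", SAMPLE_OK), ("remote-b", SAMPLE_NEGATED)):
        print(name, audit_crypto_engine(cfg), hardware_crypto_configured(cfg))
```
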
The encrypt/decrypt process for the packets is performed by the CPU. Just like on a PC, the busier the CPU, the slower everything performs. You are in luck though. Cisco has an AIM card which performs the encrypt/decrypt and allows the CPU to perform other duties. You will see a 'speed' gain when using the AIM card. Here's a link for more information.
A helpful guide once they are installed-
Hope it helps.