I previously had a Site-to-Site IPsec VPN configured between a Vigor 2865 and an old 2860. I wasn't expecting great performance, and could only ever get about 25Mbps throughput, despite the 2860 being rated at 50Mbps IPsec.
Anyway, I upgraded the 2860 to a 2927, and as expected, am getting far better performance. However, with around 70Mbps across the tunnel, both routers sit at around 40-45% CPU as per the Web GUI.
Assuming CPU load scales fairly linearly with throughput, this means 150Mbps on the VPN would result in ~90% CPU use - add a bit of NAT traffic or other load, and the router is maxed out.
This seems odd since both the 2865 and 2927 are rated for 800Mbps IPsec with Hardware Acceleration enabled. (H/w acceleration is enabled on both sides).
I recall reading somewhere (possibly this forum) that h/w accelerated VPN does not work if one side is behind a NAT. Is this true?
Technically, the 2865 (dial-in router) is behind a NAT - this is because the ISP box does not support true modem / bridge mode, so a double NAT with the Draytek in the DMZ was the best I could do. I sometimes forget this is the case though, as everything works flawlessly, including inbound VPN.
Does anybody have any info on this? It is of course not actually causing any issues at the moment, but having paid for 800Mbps IPsec capability, I would like to know that I can utilize it if needed, or at least understand why not.
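One thing worth checking before assuming anything about offload is whether the tunnel is actually running NAT-T, i.e. ESP wrapped in UDP port 4500 (RFC 3948) instead of native ESP (IP protocol 50). The classifier below is an added example, not code from this thread or from DrayTek; it assumes you can take a WAN-side capture of the tunnel traffic and hand it raw IPv4 packets (for instance from a pcap reader). The packets it is fed here are constructed inline so it runs offline. It only tells you which encapsulation is on the wire; it says nothing about what the router's hardware engine does with it.

```python
import struct
from collections import Counter

ESP_PROTO = 50      # native ESP, IP protocol 50
UDP_PROTO = 17
IKE_PORT = 500      # IKE without NAT-T
NATT_PORT = 4500    # IKE and ESP after NAT-T has been negotiated


def classify(pkt: bytes) -> str:
    """Label one raw IPv4 packet by its IPsec encapsulation."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    payload = pkt[ihl:]
    if proto == ESP_PROTO:
        return "esp"                      # native ESP, no NAT between peers needed
    if proto != UDP_PROTO or len(payload) < 8:
        return "other"
    sport, dport, ulen = struct.unpack("!HHH", payload[:6])
    data = payload[8:ulen]                # UDP length field includes the 8-byte header
    if NATT_PORT in (sport, dport):       # one port may be rewritten by the NAT box
        if data == b"\xff":
            return "natt-keepalive"       # RFC 3948 keepalive: single 0xFF byte
        if data[:4] == b"\x00\x00\x00\x00":
            return "natt-ike"             # IKE on 4500 carries a 4-byte non-ESP marker
        if len(data) >= 8:
            return "natt-esp"             # UDP-encapsulated ESP: SPI is the first 4 bytes
        return "other"
    if IKE_PORT in (sport, dport):
        return "ike"
    return "other"


def summarize(packets):
    """Count encapsulation types and say whether NAT-T is in use."""
    counts = Counter(classify(p) for p in packets)
    natt = counts["natt-esp"] + counts["natt-ike"] + counts["natt-keepalive"] > 0
    return dict(counts), natt


# ---- constructed sample packets (not captured from the poster's routers) ----
def _ip(s):
    return bytes(int(x) for x in s.split("."))


def ipv4(proto, src, dst, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      64, proto, 0, _ip(src), _ip(dst))
    return hdr + payload


def udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


A, B = "203.0.113.10", "198.51.100.20"   # RFC 5737 documentation addresses
esp_body = struct.pack("!II", 0x12345678, 1) + b"\x00" * 8   # SPI, seq, ciphertext

SAMPLE = [
    ipv4(ESP_PROTO, A, B, esp_body),                              # native ESP
    ipv4(UDP_PROTO, A, B, udp(500, 500, b"\x11" * 28)),           # IKE on 500
    ipv4(UDP_PROTO, A, B, udp(4500, 4500, b"\xff")),              # NAT-T keepalive
    ipv4(UDP_PROTO, A, B, udp(4500, 4500, b"\x00" * 4 + b"\x22" * 28)),  # IKE on 4500
    ipv4(UDP_PROTO, B, A, udp(61234, 4500, esp_body)),            # ESP-in-UDP, src port NATed
]

if __name__ == "__main__":
    counts, natt = summarize(SAMPLE)
    print(counts)
    print("NAT-T in use:", natt)
```

If a capture of the tunnel shows only `esp`, the peers are talking native ESP; `natt-esp` (with `natt-keepalive` every few seconds) means NAT traversal was negotiated, which is the case to expect when the dial-in side sits behind the ISP box's NAT as described above.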