There is just lightyears between 20mbps and 1gbps......
Let me be honest. It would come as a big surpise if you reach 200mbps VPN traffic....
I have an ISA server handling my VPN, and if I push it, it will handle 130mbps... But only in peaks....Sustained traffic is around 100mbps..
And the tunnel is not encrypted.
Perhaps I phrased my post incorrectly. I do not expect to reach 1Gbps of VPN traffic on a single box. When I hit the limit of that single server, I will simply add another server and load balance the two. When I reach the limit on two, I'll add a third. I know the box can push 1Gbps easily, as I've pushed 1Gbps through the server (across the internet) with RRAS/NAT already, but I do understand that encryption adds significant processing overhead.
What I am trying to avoid, is placing myself in a situation where I need to start sizing and replacing firewalls because they can't bridge and firewall 1Gbps of traffic. I'd rather get that taken care of now as it's the unknown in my equation. I have worked with RRAS since Windows 2000 so I'm very comfortable with what I'll be able to push through it and how to upgrade it with no downtime. CPU usage due to VPN encryption scales rather linearly, at least with RRAS, so my 20Mbps baseline gives me a rough idea of how much I'll be able to push through the box.
Here's a great read from Microsoft on RRAS performance: http://blogs.technet.com/rrasblog/archive/2009/02/09/rras-performance-results.aspx
In short, on an 8-core 2.1GHz Opteron machine, pushing 650Mbps from a single VPN client only utilized 40% of the available processor time. Accounting for the older technology of my 1850, your 200Mbps number is likely pretty close to accurate. The more important numbers are the sustained throughput with a 1000 VPN client load however. As you can see, 1000 clients pushing 100Mbps uses 13% (PPTP) or 33% (SSTP) of the available processor time. While those are numbers from a lab test under ideal circumstances, it provides a rough idea of how many clients I will be able to support before I need to start adding additional CPU power.
I am puzzled by something you said however -- how do you have a VPN tunnel that is not encrypted?