An IPsec VPN tunnel between two offices is treated as one connection by these solutions. As a result, even when both offices have multiple links, IPsec traffic is limited to the bandwidth of the single link selected for the tunnel; more precisely, to the lower of the two bandwidths of the link selected at office 1 and the link selected at office 2. In many deployments, the traffic between offices (branch offices to head office) is mainly IPsec traffic.
IPsec VPN load balancing functionality is expected to solve the above problem and fully utilize the bandwidth provided by multiple links.
Let us examine different deployment scenarios:
- Scenario 1: Branch office has one WAN link and the head office has multiple WAN links, and the entire VPN traffic on each side is serviced by one VPN router (or UTM box).
- Scenario 2: Both offices have multiple WAN links and all VPN traffic on each side is serviced by one VPN router (UTM box).
- Scenario 3: Branch office has multiple low-bandwidth links and the head office has one high-bandwidth link.
- Scenario 4: Both offices have multiple WAN links and as many UTM VPN routers as there are links.
In all scenarios, the IPsec VPN functionality of the UTM box should accept multiple gateway pairs in the appropriate SPD policy records. In theory, there could be M * N pairs, with M being the number of links at site 1 and N the number of links at site 2. In practice, the number of gateway pairs one would configure is somewhere between min(M, N) and M * N. For example, in scenario 3, to take advantage of the multiple WAN links in the branch office, both the head office router and the branch office router can be configured with two gateway pairs. On the head office side, the local gateway IP address is the same across these two gateway pairs, and on the branch office side the remote gateway IP address is the same across the gateway pairs.
How to load balance traffic among multiple tunnels between two sites:
Many VPN routers today have stateful security functions such as firewall, IPS, etc., and UTM boxes used in place of VPN routers have many such stateful functions. If the entire VPN traffic is handled by one device, packet-based load balancing works fine. But if the WAN links are handled by two different VPN routers with stateful functionality, packet-based load balancing does not work, because each router then sees only part of a flow. Even connection-based load balancing can have problems for applications that use multiple connections. Hence, I suggest not using automatic load balancing, but instead doing manual load balancing by creating multiple SPD policy records between the two sites, each SPD policy record having a different gateway pair and different selectors.
In summary: packet-based load balancing across the different tunnels of one SPD policy record is applicable only if the VPN routers have no stateful security function or if one VPN router terminates all the tunnels.
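The following Python model is an added example, not code from the original post or from any VPN product: it represents SPD policy records with a traffic selector and a list of gateway pairs, builds the M * N gateway pairs for the scenario 3 layout (two branch links, one head office link), and contrasts the two approaches above. With one SPD record and per-packet round-robin across its gateway pairs, every flow ends up spread over both tunnels, which is what a stateful firewall sitting behind only one of two separate gateways cannot inspect correctly. With manual load balancing (two SPD records, disjoint selectors, one gateway pair each), each flow stays on one tunnel. The gateway addresses, subnets and packets are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from itertools import cycle, product
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class GatewayPair:
    """One IPsec tunnel endpoint pair: (local gateway IP, remote gateway IP)."""
    local: str
    remote: str


@dataclass
class SPDRecord:
    """An SPD policy record: a traffic selector plus the gateway pairs allowed to carry it."""
    src: IPv4Network
    dst: IPv4Network
    pairs: List[GatewayPair]

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return ip_address(src_ip) in self.src and ip_address(dst_ip) in self.dst


def gateway_pairs(local_gws: List[str], remote_gws: List[str]) -> List[GatewayPair]:
    """All M * N combinations of local and remote gateway addresses."""
    return [GatewayPair(l, r) for l, r in product(local_gws, remote_gws)]


def lookup(spd: List[SPDRecord], src_ip: str, dst_ip: str) -> Optional[SPDRecord]:
    """First-match SPD lookup; records are evaluated in order."""
    for rec in spd:
        if rec.matches(src_ip, dst_ip):
            return rec
    return None


# A packet is identified here by its flow 4-tuple: (src_ip, dst_ip, src_port, dst_port)
Flow = Tuple[str, str, int, int]


def distribute(spd: List[SPDRecord], packets: List[Flow],
               per_packet: bool) -> Dict[Flow, FrozenSet[GatewayPair]]:
    """Return, for every flow, the set of gateway pairs its packets were sent over.

    per_packet=True  -> round-robin each packet over the matching record's gateway pairs
    per_packet=False -> always the first pair of the matching record, so the selector
                        alone decides which tunnel a flow uses (manual load balancing)
    """
    rr = {id(rec): cycle(rec.pairs) for rec in spd}
    seen: Dict[Flow, set] = {}
    for pkt in packets:
        rec = lookup(spd, pkt[0], pkt[1])
        if rec is None:
            continue  # no policy: not tunnelled by this SPD
        pair = next(rr[id(rec)]) if per_packet else rec.pairs[0]
        seen.setdefault(pkt, set()).add(pair)
    return {flow: frozenset(pairs) for flow, pairs in seen.items()}


def split_flows(dist: Dict[Flow, FrozenSet[GatewayPair]]) -> List[Flow]:
    """Flows whose packets crossed more than one tunnel. A stateful firewall behind
    only one of two separate gateways sees just a fragment of each such flow."""
    return sorted(flow for flow, pairs in dist.items() if len(pairs) > 1)


# Constructed sample for scenario 3: branch 10.1.0.0/24 with two WAN links,
# head office 10.2.0.0/24 with one link (all addresses from documentation ranges).
BRANCH_GWS = ["198.51.100.1", "203.0.113.1"]
HQ_GWS = ["192.0.2.1"]
PAIRS = gateway_pairs(BRANCH_GWS, HQ_GWS)  # 2 pairs, same remote gateway in both

# Automatic balancing: one SPD record carrying both gateway pairs.
SPD_AUTO = [SPDRecord(ip_network("10.1.0.0/24"), ip_network("10.2.0.0/24"), PAIRS)]

# Manual balancing: two SPD records with disjoint selectors, one gateway pair each.
SPD_MANUAL = [
    SPDRecord(ip_network("10.1.0.0/25"), ip_network("10.2.0.0/24"), [PAIRS[0]]),
    SPDRecord(ip_network("10.1.0.128/25"), ip_network("10.2.0.0/24"), [PAIRS[1]]),
]

# Constructed traffic: three flows, three packets each.
FLOWS: List[Flow] = [
    ("10.1.0.10", "10.2.0.5", 40000, 443),
    ("10.1.0.200", "10.2.0.5", 40001, 443),
    ("10.1.0.77", "10.2.0.9", 40002, 22),
]
PACKETS: List[Flow] = [flow for flow in FLOWS for _ in range(3)]


if __name__ == "__main__":
    print("per-packet, one record :", split_flows(distribute(SPD_AUTO, PACKETS, True)))
    print("manual, two records    :", split_flows(distribute(SPD_MANUAL, PACKETS, False)))
```

The model deliberately keeps the tunnel choice as data so the two configurations can be compared on the same traffic; a real gateway would also consult the SA lifetime and IKE state, which are out of scope here.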