Sunday, April 6, 2008

IPsec VPN load balancing - technical bit

Many enterprises have multiple WAN links, both to share the WAN load and to provide redundancy. Increasingly, the links are bought from different providers so that connectivity survives a failure at one service provider's end. There are many solutions in the market that take advantage of multiple links by bonding them. Since the links belong to different service providers, load sharing is typically done at the connection level: all packets of one 5-tuple connection go through the same WAN link, while packets belonging to different connections go via different links.

These solutions treat the IPsec VPN tunnel between two offices as a single connection. So even if both offices have multiple links, the bandwidth available to IPsec traffic is limited to the bandwidth of the one link selected for the tunnel; more precisely, to the smaller of the selected office 1 link and the selected office 2 link. In many situations the traffic between offices (branch offices to head office) is mainly IPsec traffic, so this is exactly the traffic that cannot use the extra links.

IPsec VPN load balancing functionality is expected to solve the above problem and make full use of the bandwidth provided by multiple links.

Let us examine different deployment scenarios:
  • Scenario 1: Branch office with one WAN link and head office with multiple WAN links, with the entire VPN traffic on each side serviced by one VPN router (or UTM box).
  • Scenario 2: Both offices with multiple WAN links, with all the VPN traffic on each side serviced by one VPN router (UTM box).
  • Scenario 3: Branch office with multiple low-bandwidth links and head office with one high-bandwidth link.
  • Scenario 4: Both offices with multiple WAN links and as many UTM VPN routers as there are links.
IPsec VPN functionality is typically used in tunnel mode. In tunnel mode, the IP packets traversing between the sites are encapsulated: a new IP header, called the outer IP header, is added in front of the original packet. The outer IP header is used only to route the packet across the Internet to the right VPN router, so its addresses must be public IP addresses. These addresses are called 'gateway' IP addresses: the local gateway IP address is the source IP and the remote gateway IP address is the destination IP of the outer header, and together they form a 'gateway pair'. The WAN link load balancing function uses these outer addresses to pick the WAN link. Since every WAN link offers a default route, the destination address alone cannot decide between them, so the choice is effectively made on the outer source IP address, i.e. the link that owns that address. Hence, the VPN router must create multiple tunnels with different local gateway IP addresses and balance its outbound traffic across these tunnels to use the local WAN links efficiently. The remote router is expected to do the same for its outbound traffic, because each side controls only the direction it sends.

In all scenarios, the IPsec VPN functionality of the UTM box should accept a multiple-gateway-pair configuration in the appropriate SPD policy records. In theory there can be M * N pairs, with M being the number of links in site 1 and N the number of links in site 2. In practice, the number of gateway pairs one would configure is somewhere between min(M, N) and M * N. For example, in scenario 3 with two WAN links in the branch office, both the head office router and the branch office router are configured with two gateway pairs. On the head office side the local gateway IP address is the same in both pairs (its single link) and the remote addresses differ; on the branch office side the remote gateway IP address is the same in both pairs and the local addresses differ.

How to load balance traffic among multiple tunnels between two sites:

Many VPN routers today have stateful security functions such as firewall, IPS, etc., and UTM boxes used in place of VPN routers have many such functions. If the entire VPN traffic of a site is handled by one device, packet-based load balancing across the tunnels works fine: the device sees every packet of every connection whichever tunnel it takes (although spreading one flow over links with different latency reorders its packets, which hurts TCP throughput). But if the WAN links are terminated on two different VPN routers with stateful functionality (scenario 4), packet-based load balancing does not work, because each router sees only a fraction of a connection's packets and its firewall or IPS state tracking breaks. Even connection-based load balancing can have problems for applications with multiple related connections (e.g. FTP's control and data connections), which may land on different routers. Hence, I suggest not using dynamic load balancing in that case, but doing manual load balancing instead: create multiple SPD policy records between the two sites, each with a different gateway pair and with different (disjoint) selectors, so that the inner addresses or ports decide which tunnel, and therefore which router, carries a flow.

In summary: packet-based load balancing across the different tunnels of one SPD policy record is applicable only if the VPN routers have no stateful security functions, or if a single VPN router terminates all the tunnels. Otherwise, split the traffic by selector into separate SPD policy records, one per gateway pair.
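To make the gateway-pair configuration and the two balancing approaches concrete, here is an added toy model in Python. It is not code from the original post. It builds the scenario 3 pair set as seen from the branch office, then contrasts one SPD record holding both gateway pairs (with per-packet or per-connection selection) against the manual alternative of two records with disjoint selectors, each tied to one gateway pair. All addresses and subnets are constructed examples from documentation ranges, the hash-based per-connection selection is an assumed implementation, and a real SPD would also carry the policy action and protocol/port selectors.

```python
"""Toy model of IPsec SPD policy records carrying multiple gateway pairs.
Added illustration for this post, not code from the original. Addresses are
constructed examples from documentation ranges."""
import hashlib
import ipaddress
import itertools
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class GatewayPair:
    """Outer-header addresses of one tunnel: local WAN address -> remote gateway."""
    local: str
    remote: str


@dataclass(frozen=True)
class Packet:
    """Inner 5-tuple of a packet that is about to be protected."""
    src: str
    dst: str
    proto: int
    sport: int
    dport: int


@dataclass
class SPDRecord:
    """One SPD policy record: traffic selectors plus one or more gateway pairs."""
    src_net: ipaddress.IPv4Network
    dst_net: ipaddress.IPv4Network
    pairs: List[GatewayPair]
    _rr: itertools.cycle = field(init=False, repr=False)

    def __post_init__(self):
        self._rr = itertools.cycle(range(len(self.pairs)))

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in self.src_net
                and ipaddress.ip_address(pkt.dst) in self.dst_net)

    def tunnel_per_packet(self) -> GatewayPair:
        # Round-robin: consecutive packets of one flow leave on different links.
        return self.pairs[next(self._rr)]

    def tunnel_per_connection(self, pkt: Packet) -> GatewayPair:
        # Hash the inner 5-tuple so every packet of a flow uses the same tunnel.
        key = f"{pkt.src}|{pkt.dst}|{pkt.proto}|{pkt.sport}|{pkt.dport}".encode()
        idx = int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % len(self.pairs)
        return self.pairs[idx]


def all_gateway_pairs(local_links: List[str], remote_links: List[str]) -> List[GatewayPair]:
    """Full M*N pair set between a site with M links and one with N links."""
    return [GatewayPair(loc, rem) for loc, rem in itertools.product(local_links, remote_links)]


def spd_lookup(spd: List[SPDRecord], pkt: Packet) -> Optional[SPDRecord]:
    """Ordered SPD search: the first matching record wins."""
    for rec in spd:
        if rec.matches(pkt):
            return rec
    return None


# Scenario 3 seen from the branch: two low-bandwidth links (M=2) towards a
# head office with one link (N=1). Constructed addresses.
BRANCH_LINKS = ["198.51.100.1", "198.51.100.2"]
HQ_LINKS = ["203.0.113.1"]
BRANCH_LAN = ipaddress.ip_network("10.1.0.0/23")
HQ_LAN = ipaddress.ip_network("10.0.0.0/16")


def balanced_spd() -> List[SPDRecord]:
    """One record holding both gateway pairs; the router picks the tunnel itself."""
    return [SPDRecord(BRANCH_LAN, HQ_LAN, all_gateway_pairs(BRANCH_LINKS, HQ_LINKS))]


def manual_spd() -> List[SPDRecord]:
    """Manual split: disjoint selectors, one gateway pair each. The inner subnet
    fixes the tunnel, so no per-packet or per-connection choice is made."""
    return [
        SPDRecord(ipaddress.ip_network("10.1.0.0/24"), HQ_LAN,
                  [GatewayPair(BRANCH_LINKS[0], HQ_LINKS[0])]),
        SPDRecord(ipaddress.ip_network("10.1.1.0/24"), HQ_LAN,
                  [GatewayPair(BRANCH_LINKS[1], HQ_LINKS[0])]),
    ]


def outer_source(spd: List[SPDRecord], pkt: Packet, mode: str = "connection") -> Optional[str]:
    """Outer source IP (hence WAN link) the packet leaves on, or None if no policy matches."""
    rec = spd_lookup(spd, pkt)
    if rec is None:
        return None
    pair = rec.tunnel_per_packet() if mode == "packet" else rec.tunnel_per_connection(pkt)
    return pair.local


if __name__ == "__main__":
    flow = Packet("10.1.1.5", "10.0.3.7", 6, 40001, 443)
    print("manual   :", outer_source(manual_spd(), flow))
    spd = balanced_spd()
    print("per-conn :", [outer_source(spd, flow) for _ in range(3)])
    print("per-pkt  :", [outer_source(spd, flow, "packet") for _ in range(3)])
```

With `manual_spd()` the link is fixed purely by the inner subnet, which is why it stays correct even when each link is terminated on a different stateful router: every packet of a given host, and every connection that host opens, takes the same path. With `balanced_spd()` the per-connection mode keeps a flow on one tunnel but gives no such guarantee for two flows from the same host, and the per-packet mode alternates links packet by packet.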


alex smith said...

The customer service and the product are fantastic! I've had no problems establishing a connection out of China and have seen remarkable speed improvements as well! Highly recommend VPN!

Mary said...

I would like to thank you for posting this article. Indeed this VPN is so far the best and fastest. I just wish this will last longer than my previous setup. Thank you and more power!
