Bobcares
Client Area
Emergency Support
Latest | Server Management | VPN

How to load balance IPSEC protocol?

PDF Header PDF Footer

The load balance of IPSEC protocol allows us to fully access the available bandwidth between IPSEC VPN sites.

As a part of our Server Management Services, we help our Customers with VPN related requests regularly.

Let us today discuss the steps to load balance IPSEC protocol.

How to load balance IPSEC protocol?

IPSEC Virtual Private Network (VPN) helps to connect between two locations across an IP Wide Area Network (WAN) or across the Internet. Load balancing allows us to fully access available bandwidth between IPSEC VPN sites.

Let us discuss the steps to load balance IPSEC protocol over VPN tunnels to improve the load-balancing of IPSEC ESP traffic.

Setting the load balance method

Set the following load balancing command to balance or distribute data during a session:

config load-balance setting
set dp-load-distribution-method {to-master | src-ip | dst-ip | src-dst-ip | src-ip-sport | dst-ip-dport | src-dst-ip-sport-dport}
end

Flow Rules

When we are not able to load balance a certain type of data, we can send it to the primary FPM. This can be done by configuring flow rules for the traffic.

We can create our flow rules by utilizing the config load-balance flow-rule command. The default configuration utilizes this command to send IKE, GRE, session helper, Kerberos, BGP, RIP, IPv4, and IPv6 DHCP, PPTP, BFD, IPv4 multicast, and IPv6 multicast to the primary FPM.

The following configuration sends all IKE sessions to the primary FPM:

config load-balance flow-rule
edit 1
set status enable
set vlan 0
set ether-type ip
set protocol udp
set src-l4port 500-500
set dst-l4port 500-500
set action forward
set forward-slot master
set priority 5
set comment "ike"
next

edit 2
set status disable
set vlan 0
set ether-type ip
set protocol udp
set src-l4port 4500-4500
set dst-l4port 0-0
set action forward
set forward-slot master
set priority 5
set comment "ike-natt src"
next

edit 3
set status disable
set vlan 0
set ether-type ip
set protocol udp
set src-l4port 0-0
set dst-l4port 4500-4500
set action forward
set forward-slot master
set priority 5
set comment "ike-natt dst"

How to Determine the Primary FPM

The primary FPM carries out dynamic routing. Therefore, we can use the diagnose load-balance status command to choose which FPM is designated as the principal FPM.

The example below demonstrates a diagnosis of the load-balance status output. It reveals that the FPM, in this case, slot 3 is the primary or master FPM of the module.

Slot: 2 Module
FIM02: FIM04E3E16000222
Master FPM Blade: slot-3
Slot 3: FPM20E3E17900133
Status:Working Function:Active
Link: Base: Up Fabric: Up
Heartbeat: Management: Good Data: Good
Status Message: "Running"
Slot 4:
Status:Dead Function:Active
Link: Base: Up Fabric: Down
Heartbeat: Management: Failed Data: Failed
Status Message: "Waiting for management heartbeat."

Load balance IPSEC VPN

We can use the following command to enable or disable IPSEC VPN load balancing:

config load-balance setting
config ipsec-load-balance {disable | enable}
end

By default, the IPSEC VPN sessions are directed to the DP2 processors and load-balanced to the FPMs. However, IPSEC VPN sessions traveling between two IPSEC tunnels will be dropped because the two IPSEC tunnels may be terminated on different FPMs.

So, if we have traffic entering the device from one IPSEC VPN tunnel and leaving the device out another IPSEC VPN tunnel, we need to disable IPSEC load balancing:

config load-balance setting
config ipsec-load-balance disable
end

Rules enabled on disabling IPSEC VPN load balancing include:

config load-balance flow-rule
edit 22
set ether-type ipv4
set protocol udp
set src-l4port 500-500
set dst-l4port 500-500
set comment "ipv4 ike"
next
edit 23
set ether-type ipv4
set protocol udp
set src-l4port 4500-4500
set comment "ipv4 ike-natt src"
next
edit 24
set ether-type ipv4
set protocol udp
set dst-l4port 4500-4500
set comment "ipv4 ike-natt dst"
next
edit 25
set ether-type ipv4
set protocol esp
set comment "ipv4 esp"
next
end

These flow rules should generally handle all IPSEC VPN traffic for VPN tunneling protocols. We can also adjust them or add our own flow rules if we have an IPSEC VPN setup that is not compatible with the default flow rules.

GTP load balancing

We can use the following command to enable or disable GTP load balancing.

config load-balance setting
config gtp-load-balance {disable | enable}
end

By default, this option is disabled and GTP load balancing is disabled. The following flow rule is enabled and GTP traffic is directed to the primary (master) FPM.

config load-balance flow-rule
edit 17
set ether-type ipv4
set protocol udp
set dst-l4port 2123-2123
set comment "gtp-c to master blade"
next
end

When the GTP-load-balance option is enabled, the GTP load balancing is flow rule is disabled. GTP sessions are directed to the DP2processors and load-balanced to the FPMs.

Default Configuration For Traffic That Cannot Be Load Balanced

Recommended flow rules to handle common forms of traffic that cannot be load balanced are given below. These flow rules send GPRS (port 2123), SSL VPN, IPv4, and IPv6 IPSEC VPN, ICMP, and ICMPv6 traffic to the primary (or master) FPM.

config load-balance flow-rule
edit 20
set status enable
set ether-type ipv4
set protocol udp
set dst-l4port 2123-2123
next

edit 21
set status enable
set ether-type ip
set protocol tcp
set dst-l4port 10443-10443
set comment "ssl vpn to the primary FPM"
next

edit 22
set status enable
set ether-type ipv4
set protocol udp
set src-l4port 500-500
set dst-l4port 500-500
set comment "ipv4 ike"
next

edit 23
set status enable
set ether-type ipv4
set protocol udp
set src-l4port 4500-4500
set comment "ipv4 ike-natt src"
next

edit 24
set status enable
set ether-type ipv4
set protocol udp
set dst-l4port 4500-4500
set comment "ipv4 ike-natt dst"
next

edit 25
set status enable
set ether-type ipv4
set protocol esp
set comment "ipv4 esp"
next

edit 26
set status enable
set ether-type ipv6
set protocol udp
set src-l4port 500-500
set dst-l4port 500-500
set comment "ipv6 ike"
next

edit 27
set status enable
set ether-type ipv6
set protocol udp
set src-l4port 4500-4500
set comment "ipv6 ike-natt src"
next

edit 28
set status enable
set ether-type ipv6
set protocol udp
set dst-l4port 4500-4500
set comment "ipv6 ike-natt dst"
next

edit 29
set status enable
set ether-type ipv6
set protocol esp
set comment "ipv6 esp"
next

edit 30
set ether-type ipv4
set protocol icmp
set comment "icmp"
next

edit 31
set status enable
set ether-type ipv6
set protocol icmpv6
set comment "icmpv6"
next

edit 32
set ether-type ipv6
set protocol 41
end

[Need any further assistance to load balance IPSEC protocol? – We’re available 24*7]

Conclusion

In short, the load balance of IPSEC protocol allows us to fully access the available bandwidth between IPSEC VPN sites. Today, we saw how our Support Engineers load balance IPSEC protocol.

 

 

Related posts:

    1. Advantages and Disadvantages of IPSec – A quick view
    2. IPSec vulnerabilities and fixes – A quick look
    3. Quick way to install OpenVPN client in Debian
    4. Windows VPN error 691- Smart troubleshooting methods

PREVENT YOUR SERVER FROM CRASHING!

Never again lose customers to poor server speed! Let us help you.

Our server experts will monitor & maintain your server 24/7 so that it remains lightning fast and secure.

GET STARTED

var google_conversion_label = "owonCMyG5nEQ0aD71QM";
0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *

server management

Spend time on your business, not on your servers.

TALK TO US

Or click here to learn more.

Related Articles

  1. Advantages and Disadvantages of IPSec – A quick view
  2. IPSec vulnerabilities and fixes – A quick look
  3. Quick way to install OpenVPN client in Debian
  4. Windows VPN error 691- Smart troubleshooting methods

Top Categories

Speed issues driving customers away?
We’ve got your back!

OPTIMIZE TODAY