Load balancing IPsec traffic lets us use the full bandwidth available between IPsec VPN sites.
As part of our Server Management Services, we regularly help our customers with VPN-related requests.
Today, let us discuss the steps to load balance the IPsec protocol.
How to load balance IPSEC protocol?
An IPsec Virtual Private Network (VPN) connects two locations across an IP Wide Area Network (WAN) or across the Internet. On a FortiGate 7000 series chassis, the FIM interface modules distribute sessions across the FPM processing modules, so load balancing the IPsec traffic lets us use the full bandwidth available between the IPsec VPN sites.
Let us discuss the steps to load balance IPsec traffic carried over VPN tunnels, which improves how IPsec ESP traffic is spread across the FPMs.
Setting the load balance method
Use the following command to choose how sessions are distributed across the FPMs (which packet fields are hashed to pick an FPM, or to-master to send everything to the primary FPM):
config load-balance setting
    set dp-load-distribution-method {to-master | src-ip | dst-ip | src-dst-ip | src-ip-sport | dst-ip-dport | src-dst-ip-sport-dport}
end
Flow Rules
When a certain type of traffic cannot be load balanced, we can send it to the primary FPM instead. This is done by configuring flow rules that match the traffic.
We can create our flow rules by utilizing the config load-balance flow-rule command. The default configuration utilizes this command to send IKE, GRE, session helper, Kerberos, BGP, RIP, IPv4, and IPv6 DHCP, PPTP, BFD, IPv4 multicast, and IPv6 multicast to the primary FPM.
The following default rules send IKE (UDP 500) sessions to the primary FPM; the two NAT-T (UDP 4500) rules are present but disabled by default:
config load-balance flow-rule
    edit 1
        set status enable
        set vlan 0
        set ether-type ip
        set protocol udp
        set src-l4port 500-500
        set dst-l4port 500-500
        set action forward
        set forward-slot master
        set priority 5
        set comment "ike"
    next
    edit 2
        set status disable
        set vlan 0
        set ether-type ip
        set protocol udp
        set src-l4port 4500-4500
        set dst-l4port 0-0
        set action forward
        set forward-slot master
        set priority 5
        set comment "ike-natt src"
    next
    edit 3
        set status disable
        set vlan 0
        set ether-type ip
        set protocol udp
        set src-l4port 0-0
        set dst-l4port 4500-4500
        set action forward
        set forward-slot master
        set priority 5
        set comment "ike-natt dst"
    next
end
How to Determine the Primary FPM
The primary FPM runs dynamic routing and receives all traffic that flow rules forward to master, so it matters which FPM holds that role. Use the diagnose load-balance status command to see which FPM is currently the primary (master) FPM.
The example below shows the output of diagnose load-balance status. It reports that the FPM in slot 3 is the primary (master) FPM for this FIM, and that the FPM in slot 4 is dead: its fabric link is down and both heartbeats have failed.
Slot: 2 Module FIM02: FIM04E3E16000222
  Master FPM Blade: slot-3
    Slot 3: FPM20E3E17900133
      Status:Working   Function:Active
      Link:      Base: Up          Fabric: Up
      Heartbeat: Management: Good   Data: Good
      Status Message:"Running"
    Slot 4:
      Status:Dead   Function:Active
      Link:      Base: Up          Fabric: Down
      Heartbeat: Management: Failed   Data: Failed
      Status Message:"Waiting for management heartbeat."
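Checking the master FPM by eye is fine once; checking it from a monitoring job is not. The following added example (ours, not Fortinet code and not part of the original article) parses the diagnose load-balance status output above into a structure, reports which FPM is the master, and flags FPMs that cannot carry load. The sample text is a constructed copy of the article's output with its line breaks and indentation restored; the "healthy" test (Working, fabric Up, both heartbeats Good) is our own definition, not a FortiOS one.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample (not captured from a live chassis): the "diagnose
# load-balance status" output quoted in the article, with its line breaks
# and indentation restored.
SAMPLE_STATUS = """\
Slot: 2 Module FIM02: FIM04E3E16000222
  Master FPM Blade: slot-3
    Slot 3: FPM20E3E17900133
      Status:Working   Function:Active
      Link:      Base: Up          Fabric: Up
      Heartbeat: Management: Good   Data: Good
      Status Message:"Running"
    Slot 4:
      Status:Dead   Function:Active
      Link:      Base: Up          Fabric: Down
      Heartbeat: Management: Failed   Data: Failed
      Status Message:"Waiting for management heartbeat."
"""


@dataclass
class FpmStatus:
    slot: int
    serial: str                 # empty when the blade does not report one
    status: str = ""
    function: str = ""
    base_link: str = ""
    fabric_link: str = ""
    mgmt_heartbeat: str = ""
    data_heartbeat: str = ""
    message: str = ""

    def healthy(self) -> bool:
        """Our definition (an assumption): an FPM can carry load only if it is
        Working, its fabric link is Up and both heartbeats are Good."""
        return (self.status == "Working" and self.fabric_link == "Up"
                and self.mgmt_heartbeat == "Good" and self.data_heartbeat == "Good")


@dataclass
class LoadBalanceStatus:
    fim_slot: int
    fim_serial: str
    master_fpm_slot: int = -1   # -1 until the "Master FPM Blade" line is seen
    fpms: dict[int, FpmStatus] = field(default_factory=dict)


_FIM_RE = re.compile(r"^Slot:\s*(\d+)\s+Module\s+FIM\d+:\s*(\S+)")
_MASTER_RE = re.compile(r"Master FPM Blade:\s*slot-(\d+)")
_FPM_RE = re.compile(r"^\s*Slot\s+(\d+):\s*(\S*)\s*$")
_STATUS_RE = re.compile(r"Status:\s*(\S+)\s+Function:\s*(\S+)")
_LINK_RE = re.compile(r"Link:\s*Base:\s*(\S+)\s+Fabric:\s*(\S+)")
_HB_RE = re.compile(r"Heartbeat:\s*Management:\s*(\S+)\s+Data:\s*(\S+)")
_MSG_RE = re.compile(r'Status Message:\s*"([^"]*)"')


def parse_load_balance_status(text: str) -> LoadBalanceStatus:
    """Parse one FIM's section of "diagnose load-balance status"."""
    result: LoadBalanceStatus | None = None
    current: FpmStatus | None = None
    for line in text.splitlines():
        if m := _FIM_RE.match(line):
            result = LoadBalanceStatus(int(m.group(1)), m.group(2))
            current = None
        elif result is None:
            continue                      # banner lines before the FIM header
        elif m := _MASTER_RE.search(line):
            result.master_fpm_slot = int(m.group(1))
        elif m := _FPM_RE.match(line):
            current = FpmStatus(int(m.group(1)), m.group(2))
            result.fpms[current.slot] = current
        elif current is None:
            continue
        elif m := _STATUS_RE.search(line):
            current.status, current.function = m.groups()
        elif m := _LINK_RE.search(line):
            current.base_link, current.fabric_link = m.groups()
        elif m := _HB_RE.search(line):
            current.mgmt_heartbeat, current.data_heartbeat = m.groups()
        elif m := _MSG_RE.search(line):
            current.message = m.group(1)
    if result is None:
        raise ValueError("no 'Slot: N Module FIMxx:' header found")
    return result


def master_fpm_healthy(status: LoadBalanceStatus) -> bool:
    """True when the blade named as master is present and healthy."""
    fpm = status.fpms.get(status.master_fpm_slot)
    return fpm is not None and fpm.healthy()


def unhealthy_fpm_slots(status: LoadBalanceStatus) -> list[int]:
    """Slots whose FPM should not be counted on for load balancing."""
    return sorted(slot for slot, fpm in status.fpms.items() if not fpm.healthy())


if __name__ == "__main__":
    st = parse_load_balance_status(SAMPLE_STATUS)
    print(f"FIM slot {st.fim_slot}: master FPM is slot {st.master_fpm_slot}, "
          f"master healthy={master_fpm_healthy(st)}, "
          f"unhealthy FPMs={unhealthy_fpm_slots(st)}")
```

On the article's output this reports slot 3 as a healthy master and slot 4 as unhealthy. A chassis with several FIMs prints one such section per FIM; feed each section to the parser separately, and alert when master_fpm_healthy() is false or when a slot that flow rules rely on shows up in unhealthy_fpm_slots().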
Load balance IPSEC VPN
We can use the following command to enable or disable IPsec VPN load balancing:
config load-balance setting
    set ipsec-load-balance {disable | enable}
end
By default, IPsec VPN sessions are handled by the DP2 processors and load balanced across the FPMs. However, a session that enters on one IPsec tunnel and leaves on another may be dropped, because the two tunnels may be terminated on different FPMs.
So, if we have traffic entering the device on one IPsec VPN tunnel and leaving it on another IPsec VPN tunnel, we need to disable IPsec load balancing:
config load-balance setting
    set ipsec-load-balance disable
end
Disabling IPsec VPN load balancing enables the following flow rules, which send IKE, NAT-T and ESP traffic to the primary FPM:
config load-balance flow-rule
    edit 22
        set ether-type ipv4
        set protocol udp
        set src-l4port 500-500
        set dst-l4port 500-500
        set comment "ipv4 ike"
    next
    edit 23
        set ether-type ipv4
        set protocol udp
        set src-l4port 4500-4500
        set comment "ipv4 ike-natt src"
    next
    edit 24
        set ether-type ipv4
        set protocol udp
        set dst-l4port 4500-4500
        set comment "ipv4 ike-natt dst"
    next
    edit 25
        set ether-type ipv4
        set protocol esp
        set comment "ipv4 esp"
    next
end
These flow rules should handle all IPsec VPN traffic for the usual tunnelling protocols. We can also adjust them or add our own flow rules if our IPsec VPN setup does not fit the default rules.
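To see why the distribution method, the flow rules and the ipsec-load-balance setting interact the way the article describes, here is an added example in Python (ours, not FortiOS code and not from the article). It models a chassis with two working FPMs in slots 3 and 4, slot 3 being the master as in the status output above, and reproduces the default IKE rule plus rules 22 to 25. Assumptions are marked in the code: ether-type ip matches both ipv4 and ipv6; a port range of 0-0 means any port (the way the article's rules use it); rules are evaluated in id order and the first enabled match wins; and the hash is a toy (sum of the selected fields modulo the number of FPMs), since the real DP2 hash is not documented on the page. The peer addresses are constructed from documentation ranges.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Assumed chassis layout: two working FPMs, slot 3 is master (as in the
# article's "diagnose load-balance status" output).
FPM_SLOTS = [3, 4]
MASTER_SLOT = 3


@dataclass(frozen=True)
class Packet:
    ether_type: str      # "ipv4" or "ipv6"
    protocol: str        # "udp", "tcp", "esp", "icmp", ...
    src_ip: str
    dst_ip: str
    sport: int = 0
    dport: int = 0


@dataclass
class FlowRule:
    rule_id: int
    ether_type: str = "ip"
    protocol: str = "any"
    src_l4port: tuple[int, int] = (0, 0)
    dst_l4port: tuple[int, int] = (0, 0)
    forward_slot: str = "master"
    status: str = "enable"
    comment: str = ""

    def matches(self, pkt: Packet) -> bool:
        if self.status != "enable":
            return False
        if self.ether_type not in ("ip", pkt.ether_type):   # assumption: "ip" = v4 or v6
            return False
        if self.protocol not in ("any", pkt.protocol):
            return False
        return _port_ok(pkt.sport, self.src_l4port) and _port_ok(pkt.dport, self.dst_l4port)


def _port_ok(port: int, rng: tuple[int, int]) -> bool:
    lo, hi = rng
    return (lo, hi) == (0, 0) or lo <= port <= hi    # assumption: 0-0 means any port


def default_ipsec_flow_rules(ipsec_load_balance: bool) -> list[FlowRule]:
    """Rule 1 from the article's default config plus rules 22-25, which are
    enabled when ipsec-load-balance is disabled and disabled when it is enabled."""
    toggled = "disable" if ipsec_load_balance else "enable"
    return [
        FlowRule(1, "ip", "udp", (500, 500), (500, 500), comment="ike"),
        FlowRule(22, "ipv4", "udp", (500, 500), (500, 500), status=toggled, comment="ipv4 ike"),
        FlowRule(23, "ipv4", "udp", (4500, 4500), status=toggled, comment="ipv4 ike-natt src"),
        FlowRule(24, "ipv4", "udp", dst_l4port=(4500, 4500), status=toggled, comment="ipv4 ike-natt dst"),
        FlowRule(25, "ipv4", "esp", status=toggled, comment="ipv4 esp"),
    ]


# Fields hashed by each dp-load-distribution-method value.
_KEY_FIELDS = {
    "to-master": (),
    "src-ip": ("src_ip",),
    "dst-ip": ("dst_ip",),
    "src-dst-ip": ("src_ip", "dst_ip"),
    "src-ip-sport": ("src_ip", "sport"),
    "dst-ip-dport": ("dst_ip", "dport"),
    "src-dst-ip-sport-dport": ("src_ip", "dst_ip", "sport", "dport"),
}


def hashed_slot(pkt: Packet, method: str) -> int:
    """Toy hash (assumption): sum the selected fields and take it modulo the
    number of FPMs. Raises KeyError for a method name FortiOS does not offer."""
    fields = _KEY_FIELDS[method]
    if not fields:
        return MASTER_SLOT
    total = 0
    for name in fields:
        value = getattr(pkt, name)
        total += int(ipaddress.ip_address(value)) if name.endswith("_ip") else value
    return FPM_SLOTS[total % len(FPM_SLOTS)]


def dispatch(pkt: Packet, rules: list[FlowRule], method: str) -> int:
    """FPM slot that receives pkt: a matching flow rule pins it (first enabled
    match in id order, an assumption), otherwise the distribution method hashes it."""
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if rule.matches(pkt):
            return MASTER_SLOT if rule.forward_slot == "master" else int(rule.forward_slot)
    return hashed_slot(pkt, method)


# Constructed scenario: a hub at 203.0.113.1 terminates tunnels from peers
# 198.51.100.1 (A) and 192.0.2.2 (B); traffic hairpins from tunnel A to tunnel B.
HUB = "203.0.113.1"
IKE_A = Packet("ipv4", "udp", "198.51.100.1", HUB, 500, 500)
ESP_A = Packet("ipv4", "esp", "198.51.100.1", HUB)
ESP_B = Packet("ipv4", "esp", "192.0.2.2", HUB)
NATT_B = Packet("ipv4", "udp", "192.0.2.2", HUB, 4500, 4500)


def tunnel_slots(ipsec_load_balance: bool, method: str = "src-dst-ip") -> dict[str, int]:
    rules = default_ipsec_flow_rules(ipsec_load_balance)
    return {name: dispatch(p, rules, method)
            for name, p in (("ike_a", IKE_A), ("esp_a", ESP_A), ("esp_b", ESP_B), ("natt_b", NATT_B))}


if __name__ == "__main__":
    for enabled in (True, False):
        print(f"ipsec-load-balance {'enable' if enabled else 'disable'}: {tunnel_slots(enabled)}")
```

With ipsec-load-balance enabled, IKE still goes to the master because rule 1 stays on, but the ESP of tunnel A hashes to slot 3 and the ESP of tunnel B to slot 4: the two tunnels terminate on different FPMs, which is exactly the hairpin case the article says gets dropped. Disabling ipsec-load-balance turns rules 22 to 25 on and pins all of it to the master. Note that rules 22 to 25 are IPv4 only, so IPv6 ESP is still hashed unless the IPv6 rules from the default set further down the page are also enabled.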
GTP load balancing
We can use the following command to enable or disable GTP load balancing:
config load-balance setting
    set gtp-load-balance {disable | enable}
end
By default this option is disabled, so GTP traffic is not load balanced. Instead, the following flow rule is enabled and sends GTP-C (UDP port 2123) traffic to the primary (master) FPM:
config load-balance flow-rule
    edit 17
        set ether-type ipv4
        set protocol udp
        set dst-l4port 2123-2123
        set comment "gtp-c to master blade"
    next
end
When gtp-load-balance is enabled, this flow rule is disabled, and GTP sessions are handled by the DP2 processors and load balanced across the FPMs.
Default Configuration For Traffic That Cannot Be Load Balanced
The recommended flow rules for common kinds of traffic that cannot be load balanced are given below. They send GTP-C (UDP port 2123), SSL VPN, IPv4 and IPv6 IPsec VPN (IKE, NAT-T and ESP), ICMP and ICMPv6 traffic, and IPv6 protocol 41, to the primary (master) FPM.
config load-balance flow-rule
    edit 20
        set status enable
        set ether-type ipv4
        set protocol udp
        set dst-l4port 2123-2123
    next
    edit 21
        set status enable
        set ether-type ip
        set protocol tcp
        set dst-l4port 10443-10443
        set comment "ssl vpn to the primary FPM"
    next
    edit 22
        set status enable
        set ether-type ipv4
        set protocol udp
        set src-l4port 500-500
        set dst-l4port 500-500
        set comment "ipv4 ike"
    next
    edit 23
        set status enable
        set ether-type ipv4
        set protocol udp
        set src-l4port 4500-4500
        set comment "ipv4 ike-natt src"
    next
    edit 24
        set status enable
        set ether-type ipv4
        set protocol udp
        set dst-l4port 4500-4500
        set comment "ipv4 ike-natt dst"
    next
    edit 25
        set status enable
        set ether-type ipv4
        set protocol esp
        set comment "ipv4 esp"
    next
    edit 26
        set status enable
        set ether-type ipv6
        set protocol udp
        set src-l4port 500-500
        set dst-l4port 500-500
        set comment "ipv6 ike"
    next
    edit 27
        set status enable
        set ether-type ipv6
        set protocol udp
        set src-l4port 4500-4500
        set comment "ipv6 ike-natt src"
    next
    edit 28
        set status enable
        set ether-type ipv6
        set protocol udp
        set dst-l4port 4500-4500
        set comment "ipv6 ike-natt dst"
    next
    edit 29
        set status enable
        set ether-type ipv6
        set protocol esp
        set comment "ipv6 esp"
    next
    edit 30
        set ether-type ipv4
        set protocol icmp
        set comment "icmp"
    next
    edit 31
        set status enable
        set ether-type ipv6
        set protocol icmpv6
        set comment "icmpv6"
    next
    edit 32
        set ether-type ipv6
        set protocol 41
    next
end
Conclusion
In short, load balancing IPsec traffic lets us use the full bandwidth available between IPsec VPN sites. Today, we saw how our Support Engineers load balance the IPsec protocol.