How to load balance IPSec protocol


A company uses an IPsec virtual private network (VPN) to interconnect two sites across an IP wide area network (WAN) or the Internet. Load balancing lets the company use all of the bandwidth available between the IPsec VPN sites through Equal Cost Multipathing (ECMP) or a Link Aggregation Group (LAG).

This short guide shows how IPsec VPN traffic is load balanced across the FPMs and how to adjust the flow rules that steer IKE and ESP traffic, so that IPsec ESP traffic is balanced as well as possible.

Set the load balancing method

Use the following command to set how sessions are distributed across the FPMs:

config load-balance setting
set dp-load-distribution-method {to-master | src-ip | dst-ip | src-dst-ip | src-ip-sport | dst-ip-dport | src-dst-ip-sport-dport}
end

Flow rule

Not all traffic types can be load balanced. Traffic that cannot be load balanced should be sent to the primary (master) FPM, which you do by configuring flow rules for it.

Create flow rules with the config load-balance flow-rule command. The default configuration uses flow rules to send IKE, GRE, session-helper, Kerberos, BGP, RIP, IPv4 and IPv6 DHCP, PPTP, BFD, IPv4 multicast and IPv6 multicast traffic to the primary (master) FPM.

The following configuration sends all IKE sessions to the primary (master) FPM (the two NAT-T rules are present but disabled):

                      
                        config load-balance flow-rule
edit 1
set status enable
set vlan 0
set ether-type ip
set protocol udp
set src-l4port 500-500
set dst-l4port 500-500
set action forward
set forward-slot master
set priority 5
set comment "ike"
next

edit 2
set status disable
set vlan 0
set ether-type ip
set protocol udp
set src-l4port 4500-4500
set dst-l4port 0-0
set action forward
set forward-slot master
set priority 5
set comment "ike-natt src"
next

edit 3
set status disable
set vlan 0
set ether-type ip
set protocol udp
set src-l4port 0-0
set dst-l4port 4500-4500
set action forward
set forward-slot master
set priority 5
set comment "ike-natt dst"
                      
                    

How to determine the primary (master) FPM

The primary (master) FPM performs dynamic routing. Use the diagnose load-balance status command to find out which FPM is currently designated as the primary FPM.

The following example shows diagnose load-balance status output. It shows that the FPM in slot 3 is the primary (master) FPM, while the FPM in slot 4 is dead and has lost its heartbeats.

                      
                        Slot: 2 Module
FIM02: FIM04E3E16000222
Master FPM Blade: slot-3
Slot 3: FPM20E3E17900133
Status:Working Function:Active
Link: Base: Up Fabric: Up
Heartbeat: Management: Good Data: Good
Status Message: "Running"
Slot 4:
Status:Dead Function:Active
Link: Base: Up Fabric: Down
Heartbeat: Management: Failed Data: Failed
Status Message: "Waiting for management heartbeat."
                      
                    
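As an added example (not part of the original article), the following Python script parses diagnose load-balance status output like the one above to find the primary (master) FPM and to flag slots whose status, fabric link or heartbeats point to a problem, as slot 4 does here. The sample text is constructed to mirror the output above, and the field names in the parsed dictionary are my own.

```python
import re

# Constructed sample mirroring the 'diagnose load-balance status' output shown above.
SAMPLE_STATUS = """\
Slot: 2 Module
Master FPM Blade: slot-3
Slot 3: FPM20E3E17900133
Status:Working Function:Active
Link: Base: Up Fabric: Up
Heartbeat: Management: Good Data: Good
Slot 4:
Status:Dead Function:Active
Link: Base: Up Fabric: Down
Heartbeat: Management: Failed Data: Failed
"""
MASTER_RE = re.compile(r"^Master FPM Blade:\s*slot-(\d+)")
SLOT_RE = re.compile(r"^Slot (\d+):")  # 'Slot: 2 Module' (the FIM line) does not match
FIELD_RES = [(re.compile(r"^Status:(\w+)\s+Function:(\w+)"), ("status", "function")),
             (re.compile(r"^Link: Base: (\w+) Fabric: (\w+)"), ("base", "fabric")),
             (re.compile(r"^Heartbeat: Management: (\w+) Data: (\w+)"), ("hb_mgmt", "hb_data"))]

def parse_lb_status(text):
    # Returns (master_slot, {slot_number: {field: value}}); field names are my own.
    master, slots, cur = None, {}, None
    for line in map(str.strip, text.splitlines()):
        if m := MASTER_RE.match(line):
            master = int(m.group(1))
        elif m := SLOT_RE.match(line):
            cur = int(m.group(1))
            slots[cur] = {}
        elif cur is not None:
            for rx, keys in FIELD_RES:
                if m := rx.match(line):
                    slots[cur].update(zip(keys, m.groups()))
    return master, slots

def fpm_issues(text):
    # Findings worth an alert: missing/unhealthy master, dead slots, fabric down, failed heartbeats.
    master, slots = parse_lb_status(text)
    issues = []
    if master is None or slots.get(master, {}).get("status") != "Working":
        issues.append(f"master FPM slot-{master} is missing or not Working")
    for slot, f in sorted(slots.items()):
        if f.get("status") != "Working":
            issues.append(f"slot-{slot}: status {f.get('status')}")
        if f.get("fabric") != "Up":
            issues.append(f"slot-{slot}: fabric link {f.get('fabric')}")
        if (f.get("hb_mgmt"), f.get("hb_data")) != ("Good", "Good"):
            issues.append(f"slot-{slot}: heartbeat mgmt={f.get('hb_mgmt')} data={f.get('hb_data')}")
    return issues
```

Feed it the real command output (for example captured over SSH) and alert on a non-empty list; a dead or heartbeat-less FPM means sessions pinned to that slot by flow rules are not being processed.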

IPsec VPN load balancing

Use the following command to enable or disable IPsec VPN load balancing:

config load-balance setting
set ipsec-load-balance {disable | enable}
end

By default, IPsec VPN load balancing is enabled and the flow rules listed below are disabled, so IPsec VPN sessions are sent to the DP2 processor and load balanced across the FPMs. However, with IPsec VPN load balancing enabled, two IPsec tunnels may terminate on different FPMs, and IPsec VPN sessions that pass from one IPsec tunnel into the other will be dropped.

Therefore, if you have traffic entering the device through one IPsec VPN tunnel and leaving it through another IPsec VPN tunnel, you need to disable IPsec load balancing:

config load-balance setting
set ipsec-load-balance disable
end

If IPsec VPN load balancing is disabled, the following flow rules are enabled:

                      
                        config load-balance flow-rule
edit 22
set ether-type ipv4
set protocol udp
set src-l4port 500-500
set dst-l4port 500-500
set comment "ipv4 ike"
next
edit 23
set ether-type ipv4
set protocol udp
set src-l4port 4500-4500
set comment "ipv4 ike-natt src"
next
edit 24
set ether-type ipv4
set protocol udp
set dst-l4port 4500-4500
set comment "ipv4 ike-natt dst"
next
edit 25
set ether-type ipv4
set protocol esp
set comment "ipv4 esp"
next
end
                      
                    

These flow rules should normally handle all IPsec VPN traffic below VPN tunnel protocol . If your IPsec VPN settings are not compatible with the default flow rules, you can also adjust them or add your own flow rules.
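Added example, not from the original article: a Python check that parses a config load-balance flow-rule block and reports which IPv4 IPsec coverages (IKE, NAT-T source, NAT-T destination, ESP) have no enabled rule forwarding to the master FPM, which is what you want to confirm after disabling ipsec-load-balance or after editing the rules. The sample configuration is constructed from the rules above with one rule omitted and one disabled; the status and forward-slot defaults follow the article's note on defaults, and the remaining entries in DEFAULTS are assumptions of mine.

```python
import shlex

# Constructed sample: the page's IPv4 IPsec rules with the NAT-T dst rule (24)
# omitted and the ESP rule (25) disabled, so the check has something to report.
SAMPLE_RULES = """\
config load-balance flow-rule
edit 22
set ether-type ipv4
set protocol udp
set src-l4port 500-500
set dst-l4port 500-500
next
edit 23
set ether-type ipv4
set protocol udp
set src-l4port 4500-4500
next
edit 25
set status disable
set ether-type ipv4
set protocol esp
next
end
"""
# status and forward-slot defaults are as the article states; the others are assumed.
DEFAULTS = {"status": "enable", "forward-slot": "master", "ether-type": "ip",
            "protocol": "any", "src-l4port": "0-0", "dst-l4port": "0-0"}

def parse_flow_rules(text):
    # Parse 'edit N' / 'set option value' lines into {N: {option: value}}, defaults filled in.
    rules, cur = {}, None
    for raw in text.splitlines():
        tok = shlex.split(raw)  # handles quoted values such as set comment "ipv4 ike"
        if tok and tok[0] == "edit":
            cur = int(tok[1])
            rules[cur] = dict(DEFAULTS)
        elif tok and tok[0] == "set" and cur is not None:
            rules[cur][tok[1]] = " ".join(tok[2:])
    return rules

# IPv4 IPsec coverage needed once ipsec-load-balance is disabled: (protocol, src port, dst port).
REQUIRED = {"ipv4 ike": ("udp", "500-500", "500-500"),
            "ipv4 ike-natt src": ("udp", "4500-4500", "0-0"),
            "ipv4 ike-natt dst": ("udp", "0-0", "4500-4500"),
            "ipv4 esp": ("esp", "0-0", "0-0")}

def missing_ipsec_rules(text):
    # Names from REQUIRED that no enabled ipv4 rule forwarding to master covers exactly.
    rules = parse_flow_rules(text).values()
    return [name for name, (proto, sp, dp) in REQUIRED.items() if not any(
        r["status"] == "enable" and r["forward-slot"] == "master"
        and r["ether-type"] == "ipv4" and r["protocol"] == proto
        and r["src-l4port"] == sp and r["dst-l4port"] == dp for r in rules)]
```

The check matches rules exactly by protocol and port range, so a broader rule (for example any UDP) is not counted as coverage; extend REQUIRED with ipv6 entries to check the IPv6 rules from the default configuration in the same way.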

GTP load balancing

Use the following command to enable or disable GTP load balancing:

config load-balance setting
set gtp-load-balance {disable | enable}
end

By default, this option is disabled, so GTP load balancing is off: the following flow rule is enabled and directs GTP-C traffic to the primary (master) FPM.

config load-balance flow-rule
edit 17
set ether-type ipv4
set protocol udp
set dst-l4port 2123-2123
set comment "gtp-c to master blade"
next
end

When gtp-load-balance is enabled, this flow rule is disabled, and GTP sessions are sent to the DP2 processor and load balanced across the FPMs.

Default configuration for traffic that cannot be load balanced

It is recommended to use the following flow rules to handle common types of traffic that cannot be load balanced. These flow rules send GPRS (port 2123), SSL VPN, IPv4 and IPv6 IPsec VPN, ICMP and ICMPv6 traffic to the primary (master) FPM.

The following CLI syntax shows only the configuration changes; all other options are at their default values. For example, the flow-rule option that selects the FPM slot a matching session is sent to is forward-slot, and in all of the rules below it is left at its default value, master. This setting sends matching sessions to the primary (master) FPM.

                      
                        config load-balance flow-rule
edit 20
set status enable
set ether-type ipv4
set protocol udp
set dst-l4port 2123-2123
next

edit 21
set status enable
set ether-type ip
set protocol tcp
set dst-l4port 10443-10443
set comment "ssl vpn to the primary FPM"
next

edit 22
set status enable
set ether-type ipv4
set protocol udp
set src-l4port 500-500
set dst-l4port 500-500
set comment "ipv4 ike"
next

edit 23
set status enable
set ether-type ipv4
set protocol udp
set src-l4port 4500-4500
set comment "ipv4 ike-natt src"
next

edit 24
set status enable
set ether-type ipv4
set protocol udp
set dst-l4port 4500-4500
set comment "ipv4 ike-natt dst"
next

edit 25
set status enable
set ether-type ipv4
set protocol esp
set comment "ipv4 esp"
next

edit 26
set status enable
set ether-type ipv6
set protocol udp
set src-l4port 500-500
set dst-l4port 500-500
set comment "ipv6 ike"
next

edit 27
set status enable
set ether-type ipv6
set protocol udp
set src-l4port 4500-4500
set comment "ipv6 ike-natt src"
next

edit 28
set status enable
set ether-type ipv6
set protocol udp
set dst-l4port 4500-4500
set comment "ipv6 ike-natt dst"
next

edit 29
set status enable
set ether-type ipv6
set protocol esp
set comment "ipv6 esp"
next

edit 30
set ether-type ipv4
set protocol icmp
set comment "icmp"
next

edit 31
set status enable
set ether-type ipv6
set protocol icmpv6
set comment "icmpv6"
next

edit 32
set ether-type ipv6
set protocol 41
end
                      
                    
