topic Re: Software limit on the concurrent S2S vpn tunnels for GAIA OS? in Firewall and Security Management

Software limit on the concurrent S2S vpn tunnels for GAIA OS?

let4 — Wed, 24 Jul 2024 09:58:49 GMT

Hi CheckMates !
I would like to know if GAIA OS has a hard limit on concurrent S2S vpn tunnels? Or am I limited only by the performance of the hardware.
A little about the task - customer has about 10k third party devices that need to be connected using the star topology (to center only). The total bandwidth of the Internet channel is about 500 Mbit/s for ALL vpn tunnels. Traffic in these tunnels is very low.

Re: Software limit on the concurrent S2S vpn tunnels for GAIA OS?

_Val_ — Wed, 24 Jul 2024 11:38:32 GMT

No such maximum number is listed in the Release Notes: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_RN/Content/Topics-RN/Maximum-Supported-Items.htm

However, 10K devices is a lot, even if they do not generate too much traffic. the main toll will be on CA & SPI negotiations, on the central GW side.

I would advise to engage PS to validate this will work.

Re: Software limit on the concurrent S2S vpn tunnels for GAIA OS?

the_rock — Wed, 24 Jul 2024 11:39:50 GMT

Hope this helps.

Andy

https://community.checkpoint.com/t5/Security-Gateways/VPN-Tunnels-Capacity/td-p/6914

https://community.checkpoint.com/t5/General-Topics/Limitation-on-Ipsec-tunnel/td-p/163683

Re: Software limit on the concurrent S2S vpn tunnels for GAIA OS?

PhoneBoy — Wed, 24 Jul 2024 14:49:40 GMT

As @_Val_ said, there isn't a real software limit on this.
However, I will echo is point to involve someone from Check Point (either your Security Engineer or Professional Services) validate the design.

Re: Software limit on the concurrent S2S vpn tunnels for GAIA OS?

Lesley — Wed, 24 Jul 2024 20:37:28 GMT

2 tips I have:

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_SitetoSiteVPN_AdminGuide/Topics-VPNSG/Large-Scale-VPN.htm?Highlight=limit

Large Scale VPN

A VPN that connects branch offices, worldwide partners, remote clients, and other environments, can reach hundreds or thousands of peers. A VPN on this scale brings new challenges.

Each time a new VPN peer is deployed in production configuration and policy installation is required for all participating VPN Gateways.

Large Scale VPN (LSV) addresses these challenges and facilitates deployment without the need for peer configuration and policy installation.

Second tips. I think there is a default software limit for VPN tunnels. Not 100% sure if this related to VPN clients or site to site vpn's. I suspect the last one. See screenshot.

Re: Software limit on the concurrent S2S vpn tunnels for GAIA OS?

the_rock — Wed, 24 Jul 2024 22:55:32 GMT

@Lesley made an excellent point with the screenshot. I had diamond guy tell me once that value does not really have anything to do with number of tunnels, meaning if you put 99k number there it would mean you can create 99,000 tunnels (not at all), but it does help if you have LOTS of tunnels, for sure.

Andy

Re: Software limit on the concurrent S2S vpn tunnels for GAIA OS?

the_rock — Wed, 24 Jul 2024 23:15:02 GMT

I never really checked max value for that option before, but shows 1M...I mean, lets be honest...what fw on this planet could withstand 1 million vpn tunnels? LOL

Andy

Re: Software limit on the concurrent S2S vpn tunnels for GAIA OS?

let4 — Thu, 25 Jul 2024 11:45:35 GMT

Hi! Thank you very much for your answers. It helped me a lot.

Re: Software limit on the concurrent S2S vpn tunnels for GAIA OS?

the_rock — Thu, 25 Jul 2024 12:12:45 GMT

@let4

FWIW, below is what Benny said back in 2017, but he never really answered where he got those numbers from. But, lets assume IF they are indeed correct, I would say, logically, 6000 appliance series can probably support about 70K tunnels (just my "mathematical" estimate lol)

Andy

Re: Software limit on the concurrent S2S vpn tunnels for GAIA OS?

let4 — Thu, 25 Jul 2024 12:28:28 GMT

Hi! Thanks for the reply. As I understand it, there are no hard limit. The question remains how size it correctly. As far as I remember, the VPN process in GAIA is able to work in a multithreading. A large number of CPU cores should ensure stability. Is it possible to use Maestro for this task? Or it's not profitable.

Re: Software limit on the concurrent S2S vpn tunnels for GAIA OS?

the_rock — Thu, 25 Jul 2024 12:33:29 GMT

Im not maestro expert at all (I know very basics of it), but I know we have customer using it and they have lots of tunnels, no issues, most of them route based actually.

So, I would say yes to that question.

Andy

Re: Software limit on the concurrent S2S vpn tunnels for GAIA OS?

let4 — Thu, 25 Jul 2024 13:46:40 GMT

Thanks for help!

Re: Software limit on the concurrent S2S vpn tunnels for GAIA OS?

Bob_Zimmerman — Thu, 25 Jul 2024 13:50:29 GMT

Concurrent tunnels depend on RAM, not processor cores. In the past, Check Point included very little RAM in their default configurations, but they've gotten a bit better about that. Even the base 9100 has 16 GB of RAM now. That should be enough for 50k VPNs, no problem. Stick to gateway-to-gateway tunnels (both sides negotiate 0.0.0.0/0) to keep the number of keys per tunnel to a minimum.

Throughput (no matter how many tunnels) depends on processor power. As long as you have a relatively current processor, a single core can get well over a gigabit of throughput.

Re: Software limit on the concurrent S2S vpn tunnels for GAIA OS?

PhoneBoy — Thu, 25 Jul 2024 14:35:17 GMT

There are some parts of VPN that have historically been single core, which can create some scalability issues.
R81.20 has made some additional improvements in this area, as I recall.

Maestro certainly leverages all this, but again, I would have someone from Check Point validate your proposed design.