topic Re: Limitation on Ipsec tunnel in General Topics

Limitation on Ipsec tunnel

Hardik_Patil_66 — Wed, 30 Nov 2022 10:31:38 GMT

Can you please update on below queries.

1) How much load can we put on single Tunnel. Is there any traffic limitation over a single IPsec VPN Tunnel?

2) How many IPsec Tunnel can be created? Is there any limitation for creation the IPsec Tunnel ?

Re: Limitation on Ipsec tunnel

_Val_ — Wed, 30 Nov 2022 11:04:39 GMT

Why is this in Maestro space? Are you asking specifically about Maestro environment? Or is this a general question?

Re: Limitation on Ipsec tunnel

Hardik_Patil_66 — Wed, 30 Nov 2022 11:11:42 GMT

This is the general question

Re: Limitation on Ipsec tunnel

_Val_ — Wed, 30 Nov 2022 11:23:05 GMT

Ok, I have moved your post to a more appropriate space.

Answer to both questions: it depends on your Security Gateway performance. There is no hard limit on both throughput and amount of VPN tunnels, but more you have, more CPU time it will consume.

Re: Limitation on Ipsec tunnel

Hardik_Patil_66 — Wed, 30 Nov 2022 11:35:36 GMT

Thanks for the update

Re: Limitation on Ipsec tunnel

the_rock — Wed, 30 Nov 2022 13:40:56 GMT

Hey Hardik,

@_Val_ is indeed 100% correct. There is definitely not a hard limit to this, it all depends on how powerful device is. Its sort of similar to discussion as to what is max number of regular/NAT rules one can create in smart console. There was never set limit to it. Honestly, in my 15 years dealing with CP, the MOST VPN tunnels I see someone have was 133 (I still remember that number well lol). And, consider this was back in R77.xx days, so now the code is way better/more stable. Also, same applies for the bandwidth as well.

Andy

Re: Limitation on Ipsec tunnel

PhoneBoy — Wed, 30 Nov 2022 19:04:26 GMT

It also depends on software version.
In the just released R81.20, we done a number of things to improve performance and stability for VPN:

Scalable VPN performance - 3 times faster to process simultaneous Remote Access and Site to Site VPN connections.
Major performance and stability improvement for Remote Access VPN and Site to Site VPN that delivers a significantly greater capacity for VPN tunnels.
Extended Security Gateway certificate validation capabilities for quicker authentication.
Resilient VPN architecture - multi-process architecture to handle IKE negotiations in dedicated scalable daemons, providing unprecedented resiliency.

If VPN performance is a concern, upgrading (or using) R81.20 is highly recommended.

Re: Limitation on Ipsec tunnel

the_rock — Wed, 30 Nov 2022 19:41:25 GMT

Indeed, very true! I personally found with R81.10 and R81.20 that VPN performs much faster.

Re: Limitation on Ipsec tunnel

Ruan_Kotze — Thu, 01 Dec 2022 10:13:01 GMT

I once had case where a customer logged a ticket due to a 5800 gateway being unresponsive, CPU's pegged etc. did some troubleshooting and narrowed it down to VPND. Customer of course insisted nothing changed in the environment.

The gateway was the hub in a community with about 100 smaller sites hanging off it. Eventually I managed to run vpn tu and saw there was something like 30 000 tunnels!!! Long story short - one of the customer admins was troubleshooting an IPSEC issue the previous evening and changed the VPN Tunnel sharing setting from "per pair of gateways" to "per pair of hosts" and due to traffic patterns the poor gateways started building tunnels until it almost melted:-)

Think I might still have a screenhot of the VPN TU output kicking around somewhere:-)

Re: Limitation on Ipsec tunnel

Blason_R — Thu, 01 Dec 2022 12:56:43 GMT

Unfortunately I did not get a chance to upgrade it to R80.20 however the most desired thing is to create a separate VPN tunnel if we have multiple ISPs. Checkpoint still not able to resolve the issue.

Re: Limitation on Ipsec tunnel

the_rock — Thu, 01 Dec 2022 13:05:29 GMT

O man, that made me laugh, though its not funny, but still... : - ).Yea, I think 30k tunnels would "MELT" any appliance LOL