Andrey_Gl
Explorer

Load Sharing in IPsec, how does it work?

If I enable load sharing in link selection, how will the traffic be distributed? Is there an algorithm? How can I select a channel to load, for example, 70% on one and 30% on another? I couldn't find this information in the Site to Site VPN R81.10 Administration Guide.

0 Kudos
5 Replies
the_rock
Legend

Hopefully below is a good explanation from the help section in SmartConsole:

  • Load Sharing mode connects to both ISPs, while distributing the load of outgoing connections between the ISPs according to a designated weight assignment. New connections are randomly assigned to a link. If a link fails, all new outgoing connections are directed to the active link.

 

  • Weight (for Load Sharing only) - Relative distribution for the ISP Links loads. For example, if one link is faster, it can be configured to route more connections across that ISP link than the other. By default, the weight value is 1. For equal weight distribution between two links, specify 50 for each ISP link.
0 Kudos
the_rock
Legend

Read your post again, sorry, my bad, first response was related to ISPR, below is for link selection. Does not appear you can set it manually though.

Andy

 

  • Use probing. Redundancy mode: - When more than one IP address is available on a Security Gateway for VPN, Link Selection may employ the RDP probing method to determine which link will be used. The RDP probing method is implemented using a proprietary protocol that uses UDP port 259. This protocol is proprietary to Check Point and works only between Check Point entities. (Note that it does not comply with RDP as specified in RFC 908/1151). IP addresses you do not want to be examined (i.e., internal IP addresses) may be removed from the list of IP's to be examined. Once a Security Gateway maps the links' availability, a link selection per connection can be made according to the following redundancy modes:
    • High Availability (default setting) - In High Availability mode the VPN tunnel uses the first IP address to respond, or the primary IP address if a primary IP is configured and active. If the chosen IP address stops responding, the connection fails over to another responding IP address. If a primary IP address is configured, the VPN tunnel will stay on the backup IP address until the primary one becomes available again.
    • Load Sharing - In Load Sharing mode the encrypted traffic is distributed among all available links. Every new connection ready for encryption uses the next available link in a round robin manner. When a link becomes unavailable, all of its connections are distributed among the other available links. A link's availability is determined using RDP probing.
0 Kudos
PhoneBoy
Admin

This is determined by ClusterXL itself and depends on the clustering mode you’re using.
Unicast Mode forces a 30/70 split due to how it operates.
I don’t believe you can force more or less traffic to go to a specific gateway when using Multicast Mode.

0 Kudos
Andrey_Gl
Explorer

And what if I don't have a cluster? For example, I have a single node with two interfaces to different providers on one side, and on the other side, a VPN is also on the same node. I'm just trying to understand how to do load sharing between providers if I have 10 different VPN tunnels.

0 Kudos
PhoneBoy
Admin

It's as stated in the documentation: round-robin.
You cannot specify x% of traffic to go down one tunnel versus another.

0 Kudos
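
A toy model of the per-connection round-robin behaviour quoted in the thread, added here as an illustration; it is not Check Point code, and the class, link names and flow sizes are constructed assumptions. It shows that each link gets an equal number of connections, while the byte split depends on flow sizes and cannot be set to a ratio such as 70/30.

```python
from collections import Counter

class LinkSelector:
    """Toy model: each new connection takes the next available link."""
    def __init__(self, links):
        self.links = list(links)   # configured links, in order
        self.up = set(links)       # links currently answering probes
        self.cursor = 0            # round-robin position
        self.conns = {}            # connection id -> link carrying it

    def _next_available(self):
        if not self.up.intersection(self.links):
            raise RuntimeError("no link available")
        for _ in self.links:       # at most one full pass over the links
            link = self.links[self.cursor]
            self.cursor = (self.cursor + 1) % len(self.links)
            if link in self.up:
                return link

    def new_connection(self, conn_id):
        self.conns[conn_id] = self._next_available()
        return self.conns[conn_id]

    def probe_result(self, link, alive):
        """Record a probe outcome; a failed link's connections are moved."""
        if alive:
            self.up.add(link)
            return
        self.up.discard(link)
        for cid, used in list(self.conns.items()):
            if used == link:
                self.conns[cid] = self._next_available()

    def share(self, sizes=None):
        """Per-link fraction of connections, or of bytes when sizes is given."""
        totals = Counter()
        for cid, link in self.conns.items():
            totals[link] += sizes[cid] if sizes else 1
        whole = sum(totals.values())
        return {l: totals[l] / whole for l in self.links}

def demo():
    sel = LinkSelector(["isp_a", "isp_b"])        # hypothetical link names
    sizes = {i: 900 if i % 2 == 0 else 100 for i in range(10)}  # constructed
    for i in range(10):
        sel.new_connection(i)
    by_conn, by_bytes = sel.share(), sel.share(sizes)
    sel.probe_result("isp_b", alive=False)        # probe stops answering
    return by_conn, by_bytes, sel.share()
```

With the constructed sizes, `demo()` returns a 50/50 split by connection count, a 90/10 split by bytes, and 100/0 after the second link fails its probe.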
