Site to Site VPN load balancing across dual links

Hi everyone,

I have a VPN tunnel connecting 2 sites, where all traffic is routed over the tunnel. I just installed dual 100Mb links between the sites, which I would like to use as Active/Active. The service provider installed dual switches on each end, and combines the 2 links using LACP between the switches. I connect the firewalls with a single port to one switch at each site.

My concern is that since all traffic goes over a single VPN tunnel, the LACP will not load balance the traffic between the 2 lines, but will treat it all as one "session". How can I get the traffic to run over both links (and achieve aggregate throughput of 200Mb)?

My other idea was to connect 2 ports on each firewall, one to each line, and bond them together into a single interface, then let the Checkpoint handle the load balancing (using which mode settings?). Which method would work better?

See network diagram below:


I would let the provider's environment do this. In the network diagram shown, with only LACP between the switches, there is no combination of the two WAN links into a bigger one. If these devices are all under the control of your provider, they should do this.

Another possibility would be to use an additional interface on both gateways, with additional IP configuration and the use of VPN Link Selection in Load Sharing mode. With this you can use both 100Mbit lines.
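A small model of both points in this thread (the question's concern that LACP treats one tunnel as a single session, and the reply's Load Sharing suggestion), as an added example that is not code from the thread or from Check Point. The transmit hash is a simplified layer3+4 policy and the addresses are constructed; whether two tunnel endpoints really land on different links depends on the switch's actual hash, and a layer2 (MAC-based) policy would also need the second tunnel to leave from a separate port.

```python
"""Why LACP cannot spread one IPsec tunnel, and what a second tunnel endpoint
changes. Added example, not Check Point or switch-vendor code. The hash is a
simplified layer3+4 transmit policy (assumption); real switches differ."""
from collections import Counter
from ipaddress import ip_address

TCP, ESP = 6, 50

def xmit_hash(src_ip, dst_ip, proto, sport=0, dport=0, n_links=2):
    """Pick an aggregated link from the outermost headers the switch can see."""
    h = int(ip_address(src_ip)) ^ int(ip_address(dst_ip)) ^ proto ^ sport ^ dport
    h ^= h >> 16          # fold the 32-bit value so every byte influences the result
    h ^= h >> 8
    return h % n_links

# Constructed LAN-to-LAN sessions (what the firewall sees before encryption).
INNER_FLOWS = [
    ("10.1.0.5", "10.2.0.20", TCP, 40000, 443),
    ("10.1.0.5", "10.2.0.20", TCP, 40001, 443),
    ("10.1.0.6", "10.2.0.21", TCP, 50000, 22),
    ("10.1.0.7", "10.2.0.21", TCP, 50001, 3390),
]
# Constructed public addresses; the second pair models VPN Link Selection in
# Load Sharing mode with one extra interface on each gateway.
SA_ONE = ("203.0.113.1", "198.51.100.1")
SA_TWO = ("203.0.113.2", "198.51.100.3")

def esp_encapsulate(flow, endpoints):
    """Tunnel-mode ESP: the inner 5-tuple is encrypted, so the switch only
    sees the gateway addresses, protocol 50 and no ports."""
    src, dst = endpoints
    return (src, dst, ESP, 0, 0)

def links_used(packets):
    """Count how many packets land on each aggregated link."""
    return Counter(xmit_hash(*p) for p in packets)

def single_tunnel():
    """Everything rides one SA: every packet has the same outer header."""
    return links_used([esp_encapsulate(f, SA_ONE) for f in INNER_FLOWS])

def load_sharing():
    """Gateway alternates connections across its two tunnel endpoints."""
    endpoints = (SA_ONE, SA_TWO)
    return links_used([esp_encapsulate(f, endpoints[i % 2])
                       for i, f in enumerate(INNER_FLOWS)])

if __name__ == "__main__":
    print("cleartext sessions :", dict(links_used(INNER_FLOWS)))  # both links
    print("one IPsec SA       :", dict(single_tunnel()))           # one link only
    print("two SAs (sharing)  :", dict(load_sharing()))            # both links again
```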

