VPN Tunnels Capacity
Hi Masters,
I'm working on an important opportunity where I'm offering the 730 and 5200 appliances, and the customer is requiring the following IPsec VPN tunnel capacity:
For the 730 appliance, more than 20 IPsec Site-to-Site tunnels and more than 20 IPsec Client-to-Site tunnels.
For the 5200 appliance, more than 2,500 IPsec Site-to-Site tunnels and more than 2,500 IPsec Client-to-Site tunnels.
Please, could someone help me by answering whether the above appliances support the customer's requirement?
Sincerely.
Tiago Marques.
- Tags:
- vpn tunnels capacity
At least for the 2200-23000 series of appliances, there is not really a hard limit on the total number of VPN tunnels beyond the amount of available RAM in the system. In the Optimization section of the firewall object, by default there can be 200 concurrent IKE negotiations (this default increased to 1000 in R80.10) and 10,000 concurrent VPN tunnels. Both of these values can be increased if needed, at the expense of more memory utilization. So for the 5200 with 8GB of RAM I'd say it can meet your requirements for the number of tunnels, although if numerous memory-hungry blades are enabled in addition to VPN there may be a shortage of memory. If this is the case, upgrading to 16GB of RAM will help.
Embedded Gaia is in its own world to some degree, so I can't comment on the 600-1700 series of appliances.
Beyond just the raw number of tunnels, though, is how much VPN throughput the firewall can handle; in the past this generally tended to be constrained by limited Internet bandwidth, but this is becoming less prevalent. The 5200 does not have AES-NI hardware offload (the 5600 does, however, which will increase AES throughput 4-10X), but AES should still be used instead of 3DES for overall efficiency.
Also, running an R80.10 gateway is strongly recommended for that potential amount of VPN traffic, due to the new multicore IPsec VPN capability which is enabled by default in R80.10 (sk118097). In R77.30 and earlier (except for a special R77.20 hotfix), all IPsec VPN traffic processing could only take place on one firewall worker core, which is a critical bottleneck if the VPN traffic cannot be accelerated by SecureXL.
--
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com.
CET (Europe) Timezone Course Scheduled for July 1-2
For the 700 appliance series there is no hard limit either; it's more a question of how many Security Associations (SAs) the appliance will have to handle concurrently. The Embedded UTM-1 Edge appliances had a support limit of 100 SAs (= max. 50 Site-to-Site VPN tunnels) when managed centrally. Instead of using the Embedded 700 appliances I'd recommend using Embedded 1400 appliances and managing them centrally, in order to provide more performance by using centrally configured VPN communities to initiate SAs per gateway pair whenever possible.
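The two replies above both reduce the capacity question to Security Associations: the Optimization settings cap concurrent tunnels, and a tunnel costs two IPsec SAs (one per direction), so the real number depends on the VPN community's tunnel-management granularity (one tunnel per gateway pair, per subnet pair, or per host pair). The following planning helper is an added example and is not from the thread or from Check Point; the topology, the peer names and the function names are constructed for illustration, and the model is deliberately simplified (it ignores IKE SAs and the brief overlap of old and new SAs during rekey).

```python
import ipaddress
from itertools import product

# Constructed sample topology (hypothetical; not taken from the thread).
# Local gateway encryption domain and, per remote peer, its encryption domain.
LOCAL_DOMAIN = ["10.0.0.0/24", "10.0.1.0/24"]
PEERS = {
    "branch-a": ["192.168.10.0/24"],
    "branch-b": ["192.168.20.0/24", "192.168.21.0/25"],
    "partner-x": ["172.16.0.0/22"],
}

# Each established tunnel is a pair of unidirectional IPsec SAs.
SAS_PER_TUNNEL = 2

# Default "Maximum concurrent tunnels" quoted in the thread for the firewall object.
DEFAULT_MAX_TUNNELS = 10_000


def _usable_hosts(cidr: str) -> int:
    """Usable host addresses in a subnet (/31 and /32 have no network/broadcast)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.num_addresses if net.prefixlen >= 31 else net.num_addresses - 2


def tunnels_per_peer(local: list, remote: list, mode: str) -> int:
    """Tunnels one peer can build, depending on the community's tunnel granularity.

    mode: "gateway" (one tunnel for all traffic to the peer),
          "subnet"  (one tunnel per local/remote subnet pair),
          "host"    (one tunnel per local/remote host pair, worst case).
    """
    if mode == "gateway":
        return 1
    if mode == "subnet":
        return len(local) * len(remote)
    if mode == "host":
        return sum(_usable_hosts(l) * _usable_hosts(r)
                   for l, r in product(local, remote))
    raise ValueError(f"unknown tunnel-management mode: {mode}")


def plan(local: list, peers: dict, mode: str) -> dict:
    """Worst-case concurrent tunnels and IPsec SAs if every peer is fully active."""
    tunnels = sum(tunnels_per_peer(local, remote, mode) for remote in peers.values())
    return {"mode": mode, "tunnels": tunnels, "sas": tunnels * SAS_PER_TUNNEL}


def fits(local: list, peers: dict, mode: str, max_tunnels: int = DEFAULT_MAX_TUNNELS) -> bool:
    """True if the worst case stays within the configured concurrent-tunnel limit."""
    return plan(local, peers, mode)["tunnels"] <= max_tunnels


if __name__ == "__main__":
    for mode in ("gateway", "subnet", "host"):
        p = plan(LOCAL_DOMAIN, PEERS, mode)
        verdict = "ok" if fits(LOCAL_DOMAIN, PEERS, mode) else "EXCEEDS limit"
        print(f"{mode:8s} tunnels={p['tunnels']:>9,} sas={p['sas']:>9,}  {verdict}")
```

Run against the constructed topology, the per-gateway-pair setting needs 3 tunnels (6 SAs), per subnet pair 8 tunnels (16 SAs), and per host pair 841,248 tunnels, which is why the advice to use gateway-pair tunnels matters far more than the appliance model when the encryption domains are large. The same function can be fed a customer's real encryption domains and the gateway's configured maximum to check headroom before a sale or a migration.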
Yes, they do support it:
- 730 supports up to 150 tunnels
- 5200 supports up to 55,000 tunnels
S2C or S2S is the same from a capacity point of view.
Of course there's always the actual throughput in each tunnel to be taken into consideration, but the numbers you are asking for are perfectly feasible.
Good luck!
Benny.
Benny,
Where did you get those stats from?
Thanks,
Phil
Hello. It's also good to check the VPN throughput of each appliance.
