Best Practice Configuration for IPsec Traffic Traversing Multiple Gateways

You should be aware of a performance issue for a certain IPsec connection configuration and the best practice recommendation for eliminating the performance issue.

Performance issues can occur when a customer environment contains more than one Cloud Edge appliance with multiple IPsec VPN connections. When the traffic passes through multiple IPsec connections Cloud Edge scans the traffic as it traverses each connection. Multiple scans do not provide better detection, but multiple scans of the same traffic do result in a performance drop.

To avoid any unnecessary scans, the best practice is to scan traffic only once by the Cloud Edge appliance that is closest to the incoming traffic and configure other appliances in the route from source to destination to bypass the scan.

To achieve this, you can use the gateway policy rules to bypass scanning on all but the closest gateway to the IPsec traffic.

Best Practice Configuration Rules

Gateway's Role in Configuration Rule Guidelines

Full-mesh IPsec gateways

Create a policy rule where the Action is to Bypass traffic and add the following to the specified fields:

  • Destination

    Add a network object that contains the gateway's own private network.

  • Source users/User Groups/IP Addresses/FQDN/MAC Addresses

    Add a network object that contains all other private networks in the mesh VPN.

Spokes of a star IPsec gateway

Create a policy rule where the Action is to Bypass traffic and add the following to the specified fields:

  • Destination

    Add a network object that contains the gateway's own private network.

  • Source users/User Groups/IP Addresses/FQDN/MAC Addresses

    Add a network object that contains all other private networks in the star VPN.

Hub of a star IPsec gateway

Create a policy rule where the Action is to Bypass traffic and add the following to the specified fields:

  • Destination

    Add a network object that contains all private networks (including its own private network).

  • Source users/User Groups/IP Addresses/FQDN/MAC Addresses

    Add a network object that contains all spoke private networks in the star VPN (does not contain its own private network).

Example: Star Site-to-Site IPsec VPN with one hub and two spokes

Gateway

Role

Private Network

Bypass Rule

Spoke IPsec gateway (GS1)

Star spoke

NS1

  • Action: Bypass

  • Source: NH1, NS2 (all other private networks)

  • Destination: NS1 (its own private network)

Hub IPsec gateway (GH1)

Star hub

NH1

  • Action: Bypass

  • Source: NS1, NS2 (all other private networks)

  • Destination: NS1, NS2, and NH1 (all private networks)

Spoke IPsec gateway (GS2)

Star spoke

NS2

  • Action: Bypass

  • Source: NH1, NS1 (all other private networks)

  • Destination: NS2 (its own private network)