Cloud Edge > Gateways > Site-to-Site VPN > IPsec Troubleshooting > Best Practice Configuration for IPsec Traffic Traversing Multiple Gateways

Best Practice Configuration for IPsec Traffic Traversing Multiple Gateways

You should be aware of a performance issue for a certain IPsec connection configuration and the best practice recommendation for eliminating the performance issue.

Performance issues can occur when a customer environment contains more than one Cloud Edge gateway with multiple IPsec VPN connections. When the traffic passes through multiple IPsec connections Cloud Edge scans the traffic as it traverses each connection. Multiple scans do not provide better detection, but multiple scans of the same traffic do result in a performance drop.

To avoid any unnecessary scans, the best practice is to scan traffic only once by the Cloud Edge gateway that is closest to the incoming traffic and configure other gateways in the route from source to destination to bypass the scan.

To achieve this, you can use the gateway policy rules to bypass scanning on all but the closest gateway to the IPsec traffic.

Best Practice Configuration Rules

Gateway's Role in Configuration	Rule Guidelines
Full-mesh IPsec gateways	Create a policy rule where the Action is to Bypass traffic and add the following to the specified fields: Destination Add a network object that contains the gateway's own private network. Source users/User Groups/IP Addresses/FQDN/MAC Addresses Add a network object that contains all other private networks in the mesh VPN.
Spokes of a star IPsec gateway	Create a policy rule where the Action is to Bypass traffic and add the following to the specified fields: Destination Add a network object that contains the gateway's own private network. Source users/User Groups/IP Addresses/FQDN/MAC Addresses Add a network object that contains all other private networks in the star VPN.
Hub of a star IPsec gateway	Create a policy rule where the Action is to Bypass traffic and add the following to the specified fields: Destination Add a network object that contains all private networks (including its own private network). Source users/User Groups/IP Addresses/FQDN/MAC Addresses Add a network object that contains all spoke private networks in the star VPN (does not contain its own private network).

Gateway's Role in Configuration

Rule Guidelines

Full-mesh IPsec gateways

Create a policy rule where the Action is to Bypass traffic and add the following to the specified fields:

Destination

Add a network object that contains the gateway's own private network.
Source users/User Groups/IP Addresses/FQDN/MAC Addresses

Add a network object that contains all other private networks in the mesh VPN.

Spokes of a star IPsec gateway

Create a policy rule where the Action is to Bypass traffic and add the following to the specified fields:

Destination

Add a network object that contains the gateway's own private network.
Source users/User Groups/IP Addresses/FQDN/MAC Addresses

Add a network object that contains all other private networks in the star VPN.

Hub of a star IPsec gateway

Create a policy rule where the Action is to Bypass traffic and add the following to the specified fields:

Destination

Add a network object that contains all private networks (including its own private network).
Source users/User Groups/IP Addresses/FQDN/MAC Addresses

Add a network object that contains all spoke private networks in the star VPN (does not contain its own private network).

Example: Star Site-to-Site IPsec VPN with one hub and two spokes

Gateway	Role	Private Network	Bypass Rule
Spoke IPsec gateway (GS1)	Star spoke	NS1	Action: Bypass Source: NH1, NS2 (all other private networks) Destination: NS1 (its own private network)
Hub IPsec gateway (GH1)	Star hub	NH1	Action: Bypass Source: NS1, NS2 (all other private networks) Destination: NS1, NS2, and NH1 (all private networks)
Spoke IPsec gateway (GS2)	Star spoke	NS2	Action: Bypass Source: NH1, NS1 (all other private networks) Destination: NS2 (its own private network)