Rate limiting for IPSec VPN tunnels of the USG6000 series

On the USG6000 series, rate limiting can be implemented for IPSec VPN tunnels by using two methods.
Method 1:
If multiple tunnels are established on the USG, traffic conflicts occur when data traffic is heavy. In this case, run the speed-limit command to limit the traffic in each IPSec tunnel. Excess packets are discarded. This ensures that all packets in each tunnel are transmitted properly.
If the traffic coming through a tunnel to a local port is heavy, use the inbound keyword to limit the traffic coming from this IPSec tunnel to the local port. If the traffic forwarded by the local port is heavy, use the outbound keyword to limit the traffic forwarded by the local port to the IPSec tunnel.
After a security policy is applied on an interface, you cannot run speed-limit to modify the rate limit configured in that security policy.

If an IPSec security policy is configured in any of the following modes, you can run speed-limit { inbound | outbound } speed-limit to limit the traffic rate of the IPSec tunnel.
- Manual mode
- Template mode
- Internet Key Exchange (IKE) non-policy template mode

Method 2:
After a traffic policy is configured, the traffic rate of the IPSec VPN can be limited by matching the actual address before VPN encapsulation or after decapsulation. Assume that the actual address before VPN encapsulation is 10.1.1.1. The configuration is as follows:
[sysname] traffic-policy
[sysname-policy-traffic] rule name 1
[sysname-policy-traffic-rule-1] source-address 10.1.1.1 32
