Rate limiting for IPSec VPN tunnels of the USG6000 series


On the USG6000 series, rate limiting for IPSec VPN tunnels can be implemented in two ways.
Method 1:
If multiple tunnels are established on the USG, they contend for bandwidth under heavy data traffic. In this case, run speed-limit to limit the traffic in each IPSec tunnel; packets exceeding the limit are discarded, so every tunnel keeps its share of the bandwidth and its traffic is transmitted properly.
If heavy traffic arrives through a tunnel at a local port, use the inbound keyword to limit the traffic from that IPSec tunnel to the local port. If the traffic that the local port forwards into the tunnel is heavy, use the outbound keyword to limit the traffic from the local port to the IPSec tunnel.
After an IPSec security policy has been applied to an interface, you cannot run speed-limit to change the rate configured in that policy.

If an IPSec security policy is configured in any of the following modes, you can run speed-limit { inbound | outbound } speed-limit to limit the traffic rate of the IPSec tunnel:
- Manual mode
- Template mode
- Internet Key Exchange (IKE) non-policy-template mode
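
As an added check, not taken from this page or from Huawei, the following Python script parses a USG6000-style configuration dump, reports every IPSec policy that has no speed-limit in one or both directions, and sums the configured limits so they can be compared against the bandwidth of the interface the policies are applied to. The block layout of the configuration, the form of the speed-limit line and its kbit/s unit are assumptions, and the sample configuration is constructed for this example.

```python
"""Audit a USG6000-style configuration for IPSec policies without per-tunnel rate limits.

Added example; not from the Huawei page. Assumptions: the dump uses Huawei's
block style (a block starts with an unindented `ipsec policy <name> <seq> <mode>`
line and ends at a line containing only `#`), and per-direction limits appear as
`speed-limit inbound|outbound <rate>` with the rate in kbit/s (unit assumed).
"""
import re
from dataclasses import dataclass, field

# Constructed sample configuration (not a real device dump).
SAMPLE_CONFIG = """\
#
ipsec policy branch 10 isakmp
 security acl 3000
 ike-peer branch1
 proposal prop1
 speed-limit inbound 2000
 speed-limit outbound 2000
#
ipsec policy branch 20 isakmp
 security acl 3001
 ike-peer branch2
 proposal prop1
 speed-limit outbound 5000
#
ipsec policy hq 1 manual
 security acl 3002
 proposal prop1
#
interface GigabitEthernet1/0/1
 ip address 203.0.113.1 255.255.255.0
 ipsec policy branch
#
"""

POLICY_RE = re.compile(r"^ipsec policy (\S+) (\d+) (\S+)\s*$")
LIMIT_RE = re.compile(r"^\s+speed-limit (inbound|outbound) (\d+)\s*$")


@dataclass
class IpsecPolicy:
    name: str
    seq: int
    mode: str
    limits: dict = field(default_factory=dict)  # direction -> kbit/s


def parse_policies(config: str) -> list[IpsecPolicy]:
    """Collect every top-level ipsec policy block and its speed-limit lines."""
    policies: list[IpsecPolicy] = []
    current = None
    for line in config.splitlines():
        if line.strip() == "#":          # block separator: leave the current policy
            current = None
            continue
        m = POLICY_RE.match(line)
        if m:                            # unindented header: a new policy block
            current = IpsecPolicy(m.group(1), int(m.group(2)), m.group(3))
            policies.append(current)
            continue
        if current is not None:
            m = LIMIT_RE.match(line)
            if m:
                current.limits[m.group(1)] = int(m.group(2))
    return policies


def find_unlimited(policies: list[IpsecPolicy]) -> list[tuple[str, int, list[str]]]:
    """Return (name, seq, missing directions) for policies lacking a limit in either direction."""
    findings = []
    for p in policies:
        missing = [d for d in ("inbound", "outbound") if d not in p.limits]
        if missing:
            findings.append((p.name, p.seq, missing))
    return findings


def total_limit(policies: list[IpsecPolicy], direction: str) -> int:
    """Sum of the configured limits in one direction, in kbit/s.

    If this exceeds the interface bandwidth, the per-tunnel limits alone do not
    stop the tunnels from contending for the link."""
    return sum(p.limits.get(direction, 0) for p in policies)


if __name__ == "__main__":
    pols = parse_policies(SAMPLE_CONFIG)
    for name, seq, missing in find_unlimited(pols):
        print(f"ipsec policy {name} {seq}: no speed-limit for {', '.join(missing)}")
    print("total outbound limit (kbit/s):", total_limit(pols, "outbound"))
```

Run it against the output of display current-configuration saved to a file; the interface block in the sample is deliberately ignored by the parser because its indented ipsec policy line is an application, not a policy definition.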

Method 2:
After a traffic policy is configured, it can rate-limit IPSec VPN traffic as long as its rule matches the inner addresses, that is, the addresses of the packets before IPSec encapsulation or after decapsulation, not the tunnel endpoint addresses. Assume that the inner source address is 10.1.1.1. The configuration is as follows:
[sysname] traffic-policy
[sysname-policy-traffic] rule name 1
[sysname-policy-traffic-rule-1] source-address 10.1.1.1 32
[sysname-policy-traffic-rule-1] action qos profile p1 //Added here for completeness: p1 is a traffic-limit profile that defines the maximum bandwidth and must be created beforehand; the exact profile syntax depends on the software version

Other related questions:
How to limit IPSec VPN traffic on the USG6000
The speed-limit command can be used to rate-limit IPSec traffic. When multiple tunnels are built on the NGFW, heavy data traffic makes the tunnels contend for bandwidth. By configuring speed-limit you can limit the packet rate of each IPSec tunnel; traffic beyond the limit is discarded, so the traffic on each tunnel is still transferred.

Method used to limit IPSec VPN traffic on the USG6000
You can run the speed-limit command to limit IPSec traffic. When multiple tunnels are established on the NGFW, they contend for bandwidth under heavy traffic. By configuring speed-limit you can limit the traffic on each IPSec tunnel; traffic beyond the limit is discarded, so the traffic on each tunnel can still be transmitted.

Displaying the number of IPSec tunnels on the USG6000
Run the display ipsec sa brief command to display the number of tunnels.

Number of concurrent IPSec VPN tunnels on the firewall
This question concerns device performance; for an authoritative figure, contact the pre-sales personnel. The performance specifications quoted here are:

Model     Concurrent connections   IPSec VPN throughput   Concurrent IPSec VPN tunnels
USG2110   100,000                  40M                    64
USG2130   200,000                  60M                    64
USG2160   200,000                  60M                    64
USG2210   300,000                  300M                   2000
USG2220   500,000                  350M                   2000
USG2230   800,000                  400M                   2000
USG2250   1 million                500M                   2000
USG5120   2 million                1G                     2000
USG5150   2 million                2G                     2000

Number of new connections per second: 1200 (the source gives only this single value and does not state which model it applies to).

How to configure an AR to limit the rate of IPSec data flows
To configure an AR to limit the rate of IPSec data flows, first assign IPSec packets to a QoS group, then apply rate limiting to that group through MQC:
system-view
[Huawei]ipsec policy huawei 1 manual //Create an IPSec policy, set the SA creation mode to manual, and enter the IPSec policy view. The qos group setting can alternatively be configured in the ISAKMP policy view, IPSec policy template view, IPSec profile view, Efficient VPN policy view, or GDOI policy view.
[Huawei-ipsec-policy-manual-huawei-1]qos group 10 //Assign IPSec packets to QoS group 10.
[Huawei-ipsec-policy-manual-huawei-1]quit
[Huawei]traffic classifier c1 //Create a traffic classifier and enter its view.
[Huawei-classifier-c1]if-match qos-group 10 //Match packets belonging to QoS group 10.
[Huawei-classifier-c1]quit
[Huawei]traffic behavior b1 //Create a traffic behavior and enter its view.
[Huawei-behavior-b1]car cir 3000 //Limit the committed rate to 3000 kbit/s.
[Huawei-behavior-b1]quit
[Huawei]traffic policy p1 //Create a traffic policy and enter its view.
[Huawei-trafficpolicy-p1]classifier c1 behavior b1 //Bind the classifier to the behavior.
[Huawei-trafficpolicy-p1]quit
[Huawei]interface GigabitEthernet 0/0/0
[Huawei-GigabitEthernet0/0/0]traffic-policy p1 outbound //Apply the traffic policy to the interface in the outbound direction.
