Number of concurrent IPSec VPN tunnels on the firewall

Number of concurrent IPSec VPN tunnels on the USG

This question involves the device performance. For an accurate answer, contact the pre-sales personnel.
| Performance specification | USG2110 | USG2130 | USG2160 | USG2210 | USG2220 | USG2230 | USG2250 | USG5120 | USG5150 |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Number of concurrent connections | 100,000 | 200,000 | 200,000 | 300,000 | 500,000 | 800,000 | 1 million | 2 million | 2 million |
| IPSec VPN performance | 40M | 60M | 60M | 300M | 350M | 400M | 500M | 1G | 2G |
| Number of concurrent IPSec VPN tunnels | 64 | 64 | 64 | 2000 | 2000 | 2000 | 2000 | 2000 | 2000 |

Number of new connections per second 1200

Other related questions:
Maximum number of concurrent SSL VPN connections on the firewall
Configuring the maximum number of concurrent SSL VPN users on the USG

v-gateway cur-max-user

The v-gateway cur-max-user command modifies the maximum number of concurrent users supported by a virtual gateway. By default, the maximum number of concurrent users is the number of concurrent users available as specified by the system license.
The undo v-gateway cur-max-user command restores the maximum number of concurrent users to the default value.

Syntax
v-gateway v-gateway-name cur-max-user cur-max-user
undo v-gateway v-gateway-name cur-max-user

Parameter Description
v-gateway-name: Virtual gateway name
cur-max-user cur-max-user: Maximum number of concurrent users supported by a virtual gateway

Usage Guide
The maximum number of concurrent users supported by the USG is controlled by the license. The license also limits the total number of concurrent users on virtual gateways of the USG. The maximum number of concurrent users on virtual gateways should be smaller than that of users on virtual gateways.
By default, the maximum number of concurrent users on virtual gateways falls into the following situations:
If a concurrent user limit is set for virtual gateways, the maximum number of concurrent users on the new virtual gateway is the number of remaining concurrent users of the system license.
If no concurrent user limit is set for virtual gateways, the maximum number of concurrent users on the new virtual gateway is the number of concurrent users allowed by the system license.

Example
system-view
[sysname] v-gateway abc cur-max-user 20 //Set the maximum number of concurrent users on virtual gateway abc to 20.

Configuring the maximum number of concurrent SSL VPN users on the USG firewall

v-gateway cur-max-user

Use the v-gateway cur-max-user command to modify the maximum number of concurrent users of the virtual gateway. By default, the maximum number of concurrent users is the number of concurrent users available under the system license.
Use the undo v-gateway cur-max-user command to delete the configured maximum number of concurrent users and restore the default value.

Command format
v-gateway v-gateway-name cur-max-user cur-max-user
undo v-gateway v-gateway-name cur-max-user

Parameter Description
v-gateway-name: Virtual gateway name.
cur-max-user cur-max-user: The maximum number of concurrent users that can connect to a virtual gateway.

Usage guide
The number of concurrent users supported by the USG is controlled by the system license. The number of concurrent users configured on each virtual gateway is limited by the total number of concurrent users. The maximum number of concurrent users of the virtual gateway is less than the maximum number of virtual gateway users.
By default, the maximum number of concurrent users of a virtual gateway is as follows:
If a virtual gateway has set the number of concurrent users, the number of concurrent users of the new virtual gateway is the number of concurrent users available under the system license.
If no virtual gateway has set the number of concurrent users, the number of concurrent users of the new virtual gateway is the number of concurrent users allowed by the system license.

Example
system-view
[sysname] v-gateway abc cur-max-user 20 //Set the maximum number of concurrent users of virtual gateway abc to 20.

Number of IPSec tunnels supported by the AR
Hi, I cannot answer this question. For details about product specifications, dial 4008229999.

Configuring IPSec VPN on the firewall
Configuring an SA on the USG

Creating a dynamic IPSec SA

1. The data between network A and network B is encrypted and securely transmitted through the IPSec tunnel between USG_A and USG_B. USG_A protects network 10.1.1.0/24, and its public address is 202.38.163.1/24. USG_B protects network 10.1.2.0/24, and its public address is 202.38.169.1/24.

Network A---USG_A----INTERNET-----USG_B---Network B

2. The configuration steps are as follows:

[USG_A] acl 3000 //Configure an ACL to match sensitive traffic packets.
[USG_A-acl-adv-3000] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[USG_A-acl-adv-3000] quit
[USG_A] ip route-static 10.1.2.0 255.255.255.0 202.38.163.2 //Configure a route.
[USG_A] ipsec proposal tran1 //Configure an IPSec proposal.
[USG_A-ipsec-proposal-tran1] encapsulation-mode tunnel
[USG_A-ipsec-proposal-tran1] transform esp
[USG_A-ipsec-proposal-tran1] esp authentication-algorithm sha1
[USG_A-ipsec-proposal-tran1] esp encryption-algorithm aes
[USG_A-ipsec-proposal-tran1] quit
[USG_A] ike proposal 10 //Configure an IKE proposal.
[USG_A-ike-proposal-10] authentication-method pre-share
[USG_A-ike-proposal-10] authentication-algorithm sha1
[USG_A-ike-proposal-10] integrity-algorithm hmac-sha1-96
[USG_A-ike-proposal-10] quit
[USG_A] ike peer b //Configure an IKE peer.
[USG_A-ike-peer-b] ike-proposal 10
[USG_A-ike-peer-b] remote-address 202.38.169.1
[USG_A-ike-peer-b] pre-shared-key abcde
[USG_A-ike-peer-b] quit
[USG_A] ipsec policy map1 10 isakmp //Configure an IPSec policy.
[USG_A-ipsec-policy-isakmp-map1-10] security acl 3000
[USG_A-ipsec-policy-isakmp-map1-10] proposal tran1
[USG_A-ipsec-policy-isakmp-map1-10] ike-peer b
[USG_A-ipsec-policy-isakmp-map1-10] quit
[USG_A] interface GigabitEthernet 0/0/2
[USG_A-GigabitEthernet0/0/2] ipsec policy map1 //Apply the IPSec policy to the interface.

[USG_B] acl 3000 //Configure an ACL to match sensitive traffic packets.
[USG_B-acl-adv-3000] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[USG_B-acl-adv-3000] quit
[USG_B] ip route-static 10.1.1.0 255.255.255.0 202.38.169.2 //Configure a route.
[USG_B] ipsec proposal tran1 //Configure an IPSec proposal.
[USG_B-ipsec-proposal-tran1] encapsulation-mode tunnel
[USG_B-ipsec-proposal-tran1] transform esp
[USG_B-ipsec-proposal-tran1] esp authentication-algorithm sha1
[USG_B-ipsec-proposal-tran1] esp encryption-algorithm aes
[USG_B-ipsec-proposal-tran1] quit
[USG_B] ike proposal 10 //Configure an IKE proposal.
[USG_B-ike-proposal-10] authentication-method pre-share
[USG_B-ike-proposal-10] authentication-algorithm sha1
[USG_B-ike-proposal-10] integrity-algorithm hmac-sha1-96
[USG_B-ike-proposal-10] quit
[USG_B] ike peer a //Configure an IKE peer.
[USG_B-ike-peer-a] ike-proposal 10
[USG_B-ike-peer-a] remote-address 202.38.163.1
[USG_B-ike-peer-a] pre-shared-key abcde
[USG_B-ike-peer-a] quit
[USG_B] ipsec policy map1 10 isakmp //Configure an IPSec policy.
[USG_B-ipsec-policy-isakmp-map1-10] security acl 3000
[USG_B-ipsec-policy-isakmp-map1-10] proposal tran1
[USG_B-ipsec-policy-isakmp-map1-10] ike-peer a
[USG_B-ipsec-policy-isakmp-map1-10] quit
[USG_B] interface GigabitEthernet 0/0/2
[USG_B-GigabitEthernet0/0/2] ipsec policy map1 //Apply the IPSec policy to the interface.
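The USG_A and USG_B configurations above only negotiate an SA when the two ends agree: the ACLs must be mirror images, the ESP algorithms and pre-shared key must match, and each remote-address must be the other side's public address. The Python check below is an added example, not part of the original page or any Huawei tool; the command lines are condensed from the transcript above, and parse, check_pair, PUBLIC and the 20-character min_psk_len threshold are assumptions of the example.

```python
import re

# Command lines condensed from the USG_A / USG_B transcript on this page.
USG_A = """\
rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
esp authentication-algorithm sha1
esp encryption-algorithm aes
remote-address 202.38.169.1
pre-shared-key abcde
"""
USG_B = """\
rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
esp authentication-algorithm sha1
esp encryption-algorithm aes
remote-address 202.38.163.1
pre-shared-key abcde
"""
PUBLIC = {"USG_A": "202.38.163.1", "USG_B": "202.38.169.1"}  # from the page

def parse(text):
    """Extract the settings that both ends of the tunnel must agree on."""
    cfg = {}
    m = re.search(r"rule permit ip source (\S+ \S+) destination (\S+ \S+)", text)
    cfg["src"], cfg["dst"] = m.groups()
    for key in ("esp authentication-algorithm", "esp encryption-algorithm",
                "remote-address", "pre-shared-key"):
        cfg[key] = re.search(rf"^{key} (\S+)$", text, re.M).group(1)
    return cfg

def check_pair(a, b, a_addr, b_addr, min_psk_len=20):
    """Return findings for a site-to-site pair (min_psk_len is an assumed policy)."""
    findings = []
    if (a["src"], a["dst"]) != (b["dst"], b["src"]):
        findings.append("ACLs are not mirror images")
    for key in ("esp authentication-algorithm", "esp encryption-algorithm"):
        if a[key] != b[key]:
            findings.append(f"{key} differs")
    if a["remote-address"] != b_addr or b["remote-address"] != a_addr:
        findings.append("remote-address does not point at the peer")
    if a["pre-shared-key"] != b["pre-shared-key"]:
        findings.append("pre-shared keys differ")
    elif len(a["pre-shared-key"]) < min_psk_len:
        findings.append("pre-shared key shorter than min_psk_len")
    if "sha1" in (a["esp authentication-algorithm"], b["esp authentication-algorithm"]):
        findings.append("ESP authentication uses sha1")
    return findings
```

Run against the page's pair, the consistency checks pass and the two remaining findings are the five-character sample key and the SHA-1 ESP authentication setting, both worth replacing before the configuration is reused outside a lab.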

IPSec VPN lifetime on the firewall
Interfaces supported by IPSec VPN reference on the USG

IPSec can be applied to Layer 3 physical interfaces, VLANIF interfaces, Layer 2 interfaces, tunnel interfaces, subinterfaces, and dialer interfaces.

1. Apply an IPSec policy on a Layer 3 physical interface.
system-view //Access the system view.
interface interface-type interface-number //Access the physical interface.
ipsec policy policy-name [ auto-neg ] //Apply the IPSec policy.

2. Apply an IPSec policy on a Layer 2 physical interface.
system-view //Access the system view.
interface interface-type interface-number //Access the physical interface.
ipsec policy policy-name [ auto-neg ] //Apply the IPSec policy.
Note: Before you establish an IPSec tunnel on a Layer 2 interface, you must first configure the IP address of the VLAN on which the Layer 2 interface resides.

3. Apply an IPSec policy group to a tunnel interface.
system-view
interface tunnel tunnel-number //Access the tunnel interface view.
tunnel-protocol ipsec //Set the encapsulation type on the tunnel interface to IPSec.
ipsec policy policy-name //Apply the IPSec policy group to the tunnel interface.
