Mar 08

MultiLink VPN works, it just does.

Live from Field, MultiLink VPN -

Most posts here are about new software features or products, and the use of those. Today I want to give you a small insight into a real-world setup, and a quite unusual one as well.

Starting in 2005, calls for a company-wide security policy came up, together with the wish to connect all relevant outposts of the company to the headquarters and their regional offices. We’re talking about 75 offices for phase 1, and 120 for phase 2.

Both classic VPN and MPLS were considered, but neither combined high availability and scalability with provider independence and manageable costs. First tests with StoneGate soon revealed the power of MultiLink VPN and Firewall Policy Templates. After a 2-month test phase, and a complete rebuild of the headquarters network, we rolled out 75 offices in 4 months, including several production plants. Last year, phase 2 was due, and another 50 offices were added. Now the picture in SMC5.1.1 looks like this:


written by jebATpop-i - 3,244 views

Jan 30

Set up multi-homing using Multi-Link?

MultiLink VPN -

Hello,

I’ve been on your main site looking for something to use as a bit of a sales tool to demonstrate how straightforward it is to set up multi-homing using Multi-Link. Can’t find anything.

Do you have anything I can point my customers to which is similar to Cisco’s explanation here of how to configure BGP for multi-homing?

http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a008009456d.shtml

written by gizago - 2,221 views

Dec 19

How traffic is balanced in MultiLink VPN

MultiLink VPN, Tech dives -

Traffic is balanced proportionally between the netlinks, using measured throughput and packet success rate as the criteria for link performance.

The measurement is based on lazy acknowledgements, i.e. the receiving end tells the sender how many packets it has received during the last second (if there is any traffic).

The link selection is also made as stable as possible because of some properties of IPsec VPN. A link is changed only if its performance drops below a fixed threshold value.

If performance goes under the threshold (128), the standby activation counter is increased. This performance check is done when a packet arrives at the multi-link VPN module and a certain time (about 1 sec) has elapsed. If the counter value is greater than 2, the link is marked offline.

Therefore a fail-over from one link to another usually takes 8-12 seconds if one link fails totally.

Measuring of RTT is not done for feasibility reasons, since the load on the other end also affects the measurement. That measurement would also require some kind of periodical query – response mechanism.

It’s probably not possible to compensate for network jitter using multiple links at all; that would require being able to somehow “forecast” the changes in RTT.

Multi-link VPN provides availability in case an ISP connection fails, but is not able to guarantee QoS.

Roar!

written by RoarinPenguin - 1,453 views
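
The counter rule and proportional split described in the post above, as an added Python example (not StoneGate code and not written by the post's author). The threshold of 128 and the "greater than 2" rule come from the post; the 0-255 performance scale, the throughput × success weighting, the counter reset on recovery and the link names are assumptions. It counts performance checks only and does not model the 8-12 second fail-over time.

```python
from dataclasses import dataclass

THRESHOLD = 128   # performance threshold quoted in the post
MAX_COUNT = 2     # link goes offline once the counter exceeds this

@dataclass
class NetLink:
    name: str
    throughput: float = 0.0   # packets the peer acknowledged in the last interval
    success: float = 1.0      # acknowledged / sent for that interval
    counter: int = 0          # the post's "standby activation counter"
    online: bool = True

    def performance(self) -> int:
        # Assumption: success rate scaled to 0..255, so 128 is roughly 50 %.
        return int(self.success * 255)

    def check(self, sent: int, acked: int) -> bool:
        """One periodic check, fed by the peer's lazy acknowledgement."""
        if sent == 0:              # no traffic, so no acknowledgement to judge
            return self.online
        self.throughput, self.success = float(acked), acked / sent
        if self.performance() < THRESHOLD:
            self.counter += 1
        else:
            self.counter = 0       # assumption: recovery resets the counter
        if self.counter > MAX_COUNT:
            self.online = False
        return self.online

def shares(links):
    """Split traffic over online links in proportion to throughput * success."""
    weights = {l.name: l.throughput * l.success for l in links if l.online}
    total = sum(weights.values())
    return {n: (w / total if total else 1 / len(weights)) for n, w in weights.items()}

def simulate():
    """Constructed sample: link isp-b starts dropping everything at the third check."""
    a, b = NetLink("isp-a"), NetLink("isp-b")
    history = []
    for tick in range(6):
        a.check(sent=1000, acked=990)
        b.check(sent=500, acked=495 if tick < 2 else 0)
        history.append((tick, b.counter, b.online, shares([a, b])))
    return history

if __name__ == "__main__":
    for row in simulate():
        print(row)
```

In the constructed run, isp-b stays online through two failed checks and is marked offline on the third, which is the stability the post describes: a single bad interval does not move the tunnel.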