Pitfalls of domestic Remote Access VPN or how to make it stable





Situation



Users of domestic VPN solutions complain about the stability and ease of use. As an engineer, I'm looking for the root of user problems.



Domestic VPN is like coffee: just as the taste and aroma of a cup depend on the skill of the barista, a VPN solution needs the right preparation. Using S-Terra VPN as an example, I will show what users complain about and how to avoid it.



Initial data



I have to move 500 employees to remote work. For this I use S-Terra VPN version 4.3. Of the vendor's products I need the S-Terra Gateway at the head office and the S-Terra Client software on the employees' laptops.



I use the S-Terra Gateway only for RA VPN. All 500 users connect to the gateway at the same time.



The head-on solution



In the IKE/IPsec architecture each client connection is a separate tunnel, so I need a gateway that can hold 500 tunnels at once. I open the vendor's website and see that three models fit:





Security Gateway model   Number of simultaneously operating tunnels

S-Terra Gateway 2000     500

S-Terra Gateway 3000     1000

S-Terra Gateway 7000     Not limited



I want to save some money, so I take the S-Terra Gateway 2000. Then I quietly begin to hate the world.



Pitfall 1. It takes time to build 500 tunnels



The user will come with something like this: "This Estera never connects the first time, never ever!"



In RA VPN the S-Terra Gateway acts as the responder for client connections. By my observations, roughly 10 tunnels per second get built (an average across the gateway models considered). So building 500 tunnels takes 50 seconds; round that up to an honest minute.



Our user is out of luck. Every time a user connects to the gateway, the connection request is queued, and the wait can reach 60 seconds. An impatient user will restart the client to reconnect and thereby land at the end of the queue. Instruct users that in such situations it is best to wait.



Pitfall 2. IPsec tunnels are periodically rebuilt



For the user it looks something like this: "This Estera periodically falls off and does not connect again the first time!"



The lifetime of an IPsec tunnel is limited either by the amount of traffic or by time. When the tunnel is rebuilt, a new symmetric session encryption key is generated.



Now imagine that the tunnels all decide to rebuild at roughly the same time: again a queue, again curses. To avoid this, set a delta (DELTA) on the Security Gateway, which randomly varies the lifetime of each tunnel so that the rebuilds are spread out in time.
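Both pitfalls come down to one queue: the gateway builds tunnels one after another at a fixed rate, and whoever is behind 499 other requests waits. The following script is an added example, not code from the article or from S-Terra; it models the responder as a single FIFO server with the 10 tunnels/s rate the article observed and uses it to answer two questions from the text: how much a user loses by restarting the client while queued, and how much a random lifetime spread (DELTA) shortens the queue when every tunnel comes up for rekey at once. The "all lifetimes expire at the same instant" case is the article's own scenario taken as given; the restart rule (old request dropped, new one at the tail) and the uniform DELTA distribution are assumptions of this model.

```python
import random
from collections import deque

# Responder build rate the article observed: about 10 tunnels per second,
# modelled here as a single FIFO server with a fixed service time per tunnel.
TUNNELS_PER_SECOND = 10.0
SERVICE_TIME = 1.0 / TUNNELS_PER_SECOND


def serve_fifo(requests):
    """Run (arrival_time, client_id) requests through the FIFO responder.

    Returns {client_id: wait_seconds}. Requests that arrive at the same
    instant are served in client_id order, i.e. the order they were queued.
    """
    free_at = 0.0
    waits = {}
    for arrival, client in sorted(requests):
        start = max(arrival, free_at)
        waits[client] = start - arrival
        free_at = start + SERVICE_TIME
    return waits


def connect_time(n_clients, position, patience=None):
    """Seconds until the client at `position` (0-based) in a burst of
    n_clients simultaneous connection attempts gets its tunnel.

    patience=None: the user waits it out.  patience=P: the user restarts the
    VPN client every P seconds while still waiting.  Assumption of this model:
    the abandoned request is dropped from the queue and the fresh one lands at
    the tail, as the article describes.
    """
    queue = deque(range(n_clients))   # everyone clicks "connect" at t = 0
    next_restart = patience
    slot = 0
    while queue:
        now = slot * SERVICE_TIME
        if patience is not None and now >= next_restart and position in queue:
            queue.remove(position)    # user killed the client: request gone...
            queue.append(position)    # ...and the new attempt joins the tail
            next_restart += patience
        served = queue.popleft()
        slot += 1
        if served == position:
            return slot * SERVICE_TIME
    raise ValueError("position must be smaller than n_clients")


def rekey_wave_max_wait(n_clients, lifetime, delta, seed=42):
    """Longest queueing wait when n_clients tunnels all come up for rekey.

    delta=0 is the article's bad case: every tunnel's lifetime expires at the
    same instant.  delta>0 models the gateway's DELTA setting: each tunnel's
    lifetime is drawn uniformly from [lifetime-delta, lifetime+delta], so the
    rekeys are spread across a 2*delta-second window.
    """
    rng = random.Random(seed)          # fixed seed keeps the run reproducible
    requests = [(lifetime + rng.uniform(-delta, delta), i)
                for i in range(n_clients)]
    return max(serve_fifo(requests).values())


if __name__ == "__main__":
    print("patient user, 400th in line:    %.1f s" % connect_time(500, 399))
    print("same user restarting every 20 s: %.1f s" % connect_time(500, 399, 20))
    print("rekey wave, no DELTA:    max wait %.1f s" % rekey_wave_max_wait(500, 3600, 0))
    print("rekey wave, DELTA=300 s: max wait %.1f s" % rekey_wave_max_wait(500, 3600, 300))
```

With 500 clients the patient user who is 400th in line connects after 40 s, while the one who restarts every 20 s ends up last and connects after 50 s. Without DELTA the rekey wave reproduces the full 50-second queue; spreading 500 rekeys over a 600-second window keeps the longest wait well under a second.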



Pitfall 3. Security gateways are limited in encryption performance



I open the vendor's website and see:



Security Gateway model   Maximum encryption performance, Mbps   IMIX encryption performance, Mbps

S-Terra Gateway 2000     380                                    250

S-Terra Gateway 3000     1550                                   1180

S-Terra Gateway 7000     3080                                   2030



What performance should you focus on?



On IMIX. The maximum encryption performance is, as a rule, measured on large packets and is hardly applicable to a real network.



To avoid drops, unstable operation and disconnections, you need to estimate the average traffic volume generated by one client connection. For example, my users work with RDP, mail and a document workflow system. I estimate the traffic at 2 Mbps on average per connection, 1000 Mbps in total. I add a margin of 1 Mbit/s per connection for peak load, which gives 1500 Mbit/s at peak for 500 simultaneous connections.



I rule out the S-Terra Gateway 2000 and look towards the S-Terra Gateway 7000.



The head-on solution: one S-Terra Gateway 7000 and 500 clients.



Optimizing the solution



I want a fault-tolerant solution and a shorter wait in the queue, so I consider the options.



Two S-Terra Gateway 3000



I split the clients in half, 250 connections per gateway. The maximum wait in the queue on first connection will be 250/10, about 25 seconds. The queue when tunnels are rebuilt I solve by setting DELTA. If one of the gateways fails, its load moves to the second gateway (albeit without a performance margin).



Five S-Terra Gateway 2000



The option for maximum performance: 100 client connections per gateway and a maximum queue wait of 10 seconds, but no performance headroom.



S-Terra's price list is public. I compare the cost of the options above (at a dollar rate of 73 rubles):



Option                                   Price, rub

S-Terra Gateway 7000 + 500 clients       4 533 270

2 x S-Terra Gateway 3000 + 500 clients   4 564 680

5 x S-Terra Gateway 2000 + 500 clients   4 980 300



I choose the second option: two S-Terra Gateway 3000 and 500 clients. 31,000 rubles for fault tolerance and a shorter queue is a good price. The vendor's management system is optional; take it if you want.
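The sizing argument above (queue length from the build rate, throughput against the IMIX figure with a per-connection peak margin, what one surviving gateway would have to carry, and the price difference) is mechanical enough to put into a small calculator. The script below is an added example, not code from the article or from the vendor; the tunnel limits, IMIX figures and bundle prices are the ones quoted in the article's tables, the 10 tunnels/s build rate is the article's observation, and the even split of clients across identical gateways is this example's assumption.

```python
import math

# Figures quoted in the article: tunnel limits (None = not limited) and
# IMIX encryption performance in Mbps.
GATEWAYS = {
    "S-Terra Gateway 2000": {"tunnels": 500,  "imix_mbps": 250},
    "S-Terra Gateway 3000": {"tunnels": 1000, "imix_mbps": 1180},
    "S-Terra Gateway 7000": {"tunnels": None, "imix_mbps": 2030},
}
# Bundle prices from the article's comparison, in rubles.
BUNDLE_PRICE_RUB = {
    "1 x S-Terra Gateway 7000 + 500 clients": 4_533_270,
    "2 x S-Terra Gateway 3000 + 500 clients": 4_564_680,
    "5 x S-Terra Gateway 2000 + 500 clients": 4_980_300,
}
TUNNELS_PER_SECOND = 10.0   # responder build rate observed in the article


def size_option(model, units, clients, avg_mbps, peak_margin_mbps):
    """Evaluate `units` identical gateways of `model` sharing `clients`
    RA VPN connections evenly (assumption of this example).

    Throughput is checked against the IMIX figure, not the headline maximum.
    The failover_* keys answer the N-1 question: after one gateway fails,
    can a single surviving gateway take every client?
    """
    spec = GATEWAYS[model]
    limit = spec["tunnels"]
    per_gw = math.ceil(clients / units)

    def fits(n_connections, mbps_per_connection):
        return n_connections * mbps_per_connection <= spec["imix_mbps"]

    def tunnels_ok(n_connections):
        return limit is None or n_connections <= limit

    peak = avg_mbps + peak_margin_mbps
    return {
        "clients_per_gateway": per_gw,
        "max_queue_wait_s": per_gw / TUNNELS_PER_SECOND,
        "tunnel_limit_ok": tunnels_ok(per_gw),
        "avg_load_mbps": per_gw * avg_mbps,
        "peak_load_mbps": per_gw * peak,
        "avg_fits": fits(per_gw, avg_mbps),
        "peak_fits": fits(per_gw, peak),
        "failover_possible": units > 1,
        "failover_tunnels_ok": units > 1 and tunnels_ok(clients),
        "failover_avg_fits": units > 1 and fits(clients, avg_mbps),
        "failover_peak_fits": units > 1 and fits(clients, peak),
    }


def price_premium_rub(option):
    """How much more `option` costs than the cheapest bundle in the list."""
    return BUNDLE_PRICE_RUB[option] - min(BUNDLE_PRICE_RUB.values())


if __name__ == "__main__":
    # The article's numbers: 500 clients, 2 Mbps average, +1 Mbps peak margin.
    for model, units in (("S-Terra Gateway 7000", 1),
                         ("S-Terra Gateway 3000", 2),
                         ("S-Terra Gateway 2000", 5)):
        r = size_option(model, units, 500, 2, 1)
        print("%d x %s: %d clients/gw, max wait %.0f s, peak fits %s, "
              "N-1 avg fits %s, N-1 peak fits %s"
              % (units, model, r["clients_per_gateway"], r["max_queue_wait_s"],
                 r["peak_fits"], r["failover_avg_fits"], r["failover_peak_fits"]))
    for option in BUNDLE_PRICE_RUB:
        print("%s: +%d rub over the cheapest" % (option, price_premium_rub(option)))
```

Run with the article's inputs, the single 7000 passes every throughput check but offers no failover; the pair of 3000s holds the peak load with 250 clients each and, with one gateway down, still carries all 500 at the average rate but not at the peak; the five 2000s exceed their IMIX figure already at the per-gateway peak load. The price premium of the two-gateway option over the single 7000 is 31 410 rubles.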



Outcome



The recipe for a delicious RA VPN:



  • Determine the number of client connections;
  • Estimate the average traffic volume from a client connection;
  • Balance client connections across multiple gateways;
  • Consider the architectural effects (queuing and tunnel rebuilding).




As the student says, round!



Anonymous engineer

t.me/anonimous.engineer


