Improving IPsec VPN Traffic Performance


IPsec VPN traffic performance can be improved, and packet forwarding overhead minimized, by enabling VPN session affinity and performance acceleration.

Understanding VPN Session Affinity

VPN session affinity addresses the case where a cleartext session is located on a Services Processing Unit (SPU) that is different from the SPU where the IPsec tunnel session is located. The goal of VPN session affinity is to locate the cleartext session and the IPsec tunnel session on the same SPU. This feature is supported only on SRX5400, SRX5600, and SRX5800 devices.

Without VPN session affinity, a cleartext session created by a flow might be located in one SPU and the tunnel session created by IPsec might be located in another SPU. An SPU to SPU forward or hop is needed to route cleartext packets to the IPsec tunnel.

By default, VPN session affinity is disabled on SRX Series devices. When VPN session affinity is enabled, a new cleartext session is placed on the same SPU as the IPsec tunnel session. Existing cleartext sessions are not affected.

Junos OS Release 15.1X49-D10 introduces the SRX5K-MPC3-100G10G (IOC3) and the SRX5K-MPC3-40G10G (IOC3) for SRX5400, SRX5600, and SRX5800 devices.

The SRX5K-MPC (IOC2) and the IOC3 support VPN session affinity through an improved flow module and session cache. With these IOCs, the flow module creates the sessions for IPsec tunnel-based traffic (before encryption and after decryption) on the tunnel-anchored SPU and installs session cache entries for them, so that the IOC can redirect subsequent packets to the same SPU and minimize packet forwarding overhead. Express Path (previously known as services offloading) traffic and NP cache traffic share the same session cache table on the IOCs.

To display active tunnel sessions on SPUs, use the show security ipsec security-associations command and specify the Flexible PIC Concentrator (FPC) and Physical Interface Card (PIC) slots that contain the SPU. For example:

Note

You need to evaluate the tunnel distribution and traffic patterns in your network to determine if VPN session affinity should be enabled.

Starting with Junos OS Release 12.3X48-D50, Junos OS Release 15.1X49-D90, and Junos OS Release 17.3R1, if VPN session affinity is enabled on SRX5400, SRX5600, and SRX5800 devices, the tunnel overhead is calculated according to the negotiated encryption and authentication algorithms on the anchor Services Processing Unit (SPU). If the configured encryption or authentication changes, the tunnel overhead is updated on the anchor SPU when a new IPsec security association is established.

The VPN session affinity limitations are as follows:

  • Traffic across logical systems is not supported.

  • If there is a route change, established cleartext sessions remain on an SPU and traffic is rerouted if possible. Sessions created after the route change can be set up on a different SPU.

  • VPN session affinity only affects self traffic that terminates on the device (also known as host-inbound traffic); self traffic that originates from the device (also known as host-outbound traffic) is not affected.

  • Multicast replication and forwarding performance is not affected.

Enabling VPN Session Affinity

By default, VPN session affinity is disabled on SRX Series devices. Enabling VPN session affinity can improve VPN throughput under certain conditions. This feature is supported only on SRX5400, SRX5600, and SRX5800 devices. This section describes how to use the CLI to enable VPN session affinity.

Determine if clear-text sessions are being forwarded to IPsec tunnel sessions on a different SPU. Use the show security flow session command to display session information about clear-text sessions.

In the example, there is a tunnel session on FPC 3, PIC 0 and a clear-text session on FPC 6, PIC 0. A forwarding session (session ID 60017354) is set up on FPC 3, PIC 0.

Note

Junos OS Release 15.1X49-D10 introduces session affinity support on IOCs (SRX5K-MPC [IOC2], SRX5K-MPC3-100G10G [IOC3], and SRX5K-MPC3-40G10G [IOC3]) and Junos OS Release 12.3X48-D30 introduces session affinity support on IOC2. You can enable session affinity for the IPsec tunnel session on the IOC FPCs. To enable IPsec VPN affinity, you must also enable the session cache on IOCs by using the set chassis fpc fpc-slot np-cache command.

To enable VPN session affinity:

  1. In configuration mode, use the set command to enable VPN session affinity.
  2. Check your changes to the configuration before committing.
  3. Commit the configuration.

After enabling VPN session affinity, use the show security flow session command to display session information about clear-text sessions.

After VPN session affinity is enabled, the clear-text session is always located on FPC 3, PIC 0.

Accelerating the IPsec VPN Traffic Performance

You can accelerate IPsec VPN performance by configuring the performance acceleration parameter. By default, VPN performance acceleration is disabled on SRX Series devices. Enabling VPN performance acceleration can improve VPN throughput when VPN session affinity is also enabled. This feature is supported only on SRX5400, SRX5600, and SRX5800 devices.

This topic describes how to use the CLI to enable VPN performance acceleration.

Note

To enable performance acceleration, you must ensure that cleartext sessions and IPsec tunnel sessions are established on the same Services Processing Unit (SPU). Starting with Junos OS Release 17.4R1, IPsec VPN performance is optimized when the VPN session affinity and performance acceleration features are enabled. For more information on enabling session affinity, see Understanding VPN Session Affinity.

To enable IPsec VPN performance acceleration:

  1. Enable VPN session affinity.
  2. Enable IPsec performance acceleration.
  3. Check your changes to the configuration before committing.
  4. Commit the configuration.

After enabling VPN performance acceleration, use the show security flow status command to display flow status.
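The two procedures above (enabling VPN session affinity, then performance acceleration), carried through as one Junos CLI session. This is an added illustration, not a transcript from the page: the FPC and PIC slot numbers (tunnel SPU in FPC 3/PIC 0, IOC in slot 5) and the prompt are assumptions, and lines beginning with # are annotations rather than CLI input. The configuration statements are the ones documented for these features on the SRX5000 line; the page itself names only the np-cache statement, so confirm the others against the release notes for your Junos OS version.

```junos
# Added example: enable VPN session affinity and performance acceleration
# on an SRX5000-line device. Slot numbers are assumed for illustration.

# 1. Record where the tunnel and cleartext sessions currently sit, so the
#    effect of the change can be confirmed afterwards. The tunnel session
#    here is assumed to be anchored on the SPU in FPC 3, PIC 0.
user@srx> show security ipsec security-associations fpc 3 pic 0
user@srx> show security flow session

# 2. Session affinity on IOC2/IOC3 requires the session cache on each IOC
#    that carries the tunnel traffic (assumed to be the IOC in slot 5).
user@srx> configure
user@srx# set chassis fpc 5 np-cache

# 3. Enable VPN session affinity for IPsec.
user@srx# set security flow load-distribution session-affinity ipsec

# 4. Enable performance acceleration. This depends on session affinity,
#    because cleartext and tunnel sessions must share an SPU.
user@srx# set security flow ipsec-performance-acceleration

# 5. Review the change before committing, then commit.
user@srx# show | compare
user@srx# commit and-quit

# 6. Verify. Existing cleartext sessions are unaffected; new cleartext
#    sessions should now be created on the tunnel's SPU (FPC 3, PIC 0),
#    and flow status should reflect the acceleration setting.
user@srx> show security flow session
user@srx> show security flow status
```

Because only new cleartext sessions are placed on the tunnel's SPU, a session that already spans two SPUs keeps its SPU-to-SPU hop until it ages out or is cleared; comparing the show security flow session output from step 1 with step 6 is the practical check that affinity is taking effect.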

Improving IPsec Performance with PowerMode IPsec

PowerMode IPsec (PMI) is a new mode of operation for SRX4100, SRX4200, SRX5400, SRX5600, SRX5800, and vSRX instances that improves IPsec performance using Vector Packet Processing (VPP) and Intel AES-NI instructions. When PMI is enabled, a small software block inside the Packet Forwarding Engine bypasses flow processing and uses the AES-NI instruction set for optimized IPsec processing.

You enable PMI processing by using the set security flow power-mode-ipsec command. You must reboot the device to apply the statement.

Note

To disable PMI processing, use the delete security flow power-mode-ipsec command to delete the statement from the configuration and then reboot the device.

Packets cannot pass through PMI when firewall or advanced security services are combined with IPsec. PMI must therefore not be used when firewall or advanced security services are combined with IPsec.

A tunnel session can either be PMI or non-PMI. If a session is configured with any of the non-supported features listed in Table 1, the session is marked as non-PMI and the tunnel will go into non-PMI mode. Once the tunnel goes into the non-PMI mode, it will not go back to the PMI mode.

Table 1 summarizes the features supported in PMI, along with the features that are not supported.

Table 1: Summary of Features Supported in PowerMode IPsec

Supported Features in PowerMode IPsec

  • Auto Discovery VPN (ADVPN)

  • Internet Key Exchange (IKE) functionality

  • AutoVPN

  • High-availability

  • IPv6

  • Stateful firewall

  • st0 interface

  • Traffic selectors

Non-Supported Features in PowerMode IPsec

  • IPsec-in-IPsec tunnels

  • Layer 4 - 7 applications: application firewall and AppSecure

  • GPRS tunneling protocol (GTP) and Stream Control Transmission Protocol (SCTP) firewalls

  • Host traffic

  • Multicast

  • NAT

  • Nested tunnels

  • Quality of service (QoS)

  • Screen options

Note the following usage considerations with PMI:

  • The maximum supported antireplay window size is 64 packets.

  • PMI checks for pre-fragmentation and post-fragmentation. If PMI detects packets that require pre-fragmentation or post-fragmentation, those packets are not allowed through PMI mode and are returned to non-PMI processing.

  • Any fragments received on an interface will not go through PMI.

  • PMI is supported on link aggregation group (LAG) and redundant Ethernet (reth) interfaces with only one member.

Benefits of PowerMode IPsec

  • Enhances the performance of IPsec.

Understanding the Loopback Interface for a High Availability VPN

In an IPsec VPN tunnel configuration, an external interface must be specified to communicate with the peer IKE gateway. Specifying a loopback interface for the external interface of a VPN is a good practice when there are multiple physical interfaces that can be used to reach a peer gateway. Anchoring a VPN tunnel on the loopback interface removes the dependency on a physical interface for successful routing.

Using a loopback interface for VPN tunnels is supported on standalone SRX Series devices as well as on SRX Series devices in chassis clusters. In a chassis cluster active-passive deployment, you can create a logical loopback interface and make it a member of a redundancy group so that it can be used to anchor VPN tunnels. The loopback interface can be configured in any redundancy group and is assigned as the external interface for the IKE gateway. VPN packets are processed on the node where the redundancy group is active.

Note

On SRX5400, SRX5600, and SRX5800 devices, if the loopback interface is used as the IKE gateway external interface, it must be configured in a redundancy group other than RG0.

In a chassis cluster setup, the node on which the external interface is active selects an SPU to anchor the VPN tunnel. IKE and IPsec packets are processed on that SPU. Thus the active external interface determines the anchor SPU.

You can use the show chassis cluster interfaces command to view information on the redundant pseudointerface.
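The loopback anchoring described above, as an added configuration example (not taken from the page). It assumes an active-passive chassis cluster, redundancy group 1 (the page requires a group other than RG0 on the SRX5000 line), loopback address 192.0.2.1/32, peer address 203.0.113.10, and that the IKE policy IKE-POL and IPsec policy IPSEC-POL are defined elsewhere; all of those names and addresses are placeholders. Lines beginning with # are annotations.

```junos
# Added example: anchor an IKE gateway on lo0 in a chassis cluster so the
# tunnel does not depend on any single physical interface.

# Redundancy group 1 with node 0 preferred. RG0 must not be used for the
# loopback on SRX5400/SRX5600/SRX5800.
set chassis cluster redundancy-group 1 node 0 priority 100
set chassis cluster redundancy-group 1 node 1 priority 1

# Loopback address used as the VPN endpoint. Making lo0 a member of RG1
# means it is active on whichever node owns RG1, and VPN packets are
# processed on that node.
set interfaces lo0 unit 0 family inet address 192.0.2.1/32
set interfaces lo0 redundant-pseudo-interface-options redundancy-group 1

# The loopback must accept IKE from the peer; place it in the external
# zone and allow only the IKE system service on it.
set security zones security-zone untrust interfaces lo0.0 host-inbound-traffic system-services ike

# IKE gateway anchored on lo0.0 instead of a physical interface.
set security ike gateway PEER-GW ike-policy IKE-POL
set security ike gateway PEER-GW address 203.0.113.10
set security ike gateway PEER-GW external-interface lo0.0

# Route-based VPN bound to st0.0 and using the gateway above.
set security ipsec vpn PEER-VPN bind-interface st0.0
set security ipsec vpn PEER-VPN ike gateway PEER-GW
set security ipsec vpn PEER-VPN ike ipsec-policy IPSEC-POL

# Verification (operational mode): which node owns RG1 and the state of
# the redundant pseudointerface.
# user@srx> show chassis cluster status
# user@srx> show chassis cluster interfaces
```

The peer must be able to reach 192.0.2.1 over whichever physical interface is currently usable, so the loopback address has to be advertised or routed on the peer side; that routing is outside this example. Restricting host-inbound traffic on lo0.0 to the IKE service keeps the VPN endpoint from exposing other management services on the same address.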

Release History Table

Release        Description
17.4R1         Starting with Junos OS Release 17.4R1, IPsec VPN performance is optimized when the VPN session affinity and performance acceleration features are enabled.
12.3X48-D50    Starting with Junos OS Release 12.3X48-D50, Junos OS Release 15.1X49-D90, and Junos OS Release 17.3R1, if VPN session affinity is enabled on SRX5400, SRX5600, and SRX5800 devices, the tunnel overhead is calculated according to the negotiated encryption and authentication algorithms on the anchor Services Processing Unit (SPU).