FortiWAN Tunnel Routing

IPSec Support

Although Tunnel Routing provides basic data protection of its own by encrypting the data payload of the original packets, it is not as secure as standard IPSec protection. IPSec defines rigorous procedures for security parameter negotiation, key exchange and authentication to prevent compromise. IPSec supports a variety of encryption and authentication algorithms and key strengths, so that different security levels are available. With IPSec protection, a standard virtual private network (VPN) can be implemented.

Although Tunnel Routing connects two incompatible networks (private networks) by tunneling through the Internet, it is not a standard VPN, because it lacks the required security. FortiWAN IPSec (Transport mode) can protect Tunnel Routing tunnels, so that Tunnel Routing qualifies as a standard VPN. With IPSec protection, Tunnel Routing not only operates more securely, but also keeps the advantages of bandwidth aggregation and fault tolerance between tunnels. The only sacrifice is that dynamic IP addresses and NAT pass-through are not supported for Tunnel Routing over IPSec. In addition, deployments of Tunnel Routing over IPSec are limited. For more information about Tunnel Routing over IPSec, please refer to “IPSec – About FortiWAN IPSec VPN”, “Limitation in the IPSec deployment” and “IPSec – Define routing policies for an IPSec VPN”.

Performance

Tunnel Routing spreads the packets of a session over multiple tunnels, restores their correct order at the opposite site, and then forwards the well-ordered packets to their destinations. Differences in tunnel quality (the Round Trip Time between the two ends of a tunnel) cause packets to arrive with different latencies, which is the major factor in data transmission performance. A poor-quality tunnel, or a large difference in quality between tunnels, raises the probability of packet loss and retransmission, which severely decreases Tunnel Routing transmission performance.

Throughput of a tunnel

As described previously, a logical tunnel is established between two FortiWAN units via two physical WAN links (such as WAN1 of FWN-A and WAN2 of FWN-B in the above diagram). The throughput of the tunnel is bounded by whichever of the two WAN links has the lower throughput. For example, if the throughput of the two WAN links is 30Mbps and 50Mbps respectively, packets cannot be transferred through the tunnel faster than 30Mbps. We can roughly say that the throughput of the tunnel is 30Mbps.

Latency of a tunnel group

Ideally, we would expect Tunnel Routing to transfer the packets of a session at a speed equal to the aggregated throughput of the tunnels (the packets of the session are transferred via the two tunnels). For example, you might expect a speed close to 100Mbps if both tunnels are 50Mbps. However, real network latency and the behaviour of transport layer protocols make it impossible to aggregate bandwidth this perfectly. We tried to identify the factors affecting Tunnel Routing performance, and network latency is clearly the major one. If the packets of a session are transferred via a group of tunnels (the packets are distributed among the tunnels; the concept of a tunnel group is introduced in Tunnel Routing – Setting), the performance of the transmission is mainly governed by the highest latency among the participating tunnels. For example, if the connection latency of two tunnels (such as Tunnel1 and Tunnel2 in the above diagram) is 10ms and 30ms respectively, a transmission via the two tunnels will suffer a 30ms delay. We can roughly say that the latency experienced by the tunnel group is 30ms.

Evaluation of your tunnels

The throughput and quality of WAN links are therefore the important factors when planning a Tunnel Routing network. Basically, WAN links with better quality (lower latency) bring better performance for Tunnel Routing transmission. Measuring the latency of every pair of WAN links between two FortiWAN units in advance helps you choose the WAN links for the Tunnel Routing network. For example, suppose two FortiWAN units each have three WAN links, and the latency of every pair of WAN links between the two units is as follows:

             FWN-A-WAN1   FWN-A-WAN2   FWN-A-WAN3
FWN-B-WAN1   45ms         50ms         15ms
FWN-B-WAN2   30ms         55ms         65ms
FWN-B-WAN3   55ms         20ms         52ms

According to the above measurements, the pairs FWN-A WAN1 / FWN-B WAN2, FWN-A WAN2 / FWN-B WAN3, and FWN-A WAN3 / FWN-B WAN1 are the best connections among all the pairs. These three WAN link pairs appear qualified for establishing tunnels in your Tunnel Routing network. You can pick two or three of them and combine them into a tunnel group. FortiWAN provides a benchmark (see “Tunnel Routing – Benchmark”) to measure latency (RTT) and evaluate tunnels, which is helpful when planning a Tunnel Routing network.

Now let’s see how latency influences Tunnel Routing performance. If the WAN link pairs FWN-A WAN1 / FWN-B WAN2 and FWN-A WAN3 / FWN-B WAN1 are used to establish the tunnels of a tunnel group, the throughput of the WAN links and of the two tunnels is as follows:

                      Tunnel 1                   Tunnel 2
                      FWN-A-WAN1   FWN-B-WAN2    FWN-A-WAN3   FWN-B-WAN1
Throughput/WAN link   50Mbps       60Mbps        100Mbps      50Mbps
Throughput/tunnel     50Mbps                     50Mbps

As discussed previously, the throughput of a tunnel is bounded by its slower WAN link, so the throughput of each of the two tunnels is bounded to 50Mbps. Similarly, by the previous definition, transmission through the tunnel group consisting of the two tunnels suffers a 30ms delay, the higher latency of the two tunnels. However, according to our measurements, this Tunnel Routing deployment (two 50Mbps tunnels with 30ms latency) achieves 69Mbps, which is 69% usage of the two tunnels (69Mbps / (50Mbps + 50Mbps)). During the measurement of tunnel performance and latency, the bandwidth of the participating WAN links was wholly available to the Tunnel Routing transmission; no other traffic occupied the bandwidth.

                          Tunnel Group
                          Tunnel 1     Tunnel 2
Latency/tunnel            30ms         15ms
Latency/tunnel group      30ms
Throughput/tunnel         50Mbps       50Mbps
Throughput/tunnel group   69Mbps
Bandwidth Usage           69%

With the same tunnel group latency, higher throughput on each participating tunnel yields a lower aggregation percentage; in other words, the higher the throughput of the tunnels, the lower the latency required to keep the aggregation percentage at the same level. For example, the following measurements show how the aggregation percentage of tunnel performance varies with a single tunnel’s throughput under the same latency.

                          Tunnel Group            Tunnel Group            Tunnel Group
                          Tunnel 1   Tunnel 2     Tunnel 1   Tunnel 2     Tunnel 1   Tunnel 2
Latency/tunnel group      30ms                    30ms                    30ms
Throughput/tunnel         50Mbps     50Mbps       100Mbps    100Mbps      250Mbps    250Mbps
Throughput/tunnel group   69Mbps                  70Mbps                  92Mbps
Bandwidth Usage           69%                     35%                     18%

Under the same conditions, the packets of a session are transferred through a tunnel group consisting of two 100Mbps tunnels at a maximum of 70Mbps, and the bandwidth usage of the two tunnels drops to 35%. A latency of less than 5ms might be required to bring the bandwidth usage of two 100Mbps tunnels close to 60%.

The above measurements give a basic idea of how the performance of a Tunnel Routing transmission is influenced. Both the throughput (bandwidth) of a single WAN link and its connection latency strongly influence performance, and these factors matter greatly when planning your Tunnel Routing deployment. The above data is for your reference; some variation in the details is possible.
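The planning rules in the sections above (pick the lowest-latency disjoint WAN link pairs from the measured RTT matrix, bound each tunnel by its slower WAN link, take the highest tunnel latency as the group latency, and express measured group throughput as a percentage of the summed tunnel capacity) are simple enough to script. The following Python is an added example written for this page; it is not FortiWAN code and does not talk to a FortiWAN unit. The RTT matrix and the throughput and measured figures are the ones from the tables above; the measured group throughputs are inputs, since they can only be obtained by benchmarking, not derived. The pair-selection routine goes slightly beyond the guide in that it searches every disjoint assignment and picks the one with the lowest worst-case RTT, which is what the guide's hand-picked pairs happen to be.

```python
"""Tunnel Routing planning helper (added example, not FortiWAN code)."""
from dataclasses import dataclass
from itertools import permutations

# Constructed from the guide's measurement table: RTT in ms between each
# FWN-A WAN link (outer key) and each FWN-B WAN link (inner key).
LATENCY_MS = {
    "FWN-A-WAN1": {"FWN-B-WAN1": 45, "FWN-B-WAN2": 30, "FWN-B-WAN3": 55},
    "FWN-A-WAN2": {"FWN-B-WAN1": 50, "FWN-B-WAN2": 55, "FWN-B-WAN3": 20},
    "FWN-A-WAN3": {"FWN-B-WAN1": 15, "FWN-B-WAN2": 65, "FWN-B-WAN3": 52},
}


def best_pairing(latency):
    """Choose disjoint WAN link pairs (one tunnel each) that minimise the
    worst RTT, breaking ties on total RTT. Group latency is set by the
    slowest tunnel, so the maximum is the value worth minimising.
    Brute force over permutations is fine for the handful of links a unit has."""
    a_links = list(latency)
    b_links = sorted({b for row in latency.values() for b in row})
    if len(a_links) > len(b_links):
        # Transpose so the side with fewer links is the one being assigned.
        transposed = {b: {a: latency[a][b] for a in a_links} for b in b_links}
        return {a: b for b, a in best_pairing(transposed).items()}
    best, best_key = None, None
    for choice in permutations(b_links, len(a_links)):
        rtts = [latency[a][b] for a, b in zip(a_links, choice)]
        key = (max(rtts), sum(rtts))
        if best_key is None or key < best_key:
            best, best_key = dict(zip(a_links, choice)), key
    return best


@dataclass(frozen=True)
class Tunnel:
    """One logical tunnel built over a pair of physical WAN links."""
    name: str
    a_link: str
    b_link: str
    a_mbps: float       # throughput of the FWN-A side WAN link
    b_mbps: float       # throughput of the FWN-B side WAN link
    latency_ms: float   # measured RTT between the two links

    @property
    def throughput_mbps(self):
        # The tunnel is bounded by whichever WAN link is slower.
        return min(self.a_mbps, self.b_mbps)


def evaluate_group(tunnels, measured_mbps):
    """Summarise a tunnel group the way the guide's tables do.
    measured_mbps is the benchmarked group throughput (an input, not derived)."""
    capacity = sum(t.throughput_mbps for t in tunnels)
    return {
        "latency_ms": max(t.latency_ms for t in tunnels),
        "capacity_mbps": capacity,
        "measured_mbps": measured_mbps,
        # Bandwidth usage / aggregation percentage, one decimal place.
        "usage_pct": round(100.0 * measured_mbps / capacity, 1),
    }


if __name__ == "__main__":
    pairs = best_pairing(LATENCY_MS)
    for a, b in pairs.items():
        print(f"{a} <-> {b}: {LATENCY_MS[a][b]}ms")
    # The guide's two-tunnel group: WAN1/WAN2 at 50/60Mbps, WAN3/WAN1 at 100/50Mbps.
    group = [
        Tunnel("Tunnel 1", "FWN-A-WAN1", "FWN-B-WAN2", 50, 60, 30),
        Tunnel("Tunnel 2", "FWN-A-WAN3", "FWN-B-WAN1", 100, 50, 15),
    ]
    print(evaluate_group(group, measured_mbps=69))
```

Running the module prints the three lowest-RTT pairs (WAN1/WAN2 at 30ms, WAN2/WAN3 at 20ms, WAN3/WAN1 at 15ms) and then the group summary with a 30ms group latency, 100Mbps capacity and 69% usage, matching the first table. Feeding the same function the 100Mbps and 250Mbps configurations reproduces the 35% and 18% usage figures, which makes the script a convenient way to turn your own benchmark numbers into the same comparison.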


This entry was posted in Administration Guides, FortiWAN on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
