Load sharing IPSec tunnels

stakano · ‎05-18-2002

I have a 2621 router that terminates 2 T1 links with per packet load sharing on my outbound connections.

I would like to implement IPSec tunnels that terminate on these routers, and have the traffic load shared between the two links.

Though, I have heard that IPSec does not like load sharing and it either may not work, or will just prefer one link and not share the two links.

I need clarification as I have heard both sides, one saying that it will load share, and the other saying it won't.

If I'm not able to, would terminating the IPSec tunnels behind the router solve anything?

Theoretically, I can't see why this would not work.

Thanks.

cjacinto · ‎05-18-2002

Normally what I do in this scenario is form a gre tunnel between the ipsec peers, and then ipsec protect it. The gre tunnel source and destination is based on the routers loopbacks. The route to the peer loopback is thru the

the 2 T1 lines, either by static route or thru some routing protocol. Then enable

per packet load sharing on the t1 interfaces. So the ipsec traffic actually gets

load balanced across the 2 T1 links.

engel · ‎05-21-2002

Hi,

I am really interesting with this scenario, any information that this solution has been proved on the field ? Definitely as soon as I have time, will test this on the lab for performance, caveats, etc.

Appreciate for any insight

cjacinto · ‎05-22-2002

I've got the same scenario running on one of my customer sites. You also have to take into account if your ISP is able to do per packet load sharing, so

you have load sharing inbound as well. The config I have suggested would give you an outbound load sharing.

stakano · ‎05-24-2002

Thanks. The ISP is not doing per packet load balancing.