VPNs and Multi-Link for SD-WAN

Using Multi-Link enhances the reliability of the VPN communications by ensuring the availability of network connections.

Forcepoint NGFW can balance the VPN traffic load between multiple network connections and redistribute traffic when a connection becomes unavailable. Using Multi-Link reduces the impact of traffic congestion and ISP connectivity failures on the VPN. Multi-Link is not a part of the IPsec standards.

Note: Multi-Link is only supported with Forcepoint NGFW gateways at both ends of the VPN tunnel. If an external gateway device allows configuring multiple VPN tunnels between two devices, you might still be able to use some Multi-Link features. Not all Multi-Link features are available with external gateway devices.

In a Multi-Link VPN configuration, the traffic can use one or several alternative tunnels to reach the same destination. Multi-Link guarantees that even if one or more tunnels fail, the VPN service continues as long as at least one tunnel is available.

You can use Multi-Link between two Forcepoint NGFW gateways when one or both gateways use multiple network connections. VPN traffic is balanced between the tunnels based on availability checks on each VPN tunnel. If one of the links fails or becomes congested, the VPN traffic is routed through the other tunnels.

The Stonesoft VPN Client can also use Multi-Link. If the ISP connection for one of the gateways fails, the client automatically connects to the next available NetLink.

The VPN links can be in three different modes: active, aggregate, or standby. If there are multiple links in active mode, traffic is dynamically balanced across the links. The balancing decision can be based on a performance measurement or based on the links’ relative bandwidths. In active mode, a single connection uses one of the active links at a time. With multiple connections, all links are used. If there are multiple links in aggregate mode, each connection is balanced on a packet-by-packet basis between all aggregate links in round robin fashion. Standby tunnels are used only if all active or aggregate tunnels become unavailable. Individual tunnels can also be disabled so that they are never used in the VPN.

Note: Aggregate mode in a Multi-Link VPN is likely to cause packet reordering due to different latencies of different links. Packet reordering can decrease performance if the TCP stacks of the connection endpoints do not handle reordering well. Use Active mode instead.
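The following is an added illustrative model of the tunnel-selection rules described above (per-connection balancing in active mode, per-packet round robin in aggregate mode, standby used only when nothing else is up, and the packet reordering that the note warns about). It is not Forcepoint NGFW code, and the class and function names, the crc32-based hashing and the assumption that the standby fallback balances per connection like active mode are all assumptions made to keep the model deterministic and self-contained:

```python
"""Illustrative model of Multi-Link VPN tunnel selection.

Added example, NOT Forcepoint NGFW code. Names, the `balance` option and the
crc32-based hashing are assumptions chosen so the model runs offline and
deterministically.
"""
from dataclasses import dataclass
from zlib import crc32


@dataclass
class Tunnel:
    name: str
    mode: str            # "active", "aggregate", "standby" or "disabled"
    bandwidth: int = 1   # relative weight for bandwidth-based balancing
    rtt_ms: float = 0.0  # measured latency for performance-based balancing
    up: bool = True      # outcome of the availability check on this tunnel


class MultiLinkVpn:
    def __init__(self, tunnels, balance="bandwidth"):
        self.tunnels = tunnels
        self.balance = balance   # "bandwidth" or "performance" (assumed option names)
        self.assigned = {}       # conn_id -> Tunnel, gives active-mode stickiness

    def usable(self):
        """Active/aggregate tunnels that are up; standby tunnels only when none of those is up."""
        primary = [t for t in self.tunnels if t.up and t.mode in ("active", "aggregate")]
        if primary:
            return primary
        return [t for t in self.tunnels if t.up and t.mode == "standby"]  # "disabled" is never used

    def _pick_for_connection(self, conn_id, candidates):
        if self.balance == "performance":
            return min(candidates, key=lambda t: t.rtt_ms)  # best measured link wins
        # Bandwidth-based: hash the connection onto the cumulative bandwidth range, so the
        # share of connections per tunnel follows the tunnels' relative bandwidths.
        total = sum(t.bandwidth for t in candidates)
        point = crc32(conn_id.encode()) % total
        for t in candidates:
            if point < t.bandwidth:
                return t
            point -= t.bandwidth
        return candidates[-1]

    def pick(self, conn_id, packet_no):
        """Tunnel for packet `packet_no` of connection `conn_id`."""
        candidates = self.usable()
        if not candidates:
            raise RuntimeError("no VPN tunnel available for %s" % conn_id)
        aggregate = [t for t in candidates if t.mode == "aggregate"]
        if aggregate:
            # Aggregate mode: every packet of the connection rotates over the aggregate links.
            return aggregate[packet_no % len(aggregate)]
        # Active mode (and, as assumed here, the standby fallback): a connection sticks to
        # one tunnel and is only moved when that tunnel fails its availability check.
        current = self.assigned.get(conn_id)
        if current is None or current not in candidates:
            current = self._pick_for_connection(conn_id, candidates)
            self.assigned[conn_id] = current
        return current


def aggregate_arrival_order(packet_count, latencies_ms, interval_ms=1.0):
    """Arrival order of one connection's packets sent round robin over links with the
    given one-way latencies; unequal latencies make packets arrive out of sequence."""
    sends = []
    for seq in range(packet_count):
        link = seq % len(latencies_ms)
        sends.append((seq * interval_ms + latencies_ms[link], seq))
    return [seq for _, seq in sorted(sends)]


if __name__ == "__main__":
    # Constructed scenario: two active tunnels via ISP 1, one standby tunnel via ISP 2.
    vpn = MultiLinkVpn([Tunnel("ISP-A to ISP-1", "active", bandwidth=100),
                        Tunnel("ISP-B to ISP-1", "active", bandwidth=50),
                        Tunnel("ISP-A to ISP-2", "standby")])
    print("conn-1 on", vpn.pick("conn-1", 0).name)
    for t in vpn.tunnels[:2]:
        t.up = False  # ISP 1 fails: only the standby tunnel remains
    print("conn-1 after ISP 1 failure on", vpn.pick("conn-1", 1).name)
    print("aggregate arrival order, 10 ms vs 40 ms links:", aggregate_arrival_order(6, [10, 40]))
```

Running the script shows a connection staying on one active tunnel, moving to the standby tunnel only once both active tunnels are marked down, and the aggregate-mode arrival order `[0, 2, 4, 1, 3, 5]` for a 10 ms and a 40 ms link, which is the reordering the note refers to.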

This illustration shows a Multi-Link VPN between two VPN Gateways that both have multiple ISP connections. In this configuration, ISP 2 at Gateway B acts as a backup connection for VPN traffic. The three tunnels (one from each ISP at Gateway A) with their endpoints in the ISP 2 network have been set to standby, so they are only used if ISP 1 at Gateway B fails. The standby setting is not tied to a particular ISP (NetLink): it is possible to set, for example, only the ISP A to ISP 2 tunnel to active mode while leaving the other tunnels to ISP 2 in standby mode.

Figure: Example of a Multi-Link VPN with standby tunnels