VPNs and Multi-Link for SD-WAN
Using Multi-Link enhances the reliability of the VPN communications by ensuring the availability of network connections.
Forcepoint NGFW can balance the VPN traffic load between multiple network connections and redistribute traffic when a connection becomes unavailable. Using Multi-Link reduces the possibility of traffic congestion or ISP network connectivity failures. Multi-Link is not a part of the IPsec standards.
In a Multi-Link VPN configuration, the traffic can use one or several alternative tunnels to reach the same destination. Multi-Link guarantees that even if one or more tunnels fail, the VPN service continues as long as a tunnel is available.
You can use Multi-Link between two Forcepoint NGFW gateways when one or both gateways use multiple network connections. VPN traffic is balanced between the tunnels based on availability and performance checks on each VPN tunnel. If one of the links fails or becomes congested, the VPN traffic is routed through the other tunnels.
The Forcepoint VPN Client can also use Multi-Link. If the ISP connection for one of the gateway endpoints fails, the client automatically connects to the NetLink of the next available endpoint.
The VPN links can be in three different modes: active, aggregate, or standby. If there are multiple links in active mode, traffic is dynamically balanced across the links. The balancing decision can be based on a performance measurement or based on the links’ relative bandwidths. In active mode, a single connection uses one of the active links at a time. With multiple connections, all links are used. If there are multiple links in aggregate mode, each connection is balanced on a packet-by-packet basis between all aggregate links in round robin fashion. Standby tunnels are used only if all active or aggregate tunnels become unavailable. Individual tunnels can also be disabled so that they are never used in the VPN.
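To make the link-mode semantics above concrete, the following Python model is an added illustration, not Forcepoint code. It assumes a VPN combines either active or aggregate links with standby ones (not active with aggregate), balances active links by the number of connections per unit of relative bandwidth, and represents availability as a simple flag.

```python
from dataclasses import dataclass

@dataclass
class Link:
    name: str
    mode: str           # "active", "aggregate", "standby" or "disabled"
    bandwidth: int = 1  # relative bandwidth, weights active-mode balancing
    available: bool = True

class MultiLinkVpn:
    """Toy model of Multi-Link tunnel selection (assumption: a VPN mixes
    active or aggregate links with standby ones, never active with aggregate)."""

    def __init__(self, links):
        self.links = links
        self.assigned = {}  # active mode: connection id -> link name (sticky)

    def _up(self, *modes):
        return [l for l in self.links if l.mode in modes and l.available]

    def usable_links(self):
        """Standby links are used only when no active/aggregate link is up;
        disabled links are never returned."""
        return self._up("active", "aggregate") or self._up("standby")

    def select(self, conn_id, packet_no):
        """Tunnel carrying packet `packet_no` of connection `conn_id`,
        or None when no tunnel is available at all."""
        links = self.usable_links()
        if not links:
            return None
        if any(l.mode == "aggregate" for l in links):
            # aggregate: every packet is spread round robin over all links
            return links[packet_no % len(links)].name
        # active (or standby fallback): a connection sticks to one link and is
        # moved only when that link fails; new connections go to the link with
        # the fewest connections per unit of relative bandwidth (assumed rule)
        names = {l.name for l in links}
        if self.assigned.get(conn_id) not in names:
            load = {l.name: 0 for l in links}
            for name in self.assigned.values():
                if name in load:
                    load[name] += 1
            best = min(links, key=lambda l: load[l.name] / l.bandwidth)
            self.assigned[conn_id] = best.name
        return self.assigned[conn_id]

def failover_demo():
    """Constructed scenario: two active ISP links, one standby, one disabled."""
    vpn = MultiLinkVpn([Link("isp1", "active", bandwidth=2),
                        Link("isp2", "active", bandwidth=1),
                        Link("backup", "standby"), Link("old", "disabled")])
    first = [vpn.select(c, 0) for c in ("c1", "c2", "c3")]
    vpn.links[0].available = False          # isp1 fails: c1 moves to isp2
    after_fail = vpn.select("c1", 1)
    vpn.links[1].available = False          # all active links down: standby
    on_standby = vpn.select("c1", 2)
    vpn.links[2].available = False          # nothing left: VPN unavailable
    return first, after_fail, on_standby, vpn.select("c1", 3)
```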