IPSec Offload

How to offload IPSec functionality from NGFW/UTM

How to offload IPSec functionality from overloaded NGFW/UTM to dedicated VPN router.


Situation

We have one firewall (NGFW or UTM) that serves multiple security functions: AV, IPS, VPN etc. Because of high load we need to move some function to other box. This will stabilize performance and give us some time before hardware upgrade.
In this case we will move VPN to dedicated router.

To simplify, whole network (clients and servers) is presented as one object:


We need to attach VPN router to firewall:


But in real life it will be attached to switch using extra VLAN:


It would be great if we could use public IP address on new router. If we don't have free pool we can always use NAT to redirect traffic to VPN router. But in this situation we can have problems when connection to some VPN implementations (for example: Google Cloud)

Now we can use two possible scenarios: VRF seperation or policy based routing:


Policy based routing

In this scenario we need to add one or two extra VLANs. In first case IPSec and "real" traffic will be transfered in one VLAN. In second case IPSec traffic will travel in one VLAN and "real" traffic in second.


VPNs are terminated on routers interface connected to firewall. Here you can add second VLAN to separate IPSec and real traffic.
Traffic from VPN tunnel to local LAN will be routed to firewall where we can controll it. Traffic from local to remote site will also be inspected.
Everything looks fine, but traffic from one to second remote site will not pass firewall as everything is configured in one routing table. We can solve this issue by configuring policy based routing on VPN router. Force all traffic from VPN tunnels to firewall. We need to apply this policy to every VPN interface.

It's also a good idea to configure some dynamic routing protocol between VPN router and firewall.


Pros:
- Simplicity
- Easy to configure new VPN tunnels

Cons:
- No real separation
- Don't forget to add policy based routing



VRF

In this configuration we will have to add one VLAN for IPSec traffic and one VLAN for every VPN tunnel. This means that adding extra VPN you will require to add: new VLAN and loopback interface on VPN router, new interface on firewall, new vlan on swithc, new VRF domain, dynamic routing instance (optional). It looks complex.
As we will use VRF domains, every VPN tunnel will have to terminate on its own VRF domain.

Public IP (used for VPN tunnels) has to be configured on loopback address. One public IP = one loopback. Route for this IP has to be added on firewall. This IP can be used for multiple VPN tunnels. Loopback interface will belong to one vrf (for IPSec traffic only) but IPSec tunnel interface will belong to another one (for "real" traffic").


Pros:
- Real separation
- Traffic will be separated or it will not work at all
Cons:
- Complex configuration
- Adding new tunnel will require change on FW, switch and VPN router