Description:

This article describes special configuration parameters in LANCOM routers/Central Site Gateways with LCOS, which can be used to optimize the connection setup of VPN connections (IKEv2).

The default settings for the parameters described below are the recommended configuration settings. If you change these parameters, be sure to perform simulated failure tests to ensure that the connections still re-establish properly.

Notes regarding scaling:

An IKEv2 initiator has a backoff timer which ensures that the next connection setup (IKE_SA_INIT) does not start immediately after a failed attempt.

A backoff timer of 30 seconds plus or minus a random value between 0 and 10 seconds is applied after the following VPN errors. The timer does not increase after multiple failed connection attempts.

 ike_i_ike_key_mismatch
 ike_r_ike_key_mismatch
 ipsec_r_no_rule_matched_ids
 ipsec_i_no_proposal_matched
 ipsec_r_no_proposal_matched
 interface_i_connection_timeout_protocol
 interface_r_connection_timeout_protocol
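To make the backoff behaviour concrete for the simulated failure tests recommended above, here is a small Python model of it. This is an added example, not LCOS code: the trace line format (`<seconds> peer=<name> error=<code>`) is constructed for the example and does not match the real LCOS VPN status trace, and the peer names are invented. The error codes and timer values are the ones stated in this article.

```python
"""Model of the IKEv2 initiator backoff described above (added example, not LCOS code)."""
import random
import re
from typing import Iterable, Optional, Tuple

BACKOFF_BASE_S = 30    # article: 30 seconds ...
BACKOFF_JITTER_S = 10  # ... plus or minus a random value between 0 and 10 seconds

# Error codes the article lists as triggering the backoff timer.
BACKOFF_ERRORS = frozenset({
    "ike_i_ike_key_mismatch",
    "ike_r_ike_key_mismatch",
    "ipsec_r_no_rule_matched_ids",
    "ipsec_i_no_proposal_matched",
    "ipsec_r_no_proposal_matched",
    "interface_i_connection_timeout_protocol",
    "interface_r_connection_timeout_protocol",
})

# Constructed trace format for this example: "<seconds> peer=<name> error=<code>"
_LINE_RE = re.compile(r"^(?P<t>\d+)\s+peer=(?P<peer>\S+)\s+error=(?P<err>\S+)$")


def triggers_backoff(error_code: str) -> bool:
    """True if the article says this error starts the backoff timer."""
    return error_code in BACKOFF_ERRORS


def backoff_window(fail_time_s: float) -> Tuple[float, float]:
    """Earliest and latest time the next IKE_SA_INIT may start after a failure at fail_time_s."""
    return (fail_time_s + BACKOFF_BASE_S - BACKOFF_JITTER_S,
            fail_time_s + BACKOFF_BASE_S + BACKOFF_JITTER_S)


def draw_backoff_delay(rng: random.Random = random) -> float:
    """One randomized delay as the initiator would pick it (rng injectable for tests)."""
    return BACKOFF_BASE_S + rng.uniform(-BACKOFF_JITTER_S, BACKOFF_JITTER_S)


def worst_case_retry_span(attempts: int) -> float:
    """Longest time `attempts` consecutive failed setups can take.

    The timer does not grow with repeated failures, so the span is linear in the
    number of attempts rather than exponential; a failure test must therefore
    observe at least this long before concluding that a peer never retries.
    """
    return attempts * (BACKOFF_BASE_S + BACKOFF_JITTER_S)


def analyse_trace(lines: Iterable[str]) -> dict:
    """Group failures per peer and annotate each with its backoff status.

    Each record carries the retry window after that failure (None if the error
    does not trigger the backoff) and `early_retry`, which is True when the
    attempt happened before the previous failure's window opened, i.e. the
    initiator did not honour the backoff.
    """
    out: dict = {}
    last_window: dict = {}  # peer -> window set by the previous failure
    for line in lines:
        m = _LINE_RE.match(line.strip())
        if not m:
            continue  # not a failure record in the constructed format
        peer, t, err = m["peer"], int(m["t"]), m["err"]
        prev: Optional[Tuple[float, float]] = last_window.get(peer)
        rec = {
            "t": t,
            "error": err,
            "backoff": triggers_backoff(err),
            "retry_window": backoff_window(t) if triggers_backoff(err) else None,
            "early_retry": prev is not None and t < prev[0],
        }
        out.setdefault(peer, []).append(rec)
        if rec["retry_window"] is not None:
            last_window[peer] = rec["retry_window"]
    return out


# Constructed sample trace (peer names and timestamps invented for the example).
SAMPLE_TRACE = [
    "0 peer=BRANCH-01 error=ike_i_ike_key_mismatch",
    "5 peer=BRANCH-02 error=ipsec_i_no_proposal_matched",
    "7 peer=BRANCH-03 error=some_other_error",        # not in the list: no backoff
    "41 peer=BRANCH-01 error=ike_i_ike_key_mismatch",  # retry inside the 20..40 s window
]

if __name__ == "__main__":
    for peer, recs in analyse_trace(SAMPLE_TRACE).items():
        for r in recs:
            print(peer, r)
    print("worst case for 3 consecutive failures:", worst_case_retry_span(3), "s")
```

When checking a failing peer during a failure test, the useful number is `worst_case_retry_span(n)`: with the non-escalating timer, three consecutive failures can take at most 120 s, so a peer that shows no further IKE_SA_INIT after that has stopped retrying for another reason.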


Parameters for optimization:

Precalculation:

Depending on the encryption settings (Setup/VPN/IKEv2/Encryption/), one or more keys are precalculated (so-called precalculation) for each statically configured IKEv2 connection.

If additional keys are to be kept available, this can be changed in the CLI path Setup/VPN/Isakmp/DH-Groups/Group-Config/ by setting the parameter Precalc-Target to the desired value.

Calculating additional keys takes more CPU resources. Therefore this parameter has to be balanced against the value set for "Negotiation-Control".


Negotiation-Control:

The Negotiation-Control defines how many IKEv2 connections the IKEv2 responder can set up simultaneously.

If the parameter Negotiation-Control in the CLI path Setup/VPN/ is set from Normal to Medium or Fast, more connections can be set up simultaneously. With a larger number of VPN connections, this reduces the time until all connections are established.

Setting up a larger number of VPN connections simultaneously takes more CPU resources. Therefore this parameter has to be balanced against the value set for "Precalculation".


Backup-Delay:

The Backup-Delay defines the time in seconds until the VRRP router enters standby when the connected remote site (WAN or VPN) fails.

The value for the Backup-Delay can be modified in the CLI path Setup/WAN/Backup-Delay-Seconds. A higher value prevents unnecessary VRRP flapping with unstable connections. A lower value decreases the connection downtime.