I'm in a task to configure an S2S VPN using traffic selectors and proxy IDs on almost 10 firewalls.
The customer is asking me to deploy almost 100 traffic selectors and almost 100 proxy-IDs in a specific site-to-site VPN.
I suggested summarizing the traffic selectors and proxy-IDs into one line each, as below:
set security ipsec vpn VPN-A traffic-selector VPN-10 local-ip 10.20.20.0/24 remote-ip 10.30.30.0/24
set security ipsec vpn VPN-B ike proxy-identity local 10.120.120.0/24 remote 10.130.130.0/24
However, the customer doesn't want to do this, because they say that this is one more security layer.
So, now I'm concerned with the HIGH CPU utilization, and the impact that using almost 100 traffic selectors and 100 proxy-IDs would have on the performance of the firewall. Please, could you help me?
In general I agree with the point that it's a bit over-engineered to have individual traffic-selectors per IP for security. Then you should ensure e.g. TLS on the traffic on top of IPsec, as the individual SAs are generated from the same IPsec configuration.
That said... depending on your platform it should not break your device - even an SRX240 can handle more than 1000 active tunnels/SA pairs, so it can handle it. It will of course generate high CPU utilization during rekeying of the SA pairs, but if it could be done based on traffic amount instead of fixed expiry times, you could spread out the rekeying a bit instead of 100 SAs done at the same time.
Which SRX platform and how many existing tunnels and throughput in general are the gateway handling?
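As an added illustration (not code from this thread or from Juniper), the script below takes a list of local/remote prefix pairs, emits one Junos traffic-selector per pair (each of which becomes its own SA pair), and computes the single covering prefix the summarized alternative would use, together with how many addresses that summary admits beyond the listed prefixes. The prefix pairs and VPN name are constructed sample values; the Junos `set security ipsec vpn ... traffic-selector` syntax is assumed from the question above.

```python
import ipaddress

# Constructed sample input: a few of the ~100 local/remote prefix pairs the
# customer wants as individual traffic selectors (not real customer data).
PAIRS = [
    ("10.20.20.0/26", "10.30.30.0/26"),
    ("10.20.20.64/26", "10.30.30.64/26"),
    ("10.20.20.128/26", "10.30.30.128/26"),
    ("10.20.20.192/26", "10.30.30.192/26"),
]


def traffic_selector_lines(vpn, pairs):
    """One Junos traffic-selector per pair; each one negotiates its own IPsec SA pair."""
    return [
        f"set security ipsec vpn {vpn} traffic-selector TS-{i} local-ip {loc} remote-ip {rem}"
        for i, (loc, rem) in enumerate(pairs, start=1)
    ]


def covering_prefix(prefixes):
    """Smallest single prefix that contains every prefix in the list."""
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]
    net = nets[0]
    while not all(n.subnet_of(net) for n in nets):
        net = net.supernet()  # widen by one bit until everything fits
    return net


def overreach(prefixes):
    """Addresses inside the covering prefix that are NOT in any listed prefix.

    This is the precision the customer gives up by summarizing: a non-zero
    value means the single selector also matches hosts nobody asked for."""
    covered = sum(n.num_addresses for n in
                  ipaddress.collapse_addresses(ipaddress.ip_network(p) for p in prefixes))
    return covering_prefix(prefixes).num_addresses - covered


def summarized_line(vpn, pairs):
    """The one-line alternative proposed in the question: a single SA pair."""
    loc = covering_prefix([p[0] for p in pairs])
    rem = covering_prefix([p[1] for p in pairs])
    return f"set security ipsec vpn {vpn} traffic-selector TS-ALL local-ip {loc} remote-ip {rem}"


if __name__ == "__main__":
    lines = traffic_selector_lines("VPN-A", PAIRS)
    print("\n".join(lines))
    print(f"# {len(lines)} selectors -> {len(lines)} SA pairs to rekey")
    print(summarized_line("VPN-A", PAIRS), "# 1 SA pair")
    print(f"# extra local addresses admitted by summary: {overreach([p[0] for p in PAIRS])}")
```

Running it on the real list shows both the SA-pair count the gateway will rekey and whether the summary actually widens the match (here the four /26s tile the /24 exactly, so overreach is 0).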
Thanks a lot for your answer. Sorry for the delay.
I'm using an SRX1400; this customer uses application control and intrusion prevention also.