Understanding VPN connection types and load balance


#1

I want to check a few things about the VPN options for my HD4 to B380 secure networking as I find the manual somewhat confusing. Setup:

• All units are on 7.1.0 Firmware.
• I have one SF setup between the B380 and the HD4 across all the available HD4 Cell WANs to the B380 fixed line WAN.
• There are no VLANs
• Drop-in is not used
• There is no IPsec VPN set up
• The HD4 is set to “send all traffic” to B380 under Advanced->SF
• WAN smoothing is off.
• Outbound policy is set as below image with default set as Auto = Lowest Latency

• Multiple tunnels as per Outbound policies within a PepVPN or SpeedFusion tunnel not turned on.

Now:

  1. In the above scenario the SF controls which of the 4 active cell routes to send packets down and the outbound policies/load balance algorithms have no effect – correct?

  2. If I turn off the 256 encryptions for the PepVPN profile in question (both ends) then in theory if one of the 4 cell channels was accessed they would get part of the data packets that are on that channel which is of little use – correct?

  3. If I turn OFF the HD4 “send all traffic” to B380 under Advanced->SF then what controls the routing? If there is no other SF or IPsec VPN then does it still all go down the SF tunnel? If there were another SF or IPSec VPN what controls the routing?

  4. I am still not 100% clear what the difference is between the following and the mix available assuming the unit is licenced for all 3. I just want to be 100% sure on my case justification for using each – especially when it comes to load balance policies.
    a. SF connection
    b. PepVPN connection
    c. IPsec VPN connection

Thank you.


#2

Yes, the default outbound policy (HTTPS Persistence, Default “Auto”) has nothing to do with SpeedFusion traffic. The default policy only controls internet traffic from LAN to WANs.

Not sure about your question, but encryption enabled means traffic sent via the PepVPN/SpeedFusion tunnels will be encrypted.

Network A <----PepVPN/SpeedFusion -----> Network B

Without “send all traffic” enabled:

  • A & B are interconnected via PepVPN/SpeedFusion.
  • A's internet access is via the HD4 WANs

With “send all traffic” enabled:

  • A & B are interconnected via PepVPN/SpeedFusion.
  • A's internet access will be forced via the B380 WANs

Hope the above answers your question.

What do you mean by licensed for 3? Do you mean your device has the above features?

Basically, PepVPN and SF connection refer to the same thing.

PepVPN
Peplink proprietary & patented VPN technology, whether it’s bonding or not, can be named as PepVPN.

SpeedFusion
This actually means the bonding technology. Normally you will see PepVPN with SpeedFusion or SpeedFusion for bonding-capable models.

By default, outbound policy (load balance policies) has nothing to do with PepVPN/SpeedFusion and IPsec connections; it is more about load balancing LAN to WAN (Internet) traffic.

Outbound policy will only be considered if you want to control and send more traffic via PepVPN/SpeedFusion or you have multiple tunnels between 2 sites. This is well explained in “Outbound policies within a PepVPN or SpeedFusion tunnel”.


#3

Thank you for the update:

  1. Ok I get it.
  2. What I am getting at is this. If I turn off the AES 256 the traffic still runs in PepVPN/SF tunnels - are these in themselves encrypted? If yes, how does PepVPN/SF stack up to non-proprietary VPN technology? Why use both?
  3. OK. So in the case where the “send all traffic over SF” is off, how does the HD4 decide which of the 4 active cell circuits to use to access the internet - assuming all 4 are set with the same priority?
  4. When I say all 3 I mean the unit can use IPSEC/PEPVPN/SF.

#4

The VPN tunnel is IPSec, so if you have encryption on it’s encrypting it with 256 bit AES like any other IPSec VPN. If you disable the encryption then it’s just normal public internet traffic. You’d probably use encryption more so if you’re connecting 2 sites together with private internal data, vs if you’re just using SF to bond internet traffic then it may not be needed. You lose up to 20% of bandwidth due to overhead when you have encryption turned on.

When you’re sending all traffic over SF you’re basically bonding it, so the HD4 is using all 4 SIMs equally splitting the traffic over all of them as one large pipe.

The difference would be not sending all traffic over SF, then you go to Outbound Policy and that’s where you can say “Use SIM1 and 2 100% of the time with SIM3 and SIM4 50%” or things like “Send all VoIP traffic over SIM1 with Guest Wifi on SIM2” and so on.