IPsec license usage calculation

Last modified on 14 Apr, 2021. Revision 9
A description and some examples of how the number of IPsec tunnels and their use is calculated towards the license.
Up to date for: 13.00.10
Supported since: 11.00.00
Status: OK
Author: Peter Nilsson

Description

The cOS Core VPN license check for IPsec tunnels is matched against the number of IPsec tunnels configured, the number of IKE SAs or the number of IPsec SAs. Whichever of the three has the highest value is matched against the license.

One way to check which of the three has the highest value is to use the following CLI commands:

  • IKE
  • IPsec
  • IKE -tunnels

The output with the most entries is what is matched against the license. This means that, depending on how the IPsec tunnel(s) are configured, there is a chance that we get close to the license limit. A few examples:

Scenario-1:
5 IPsec tunnels configured, one network defined as local and one as remote network on all of them, all tunnels are established.
License parameters used: 5

Scenario-2:
5 IPsec tunnels configured, one network defined as local and one as remote network on all of them. None of the tunnels are established/active.
License parameters used: 5

Scenario-3:
1 IPsec tunnel configured, 5 networks configured as local and one network configured as remote, the tunnel is established and all network combinations are active.
License parameters used: 5

Scenario-4:
1 IPsec tunnel configured, 5 networks configured as local and 5 networks configured as remote, the tunnel is established and 2 local networks are established/mapped towards 3 remote networks.
License parameters used: 6

Scenario-5:
1 IPsec tunnel configured, 5 networks configured as local and 5 networks configured as remote, the tunnel is established and all network combinations are active.
License parameters used: 25

Scenario-6:
1 IPsec tunnel configured as a roadwarrior/roaming server, one network defined as local and one remote network (all-nets).
License parameters used: one per connected client. If a client negotiates multiple IPsec SAs based on the networks it wants to access, one client can consume multiple license parameters (this depends on how the client is configured).

Freeing up tunnels in the license

In case we run into a scenario where the license has hit its limit, one fairly easy way to lower the number of tunnels counted against the license is to combine networks into larger segments. So instead of using several /24 networks in a range, we combine them into one /16. Fewer negotiations and fewer IPsec SAs are then needed.
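The scenarios above and the network-merging advice can be worked through in a small model. This is an added example, not Clavister code or cOS Core output; it assumes, as the scenarios imply, that each established tunnel holds one IKE SA and each active local/remote network pair one IPsec SA, and the `Tunnel` class and sample networks are constructed for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_network, collapse_addresses
from itertools import product


@dataclass
class Tunnel:
    """One configured IPsec tunnel (constructed model, not cOS Core data)."""
    name: str
    local: list                       # local networks, e.g. "10.1.0.0/24"
    remote: list                      # remote networks
    established: bool = False         # IKE SA up?
    active: set = field(default_factory=set)  # (local, remote) pairs with an IPsec SA

    def activate(self, locals_=None, remotes=None):
        """Bring the tunnel up with IPsec SAs for the given (default: all) pairs."""
        self.established = True
        self.active |= set(product(locals_ or self.local, remotes or self.remote))
        return self


def license_usage(tunnels):
    """Return (configured, ike_sas, ipsec_sas, usage); usage is the highest value."""
    configured = len(tunnels)
    ike_sas = sum(1 for t in tunnels if t.established)
    ipsec_sas = sum(len(t.active) for t in tunnels)
    return configured, ike_sas, ipsec_sas, max(configured, ike_sas, ipsec_sas)


def merged(nets):
    """Combine adjacent prefixes (e.g. four /24s into one /22) so fewer SAs are needed."""
    return [str(n) for n in collapse_addresses(ip_network(n) for n in nets)]


def sample_nets(prefix, count):
    """Constructed sample networks: prefix.0.0/24 .. prefix.(count-1).0/24."""
    return [f"{prefix}.{i}.0/24" for i in range(count)]


def scenarios():
    """Reproduce Scenario-2, -4 and -5 from the article, plus the merge effect."""
    s2 = [Tunnel(f"T{i}", sample_nets("10.1", 1), sample_nets("10.2", 1)) for i in range(5)]
    s4 = Tunnel("T", sample_nets("10.1", 5), sample_nets("10.2", 5))
    s4.activate(s4.local[:2], s4.remote[:3])          # 2 local x 3 remote mapped
    s5 = Tunnel("T", sample_nets("10.1", 5), sample_nets("10.2", 5)).activate()
    big = Tunnel("T", sample_nets("10.1", 4), sample_nets("10.2", 4)).activate()
    small = Tunnel("T", merged(big.local), merged(big.remote)).activate()
    return {
        "scenario2": license_usage(s2)[3],           # 5 configured, none up
        "scenario4": license_usage([s4])[3],         # 6 IPsec SAs
        "scenario5": license_usage([s5])[3],         # 25 IPsec SAs
        "before_merge": license_usage([big])[3],     # 16 IPsec SAs (4 x 4)
        "after_merge": license_usage([small])[3],    # 1 IPsec SA (/22 to /22)
    }
```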

A very common way to configure tunnels with many networks is to define them as “all-nets”. We still control with routing and rules what is allowed to/from the tunnel(s). As long as rules and routing are correctly configured, the security impact is kept to a minimum. This also has the advantage that there are fewer tunnel re-keys and less chance of a network “hiccup” when those operations are performed. There are however some pitfalls when configuring tunnels like this; please see the Clavister Cookbook Recipe 2.6 and the subsection called “Alternative IPsec tunnel network definition using all-nets” for more details.

https://www.clavister.com/services/resources/configuration-cookbooks/

Question: This has been working fine until recently, and I have not made any changes in my configuration. Why did this problem suddenly start now?

Answer:

The reason it worked before is most likely that we were already close to the limit of the license. Additional VPN clients may have started connecting to the firewall, or a network combination that was previously not active may have come into use, which caused the license limit to be exceeded.

Question: I failed to deploy my new configuration with a message about “Allow IPsec rules reached”. Is this the same problem, that the license has been exceeded?

Answer:

Yes, most likely this is the same problem, that the license has been exceeded. An example of how a failed configuration deployment can look when this is the case:

IPsec configuration failed with error: "Maximum number of allowed IPsec rules reached. 
Failed to create outbound rule." for tunnel: "IPsec_To_Stockholm"
