Hey,
I have a few site-to-site IPsec VPN tunnels and I wanted to know if there is a way to limit the traffic for a specific tunnel. I want to limit the traffic to 2 Mbps on that specific tunnel.
Tom,
you can apply traffic shaping to a firewall rule (LAN to VPN) where, in the destination objects, you specify the IP or IP range of the remote VPN network. Of course, if you have multiple VPNs, create many different firewall rules with specific source/destination IPs (VPN-to-LAN and LAN-to-VPN firewall rules).
https://community.sophos.com/kb/en-us/123357
Regards
Tom,
remember to ask one question per thread. If the question is answered, mark "this helped me" so the thread is marked as completed.
IPS is resource-consuming, but it should be applied wherever possible. It depends on how you trust the other side of the tunnel. Apply an IPS policy based on the traffic that will pass through the tunnel; for example, select only the applications that will pass through it. Most of the time, admins create a site-to-site tunnel where the service is Any. This is not my case. I always pretend to know what the tunnel is for, and which protocols, users, etc. will need to be allowed. This is another vector for malware if the other side is not correctly protected or is breached.
Regards