VPN / SDWAN On-Ramp — primer
Help Center primer for the VPN tunnel termination + Cloud On-Ramp engine. Pairs with ADR 0023 and the SDWAN scaffolds in pkg/test-plan/.
What it tests
Modern NGFW deployments terminate tunnels in three distinct flavours:
- Site-to-site IPSec — classic branch-office posture, IKEv2 / ESP, BGP-over-IPSec for route exchange
- Cloud On-Ramp / DIA — branch directly to cloud SaaS via per-session paths, inspected at the branch NGFW
- GRE + WireGuard — emerging WireGuard adoption, GRE for legacy overlay deployments
This engine spins up VyOS pods on the vpn-remote VLAN, negotiates tunnels against the DUT, drives inside-tunnel traffic through the primary L7 + programmable-load engines, and measures:
- Tunnel establishment time (T₅₀ / T₉₅ / T₉₉)
- Per-tunnel SA rekey cost under load
- Maximum concurrent tunnels until the DUT's IKE daemon backs off
- Inside-tunnel throughput delta vs outside-tunnel baseline
Three-axis configuration
| Axis | Options |
|---|---|
| protocol | ipsec-ikev2 / dia-onramp (default) / wireguard / gre |
| tunnel_count | 10 / 50 / 100 (default) / 500 / 1000 / vendor-max |
| rekey_under_load | off / on (default) |
The dashboard pre-validates (SKU, protocol, tunnel_count) against the DUT catalog (Cisco FTD MVP for IPSec is locked per ADR 0010).
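The pre-validation step above, written out as an added Go example (not the dashboard's own code): it fills in the axis defaults from the table, resolves vendor-max from the catalog's IKE / SA claim, and rejects a protocol the SKU does not support or a tunnel_count that is not an axis value. The SKU names and limits in exampleCatalog are constructed placeholders, and rejecting a tunnel_count above the catalog claim is this example's own choice.

```go
package main

import (
	"fmt"
	"strconv"
)

// dutCatalogEntry is one DUT SKU's capacity claim. The SKU names and limits
// in exampleCatalog are constructed placeholders for this example, not values
// from any vendor's catalog.
type dutCatalogEntry struct {
	Protocols  map[string]bool // tunnel flavours the SKU supports
	MaxTunnels int             // vendor IKE / SA capacity claim
}

var exampleCatalog = map[string]dutCatalogEntry{
	"example-ngfw-small": {
		Protocols:  map[string]bool{"ipsec-ikev2": true, "dia-onramp": true},
		MaxTunnels: 200,
	},
	"example-ngfw-large": {
		Protocols:  map[string]bool{"ipsec-ikev2": true, "dia-onramp": true, "wireguard": true, "gre": true},
		MaxTunnels: 2000,
	},
}

// RunConfig is the three-axis configuration after validation.
type RunConfig struct {
	SKU            string
	Protocol       string
	TunnelCount    int
	RekeyUnderLoad bool
}

// Axis values exactly as the primer's table lists them.
var allowedProtocols = map[string]bool{"ipsec-ikev2": true, "dia-onramp": true, "wireguard": true, "gre": true}
var allowedTunnelCounts = map[int]bool{10: true, 50: true, 100: true, 500: true, 1000: true}

// ValidateRun applies the defaults (dia-onramp, 100 tunnels, rekey on),
// resolves "vendor-max" from the catalog claim, and rejects combinations the
// SKU cannot support. An empty string on any axis means "use the default".
// Rejecting a tunnel_count above the catalog claim is this example's choice.
func ValidateRun(catalog map[string]dutCatalogEntry, sku, protocol, tunnelCount, rekey string) (RunConfig, error) {
	entry, ok := catalog[sku]
	if !ok {
		return RunConfig{}, fmt.Errorf("unknown SKU %q", sku)
	}
	if protocol == "" {
		protocol = "dia-onramp"
	}
	if !allowedProtocols[protocol] {
		return RunConfig{}, fmt.Errorf("protocol %q is not a valid axis value", protocol)
	}
	if !entry.Protocols[protocol] {
		return RunConfig{}, fmt.Errorf("SKU %q does not support %s", sku, protocol)
	}
	var count int
	switch tunnelCount {
	case "":
		count = 100
	case "vendor-max":
		count = entry.MaxTunnels
	default:
		n, err := strconv.Atoi(tunnelCount)
		if err != nil || !allowedTunnelCounts[n] {
			return RunConfig{}, fmt.Errorf("tunnel_count %q is not a valid axis value", tunnelCount)
		}
		count = n
	}
	if count > entry.MaxTunnels {
		return RunConfig{}, fmt.Errorf("tunnel_count %d exceeds catalog claim %d for %s", count, entry.MaxTunnels, sku)
	}
	var rekeyOn bool
	switch rekey {
	case "", "on":
		rekeyOn = true
	case "off":
		rekeyOn = false
	default:
		return RunConfig{}, fmt.Errorf("rekey_under_load %q must be on or off", rekey)
	}
	return RunConfig{SKU: sku, Protocol: protocol, TunnelCount: count, RekeyUnderLoad: rekeyOn}, nil
}

func main() {
	cfg, err := ValidateRun(exampleCatalog, "example-ngfw-small", "", "vendor-max", "")
	fmt.Println(cfg, err) // {example-ngfw-small dia-onramp 200 true} <nil>
	_, err = ValidateRun(exampleCatalog, "example-ngfw-small", "wireguard", "50", "on")
	fmt.Println(err) // SKU "example-ngfw-small" does not support wireguard
}
```

Validating before the VyOS pods are scheduled keeps a mistyped axis value from showing up later as a run where every tunnel "failed to establish" for a configuration reason rather than a DUT one.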
Layered vs standalone
- Standalone: test_kind = sdwan-cor. Pure tunnel stress — inside traffic is clean (RFC 2544 + RFC 6349) so the result isolates the tunnel cost.
- Layered: enable the sdwan_layered modifier on any other test to run the same workload inside N tunnels — this measures the inspection cost of decrypted, post-IPSec, post-NAT traffic.
Reading the report
Each VPN/SDWAN run adds an "Annex L (VPN)" block:
- DUT → vendor IKE / SA capacity claim
- Run config → 3 axes
- Establishment → T₅₀/T₉₅/T₉₉ tunnel-up
- Rekey → rekey-under-load p95 cost
- Inside-traffic → delta vs outside baseline (the headline number for the buyer comparing site-to-site vs cloud-on-ramp inspection cost)
- Failure → tunnels that didn't establish, with vendor IKE log fragment when available
Common patterns
| Symptom | Likely cause |
|---|---|
| Rekey causes per-tunnel TLS reset storm | DUT serialises rekey + decrypt on same CPU; capture for sales |
| Tunnel count plateaus far below vendor claim | DUT IKE daemon CPU saturated; vendor scale was lab-only |
| Inside delta > 30% vs outside | DUT inspection inside IPSec is slow path; major buyer signal |
| DIA paths flap during rekey | Cloud endpoint mTLS handshake racing with tunnel rekey |
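How the Annex L figures in "Reading the report" are derived from per-tunnel results, and how two of the rows in the table above can be flagged from them, as an added Go example that is not the engine's own report code. The TunnelResult and AnnexL types, the nearest-rank percentile method, and the "far below vendor claim" threshold (fewer than half of the claimed tunnels establishing) are this example's assumptions; the 30% delta threshold is the table's own figure. The ten-tunnel run in SampleResults is constructed data.

```go
package main

import (
	"fmt"
	"math"
	"sort"
	"strings"
)

// TunnelResult is one tunnel's outcome from a run. The field names are this
// example's own, not the engine's report schema.
type TunnelResult struct {
	ID          int
	Established bool
	EstablishMs float64 // time to tunnel-up; unused when !Established
	RekeyCostMs float64 // added latency observed during rekey-under-load
	IKELog      string  // vendor IKE log fragment, empty when unavailable
}

// AnnexL holds the per-run figures the report block lists.
type AnnexL struct {
	Established    int
	T50, T95, T99  float64 // tunnel-up percentiles, ms
	RekeyP95       float64 // rekey-under-load p95 cost, ms
	InsideDeltaPct float64 // throughput loss inside the tunnel vs outside baseline
	Failed         []TunnelResult
	Patterns       []string // "Common patterns" rows the numbers match
}

// percentile returns the nearest-rank percentile of an ascending-sorted slice.
func percentile(sorted []float64, p float64) float64 {
	if len(sorted) == 0 {
		return math.NaN()
	}
	rank := int(math.Ceil(p/100*float64(len(sorted)))) - 1
	if rank < 0 {
		rank = 0
	}
	return sorted[rank]
}

// BuildAnnexL computes the annex from per-tunnel results plus the inside and
// outside throughput measurements. claimedTunnels is the vendor IKE / SA claim.
func BuildAnnexL(results []TunnelResult, insideMbps, outsideMbps float64, claimedTunnels int) AnnexL {
	var est, rekey []float64
	annex := AnnexL{}
	for _, r := range results {
		if !r.Established {
			annex.Failed = append(annex.Failed, r) // keeps the IKE fragment for the report
			continue
		}
		est = append(est, r.EstablishMs)
		rekey = append(rekey, r.RekeyCostMs)
	}
	sort.Float64s(est)
	sort.Float64s(rekey)
	annex.Established = len(est)
	annex.T50, annex.T95, annex.T99 = percentile(est, 50), percentile(est, 95), percentile(est, 99)
	annex.RekeyP95 = percentile(rekey, 95)
	if outsideMbps > 0 {
		annex.InsideDeltaPct = (outsideMbps - insideMbps) / outsideMbps * 100
	}
	if annex.InsideDeltaPct > 30 { // threshold from the Common patterns table
		annex.Patterns = append(annex.Patterns, "inside delta > 30% vs outside: DUT inspection inside IPSec is slow path")
	}
	if claimedTunnels > 0 && annex.Established*2 < claimedTunnels { // example's own "far below" threshold
		annex.Patterns = append(annex.Patterns, "tunnel count plateaus far below vendor claim: IKE daemon CPU saturated?")
	}
	return annex
}

// HasPattern reports whether a flagged pattern starts with prefix.
func (a AnnexL) HasPattern(prefix string) bool {
	for _, p := range a.Patterns {
		if strings.HasPrefix(p, prefix) {
			return true
		}
	}
	return false
}

// SampleResults is a constructed ten-tunnel run: nine tunnels up (one slow
// outlier), one failure carrying a placeholder IKE log fragment.
func SampleResults() []TunnelResult {
	ms := []float64{120, 180, 140, 900, 160, 130, 190, 150, 170}
	rk := []float64{5, 11, 7, 40, 9, 6, 12, 8, 10}
	var out []TunnelResult
	for i := range ms {
		out = append(out, TunnelResult{ID: i + 1, Established: true, EstablishMs: ms[i], RekeyCostMs: rk[i]})
	}
	return append(out, TunnelResult{ID: 10, IKELog: "<placeholder IKE_SA_INIT retransmit timeout>"})
}

func main() {
	a := BuildAnnexL(SampleResults(), 650, 1000, 20)
	fmt.Printf("established=%d T50=%.0fms T95=%.0fms T99=%.0fms rekeyP95=%.0fms insideDelta=%.1f%%\n",
		a.Established, a.T50, a.T95, a.T99, a.RekeyP95, a.InsideDeltaPct)
	for _, f := range a.Failed {
		fmt.Printf("failed tunnel %d: %s\n", f.ID, f.IKELog)
	}
	for _, p := range a.Patterns {
		fmt.Println("pattern:", p)
	}
}
```

With the constructed data, one slow tunnel at 900 ms drags T95 and T99 while T50 stays at 160 ms, which is why the annex reports all three rather than an average; the failed tunnel is listed with its log fragment instead of being silently dropped from the percentiles.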
Related
- ADR 0023 — cloud endpoint
- pkg/test-plan/ — sdwan-cor test kind
- STRESS_ENGINES_CATALOG — engine matrix
- Cloud Endpoint primer: cloud-endpoint-service
Last verified against shipping code: v3.7.0 (2026-05-12).