
Re: redundancy





Matt Field wrote:

> Hi,
>
> Can anyone illustrate if and how ipsec could handle multiple ipsec
> gateways to a single network.  I have come across the following
> scenario:
>
> ----------------------------------------- Network 1
>               |
>               | D
>         --------------
>         |        |
>         |        |
>         A        B
>         |        |
>         |        |
>         \       /
>           \        /
>             \    /
>               C
>                |
> ----------------------------------------- Network 2
>
> Network 1 has D which is a Front End Processor (FEP) that performs some
> kind of load balancing that may route packets either through ipsec
> gateways A or B.  C is an ipsec gateway on a remote network.  The
> problem is, if tunnels are created between gateways A-C and B-C, then
> when C receives a packet from Network 2 for network 1, how does it
> determine which SA to use since the destination address is behind both
> gateways?
>
> My guess is that this is an implementation detail and outside the scope
> of IPSEC but any thoughts on this would be useful.

A good solution would be to add one more load balancer on the other end of
A and B too.
When you are using this type of solution, unless the load balancers
talk to each other, you can have only IP address based IPSEC policies.

>
>
> regards,
>
> Matt Field

Regards
Srini
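
An added illustration of the question in this thread, not code from either poster: a model of gateway C, assuming an RFC 2401-style ordered, first-match policy database with destination-prefix selectors. All addresses and SPIs are constructed. Inbound traffic from A and B is unambiguous because each SA has its own SPI, while outbound traffic to Network 1 always hits the first matching entry, so the second tunnel is never selected.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class SPDEntry:
    dst_net: ipaddress.IPv4Network  # selector: destination prefix
    peer: str                       # remote tunnel endpoint (gateway A or B)
    spi: int                        # SPI of the outbound SA to that peer

# Constructed addressing: Network 1 = 10.1.0.0/16, A = 192.0.2.1, B = 192.0.2.2
NETWORK_1 = ipaddress.ip_network("10.1.0.0/16")
SPD_AT_C = [
    SPDEntry(NETWORK_1, "192.0.2.1", 0x1001),  # tunnel C -> A
    SPDEntry(NETWORK_1, "192.0.2.2", 0x2001),  # tunnel C -> B
]

def outbound_lookup(spd, dst):
    """Ordered, first-match lookup: the entry C uses for a packet to dst."""
    addr = ipaddress.ip_address(dst)
    for entry in spd:
        if addr in entry.dst_net:
            return entry
    return None

def shadowed_entries(spd):
    """Entries that can never match: an earlier entry covers their selector."""
    shadowed = []
    for i, entry in enumerate(spd):
        if any(entry.dst_net.subnet_of(prev.dst_net) for prev in spd[:i]):
            shadowed.append(entry)
    return shadowed

# Inbound SAs at C (constructed address 198.51.100.1), keyed by
# (SPI, destination, protocol) as in RFC 2401.
INBOUND_SAD_AT_C = {
    (0x3001, "198.51.100.1", "esp"): "from A",
    (0x3002, "198.51.100.1", "esp"): "from B",
}

def inbound_lookup(sad, spi, dst, proto="esp"):
    """Inbound packets name their SA explicitly, so A and B never collide."""
    return sad.get((spi, dst, proto))

if __name__ == "__main__":
    print("outbound to 10.1.5.9 uses peer", outbound_lookup(SPD_AT_C, "10.1.5.9").peer)
    print("never selected:", [e.peer for e in shadowed_entries(SPD_AT_C)])
```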