
Re: High Availability and IPSec



At 15:28 22.8.2000 +0200, you wrote:
>
>
>Apologies if this is the wrong place to ask this...
>
>Does anyone know the action/impact of IPSec in a highly available
>environment.
>
>EG
>
>Scenario 1: Client (Win2K) connects to server (HP w/ ServiceGuard) using
>IPSec, network card in server fails, connections/IP Address get failed
>over to "backup" network card.
>
>Will the client cope with this? Or will something stop the connection from
>continuing? (Will it think it's someone trying to spoof the connection
>for example)
>

There should not be any problem at the client side. It shouldn't even notice.
I would expect such a fail-over system to deal with ARP problems.

>Scenario 2: Client connects to server, server dies, packages (Including IP
>address) fail over to another machine...
>
>Pretty much the same questions.
>

Well that _is_ a problem. From the client side, it looks just like
the server rebooted: The server forgot all IPsec SAs.
ARP could also be a problem.

If the client has a feature to detect dead tunnels, good.

If it does not, the client can't reach the server for the
remaining lifetime of the IPsec SA (phase 2). In this
case, phase 2 lifetimes should be small. Like 5 minutes.

J–rn
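
The following is an added example, not part of the original message: a toy Python model of Scenario 2 that counts how many seconds a client sends traffic into a phase 2 SA the standby node never had. The class names, the one-packet-per-second traffic, the probe mechanism and all timings are assumptions, and phase 1 (IKE) state is not modelled.

```python
import itertools

class Server:
    def __init__(self):
        self.sas = set()              # SPIs this node holds keys for
    def receive(self, spi):
        return spi in self.sas        # unknown SPI: packet is silently dropped

class Client:
    _spi = itertools.count(0x1000)    # constructed SPI values
    def __init__(self, lifetime, probe_interval=None, max_missed=3):
        self.lifetime = lifetime              # phase 2 SA lifetime in seconds
        self.probe_interval = probe_interval  # None: no dead-tunnel detection
        self.max_missed = max_missed
        self.spi, self.expires, self.missed = None, 0, 0
    def negotiate(self, server, now):
        self.spi = next(self._spi)
        server.sas.add(self.spi)      # both ends now share this SA
        self.expires = now + self.lifetime
        self.missed = 0
    def tick(self, server, now):
        """Send one packet at time `now`; return True if it was accepted."""
        if now >= self.expires:
            self.negotiate(server, now)       # ordinary rekey at SA expiry
        ok = server.receive(self.spi)
        if self.probe_interval and now % self.probe_interval == 0:
            self.missed = 0 if ok else self.missed + 1
            if self.missed >= self.max_missed:
                self.negotiate(server, now)   # tunnel declared dead, rebuild
                ok = server.receive(self.spi)
        return ok

def outage_seconds(lifetime, failover_at, probe_interval=None, horizon=40000):
    """Seconds of lost traffic when the IP address moves to a node with no SAs."""
    primary, standby = Server(), Server()
    client = Client(lifetime, probe_interval)
    client.negotiate(primary, 0)
    lost = 0
    for now in range(1, horizon):
        server = primary if now < failover_at else standby
        if not client.tick(server, now):
            lost += 1
    return lost

if __name__ == "__main__":
    print("8 h lifetime, no detection:  ", outage_seconds(28800, 700))
    print("5 min lifetime, no detection:", outage_seconds(300, 700))
    print("8 h lifetime, 10 s probes:   ", outage_seconds(28800, 700, 10))
```

Without detection the outage is bounded by the remaining SA lifetime at the moment of failover, which is why the short phase 2 lifetime matters only for clients that cannot detect a dead tunnel.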

