
RE: Ipsec load balancing devices - UDP-ESP impact



It doesn't support fail-over, unless you're using something like our device
which maintains "state" between two active VPN gateways. As far as I know
we're the only vendor doing this: Fully Meshed, Active Active with
session & SA mirroring between 2 active devices for stateful failover.

-----Original Message-----
From: jshukla [mailto:jshukla@earthlink.net]
Sent: Friday, August 24, 2001 9:21 AM
To: Jay Ratford; 'William Dixon'; ipsec@lists.tislabs.com; Ari Huttunen
Subject: Re: Ipsec load balancing devices - UDP-ESP impact


how does the load balancing work when one of
the VPN gateways dies?

regards,
Jayant

----- Original Message -----
From: "Jay Ratford" <Jratford@netscreen.com>
To: "'William Dixon'" <wdixon@windows.microsoft.com>; "jshukla"
<jshukla@earthlink.net>; <ipsec@lists.tislabs.com>; "Ari Huttunen"
<Ari.Huttunen@F-Secure.com>
Sent: Friday, August 24, 2001 8:32 AM
Subject: RE: Ipsec load balancing devices - UDP-ESP impact


> Alteon (now Nortel) devices perform NAT and NAPT, but not in default
> configurations.  They also have a "VPN Load-Balancing" solution to load
> balance your VPN Gateways - It does keep some kind of state, specifically
> how I'm not sure.
>
>
>
> -----Original Message-----
> From: William Dixon [mailto:wdixon@windows.microsoft.com]
> Sent: Thursday, August 23, 2001 8:11 PM
> To: jshukla; ipsec@lists.tislabs.com; Ari Huttunen
> Subject: Ipsec load balancing devices - UDP-ESP impact
>
>
> Jayant, I've checked around on the popular load balancing product web
> sites.  But the details are often not available, or buried in technical docs
> that require a customer account to access.
>
> Does anyone know of any products that do NAT or "VLAN" translation and
> specifically provide mapping support for IPSec "sessions", that is,
> devices that aren't already IPSec gateways and terminating IPSec before
> they do NAT?
>
> I'd like to know if they do something more than maintain source IP-based
> mappings, like cookie-pair-SPI tracking or something.
>
> In any case, combining IKE & ESP in the same UDP port 500 encapsulation
> makes the task easier by having to track only one UDP src/dst pair - vs.
> IPSec ESP inbound and outbound SPIs, in addition to the IKE traffic, or
> in addition to another critically related UDP src/dst port pair carrying
> ESP.
>
> Wm
> William Dixon
> Program Manager - Network Security, IPSec
> Windows Networking
>
> -----Original Message-----
> From: jshukla [mailto:jshukla@earthlink.net]
> Sent: Saturday, August 18, 2001 5:10 PM
> To: ipsec@lists.tislabs.com; Ari Huttunen
> Subject: Re: draft-ietf-ipsec-udp-encaps-00: non-500 ESP encap, 32bits
> of , i-cookie=0
>
>
>
> ----- Original Message -----
> From: "Ari Huttunen" <Ari.Huttunen@F-Secure.com>
> >
> > At the Helsinki bakeoff there were seven implementations of the latest
> drafts,
> > including us. Additional three had implementations of some earlier
> > draft. This would be a good time for someone to provide really solid
> > arguments against using just one port, if such arguments exist. Like,
> > statistical calculations of actual overhead. The firewall-argument
> > doesn't cut it, it
>
> Have you guys considered how network based load-balancing
> will work in your approach? This is a general question regarding your
> approach; not using the IKE port for ESP will not exactly help.
>
> regards,
> Jayant
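
The single-UDP-pair argument made above, as an added example that is not from any poster on this thread: a toy flow classifier over constructed packets counts how many affinity-table entries a balancer needs for one client when ESP is native (IP protocol 50) versus carried inside the IKE UDP port 500 pair. Assumed: the encapsulated ESP payload is the plain ESP header (the marker bytes the draft uses to tell it apart from IKE are not modelled), and the balancer cannot parse IKE to learn which SPIs belong to which session.

```python
import struct

UDP, ESP, IKE_PORT = 17, 50, 500

def ipv4(proto, src, dst, payload):
    """Minimal IPv4 header (no options, checksum left zero) around payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst)
    return hdr + payload

def udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def flow_key(pkt):
    """Direction-independent key a balancer can derive without any IKE state.
    UDP: the unordered pair of (addr, port) endpoints, so both directions match.
    Native ESP: (src, dst, SPI); the reverse direction carries a different SPI,
    so it cannot be folded into the same entry without parsing IKE."""
    ihl = (pkt[0] & 0x0F) * 4
    proto, src, dst, l4 = pkt[9], pkt[12:16], pkt[16:20], pkt[ihl:]
    if proto == UDP:
        sport, dport = struct.unpack("!HH", l4[:4])
        return ("udp",) + tuple(sorted([(src, sport), (dst, dport)]))
    if proto == ESP:
        return ("esp", src, dst, struct.unpack("!I", l4[:4])[0])
    raise ValueError("not IKE/ESP traffic")

def entries_needed(packets):
    """Distinct affinity entries the balancer must keep for this traffic."""
    return len({flow_key(p) for p in packets})

# Constructed sample traffic: client 10.0.0.5 talking to VPN VIP 192.0.2.1.
C, V = bytes([10, 0, 0, 5]), bytes([192, 0, 2, 1])
IKE = b"\x11" * 8 + b"\x22" * 8                      # IKE header: initiator/responder cookies
ESP_IN, ESP_OUT = struct.pack("!I", 0x1111), struct.pack("!I", 0x2222)  # inbound/outbound SPIs
NATIVE = [                                           # IKE on UDP 500, ESP as IP protocol 50
    ipv4(UDP, C, V, udp(IKE_PORT, IKE_PORT, IKE)), ipv4(UDP, V, C, udp(IKE_PORT, IKE_PORT, IKE)),
    ipv4(ESP, C, V, ESP_IN + b"..."), ipv4(ESP, V, C, ESP_OUT + b"..."),
]
ONE_PORT = [                                         # ESP rides inside the IKE UDP pair
    ipv4(UDP, C, V, udp(IKE_PORT, IKE_PORT, IKE)), ipv4(UDP, V, C, udp(IKE_PORT, IKE_PORT, IKE)),
    ipv4(UDP, C, V, udp(IKE_PORT, IKE_PORT, ESP_IN + b"...")),
    ipv4(UDP, V, C, udp(IKE_PORT, IKE_PORT, ESP_OUT + b"...")),
]

if __name__ == "__main__":
    print("native ESP entries:", entries_needed(NATIVE))      # 3: IKE pair + two SPIs
    print("single-port entries:", entries_needed(ONE_PORT))   # 1: one UDP pair
```

With native ESP the two SPI entries can only be tied back to the IKE pair by source IP, which is exactly the source-IP-only mapping the thread is asking whether vendors go beyond.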

