
Re: Ipsec load balancing devices - UDP-ESP impact



You can have a look at Nokia VPN products, you'll see clustering, fail over and
such. I know we shouldn't be using IETF groups for advertising, but I'm answering
a question, guys!

http://www.nokia.com/vpn/nokiavpn.html

marc.

Dan Harkins wrote:

>   Actually you're not. There's another vendor out there that does
> dynamic load balancing and active session failover of IPsec and IKE SAs--
> fully meshed if so configured-- as well as PPTP and L2TP tunnels and BGP,
> OSPF, and RIP. (It was a great day when I failed the box who was currently
> assigned the workload of sucking down a full Internet routing table via
> BGP and watched the entire session-- including all the routing state and
> the TCP state-- failover to another node without a hitch). It's subsecond
> failover too and beat the crap out of the competition in a trade rag's
> head-to-head comparison. And it's not just between "2 active devices",
> the size of the cluster can be 2, 3, 4 or more and adding nodes gives you
> a non-linear increase in performance (that eventually tapers off).
>
>   This vendor has had this capability for around three years. I won't
> mention who it is because for some strange reason they don't advertise
> this expertise.
>
>   Dan.
>
> On Fri, 24 Aug 2001 09:54:51 PDT you wrote
> > It doesn't support fail-over, unless you're using something like our device
> > which maintains "state" between two active VPN gateways. As far as I know
> > we're the only vendors doing this: Fully Meshed, Active Active with
> > session & SA mirroring between 2 active devices for stateful failover.
> >
> > -----Original Message-----
> > From: jshukla [mailto:jshukla@earthlink.net]
> > Sent: Friday, August 24, 2001 9:21 AM
> > To: Jay Ratford; 'William Dixon'; ipsec@lists.tislabs.com; Ari Huttunen
> > Subject: Re: Ipsec load balancing devices - UDP-ESP impact
> >
> >
> > how does the load balancing work when one of
> > the VPN gateways dies?
> >
> > regards,
> > Jayant
> >
> > ----- Original Message -----
> > From: "Jay Ratford" <Jratford@netscreen.com>
> > To: "'William Dixon'" <wdixon@windows.microsoft.com>; "jshukla"
> > <jshukla@earthlink.net>; <ipsec@lists.tislabs.com>; "Ari Huttunen"
> > <Ari.Huttunen@F-Secure.com>
> > Sent: Friday, August 24, 2001 8:32 AM
> > Subject: RE: Ipsec load balancing devices - UDP-ESP impact
> >
> >
> > > Alteon (now Nortel) devices perform NAT and NAPT, but not in default
> > > configurations.  They also have a "VPN Load-Balancing" solution to load
> > > balance your VPN gateways - It does keep some kind of state, specifically
> > > how I'm not sure.
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: William Dixon [mailto:wdixon@windows.microsoft.com]
> > > Sent: Thursday, August 23, 2001 8:11 PM
> > > To: jshukla; ipsec@lists.tislabs.com; Ari Huttunen
> > > Subject: Ipsec load balancing devices - UDP-ESP impact
> > >
> > >
> > > Jayant, I've checked around on the popular load balancing product web
> > > sites.  But the details are often not avail, or buried in technical docs
> > > that require a customer account to access.
> > >
> > > Does anyone know of any products that do NAT or "VLAN" translation and
> > > specifically provide mapping support for IPSec "sessions", that is,
> > > devices that aren't already IPSec gateways and terminating IPSec before
> > > they do NAT ?
> > >
> > > I'd like to know if they do something more than maintain source IP-based
> > > mappings, like cookie-pair-SPI tracking or something.
> > >
> > > In any case, combining IKE & ESP in the same UDP port 500 encapsulation
> > > makes the task easier by having to track only one UDP src/dst pair - vs.
> > > IPSec ESP inbound and outbound SPIs, in addition to the IKE traffic, or
> > > in addition to another critically related UDP src/dst port pair carrying
> > > ESP.
> > >
> > > Wm
> > > William Dixon
> > > Program Manager - Network Security, IPSec
> > > Windows Networking
> > >
> > > -----Original Message-----
> > > From: jshukla [mailto:jshukla@earthlink.net]
> > > Sent: Saturday, August 18, 2001 5:10 PM
> > > To: ipsec@lists.tislabs.com; Ari Huttunen
> > > Subject: Re: draft-ietf-ipsec-udp-encaps-00: non-500 ESP encap, 32bits
> > > of , i-cookie=0
> > >
> > >
> > >
> > > ----- Original Message -----
> > > From: "Ari Huttunen" <Ari.Huttunen@F-Secure.com>
> > > >
> > > > At the Helsinki bakeoff there were seven implementations of the latest drafts,
> > > > including us. Additional three had implementations of some earlier
> > > > draft. This would be a good time for someone to provide really solid
> > > > arguments against using just one port, if such arguments exist. Like,
> > > > statistical calculations of actual overhead. The firewall-argument
> > > > doesn't cut it, it
> > >
> > > Have you guys considered how network based load-balancing
> > > will work in your approach? This is a general question regarding your
> > > approach; not using the IKE port for ESP will not exactly help.
> > >
> > > regards,
> > > Jayant

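The tracking problem William Dixon describes above, as an added example (not code from this thread, from the udp-encaps draft, or from any vendor mentioned): a load balancer sitting in front of several IPsec gateways has to decide which gateway a datagram belongs to. With IKE and UDP-encapsulated ESP sharing port 500, one UDP src/dst pair identifies the peer, so one table entry covers both. Tracking per SA instead means one entry for the IKE cookie pair and one per ESP SPI, and carrying ESP on a second UDP port pair doubles the entries again. The code also shows what happens to those entries when a gateway dies. Assumptions: the early-draft encapsulation where a UDP-ESP datagram starts with an 8-byte all-zero "non-IKE marker" (the i-cookie=0 idea in the subject line; later drafts changed both the marker and the port), constructed addresses and packets, and a hash-based gateway choice that is not any product's algorithm.

```python
"""Flow keys a load balancer must keep for IPsec peers when IKE and
UDP-encapsulated ESP share UDP port 500, versus per-SA tracking.

Added example, not code from the thread or any vendor. Assumptions: the
early udp-encaps draft format, where a UDP-ESP datagram starts with an
8-byte all-zero "non-IKE marker" (an IKE initiator cookie is never all
zeros), and constructed packets and addresses.
"""
import hashlib
import struct
from dataclasses import dataclass

IKE_PORT = 500
NON_IKE_MARKER = b"\x00" * 8   # assumption: i-cookie = 0 marks ESP, not IKE


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes  # UDP payload only


def classify(payload: bytes):
    """Return ('esp', spi) or ('ike', (icookie, rcookie)) for a shared-port datagram."""
    if len(payload) >= 12 and payload[:8] == NON_IKE_MARKER:
        return ("esp", struct.unpack("!I", payload[8:12])[0])
    if len(payload) >= 28:          # ISAKMP header is 28 bytes
        return ("ike", (payload[:8], payload[8:16]))
    raise ValueError("neither IKE nor UDP-encapsulated ESP")


def key_udp_pair(pkt: Packet):
    """One entry per peer: the UDP src/dst pair carries IKE and ESP alike."""
    return (pkt.src, pkt.sport, pkt.dst, pkt.dport)


def key_per_sa(pkt: Packet):
    """Per-SA tracking: IKE by cookie pair, ESP by SPI. Two entries per peer,
    and nothing on the wire ties an SPI back to the cookie pair that set it up."""
    return classify(pkt.payload)


class StickyBalancer:
    def __init__(self, gateways):
        self.gateways = list(gateways)
        self.table = {}             # flow key -> gateway

    def pick(self, key):
        gw = self.table.get(key)
        if gw in self.gateways:
            return gw
        # Hash-based choice over live gateways (constructed, not a vendor algorithm)
        h = int.from_bytes(hashlib.sha256(repr(key).encode()).digest()[:8], "big")
        gw = self.gateways[h % len(self.gateways)]
        self.table[key] = gw
        return gw

    def fail(self, gw):
        """Gateway dies: its flows are re-hashed elsewhere. Unless the new
        gateway holds mirrored SA state, every moved flow must renegotiate."""
        self.gateways.remove(gw)
        moved = [k for k, g in self.table.items() if g == gw]
        for k in moved:
            del self.table[k]
        return moved


def build_ike(icookie: bytes, rcookie: bytes) -> bytes:
    # ISAKMP header: cookies, next payload, version, exchange, flags, msg id, length
    return icookie + rcookie + struct.pack("!BBBBII", 1, 0x10, 2, 0, 0, 28)


def build_udp_esp(spi: int, seq: int = 1, body: bytes = b"\x00" * 16) -> bytes:
    return NON_IKE_MARKER + struct.pack("!II", spi, seq) + body


def demo():
    peer = ("192.0.2.10", IKE_PORT, "198.51.100.1", IKE_PORT)   # constructed
    ike = Packet(*peer, build_ike(b"\x11" * 8, b"\x22" * 8))
    esp = Packet(*peer, build_udp_esp(0x1000))
    # Same peer, ESP on a second UDP port pair (4500 is just a constructed value)
    esp_other_port = Packet("192.0.2.10", 4500, "198.51.100.1", 4500, build_udp_esp(0x1000))

    single, per_sa, two_ports = (StickyBalancer(["gw-a", "gw-b", "gw-c"]) for _ in range(3))
    for pkt in (ike, esp):
        single.pick(key_udp_pair(pkt))
        per_sa.pick(key_per_sa(pkt))
    for pkt in (ike, esp_other_port):
        two_ports.pick(key_udp_pair(pkt))

    result = {
        "single_port_entries": len(single.table),   # IKE and ESP share one key
        "per_sa_entries": len(per_sa.table),        # cookie pair + SPI
        "two_port_entries": len(two_ports.table),   # the "critically related" pair
        "same_gw_single_port": single.pick(key_udp_pair(ike)) == single.pick(key_udp_pair(esp)),
    }
    dead = single.pick(key_udp_pair(ike))
    result["flows_moved_on_failure"] = len(single.fail(dead))
    result["survivor_differs"] = single.pick(key_udp_pair(ike)) != dead
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two caveats worth keeping in mind. The shared-port classification only works because an IKE initiator cookie is never all zeros; a device that does not parse the marker and falls back to source-IP mapping will still work, but loses the ability to tell IKE from ESP for accounting or filtering. And per-SA keying has a gap the single-port scheme avoids: the SPI a gateway assigns for inbound ESP is negotiated inside the protected IKE exchange, so a balancer that keys on SPIs cannot learn from the wire which gateway owns a given SPI; it needs the gateways to tell it, which is exactly the kind of state the clustering products in this thread mirror between nodes.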