From: Huide Y. <yh...@gm...> - 2006-01-02 15:02:17
On 1/1/06, Yoav Nir <yn...@ch...> wrote:
>
> If you're doing HA, you can have a single IKE SA, but a separate IPsec SA
> for each security gateway. If you're using IKEv1, this will work with some
> but not all of the peers. If you're using IKEv2, then allowing two parallel
> SAs is required.
>
> Even if this is not allowed, when the failover happens, you can quickly
> (using Quick Mode or Create-Child-SA) create an IPsec SA and traffic will
> continue as before. You don't need to backup every packet or synchronize the
> replay counter for every packet.

Here, do you mean only backing up the phase I SA is enough? So, when the master SG breaks down, we still need to re-negotiate the phase II SA, and that will take some time: at least we need the 3 messages on each side for the quick mode exchange, and we should notify the remote peer to delete the old phase II SA and initiate the exchange; all of this must take some time... If the traffic is busy, this will cause many packets in the IPsec tunnel to be dropped...

And for the "load share" case the phase II SA is necessary, right?

The 2 phases' SAs should be backed up, and maybe the 32-packet anti-replay window can be used. Here is an idea on the SN processing, but I'm not sure of its feasibility:

We can send the backup info only when the anti-replay checking reaches the edge of the window; that means we will send 1 backup info every time 32 packets have been processed by IPsec. So if the master halts, the backup SG can increase the SN counter and continue the packet forwarding...

Huide

________________________________

> From: ips...@ie... [mailto:ips...@ie...] On Behalf Of Wade
> Sent: Friday, December 30, 2005 6:33 PM
> To: ip...@ie...; ips...@li...
> Subject: [Ipsec] is there any idea on ipsec HA?
>
> hello,
>
> IPsec high availability is one of the requirements of people. Usually we
> use two security gateways, one acting as a master and another acting as a
> standby SG.
>
> I got a question on the packet sequence number: should the master SG
> send every packet to the standby SG? The sequence number is used by anti-replay;
> if we don't back it up, when the master SG is halted for some reason the remote
> peer won't accept the packets received from the backup SG because the
> packet SN won't pass the anti-replay checking mechanism. But to backup every
> packet is impossible; it takes too much throughput.
>
> If we don't want to disable the anti-replay, is there any advice to
> solve this problem?
>
> Thanks
>
> Huide
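As an added example that is not part of this thread (a constructed simulation, not any gateway's code), the following models the proposal above: the peer keeps a 32-packet anti-replay window, the master checkpoints its ESP sequence number to the standby once per window, and after failover the standby resumes a full window above the checkpoint. It assumes the checkpoint message reaches the standby before the next packet is sent; `synced=False` reproduces the rejection described in the original question.

```python
WINDOW = 32  # anti-replay window size discussed in the thread

class ReplayWindow:
    """Receiver side: RFC 4303 style sliding anti-replay window (bitmap)."""
    def __init__(self, size=WINDOW):
        self.size, self.top, self.bitmap = size, 0, 0  # bit i <=> SN top-i seen

    def accept(self, seq):
        if seq == 0:                       # ESP sequence numbers start at 1
            return False
        if seq > self.top:                 # new high-water mark: slide window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size or self.bitmap & (1 << diff):
            return False                   # too old, or already received
        self.bitmap |= 1 << diff
        return True

class HaSender:
    """Active gateway: ESP send counter plus a checkpoint shared with the standby."""
    def __init__(self, window=WINDOW, start=0):
        self.window, self.seq, self.checkpoint = window, start, start

    def send(self):
        self.seq += 1
        if self.seq % self.window == 0:    # window edge: one sync per 32 packets,
            self.checkpoint = self.seq     # assumed delivered before the packet
        return self.seq

    def failover(self, synced=True):
        """Standby takes over. It only knows the last checkpoint, so it jumps a
        full window past it: the master sent at most checkpoint+window-1 before
        the next sync, so every new SN is above the peer's window top."""
        start = self.checkpoint + self.window if synced else 0
        return HaSender(self.window, start)

def simulate(pkts_before_failover, pkts_after=5, synced=True):
    """Constructed scenario: count packets the peer accepts after failover."""
    rx, master = ReplayWindow(), HaSender()
    for _ in range(pkts_before_failover):
        rx.accept(master.send())
    standby = master.failover(synced)
    return sum(rx.accept(standby.send()) for _ in range(pkts_after))
```

The cost is one sync message per 32 data packets and a gap of up to 32 sequence numbers at failover, which the peer's window tolerates because the new numbers are strictly higher than anything it has seen.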