Re: IPSEC and Failover

From: S. Pidgorny [MVP] (slavickp_at_yahoo.com)
Date: 05/14/03


Date: Wed, 14 May 2003 20:41:10 +1000


This is a problem of the IPsec standard. Whatever the IPsec implementation is,
IPsec IKE SAs are unique and therefore a connection will not fail over
without being broken. The only option to facilitate continuous availability
is really mirrored hardware (like Tandem or Stratus), but using it for IPsec
is overkill.

The latency relates to re-establishing the IPsec connection - it's both client
and server, OS-independent.

Yes, a load balancer isn't going to solve the problem.

-- 
Svyatoslav Pidgorny, MS MVP, MCSE
-= F1 is the key =-
"Amihai Bareket" <amihai73@hotmail.com> wrote in message
news:unIoD1dGDHA.2140@TK2MSFTNGP12.phx.gbl...
> According to Microsoft, there's a problem implementing IPSEC in a
> clustered server environment (KB Q306677).
> Few questions -
> 1. Is this problem related to IPSEC in general or only to Microsoft's
> implementation of the protocol?
> 2. Does the latency to create new sessions in case of failover relate to
> the server or the client side? (Will the problem repeat itself if the
> server is a non-MS OS?)
> 3. Say I'm working with several servers configured as an array behind a
> hardware-based load balancer (say Cisco, for example). Now, due to a
> failure of one of the servers, the client's workstation is being directed
> to a new server. Will I still experience this problem (create a new tunnel
> with IPSEC)?
>
> Thanks...
>
>

