[Openswan Users] How to work with IPsec behind NAT

[Kimmo Koivisto]

Gagandeep bajaj wrote:
> Hi
>
> I am working on IMS and been given the responsibility of implementing IPsec
> between the user-agent(SIP phone) and our proxy server (P-CSCF).
>
> the architecture of P-CSCF is like it is an 8 blade server(chassis based)
> and shows a single IP to the outer world. It has to support IPsec ( key
> exchange is done at the application level ie. SIP)for both UDP and TCP.
>
> What I want is scalibility like ..
>
> UE ( 40.x.x.x) ---------->  P-CSCF ( internal IP addresses from
>                            (50.x.x.x)   192.168.1.1 to 192.168.1.8)
>
> I want to distribute the IPsec connections made
> onto different blades, so there is no single point of
> failure. Basically, this is  load-balancing  IPsec connections in a
> cluster .
>
> And also, How do i make these connections  redundant over different servers
> so the SIP phone doesnot have to  redo the whole process of making IPsec
> with the server on failure.
>
> Thanks and sorry if this is not the right place to ask... but i have been
> searching for this for 2 weeks now .. but to no avail .... any pointers
> would be appreciated .....
>
> Thanks again
>
> Gagandeep Bajaj

Hello

I would build Load balancing VPN-cluster to the front of the P-CSCF. I know 
one solution (Linux-based) that could do that with plain IPsec or it also 
supports Mobile IPv4 + IPsec which provides similar to Mobike, seamless 
roaming etc. without renegotiating tunnels.  

Only thing is that the solution that I have in my mind is commercial and I 
don't wan't to advertise product name here. 

How to do this with openswan, don't know.

Regards,
Kimmo Koivisto