[Openswan Users] How to work with IPsec behind NAT

Kimmo Koivisto koippa at gmail.com
Mon Feb 25 10:43:48 EST 2008

Gagandeep bajaj wrote:
> Hi
> I am working on IMS and have been given the responsibility of implementing IPsec
> between the user agent (SIP phone) and our proxy server (P-CSCF).
> The architecture of P-CSCF is that it is an 8-blade server (chassis based)
> and shows a single IP to the outer world. It has to support IPsec (key
> exchange is done at the application level, i.e. SIP) for both UDP and TCP.
> What I want is scalability like ..
> UE ( 40.x.x.x) ---------->  P-CSCF ( internal IP addresses from
>                            (50.x.x.x) to
> I want to distribute the IPsec connections made
> onto different blades, so there is no single point of
> failure. Basically, this is load-balancing IPsec connections in a
> cluster.
> And also, how do I make these connections redundant over different servers
> so the SIP phone does not have to redo the whole process of making IPsec
> with the server on failure?
> Thanks, and sorry if this is not the right place to ask... but I have been
> searching for this for 2 weeks now, but to no avail... any pointers
> would be appreciated.
> Thanks again
> Gagandeep Bajaj


I would build a load-balancing VPN cluster in front of the P-CSCF. I know
one solution (Linux-based) that could do that with plain IPsec, or it also
supports Mobile IPv4 + IPsec, which provides, similar to Mobike, seamless
roaming etc. without renegotiating tunnels.

The only thing is that the solution I have in mind is commercial and I
don't want to advertise the product name here.

How to do this with Openswan, I don't know.

Kimmo Koivisto
