Title :
Failure preventive mechanism for IPsec gateways
Author :
Palomares, Daniel ; Migault, Daniel ; Laurent, Monique
Author_Institution :
France Telecom, Orange, France
Abstract :
Operators mainly use IPsec Virtual Private Networks (VPNs) to extend a security domain over untrusted networks. A VPN is usually established when an End-User (EU) and a Security Gateway (SG) negotiate security associations (SAs). For better QoS, the SGs are geographically distributed so that they are as close as possible to the EUs. As a consequence, the higher the SG's level of responsibility, the higher the risk that it becomes overloaded and breaks down. This paper presents a mechanism for extracting and reinstalling security associations, as well as a mechanism to transfer a given IPsec traffic flow from one SG to another. We also propose an additional mechanism for resolving the mis-synchronization of IPsec anti-replay counters and IKEv2 Message ID counters. Finally, performance measurements in terms of delay and packet loss are provided and demonstrate the feasibility of the approach. Results obtained from a real implementation show that the system time to extract an IKEv2/IPsec session ranges from 5 ms to 15 ms, whereas the system time to restore an IKEv2/IPsec session can take from 2 ms to 22 ms.
Keywords :
IP networks; computer network reliability; computer network security; internetworking; quality of service; virtual private networks; IKEv2 message ID counters; IKEv2-IPsec session; IPsec VPN; IPsec antireplay counters; IPsec gateways; IPsec traffic; IPsec virtual private networks; QoS; end-user; failure preventive mechanism; packet loss; security associations; security domain; security gateway; time 2 ms to 22 ms; Context; IP networks; Logic gates; Protocols; Radiation detectors; Security; Virtual private networks; Failure-Preventive; IKEv2; IPsec; IPsec Clustering; QoS; Security Gateway Handover;
Conference_Title :
Communications and Information Technology (ICCIT), 2013 Third International Conference on
Conference_Location :
Beirut
Print_ISBN :
978-1-4673-5306-9
DOI :
10.1109/ICCITechnology.2013.6579543