IP Security Protocol (IPsec) traffic, like other types of traffic, is typically load-balanced among the various network entities that process it in order to maintain system efficiency, resiliency, and the like. That is, it is desirable to distribute IPsec traffic among a plurality of IPsec processing units (IPsec PUs) available to process such traffic.
DNS-based load-balancing solutions provide that each IPsec processing unit has a different gateway address, that IPsec clients are provisioned with a single gateway Fully Qualified Domain Name (FQDN), and that the DNS server returns the list of gateway addresses in a different order for each IPsec client resolve request. In this manner, since each IPsec client connects to the first address in the returned DNS list, the IPsec traffic associated with the various clients is distributed across multiple IPsec processing units. Unfortunately, since the DNS server has no information pertaining to the availability, capacity, and current load of each PU, this load-balancing solution is neither accurate nor efficient.
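The following is an added illustration, not part of the original text: it simulates the round-robin DNS scheme just described (each resolve returns the same address set rotated, and the client connects to the first entry) and contrasts it with a hypothetical balancer that does know PU availability and capacity. The gateway addresses, capacities, and the load-aware policy are constructed for the example.

```python
from collections import Counter

# Constructed gateway pool: one address per IPsec processing unit (PU).
# Documentation-range placeholders, not real gateways.
GATEWAYS = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]


def dns_round_robin(addresses, request_no):
    """Model a round-robin DNS server: every resolve request gets the
    same address set, rotated by one position per request."""
    k = request_no % len(addresses)
    return addresses[k:] + addresses[:k]


def simulate_dns_balancing(addresses, n_clients, available):
    """Each client resolves the gateway FQDN once and connects to the
    first address returned.  'available' is the set of PUs that are
    actually up; the DNS server does not know this, so a client handed
    a down PU simply fails.  Returns (load per PU, failed connections)."""
    load = Counter()
    failed = 0
    for i in range(n_clients):
        target = dns_round_robin(addresses, i)[0]
        if target in available:
            load[target] += 1
        else:
            failed += 1
    return load, failed


def simulate_load_aware(addresses, n_clients, available, capacity):
    """Contrast case (hypothetical policy, not a scheme from the text):
    a balancer that knows availability and capacity sends each client
    to the live PU with the lowest load/capacity ratio, so traffic is
    spread in proportion to capacity and never sent to a down PU."""
    load = Counter()
    for _ in range(n_clients):
        live = [a for a in addresses if a in available]
        target = min(live, key=lambda a: load[a] / capacity[a])
        load[target] += 1
    return load


if __name__ == "__main__":
    up = set(GATEWAYS) - {"192.0.2.12"}           # one PU is down
    print(simulate_dns_balancing(GATEWAYS, 9, up))  # a third of clients fail
    cap = {"192.0.2.10": 2, "192.0.2.11": 1, "192.0.2.12": 1}
    print(simulate_load_aware(GATEWAYS, 8, set(GATEWAYS), cap))
```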
Internet Engineering Task Force (IETF) Request for Comments (RFC) 5685 provides an IPsec load-balancing solution wherein the Internet Key Exchange Protocol version 2 (IKEv2) is extended to allow a gateway to redirect an IPsec client to a different gateway during tunnel setup or after the tunnel has been created. Unfortunately, this solution requires client support for the RFC 5685 extension, which most IPsec clients lack. Further, the solution pertains to IKEv2 only and does not address the IKEv1 protocol still widely in use today.
Other IPsec load-balancing solutions contemplate changing, on the fly, the destination MAC/IP address associated with IPsec traffic. Unfortunately, this solution is also inefficient, since the PU or other entity used to perform such on-the-fly MAC/IP address changes has no information pertaining to the availability, capacity, and current load of each PU. Further, there are additional limitations, such as a lack of Authentication Header (AH) mode support due to the changing of destination IP addresses, and the requirement that the PUs be in the same network layer due to the changing of destination MAC addresses.