IPSec in Cluster Networking

Applies To: Windows Server 2003 with SP1

Although it is possible to use Internet Protocol Security (IPSec) for applications that can failover in a Server cluster, IPSec was not designed for failover situations and we recommend that you do NOT use IPSec for applications in a Server cluster.

The primary issue is that Internet Key Exchange (IKE) Security Associations (SAs) are not transferred from one server to the other if a failover occurs because they are stored in a local database on each node.

In a connection that is protected by IPSec, an IKE SA is created in phase-I negotiations. Two IPSec SAs are created in phase II. A time-out value is associated with the IKE and IPSec SAs. If Master Perfect Forward Secrecy is not used, the IPSec SAs are created by using key material from the IKE SAs. If this is the case, the client must wait for the default time-out or lifetime period for the inbound IPSec SA to expire and then wait for the timeout or lifetime period that is associated with the IKE SA.

The default time-out for the Security Association Idle Timer is 5 minutes, in the event of a failover, clients will not be able to reestablish connections until at least 5 minutes after all resources are online, using IPSec.

Although IPSec is not optimally designed for a clustered environment, it may be used if your business need for secure connectivity outweighs client downtime in the event of a failover.