Since applications on client use private IP address, any change in the ISP provided IP address does not destroy the IP connections to Enterprise networks. This is in particular helps mobile users. While traveling by car, Mobiles may get different IP addresses across different point of attachments to the cellular network. As long as private IP address does not change, there is no disconnection to voice calls and data sessions. These sessions and calls work even in cases where mobile point of attachment changes from cellular to wi-fi and vice versa.
When outer IP address changes, IPsec client creates new tunnel to the IPsec gateway. Tunnel establishment typically takes hundred of milliseconds to a second. Though this is fine for data sessions, it introduces big jitter and that may not be acceptable for voice and other real time multi-media applications. At Intoto, we have created a proprietary solution (We call it IPsec address adoption) to adopt the IP address change in existing tunnel, there by avoiding new tunnel creation. Both IPsec Gateway and IPsec client adopt to change in IP address and change the tunnel addresses securely, avoiding expensive tunnel creation and thereby providing smooth transition.
Assumptions and Limitations of 'Address adoption' technique:
- It always uses tunnel mode.
- Forces NAT-T even when there is no NAT device in between
- Always does UDP encapsulation.
- Always sends Keep alive messages.
- Since it detects the address change based on incoming packets, it is assumed that there is traffic in both directions.
In summary, IPsec with its inherent capability of tunneling, provides seamless mobility to Enterprise resources. With additional Intoto proprietary address adoption technique, it reduces jitterness in the real time traffic.