Enabling capwap/lwapp tunnel encryption with ipsec, Configuration considerations – H3C Technologies H3C WX3000E Series Wireless Switches User Manual
Step 5: Specify the AP connection priority for the AC.
Command: priority level priority
Remarks: Optional. By default, the AP connection priority of the AC is 4. If an AC has an AP connection priority of 7, the AC becomes the master AC. When the master AC fails and then recovers, it re-establishes connections with APs and becomes the master AC again.
NOTE:
The two ACs must have the same AP configuration view settings for an AP. Otherwise, the AP may fail to work after a master and subordinate switchover.
Enabling CAPWAP/LWAPP tunnel encryption with IPsec
Control And Provisioning of Wireless Access Points (CAPWAP) defines how an AP communicates with an AC. It provides a generic encapsulation and transport mechanism between AP and AC. However, tunnel packets are transmitted in plain text, which exposes both control and data traffic on the wired path between AP and AC. To ensure CAPWAP/LWAPP transmission security, you can use IPsec to encrypt and authenticate control and data packets. If you configure both AC backup and Portal stateful failover, use the undo ipsec synchronization enable command to disable IPsec stateful failover.
Configuration considerations
1. Enable the AP and AC to establish a CAPWAP/LWAPP tunnel between them and make sure the AP is in the running state.
2. Enter AP configuration view to complete the IPsec encryption configuration, and execute the save wlan ap provision command to save the configuration to the wlan_ap_cfg.wcfg file of the AP.
3. Reboot the AP to validate the configuration.
4. Configure IPsec. For more information about IPsec configuration, see Security Configuration Guide.
Follow these guidelines when you configure IPsec:
- The security protocol, encapsulation mode, authentication algorithm, and encryption algorithm can only be ESP, tunnel, SHA1, and DES, respectively. You can only use IKEv1 to set up SAs, use the default security proposal, and adopt only the main IKE negotiation mode. For more information about IPsec commands, see Security Command Reference.
- You can configure an IPsec policy that uses IKE only by referencing an IPsec policy template, because the AC responds to the AP's negotiation requests rather than initiating them.
- When you configure pre-shared key authentication for an IKE peer, the pre-shared key configured with the pre-shared-key command (the key on the AC) must be the same as that configured with the tunnel encryption ipsec pre-shared-key command (the key sent by the AC to the AP by using the AP provision function).
- To make sure the SAs between the AC and AP can be removed in time when the AP disconnects from the AC, configure Dead Peer Detection (DPD), configure the ISAKMP SA keepalive interval with the ike sa keepalive-timer interval command, configure the ISAKMP SA keepalive timeout
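The following AC-side configuration is an added example, not taken from this manual or from H3C, showing how the four steps and the guidelines above fit together: an ESP/tunnel/SHA1/DES proposal, a policy template (the AC only answers the AP's IKEv1 main-mode negotiation), DPD plus ISAKMP keepalive timers so stale SAs are torn down when an AP drops off, and the same pre-shared key on the IKE peer and in the AP provision data. The command names quoted on this page (priority, save wlan ap provision, tunnel encryption ipsec pre-shared-key, pre-shared-key, ike sa keepalive-timer interval) are used as documented; the view names, sub-commands and parameters around them (ike dpd, ike peer, ipsec proposal, ipsec policy-template, the provision sub-view, interface Vlan-interface 1, the timer values) are assumptions based on Comware V5 syntax and must be checked against the Security Command Reference for your release. The key AP-TUNNEL-KEY-PLACEHOLDER and the AP model <AP-MODEL> are placeholders.

```cli
# Added example (not from the manual). Run on the AC after the AP is already
# in running state over an unencrypted CAPWAP/LWAPP tunnel (step 1).
system-view

# ISAKMP SA keepalive timers (commands named on this page); values are assumptions.
 ike sa keepalive-timer interval 20
 ike sa keepalive-timer timeout 60

# DPD so that SAs are removed promptly when the AP disconnects (syntax assumed).
 ike dpd ap-dpd
  interval-time 10
  time-out 5
  quit

# IKE peer: IKEv1 main mode with the default IKE proposal, pre-shared key auth.
# This key MUST equal the key pushed to the AP below.
 ike peer ap-peer
  exchange-mode main
  pre-shared-key simple AP-TUNNEL-KEY-PLACEHOLDER
  dpd ap-dpd
  quit

# The only supported combination: ESP, tunnel mode, SHA1, DES.
 ipsec proposal ap-prop
  transform esp
  encapsulation-mode tunnel
  esp authentication-algorithm sha1
  esp encryption-algorithm des
  quit

# Policy template: the AC is the responder, so no peer address or ACL is bound here.
 ipsec policy-template ap-tmpl 1
  ike-peer ap-peer
  proposal ap-prop
  quit
 ipsec policy ap-policy 1 isakmp template ap-tmpl

# Apply the policy on the interface that terminates the AP tunnels (interface assumed).
 interface Vlan-interface 1
  ipsec policy ap-policy
  quit

# Step 2: AP view / provision data. The key here must match the IKE peer key above.
 wlan ap ap1 model <AP-MODEL>
  provision
   tunnel encryption ipsec pre-shared-key simple AP-TUNNEL-KEY-PLACEHOLDER
   quit
  quit
 quit

# Step 2 (cont.): write the provision data to the AP's wlan_ap_cfg.wcfg file.
# Arguments (if any) as given in your release's command reference.
save wlan ap provision

# Step 3: reboot the AP so it comes back with the key and negotiates IPsec.
```

A useful check after the AP reboots is that a single IKE SA and a pair of IPsec SAs exist for that AP, and that they disappear within the DPD/keepalive window when the AP is powered off; if the AP never re-joins, the first thing to compare is the two pre-shared keys, since a mismatch fails IKE authentication silently from the AP's point of view.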