
Protocols and standards, Ipsec configuration task list – H3C Technologies H3C WX3000E Series Wireless Switches User Manual


process is transparent to remote devices. No extra configuration is required on remote devices and no IPsec re-negotiation is required after the switchover.

Figure 147 IPsec stateful failover

As shown in Figure 147, Device A and Device B form an IPsec stateful failover system and Device A is elected the master in the VRRP group. When Device A operates normally, it establishes an IPsec tunnel to Device C, and synchronizes its IPsec service data to Device B. The synchronized IPsec service data includes the IKE SA, IPsec SAs, and DPD packet sequence number. Based on the IPsec service data, Device B creates standby IKE SA and standby IPsec SAs to back up the active IKE SA and active IPsec SAs on Device A. When Device A fails, the VRRP mechanism switches IPsec traffic from Device A to Device B. Because Device B has an instant copy of Device A's IPsec service data, Device B can immediately process IPsec traffic to provide nonstop IPsec service.
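The following is an added example (not from the H3C manual) that models why the synchronized IPsec service data must include current sequence numbers: if the backup resumed the inherited SA from sequence number 1, the remote peer's ESP anti-replay window would discard its packets, even though the SPI and keys are correct. Device C is modelled with a simplified RFC 4303-style 64-packet window; all SPIs, keys and counters are constructed values.

```python
"""Toy model of IPsec stateful failover (added example, not H3C code).
The master replicates its outbound SA (SPI, key, next sequence number)
to the backup; on failover the backup continues the same SA. Device C
applies a simplified RFC 4303 anti-replay window of 64 packets."""
from dataclasses import dataclass, field


@dataclass
class OutboundSA:
    spi: int
    key: bytes
    next_seq: int = 1  # ESP sequence number of the next packet to send


@dataclass
class AntiReplayWindow:
    """Receiver-side replay check (simplified RFC 4303 sliding window)."""
    size: int = 64
    top: int = 0                 # highest sequence number accepted so far
    seen: set = field(default_factory=set)

    def accept(self, seq: int) -> bool:
        if seq <= 0 or seq in self.seen:
            return False                        # duplicate or invalid
        if seq > self.top:
            self.top = seq                      # window slides forward
        elif seq <= self.top - self.size:
            return False                        # older than window: replay
        self.seen.add(seq)
        self.seen = {s for s in self.seen if s > self.top - self.size}
        return True


def run_failover(sync_state: bool, before: int = 100, after: int = 5) -> int:
    """Master sends `before` packets, fails, then the backup sends `after`
    packets on the same SA. Returns how many backup packets Device C accepts."""
    peer = AntiReplayWindow()
    master = OutboundSA(spi=0x1000, key=b"constructed-key")          # constructed
    backup = OutboundSA(spi=master.spi, key=master.key)               # standby SA
    for _ in range(before):
        peer.accept(master.next_seq)
        master.next_seq += 1
        if sync_state:                       # replicate SA state to the backup
            backup.next_seq = master.next_seq
    # Master fails; VRRP moves traffic to the backup, which reuses the SA.
    accepted = 0
    for _ in range(after):
        accepted += peer.accept(backup.next_seq)
        backup.next_seq += 1
    return accepted
```

With state synchronized all five post-failover packets are accepted; without it, all five are dropped as replays and the tunnel would have to be re-negotiated.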

Protocols and standards

RFC 2401, Security Architecture for the Internet Protocol

RFC 2402, IP Authentication Header

RFC 2406, IP Encapsulating Security Payload

RFC 4552, Authentication/Confidentiality for OSPFv3

RFC 4301, Security Architecture for the Internet Protocol

RFC 4302, IP Authentication Header

RFC 4303, IP Encapsulating Security Payload (ESP)

IPsec configuration task list

The following is the generic configuration procedure for implementing IPsec:

1. Configure IPsec proposals to specify the security protocols, and authentication and encryption algorithms.

[Figure 147 labels: LAN, Device A (Master), Device B (Backup), Device C, Failover link, Virtual router 1, Virtual router 2, IPsec tunnel, LAN, Internet]