Protocols and standards, Ipsec configuration task list – H3C Technologies H3C WX3000E Series Wireless Switches User Manual

350

process is transparent to remote devices. No extra configuration is required on remote devices and no

IPsec re-negotiation is required after the switchover.

Figure 147 IPsec stateful failover

As shown in

Figure 147

, Device A and Device B form an IPsec stateful failover system and Device A is

elected the master in the VRRP group. When Device A operates normally, it establishes an IPsec tunnel

to Device C, and synchronizes its IPsec service data to Device B. The synchronized IPsec service data

includes the IKE SA, IPsec SAs, and DPD packet sequence number. Based on the IPsec service data,

Device B creates standby IKE SA and standby IPsec SAs to back up the active IKE SA and active IPsec SAs

on Device A. When Device A fails, the VRRP mechanism switches IPsec traffic from Device A to Device B.
Because Device B has an instant copy of Device A's IPsec service data, Device B can immediately

process IPsec traffic to provide nonstop IPsec service.

Protocols and standards

•

RFC 2401, Security Architecture for the Internet Protocol

•

RFC 2402, IP Authentication Header

•

RFC 2406, IP Encapsulating Security Payload

•

RFC 4552, Authentication/Confidentiality for OSPFv3

•

RFC4301, Security Architecture for the Internet Protocol

•

RFC4302, IP Authentication Header

•

RFC4303, IP Encapsulating Security Payload (ESP)

IPsec configuration task list

The following is the generic configuration procedure for implementing IPsec:

1.

Configure IPsec proposals to specify the security protocols, and authentication and encryption
algorithms.

LAN

Device A

Device B

Device C

Failover link

Master

Backup

Virtual router 1

Virtual router 2

IP

se

c

tu

nn

el

LAN

Internet