Configuring ipsec stateful failover, Configuration prerequisites, Configuration procedure – H3C Technologies H3C WX3000E Series Wireless Switches User Manual

Configuring IPsec stateful failover

In an IPsec stateful failover scenario, these restrictions apply:

- VRRP must work in the standard protocol mode.
- IPsec stateful failover supports only the active/standby failover mode.
- RSA signature authentication is not supported in IKE negotiation.
- The keepalive mechanism for IKE to maintain the link status of ISAKMP SAs is not supported.

Support for the IPsec stateful failover feature depends on the device model. To find out whether your AC supports this feature, see the feature matrixes in About the WX Series Access Controllers Configuration Guides.

Configuration prerequisites

Before you configure IPsec stateful failover, complete the tasks in this section on the two devices.

1. Configure stateful failover:

   - Configure the devices to work in the active/standby mode.
   - Specify the interfaces between the devices as failover interfaces for transferring state negotiation messages and backing up IPsec service data.

   For more information about stateful failover, see High Availability Configuration Guide.

2. Configure VRRP:

   - On each device, configure a VRRP group for the uplink interface and a VRRP group for the downlink interface, and assign virtual IP addresses to the groups.
   - Set the priorities of the devices in the groups, making sure that one of the devices is the master in both VRRP groups.
   - Configure the devices to work in the same mode (preemption mode or non-preemptive mode) in both VRRP groups. To deploy the preemption mode, set the preemption delay of the backup device to 0 so the backup device can immediately take over when the priority of the master comes down, and set the preemption delay of the backup to a bigger value such as 255 seconds so the master has enough time to synchronize IPsec service data with the backup device after it recovers.

   For more information about VRRP, see High Availability Configuration Guide.

3. Configure IPsec and IKE:

   - Create and configure the same IKE peers on the two devices. The local gateway addresses of the IKE peers must be the virtual IP address of the uplink VRRP group.
   - Create and configure the same IPsec policies or IPsec profiles that use IKE on the two devices.
   - Apply the IPsec policies or IPsec profiles to the uplink interfaces on the two devices. If you change the virtual IP address after applying the IPsec policy to an interface, be sure to re-apply the IPsec policy to the interface.
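A pre-deployment check of the prerequisites and restrictions above, as an added example that is not from the H3C manual. The dictionary layout and field names are hypothetical, the sample devices are constructed, and equal VRRP priorities are treated as a violation.

```python
import copy

# Field names are hypothetical (not H3C configuration keys); fill them from your own export.
def check_failover_pair(a, b):
    """Return violations of the page's prerequisites/restrictions for devices a, b."""
    issues = []
    for dev in (a, b):
        n, uplink_vip = dev["name"], dev["vrrp"]["uplink"]["virtual_ip"]
        if dev["failover_mode"] != "active/standby":
            issues.append(f"{n}: failover mode must be active/standby")
        if dev["vrrp_mode"] != "standard":
            issues.append(f"{n}: VRRP must work in the standard protocol mode")
        for pname, peer in dev["ike_peers"].items():
            if peer["local_address"] != uplink_vip:
                issues.append(f"{n}: IKE peer {pname} local address is not the uplink virtual IP")
            if peer["auth"] == "rsa-signature":
                issues.append(f"{n}: IKE peer {pname} uses RSA signature authentication")
            if peer["keepalive"]:
                issues.append(f"{n}: IKE peer {pname} has IKE keepalive enabled")
    # One device must have the higher priority (be master) in both VRRP groups.
    masters, preempt_modes = set(), set()
    for grp in ("uplink", "downlink"):
        ga, gb = a["vrrp"][grp], b["vrrp"][grp]
        masters.add(None if ga["priority"] == gb["priority"]
                    else a["name"] if ga["priority"] > gb["priority"] else b["name"])
        preempt_modes.update((ga["preempt"], gb["preempt"]))
    if len(masters) != 1 or None in masters:
        issues.append("no single device is master in both VRRP groups")
    if len(preempt_modes) != 1:
        issues.append("preemption mode is not the same in both VRRP groups on both devices")
    # IKE peers and IPsec policies must be configured identically on the two devices.
    for key in ("ike_peers", "ipsec_policies"):
        if a[key] != b[key]:
            issues.append(f"{key} differ between the two devices")
    return issues

# Constructed sample pair; addresses are from documentation ranges.
DEVICE_A = {
    "name": "AC-A", "failover_mode": "active/standby", "vrrp_mode": "standard",
    "vrrp": {"uplink": {"virtual_ip": "192.0.2.1", "priority": 110, "preempt": True},
             "downlink": {"virtual_ip": "198.51.100.1", "priority": 110, "preempt": True}},
    "ike_peers": {"branch": {"local_address": "192.0.2.1", "auth": "pre-shared-key",
                             "keepalive": False}},
    "ipsec_policies": {"pol1": {"ike_peer": "branch"}},
}
DEVICE_B = copy.deepcopy(DEVICE_A)
DEVICE_B["name"] = "AC-B"
for group in DEVICE_B["vrrp"].values():
    group["priority"] = 100  # AC-A stays master in both groups
```

An empty list from `check_failover_pair(DEVICE_A, DEVICE_B)` means the pair meets every condition the function checks; it does not cover the failover interfaces or where the IPsec policies are applied.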

Configuration procedure

To implement IPsec stateful failover on two devices, you must enable IPsec stateful failover on both devices.

To configure IPsec stateful failover on a device: