Configuring ipsec stateful failover, Configuration prerequisites, Configuration procedure – H3C Technologies H3C WX3000E Series Wireless Switches User Manual
Configuring IPsec stateful failover
In an IPsec stateful failover scenario, these restrictions apply:
• VRRP must work in the standard protocol mode.
• IPsec stateful failover supports only the active/standby failover mode.
• RSA signature authentication is not supported in IKE negotiation.
• The keepalive mechanism for IKE to maintain the link status of ISAKMP SAs is not supported.
• Support for the IPsec stateful failover feature depends on the device model. To find out whether your AC supports this feature, see the feature matrixes in About the WX Series Access Controllers Configuration Guides.
Configuration prerequisites
Before you configure IPsec stateful failover, complete the tasks in this section on the two devices.
1. Configure stateful failover:
   ○ Configure the devices to work in the active/standby mode.
   ○ Specify the interfaces between the devices as failover interfaces for transferring state negotiation messages and backing up IPsec service data.
   For more information about stateful failover, see High Availability Configuration Guide.
2. Configure VRRP:
   ○ On each device, configure a VRRP group for the uplink interface and a VRRP group for the downlink interface, and assign virtual IP addresses to the groups.
   ○ Set the priorities of the devices in the groups, making sure that one of the devices is the master in both VRRP groups.
   ○ Configure the devices to work in the same mode (preemption mode or non-preemptive mode) in both VRRP groups. To deploy the preemption mode, set the preemption delay of the backup device to 0 so the backup device can immediately take over when the priority of the master comes down, and set the preemption delay of the backup to a bigger value such as 255 seconds so the master has enough time to synchronize IPsec service data with the backup device after it recovers.
   For more information about VRRP, see High Availability Configuration Guide.
3. Configure IPsec and IKE:
   ○ Create and configure the same IKE peers on the two devices. The local gateway addresses of the IKE peers must be the virtual IP address of the uplink VRRP group.
   ○ Create and configure the same IPsec policies or IPsec profiles that use IKE on the two devices.
   ○ Apply the IPsec policies or IPsec profiles to the uplink interfaces on the two devices. If you change the virtual IP address after applying the IPsec policy to an interface, be sure to re-apply the IPsec policy to the interface.
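
The restrictions and prerequisites above can be checked as a pair-wise audit before failover is enabled. The following is an added example, not part of the H3C manual: the dictionary layout, key names, and all addresses and priorities are hypothetical and constructed for illustration, and do not represent H3C configuration syntax.

```python
# Added example: audits an active/standby pair against the restrictions and
# prerequisites above. The dict layout and key names are hypothetical (not
# H3C configuration syntax); every value below is constructed.
def audit_pair(a, b):
    """Return a list of findings; an empty list means the pair passes."""
    out = []
    for dev in (a, b):
        n = dev["name"]
        if dev["vrrp_mode"] != "standard":
            out.append(f"{n}: VRRP must work in the standard protocol mode")
        if dev["ike_auth"] == "rsa-signature":
            out.append(f"{n}: RSA signature authentication is not supported")
        if dev["ike_keepalive"]:
            out.append(f"{n}: IKE keepalive is not supported")
        vip = dev["vrrp"]["uplink"]["virtual_ip"]
        for peer, cfg in dev["ike_peers"].items():
            if cfg["local_address"] != vip:
                out.append(f"{n}: IKE peer {peer} local address is not the uplink virtual IP")
    # One device must hold the higher priority in BOTH VRRP groups.
    masters = set()
    for grp in ("uplink", "downlink"):
        pa, pb = a["vrrp"][grp]["priority"], b["vrrp"][grp]["priority"]
        if pa == pb:
            out.append(f"{grp}: equal priorities, master is not set by priority")
        else:
            masters.add(a["name"] if pa > pb else b["name"])
    if len(masters) > 1:
        out.append("master differs between the uplink and downlink VRRP groups")
    modes = {d["vrrp"][g]["preempt"] for d in (a, b) for g in ("uplink", "downlink")}
    if len(modes) > 1:
        out.append("preemption mode is not the same in both VRRP groups")
    for key in ("ike_peers", "ipsec_policies"):
        if a[key] != b[key]:
            out.append(f"{key} differ between the devices")
    return out

def sample_device(name, priority):  # constructed sample input
    grp = lambda vip: {"virtual_ip": vip, "priority": priority, "preempt": True}
    return {"name": name, "vrrp_mode": "standard", "ike_auth": "pre-share",
            "ike_keepalive": False,
            "vrrp": {"uplink": grp("192.0.2.1"), "downlink": grp("198.51.100.1")},
            "ike_peers": {"branch": {"local_address": "192.0.2.1", "remote": "203.0.113.10"}},
            "ipsec_policies": {"map1": {"ike_peer": "branch", "interface": "uplink"}}}

if __name__ == "__main__":
    ac1, bad = sample_device("AC1", 110), sample_device("AC2", 100)
    bad["vrrp"]["downlink"]["priority"] = 120  # constructed fault: split mastership
    print(audit_pair(ac1, bad))
```
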
Configuration procedure
To implement IPsec stateful failover on two devices, you must enable IPsec stateful failover on both
devices.
To configure IPsec stateful failover on a device: