Ipsec stateful failover – H3C Technologies H3C WX3000E Series Wireless Switches User Manual
Figure 898 An IPsec VPN
You can advertise the static routes created by IPsec RRI in the internal network. IPsec RRI can quickly
create new routes for forwarding IPsec VPN traffic when an active link fails in a load-balanced or stateful
failover environment, or when IPsec VPN traffic cannot reach the peer gateway through the default local
gateway.
IPsec RRI dynamically creates static routes based on IPsec SAs. In each static route, the destination
address is the address of a protected branch network, and the next hop is the user-specified remote peer
address or the remote tunnel endpoint's address learned during IPsec SA negotiation.
In an MPLS L3VPN network, an RRI-configured IPsec VPN gateway can add static routes into the IP
routing table of the VPN instance that is bound to the interface to which the IPsec policy is applied.
IPsec RRI creates static routes when the IPsec SAs are established, and deletes the static routes when the
IPsec SAs are deleted.
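The RRI rules above can be turned into a consistency check between the live IPsec SAs and the routing table, for example after a failover. The following Python sketch is an added example, not H3C code or device output: the IpsecSa and Route records, the audit function, and all addresses are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, Optional

@dataclass(frozen=True, order=True)
class Route:
    vpn_instance: str   # "" means the public routing table (assumption)
    destination: str    # protected branch network
    next_hop: str

@dataclass(frozen=True)
class IpsecSa:
    protected_net: str                     # branch network protected by the SA
    tunnel_remote: str                     # endpoint learned during SA negotiation
    vpn_instance: str = ""                 # VPN instance bound to the interface
    configured_peer: Optional[str] = None  # user-specified remote peer address

def expected_rri_routes(sas: Iterable[IpsecSa]) -> set:
    """One static route per live SA: destination is the protected network,
    next hop is the configured peer if set, else the learned endpoint."""
    routes = set()
    for sa in sas:
        hop = sa.configured_peer or sa.tunnel_remote
        routes.add(Route(sa.vpn_instance,
                         str(ip_network(sa.protected_net)),
                         str(ip_address(hop))))
    return routes

def audit(sas: Iterable[IpsecSa], installed: Iterable[Route]) -> dict:
    """Compare installed RRI routes with what the live SAs imply.
    'stale' routes have no SA behind them (the SA was deleted but the
    route remains); 'missing' routes should exist for an established SA."""
    expected, have = expected_rri_routes(sas), set(installed)
    return {"missing": sorted(expected - have), "stale": sorted(have - expected)}

# Constructed sample state: two live SAs, one of them in VPN instance "vpn1".
SAS = [
    IpsecSa("10.1.1.0/24", "203.0.113.10"),
    IpsecSa("10.1.2.0/24", "203.0.113.20", vpn_instance="vpn1",
            configured_peer="192.0.2.1"),
]
# Constructed routing table: the 10.1.3.0/24 route outlived its SA.
INSTALLED = [
    Route("", "10.1.1.0/24", "203.0.113.10"),
    Route("", "10.1.3.0/24", "203.0.113.30"),
]

if __name__ == "__main__":
    for kind, routes in audit(SAS, INSTALLED).items():
        print(kind, routes)
```

A stale entry keeps attracting traffic for a branch network that no SA protects any longer, so it is worth alerting on as well as a missing one.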
IPsec stateful failover
IMPORTANT:
Support for this feature depends on the device model. For more information, see "
Controllers Web-Based Configuration Guide
The IPsec stateful failover function enables hot backup of IPsec service data between two devices and is
usually deployed on two redundant gateways at the headquarters to improve the availability of IPsec
service.
The IPsec stateful failover function must work with the stateful failover feature and the VRRP feature.
The two devices in IPsec stateful failover must join the same VRRP group to act as a single virtual device.
They use the virtual IP address of the virtual device to communicate with remote devices.
The IPsec stateful failover function can operate only in standard VRRP mode. In this mode, the master
processes and forwards IPsec traffic, and the backup device only synchronizes IPsec service data with the
master. When the master fails, the backup immediately takes over to forward IPsec traffic. This switchover
process is transparent to remote devices. No extra configuration is required on remote devices and no
IPsec re-negotiation is required after the switchover.