Configuring ipsec stateful failover, Configuration prerequisites, Configuring stateful failover – H3C Technologies H3C SecPath F1000-E User Manual
Task | Remarks
Applying an IPsec policy to an IPv6 routing protocol | Required. See Network Management Configuration Guide.
Configuring IPsec stateful failover
CAUTION:
In an IPsec stateful failover scenario, these restrictions apply:
• VRRP must work in the standard protocol mode.
• Only the active/standby stateful failover mode is supported; the active/active mode is not.
• RSA signature authentication is not supported in IKE negotiation.
• The keepalive mechanism for IKE to maintain the link status of ISAKMP SAs is not supported.
• The IPsec stateful failover configuration is available only at the CLI.
Configuration prerequisites
Before you configure IPsec stateful failover, complete the following configurations on the two devices:
Configuring stateful failover
• Configure the devices to operate in the active/standby mode.
• Specify the failover interface for transferring state negotiation messages and backing up IPsec service data.
For more information about stateful failover, see High Availability Configuration Guide.
Configuring VRRP
• On each device, configure a VRRP group for the uplink interface and a VRRP group for the downlink interface, and assign virtual IP addresses to the groups.
• Set the priorities of the devices in the groups, making sure that one of the devices is the master in both VRRP groups.
• Configure the devices to work in the same mode (preemption mode or non-preemptive mode) in both the VRRP groups. To deploy the preemption mode, set the preemption delay of the backup to 0 so that the backup can immediately take over when the priority of the master comes down, and set the preemption delay of the backup to a bigger value such as 255 seconds so that the master has enough time to synchronize IPsec service data from the backup after it recovers.
For more information about VRRP, see High Availability Configuration Guide.
Configuring IPsec and IKE
• Create and configure the same IKE peers on the two devices. The local gateway addresses of the IKE peers must be the virtual IP address of the VRRP group for the uplink interface.
• Create and configure the same IPsec policies or IPsec profiles that use IKE on the two devices.
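The VRRP and IKE prerequisites above, together with the RSA signature restriction, can be checked mechanically before failover is enabled. The following Python sketch is an added example, not part of the H3C manual: it compares the saved configurations of the two devices and lists any violations. The command syntax it parses, the sample addresses, and the names `parse` and `audit` are assumptions made for illustration.

```python
# Constructed sample configs (not from the manual); syntax assumed, Comware V5-style.
DEVICE_A = """\
interface GigabitEthernet0/1
 vrrp vrid 1 virtual-ip 203.0.113.1
 vrrp vrid 1 priority 110
interface GigabitEthernet0/2
 vrrp vrid 2 virtual-ip 10.0.0.1
 vrrp vrid 2 priority 110
ike proposal 1
 authentication-method pre-share
ike peer branch
 local-address 203.0.113.1
"""
DEVICE_B = DEVICE_A.replace("priority 110", "priority 90")  # standby device

def parse(cfg):
    d = {"virtual-ip": {}, "priority": {}, "peer": {}, "auth": set()}
    peer = None
    for line in cfg.splitlines():
        w = line.split()
        if not line.startswith(" "):
            peer = None  # a top-level line leaves the current ike peer view
        if w[:2] == ["vrrp", "vrid"] and len(w) >= 5 and w[3] in ("virtual-ip", "priority"):
            d[w[3]][w[2]] = w[4]
        elif w[:2] == ["ike", "peer"] and len(w) >= 3:
            peer = w[2]
            d["peer"][peer] = None  # no local-address seen yet
        elif peer and w[:1] == ["local-address"] and len(w) >= 2:
            d["peer"][peer] = w[1]
        elif w[:1] == ["authentication-method"] and len(w) >= 2:
            d["auth"].add(w[1])
    return d

def audit(cfg_a, cfg_b, uplink_vrid):
    a, b = parse(cfg_a), parse(cfg_b)
    issues = []
    for key, what in (("virtual-ip", "VRRP virtual IPs"), ("peer", "IKE peers")):
        if a[key] != b[key]:
            issues.append(f"{what} differ between the devices")
    for name, dev in (("A", a), ("B", b)):
        for peer, addr in dev["peer"].items():
            if addr is None or addr != dev["virtual-ip"].get(uplink_vrid):
                issues.append(f"{name}: ike peer {peer} local-address is not the uplink virtual IP")
        if "rsa-signature" in dev["auth"]:
            issues.append(f"{name}: RSA signature authentication is not supported")
    # Priority difference per group; 100 is the VRRP default priority.
    diff = {int(a["priority"].get(v, 100)) - int(b["priority"].get(v, 100)) for v in a["virtual-ip"]}
    if not diff or min(diff) <= 0 <= max(diff):
        issues.append("no single device is master in both VRRP groups")
    return issues
```

Calling `audit(DEVICE_A, DEVICE_B, "1")` on the sample pair returns an empty list; the third argument is the VRID of the uplink VRRP group.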