IPsec stateful failover configuration example, Network requirements, Configuring SecPath A – H3C Technologies H3C SecPath F1000-E User Manual
IPsec stateful failover configuration example
Network requirements
As shown in Figure 131, a network has two gateways, SecPath A and SecPath B, at the headquarters.
Configure an IPsec tunnel between the headquarters and the branch to ensure secure communication.
Configure IPsec stateful failover on the firewalls for high availability of the IPsec tunnel:
• Deploy a physical link for IPsec service data backup between SecPath A and SecPath B.
• On SecPath A and SecPath B, add the uplink interface to VRRP group 2 and the downlink interface to VRRP group 1, and assign the virtual IP address 192.168.0.1/24 to VRRP group 2 and the virtual IP address 10.1.1.1/2 to VRRP group 1.
• Use SecPath A to establish an IPsec tunnel with Router when it works normally, and make sure that IPsec traffic is switched to SecPath B when SecPath A fails.
Figure 131 Network diagram
Configuring SecPath A
Assign IPv4 addresses to the interfaces. Make sure that SecPath A, SecPath B, and Router have IP connectivity between them.
1. Configure stateful failover: