F3726, F3211, F3174, R5135, R3816-HP Firewalls and UTM Devices VPN Configuration Guide-6PW100
Figure 97 An IPsec VPN
You can advertise the static routes created by IPsec RRI in the internal network. IPsec RRI can quickly
create new routes for forwarding IPsec VPN traffic when an active link fails in a load balanced or stateful
failover environment, or when IPsec VPN traffic cannot reach the peer gateway through the default local
gateway.
IPsec stateful failover
The following matrix shows the feature and hardware compatibility:
Hardware                 Feature compatible
F1000-A-EI/F1000-S-EI    Yes
F1000-E                  Yes
F5000                    Yes
Firewall module          Yes
U200-A                   No
U200-S                   No
The IPsec stateful failover function enables hot backup of IPsec service data between two devices and is
usually deployed on two redundant gateways at the headquarters to improve the availability of IPsec
service.
The IPsec stateful failover function must work with the stateful failover feature and the VRRP feature.
The two devices in IPsec stateful failover must join the same VRRP group to act as a single virtual device.
They use the virtual IP address of the virtual device to communicate with remote devices.
The IPsec stateful failover function can operate only in standard VRRP mode. In this mode, the master
processes and forwards IPsec traffic, and the backup device only synchronizes IPsec service data with the
master. When the master fails, the backup immediately takes over to forward IPsec traffic. This switchover
process is transparent to remote devices. No extra configuration is required on remote devices and no
IPsec re-negotiation is required after the switchover.