F3726, F3211, F3174, R5135, R3816-HP Firewalls and UTM Devices VPN Configuration Guide-6PW100
• VRRP must operate in the standard protocol mode.
• IPsec stateful failover supports only the active/standby failover mode.
• RSA signature authentication is not supported in IKE negotiation.
• The keepalive mechanism for IKE to maintain the link status of ISAKMP SAs is not supported.
The following matrix shows the feature and hardware compatibility:
Hardware                  Feature compatible
F1000-A-EI/F1000-S-EI     Yes
F1000-E                   Yes
F5000                     Yes
Firewall module           Yes
U200-A                    No
U200-S                    No
Configuration prerequisites
Before you configure IPsec stateful failover, complete the tasks in this section on the two devices.
1. Configure stateful failover:
{ Configure the devices to operate in the active/standby mode.
{ Specify the interfaces between the devices as failover interfaces for transferring state
negotiation messages and backing up IPsec service data.
For more information about stateful failover, see High Availability Configuration Guide.
2. Configure VRRP:
{ On each device, configure a VRRP group for the uplink interface and a VRRP group for the
downlink interface, and assign virtual IP addresses to the groups.
{ Set the priorities of the devices in the groups, making sure that one of the devices is the master
in both VRRP groups.
{ Configure the devices to operate in the same mode (preemption mode or non-preemptive
mode) in both VRRP groups. To deploy the preemption mode, set the preemption delay of the
backup device to 0 so the backup device can immediately take over when the priority of the
master comes down, and set the preemption delay of the master to a larger value such as 255
seconds so the master has enough time to synchronize IPsec service data with the backup
device after it recovers.
For more information about VRRP, see High Availability Configuration Guide.
3. Configure IPsec and IKE:
{ Create and configure the same IKE peers on the two devices. The local gateway addresses of
the IKE peers must be the virtual IP address of the uplink VRRP group.
{ Create and configure the same IPsec policies or IPsec profiles that use IKE on the two devices.
{ Apply the IPsec policies or IPsec profiles to the uplink interfaces on the two devices. If you
change the virtual IP address after applying the IPsec policy to an interface, be sure to re-apply
the IPsec policy to the interface.
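The prerequisites above are easy to get subtly wrong on one of the two devices (a priority that makes the master role split across the VRRP groups, an IKE local address that is the physical interface address rather than the uplink virtual IP, mismatched preemption delays). The following script is an added example, not part of this guide or of the device firmware: it parses two device configurations and reports each prerequisite that is violated. The two configurations are constructed samples written in Comware-style CLI syntax (an assumption about the dialect, not text from this guide); the device labels A/B, the uplink interface name, the VRRP group IDs and all addresses are illustrative. A VRRP group without a preempt-mode line is treated as non-preemptive, and priority 100 is assumed as the default.

```python
# Added example (not from the guide): check two device configs against the
# IPsec stateful failover prerequisites. Constructed sample configs in
# Comware-style CLI syntax; uplink name, addresses and labels are assumptions.
UPLINK = "GigabitEthernet0/1"

DEVICE_A = """\
interface GigabitEthernet0/1
 vrrp vrid 1 virtual-ip 1.1.1.1
 vrrp vrid 1 priority 120
 vrrp vrid 1 preempt-mode timer delay 255
 ipsec policy policy1
#
interface GigabitEthernet0/2
 vrrp vrid 2 virtual-ip 192.168.1.1
 vrrp vrid 2 priority 120
 vrrp vrid 2 preempt-mode timer delay 255
#
ike peer peer1
 local-address 1.1.1.1
 remote-address 2.2.2.2
#
"""
# Deliberately wrong: priority 130 on the downlink group splits the master role,
# and the IKE local-address is a physical address instead of the uplink VIP.
DEVICE_B = """\
interface GigabitEthernet0/1
 vrrp vrid 1 virtual-ip 1.1.1.1
 vrrp vrid 1 priority 100
 vrrp vrid 1 preempt-mode timer delay 0
 ipsec policy policy1
#
interface GigabitEthernet0/2
 vrrp vrid 2 virtual-ip 192.168.1.1
 vrrp vrid 2 priority 130
 vrrp vrid 2 preempt-mode timer delay 0
#
ike peer peer1
 local-address 1.1.1.3
 remote-address 2.2.2.2
#
"""

def parse(cfg):
    """Return {'interfaces': {name: {'vrrp': {vrid: {...}}, 'policy': ...}}, 'peers': {name: {...}}}."""
    dev, cur = {"interfaces": {}, "peers": {}}, None
    for line in (l.strip() for l in cfg.splitlines()):
        p = line.split()
        if not p or line == "#":                      # '#' closes a view block
            cur = None
        elif p[0] == "interface":
            cur = dev["interfaces"].setdefault(p[1], {"vrrp": {}, "policy": None})
        elif p[:2] == ["ike", "peer"]:
            cur = dev["peers"].setdefault(p[2], {})
        elif cur is None:
            continue
        elif p[0] == "vrrp" and "vrrp" in cur:
            # priority 100 assumed as default; preempt None = no preempt-mode line
            g = cur["vrrp"].setdefault(int(p[2]), {"priority": 100, "preempt": None, "vip": None})
            if p[3] == "virtual-ip":
                g["vip"] = p[4]
            elif p[3] == "priority":
                g["priority"] = int(p[4])
            elif p[3] == "preempt-mode":
                g["preempt"] = int(p[-1]) if "delay" in p else 0
        elif p[:2] == ["ipsec", "policy"] and "policy" in cur:
            cur["policy"] = p[2]
        elif p[0] in ("local-address", "remote-address"):
            cur[p[0]] = p[1]
    return dev

def check_failover_prereqs(cfg_a, cfg_b, uplink=UPLINK):
    """Return the list of prerequisite violations; an empty list means consistent."""
    a, b = parse(cfg_a), parse(cfg_b)
    groups = [{v: g for i in d["interfaces"].values() for v, g in i["vrrp"].items()} for d in (a, b)]
    findings, winners = [], set()
    for vrid in sorted(set(groups[0]) & set(groups[1])):
        x, y = groups[0][vrid], groups[1][vrid]
        if x["vip"] != y["vip"]:
            findings.append(f"vrid {vrid}: virtual IP differs ({x['vip']} vs {y['vip']})")
        hi, lo = ("A", "B") if x["priority"] > y["priority"] else ("B", "A")
        winners.add(hi)                                # who is master in this group
        if (x["preempt"] is None) != (y["preempt"] is None):
            findings.append(f"vrid {vrid}: preemption mode differs between the devices")
        elif x["preempt"] is not None:                 # both preemptive: check the delays
            delay = {"A": x["preempt"], "B": y["preempt"]}
            if delay[lo] != 0:
                findings.append(f"vrid {vrid}: backup {lo} needs preempt delay 0, has {delay[lo]}")
            if delay[hi] == 0:
                findings.append(f"vrid {vrid}: master {hi} needs a non-zero preempt delay to resync IPsec data")
    if len(winners) > 1:
        findings.append("no single device is master in both VRRP groups")
    for name, dev in (("A", a), ("B", b)):
        up = dev["interfaces"].get(uplink, {"vrrp": {}, "policy": None})
        if up["policy"] is None:
            findings.append(f"{name}: no IPsec policy applied on uplink {uplink}")
        vips = {g["vip"] for g in up["vrrp"].values()}
        for peer, attrs in dev["peers"].items():
            if attrs.get("local-address") not in vips:
                findings.append(f"{name}: IKE peer {peer} local-address {attrs.get('local-address')} is not the uplink VRRP virtual IP")
    if a["peers"] != b["peers"]:
        findings.append("IKE peer definitions differ between the devices")
    return findings

if __name__ == "__main__":
    for f in check_failover_prereqs(DEVICE_A, DEVICE_B):
        print("FAIL:", f)
```

Run against the two samples, the script reports the split master role on vrid 2, the reversed preemption delays that result from it, the IKE peer on device B whose local address is not the uplink virtual IP, and the resulting IKE peer mismatch; with priority 100 and local-address 1.1.1.1 on device B it reports nothing. Pre-shared keys and IPsec proposals are left out of the comparison here, since they are not what this section's prerequisites are about.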