R3721-F3210-F3171-HP High-End Firewalls VPN Configuration Guide-6PW101
Configuring stateful failover
• Configure the devices to operate in the active/standby mode.
• Specify the failover interface for transferring state negotiation messages and backing up IPsec
service data.
For more information about stateful failover, see High Availability Configuration Guide.
Configuring VRRP
• On each device, configure a VRRP group for the uplink interface and a VRRP group for the downlink
interface, and assign virtual IP addresses to the groups.
• Set the priorities of the devices in the groups, making sure that one of the devices is the master in
both VRRP groups.
• Configure the devices to work in the same mode (preemption mode or non-preemptive mode) in
both the VRRP groups. To deploy the preemption mode, set the preemption delay of the backup to
0 so that the backup can immediately take over when the priority of the master comes down, and
set the preemption delay of the backup to a bigger value such as 255 seconds so that the master
has enough time to synchronize IPsec service data from the backup after it recovers.
For more information about VRRP, see High Availability Configuration Guide.
Configuring IPsec and IKE
• Create and configure the same IKE peers on the two devices. The local gateway addresses of the
IKE peers must be the virtual IP address of the VRRP group for the uplink interface.
• Create and configure the same IPsec policies or IPsec profiles that use IKE on the two devices.
• Apply the IPsec policies or IPsec profiles to the uplink interfaces on the two devices. If you change
the virtual IP address after applying the IPsec policy to an interface, be sure to re-apply the IPsec
policy to the interface.
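The prerequisites above can be checked before deployment. The following is an added example, not code from this guide or from the device software: it validates a vendor-neutral model of the two devices against the VRRP, IKE, and IPsec requirements listed above. The dictionary layout, the function names `check_failover_pair` and `sample_device`, and all addresses and priorities are assumptions constructed for illustration.

```python
# Added example: the dict layout is a constructed model, not device syntax.
def check_failover_pair(dev_a, dev_b):
    """Return the prerequisite violations for an active/standby pair."""
    problems, devices = [], {"A": dev_a, "B": dev_b}
    # One device must be master in both the uplink and downlink VRRP groups.
    masters = set()
    for group in ("uplink", "downlink"):
        a, b = dev_a["vrrp"][group], dev_b["vrrp"][group]
        if a["virtual_ip"] != b["virtual_ip"]:
            problems.append(f"{group}: virtual IP differs between devices")
        if a["priority"] == b["priority"]:
            problems.append(f"{group}: equal priorities do not select a master")
        else:
            masters.add("A" if a["priority"] > b["priority"] else "B")
    if len(masters) > 1:
        problems.append("master differs between uplink and downlink groups")
    # Both devices must use the same preemption mode in both groups.
    modes = {d["vrrp"][g]["preempt"] for d in devices.values()
             for g in ("uplink", "downlink")}
    if len(modes) > 1:
        problems.append("preemption mode is not the same in all VRRP groups")
    # IKE peers and IPsec policies must be identical on the two devices.
    if dev_a["ike_peers"] != dev_b["ike_peers"]:
        problems.append("IKE peers differ between devices")
    if dev_a["ipsec_policies"] != dev_b["ipsec_policies"]:
        problems.append("IPsec policies differ between devices")
    for name, dev in devices.items():
        uplink_vip = dev["vrrp"]["uplink"]["virtual_ip"]
        # The IKE local gateway address must be the uplink virtual IP.
        for peer, cfg in dev["ike_peers"].items():
            if cfg["local_gateway"] != uplink_vip:
                problems.append(f"device {name}: IKE peer {peer} local gateway is not the uplink virtual IP")
        if not dev["ipsec_sync"]:
            problems.append(f"device {name}: IPsec stateful failover is disabled")
    return problems

def sample_device(up_prio, down_prio, local_gw="192.0.2.1"):
    """Constructed sample model; addresses are documentation ranges."""
    return {
        "vrrp": {
            "uplink": {"virtual_ip": "192.0.2.1", "priority": up_prio, "preempt": True},
            "downlink": {"virtual_ip": "198.51.100.1", "priority": down_prio, "preempt": True}},
        "ike_peers": {"branch": {"remote": "203.0.113.10", "local_gateway": local_gw}},
        "ipsec_policies": {"map1": {"ike_peer": "branch", "interface": "uplink"}},
        "ipsec_sync": True}

if __name__ == "__main__":
    print(check_failover_pair(sample_device(110, 110), sample_device(100, 100)))
    print(check_failover_pair(sample_device(110, 90), sample_device(100, 100, "192.0.2.3")))
```

An empty list means the modeled pair satisfies every prerequisite the checker covers; each string in a non-empty list names one mismatch to correct before enabling failover.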
Configuration procedure
To implement IPsec stateful failover on two devices, you must make sure that IPsec stateful failover is
enabled on both devices.
To enable IPsec stateful failover on a device:
Step                                 Command                        Remarks
1. Enter system view.                system-view                    N/A
2. Enable IPsec stateful failover.   ipsec synchronization enable   Optional. By default, IPsec stateful failover is enabled.
Displaying and maintaining IPsec
Task                                Command                                                                                                                   Remarks
Display IPsec policy information.   display ipsec policy [ brief | name policy-name [ seq-number ] ] [ | { begin | exclude | include } regular-expression ]   Available in any view