HP VPN Firewall Appliances VPN Configuration Guide

IPsec stateful failover
The IPsec stateful failover function enables hot backup of IPsec service data between two devices. It is usually deployed on two redundant gateways at the headquarters to improve the availability of the IPsec service.

The IPsec stateful failover function must work with the stateful failover feature and the VRRP feature. The two devices in IPsec stateful failover must join the same VRRP group to act as a single virtual device. They use the virtual IP address of the virtual device to communicate with remote devices.

The IPsec stateful failover function can operate only in standard VRRP mode. In this mode, the master processes and forwards IPsec traffic, and the backup device only synchronizes IPsec service data with the master. When the master fails, the backup immediately takes over to forward IPsec traffic. This switchover is transparent to remote devices: no extra configuration is required on them, and no IPsec re-negotiation is required after the switchover.

To use the IPsec stateful failover function, the tunnel source address must be the virtual IP address of a VRRP group. If IPsec works with other service modules to implement stateful failover, those service modules must also support the stateful failover function; otherwise, IPsec cannot work with them correctly. In a stateful failover environment, if you use a non-virtual IP address as the source address to establish IPsec SAs, HP recommends that you disable the IPsec stateful failover function.
Figure 98 IPsec stateful failover
As shown in Figure 98, Device A and Device B form an IPsec stateful failover system, and Device A is elected the master in the VRRP group. When Device A operates correctly, it establishes an IPsec tunnel to Device C and synchronizes its IPsec service data to Device B. The synchronized IPsec service data includes the IKE SA, the IPsec SAs, the anti-replay sequence number and window, the SA lifetime in bytes, and the DPD packet sequence number. Based on this IPsec service data, Device B creates a standby IKE SA and standby IPsec SAs to back up the active IKE SA and active IPsec SAs on Device A. When Device A fails, the VRRP mechanism switches IPsec traffic from Device A to Device B. Because Device B holds a current copy of Device A's IPsec service data, Device B can immediately process IPsec traffic and provide nonstop IPsec service.
[Figure 98 topology labels: LAN, Device A (Master), Device B (Backup), Device C, Failover link, Virtual router 1, Virtual router 2, LAN, Internet]
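As an added illustration (not part of the HP guide) of why the anti-replay sequence number is among the synchronized IPsec service data, the Python model below has Device C apply an RFC 4303 style sliding anti-replay window while Device A, and then Device B after the switchover, send ESP packets on the same SA. With the counter synced, Device C accepts Device B's traffic; without it, Device B restarts at sequence 1 and every packet is dropped as stale or replayed. The SPI, byte counts and 64-packet window are constructed values.

```python
from dataclasses import dataclass, replace

WINDOW = 64  # anti-replay window size on Device C (assumed value)

@dataclass
class SaState:
    spi: int
    out_seq: int = 0       # last outbound ESP sequence number used (synced)
    bytes_left: int = 0    # remaining SA lifetime in bytes (synced)

class RemotePeer:
    """Device C: RFC 4303 style anti-replay check; bitmap bit 0 = highest seq."""
    def __init__(self):
        self.highest, self.bitmap = 0, 0

    def receive(self, seq):
        if seq > self.highest:             # new highest: slide the window right
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= WINDOW or self.bitmap & (1 << diff):
            return False                   # too old, or already seen: replay
        self.bitmap |= 1 << diff
        return True

@dataclass
class Gateway:
    sa: SaState                            # active SA on A, standby SA on B

    def send(self, peer, length):
        self.sa.out_seq += 1               # consume a sequence number
        self.sa.bytes_left -= length       # and SA lifetime in bytes
        return peer.receive(self.sa.out_seq)

    def sync_to(self, backup):
        backup.sa = replace(self.sa)       # hot backup of the service data

def run_failover(synced, before=100, after=20):
    """Count Device B's post-switchover packets that Device C accepts."""
    peer = RemotePeer()
    master = Gateway(SaState(spi=0x1001, bytes_left=1_000_000))
    backup = Gateway(SaState(spi=0x1001, bytes_left=1_000_000))  # standby SA
    for _ in range(before):
        master.send(peer, 1000)
        if synced:
            master.sync_to(backup)         # simplified: sync after every packet
    # Device A fails; VRRP moves the traffic to Device B on the same SA.
    accepted = sum(backup.send(peer, 1000) for _ in range(after))
    return accepted, backup.sa.out_seq, backup.sa.bytes_left
```

Real gateways synchronize on state changes rather than per packet, but the outcome is the same: the standby SA must carry the live sequence number and byte lifetime, or the peer's anti-replay check treats the new master's traffic as a replay.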