HP VPN Firewall Appliances VPN Configuration Guide
• The keepalive mechanism for IKE to maintain the link status of ISAKMP SAs is not supported.
• IPsec RRI is not effective.
Configuration prerequisites
Before you configure IPsec stateful failover, complete the tasks in this section on the two devices.
1. Configure stateful failover:
   ○ Configure the devices to operate in the active/standby mode.
   ○ Specify the interfaces between the devices as failover interfaces for transferring state negotiation messages and backing up IPsec service data.
   For more information about stateful failover, see High Availability Configuration Guide.
2. Configure VRRP:
   ○ On each device, configure a VRRP group for the uplink interface and a VRRP group for the downlink interface, and assign virtual IP addresses to the groups.
   ○ Set the priorities of the devices in the groups, making sure that one of the devices is the master in both VRRP groups.
   ○ Configure the devices to operate in the same mode (preemption mode or non-preemptive mode) in both VRRP groups. To deploy the preemption mode, set the preemption delay of the backup device to 0 so the backup device can immediately take over when the priority of the master comes down, and set the preemption delay of the backup to a bigger value such as 255 seconds so the master has enough time to synchronize IPsec service data with the backup device after it recovers.
   For more information about VRRP, see High Availability Configuration Guide.
3. Configure IPsec and IKE:
   ○ Create and configure the same IKE peers on the two devices. The local gateway addresses of the IKE peers must be the virtual IP address of the uplink VRRP group.
   ○ Create and configure the same IPsec policies or IPsec profiles that use IKE on the two devices.
   ○ Apply the IPsec policies or IPsec profiles to the uplink interfaces on the two devices. If you change the virtual IP address after applying the IPsec policy to an interface, be sure to re-apply the IPsec policy to the interface.
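The prerequisites above can be checked mechanically before enabling failover. The following is an added example, not part of the HP guide: it audits a pair of device configurations that have already been exported into Python dictionaries. The field names, the helper names and the sample values are all assumptions made for illustration and are not HP CLI syntax.

```python
import copy

# Constructed sample data; the field names are hypothetical, not HP CLI syntax.
GOOD = {
    "vrrp": {"uplink": {"virtual_ip": "192.0.2.1", "priority": 110, "preempt": True},
             "downlink": {"virtual_ip": "10.0.0.1", "priority": 110, "preempt": True}},
    "ike_peers": {"branch": {"remote": "198.51.100.7", "local_address": "192.0.2.1"}},
    "ipsec_policies": {"map1": {"ike_peer": "branch", "acl": 3000}},
    "uplink_policy": "map1",
    "ipsec_sync": True,
}

def standby_of(dev, priority=100):
    """Copy a device config, setting a lower VRRP priority in both groups."""
    peer = copy.deepcopy(dev)
    for group in peer["vrrp"].values():
        group["priority"] = priority
    return peer

def check_failover_pair(a, b):
    """Return prerequisite violations for an IPsec stateful failover pair."""
    problems, masters = [], set()
    for g in ("uplink", "downlink"):
        pa, pb = a["vrrp"][g]["priority"], b["vrrp"][g]["priority"]
        if pa == pb:
            problems.append(f"{g}: equal priorities, master not set by priority")
        else:
            masters.add("A" if pa > pb else "B")
    if len(masters) > 1:
        problems.append("master differs between uplink and downlink groups")
    # Both groups on both devices must use the same preemption mode.
    modes = {d["vrrp"][g]["preempt"] for d in (a, b) for g in d["vrrp"]}
    if len(modes) > 1:
        problems.append("preemption mode is not the same in all groups")
    for key in ("ike_peers", "ipsec_policies"):
        if a[key] != b[key]:
            problems.append(f"{key} differ between the two devices")
    for name, d in (("A", a), ("B", b)):
        vip = d["vrrp"]["uplink"]["virtual_ip"]
        for peer, cfg in d["ike_peers"].items():
            if cfg["local_address"] != vip:
                problems.append(f"{name}: IKE peer {peer} local address is not {vip}")
        if d["uplink_policy"] not in d["ipsec_policies"]:
            problems.append(f"{name}: no configured IPsec policy on the uplink")
        if not d["ipsec_sync"]:
            problems.append(f"{name}: IPsec stateful failover is disabled")
    return problems

if __name__ == "__main__":
    for line in check_failover_pair(GOOD, standby_of(GOOD)) or ["all checks passed"]:
        print(line)
```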
Configuration procedure
To implement IPsec stateful failover on two devices, you must enable IPsec stateful failover on both
devices.
To configure IPsec stateful failover on a device:
| Step | Command | Remarks |
| 1. Enter system view. | system-view | N/A |
| 2. Enable IPsec stateful failover. | ipsec synchronization enable | By default, IPsec stateful failover is enabled. |