Enabling capwap/lwapp tunnel encryption with ipsec, Configuration considerations – H3C Technologies H3C WX3000E Series Wireless Switches User Manual


| Step | Command | Remarks |
|---|---|---|
| 5. Specify the AP connection priority for the AC. | priority level priority | Optional. By default, the AP connection priority of the AC is 4. If an AC has an AP connection priority of 7, the AC becomes the master AC. When the master AC fails and then recovers, it will re-establish connections with APs and become the master AC. |

NOTE:

The two ACs must have the same AP configuration view settings for an AP. Otherwise, the AP may fail to
work after a master and subordinate switchover.

Enabling CAPWAP/LWAPP tunnel encryption with IPsec

Control And Provisioning of Wireless Access Points (CAPWAP) defines how an AP communicates with an AC. It provides a generic encapsulation and transport mechanism between AP and AC. However, tunnel packets are transmitted in plain text, which is a security risk. To secure CAPWAP/LWAPP transmission, you can use IPsec to encrypt and authenticate control and data packets. If you configure both AC backup and Portal stateful failover, use the undo ipsec synchronization enable command to disable IPsec stateful failover.

Configuration considerations

1. Enable the AP and AC to establish a CAPWAP/LWAPP tunnel between them and make sure the AP is in running state.

2. Enter AP configuration view to complete IPsec encryption configurations, and execute the save wlan ap provision command to save the configuration to the wlan_ap_cfg.wcfg file of the AP.

3. Reboot the AP to validate the configuration.

4. Configure IPsec. For more information about IPsec configuration, see Security Configuration Guide. Follow these guidelines when you configure IPsec:

   - The security protocol, encapsulation mode, authentication algorithm, and encryption algorithm can only be ESP, tunnel, SHA1, and DES, respectively. You can only use IKEv1 to set up SAs, use the default security proposal, and adopt only the main IKE negotiation mode. For more information about IPsec commands, see Security Command Reference.

   - You can configure an IPsec policy that uses IKE only by referencing an IPsec policy template because the AC responds to the AP's negotiation requests.

   - When you configure pre-shared key authentication for an IKE peer, the pre-shared key configured with the pre-shared-key command (the key on the AC) must be the same as that configured with the tunnel encryption ipsec pre-shared-key command (the key sent by the AC to the AP by using the AP provision function).

   - To make sure the SAs between the AC and AP can be removed in time when the AP disconnects from the AC, configure Dead Peer Detection (DPD), configure the ISAKMP SA keepalive interval with the ike sa keepalive-timer interval command, configure the ISAKMP SA keepalive timeout
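
A consistency check for the guidelines above, as an added example that is not from the H3C manual: it scans a saved AC configuration for the commands named on this page and reports a pre-shared key mismatch, a missing ISAKMP SA keepalive interval, and IPsec stateful failover left enabled. The sample configuration lines, the key values, the assumption that the key is the last token on its line, and the function names are constructed for illustration.

```python
# Constructed sample lines. Only the command keywords come from the manual page;
# the key values and the "key is the last token" layout are assumptions.
SAMPLE_OK = """\
pre-shared-key EXAMPLE-KEY-A
tunnel encryption ipsec pre-shared-key EXAMPLE-KEY-A
ike sa keepalive-timer interval 20
undo ipsec synchronization enable
"""
SAMPLE_BAD = """\
pre-shared-key EXAMPLE-KEY-A
tunnel encryption ipsec pre-shared-key EXAMPLE-KEY-B
"""


def command_args(config, command):
    """Return the last token of each line that starts with `command` and has an argument."""
    cmd = command.split()
    args = []
    for line in config.splitlines():
        words = line.split()
        if words[:len(cmd)] == cmd and len(words) > len(cmd):
            args.append(words[-1])
    return args


def audit(config, ac_backup_with_portal_failover=False):
    """Return a list of findings (hypothetical helper); key values are never echoed."""
    findings = []
    ike_keys = set(command_args(config, "pre-shared-key"))
    ap_keys = set(command_args(config, "tunnel encryption ipsec pre-shared-key"))
    if not ike_keys or not ap_keys:
        findings.append("pre-shared key missing on the IKE peer or in the AP provision settings")
    elif ap_keys - ike_keys:
        findings.append("key provisioned to the AP differs from the IKE peer key on the AC")
    if not command_args(config, "ike sa keepalive-timer interval"):
        findings.append("ISAKMP SA keepalive interval is not configured")
    lines = [line.split() for line in config.splitlines()]
    if ac_backup_with_portal_failover and "undo ipsec synchronization enable".split() not in lines:
        findings.append("IPsec stateful failover is still enabled")
    return findings


if __name__ == "__main__":
    for name, cfg in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, audit(cfg, ac_backup_with_portal_failover=True))
```

The comparison only works on a configuration in which both keys are stored in the same, directly comparable form.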
