Enabling capwap/lwapp tunnel encryption with ipsec, Configuration considerations – H3C Technologies H3C WX3000E Series Wireless Switches User Manual
Step 5: Specify the AP connection priority for the AC.
Command: priority level priority
Remarks: Optional. By default, the AP connection priority of the AC is 4. If an AC has an AP connection priority of 7, the AC becomes the master AC. When the master AC fails and then recovers, it re-establishes connections with the APs and becomes the master AC again.
NOTE: The two ACs must have the same AP configuration view settings for an AP. Otherwise, the AP may fail to work after a master and subordinate switchover.
Enabling CAPWAP/LWAPP tunnel encryption with IPsec

Control And Provisioning of Wireless Access Points (CAPWAP) defines how an AP communicates with an AC. It provides a generic encapsulation and transport mechanism between the AP and the AC. However, tunnel packets are transmitted in plain text, which is a security risk. To secure CAPWAP/LWAPP transmission, you can use IPsec to encrypt and authenticate both control and data packets. If you configure both AC backup and Portal stateful failover, use the undo ipsec synchronization enable command to disable IPsec stateful failover.
Configuration considerations

1. Enable the AP and AC to establish a CAPWAP/LWAPP tunnel between them and make sure the AP is in running state.
2. Enter AP configuration view to complete the IPsec encryption configuration, and execute the save wlan ap provision command to save the configuration to the wlan_ap_cfg.wcfg file of the AP.
3. Reboot the AP to validate the configuration.
4. Configure IPsec. For more information about IPsec configuration, see Security Configuration Guide.
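The IPsec guidelines that follow step 4 are easy to get slightly wrong on the AC side, and the most common failure mode (the AP never brings up its IPsec tunnel after the reboot in step 3) is a pre-shared key on the AC's IKE peer that differs from the key provisioned to the AP. The script below is an added example, not H3C code: it audits a constructed, Comware-style AC configuration excerpt against those guidelines (ESP, tunnel mode, SHA1, DES, IKE main mode, an IPsec policy that references a policy template, matching pre-shared keys, DPD, and the ISAKMP SA keepalive timers). The exact command syntax in the sample text, the object names (ap-prop, ap-peer, ap-tpl, ap-pol) and the KEY-PLACEHOLDER / MODEL-PLACEHOLDER values are assumptions for the example; check them against Security Command Reference for your software version.

```python
"""Audit an AC-side CAPWAP/LWAPP IPsec configuration against the
guidelines in this section.  Added example, not H3C code; the
Comware-style command syntax in the sample excerpt is assumed."""
import re

# Constructed sample: an AC configuration excerpt in Comware-style syntax.
# Syntax, object names and the *-PLACEHOLDER values are assumptions.
SAMPLE_OK = """\
ipsec proposal ap-prop
 encapsulation-mode tunnel
 transform esp
 esp authentication-algorithm sha1
 esp encryption-algorithm des
#
ike dpd ap-dpd
 interval-time 10
 time-out 5
#
ike peer ap-peer
 exchange-mode main
 pre-shared-key simple KEY-PLACEHOLDER
 dpd ap-dpd
#
ike sa keepalive-timer interval 20
ike sa keepalive-timer timeout 60
#
ipsec policy-template ap-tpl 1
 ike-peer ap-peer
 proposal ap-prop
#
ipsec policy ap-pol 1 isakmp template ap-tpl
#
wlan ap ap1 model MODEL-PLACEHOLDER
 tunnel encryption ipsec pre-shared-key simple KEY-PLACEHOLDER
"""

# Same excerpt with two defects: an encryption algorithm the AP tunnel does
# not accept, and an AC key that differs from the key provisioned to the AP.
SAMPLE_BAD = (SAMPLE_OK
              .replace("esp encryption-algorithm des",
                       "esp encryption-algorithm aes-cbc-128")
              .replace("pre-shared-key simple KEY-PLACEHOLDER\n dpd",
                       "pre-shared-key simple OTHER-KEY\n dpd"))


def parse_blocks(text):
    """Split a config into (header, [body lines]) blocks at '#' separators."""
    blocks, current = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "#":
            if current:
                blocks.append((current[0], current[1:]))
            current = []
        elif line:
            current.append(line)
    if current:
        blocks.append((current[0], current[1:]))
    return blocks


def audit(text):
    """Return a list of findings; an empty list means the excerpt follows
    every guideline from this section."""
    findings = []
    blocks = parse_blocks(text)
    flat = [line for header, body in blocks for line in [header] + body]

    # Guideline 1: the proposal must be ESP, tunnel mode, SHA1 and DES.
    for header, body in blocks:
        if header.startswith("ipsec proposal"):
            for required in ("encapsulation-mode tunnel", "transform esp",
                             "esp authentication-algorithm sha1",
                             "esp encryption-algorithm des"):
                if required not in body:
                    findings.append(f"{header}: missing '{required}'")

    # Guideline 1 (IKE side): main mode; guideline 3: a pre-shared key;
    # guideline 4: DPD referenced on the peer.
    ac_key = None
    for header, body in blocks:
        if header.startswith("ike peer"):
            if "exchange-mode main" not in body:
                findings.append(f"{header}: IKE must use main mode")
            if not any(line.startswith("dpd ") for line in body):
                findings.append(f"{header}: no DPD configured")
            for line in body:
                m = re.match(r"pre-shared-key \S+ (\S+)", line)
                if m:
                    ac_key = m.group(1)
            if ac_key is None:
                findings.append(f"{header}: no pre-shared key")

    # Guideline 2: the IKE-based policy must reference a policy template.
    if not any(re.match(r"ipsec policy \S+ \d+ isakmp template", line)
               for line in flat):
        findings.append("no 'ipsec policy ... isakmp template' found")

    # Guideline 3: the AC key must equal the key provisioned to the AP.
    for line in flat:
        m = re.match(r"tunnel encryption ipsec pre-shared-key \S+ (\S+)", line)
        if m and m.group(1) != ac_key:
            findings.append("AP-provisioned key differs from AC IKE peer key")

    # Guideline 4: ISAKMP SA keepalive interval and timeout must both be set.
    for timer in ("interval", "timeout"):
        if not any(line.startswith(f"ike sa keepalive-timer {timer}")
                   for line in flat):
            findings.append(f"missing 'ike sa keepalive-timer {timer}'")
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE_OK))    # []
    print(audit(SAMPLE_BAD))   # two findings: DES missing, key mismatch
```

Feed the script the output of display current-configuration (saved to a file) rather than a hand-typed excerpt, so the key comparison is made against what the AC actually runs. The checker insists on DES and SHA1 only because those are the sole algorithms this platform accepts for the AP tunnel; the same constraint is why IPsec on this path should be treated as transport protection for the management tunnel and not as a reason to relax other controls.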
Follow these guidelines when you configure IPsec:

- The security protocol, encapsulation mode, authentication algorithm, and encryption algorithm can only be ESP, tunnel, SHA1, and DES, respectively. You can only use IKEv1 to set up SAs, use the default security proposal, and adopt only the main IKE negotiation mode. For more information about IPsec commands, see Security Command Reference.
- You can configure an IPsec policy that uses IKE only by referencing an IPsec policy template, because the AC responds to the AP's negotiation requests.
- When you configure pre-shared key authentication for an IKE peer, the pre-shared key configured with the pre-shared-key command (the key on the AC) must be the same as that configured with the tunnel encryption ipsec pre-shared-key command (the key sent by the AC to the AP by using the AP provision function).
- To make sure the SAs between the AC and AP can be removed in time when the AP disconnects from the AC, configure Dead Peer Detection (DPD), configure the ISAKMP SA keepalive interval with the ike sa keepalive-timer interval command, configure the ISAKMP SA keepalive timeout