Protocols and standards, Configuration guidelines – H3C Technologies H3C WX3000E Series Wireless Switches User Manual


Figure 899 IPsec stateful failover

As shown in Figure 620, Device A and Device B form an IPsec stateful failover system, and Device A is elected the master in the VRRP group. When Device A works normally, it establishes an IPsec tunnel to Device C and synchronizes its IPsec service data to Device B. The synchronized IPsec service data includes the IKE SA, IPsec SAs, anti-replay sequence number and window, SA lifetime in bytes, and DPD packet sequence number. Based on the IPsec service data, Device B creates a standby IKE SA and standby IPsec SAs to back up the active IKE SA and active IPsec SAs on Device A. When Device A fails, the VRRP mechanism switches IPsec traffic from Device A to Device B. Because Device B has an instant copy of Device A's IPsec service data, Device B can immediately process IPsec traffic to provide nonstop IPsec service.
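The following is an added illustration, not code from the H3C manual, of why the anti-replay sequence number and window are part of the synchronized IPsec service data. It models the RFC 4303 sliding anti-replay window that an inbound IPsec SA keeps, a synchronization step that copies the active device's state to the standby, and a failover. It then shows that a replayed packet which Device A had already accepted is rejected by Device B only if the window state was synchronized; the sequence numbers and the 64-packet window size are constructed sample values.

```python
"""Added illustration (not from the H3C manual): synchronized anti-replay
state lets the standby device keep rejecting replays after failover.

The window logic follows RFC 4303 Appendix A. Sequence numbers and the
window size below are constructed sample values."""

from dataclasses import dataclass

WINDOW_SIZE = 64  # RFC 4303 minimum window; constructed choice for the demo


@dataclass
class AntiReplayState:
    """Receive-side anti-replay state of one inbound IPsec SA."""
    top: int = 0     # highest sequence number accepted so far
    bitmap: int = 0  # bit i set => sequence number (top - i) was already seen

    def check_and_update(self, seq: int) -> bool:
        """Return True and record seq if it is new and inside the window;
        return False for a replay or a packet older than the window."""
        if seq == 0:
            return False  # sequence number 0 is never valid (RFC 4303)
        if seq > self.top:
            # Slide the window forward; bits shifted out are forgotten.
            shift = seq - self.top
            self.bitmap = (self.bitmap << shift) & ((1 << WINDOW_SIZE) - 1)
            self.bitmap |= 1  # seq itself now sits at offset 0
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= WINDOW_SIZE:
            return False  # too old: outside the window
        if self.bitmap & (1 << offset):
            return False  # already seen: replay
        self.bitmap |= 1 << offset
        return True

    def snapshot(self) -> "AntiReplayState":
        """Copy of the state, as it would be synchronized to the standby."""
        return AntiReplayState(self.top, self.bitmap)


def failover_scenario(sync_replay_state: bool) -> dict:
    """Simulate the failover described in the text.

    The active device (Device A) accepts packets 1..10 on the SA. Device A
    then fails, and a replayed copy of packet 7 plus a fresh packet 11 reach
    the standby (Device B). The result records what the standby did with
    each; sync_replay_state selects whether the window was synchronized."""
    active = AntiReplayState()
    for seq in range(1, 11):
        active.check_and_update(seq)
    # State the standby holds at the moment of failover.
    standby = active.snapshot() if sync_replay_state else AntiReplayState()
    return {
        "replay_accepted": standby.check_and_update(7),
        "fresh_accepted": standby.check_and_update(11),
    }


if __name__ == "__main__":
    print("with sync:   ", failover_scenario(True))
    print("without sync:", failover_scenario(False))
```

With synchronization the standby rejects the replayed packet 7 and accepts packet 11; without it the standby starts from an empty window and accepts the replay, which is the gap that synchronizing the sequence number and window closes.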

Protocols and standards

RFC 2401, Security Architecture for the Internet Protocol

RFC 2402, IP Authentication Header

RFC 2406, IP Encapsulating Security Payload

RFC 4552, Authentication/Confidentiality for OSPFv3

RFC 4301, Security Architecture for the Internet Protocol

RFC 4302, IP Authentication Header

RFC 4303, IP Encapsulating Security Payload (ESP)

Configuration guidelines

When you configure IPsec, follow these guidelines:

Typically, IKE uses UDP port 500 for communication, and AH and ESP use the protocol numbers 51 and 50, respectively. You must make sure flows of these protocols are not denied on the interfaces with IKE or IPsec configured.
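As an added check, not part of the H3C manual or its CLI, the script below evaluates a packet filter against the three flows the guideline names (IKE on UDP 500, AH as IP protocol 51, ESP as IP protocol 50) and reports which of them the filter would deny. Rules are written in a simplified, constructed representation, not in H3C ACL syntax, and are evaluated first-match with a configurable default action. It goes one step beyond the page by optionally including UDP 4500, which IKE and ESP use when NAT traversal (RFC 3948) is in play; that port is not mentioned in the guideline.

```python
"""Added check (not from the H3C manual): does a packet filter on an
IKE/IPsec interface deny any of the flows IPsec needs?

Rule representation and sample filters are constructed for this example and
are not H3C ACL syntax."""

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

UDP = 17  # IP protocol number of UDP

# Flows named by the guideline: (IP protocol number, UDP destination port or None).
IPSEC_FLOWS: Dict[str, Tuple[int, Optional[int]]] = {
    "IKE": (UDP, 500),
    "AH": (51, None),
    "ESP": (50, None),
}
# Beyond the page: NAT traversal carries IKE and ESP over UDP 4500 (RFC 3948).
NAT_T_FLOWS: Dict[str, Tuple[int, Optional[int]]] = {"IKE/ESP NAT-T": (UDP, 4500)}


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    protocol: Optional[int]     # IP protocol number; None matches any protocol
    port: Optional[int] = None  # UDP destination port; None matches any port

    def matches(self, protocol: int, port: Optional[int]) -> bool:
        if self.protocol is not None and self.protocol != protocol:
            return False
        if self.port is not None and self.port != port:
            return False
        return True


def evaluate(rules: List[Rule], protocol: int, port: Optional[int],
             default: str = "deny") -> str:
    """First matching rule decides; otherwise the filter's default action applies."""
    for rule in rules:
        if rule.matches(protocol, port):
            return rule.action
    return default


def blocked_ipsec_flows(rules: List[Rule], default: str = "deny",
                        nat_traversal: bool = False) -> List[str]:
    """Names of the IPsec control and data flows this filter would not permit."""
    flows = dict(IPSEC_FLOWS)
    if nat_traversal:
        flows.update(NAT_T_FLOWS)
    return [name for name, (proto, port) in flows.items()
            if evaluate(rules, proto, port, default) != "permit"]


# Constructed sample filters.
# A common mistake: IKE is allowed so the tunnel negotiates, but the ESP/AH
# data packets are then dropped by the catch-all deny.
WEAK_FILTER = [Rule("permit", UDP, 500), Rule("deny", None)]
# Corrected filter: IKE, ESP and AH are all permitted before the catch-all deny.
FIXED_FILTER = [Rule("permit", UDP, 500), Rule("permit", 50),
                Rule("permit", 51), Rule("deny", None)]

if __name__ == "__main__":
    print("weak filter blocks: ", blocked_ipsec_flows(WEAK_FILTER))
    print("fixed filter blocks:", blocked_ipsec_flows(FIXED_FILTER))
    print("fixed filter, NAT-T:", blocked_ipsec_flows(FIXED_FILTER, nat_traversal=True))
```

The weak filter reports AH and ESP as blocked, which matches the symptom of a tunnel that negotiates but carries no traffic; the fixed filter reports nothing blocked until NAT traversal is enabled, at which point it flags UDP 4500 as a further port to permit.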

[Figure 899 diagram; labels recovered from the image: LAN, Device A, Device B, Device C, Failover link, Master, Backup, Virtual router 1, Virtual router 2, IPsec tunnel, LAN, Internet]
