Ipsec stateful failover – H3C Technologies H3C WX3000E Series Wireless Switches User Manual

Page 867

Advertising
background image

846

Figure 898 An IPsec VPN

You can advertise the static routes created by IPsec RRI in the internal network. IPsec RRI can quickly

create new routes for forwarding IPsec VPN traffic when an active link fails in a load balanced or stateful

failover environment, or when IPsec VPN traffic cannot reach the peer gateway through the default local

gateway.
IPsec RRI dynamically creates static routes based on IPsec SAs. In each static route, the destination

address is the address of a protected branch network, and the next hop is the user-specified remote peer

address or the remote tunnel endpoint's address learned during IPsec SA negotiation.
In an MPLS L3VPN network, an RRI-configured IPsec VPN gateway can add static routes into the IP
routing table of the VPN instance that is bound to the interface applied with an IPsec policy.
IPsec RRI creates static routes when the IPsec SAs are established, and deletes the static routes when the

IPsec SAs are deleted.

IPsec stateful failover

IMPORTANT:

Support for this feature depends on the device model. For more information, see "

About the H3C Access

Controllers Web-Based Configuration Guide

."

The IPsec stateful failover function enables hot backup of IPsec service data between two devices and is

usually deployed on two redundant gateways at the headquarters to improve the availability of IPsec

service.
The IPsec stateful failover function must work with the stateful failover feature and the VRRP feature.
The two devices in IPsec stateful failover must join the same VRRP group to act as a single virtual device.

They use the virtual IP address of the virtual device to communicate with remote devices.
The IPsec stateful failover function can operate only in standard VRRP mode. In this mode, the master
processes and forwards IPsec traffic, and the backup device only synchronizes IPsec service data with the

master. When the master fails, the backup immediately takes over to forward IPsec traffic. This switchover

process is transparent to remote devices. No extra configuration is required on remote devices and no

IPsec re-negotiation is required after the switchover.

Advertising
This manual is related to the following products:

H3C WX5500E Series Access Controllers, H3C WX3500E Series Access Controllers, H3C WX2500E Series Access Controllers, H3C WX6000 Series Access Controllers, H3C WX5000 Series Access Controllers, H3C LSUM3WCMD0 Access Controller Module, H3C LSUM1WCME0 Access Controller Module, H3C LSRM1WCM2A1 Access Controller Module

Popular Brands
Popular manuals