Workflow to configure and manage MC IPsec

Stages

1. Configure an ISA tunnel MDA and ISA tunnel group on each MC IPsec peer NE; see To configure an ISA-tunnel group.

   You must do the following:

   • Enable the Multiple Active ISA Support parameter.

   • Enable the IPsec Responder Only parameter so that the NE acts as an IKE responder when an MC IPsec switchover occurs and does not initiate a new SA policy or rekey an existing SA.

   Ensure that the ISA tunnel groups have the same configuration on each MC IPsec peer NE; alternatively, you can create the ISA tunnel groups when you configure the MC IPsec group in Stage 3.

2. Enable MC IPsec on the MC peer group; see To configure MC IPsec on an MC peer group.

3. Create an MC IPsec tunnel group between the MC peer NEs; see To create an MC IPsec group.

4. Configure the MC IPsec parameters.

   The parameters must be configured as follows:

   Note: The IPsec tunnels must have the same tunnel name, properties, and associated IKE, transform, and security policies. Tunnels that have a configuration mismatch between peers are lost when a switchover occurs.

   • Configure two identical static IPsec tunnels using the redundant tunnel group on the two MC peer NEs; see To configure an IPsec tunnel on a VPRN tunnel interface.

   • Configure the IPsec protocol and state parameters in the From Criteria of a routing policy statement entry; see To configure a routing policy statement.

     You must do the following:

     • Set the Protocol parameter to IPsec.

     • Set the State parameter to one of the following:

       • IPsec Master with Peer—the corresponding tunnel group is the master and its peer is reachable.

       • IPsec Master No Peer—the corresponding tunnel group is the master and its peer is unreachable.

       • IPsec Non Master—the corresponding tunnel group is not the master.

5. If required, perform a manual switchover from the MC IPsec tunnel group and from all of the associated IPsec tunnels that are configured above the MC IPsec tunnel group; see To perform an MC IPsec switchover.
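The note above warns that IPsec tunnels whose configuration differs between the two MC peer NEs are lost when a switchover occurs. The following added example (not part of this workflow or of the NSP product) is a pre-switchover consistency check run over constructed peer inventories; the field names tunnel_group, local_gw, remote_gw, ike_policy, transform and security_policy are assumptions chosen to mirror the attributes the note lists.

```python
"""Pre-switchover consistency check for MC IPsec tunnel configuration.

Added example, not part of the original workflow page. Peer inventories are
constructed dicts keyed by tunnel name; the field names are assumptions that
mirror the attributes the note says must match between MC peers.
"""
from typing import Dict, List

# Attributes that must match for a tunnel to survive a switchover: tunnel
# properties (group, gateways) and the associated IKE, transform and
# security policies. The tunnel name is the dict key.
REQUIRED_FIELDS = ("tunnel_group", "local_gw", "remote_gw",
                   "ike_policy", "transform", "security_policy")

Peer = Dict[str, Dict[str, object]]


def check_peers(peer_a: Peer, peer_b: Peer) -> List[str]:
    """Return one finding per tunnel that would not be preserved by MC IPsec."""
    findings: List[str] = []
    for name in sorted(set(peer_a) | set(peer_b)):
        # A tunnel defined on only one peer cannot be taken over by the other.
        if name not in peer_a or name not in peer_b:
            missing = "A" if name not in peer_a else "B"
            findings.append(f"{name}: missing on peer {missing}")
            continue
        for field in REQUIRED_FIELDS:
            va, vb = peer_a[name].get(field), peer_b[name].get(field)
            if va != vb:
                findings.append(f"{name}: {field} differs ({va!r} vs {vb!r})")
    return findings


# Constructed sample inventories for the two MC peer NEs (RFC 5737 addresses).
PEER_A: Peer = {
    "site-1": {"tunnel_group": 1, "local_gw": "198.51.100.1",
               "remote_gw": "192.0.2.10", "ike_policy": "ike-main",
               "transform": "aes256-sha256", "security_policy": "sp-1"},
    "site-2": {"tunnel_group": 1, "local_gw": "198.51.100.1",
               "remote_gw": "192.0.2.20", "ike_policy": "ike-main",
               "transform": "aes256-sha256", "security_policy": "sp-2"},
}
PEER_B: Peer = {
    "site-1": dict(PEER_A["site-1"]),                          # identical: kept
    "site-2": {**PEER_A["site-2"], "transform": "aes128-sha1"},  # mismatch: lost
    "site-3": {**PEER_A["site-1"], "remote_gw": "192.0.2.30"},  # only on B: lost
}

if __name__ == "__main__":
    for line in check_peers(PEER_A, PEER_B) or ["all tunnels consistent"]:
        print(line)
```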