
(Optional) Configuring an IPSec Cluster

Context

In an LTE scenario, user traffic on base stations needs to be transmitted between the insecure transport network and secure core network. To ensure security of user traffic, the IPSec gateway is deployed at the edge of the core network. An IPSec tunnel is established between a base station and the IPSec gateway so that user traffic is securely transmitted through the IPSec tunnel. There are a large number of base stations in the LTE scenario, and user traffic on each base station increases greatly as 4G services develop.

One IPSec gateway has limited performance and cannot transmit traffic from all base stations. In an LTE scenario, multiple IPSec gateways need to be deployed to meet bandwidth requirements of VPN traffic on IPSec tunnels. User traffic varies on base stations and multiple IPSec gateways are independent from each other. In this situation, the load on some IPSec gateways is heavy, resulting in failure to establish new IPSec tunnels, while some IPSec gateways are not fully used.

To address the problem, you can configure an IPSec cluster to associate multiple IPSec gateways, and the IPSec cluster is equivalent to a virtual device. Base stations negotiate with the IPSec cluster for establishing IPSec tunnels, without the need to know specific IPSec gateways. The IPSec cluster can select an appropriate IPSec gateway to respond to the IPSec negotiation request of a base station based on the load of the member gateways.

One IPSec cluster corresponds to one load balancing group, and IPSec gateways in the IPSec cluster must be configured with the load balancing group. You can reference a load balancing group in an IKE peer so that packets can be redirected based on the load during IKE negotiation.

Only IKEv2 supports the IPSec cluster.

IPSec over IPv6 does not support the IPSec cluster.

Pre-configuration Tasks

Before configuring an IPSec cluster, configure a VRRP group so that the master in the load balancing group is selected.

Procedure

  1. Configure a load balancing group.
    1. Run system-view

      The system view is displayed.

    2. Run loadgroup group-name

      A load balancing group is created and the load balancing group view is displayed.

    3. Run server-ip ip-address

      The external IP address used by the load balancing group to provide services is configured.

      The address is used to connect to a base station. Other member gateways in the load balancing group use this IP address to report load information to the master gateway.

      The external IP address used by the load balancing group to provide services must be the same as the virtual IP address of the VRRP group.

    4. Run port port-number

      A UDP port is configured for the load balancing group to report and receive load information.

      By default, the load balancing group uses UDP port 2014 to report and receive load information.

      Other member gateways in the load balancing group use the configured UDP port to report their load information to the master gateway, and the master gateway uses the configured UDP port to receive load information from the other member gateways.

    5. Run authentication-key authentication-key

      The authentication key of IKEv2 redirection packets is configured.

      By default, the authentication key of IKEv2 redirection packets is not configured.

      A member gateway in a load balancing group reports load information to the master gateway, and the master gateway authenticates member gateways using the authentication key. The authentication key of all member gateways in the load balancing group must be the same.

    6. Run overload-manage { limit percent | ipsec-bandwidth ipsec-bandwidth-weight | sa-number sa-number-weight }*

      The following information is configured: upper limit for the load percentage of a member gateway in a load balancing group, weights for the IPSec tunnel bandwidth, and security association (SA) quantity weight.

      By default, the upper limit for the load percentage of a member gateway in a load balancing group is 80, and the weights for the IPSec tunnel bandwidth and SA quantity are not configured.

    7. Run member { hello seconds | max-ipsec-bandwidth max-ipsec-bandwidth | max-ipsec-tunnel-number max-ipsec-tunnel-number }*

      The following information is configured: interval at which a member gateway in a load balancing group sends Hello packets to the master gateway, maximum number of IPSec tunnels, and maximum IPSec bandwidth.

      By default, a member gateway in a load balancing group sends Hello packets to the master gateway at an interval of 3s, and the maximum number of IPSec tunnels and the maximum IPSec bandwidth are not configured.

    8. Run holdtime seconds

      The timeout interval of load balancing group member information is configured.

      By default, the timeout interval of load balancing group member information is 10s.

      If the master gateway does not receive load information from a member gateway within the timeout interval, the member gateway is removed from the load balancing group.

    9. Run quit

      The load balancing group view is exited.

  2. Reference a load balancing group in an IKE peer.
    1. Run ike peer peer-name

      An IKE peer is created and the IKE peer view is displayed.

    2. Run undo version 1

      IKEv1 is disabled.

    3. Run ikev2-redirect-group group-name { auth | init }

      A load balancing group is referenced in an IKE peer and the phase where IKEv2 redirection is performed is specified.

      By default, an IKE peer does not reference a load balancing group.
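The two steps above have to be repeated consistently on every member gateway, and the page states several cross-gateway constraints (the server IP must equal the VRRP virtual IP, the authentication key must be identical on all members, a member is dropped if it reports nothing within the holdtime). The following added example, which is not Huawei's tooling or part of this page, renders the command sequence from a small parameter set and cross-checks those constraints before the configuration is pushed. The command names and keywords are the ones listed in the procedure; the device names, addresses, group name and key are constructed sample values, and the holdtime-versus-hello check is a sanity rule derived from the described timeout behaviour, not a documented command restriction.

```python
"""Render and cross-check IPSec cluster (load balancing group) configuration.

Added example. Command keywords follow the procedure on the page; hostnames,
addresses and the key are constructed placeholders, not values from the page.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class LoadGroupConfig:
    device: str                      # hostname used only in messages (constructed)
    group_name: str                  # loadgroup group-name
    server_ip: str                   # server-ip; must equal the VRRP virtual IP
    auth_key: str                    # authentication-key; identical on all members
    port: int = 2014                 # page default UDP port
    limit_percent: int = 80          # page default load limit
    ipsec_bandwidth_weight: Optional[int] = None
    sa_number_weight: Optional[int] = None
    hello_seconds: int = 3           # page default Hello interval
    max_ipsec_bandwidth: Optional[int] = None
    max_ipsec_tunnel_number: Optional[int] = None
    holdtime: int = 10               # page default member timeout


def render_loadgroup(cfg: LoadGroupConfig) -> List[str]:
    """Emit the step-1 commands in the order the procedure gives them."""
    lines = ["system-view", f"loadgroup {cfg.group_name}",
             f"server-ip {cfg.server_ip}", f"port {cfg.port}",
             f"authentication-key {cfg.auth_key}"]
    overload = [f"limit {cfg.limit_percent}"]
    if cfg.ipsec_bandwidth_weight is not None:
        overload.append(f"ipsec-bandwidth {cfg.ipsec_bandwidth_weight}")
    if cfg.sa_number_weight is not None:
        overload.append(f"sa-number {cfg.sa_number_weight}")
    lines.append("overload-manage " + " ".join(overload))
    member = [f"hello {cfg.hello_seconds}"]
    if cfg.max_ipsec_bandwidth is not None:
        member.append(f"max-ipsec-bandwidth {cfg.max_ipsec_bandwidth}")
    if cfg.max_ipsec_tunnel_number is not None:
        member.append(f"max-ipsec-tunnel-number {cfg.max_ipsec_tunnel_number}")
    lines.append("member " + " ".join(member))
    lines.append(f"holdtime {cfg.holdtime}")
    lines.append("quit")
    return lines


def render_ike_peer(peer_name: str, group_name: str, phase: str) -> List[str]:
    """Emit the step-2 commands: IKEv2 only, redirection in the given phase."""
    if phase not in ("auth", "init"):
        raise ValueError("phase must be 'auth' or 'init'")
    return [f"ike peer {peer_name}", "undo version 1",
            f"ikev2-redirect-group {group_name} {phase}"]


def validate_cluster(members: List[LoadGroupConfig], vrrp_vip: str) -> List[str]:
    """Return the constraints (stated on the page) that the member set violates."""
    problems: List[str] = []
    ref = members[0]
    for m in members:
        if m.server_ip != vrrp_vip:
            problems.append(f"{m.device}: server-ip {m.server_ip} differs from VRRP virtual IP {vrrp_vip}")
        if m.auth_key != ref.auth_key:
            problems.append(f"{m.device}: authentication-key differs from {ref.device}")
        if m.port != ref.port or m.group_name != ref.group_name:
            problems.append(f"{m.device}: port or group name differs from {ref.device}")
        # Sanity rule derived from the timeout behaviour: a member that reports
        # every hello_seconds but is expired after holdtime would flap.
        if m.holdtime <= m.hello_seconds:
            problems.append(f"{m.device}: holdtime {m.holdtime}s must exceed hello interval {m.hello_seconds}s")
        if not 1 <= m.limit_percent <= 100:
            problems.append(f"{m.device}: limit {m.limit_percent} is not a percentage")
    return problems


# Constructed sample cluster: two consistent members behind VRRP VIP 10.1.1.100.
VRRP_VIP = "10.1.1.100"
GOOD_MEMBERS = [
    LoadGroupConfig("gw1", "lb1", VRRP_VIP, "K3y-Example"),
    LoadGroupConfig("gw2", "lb1", VRRP_VIP, "K3y-Example"),
]
# A third, misconfigured member: wrong server-ip, different key, holdtime < hello.
BAD_MEMBERS = GOOD_MEMBERS[:1] + [
    LoadGroupConfig("gw3", "lb1", "10.1.1.200", "other-key", holdtime=2),
]

if __name__ == "__main__":
    for problem in validate_cluster(BAD_MEMBERS, VRRP_VIP):
        print("PROBLEM:", problem)
    if not validate_cluster(GOOD_MEMBERS, VRRP_VIP):
        for cfg in GOOD_MEMBERS:
            print(f"--- {cfg.device} ---")
            print("\n".join(render_loadgroup(cfg) + render_ike_peer("bs-peer", cfg.group_name, "init")))
```

Run the script to see the three problems reported for the misconfigured member and the rendered command blocks for the consistent pair; the rendering is meant to be pasted in or fed to an automation tool only after `validate_cluster` returns an empty list.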

Copyright © Huawei Technologies Co., Ltd.