Hot standby IPSec configuration on the USG2000 series


The USG supports hot standby IPSec. For the configuration method, see the example in the product documentation: IPSec gateway hot standby.

Other related questions:
Restrictions on using hot standby together with IPSec on the USG2000 and USG5000 series
Restrictions on using hot standby together with IPSec:
1. The device supports the interworking of IPSec and hot standby in active/standby mode but not in load balancing mode.
2. When hot standby runs together with IPSec, the upstream and downstream service interfaces of the active and standby devices must be Layer 3 interfaces.
3. When hot standby runs together with IPSec, the hot standby configuration and the IPSec configuration are the same as when each runs alone.
4. The IPSec policy needs to be configured only on the active device.
5. If the local device is the initiator of an IPSec tunnel, set the local gateway IP address at phase 2 to the virtual IP address of the VRRP group.

Whether the standby device in hot standby deployment can be configured
By default, configurations that can be backed up can be configured only on the active device and are automatically synchronized to the standby device. You cannot configure them on the standby device. After you run the hrp slave config enable command on the active device and the command is backed up to the standby device, the standby device gains permission to configure these items. The configurations made on the standby device are also synchronized to the active device. Configurations that cannot be backed up, such as interface IP addresses, can be configured on the standby device.

VRRP+NAT in hot standby deployment on the USG2000&5000
For the complete configuration example, see "Combining Dual-System Hot Backup with NAT" in the USG2000/5000 product documentation.

Hot standby modes on the USG2000 and USG5000 series
Hot standby is in either active/standby or load balancing mode.

Hardware restrictions of hot standby on the USG2000 and USG5000 series
Hardware restrictions of hot standby:
1. Currently, hot standby can be implemented only between two devices.
2. The active and standby devices must have the same product model and version.
3. The active and standby devices must have the same number and types of boards installed in the same arrangement. Otherwise, the information synchronized from the active device does not match the physical configuration of the standby device. As a result, faults occur after an active/standby switchover.
4. If you want to use a Layer 2 interface as the heartbeat interface, you need to add it to the VLAN, create the VLANIF interface, and configure the IP address of the VLANIF interface. Then use the VLANIF interface as the heartbeat interface and specify the heartbeat interface IP address of the peer device.
