Description | This article describes how to securely encrypt and authenticate HA traffic |
Scope | 7.4.2+ GA Releases. |
Solution |
Consider a scenario where a network administrator has the following topology:
There is an HA cluster which consists of two units connecting via their ha1 interfaces.
These HA members are located in different geographic regions and the physical connection between these two devices is a non-trusted network.
The administrator wants to secure the HA traffic so that it cannot be captured (mirrored) on the untrusted link by someone who intends to craft false HA messages and cause cluster instability.
To do so, the administrator uses the following commands:
config system ha
    set authentication enable
    set encryption enable
    set ipsec-phase2-proposal <List of encryption & hashing algorithms>
end
When authentication and encryption are enabled, an IPsec tunnel is created between the HA members; it is established and maintained by IKE. Optionally, the encryption and hashing algorithms can then be chosen manually so that the traffic complies with the regulations that apply to the deployment.
The IKE daemon is responsible for periodically generating new keys and distributing them among the HA members. |
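As an added illustration (not part of the Fortinet article), the following Python script audits backed-up FortiOS configuration text for the HA settings discussed above: it parses the config system ha block, reports clusters where authentication or encryption is not enabled, and reports legacy hash or cipher names in ipsec-phase2-proposal. The two sample configuration blocks and the proposal values aes256-sha256 and aes256gcm are constructed for the example, and the legacy-algorithm list is the script's own policy rather than a FortiOS list.

```python
import re
from typing import Dict, List

# Constructed sample: two backed-up FortiOS "config system ha" blocks (not from the article).
# The first leaves HA heartbeat traffic unauthenticated and in the clear; the second
# follows the article's settings with an explicitly chosen phase 2 proposal.
WEAK_HA_CONFIG = """\
config system ha
    set group-name "dc-cluster"
    set mode a-p
    set hbdev "ha1" 50
    set authentication disable
    set encryption disable
end
"""

HARDENED_HA_CONFIG = """\
config system ha
    set group-name "dc-cluster"
    set mode a-p
    set hbdev "ha1" 50
    set authentication enable
    set encryption enable
    set ipsec-phase2-proposal aes256-sha256 aes256gcm
end
"""

# Hash/cipher tokens this audit treats as legacy. This is the example's own policy,
# not a FortiOS list; adjust it to the regulatory baseline you have to meet.
LEGACY_TOKENS = ("md5", "sha1", "3des", "des-", "null")


def parse_ha_block(config_text: str) -> Dict[str, str]:
    """Return the 'set <key> <value...>' pairs found inside 'config system ha ... end'.

    Values keep their original spacing; surrounding quotes are stripped.
    """
    m = re.search(r"config system ha\n(.*?)^end", config_text, re.S | re.M)
    if not m:
        return {}
    settings: Dict[str, str] = {}
    for line in m.group(1).splitlines():
        parts = line.strip().split(maxsplit=2)
        if len(parts) >= 3 and parts[0] == "set":
            settings[parts[1]] = parts[2].replace('"', "")
    return settings


def audit_ha(config_text: str) -> List[str]:
    """Return a list of findings; an empty list means the HA block passes this audit."""
    ha = parse_ha_block(config_text)
    if not ha:
        return ["no 'config system ha' block found"]
    findings: List[str] = []
    # A missing line is treated as disabled, which is the FortiOS default for both settings.
    if ha.get("authentication", "disable") != "enable":
        findings.append("HA authentication disabled: heartbeat messages can be spoofed")
    if ha.get("encryption", "disable") != "enable":
        findings.append("HA encryption disabled: heartbeat traffic is readable on the HA link")
    proposal = ha.get("ipsec-phase2-proposal", "")
    for algo in proposal.split():
        if any(tok in algo.lower() for tok in LEGACY_TOKENS):
            findings.append(f"legacy algorithm in ipsec-phase2-proposal: {algo}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_HA_CONFIG), ("hardened", HARDENED_HA_CONFIG)):
        findings = audit_ha(cfg)
        print(f"{label}: {'OK' if not findings else 'findings'}")
        for finding in findings:
            print("  -", finding)
```

Run the script against a full configuration backup to get the same report; only the first config system ha block is inspected, which is all a FortiGate configuration contains.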
Copyright 2024 Fortinet, Inc. All Rights Reserved.