10. Configure Clustering group 1/3
VR-1
VR-2
LAN vSwitch
Primary Node
Secondary Node
10.10.10.100/24 VIP
Sample Configuration for VR-1 and VR-2
$ configure
# set system host-name VR-1 (or VR-2)
# set cluster dead-interval 1000
# set cluster group CLUSTER auto-failback true
# set cluster interface eth0
# set cluster interface eth1
# set cluster keepalive-interval 200
# set cluster pre-shared-secret SeCrEt
# set cluster group CLUSTER primary VR-1
# set cluster group CLUSTER secondary VR-2
# set cluster group CLUSTER service 10.10.10.100/24/eth1
# set cluster mcast-group 239.10.10.100
11. Configure Clustering group 2/3
Sample Configuration for VR-3 and VR-4
$ configure
# set system host-name VR-3 (or VR-4)
# set cluster dead-interval 1000
# set cluster group CLUSTER auto-failback true
# set cluster interface eth0
# set cluster interface eth1
# set cluster keepalive-interval 200
# set cluster pre-shared-secret SeCrEt
# set cluster group CLUSTER primary VR-3
# set cluster group CLUSTER secondary VR-4
# set cluster group CLUSTER service 10.20.20.100/24/eth1
# set cluster mcast-group 239.20.20.100
VR-3
VR-4
LANvSwitchSecondary Node
VIP 10.20.20.100/24
Primary Node
12. Configure Clustering group 3/3
VR-1 VR-3
vSwitch LANvSwitchLAN
Monitoring
VR-1# set cluster monitor-dead-interval 1000
VR-1# set cluster group CLUSTER monitor 133.242.YYY.3
VR-1# commit
VR-1# save
VR-3# set cluster monitor-dead-interval 1000
VR-3# set cluster group CLUSTER monitor 133.242.XXX.1
VR-3# commit
VR-3# save
133.242.YYY.3133.242.XXX.1
13. Configure Dual IPSec Tunneling 1/3
VR-1 VR-3
vSwitch LANvSwitchLAN
IPSec Tunnel
Sample Configuration for VR-1 and VR-3
# set vpn ipsec esp-group ESP lifetime 1800
# set vpn ipsec esp-group ESP mode tunnel
# set vpn ipsec esp-group ESP pfs enable
# set vpn ipsec esp-group ESP proposal 1 encryption aes256
# set vpn ipsec esp-group ESP proposal 1 hash sha1
# set vpn ipsec ike-group IKE lifetime 3600
# set vpn ipsec ike-group IKE proposal 1 encryption aes256
# set vpn ipsec ike-group IKE proposal 1 hash sha1
# set vpn ipsec ipsec-interfaces interface eth0
14. Configure Dual IPSec Tunneling 2/3
VR-1 VR-3
vSwitch LANvSwitchLAN
IPSec Tunnel
VR-1# set vpn ipsec site-to-site peer 133.242.YYY.3 local-address 133.242.XXX.1
VR-1# set vpn ipsec site-to-site peer 133.242.YYY.3 authentication mode pre-shared-secret
VR-1# set vpn ipsec site-to-site peer 133.242.YYY.3 authentication pre-shared-secret SeCrEt
VR-1# set vpn ipsec site-to-site peer 133.242.YYY.3 connection-type initiate
VR-1# set vpn ipsec site-to-site peer 133.242.YYY.3 default-esp-group ESP
VR-1# set vpn ipsec site-to-site peer 133.242.YYY.3 ike-group IKE
VR-1# set vpn ipsec site-to-site peer 133.242.YYY.3 tunnel 0 local prefix 10.10.10.0/24
VR-1# set vpn ipsec site-to-site peer 133.242.YYY.3 tunnel 0 remote prefix 10.20.20.0/24
VR-1# commit
VR-1# save
133.242.YYY.3133.242.XXX.1
10.10.10.0/24 10.20.20.0/24
15. Configure Dual IPSec Tunneling 3/3
VR-1 VR-3
vSwitch LANvSwitchLAN
IPSec Tunnel
VR-3# set vpn ipsec site-to-site peer 133.242.XXX.1 local-address 133.242.YYY.3
VR-3# set vpn ipsec site-to-site peer 133.242.XXX.1 authentication mode pre-shared-secret
VR-3# set vpn ipsec site-to-site peer 133.242.XXX.1 authentication pre-shared-secret SeCrEt
VR-3# set vpn ipsec site-to-site peer 133.242.XXX.1 connection-type initiate
VR-3# set vpn ipsec site-to-site peer 133.242.XXX.1 default-esp-group ESP
VR-3# set vpn ipsec site-to-site peer 133.242.XXX.1 ike-group IKE
VR-3# set vpn ipsec site-to-site peer 133.242.XXX.1 tunnel 0 local prefix 10.20.20.0/24
VR-3# set vpn ipsec site-to-site peer 133.242.XXX.1 tunnel 0 remote prefix 10.10.10.0/24
VR-3# commit
VR-3# save
133.242.YYY.3133.242.XXX.1
10.10.10.0/24 10.20.20.0/24
16. Configure TCP-MSS modify for VPN
VR-1 VR-3
vSwitch LANvSwitchLAN
IPSec Tunnel
VR-1# set policy route TCP-MSS1386-ETH0 rule 1 destination address 10.20.20.0/24
VR-1# set policy route TCP-MSS1386-ETH0 rule 1 protocol tcp
VR-1# set policy route TCP-MSS1386-ETH0 rule 1 set tcp-mss 1386
VR-1# set policy route TCP-MSS1386-ETH0 rule 1 tcp flags SYN TCP
VR-1# set interfaces ethernet eth0 policy route TCP-MSS1386-ETH0
VR-1# commit
10.10.10.0/24 10.20.20.0/24
VR-3# set policy route TCP-MSS1386-ETH0 rule 1 destination address 10.10.10.0/24
VR-3# set policy route TCP-MSS1386-ETH0 rule 1 protocol tcp
VR-3# set policy route TCP-MSS1386-ETH0 rule 1 set tcp-mss 1386
VR-3# set policy route TCP-MSS1386-ETH0 rule 1 tcp flags SYN TCP
VR-3# set interfaces ethernet eth0 policy route TCP-MSS1386-ETH0
VR-3# commit