
IPsec in an active/active configuration

If you are considering implementing IPsec in an active/active configuration, you will need to optimize IPsec to function in this environment.

The IPsec protocol, by its nature, does not work well in a failover environment, that is, an environment in which one storage system in an active/active configuration must take over the other storage system. This is because security policies, but not security associations, are taken over from the failed storage system. Clients continue to send packets to the failed storage system for the remainder of the client security association lifetime; after that, a new security association must be renegotiated and the dropped packets resent.

For this reason, you should reduce the security association lifetime to a minimum value to optimize IPsec operation in an active/active configuration. This minimizes the time before clients discard their security associations and negotiate new ones with the storage system that took over.
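A small model of the behavior described above, added here and not part of the original documentation. All numbers are constructed, and the client is assumed to rekey only when its security association lifetime expires (no dead-peer detection), while the takeover partner inherits the policy but no security association:

```python
from dataclasses import dataclass


@dataclass
class Outcome:
    dropped: int              # packets sent on the stale SA after takeover
    blackout_seconds: float   # takeover until the first packet accepted by the partner


def simulate_takeover(sa_lifetime: float, takeover_at: float, duration: float,
                      pkt_interval: float = 1.0, negotiate_secs: float = 2.0) -> Outcome:
    """Walk a client's packet timeline across a takeover (hypothetical model).

    The client negotiates an SA at t=0 and renegotiates only when the SA
    lifetime expires. Node A is active until takeover_at; after that the
    partner holds A's policy but not A's SA, so packets protected by the
    old SA are dropped until the client negotiates a fresh SA.
    """
    sa_established_at = 0.0
    sa_with_partner = False      # was the current SA negotiated after takeover?
    dropped = 0
    first_ok_after = None
    t = 0.0
    while t < duration:
        if t - sa_established_at >= sa_lifetime:
            # SA lifetime expired: the client renegotiates with whichever
            # node is active now; no data packets flow during negotiation.
            sa_established_at = t + negotiate_secs
            sa_with_partner = t >= takeover_at
            t = sa_established_at
            continue
        if t >= takeover_at and not sa_with_partner:
            dropped += 1                      # partner has no matching SA
        elif t >= takeover_at and first_ok_after is None:
            first_ok_after = t - takeover_at  # first packet the partner accepts
        t += pkt_interval
    blackout = float("inf") if first_ok_after is None else first_ok_after
    return Outcome(dropped, blackout)


if __name__ == "__main__":
    # Constructed scenario: takeover 100 s into a 1200 s window, one packet per second.
    for lifetime in (600, 60):
        print(lifetime, simulate_takeover(lifetime, takeover_at=100, duration=1200))
```

Shortening the client lifetime from 600 s to 60 s cuts the modeled blackout from roughly eight minutes to under half a minute, which is the effect the recommendation above relies on.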

Note: You set the value of the security association's lifetime on clients rather than on your storage system.