Topology:
Requirements: Beijing is the headquarters and needs to connect to Company (the SH site). SH uses two uplinks into the ISP for high availability. The requirement is that when SH1 goes down, SH2 takes over SH1's role so that the VPN connection stays up without interruption.
Beijing main configuration:
Beijing's configuration is no different from a conventional IPsec L2L VPN. The one thing to notice is that its peer is 117.1.1.10, the HSRP virtual IP shared by SH1 and SH2, not the physical address of either router, so a switchover on the SH side is transparent to Beijing. (3DES, MD5 and DH group 2 are lab settings; they are deprecated, and a production deployment should use AES, SHA-2 and DH group 14 or higher.)
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 117.1.1.10
crypto ipsec transform-set cisco esp-3des esp-md5-hmac
crypto map vpn 10 ipsec-isakmp
set peer 117.1.1.10
set transform-set cisco
match address vpn
interface Loopback0
ip address 1.1.1.1 255.255.255.0
interface FastEthernet0/0
ip address 124.1.1.1 255.255.255.0
duplex half
crypto map vpn
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
ip access-list extended vpn
 permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
SH1 main configuration:
The SH side must first enable DPD (dead peer detection) so that a dead peer is noticed and the stale IPsec SAs are torn down; only then can the backup device bring up a new tunnel after the IPsec SA has been interrupted. Note that this is stateless failover: SAs are not replicated to the backup router, so they are re-negotiated after a switchover.
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 124.1.1.1
crypto isakmp keepalive 10 periodic
crypto ipsec transform-set cisco esp-3des esp-md5-hmac
crypto map cisco 10 ipsec-isakmp
set peer 124.1.1.1
set transform-set cisco
match address vpn
reverse-route tag 10 static
Reverse route injection (RRI) turns the interesting traffic in the crypto ACL into static routes, so the protected remote subnet is reachable from the inside network. The tag 10 lets a route-map pick these routes out for redistribution, and the static keyword creates the route even when no SA exists (which is what the Active device needs).
interface FastEthernet2/0
ip address 117.1.1.8 255.255.255.0
duplex half
standby 1 ip 117.1.1.10
standby 1 priority 150
standby 1 preempt
standby 1 name Redunvpn
crypto map cisco redundancy Redunvpn
When applying the crypto map to the interface, add the redundancy keyword and reference the standby group name; this binds the crypto map to the HSRP group so that IKE and IPsec use the virtual IP as the local address.
interface FastEthernet3/0
ip address 10.1.1.1 255.255.255.0
duplex half
router eigrp 10
redistribute static route-map vpntraffic
Redistribute the injected static routes (selected by tag 10 through the route-map) into the internal network via EIGRP.
network 10.1.1.0 0.0.0.255
no auto-summary
ip route 0.0.0.0 0.0.0.0 FastEthernet2/0
ip access-list extended vpn
 permit ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255
route-map vpntraffic permit 10
 match tag 10
SH2's configuration is almost the same as SH1's and is not listed here.
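Since the post omits it, here is an SH2 configuration mirroring SH1, as an added example (an editor's reconstruction, not the original author's config). The SH2 outside address 117.1.1.9 and inside address 10.1.1.2 are assumptions; everything else is copied from SH1, with the HSRP priority left at the default 100 so that SH1 (priority 150, preempt) is Active whenever it is up.

```cisco
! SH2 -- mirror of SH1 (added example; 117.1.1.9 and 10.1.1.2 are assumed addresses)
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 124.1.1.1
! DPD: detect a dead Beijing peer so stale SAs are cleared
crypto isakmp keepalive 10 periodic
crypto ipsec transform-set cisco esp-3des esp-md5-hmac
crypto map cisco 10 ipsec-isakmp
 set peer 124.1.1.1
 set transform-set cisco
 match address vpn
 ! same tag and static keyword as SH1: the route exists even before any SA
 reverse-route tag 10 static
interface FastEthernet2/0
 ip address 117.1.1.9 255.255.255.0
 duplex half
 ! same HSRP group, same virtual IP and same group name as SH1
 standby 1 ip 117.1.1.10
 standby 1 preempt
 standby 1 name Redunvpn
 ! bind the crypto map to the HSRP group so it follows the virtual IP
 crypto map cisco redundancy Redunvpn
interface FastEthernet3/0
 ip address 10.1.1.2 255.255.255.0
 duplex half
router eigrp 10
 redistribute static route-map vpntraffic
 network 10.1.1.0 0.0.0.255
 no auto-summary
ip route 0.0.0.0 0.0.0.0 FastEthernet2/0
ip access-list extended vpn
 permit ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255
route-map vpntraffic permit 10
 match tag 10
```

One point the page does not spell out: HSRP as configured reacts only to the state of FastEthernet2/0, the interface it runs on. If SH1's inside link (FastEthernet3/0) can fail on its own, add interface tracking on SH1, for example `standby 1 track FastEthernet3/0 60`, so that its priority drops from 150 to 90, below SH2's 100, and SH2 takes over.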
Lab results:
1. ping test
2. Encryption/decryption status on the Active device:
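The outputs for these two checks are not present in the text. As an added example (not from the original post), these are the show commands to verify the failover on this topology; the host in 2.2.2.0/24 used to generate interesting traffic is assumed, not named on the page.

```cisco
! --- Before the failure: SH1 should be HSRP Active and hold the SAs ---
SH1# show standby brief
! expect Grp 1, Pri 150, P (preempt), State Active, Virtual IP 117.1.1.10
SH1# show crypto isakmp sa
SH1# show crypto ipsec sa | include peer|pkts encaps|pkts decaps
SH1# show ip route static
! expect the RRI route for 1.1.1.0/24 (tag 10), present even with no SA (static keyword)

! --- Simulate SH1 failure ---
SH1(config)# interface FastEthernet2/0
SH1(config-if)# shutdown

! --- After the failure: SH2 takes the virtual IP ---
SH2# show standby brief
! expect State Active on SH2, same Virtual IP 117.1.1.10
SH2# show ip route static
! the tagged RRI route is already there on SH2, so inside traffic has a path

! --- Trigger interesting traffic from the SH side, e.g. from an assumed host
! --- in 2.2.2.0/24: ping 1.1.1.1 ; then confirm SH2 negotiated new SAs
SH2# show crypto isakmp sa
SH2# show crypto ipsec sa | include peer|pkts encaps|pkts decaps
Beijing# show crypto isakmp sa
! Beijing still peers with 117.1.1.10; the new IKE negotiation from SH2 installs fresh SAs there
```

Because the failover is stateless, SH2 holds no SAs until traffic triggers IKE, so the first packets after the switchover are lost. Beijing as configured has no DPD and will keep its SAs to the failed SH1 until they expire; adding `crypto isakmp keepalive 10 periodic` on Beijing as well lets it detect the dead SAs and drop them sooner.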