IPSecVPN-高可用.docx

cryptoipsectransfor11r-stmysetcsp-descsp-md5-hmaccryptomapEyEaP10ipsec-isakmsettransform-sotmysetmatchaddress101reverse-routetag10reverse-routestatic因为本地是Standby,即使打了这个吩咐也不会注入路由interfaceFastEthernetOZOstandby1preemptstandby1namehsrpcryptomapIttymaPredundancyhsrpinterfaceFastEthernctIZOrouterOSPf1redistributestaticsubnetsroute-maps2onetwork2.2.2.00.0.0.255area0iproute000.00.0.0.0FaStEthCrnCtO/0route-maps2opermit10matchtag10insideinterfaceFaStEthCrnCto/0routerospf1network2.2,2.00.0.0.255area0链路备份也叫RedgdanCyVPN,是一种常见的解决方案，支持双方首先发起流量并且支持抢占功能链路备份高可用VPN配Si缺点：没有抢占功能，必需R1端先发起流量，由于没有HSRP所以IPsec不能打reverse-routestatic（地址没照图做）clientcryptoisakmppolicy10authenticationpre-shar©cryptoisakmpkccpalive10periodiccryptoipsectransform-setmysetesp-desesp-md5-hmaccryptomapmymap10ipscc-isakmpsettransform-setmysetInatChaddress101interface1.oopbackOinterfaceFastEthernetO/Ocryptomapmymapiprout©0.0.0.00.0.0.0FastEthernetO/OinternetinterfaceFastEthernetO/OinterfaceFastEthernetIZOcryptomapmymapiproute00.0.00.0.0.0FastEthernetOZOR2interfaceFdStEthernetO/0noshutdowninterfaceEthcrnctIZOnoshutdowninterfaceEthernctIZInoshutdownR3cryptoisakmppolicy10authenticationpre-sharecryptoipsecIransfornrsetmysetesp-descsp-md5-hmaccryptomapmymapIocaI-address1.oopbacklcryptomapmymap10ipsec-isakmpsettransform-setmysetmatchaddress101interface1.oopbackOinterface1.oopbacklinterfaceEthernetO/OcryptomapmymapnoshuinterfaceEthernetOZIcryptomapmymapnoshu好处：IPSecSA被复制到了CrymaP的全部接口，并且同IKE关联起来，链接状态在全部接口之间共享，从而节约了内存和处理资源，复原速度和IPSeC对等体间的路由选择协议收敛一样快，R2Router#showcryptoipsecsainterface:EthcrnetO/Oinboundspsas:spi:0×A67C531D(2793165597)outboundespsas:spi:0xD2A5C98C(3534080396)interface:Ethernet1inboundespsas:spi:0xA67C531D(2793165597)outboundcspsas:spi:0×D2A5C98C(3534080396)Rlttping30.1.1.1source10.1.1.1repeat10000Successrateis88percentPPPM1.VPNhostnameR1cryptoisakmppolicy10authenticationpro-sharecryptoipsectransform-setmysetesp-desesp-md5-hmaccryptomapmymap10ipscc-isakmpsettransform-setmysetwatchaddress101interface1.oopbackOinterfaceFastEthernetOZOnoShutdOMniproute0.0.0.00.0.0.0FastEthernetOZOhostnameR2interfaceMultiIink1pppmu11iIinkpppmu11iIinkgroup1interfaceFastEthernetOZOinterfaceSerial2/0noipaddressencapsulationpppserialrestart-delay0PPPmu11iIinkPPPmu11iIinkgroup1interfaceSeria12/1noipaddressencapsulationpppserialrestart-delay0pppmu11iIinkPPPmu11iIinkgroup1hostnameR3cryptoisakmppolicy10authenticationpre-sharecryptoipsectransform-setmysetesp-desesp-md5-hmaccryptomapmymap10ipscc-isakmpsettransform-setmysetmatchaddress101interface1.oopbackOinterfaceMultiIinklPPPmu11iIinkPPPmu11iIinkgroup1cryptomapmymapinterfaceSeria11/0noipaddressencapsulationpppserialrestart-delay0PPPmu11iIinkPPPmu11iIinkgroup1interfaceSeriall/1noipaddressencapsulationpppserialrestart-delay0pppmu11iIinkPPPmu11iIinkgroup1iproute0.0.0.00.0.0.0MultiIinkl测试高可用测试Routertping30.1.1.1source10.1.1.1repeat1000IIIIUIInIUIIIMHISuccessrateis65percent(21/32)双隧道路由方式hostnameR1cryptoisakmppolicy10cncr3deshashmd5authenticationpre-sharegroup2cryptoipsectransform-setmysetesp-desesp-md5-hmaccryptoipsecprofiIemyprosettransform-setmysetinterface1.oopbackOinterfaceTunneIOtunneImodeipsecipv4tunnelprotectionipsecprofiIcmyprointerfaceTunneHtunneImodeipsecipv4tnneIprotectionipsecprofiIemyprointerfaceEthernotO/Oroutercigrp1Iinccon0exec-timeout00hostnameR2interfaceEthernot00interfaceEthcrnctO/1interfaceEthernet02Iincon0exec-timeout00hostnameR3cryptoisakmppolicy10cncr3dcshashmd5authenticationpre-shar©group2cryptoipsectransform-setmysetesp-dsesp-md5-hmaccryptoipsccprofiIemyprosettransform-setmysetinterfaceTunneIOtunneImodeipsecip4tunnelprotectionipsccprofiIcmyprointerfaceEthernetO/OinterfaceEthernet1routercigrp1noauto-su11waryIinecon0CXCC-timeout00hostnameR4cryptoisakmppolicy10encr3dcshashmd5authenticationpre-sharegroup2cryptoipsectransform-setmysetesp-desesp-md5-hmaccryptoipsccprofiIemyprosettransform-setmysetinterfaceTunncIOtu11ncImodeipsecipv4tunnIprotectionipsecprofiIcmyprointerfaceEthernetO/OinterfaceEthernetOZlrouterCiNrP1Iinccon0cxoc-timcout00hostnameR5interface1.oopbackOinterfaceEthernetO/Oroutereigr1noauto-su1111>aryIinecon0验证：R1#showiproute50.0.00/24D50.1.1.0CXCC-timeout00eigrpissubnetted.1subnets90/297398016via14.1.1.4.00:03:27,Tunnell90/297398016via13.1.1.3.00:03:27,TunneIO3.OO0/24issubnetted.1subnets3.4,5090/29727001690/297270016via14.1.1.4.via13.1.1.3.00:03:27.00:03:27.Tunnel1TunnoIOR5ttshowiproute10.0.00/24D10.1.1.0eigrpissubnetted.1subnets13.0.00/2413. 1.1.014. 0.0.0/2414.1.1.090/297398016via3.4.5.4.90/297398016via3.4.5.3.issubnetted.1subnets90/297270016via3.4.5.3.issubnetted.1subnets90/297270016via3.4.5.4.00:03:36.00:03:36.00:03:51.00:03:36.EthernetO/OEthernetO/OEthernctO/OEthernetO/OTypeescapesequencetoabort.Sending5,100-byteICMPEchosto501.1.1.timeoutis2seconds:Packetsentwithasourceaddressof10.1.11I!Successrateis100percent(5/5).round-tripmiavgma×=16/42/68ms测试高可用：R2(config)#iterfaceethret0/2R2(config-if)#shutdownRlttping50.1.1.1source10.1.1.1repeat10000Typeescapesequencetoabort.Sending10000.100-byteICMPEchosto501.1.1,timeoutis2seconds:Packetsentwithasourceaddressof10.1.11!I!*Mar100:16:09.459:WUA1.-5-NBRCHANGE:IP-EIGRP(O)1:Neighbor14.1.1.4(TunneH)isdown:holdingtimeexpired.!I!Successrateis93percent(100/107)rround-tripmin/avg/max三8/34/96ms优点：支持负载均衡、非等价负载均衡(E6RP.BGP)支持0。S等须要隧道的技术，收敛速度取决于IGP,所以当设备都是CiSCo时，请运用这个代替链路备份。