《IPSecVPN-高可用.docx》由会员分享,可在线阅读,更多相关《IPSecVPN-高可用.docx(9页珍藏版)》请在第壹文秘上搜索。
1、cryptoipsectransfor11r-stmysetcsp-descsp-md5-hmaccryptomapEyEaP10ipsec-isakmsettransform-sotmysetmatchaddress101reverse-routetag10reverse-routestatic因为本地是Standby,即使打了这个吩咐也不会注入路由interfaceFastEthernetOZOstandby1preemptstandby1namehsrpcryptomapIttymaPredundancyhsrpinterfaceFastEthernctIZOrouterOSPf1red
2、istributestaticsubnetsroute-maps2onetwork2.2.2.00.0.0.255area0iproute000.00.0.0.0FaStEthCrnCtO/0route-maps2opermit10matchtag10insideinterfaceFaStEthCrnCto/0routerospf1network2.2,2.00.0.0.255area0链路备份也叫RedgdanCyVPN,是一种常见的解决方案,支持双方首先发起流量并且支持抢占功能链路备份高可用VPN配Si缺点:没有抢占功能,必需R1端先发起流量,由于没有HSRP所以IPsec不能打rever
3、se-routestatic(地址没照图做)clientcryptoisakmppolicy10authenticationpre-sharcryptoisakmpkccpalive10periodiccryptoipsectransform-setmysetesp-desesp-md5-hmaccryptomapmymap10ipscc-isakmpsettransform-setmysetInatChaddress101interface1.oopbackOinterfaceFastEthernetO/Ocryptomapmymapiprout0.0.0.00.0.0.0FastEther
4、netO/OinternetinterfaceFastEthernetO/OinterfaceFastEthernetIZOcryptomapmymapiproute00.0.00.0.0.0FastEthernetOZOR2interfaceFdStEthernetO/0noshutdowninterfaceEthcrnctIZOnoshutdowninterfaceEthernctIZInoshutdownR3cryptoisakmppolicy10authenticationpre-sharecryptoipsecIransfornrsetmysetesp-descsp-md5-hmac
5、cryptomapmymapIocaI-address1.oopbacklcryptomapmymap10ipsec-isakmpsettransform-setmysetmatchaddress101interface1.oopbackOinterface1.oopbacklinterfaceEthernetO/OcryptomapmymapnoshuinterfaceEthernetOZIcryptomapmymapnoshu好处:IPSecSA被复制到了CrymaP的全部接口,并且同IKE关联起来,链接状态在全部接口之间共享,从而节约了内存和处理资源,复原速度和IPSeC对等体间的路由选
6、择协议收敛一样快,R2Router#showcryptoipsecsainterface:EthcrnetO/Oinboundspsas:spi:0A67C531D(2793165597)outboundespsas:spi:0xD2A5C98C(3534080396)interface:Ethernet1inboundespsas:spi:0xA67C531D(2793165597)outboundcspsas:spi:0D2A5C98C(3534080396)Rlttping30.1.1.1source10.1.1.1repeat10000Successrateis88percentPPP
7、M1.VPNhostnameR1cryptoisakmppolicy10authenticationpro-sharecryptoipsectransform-setmysetesp-desesp-md5-hmaccryptomapmymap10ipscc-isakmpsettransform-setmysetwatchaddress101interface1.oopbackOinterfaceFastEthernetOZOnoShutdOMniproute0.0.0.00.0.0.0FastEthernetOZOhostnameR2interfaceMultiIink1pppmu11iIin
8、kpppmu11iIinkgroup1interfaceFastEthernetOZOinterfaceSerial2/0noipaddressencapsulationpppserialrestart-delay0PPPmu11iIinkPPPmu11iIinkgroup1interfaceSeria12/1noipaddressencapsulationpppserialrestart-delay0pppmu11iIinkPPPmu11iIinkgroup1hostnameR3cryptoisakmppolicy10authenticationpre-sharecryptoipsectra
9、nsform-setmysetesp-desesp-md5-hmaccryptomapmymap10ipscc-isakmpsettransform-setmysetmatchaddress101interface1.oopbackOinterfaceMultiIinklPPPmu11iIinkPPPmu11iIinkgroup1cryptomapmymapinterfaceSeria11/0noipaddressencapsulationpppserialrestart-delay0PPPmu11iIinkPPPmu11iIinkgroup1interfaceSeriall/1noipadd
10、ressencapsulationpppserialrestart-delay0pppmu11iIinkPPPmu11iIinkgroup1iproute0.0.0.00.0.0.0MultiIinkl测试高可用测试Routertping30.1.1.1source10.1.1.1repeat1000IIIIUIInIUIIIMHISuccessrateis65percent(21/32)双隧道路由方式hostnameR1cryptoisakmppolicy10cncr3deshashmd5authenticationpre-sharegroup2cryptoipsectransform-se
11、tmysetesp-desesp-md5-hmaccryptoipsecprofiIemyprosettransform-setmysetinterface1.oopbackOinterfaceTunneIOtunneImodeipsecipv4tunnelprotectionipsecprofiIcmyprointerfaceTunneHtunneImodeipsecipv4tnneIprotectionipsecprofiIemyprointerfaceEthernotO/Oroutercigrp1Iinccon0exec-timeout00hostnameR2interfaceEther
12、not00interfaceEthcrnctO/1interfaceEthernet02Iincon0exec-timeout00hostnameR3cryptoisakmppolicy10cncr3dcshashmd5authenticationpre-shargroup2cryptoipsectransform-setmysetesp-dsesp-md5-hmaccryptoipsccprofiIemyprosettransform-setmysetinterfaceTunneIOtunneImodeipsecip4tunnelprotectionipsccprofiIcmyprointe
13、rfaceEthernetO/OinterfaceEthernet1routercigrp1noauto-su11waryIinecon0CXCC-timeout00hostnameR4cryptoisakmppolicy10encr3dcshashmd5authenticationpre-sharegroup2cryptoipsectransform-setmysetesp-desesp-md5-hmaccryptoipsccprofiIemyprosettransform-setmysetinterfaceTunncIOtu11ncImodeipsecipv4tunnIprotection
14、ipsecprofiIcmyprointerfaceEthernetO/OinterfaceEthernetOZlrouterCiNrP1Iinccon0cxoc-timcout00hostnameR5interface1.oopbackOinterfaceEthernetO/Oroutereigr1noauto-su1111aryIinecon0验证:R1#showiproute50.0.00/24D50.1.1.0CXCC-timeout00eigrpissubnetted.1subnets90/297398016via14.1.1.4.00:03:27,Tunnell90/2973980
15、16via13.1.1.3.00:03:27,TunneIO3.OO0/24issubnetted.1subnets3.4,5090/29727001690/297270016via14.1.1.4.via13.1.1.3.00:03:27.00:03:27.Tunnel1TunnoIOR5ttshowiproute10.0.00/24D10.1.1.0eigrpissubnetted.1subnets13.0.00/2413. 1.1.014. 0.0.0/2414.1.1.090/297398016via3.4.5.4.90/297398016via3.4.5.3.issubnetted.1subnets90/297270016via3.4.5.3.issubnetted.1subnets90/297270016via3.4.5.4.00:03:36.00:03:36.00:03:51.
