IPSec VPN High Availability
I. High availability overview
  1. Introduction
  2. High availability techniques
II. Lab
  1. Lab objectives
  2. Lab topology
  3. Lab steps
    1) Basic configuration
    2) Central-site NAT and HSRP configuration
    3) IPSec VPN configuration
    4) Enabling SCTP
    5) Verification
    6) Final configuration
I. High availability overview
1. Introduction
As technology develops, high availability becomes a concern for any technology or network. To meet enterprise production requirements, applying high-availability techniques in the network is essential. Routing HA techniques include HSRP and VRRP; switching HA includes STP and others. IPSec VPN also has its own high-availability mechanisms. This lab introduces the high-availability techniques for IPSec VPN in an enterprise production environment.
2. High availability techniques
- DPD (Dead Peer Detection)
Traditional routing protocols such as OSPF detect whether a peer is alive by sending Hello packets periodically; if the packets sent within a certain period get no response, the peer is considered to have failed.
DPD detects peers on the same principle. DPD has two modes of operation:
1) Periodic mode: a timer sends DPD packets to the peer at fixed intervals to check its state.
Advantage: a failed peer is detected quickly.
Disadvantage: DPD packets are sent frequently and consume network and device resources.
2) On-demand mode: the default DPD mode; DPD messages are sent according to the traffic pattern. When the local router sends encrypted packets to the peer but does not receive and decrypt any packet from the peer within a certain time, it sends a DPD packet to query the peer's state. In this mode a failure may not be noticed until IKE and IPSec SAs need to be established, so it detects problems more slowly.
Advantage: fewer DPD packets are sent, saving resources.
Disadvantage: problems take longer to detect.
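As an added illustration (not from the original article), the following Python model plays out the two DPD modes with the timers this lab configures later (`crypto isakmp keepalive 10 2`: a 10 s keepalive interval and a 2 s retry interval). The retry limit `MAX_RETRIES = 5`, the one-second traffic granularity and all function names are assumptions of the model, not IOS behaviour quoted from the page. It shows the trade-off described above: periodic mode declares a dead peer within a bounded time whether or not traffic flows, while on-demand mode only probes once outbound traffic goes unanswered and never notices a dead peer while the tunnel is idle.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Timers taken from the lab's `crypto isakmp keepalive 10 2 periodic` (seconds).
KEEPALIVE_INTERVAL = 10   # periodic: gap between probes; on-demand: idle time before a probe
RETRY_INTERVAL = 2        # gap between retransmitted probes once one goes unanswered
MAX_RETRIES = 5           # ASSUMPTION of this model: retransmissions before the peer is declared dead


@dataclass
class DpdPeer:
    """DPD state kept by one side of an IKE SA (simplified model, not IOS code)."""
    mode: str                       # "periodic" or "on-demand"
    peer_alive: bool = True         # whether the simulated far end still answers R-U-THERE
    last_inbound: int = 0           # time of last decrypted packet (or DPD ack) from the peer
    last_outbound: int = 0          # time of last encrypted packet sent to the peer
    last_probe: int = 0             # time of last R-U-THERE sent
    outstanding: int = 0            # consecutive unanswered probes
    probes_sent: int = 0
    dead_at: Optional[int] = None   # time the peer was declared dead

    def send_encrypted(self, t: int) -> None:
        self.last_outbound = t

    def receive_decrypted(self, t: int) -> None:
        # Any authenticated traffic from the peer proves liveness and clears pending probes.
        self.last_inbound = t
        self.outstanding = 0

    def tick(self, t: int) -> None:
        """Run the DPD decision once per simulated second."""
        if self.dead_at is not None:
            return
        if self.outstanding:
            # A probe is unanswered: retransmit on the retry timer.
            if t - self.last_probe >= RETRY_INTERVAL:
                self._probe(t)
            return
        if self.mode == "periodic":
            due = t - self.last_probe >= KEEPALIVE_INTERVAL
        else:
            # On-demand: probe only if we have sent traffic more recently than we
            # heard from the peer, and the silence has lasted a full interval.
            due = (self.last_outbound > self.last_inbound
                   and t - self.last_inbound >= KEEPALIVE_INTERVAL
                   and t - self.last_probe >= KEEPALIVE_INTERVAL)
        if due:
            self._probe(t)

    def _probe(self, t: int) -> None:
        self.probes_sent += 1
        self.last_probe = t
        if self.peer_alive:
            self.receive_decrypted(t)          # R-U-THERE-ACK arrives immediately
        else:
            self.outstanding += 1
            if self.outstanding > MAX_RETRIES:
                self.dead_at = t


def simulate(mode: str, peer_dies_at: int, traffic: bool,
             horizon: int = 120) -> Tuple[Optional[int], int]:
    """Return (second the peer was declared dead or None, probes sent).
    traffic=True means the local side sends one encrypted packet every second."""
    p = DpdPeer(mode)
    for t in range(1, horizon + 1):
        if t == peer_dies_at:
            p.peer_alive = False
        if traffic:
            p.send_encrypted(t)
            if p.peer_alive:
                p.receive_decrypted(t)      # the peer's reply is decrypted the same second
        p.tick(t)
    return p.dead_at, p.probes_sent


if __name__ == "__main__":
    for mode in ("periodic", "on-demand"):
        for traffic in (True, False):
            dead, n = simulate(mode, peer_dies_at=30, traffic=traffic)
            print(f"{mode:10s} traffic={traffic!s:5s} dead_at={dead} probes={n}")
```

With the peer failing at second 30, periodic mode declares it dead at second 40 in both the busy and the idle case (one missed probe plus five 2 s retries); on-demand mode with traffic only starts probing after ten silent seconds and declares the peer dead at 49, and with no traffic it never probes at all, which is the slower detection the text warns about.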
- RRI (Reverse Route Injection)
This technique is mainly used in networks with primary and backup links, as in the figure below:
Explanation: when the branch site reaches the central-site server through the primary gateway, an IPSec VPN security association (SA) with a one-hour lifetime is established with the primary gateway router. Outbound data reaches its destination through the primary gateway, but the return traffic has two possible paths. If it comes back through the backup gateway it will certainly fail, because the branch site's IPSec VPN session is with the primary gateway, not the backup one, so packets returned via the backup gateway cannot complete the exchange. RRI (reverse route injection) is introduced for this: once the branch site has established its IPSec VPN session with the primary gateway to reach the central-site server, a static route (the reply path, i.e. the original path) is injected into the central-site devices at the same time, steering the return packets along the correct path (back through the IPSec VPN between the primary gateway and the branch site), which keeps communication working in both directions.
In short, DPD is used to detect a failed gateway, and RRI solves the return-path routing problem.
II. Lab
1. Lab objectives
- Compare with the routing HA technique HSRP and consider the high-availability issues of VPN in real production;
- Understand and master VPN high-availability techniques and their principles;
- Become proficient in implementing IPSec VPN high availability.
2. Lab topology
Explanation: this lab simulates IPSec VPN communication between a branch site and a central site, and covers IPSec VPN NAT traversal, VPN high-availability techniques, HSRP and the SCTP protocol. The NAT device simulates the branch site's border router and is assumed to support only NAT, not IPSec VPN. The Branch device is a secondary edge device inside the branch site (using private addresses); it must support NAT traversal and establish an IPSec security association with the central-site device for the session. Because Branch has a private address, it is mapped to the NAT device's public address and uses that public address to form the peering with the central-site device. Since the NAT device does not support IPSec VPN, it cannot pass ESP (IP protocol 50, the protocol negotiated in VPN phase 2) to the central-site peer; so to form the peering, Branch encapsulates ESP (protocol 50) as UDP 4500 toward the NAT device, which forwards it to the central-site peer. For the central site's primary and backup gateways, to make the simulation more realistic, HSRP is run on both the inside and the outside (bidirectional HSRP; the branch site peers with the virtual gateway), and NAT is configured at the central site. The ISP part is omitted; Inter-SW simulates the Internet switch.
Note: one more protocol, SCTP, is needed for state switchover between primary and backup. Normally, if the primary gateway fails, the IPSec session should switch to the backup device; but because the virtual gateway address is used, the branch site keeps negotiating with that virtual address, and since the primary gateway is down the negotiation breaks, so even though the backup device is usable the negotiation cannot succeed. With SCTP, when the primary gateway fails, the backup gateway has a full copy of the primary's IPSec negotiation state and keeps the IPSec VPN session alive.
3. Lab steps
1) Basic configuration
This part builds the basic network environment for the later steps. OSPF is enabled on the central site's inside network.
Branch configuration
Branch(config)#inter loopback 0
Branch(config-if)#ip add 10.1.1.1 255.255.255.0
Branch(config-if)#inter fa0/0
Branch(config-if)#ip add 192.168.1.1 255.255.255.0
Branch(config-if)#no shut
Branch(config-if)#ip route 0.0.0.0 0.0.0.0 192.168.1.2
NAT configuration
---------- Basic IP configuration ----------
NAT(config)#inter fa0/1
NAT(config-if)#ip add 192.168.1.2 255.255.255.0
NAT(config-if)#no shut
NAT(config-if)#inter fa0/0
NAT(config-if)#ip add 202.100.1.1 255.255.255.0
NAT(config-if)#no shut
NAT(config-if)#ip route 0.0.0.0 0.0.0.0 192.168.1.1
---------- NAT configuration ----------
NAT(config)#access-list 100 deny ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
NAT(config)#access-list 100 permit ip 10.1.1.0 0.0.0.255 any
NAT(config)#access-list 100 permit ip 192.168.1.0 0.0.0.255 any
NAT(config)#ip nat inside source list 100 interface fa0/0 overload
NAT(config)#inter fa0/0
NAT(config-if)#ip nat outside
NAT(config-if)#inter fa0/1
NAT(config-if)#ip nat inside
NAT(config-if)#exit
×××-GW1 configuration
---------- Basic IP configuration ----------
×××-GW1(config)#inter fa0/0
×××-GW1(config-if)#ip add 202.100.1.2 255.255.255.0
×××-GW1(config-if)#no shut
×××-GW1(config-if)#inter fa0/1
×××-GW1(config-if)#ip add 172.16.1.1 255.255.255.0
×××-GW1(config-if)#no shut
×××-GW1(config)#ip route 0.0.0.0 0.0.0.0 202.100.1.1
---------- Enable OSPF ----------
×××-GW1(config)#router ospf 110
×××-GW1(config-router)#router-id 1.1.1.1
×××-GW1(config-router)#net 172.16.1.0 0.0.0.255 area 0
×××-GW1(config-router)#default-information originate   <inject a default route into the inside network>
×××-GW2 configuration
---------- Basic IP configuration ----------
×××-GW2(config)#inter fa0/0
×××-GW2(config-if)#ip add 202.100.1.3 255.255.255.0
×××-GW2(config-if)#no shut
×××-GW2(config-if)#inter fa0/1
×××-GW2(config-if)#ip add 172.16.1.2 255.255.255.0
×××-GW2(config-if)#no shut
×××-GW2(config-if)#ip route 0.0.0.0 0.0.0.0 202.100.1.1
---------- Enable OSPF ----------
×××-GW2(config)#router ospf 110
×××-GW2(config-router)#router-id 2.2.2.2
×××-GW2(config-router)#net 172.16.1.0 0.0.0.255 area 0
×××-GW2(config-router)#default-information originate
×××-GW2(config-router)#exit
Inside configuration
---------- Basic IP configuration ----------
Inside(config)#inter fa1/1
Inside(config-if)#ip add 172.16.1.3 255.255.255.0
Inside(config-if)#no shut
Inside(config-if)#inter loo0
Inside(config-if)#ip add 10.2.2.2 255.255.255.0
Inside(config-if)#no shut
---------- Enable OSPF ----------
Inside(config-if)#router ospf 110
Inside(config-router)#router-id 3.3.3.3
Inside(config-router)#net 172.16.1.0 0.0.0.255 area 0
Inside(config-router)#net 10.2.2.0 0.0.0.255 area 0
Inside(config-router)#exit
2) Central-site NAT and HSRP configuration
×××-GW1 configuration
---------- NAT configuration ----------
×××-GW1(config)#access-list 100 deny ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
×××-GW1(config)#access-list 100 permit ip 10.2.2.0 0.0.0.255 any
×××-GW1(config)#access-list 100 permit ip 172.16.1.0 0.0.0.255 any
×××-GW1(config)#ip nat inside source list 100 interface fastEthernet 0/0 overload
×××-GW1(config)#inter fa0/0
×××-GW1(config-if)#ip nat outside
×××-GW1(config-if)#inter fa0/1
×××-GW1(config-if)#ip nat inside
×××-GW1(config-if)#exit
---------- HSRP configuration ----------
Outside HSRP: provides the VPN backup and raises VPN availability
×××-GW1(config)#inter fa0/0
×××-GW1(config-if)#standby 1 ip 202.100.1.4
×××-GW1(config-if)#standby 1 priority 150
×××-GW1(config-if)#standby 1 preempt
*Nov 18 13:41:36.071: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 1 state Standby -> Active
×××-GW1(config-if)#standby 1 track fastEthernet 0/1 60
×××-GW1(config-if)#standby 1 name HA-outside   <give the HSRP group a name; the redundancy configuration later refers to it>
Inside HSRP: improves the fault tolerance of the inside network
×××-GW1(config)#inte fa0/1
×××-GW1(config-if)#standby 2 name HA-inside
×××-GW1(config-if)#standby 2 ip 172.16.1.4
×××-GW1(config-if)#standby 2 priority 150
×××-GW1(config-if)#standby 2 preempt
*Nov 18 13:46:47.799: %HSRP-5-STATECHANGE: FastEthernet0/1 Grp 2 state Standby -> Active
×××-GW1(config-if)#standby 2 track fastEthernet 0/0 90
×××-GW2 configuration
---------- NAT configuration ----------
×××-GW2(config)#access-list 100 deny ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
×××-GW2(config)#access-list 100 permit ip 10.2.2.0 0.0.0.255 any
×××-GW2(config)#access-list 100 permit ip 172.16.1.0 0.0.0.255 any
×××-GW2(config)#ip nat inside source list 100 interface FastEthernet0/0 overload
×××-GW2(config)#inter fa0/0
×××-GW2(config-if)#ip nat outside
×××-GW2(config-if)#inter fa0/1
×××-GW2(config-if)#ip nat inside
×××-GW2(config-if)#exit
---------- HSRP configuration ----------
×××-GW2(config)#inter fa0/0
×××-GW2(config-if)#standby 1 ip 202.100.1.4
×××-GW2(config-if)#standby 1 track fastEthernet 0/1
*Nov 18 13:43:02.427: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 1 state Speak -> Standby
×××-GW2(config-if)#standby 1 name HA-outside
×××-GW2(config-if)#exit
×××-GW2(config)#inter fa0/1
×××-GW2(config-if)#standby 2 name HA-inside
×××-GW2(config-if)#standby 2 ip 172.16.1.4
×××-GW2(config-if)#standby 2 track fa0/0
×××-GW2(config-if)#exit
3) IPSec VPN configuration
Branch configuration
Branch(config)#crypto isakmp keepalive 10 2 periodic   <enable DPD: send a DPD packet every 10 s; once the peer stops answering, retry every 2 s>
---------- Phase 1 configuration ----------
Branch(config)#crypto isakmp policy 10
Branch(config-isakmp)#authentication pre-share
Branch(config-isakmp)#exit
Branch(config)#crypto isakmp key freeit address 202.100.1.4
---------- Phase 2 configuration ----------
Branch(config)#crypto ipsec transform-set l2l esp-3des esp-md5-hmac
Branch(cfg-crypto-trans)#exit
Branch(config)#ip access-list extended ***
Branch(config-ext-nacl)#permit ip 10.1.1.1 0.0.0.0 10.2.2.2 0.0.0.0
Branch(config-ext-nacl)#exit
Branch(config)#crypto map MAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer and a valid access list have been configured.
Branch(config-crypto-map)#set peer 202.100.1.4
Branch(config-crypto-map)#set transform-set l2l
Branch(config-crypto-map)#match address ***
Branch(config-crypto-map)#exit
Branch(config)#inter fa0/0
Branch(config-if)#crypto map MAP
Branch(config-if)#exit
×××-GW1 configuration
×××-GW1(config)#crypto isakmp keepalive 10 2 periodic
×××-GW1(config)#crypto isakmp policy 10
×××-GW1(config-isakmp)#authentication pre-share
×××-GW1(config-isakmp)#exit
×××-GW1(config)#crypto isakmp key freeit address 202.100.1.1
×××-GW1(config)#crypto ipsec transform-set l2l esp-3des esp-md5-hmac
×××-GW1(cfg-crypto-trans)#exit
×××-GW1(config)#ip access-list extended ***
×××-GW1(config-ext-nacl)#permit ip 10.2.2.2 0.0.0.0 10.1.1.1 0.0.0.0
×××-GW1(config-ext-nacl)#exit
×××-GW1(config)#crypto map MAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer and a valid access list have been configured.
×××-GW1(config-crypto-map)#set peer 202.100.1.1
×××-GW1(config-crypto-map)#set transform-set l2l
×××-GW1(config-crypto-map)#match address ***
×××-GW1(config-crypto-map)#reverse-route   <enable RRI: once the IPSec VPN session is up, inject a reverse route into the inside network to steer the return path>
×××-GW1(config-crypto-map)#exit
×××-GW1(config)#inter fa0/0
×××-GW1(config-if)#crypto map MAP redundancy HA-outside stateful   <apply the crypto map to the interface together with the HSRP group, so traffic fails over between primary and backup when the network has a problem. Either the inside or the outside HSRP group can be referenced here; in a real production environment the outside interface carries more traffic, so referencing the inside HSRP group is recommended>
×××-GW2 configuration
×××-GW2(config)#crypto isakmp keepalive 10 2 periodic
×××-GW2(config)#crypto isakmp policy 10
×××-GW2(config-isakmp)#authentication pre-share
×××-GW2(config-isakmp)#exit
×××-GW2(config)#crypto isakmp key freeit address 202.100.1.1
×××-GW2(config)#crypto ipsec transform-set l2l esp-3des esp-md5-hmac
×××-GW2(cfg-crypto-trans)#exit
×××-GW2(config)#ip access-list extended ***
×××-GW2(config-ext-nacl)#permit ip host 10.2.2.2 host 10.1.1.1
×××-GW2(config-ext-nacl)#exit
×××-GW2(config)#crypto map MAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer and a valid access list have been configured.
×××-GW2(config-crypto-map)#set peer 202.100.1.1
×××-GW2(config-crypto-map)#set transform-set l2l
×××-GW2(config-crypto-map)#match address ***
×××-GW2(config-crypto-map)#reverse-route
×××-GW2(config-crypto-map)#exit
×××-GW2(config)#inter fa0/0
×××-GW2(config-if)#crypto map MAP redundancy HA-outside stateful
×××-GW2(config-if)#exit
4) Enabling SCTP
The branch site's encrypting device negotiates with the central site's virtual gateway. So normally, even if the primary gateway fails, the negotiation state lives on that device: until the IPSec SA lifetime expires every IPSec VPN session is interrupted and nothing switches to the backup gateway, which holds no negotiation state. With SCTP, when the primary gateway fails, the backup gateway, which has been listening all along, copies the primary's complete negotiation state to itself and keeps the IPSec VPN session going without waiting for the one-hour IPSec SA lifetime to expire. The configuration follows; after it is entered the devices must be cold-rebooted:
×××-GW1 configuration
×××-GW1(config)#redundancy inter-device
×××-GW1(config-red-interdevice)#scheme standby HA-outside   <the primary and backup gateways use the HSRP group for redundancy>
×××-GW1(config)#ipc zone default
×××-GW1(config-ipczone)#association 1
×××-GW1(config-ipczone-assoc)#no shut
×××-GW1(config-ipczone-assoc)#protocol sctp
×××-GW1(config-ipc-protocol-sctp)#local-port 5000
×××-GW1(config-ipc-local-sctp)#local-ip 172.16.1.1
×××-GW1(config-ipc-protocol-sctp)#remote-port 5000
×××-GW1(config-ipc-remote-sctp)#remote-ip 172.16.1.2
×××-GW1(config-ipc-remote-sctp)#end
×××-GW2 configuration
×××-GW2(config)#redundancy inter-device
×××-GW2(config-red-interdevice)#scheme standby HA-outside
% Standby scheme configuration cannot be processed now group HA-outside is not in active state   <takes effect after a reboot>
×××-GW2(config-red-interdevice)#exit
×××-GW2(config)#ipc zone default
×××-GW2(config-ipczone)#association 1
×××-GW2(config-ipczone-assoc)#no shut
×××-GW2(config-ipczone-assoc)#protocol sctp
×××-GW2(config-ipc-protocol-sctp)#local-port 5000
×××-GW2(config-ipc-local-sctp)#local-ip 172.16.1.2
×××-GW2(config-ipc-local-sctp)#exit
×××-GW2(config-ipc-protocol-sctp)#remote-port 5000
×××-GW2(config-ipc-remote-sctp)#remote-ip 172.16.1.1
×××-GW2(config-ipc-remote-sctp)#end
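The inter-device configuration only works when the two gateways mirror each other: the same `scheme standby` group, `protocol sctp`, and each side's `local-ip`/`local-port` equal to the other side's `remote-ip`/`remote-port`. The following Python checker is an added example, not part of the original article; its function names are my own. It parses the `redundancy inter-device` and `ipc zone default` stanzas out of two running-configs and lists every mismatch. The first two inputs are constructed from the ×××-GW1 and ×××-GW2 commands just shown (indented the way IOS prints them); the third reproduces the `ipc zone` stanza as it appears in ×××-GW2's final running-config at the end of this article, where `local-ip` is absent and `remote-ip` is 172.16.1.2, to show what the checker catches.

```python
import re
from typing import Dict, List, Optional

# Sample running-config stanzas constructed from the lab's ×××-GW1 / ×××-GW2
# SCTP configuration above (not captures from a device).
GW1_CONFIG = """\
redundancy inter-device
 scheme standby HA-outside
!
ipc zone default
 association 1
  no shutdown
  protocol sctp
   local-port 5000
    local-ip 172.16.1.1
   remote-port 5000
    remote-ip 172.16.1.2
!
"""

GW2_CONFIG = """\
redundancy inter-device
 scheme standby HA-outside
!
ipc zone default
 association 1
  no shutdown
  protocol sctp
   local-port 5000
    local-ip 172.16.1.2
   remote-port 5000
    remote-ip 172.16.1.1
!
"""

# The ipc zone stanza as printed in ×××-GW2's final running-config in this article:
# no local-ip, and remote-ip pointing at 172.16.1.2 (GW2's own inside address).
GW2_AS_SHOWN = """\
redundancy inter-device
 scheme standby HA-outside
!
ipc zone default
 association 1
  no shutdown
  protocol sctp
   local-port 5000
   remote-port 5000
    remote-ip 172.16.1.2
!
"""

FIELDS = ("scheme", "protocol", "local-ip", "local-port", "remote-ip", "remote-port")


def parse_sctp_redundancy(config: str) -> Dict[str, Optional[str]]:
    """Pull the inter-device redundancy scheme and the SCTP association parameters
    out of an IOS running-config. A stanza ends at '!' or at the next top-level line."""
    found: Dict[str, Optional[str]] = {k: None for k in FIELDS}
    stanza = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            stanza = None
            continue
        if not raw.startswith(" "):                 # top-level command
            if line.startswith("redundancy inter-device"):
                stanza = "redundancy"
            elif line.startswith("ipc zone default"):
                stanza = "ipc"
            else:
                stanza = None
            continue
        if stanza == "redundancy":
            m = re.match(r"scheme standby (\S+)$", line)
            if m:
                found["scheme"] = m.group(1)
        elif stanza == "ipc":
            m = re.match(r"(protocol|local-ip|local-port|remote-ip|remote-port) (\S+)$", line)
            if m:
                found[m.group(1)] = m.group(2)
    return found


def check_pair(cfg_a: str, cfg_b: str) -> List[str]:
    """Return the inconsistencies between the two gateways' SCTP/redundancy settings
    (an empty list means the pair is correctly mirrored)."""
    a, b = parse_sctp_redundancy(cfg_a), parse_sctp_redundancy(cfg_b)
    problems: List[str] = []
    for name, f in (("A", a), ("B", b)):
        problems += [f"{name}: missing {k}" for k in FIELDS if f[k] is None]
        if f["protocol"] not in (None, "sctp"):
            problems.append(f"{name}: protocol {f['protocol']} is not sctp")
        if f["local-ip"] is not None and f["local-ip"] == f["remote-ip"]:
            problems.append(f"{name}: local-ip equals remote-ip")
    if a["scheme"] and b["scheme"] and a["scheme"] != b["scheme"]:
        problems.append(f"scheme differs: {a['scheme']} vs {b['scheme']}")
    # Each side's local-* must equal the other side's remote-*.
    for local, remote in (("local-ip", "remote-ip"), ("local-port", "remote-port")):
        for x, y, nx, ny in ((a, b, "A", "B"), (b, a, "B", "A")):
            if x[local] and y[remote] and x[local] != y[remote]:
                problems.append(f"{nx} {local} {x[local]} != {ny} {remote} {y[remote]}")
    return problems


if __name__ == "__main__":
    print("lab pair:", check_pair(GW1_CONFIG, GW2_CONFIG) or "consistent")
    print("as shown in final config:", check_pair(GW1_CONFIG, GW2_AS_SHOWN))
```

The lab pair passes cleanly; the pair built from the final running-config is reported with a missing `local-ip` on ×××-GW2 and an `172.16.1.1 != 172.16.1.2` mismatch between ×××-GW1's local address and ×××-GW2's remote address, which is exactly the kind of asymmetry that leaves the standby unable to receive checkpointed SA state.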
5) Verification
Ping the central site's virtual gateway from Branch and check the NAT translations
---------- Send ICMP from Branch ----------
Branch#ping 202.100.1.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.1.4, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 124/136/156 ms
---------- Check translations on NAT ----------
NAT#sho ip nat tr
Pro  Inside global      Inside local       Outside local      Outside global
icmp 202.100.1.1:4     192.168.1.1:4      202.100.1.4:4      202.100.1.4:4
First look at the routing table on the central-site device Inside
Inside#sho ip ro
...... (omitted) ......
O*E2  0.0.0.0/0 [110/1] via 172.16.1.2, 00:27:58, FastEthernet1/1
                [110/1] via 172.16.1.1, 00:00:30, FastEthernet1/1
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.2.2.0/24 is directly connected, Loopback0
L        10.2.2.2/32 is directly connected, Loopback0
      172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.16.1.0/24 is directly connected, FastEthernet1/1
L        172.16.1.3/32 is directly connected, FastEthernet1/1
<no route to Branch's private network yet>
Ping from Branch to test IPSec VPN communication, then take the primary gateway down to verify that the backup gateway takes over
---------- Send repeated ICMP from Branch ----------
Branch#ping 10.2.2.2 source loopback 0 repeat 1000
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 10.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!
---------- View IPSec SAs on the primary gateway ----------
×××-GW1#sho cry ips sa
interface: FastEthernet0/0
    Crypto map tag: MAP, local addr 202.100.1.4

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.2.2.2/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (10.1.1.1/255.255.255.255/0/0)
   current_peer 202.100.1.1 port 4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 222, #pkts decrypt: 222, #pkts verify: 222
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 15

     local crypto endpt.: 202.100.1.4, remote crypto endpt.: 202.100.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x4676FC90(1182203024)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x892DB9C5(2301475269)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 7, flow_id: SW:7, sibling_flags 80000040, crypto map: MAP
        sa timing: remaining key lifetime (k/sec): (4182733/3591)
        HA KB life last checkpointed at (k): (4147200)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x4676FC90(1182203024)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 8, flow_id: SW:8, sibling_flags 80000040, crypto map: MAP
        sa timing: remaining key lifetime (k/sec): (4182736/3591)
        HA KB life last checkpointed at (k): (0)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:
<the output shows that the primary gateway is carrying the traffic>
---------- View Inside's routing table ----------
Inside#sho ip ro
...... (omitted) ......
Gateway of last resort is 172.16.1.2 to network 0.0.0.0

O*E2  0.0.0.0/0 [110/1] via 172.16.1.2, 00:28:10, FastEthernet1/1
                [110/1] via 172.16.1.1, 00:00:42, FastEthernet1/1
      10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
O E2     10.1.1.1/32 [110/20] via 172.16.1.1, 00:00:08, FastEthernet1/1
C        10.2.2.0/24 is directly connected, Loopback0
L        10.2.2.2/32 is directly connected, Loopback0
      172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.16.1.0/24 is directly connected, FastEthernet1/1
L        172.16.1.3/32 is directly connected, FastEthernet1/1
<after the SA is established the route is injected, steering the return packets>
---------- View IPSec SAs on the backup gateway ----------
×××-GW2#sho cry ip sa
interface: FastEthernet0/0
    Crypto map tag: MAP, local addr 202.100.1.4

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.2.2.2/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (10.1.1.1/255.255.255.255/0/0)
   current_peer 202.100.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 202.100.1.4, remote crypto endpt.: 202.100.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:
<the output shows that the backup gateway is not carrying IPSec traffic at this point>
---------- Shut down the primary gateway's interface ----------
×××-GW1(config)#inter fa0/0
×××-GW1(config-if)#shut
×××-GW1(config-if)#
*Nov 18 16:32:34.335: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 1 state Active -> Init
×××-GW1(config-if)#
*Nov 18 16:32:36.319: %LINK-5-CHANGED: Interface FastEthernet0/0, changed state to administratively down
*Nov 18 16:32:37.319: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down
---------- Check the ping on Branch ----------
Branch#ping 10.2.2.2 source loopback 0 repeat 1000
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 10.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!........................!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
<when the primary gateway is shut down the ICMP stream is briefly interrupted; after DPD confirms the failure, traffic switches to the backup link and the ICMP packets keep the IPSec SA alive>
---------- View IPSec SAs on the backup gateway ----------
×××-GW2#sho cry ip sa
interface: FastEthernet0/0
    Crypto map tag: MAP, local addr 202.100.1.4

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.2.2.2/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (10.1.1.1/255.255.255.255/0/0)
   current_peer 202.100.1.1 port 4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 99, #pkts decrypt: 99, #pkts verify: 99
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 6

     local crypto endpt.: 202.100.1.4, remote crypto endpt.: 202.100.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x222CD346(573363014)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xE1AF1A77(3786349175)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 3, flow_id: SW:3, sibling_flags 80000040, crypto map: MAP
        sa timing: remaining key lifetime (k/sec): (4375158/3562)
        HA KB life last checkpointed at (k): (4147200)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x222CD346(573363014)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 4, flow_id: SW:4, sibling_flags 80000040, crypto map: MAP
        sa timing: remaining key lifetime (k/sec): (4375175/3562)
        HA KB life last checkpointed at (k): (0)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:
<after the primary gateway is disconnected, the backup gateway starts receiving its IPSec SA state and keeps the session established>
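To make the three captures above machine-checkable, here is an added Python example (not part of the original article; function and field names are my own). It parses the parts of `show crypto ipsec sa` that matter for a failover test: the virtual address, the peer and its port, the packet counters, the ESP SPIs and the UDP-Encaps flag, and then compares the SAs the active gateway held before the switchover with what the former standby holds afterwards. The inputs are trimmed copies of the outputs shown above, embedded as sample data. Stateful failover checkpoints the SAs to the standby, so a checkpointed session shows the same SPIs on both gateways. Run on these captures the report gives `sa_state_carried_over` as False: ×××-GW2 held no SAs at all before the switchover, and its SPIs afterwards (0xE1AF1A77 / 0x222CD346) differ from the ones ×××-GW1 had (0x892DB9C5 / 0x4676FC90), which indicates a fresh negotiation after DPD rather than a carried-over SA; the run of dots in the ping output above is consistent with that.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Trimmed `show crypto ipsec sa` captures constructed from the three outputs above
# (×××-GW1 before the switchover, ×××-GW2 before, ×××-GW2 after). Sample input only.
GW1_BEFORE = """\
interface: FastEthernet0/0
    Crypto map tag: MAP, local addr 202.100.1.4
   current_peer 202.100.1.1 port 4500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 222, #pkts decrypt: 222, #pkts verify: 222
     inbound esp sas:
      spi: 0x892DB9C5(2301475269)
        in use settings ={Tunnel UDP-Encaps, }
        Status: ACTIVE(ACTIVE)
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x4676FC90(1182203024)
        in use settings ={Tunnel UDP-Encaps, }
        Status: ACTIVE(ACTIVE)
     outbound ah sas:
     outbound pcp sas:
"""
GW2_BEFORE = """\
interface: FastEthernet0/0
    Crypto map tag: MAP, local addr 202.100.1.4
   current_peer 202.100.1.1 port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
     inbound esp sas:
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
     outbound ah sas:
     outbound pcp sas:
"""
GW2_AFTER = """\
interface: FastEthernet0/0
    Crypto map tag: MAP, local addr 202.100.1.4
   current_peer 202.100.1.1 port 4500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 99, #pkts decrypt: 99, #pkts verify: 99
     inbound esp sas:
      spi: 0xE1AF1A77(3786349175)
        in use settings ={Tunnel UDP-Encaps, }
        Status: ACTIVE(ACTIVE)
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x222CD346(573363014)
        in use settings ={Tunnel UDP-Encaps, }
        Status: ACTIVE(ACTIVE)
     outbound ah sas:
     outbound pcp sas:
"""


@dataclass
class IpsecSaView:
    local_addr: str = ""
    peer: str = ""
    peer_port: Optional[int] = None
    pkts_encaps: int = 0
    pkts_decaps: int = 0
    inbound_spi: List[str] = field(default_factory=list)
    outbound_spi: List[str] = field(default_factory=list)
    udp_encaps: bool = False

    @property
    def nat_t(self) -> bool:
        """NAT traversal in use: peer seen on UDP 4500 and/or ESP marked UDP-Encaps."""
        return self.peer_port == 4500 or self.udp_encaps

    @property
    def has_sas(self) -> bool:
        return bool(self.inbound_spi and self.outbound_spi)


def parse_show_crypto_ipsec_sa(text: str) -> IpsecSaView:
    """Extract peer, NAT-T, packet counters and ESP SPIs from one crypto-map entry."""
    v = IpsecSaView()
    section = None                      # "in" / "out" while inside an esp sas list
    for raw in text.splitlines():
        s = raw.strip()
        m = re.search(r"local addr (\S+)", s)
        if m:
            v.local_addr = m.group(1)
            continue
        m = re.match(r"current_peer (\S+) port (\d+)", s)
        if m:
            v.peer, v.peer_port = m.group(1), int(m.group(2))
            continue
        m = re.match(r"#pkts (encaps|decaps): (\d+)", s)
        if m:
            setattr(v, f"pkts_{m.group(1)}", int(m.group(2)))
            continue
        if s.startswith("inbound esp sas"):
            section = "in"
        elif s.startswith("outbound esp sas"):
            section = "out"
        elif s.endswith("sas:"):        # ah / pcp lists: leave the esp section
            section = None
        elif section and s.startswith("spi: "):
            spi = s.split()[1].split("(")[0]      # "0x892DB9C5(2301475269)" -> "0x892DB9C5"
            (v.inbound_spi if section == "in" else v.outbound_spi).append(spi)
        elif "UDP-Encaps" in s:
            v.udp_encaps = True
    return v


def failover_report(active_before: IpsecSaView, standby_after: IpsecSaView) -> Dict[str, bool]:
    """Compare the SAs the active gateway held before the switchover with what the
    former standby holds afterwards. Stateful failover checkpoints the SAs, so the
    standby shows the same SPIs; new SPIs mean the branch renegotiated a fresh SA."""
    same_spis = (active_before.inbound_spi == standby_after.inbound_spi
                 and active_before.outbound_spi == standby_after.outbound_spi)
    return {
        "same_virtual_address": active_before.local_addr == standby_after.local_addr,
        "nat_t_after": standby_after.nat_t,
        "standby_now_passing_traffic": standby_after.pkts_decaps + standby_after.pkts_encaps > 0,
        "sa_state_carried_over": standby_after.has_sas and same_spis,
    }


if __name__ == "__main__":
    before = parse_show_crypto_ipsec_sa(GW1_BEFORE)
    print("standby had SAs before switchover:", parse_show_crypto_ipsec_sa(GW2_BEFORE).has_sas)
    print(failover_report(before, parse_show_crypto_ipsec_sa(GW2_AFTER)))
```

The check a practitioner wants here is the SPI comparison: `same_virtual_address`, `nat_t_after` and `standby_now_passing_traffic` are all True on these captures, so the HSRP part of the design worked, but only identical SPIs on the standby prove that the SCTP checkpointing carried the SA over rather than DPD triggering a new negotiation.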
6) Final configuration
Branch:
Branch#sho running-config
Building configuration…
Current configuration : 1434 bytes
!
upgrade fpd auto
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Branch
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
!
!
!
!
!
!
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
redundancy
!
!
ip tcp synwait-time 5
!
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key freeit address 202.100.1.4
crypto isakmp keepalive 10 periodic
!
!
crypto ipsec transform-set l2l esp-3des esp-md5-hmac
mode tunnel
!
!
!
crypto map MAP 10 ipsec-isakmp
set peer 202.100.1.4
set transform-set l2l
match address ***
!
!
!
!
!
!
interface Loopback0
ip address 10.1.1.1 255.255.255.0
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
crypto map MAP
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip route 0.0.0.0 0.0.0.0 192.168.1.2
!
ip access-list extended ***
permit ip host 10.1.1.1 host 10.2.2.2
!
!
!
!
control-plane
!
!
!
mgcp profile default
!
!
!
gatekeeper
shutdown
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
transport input all
!
!
end
NAT:
NAT#sho running-config
Building configuration…
Current configuration : 1310 bytes
!
upgrade fpd auto
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname NAT
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
!
!
!
!
!
!
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
redundancy
!
!
ip tcp synwait-time 5
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 202.100.1.1 255.255.255.0
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.1.2 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 100 interface FastEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
access-list 100 deny ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
!
!
!
control-plane
!
!
!
mgcp profile default
!
!
!
gatekeeper
shutdown
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
transport input all
!
!
end
×××-GW1
×××-GW1#sho running-config
Building configuration…
Current configuration : 2390 bytes
!
! Last configuration change at 16:53:56 UTC Tue Nov 18 2014
upgrade fpd auto
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ×××-GW1
!
boot-start-marker
boot-end-marker
!
!
!
!
ipc zone default
association 1
no shutdown
protocol sctp
local-port 5000
local-ip 172.16.1.1
remote-port 5000
remote-ip 172.16.1.2
!
no aaa new-model
no ip icmp rate-limit unreachable
!
!
!
!
!
!
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
redundancy inter-device
scheme standby HA-outside
!
!
redundancy
!
!
ip tcp synwait-time 5
!
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key freeit address 202.100.1.1
crypto isakmp keepalive 10 periodic
!
!
crypto ipsec transform-set l2l esp-3des esp-md5-hmac
mode tunnel
!
!
!
crypto map MAP 10 ipsec-isakmp
set peer 202.100.1.1
set transform-set l2l
match address ***
reverse-route
!
!
!
!
!
!
interface FastEthernet0/0
ip address 202.100.1.2 255.255.255.0
ip nat outside
ip virtual-reassembly in
standby 1 ip 202.100.1.4
standby 1 priority 150
standby 1 preempt
standby 1 name HA-outside
standby 1 track 1 decrement 60
duplex auto
speed auto
crypto map MAP redundancy HA-outside stateful
!
interface FastEthernet0/1
ip address 172.16.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
standby 2 ip 172.16.1.4
standby 2 priority 150
standby 2 preempt
standby 2 name HA-inside
standby 2 track 2 decrement 90
duplex auto
speed auto
!
router ospf 110
router-id 1.1.1.1
redistribute static subnets
network 172.16.1.0 0.0.0.255 area 0
default-information originate
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 100 interface FastEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 202.100.1.1
!
ip access-list extended ***
permit ip host 10.2.2.2 host 10.1.1.1
!
access-list 100 permit ip host 10.2.2.2 any
access-list 100 permit ip 172.16.1.0 0.0.0.255 any
access-list 100 deny ip host 10.2.2.2 host 10.1.1.1
!
!
!
control-plane
!
!
!
mgcp profile default
!
!
!
gatekeeper
shutdown
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
transport input all
!
!
end
×××-GW2
×××-GW2#sho running-config
Building configuration…
Current configuration : 2280 bytes
!
! Last configuration change at 16:53:49 UTC Tue Nov 18 2014
upgrade fpd auto
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ×××-GW2
!
boot-start-marker
boot-end-marker
!
!
!
!
ipc zone default
association 1
no shutdown
protocol sctp
local-port 5000
remote-port 5000
remote-ip 172.16.1.2
!
no aaa new-model
no ip icmp rate-limit unreachable
!
!
!
!
!
!
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
redundancy inter-device
scheme standby HA-outside
!
!
redundancy
!
!
ip tcp synwait-time 5
!
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key freeit address 202.100.1.1
crypto isakmp keepalive 10 periodic
!
!
crypto ipsec transform-set l2l esp-3des esp-md5-hmac
mode tunnel
!
!
!
crypto map MAP 10 ipsec-isakmp
set peer 202.100.1.1
set transform-set l2l
match address ***
reverse-route
!
!
!
!
!
!
interface FastEthernet0/0
ip address 202.100.1.3 255.255.255.0
ip nat outside
ip virtual-reassembly in
standby 1 ip 202.100.1.4
standby 1 name HA-outside
standby 1 track 1 decrement 10
duplex auto
speed auto
crypto map MAP redundancy HA-outside stateful
!
interface FastEthernet0/1
ip address 172.16.1.2 255.255.255.0
ip nat inside
ip virtual-reassembly in
standby 2 ip 172.16.1.4
standby 2 name HA-inside
standby 2 track 2 decrement 10
duplex auto
speed auto
!
router ospf 110
router-id 2.2.2.2
redistribute static subnets
network 172.16.1.0 0.0.0.255 area 0
default-information originate
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 100 interface FastEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 202.100.1.1
!
ip access-list extended ***
permit ip host 10.2.2.2 host 10.1.1.1
!
access-list 100 permit ip host 10.2.2.2 any
access-list 100 permit ip 172.16.1.0 0.0.0.255 any
access-list 100 deny ip host 10.2.2.2 host 10.1.1.1
!
!
!
control-plane
!
!
!
mgcp profile default
!
!
!
gatekeeper
shutdown
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
transport input all
!
!
end
Inside
Inside#sho running-config
Building configuration…
Current configuration : 1353 bytes
!
! Last configuration change at 16:53:38 UTC Tue Nov 18 2014
upgrade fpd auto
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Inside
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
!
!
!
!
!
!
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
redundancy
!
!
ip tcp synwait-time 5
!
!
!
!
!
!
!
!
!
!
interface Loopback0
ip address 10.2.2.2 255.255.255.0
!
interface Ethernet0/0
no ip address
shutdown
duplex auto
!
interface GigabitEthernet0/0
no ip address
shutdown
duplex full
speed 1000
media-type gbic
negotiation auto
!
interface FastEthernet1/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet1/1
ip address 172.16.1.3 255.255.255.0
duplex auto
speed auto
!
router ospf 110
router-id 3.3.3.3
network 10.2.2.0 0.0.0.255 area 0
network 172.16.1.0 0.0.0.255 area 0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
!
!
!
!
control-plane
!
!
!
mgcp profile default
!
!
!
gatekeeper
shutdown
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
transport input all
!
!
end
Reposted from: https://blog.51cto.com/380531251/1579231
Published by: 全栈程序员-用户IM; please credit the source when reposting: https://javaforall.cn/109652.html Original link: https://javaforall.cn