IPSec VPN High Availability

Contents

I. High availability overview
  1. Introduction
  2. High availability techniques
II. Lab
  1. Objectives
  2. Topology
  3. Procedure
    1) Basic configuration
    2) Hub-site NAT and HSRP configuration
    3) IPSec VPN configuration
    4) Enabling SCTP
    5) Verification
    6) Final configurations

 


 

I. High availability overview

1. Introduction

As technology matures, high availability becomes a concern for every technology and network in use, and applying high-availability techniques in the network is essential to meet enterprise production requirements. Routing has HSRP and VRRP, switching has STP, and the IPSec VPN feature set has high-availability mechanisms of its own. This lab covers the high-availability techniques for IPSec VPN in an enterprise production environment.

 

2. High availability techniques

  • DPD (Dead Peer Detection)

Traditional routing protocols such as OSPF send Hello packets periodically to probe whether a neighbor is alive; if the packets sent during the dead interval get no response, the neighbor is considered down.

DPD applies the same principle to an IKE peer. It has two modes of operation:

1) Periodic mode: a timer sends DPD messages (R-U-THERE) to the peer at a fixed interval, whether or not there is traffic.

     Advantage: a failed peer is detected quickly.

     Disadvantage: DPD messages are sent constantly, consuming bandwidth and device resources.

2) On-demand mode (the default): DPD messages are sent only when traffic calls for them. When the local router has sent encrypted packets to the peer but has received and decrypted nothing from the peer within the configured interval, it sends a DPD message to query the peer's state. With no traffic to send, nothing is probed, so a dead peer on an idle tunnel may not be noticed until traffic resumes or the IKE/IPSec SA lifetime expires; detection is therefore slower than in periodic mode.

      Advantage: fewer DPD messages, saving resources.

      Disadvantage: a failure takes longer to detect.

  • RRI (Reverse Route Injection)

RRI is used mainly in networks that have a primary and a backup gateway, as in the figure below:

[Figure: branch site reaching the hub-site server through a primary gateway, with a backup gateway beside it]

Explanation: when the branch site reaches the hub-site server through the primary gateway, the branch builds its IPSec VPN security association (SA) with the primary gateway router, with a lifetime of one hour. Outbound traffic travels through the primary gateway to its destination, but the return traffic has two paths to choose from. If it returns through the backup gateway it cannot succeed: the branch's IPSec VPN SA exists with the primary gateway, not with the backup, so packets sent back via the backup gateway cannot be encrypted for the branch. RRI addresses this. Once the branch has established the IPSec VPN session with the primary gateway and reached the hub-site server, the primary gateway injects a static route for the branch's protected network into the hub site (the reply path, i.e. the original path), steering the return packets back through the gateway that holds the IPSec VPN SA with the branch, so that traffic flows in both directions.

In short, DPD is used to detect a failed gateway, and RRI solves the return-path routing problem.
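To make the two DPD modes concrete, here is an added example (it is not part of the original lab) that models how long each mode takes to declare a peer dead with the timers this lab uses later (keepalive interval 10 s, retry 2 s). The number of unanswered retransmits before the peer is declared dead is an assumed parameter (max_retries), and the model assumes a live peer answers each packet within the same second; both assumptions are marked in the code.

```python
"""Model of DPD detection latency: periodic vs on-demand mode.

Added example, not part of the original lab. Timers follow
`crypto isakmp keepalive 10 2 periodic` (interval 10 s, retry 2 s);
max_retries is an ASSUMED parameter, not read from the device.
"""
import math
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class DpdConfig:
    interval: int = 10      # seconds between probes (keepalive interval)
    retry: int = 2          # seconds between retransmits once a probe is unanswered
    max_retries: int = 5    # ASSUMPTION: unanswered retransmits before the peer is declared dead


def declared_dead_at(first_unanswered_probe: int, cfg: DpdConfig) -> int:
    """An unanswered probe is retransmitted every cfg.retry seconds; after
    cfg.max_retries unanswered retransmits the IKE/IPSec SAs are torn down."""
    return first_unanswered_probe + cfg.retry * cfg.max_retries


def periodic_detect_time(t_dead: int, cfg: DpdConfig = DpdConfig()) -> int:
    """Periodic mode: probes go out at interval, 2*interval, ... regardless of traffic.
    Returns the absolute time (s) at which the peer is declared dead."""
    # The first probe sent at or after the moment the peer died is the first unanswered one.
    first_unanswered = max(cfg.interval, math.ceil(t_dead / cfg.interval) * cfg.interval)
    return declared_dead_at(first_unanswered, cfg)


def on_demand_detect_time(t_dead: int, outbound_times: Iterable[int],
                          cfg: DpdConfig = DpdConfig()) -> Optional[int]:
    """On-demand mode: a probe is sent only when the router has outbound traffic
    and has heard nothing from the peer for cfg.interval seconds.
    Returns the time the peer is declared dead, or None if it is never probed."""
    sends = sorted(outbound_times)
    # ASSUMPTION: while alive, the peer answers each packet within the same second,
    # so the last packet sent before t_dead is also the last one received from it.
    # If nothing was sent before t_dead, the IKE exchange that built the SA (t=0) counts.
    last_rx = max((t for t in sends if t < t_dead), default=0)
    for t in sends:
        if t >= t_dead and t - last_rx >= cfg.interval:
            return declared_dead_at(t, cfg)   # retransmits need no further traffic
    return None


def compare_modes(t_dead: int, outbound_times: Iterable[int],
                  cfg: DpdConfig = DpdConfig()) -> dict:
    """Detection latency (seconds after t_dead) of both modes on the same scenario."""
    periodic = periodic_detect_time(t_dead, cfg)
    on_demand = on_demand_detect_time(t_dead, outbound_times, cfg)
    return {
        "periodic_latency": periodic - t_dead,
        "on_demand_latency": None if on_demand is None else on_demand - t_dead,
    }


if __name__ == "__main__":
    # Peer dies at t=23 s. Three constructed traffic patterns from the local router:
    print(compare_modes(23, [5, 15, 25, 35, 45]))   # steady traffic: both modes detect quickly
    print(compare_modes(23, [5, 15, 100]))          # idle tunnel: on-demand waits for the next packet
    print(compare_modes(23, [5, 15]))               # no more traffic: on-demand never probes
```

The idle-tunnel case is the one that matters for a hub: with on-demand DPD a branch that stops sending will not notice a failed hub gateway until its next packet, whereas periodic mode bounds the detection time at roughly interval + retry * max_retries.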

 

II. Lab

1. Objectives

  • Compare with HSRP, the high-availability technique used in routing, and consider the high-availability problems a VPN faces in production;

  • Understand the high-availability techniques used with VPNs and the principles behind them;

  • Become proficient at implementing IPSec VPN high availability.

2. Topology

[Figure: lab topology (Branch, NAT, Inter-SW, VPN-GW1, VPN-GW2, Inside)]

Explanation: this lab simulates IPSec VPN communication between a branch site and a hub site. It covers IPSec VPN NAT traversal, VPN high-availability techniques, HSRP and SCTP. The NAT device simulates the branch site's border router and is assumed to support only NAT, not IPSec VPN. Branch is a secondary edge device inside the branch network (using private addresses); it must support NAT traversal and builds the IPSec security association with the hub-site device. Because Branch has a private address, it is translated to the NAT device's public address and uses that public address to form the peer relationship with the hub-site gateway. The NAT device does not support IPSec VPN, so it cannot forward ESP (IP protocol 50, the phase 2 data protocol, which carries no port numbers for PAT to rewrite) to the hub-site peer; Branch therefore uses NAT traversal and encapsulates ESP in UDP port 4500 before sending it to the NAT device, which forwards it to the hub-site peer. To make the hub site more realistic, the primary and backup gateways run HSRP on both their inside and outside interfaces (bidirectional HSRP; the branch peers with the outside virtual address), and NAT is configured at the hub site as well. The ISP is omitted; Inter-SW simulates the Internet switch.

Note: one more protocol is needed for active/standby state switchover: SCTP. Without it, when the primary gateway fails the HSRP virtual address moves to the backup, but the IKE and IPSec SAs were negotiated on, and exist only on, the primary. The branch keeps sending to the same virtual address, so its encrypted traffic now reaches the backup, which has no SA for it, and the session stays broken until the branch detects the failure and renegotiates from scratch. With SCTP-based stateful failover, the backup gateway continuously receives a complete copy of the primary's IPSec negotiation state; when the primary fails, the backup continues the IPSec VPN session with the SAs it already holds.

 

 

 

3. Procedure

1) Basic configuration

This part builds the basic network environment for the steps that follow. OSPF is enabled in the hub-site internal network.

Branch configuration

Branch(config)#inter loopback 0
Branch(config-if)#ip add 10.1.1.1  255.255.255.0
Branch(config-if)#inter fa0/0
Branch(config-if)#ip add 192.168.1.1  255.255.255.0
Branch(config-if)#no shut
Branch(config-if)#ip route 0.0.0.0  0.0.0.0 192.168.1.2

NAT configuration

---------------------------------------- Basic IP configuration ----------------------------------------
NAT(config)#inter fa0/1
NAT(config-if)#ip add 192.168.1.2  255.255.255.0
NAT(config-if)#no shut
NAT(config-if)#inter fa0/0
NAT(config-if)#ip add 202.100.1.1  255.255.255.0
NAT(config-if)#no shut
NAT(config-if)#ip route 0.0.0.0 0.0.0.0  192.168.1.1
---------------------------------------- NAT configuration ----------------------------------------
NAT(config)#access-list 100 deny ip  10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
NAT(config)#access-list 100 permit  ip  10.1.1.0 0.0.0.255 any
NAT(config)#access-list 100 permit  ip  192.168.1.0 0.0.0.255 any
<Branch encrypts its 10.1.1.0/24 -> 10.2.2.0/24 traffic before it reaches this device, so the NAT device only ever sees the ISAKMP (UDP 500) and NAT-T (UDP 4500) packets from 192.168.1.1, which the last entry translates to 202.100.1.1; the deny entry is a safeguard that never matches here>
NAT(config)#ip nat inside source list 100  interface fa0/0 overload
NAT(config)#inter fa0/0
NAT(config-if)#ip nat outside
NAT(config-if)#inter fa0/1
NAT(config-if)#ip nat inside
NAT(config-if)#exit

 

VPN-GW1 configuration

---------------------------------------- Basic IP configuration ----------------------------------------
VPN-GW1(config)#inter fa0/0
VPN-GW1(config-if)#ip add 202.100.1.2  255.255.255.0
VPN-GW1(config-if)#no shut
VPN-GW1(config-if)#inter fa0/1
VPN-GW1(config-if)#ip add 172.16.1.1  255.255.255.0
VPN-GW1(config-if)#no shut
VPN-GW1(config)#ip route 0.0.0.0 0.0.0.0  202.100.1.1
---------------------------------------- Enable OSPF ----------------------------------------
VPN-GW1(config)#router ospf 110
VPN-GW1(config-router)#router-id 1.1.1.1
VPN-GW1(config-router)#net 172.16.1.0  0.0.0.255 area 0
VPN-GW1(config-router)#default-information  originate
<Originate a default route into the internal network>

VPN-GW2 configuration

---------------------------------------- Basic IP configuration ----------------------------------------
VPN-GW2(config)#inter fa0/0
VPN-GW2(config-if)#ip add 202.100.1.3  255.255.255.0
VPN-GW2(config-if)#no shut
VPN-GW2(config-if)#inter fa0/1
VPN-GW2(config-if)#ip add 172.16.1.2  255.255.255.0
VPN-GW2(config-if)#no shut
VPN-GW2(config-if)#ip route 0.0.0.0  0.0.0.0 202.100.1.1
---------------------------------------- Enable OSPF ----------------------------------------
VPN-GW2(config)#router ospf 110
VPN-GW2(config-router)#router-id 2.2.2.2
VPN-GW2(config-router)#net 172.16.1.0  0.0.0.255 area 0
VPN-GW2(config-router)#default-information  originate
VPN-GW2(config-router)#exit

 

Inside configuration

---------------------------------------- Basic IP configuration ----------------------------------------
Inside(config)#inter fa1/1
Inside(config-if)#ip add 172.16.1.3  255.255.255.0
Inside(config-if)#no shut
Inside(config-if)#inter loo0
Inside(config-if)#ip add 10.2.2.2  255.255.255.0
Inside(config-if)#no shut
---------------------------------------- Enable OSPF ----------------------------------------
Inside(config-if)#router ospf 110
Inside(config-router)#router-id 3.3.3.3
Inside(config-router)#net 172.16.1.0  0.0.0.255 area 0
Inside(config-router)#net 10.2.2.0  0.0.0.255 area 0
Inside(config-router)#exit

 

 

2) Hub-site NAT and HSRP configuration

VPN-GW1 configuration

---------------------------------------- NAT configuration ----------------------------------------
VPN-GW1(config)#access-list 100 deny ip  10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
VPN-GW1(config)#access-list 100 permit ip  10.2.2.0 0.0.0.255 any
VPN-GW1(config)#access-list 100 permit ip  172.16.1.0 0.0.0.255 any
<The deny must be the first entry: IOS applies inside-to-outside NAT before the crypto map check, so hub-to-branch traffic that gets translated would never match the crypto ACL and would leave unencrypted, outside the tunnel>
VPN-GW1(config)# ip nat inside source  list 100 interface fastEthernet 0/0 overload
VPN-GW1(config)#inter fa0/0
VPN-GW1(config-if)#ip nat outside
VPN-GW1(config-if)#inter fa0/1
VPN-GW1(config-if)#ip nat inside
VPN-GW1(config-if)#exit
---------------------------------------- HSRP configuration ----------------------------------------
Outside HSRP: provides a backup VPN gateway, raising VPN availability
VPN-GW1(config)#inter fa0/0
VPN-GW1(config-if)#standby 1 ip  202.100.1.4
VPN-GW1(config-if)#standby 1 priority 150
VPN-GW1(config-if)#standby 1 preempt
*Nov 18 13:41:36.071:  %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 1 state Standby -> Active
VPN-GW1(config-if)#standby 1 track  fastEthernet 0/1 60
VPN-GW1(config-if)#standby 1 name  HA-outside
<Name the HSRP group; the crypto map and the inter-device redundancy configuration refer to it later>

Inside HSRP: improves fault tolerance of the internal network
VPN-GW1(config)#inte fa0/1
VPN-GW1(config-if)#standby 2 name  HA-inside
VPN-GW1(config-if)#standby 2 ip  172.16.1.4
VPN-GW1(config-if)#standby 2 priority 150
VPN-GW1(config-if)#standby 2 preempt
*Nov 18 13:46:47.799:  %HSRP-5-STATECHANGE: FastEthernet0/1 Grp 2 state Standby -> Active
VPN-GW1(config-if)#standby 2 track  fastEthernet 0/0 90

VPN-GW2 configuration

---------------------------------------- NAT configuration ----------------------------------------
VPN-GW2(config)# access-list 100 deny ip  10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
VPN-GW2(config)#access-list 100 permit ip  10.2.2.0 0.0.0.255 any
VPN-GW2(config)#access-list 100 permit ip  172.16.1.0 0.0.0.255 any
VPN-GW2(config)# ip nat inside source  list 100 interface FastEthernet0/0 overload
VPN-GW2(config)#inter fa0/0
VPN-GW2(config-if)#ip nat outside
VPN-GW2(config-if)#inter fa0/1
VPN-GW2(config-if)#ip nat inside
VPN-GW2(config-if)#exit
---------------------------------------- HSRP configuration ----------------------------------------
VPN-GW2(config)#inter fa0/0
VPN-GW2(config-if)#standby 1 ip  202.100.1.4
VPN-GW2(config-if)#standby 1 track  fastEthernet 0/1
*Nov 18 13:43:02.427:  %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 1 state Speak -> Standby
VPN-GW2(config-if)#standby 1 name  HA-outside
VPN-GW2(config-if)#exit

VPN-GW2(config)#inter fa0/1
VPN-GW2(config-if)#standby 2 name  HA-inside
VPN-GW2(config-if)#standby 2 ip  172.16.1.4
VPN-GW2(config-if)#standby 2 track  fa0/0
VPN-GW2(config-if)#exit
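The NAT exemption above only works if the deny entry is evaluated before the permit entries, because IOS translates inside-to-outside traffic before it checks the crypto map. The following added example (not part of the original lab) implements first-match evaluation for the extended-ACL address forms used on this page (any, host A, A wildcard) and applies the NAT-then-crypto order to a hub-to-branch reply, once with ACL 100 in the order configured in this step and once with the deny moved last, which is how ACL 100 appears in the final running-config of the gateways. The packet and the ACL texts are constructed from the page's values; 202.100.1.2 is the fa0/0 address that `interface ... overload` would use on VPN-GW1.

```python
"""IOS ACL first-match evaluation and the NAT-before-crypto order of operations.

Added example, not the lab's own code. Models only what the page uses:
extended ACLs with `any`, `host A` and `A wildcard` address forms, and the
inside-to-outside path on IOS, where NAT runs before the crypto map check.
"""
import ipaddress
from typing import Dict, List, Tuple

Addr = Tuple[int, int]                  # (network as int, mask as int); wildcard already inverted
Entry = Tuple[str, str, Addr, Addr]     # (action, protocol, src, dst)

# Constructed inputs: ACL 100 as entered in step 2 (deny first) ...
STEP2_NAT_ACL = [
    "access-list 100 deny   ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255",
    "access-list 100 permit ip 10.2.2.0 0.0.0.255 any",
    "access-list 100 permit ip 172.16.1.0 0.0.0.255 any",
]
# ... and as it appears in the final running-config (deny last).
FINAL_NAT_ACL = [
    "access-list 100 permit ip host 10.2.2.2 any",
    "access-list 100 permit ip 172.16.1.0 0.0.0.255 any",
    "access-list 100 deny   ip host 10.2.2.2 host 10.1.1.1",
]
CRYPTO_ACL = ["permit ip host 10.2.2.2 host 10.1.1.1"]   # the hub's crypto ACL body


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _parse_addr(tokens: List[str], i: int) -> Tuple[Addr, int]:
    """Parse one address spec starting at tokens[i]; return it and the next index."""
    if tokens[i] == "any":
        return (0, 0), i + 1
    if tokens[i] == "host":
        return (_ip(tokens[i + 1]), 0xFFFFFFFF), i + 2
    mask = ~_ip(tokens[i + 1]) & 0xFFFFFFFF        # IOS wildcard: 0 bits must match
    return (_ip(tokens[i]) & mask, mask), i + 2


def parse_acl(lines: List[str]) -> List[Entry]:
    """Accept both `access-list N ...` lines and named-ACL body lines."""
    entries = []
    for line in lines:
        toks = line.split()
        if toks[0] == "access-list":
            toks = toks[2:]                        # drop "access-list <number>"
        action, proto = toks[0], toks[1]
        src, i = _parse_addr(toks, 2)
        dst, _ = _parse_addr(toks, i)
        entries.append((action, proto, src, dst))
    return entries


def acl_permits(entries: List[Entry], src_ip: str, dst_ip: str) -> bool:
    """First matching entry wins; every ACL ends with an implicit deny."""
    s, d = _ip(src_ip), _ip(dst_ip)
    for action, _proto, (snet, smask), (dnet, dmask) in entries:
        if (s & smask) == snet and (d & dmask) == dnet:
            return action == "permit"
    return False


def hub_outbound(nat_acl: List[str], crypto_acl: List[str],
                 src_ip: str, dst_ip: str, nat_outside_ip: str) -> Dict[str, object]:
    """Inside-to-outside on IOS: NAT first, then the crypto map decides on encryption.
    A packet translated by NAT is checked against the crypto ACL with its NEW source."""
    translated = acl_permits(parse_acl(nat_acl), src_ip, dst_ip)
    src_after_nat = nat_outside_ip if translated else src_ip
    encrypted = acl_permits(parse_acl(crypto_acl), src_after_nat, dst_ip)
    return {"translated": translated, "src_after_nat": src_after_nat, "encrypted": encrypted}


if __name__ == "__main__":
    # Hub server 10.2.2.2 replying to branch host 10.1.1.1 through VPN-GW1 (fa0/0 = 202.100.1.2)
    for name, acl in (("deny first", STEP2_NAT_ACL), ("deny last", FINAL_NAT_ACL)):
        print(name, hub_outbound(acl, CRYPTO_ACL, "10.2.2.2", "10.1.1.1", "202.100.1.2"))
```

With the deny first, the reply keeps its 10.2.2.2 source, matches the crypto ACL and is encrypted; with the deny last, it is translated to 202.100.1.2, no longer matches the crypto ACL and leaves the gateway in the clear, which is what an encaps counter stuck at 0 on the hub looks like.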

 

 

3) IPSec VPN configuration

Branch configuration

Branch(config)#crypto isakmp keepalive 10  2 periodic
<Enable DPD in periodic mode: send a DPD message every 10 s; once a message goes unanswered, retransmit every 2 s>
---------------------------------------- Phase 1 ----------------------------------------
Branch(config)#crypto isakmp policy 10
Branch(config-isakmp)#authentication  pre-share
Branch(config-isakmp)#exit
Branch(config)#crypto isakmp key freeit  address 202.100.1.4
<The peer is the hub's outside HSRP virtual address, so the branch never needs to know which physical gateway is active>
---------------------------------------- Phase 2 ----------------------------------------
Branch(config)#crypto ipsec transform-set  l2l esp-3des esp-md5-hmac
<Lab choice; for production prefer esp-aes with esp-sha256-hmac and set PFS in the crypto map>
Branch(cfg-crypto-trans)#exit
Branch(config)#ip access-list extended  ***
Branch(config-ext-nacl)#permit ip  10.1.1.1 0.0.0.0 10.2.2.2 0.0.0.0
Branch(config-ext-nacl)#exit
Branch(config)#crypto map MAP 10  ipsec-isakmp
% NOTE: This new crypto map will remain  disabled until a peer
         and a valid access list have been configured.
Branch(config-crypto-map)#set peer  202.100.1.4
Branch(config-crypto-map)#set  transform-set l2l
Branch(config-crypto-map)#match address  ***
Branch(config-crypto-map)#exit
Branch(config)#inter fa0/0
Branch(config-if)#crypto map MAP
Branch(config-if)#exit

VPN-GW1 configuration

VPN-GW1(config)#crypto isakmp keepalive  10 2 periodic
VPN-GW1(config)#crypto isakmp policy 10
VPN-GW1(config-isakmp)# authentication  pre-share
VPN-GW1(config-isakmp)#exit
VPN-GW1(config)#crypto isakmp key freeit  address 202.100.1.1
<The branch is seen from behind the NAT device, so the key is bound to the NAT device's public address, not to Branch's private address>
VPN-GW1(config)#crypto ipsec  transform-set l2l esp-3des esp-md5-hmac
VPN-GW1(cfg-crypto-trans)#exit
VPN-GW1(config)#ip access-list extended  ***
VPN-GW1(config-ext-nacl)#permit ip  10.2.2.2 0.0.0.0 10.1.1.1 0.0.0.0
VPN-GW1(config-ext-nacl)#exit
VPN-GW1(config)#crypto map MAP 10  ipsec-isakmp
% NOTE: This new crypto map will remain  disabled until a peer
        and a valid access list have been  configured.
VPN-GW1(config-crypto-map)#set peer  202.100.1.1
VPN-GW1(config-crypto-map)#set  transform-set l2l
VPN-GW1(config-crypto-map)#match address  ***
VPN-GW1(config-crypto-map)#reverse-route
<Enable RRI: once the IPSec VPN SA is established, a static route to the remote protected network (10.1.1.1/32) is injected and redistributed into the internal network to steer the return path. The final running-config also shows "redistribute static subnets" under router ospf 110; it is not entered in this step, but it is what advertises the injected route to Inside as an O E2 route>
VPN-GW1(config-crypto-map)#exit
VPN-GW1(config)#inter fa0/0
VPN-GW1(config-if)#crypto map MAP  redundancy HA-outside stateful
<Apply the crypto map to the interface and tie it to the HSRP group with stateful failover, so a failure of the active gateway moves the tunnel to the standby. The named group supplies the virtual address that becomes the local crypto endpoint (the verification shows "local addr 202.100.1.4"), so reference the group on the peer-facing interface that carries the crypto map, and use the same group name in the "redundancy inter-device" configuration>

VPN-GW2 configuration

VPN-GW2(config)#crypto isakmp keepalive  10 2 periodic
VPN-GW2(config)#crypto isakmp policy 10
VPN-GW2(config-isakmp)# authentication  pre-share
VPN-GW2(config-isakmp)#exit
VPN-GW2(config)#crypto isakmp key freeit  address 202.100.1.1
VPN-GW2(config)#crypto ipsec  transform-set l2l esp-3des esp-md5-hmac
VPN-GW2(cfg-crypto-trans)#exit
VPN-GW2(config)#ip access-list extended  ***
VPN-GW2(config-ext-nacl)# permit ip host  10.2.2.2 host 10.1.1.1
VPN-GW2(config-ext-nacl)#exit
VPN-GW2(config)#crypto map MAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain  disabled until a peer
         and a valid access list have been configured.
VPN-GW2(config-crypto-map)# set peer  202.100.1.1
VPN-GW2(config-crypto-map)# set  transform-set l2l
VPN-GW2(config-crypto-map)# match address  ***
VPN-GW2(config-crypto-map)# reverse-route
VPN-GW2(config-crypto-map)#exit
VPN-GW2(config)#inter fa0/0
VPN-GW2(config-if)#crypto map MAP  redundancy HA-outside stateful
VPN-GW2(config-if)#exit

 

 

4) Enabling SCTP

The branch's encryption endpoint negotiates with the hub site's virtual gateway address. Without stateful failover, when the primary gateway fails the virtual address moves to the backup, but the IKE and IPSec SAs were negotiated on the primary and exist only there: the backup has nothing with which to decrypt the branch's traffic. If the branch has no DPD, it keeps sending into SAs the backup never had until the IPSec SA lifetime (one hour by default) expires; with DPD it notices within seconds, but it must then tear down and fully renegotiate IKE and IPSec with the backup, so every session is interrupted. With the stateful failover feature, the standby gateway listens on an SCTP association and receives a complete copy of the active gateway's negotiated IKE/IPSec state; when the primary fails, the backup continues the IPSec VPN session with the SAs it already holds, with no renegotiation and no wait for the SA to expire. The configuration follows; after it is entered the devices must be reloaded:

VPN-GW1 configuration

VPN-GW1(config)#redundancy inter-device
VPN-GW1(config-red-interdevice)#scheme  standby HA-outside
<Bind inter-device redundancy to the HSRP group, so the active/standby roles follow it>
VPN-GW1(config)#ipc zone default
VPN-GW1(config-ipczone)#association 1
VPN-GW1(config-ipczone-assoc)#no shut
VPN-GW1(config-ipczone-assoc)#protocol sctp
VPN-GW1(config-ipc-protocol-sctp)#local-port  5000
VPN-GW1(config-ipc-local-sctp)#local-ip  172.16.1.1
VPN-GW1(config-ipc-protocol-sctp)#remote-port  5000
VPN-GW1(config-ipc-remote-sctp)#remote-ip  172.16.1.2
VPN-GW1(config-ipc-remote-sctp)#end
<The SCTP association runs between the inside interfaces (172.16.1.1 and 172.16.1.2). SA state is checkpointed over it, so this path should be a trusted link between the two gateways>

VPN-GW2 configuration

VPN-GW2(config)#redundancy  inter-device
VPN-GW2(config-red-interdevice)#scheme  standby HA-outside
% Standby scheme configuration cannot be  processed now group HA-outside is not in active state
<GW2 is the HSRP standby; the command is stored and takes effect after the reload>
VPN-GW2(config-red-interdevice)#exit
VPN-GW2(config)#ipc zone default
VPN-GW2(config-ipczone)#association 1
VPN-GW2(config-ipczone-assoc)#no  shut
VPN-GW2(config-ipczone-assoc)#protocol  sctp
VPN-GW2(config-ipc-protocol-sctp)#local-port  5000
VPN-GW2(config-ipc-local-sctp)#local-ip  172.16.1.2
VPN-GW2(config-ipc-local-sctp)#exit
VPN-GW2(config-ipc-protocol-sctp)#remote-port  5000
VPN-GW2(config-ipc-remote-sctp)#remote-ip  172.16.1.1
VPN-GW2(config-ipc-remote-sctp)#end

 

 

5) Verification

Ping the hub-site virtual gateway from Branch and check the NAT translation

---------------------------------------- Send ICMP from Branch ----------------------------------------

Branch#ping 202.100.1.4

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to  202.100.1.4, timeout is 2 seconds:

.!!!!

Success rate is 80 percent (4/5),  round-trip min/avg/max = 124/136/156 ms

---------------------------------------- Check translations on NAT ----------------------------------------

NAT#sho ip nat tr            

Pro Inside global      Inside local       Outside local      Outside global

icmp 202.100.1.1:4     192.168.1.1:4      202.100.1.4:4      202.100.1.4:4

 

First, check the routing table on the hub-site Inside router

Inside#sho ip ro

...... (this part omitted) ......

O*E2   0.0.0.0/0 [110/1] via 172.16.1.2, 00:27:58, FastEthernet1/1

                [110/1] via 172.16.1.1,  00:00:30, FastEthernet1/1

       10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks

C         10.2.2.0/24 is directly connected, Loopback0

L         10.2.2.2/32 is directly connected, Loopback0

       172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks

C         172.16.1.0/24 is directly connected, FastEthernet1/1

L         172.16.1.3/32 is directly connected, FastEthernet1/1

<No route for Branch's private network yet>

 

Ping across the IPSec VPN from Branch, then shut down the primary gateway to verify the backup

---------------------------------------- Repeated ICMP from Branch ----------------------------------------

Branch#ping 10.2.2.2 source loopback 0  repeat 1000

Type escape sequence to abort.

Sending 1000, 100-byte ICMP Echos to  10.2.2.2, timeout is 2 seconds:

Packet sent with a source address of  10.1.1.1

.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!

!!

---------------------------------------- Check the IPSec SA on the primary gateway ----------------------------------------

VPN-GW1#sho cry ips sa

 

interface: FastEthernet0/0

     Crypto map tag: MAP, local addr 202.100.1.4

 

    protected vrf: (none)

    local  ident  (addr/mask/prot/port): (10.2.2.2/255.255.255.255/0/0)

    remote ident (addr/mask/prot/port): (10.1.1.1/255.255.255.255/0/0)

    current_peer 202.100.1.1 port 4500

      PERMIT, flags={origin_is_acl,}

     #pkts encaps: 0, #pkts encrypt:  0, #pkts digest: 0

    #pkts decaps: 222, #pkts decrypt: 222,  #pkts verify: 222

     #pkts compressed: 0, #pkts decompressed: 0

     #pkts not compressed: 0, #pkts compr. failed: 0

     #pkts not decompressed: 0, #pkts decompress failed: 0

     #send errors 0, #recv errors 15

 

      local crypto endpt.: 202.100.1.4, remote crypto endpt.: 202.100.1.1

      path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0

      current outbound spi: 0x4676FC90(1182203024)

      PFS (Y/N): N, DH group: none

 

      inbound esp sas:

       spi: 0x892DB9C5(2301475269)

         transform: esp-3des esp-md5-hmac ,

         in use settings ={Tunnel UDP-Encaps, }

         conn id: 7, flow_id: SW:7, sibling_flags 80000040, crypto map: MAP

         sa timing: remaining key lifetime (k/sec): (4182733/3591)

              HA KB life last checkpointed at  (k): (4147200)

         IV size: 8 bytes

         replay detection support: Y

         Status: ACTIVE(ACTIVE)

 

      inbound ah sas:

 

      inbound pcp sas:

 

      outbound esp sas:

       spi: 0x4676FC90(1182203024)

         transform: esp-3des esp-md5-hmac ,

         in use settings ={Tunnel UDP-Encaps, }

         conn id: 8, flow_id: SW:8, sibling_flags 80000040, crypto map: MAP

         sa timing: remaining key lifetime (k/sec): (4182736/3591)

              HA KB life last checkpointed at  (k): (0)

         IV size: 8 bytes

         replay detection support: Y

         Status: ACTIVE(ACTIVE)

           

      outbound ah sas:

 

      outbound pcp sas:

<The primary gateway is decrypting the branch's packets (#pkts decaps 222), so the branch-to-hub direction is using the tunnel. Note, however, that #pkts encaps is 0: this gateway is not encrypting anything back to the branch. On IOS, inside-to-outside NAT runs before the crypto map check, so if the hub's NAT ACL 100 translates 10.2.2.2 -> 10.1.1.1 the replies leave with a public source address, never match the crypto ACL and bypass the tunnel. The deny entry for the VPN traffic must be the first line of ACL 100; in the final running-config at the end of this document it appears after the permit entries, which would produce exactly this counter pattern. The "!" marks in the ping output only prove that replies arrived, not that they came back through the tunnel; a healthy tunnel shows both encaps and decaps advancing on both ends>

---------------------------------------- Check Inside's routing table ----------------------------------------

Inside#sho ip ro

...... (this part omitted) ......

Gateway of last resort is 172.16.1.2 to  network 0.0.0.0

 

O*E2   0.0.0.0/0 [110/1] via 172.16.1.2, 00:28:10, FastEthernet1/1

                [110/1] via 172.16.1.1,  00:00:42, FastEthernet1/1

       10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks

O E2     10.1.1.1/32  [110/20] via 172.16.1.1, 00:00:08, FastEthernet1/1

C         10.2.2.0/24 is directly connected, Loopback0

L         10.2.2.2/32 is directly connected, Loopback0

       172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks

C         172.16.1.0/24 is directly connected, FastEthernet1/1

L         172.16.1.3/32 is directly connected, FastEthernet1/1

<Once the SA is up, RRI injects 10.1.1.1/32, which OSPF redistributes as an O E2 route via 172.16.1.1 (the primary), steering the return path>

---------------------------------------- Check the IPSec SA on the backup gateway ----------------------------------------

VPN-GW2#sho cry ip sa

 

interface: FastEthernet0/0

     Crypto map tag: MAP, local addr 202.100.1.4

 

    protected vrf: (none)

    local  ident  (addr/mask/prot/port): (10.2.2.2/255.255.255.255/0/0)

    remote ident (addr/mask/prot/port): (10.1.1.1/255.255.255.255/0/0)

    current_peer 202.100.1.1 port 500

      PERMIT, flags={origin_is_acl,}

     #pkts encaps: 0, #pkts encrypt:  0, #pkts digest: 0

    #pkts decaps: 0, #pkts decrypt: 0, #pkts  verify: 0

     #pkts compressed: 0, #pkts decompressed: 0

     #pkts not compressed: 0, #pkts compr. failed: 0

     #pkts not decompressed: 0, #pkts decompress failed: 0

     #send errors 0, #recv errors 0

 

      local crypto endpt.: 202.100.1.4, remote crypto endpt.: 202.100.1.1

      path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0

      current outbound spi: 0x0(0)

      PFS (Y/N): N, DH group: none

 

      inbound esp sas:

 

      inbound ah sas:

 

     inbound pcp sas:

 

      outbound esp sas:

 

      outbound ah sas:

 

      outbound pcp sas:

<The backup gateway is carrying no IPSec traffic and shows no ESP SAs at this point>

---------------------------------------- Shut down the primary gateway's outside interface ----------------------------------------

VPN-GW1(config)#inter fa0/0
VPN-GW1(config-if)#shut
VPN-GW1(config-if)#
*Nov 18 16:32:34.335:  %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 1 state Active -> Init
VPN-GW1(config-if)#

*Nov 18 16:32:36.319: %LINK-5-CHANGED:  Interface FastEthernet0/0, changed state to administratively down

*Nov 18 16:32:37.319: %LINEPROTO-5-UPDOWN:  Line protocol on Interface FastEthernet0/0, changed state to down

---------------------------------------- Ping status on Branch ----------------------------------------

Branch#ping 10.2.2.2 source loopback 0  repeat 1000

Type escape sequence to abort.

Sending 1000, 100-byte ICMP Echos to  10.2.2.2, timeout is 2 seconds:

Packet sent with a source address of  10.1.1.1

.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!………………!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

<When the primary gateway's interface goes down, the ICMP stream is interrupted briefly while HSRP fails over; once the backup becomes active for the virtual address the pings resume and the IPSec SA continues to carry them>

---------------------------------------- Check the backup gateway's IPSec SA ----------------------------------------

VPN-GW2#sho cry ip sa

 

interface: FastEthernet0/0

     Crypto map tag: MAP, local addr 202.100.1.4

 

    protected vrf: (none)

    local  ident  (addr/mask/prot/port): (10.2.2.2/255.255.255.255/0/0)

    remote ident (addr/mask/prot/port): (10.1.1.1/255.255.255.255/0/0)

    current_peer 202.100.1.1 port 4500

      PERMIT, flags={origin_is_acl,}

    #pkts encaps: 0, #pkts encrypt: 0, #pkts  digest: 0

    #pkts decaps: 99, #pkts decrypt: 99,  #pkts verify: 99

     #pkts compressed: 0, #pkts decompressed: 0

     #pkts not compressed: 0, #pkts compr. failed: 0

     #pkts not decompressed: 0, #pkts decompress failed: 0

     #send errors 0, #recv errors 6

 

      local crypto endpt.: 202.100.1.4, remote crypto endpt.: 202.100.1.1

      path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0

      current outbound spi: 0x222CD346(573363014)

      PFS (Y/N): N, DH group: none

 

      inbound esp sas:

       spi: 0xE1AF1A77(3786349175)

         transform: esp-3des esp-md5-hmac ,

        in use settings ={Tunnel UDP-Encaps, }

         conn id: 3, flow_id: SW:3, sibling_flags 80000040, crypto map: MAP

         sa timing: remaining key lifetime (k/sec): (4375158/3562)

              HA KB life last checkpointed at  (k): (4147200)

         IV size: 8 bytes

         replay detection support: Y

         Status: ACTIVE(ACTIVE)

 

      inbound ah sas:

 

      inbound pcp sas:

 

      outbound esp sas:

       spi: 0x222CD346(573363014)

         transform: esp-3des esp-md5-hmac ,

         in use settings ={Tunnel UDP-Encaps, }

         conn id: 4, flow_id: SW:4, sibling_flags 80000040, crypto map: MAP

         sa timing: remaining key lifetime (k/sec): (4375175/3562)

              HA KB life last checkpointed at  (k): (0)

         IV size: 8 bytes

         replay detection support: Y

         Status: ACTIVE(ACTIVE)

           

      outbound ah sas:

 

      outbound pcp sas:

<After the primary goes down, the backup gateway carries the session: its SAs show HA checkpoint data and the decaps counter is advancing (99). Two things to check before calling this a stateful takeover: the SPIs here (0xE1AF1A77 / 0x222CD346) differ from those captured earlier on the primary (0x892DB9C5 / 0x4676FC90), and the standby showed no ESP SAs before the failover, so a rekey or a fresh negotiation may have taken place between the two captures. Capture the SPIs on both gateways immediately before and after the switchover and confirm the standby's redundancy state (show redundancy states) to prove the state was inherited. The encaps counter is still 0 here as well, pointing to the same NAT ordering problem seen on the primary>
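The checks just described are easy to automate. The following added example (not from the original lab) parses the relevant fields out of `show crypto ipsec sa` text, flags the one-way counter pattern and the absence of SAs, and compares the SPIs of two captures to tell a stateful takeover from a renegotiation. The three sample outputs are constructed by trimming the lab's own captures above; the parser understands only the lines shown there (IOS 15.2 layout), and the finding strings are this example's own wording.

```python
"""Parse `show crypto ipsec sa` output and flag failover/tunnel anomalies.

Added example, not part of the original lab. Understands only the lines seen in
the captures above (IOS 15.2); SAMPLE_* are constructed by trimming those captures.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

SAMPLE_GW1_BEFORE = """\
    Crypto map tag: MAP, local addr 202.100.1.4
   current_peer 202.100.1.1 port 4500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 222, #pkts decrypt: 222, #pkts verify: 222
    #send errors 0, #recv errors 15
     current outbound spi: 0x4676FC90(1182203024)
     inbound esp sas:
      spi: 0x892DB9C5(2301475269)
        in use settings ={Tunnel UDP-Encaps, }
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x4676FC90(1182203024)
        in use settings ={Tunnel UDP-Encaps, }
     outbound ah sas:
"""
SAMPLE_GW2_AFTER = """\
    Crypto map tag: MAP, local addr 202.100.1.4
   current_peer 202.100.1.1 port 4500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 99, #pkts decrypt: 99, #pkts verify: 99
    #send errors 0, #recv errors 6
     inbound esp sas:
      spi: 0xE1AF1A77(3786349175)
        in use settings ={Tunnel UDP-Encaps, }
     outbound esp sas:
      spi: 0x222CD346(573363014)
        in use settings ={Tunnel UDP-Encaps, }
"""
SAMPLE_GW2_STANDBY = """\
    Crypto map tag: MAP, local addr 202.100.1.4
   current_peer 202.100.1.1 port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0
     inbound esp sas:
     outbound esp sas:
"""


@dataclass
class IpsecSa:
    local_addr: Optional[str] = None
    peer: Optional[str] = None
    peer_port: Optional[int] = None
    encaps: int = 0
    decaps: int = 0
    recv_errors: int = 0
    inbound_spi: Optional[str] = None
    outbound_spi: Optional[str] = None
    udp_encaps: bool = False        # NAT-T: ESP carried in UDP 4500


_FIELDS = [  # (regex, attribute, converter) for the single-value lines
    (re.compile(r"local addr (\S+)"), "local_addr", str),
    (re.compile(r"current_peer (\S+) port \d+"), "peer", str),
    (re.compile(r"current_peer \S+ port (\d+)"), "peer_port", int),
    (re.compile(r"#pkts encaps: (\d+)"), "encaps", int),
    (re.compile(r"#pkts decaps: (\d+)"), "decaps", int),
    (re.compile(r"#recv errors (\d+)"), "recv_errors", int),
]
_RE_SPI = re.compile(r"^spi: (0x[0-9A-Fa-f]+)")   # per-SA lines only, not "current outbound spi:"


def parse_show_crypto_ipsec_sa(text: str) -> IpsecSa:
    sa = IpsecSa()
    section = None                 # "inbound"/"outbound" while inside an ESP SA list
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("sas:"):  # list headers: track ESP lists, ignore AH/PCP ones
            section = line.split()[0] if line.endswith("esp sas:") else None
            continue
        for rx, attr, conv in _FIELDS:
            m = rx.search(line)
            if m:
                setattr(sa, attr, conv(m.group(1)))
        m = _RE_SPI.match(line)
        if m and section == "inbound":
            sa.inbound_spi = m.group(1)
        elif m and section == "outbound":
            sa.outbound_spi = m.group(1)
        if "UDP-Encaps" in line:
            sa.udp_encaps = True
    return sa


def assess(sa: IpsecSa) -> List[str]:
    """Findings worth checking after a failover, or when a tunnel is 'up' but half-working."""
    findings = []
    if sa.inbound_spi is None and sa.outbound_spi is None:
        return ["no ESP SAs: no tunnel state on this gateway"]
    if sa.udp_encaps or sa.peer_port == 4500:
        findings.append("NAT-T in use (ESP in UDP 4500)")
    if sa.decaps > 0 and sa.encaps == 0:
        findings.append("one-way: decrypting inbound but encrypting nothing; "
                        "return traffic bypasses the tunnel (check NAT exemption order / crypto ACL)")
    if sa.recv_errors:
        findings.append(f"{sa.recv_errors} receive errors")
    return findings


def same_sas(before: IpsecSa, after: IpsecSa) -> bool:
    """True if both SPIs survived the switchover (state inherited); False if renegotiated."""
    return before.inbound_spi is not None and \
        (before.inbound_spi, before.outbound_spi) == (after.inbound_spi, after.outbound_spi)


if __name__ == "__main__":
    before, after = parse_show_crypto_ipsec_sa(SAMPLE_GW1_BEFORE), parse_show_crypto_ipsec_sa(SAMPLE_GW2_AFTER)
    print("primary before failover:", assess(before))
    print("backup after failover:  ", assess(after))
    print("standby before failover:", assess(parse_show_crypto_ipsec_sa(SAMPLE_GW2_STANDBY)))
    print("SAs inherited:", same_sas(before, after))
```

Run against the lab's captures it reports NAT-T, the one-way counter pattern and the receive errors on both gateways, no SAs on the standby before the switchover, and differing SPIs afterwards; those are precisely the points a reviewer would want settled before signing off on the failover test.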

 

6) Final configurations

 

Branch

Branch#sho running-config
Building configuration...

Current configuration : 1434 bytes
!
upgrade fpd auto
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Branch
!
boot-start-marker
boot-end-marker
!
no aaa new-model
no ip icmp rate-limit unreachable
!
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
redundancy
!
ip tcp synwait-time 5
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key freeit address 202.100.1.4
crypto isakmp keepalive 10 periodic
!
crypto ipsec transform-set l2l esp-3des esp-md5-hmac
 mode tunnel
!
crypto map MAP 10 ipsec-isakmp
 set peer 202.100.1.4
 set transform-set l2l
 match address ***
!
interface Loopback0
 ip address 10.1.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
 crypto map MAP
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 192.168.1.2
!
ip access-list extended ***
 permit ip host 10.1.1.1 host 10.2.2.2
!
control-plane
!
mgcp profile default
!
gatekeeper
 shutdown
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line vty 0 4
 login
 transport input all
!
end

 

NAT

NAT#sho running-config
Building configuration...

Current configuration : 1310 bytes
!
upgrade fpd auto
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname NAT
!
boot-start-marker
boot-end-marker
!
no aaa new-model
no ip icmp rate-limit unreachable
!
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
redundancy
!
ip tcp synwait-time 5
!
interface FastEthernet0/0
 ip address 202.100.1.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.1.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source list 100 interface FastEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
access-list 100 deny   ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
!
control-plane
!
mgcp profile default
!
gatekeeper
 shutdown
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line vty 0 4
 login
 transport input all
!
end

 

 

VPN-GW1

VPN-GW1#sho running-config
Building configuration...

Current configuration : 2390 bytes
!
! Last configuration change at 16:53:56 UTC Tue Nov 18 2014
upgrade fpd auto
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname VPN-GW1
!
boot-start-marker
boot-end-marker
!
ipc zone default
 association 1
  no shutdown
  protocol sctp
   local-port 5000
    local-ip 172.16.1.1
   remote-port 5000
    remote-ip 172.16.1.2
!
no aaa new-model
no ip icmp rate-limit unreachable
!
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
redundancy inter-device
 scheme standby HA-outside
!
redundancy
!
ip tcp synwait-time 5
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key freeit address 202.100.1.1
crypto isakmp keepalive 10 periodic
!
crypto ipsec transform-set l2l esp-3des esp-md5-hmac
 mode tunnel
!
crypto map MAP 10 ipsec-isakmp
 set peer 202.100.1.1
 set transform-set l2l
 match address ***
 reverse-route
!
interface FastEthernet0/0
 ip address 202.100.1.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 standby 1 ip 202.100.1.4
 standby 1 priority 150
 standby 1 preempt
 standby 1 name HA-outside
 standby 1 track 1 decrement 60
 duplex auto
 speed auto
 crypto map MAP redundancy HA-outside stateful
!
interface FastEthernet0/1
 ip address 172.16.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 standby 2 ip 172.16.1.4
 standby 2 priority 150
 standby 2 preempt
 standby 2 name HA-inside
 standby 2 track 2 decrement 90
 duplex auto
 speed auto
!
router ospf 110
 router-id 1.1.1.1
 redistribute static subnets
 network 172.16.1.0 0.0.0.255 area 0
 default-information originate
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source list 100 interface FastEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 202.100.1.1
!
ip access-list extended ***
 permit ip host 10.2.2.2 host 10.1.1.1
!
access-list 100 permit ip host 10.2.2.2 any
access-list 100 permit ip 172.16.1.0 0.0.0.255 any
access-list 100 deny   ip host 10.2.2.2 host 10.1.1.1
!
control-plane
!
mgcp profile default
!
gatekeeper
 shutdown
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line vty 0 4
 login
 transport input all
!
end

 

 

VPN-GW2

VPN-GW2#sho running-config
Building configuration...

Current configuration : 2280 bytes
!
! Last configuration change at 16:53:49 UTC Tue Nov 18 2014
upgrade fpd auto
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname VPN-GW2
!
boot-start-marker
boot-end-marker
!
ipc zone default
 association 1
  no shutdown
  protocol sctp
   local-port 5000
    local-ip 172.16.1.2
   remote-port 5000
    remote-ip 172.16.1.1
!
no aaa new-model
no ip icmp rate-limit unreachable
!
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
redundancy inter-device
 scheme standby HA-outside
!
redundancy
!
ip tcp synwait-time 5
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key freeit address 202.100.1.1
crypto isakmp keepalive 10 periodic
!
crypto ipsec transform-set l2l esp-3des esp-md5-hmac
 mode tunnel
!
crypto map MAP 10 ipsec-isakmp
 set peer 202.100.1.1
 set transform-set l2l
 match address ***
 reverse-route
!
interface FastEthernet0/0
 ip address 202.100.1.3 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 standby 1 ip 202.100.1.4
 standby 1 name HA-outside
 standby 1 track 1 decrement 10
 duplex auto
 speed auto
 crypto map MAP redundancy HA-outside stateful
!
interface FastEthernet0/1
 ip address 172.16.1.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 standby 2 ip 172.16.1.4
 standby 2 name HA-inside
 standby 2 track 2 decrement 10
 duplex auto
 speed auto
!
router ospf 110
 router-id 2.2.2.2
 redistribute static subnets
 network 172.16.1.0 0.0.0.255 area 0
 default-information originate
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source list 100 interface FastEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 202.100.1.1
!
ip access-list extended ***
 permit ip host 10.2.2.2 host 10.1.1.1
!
access-list 100 permit ip host 10.2.2.2 any
access-list 100 permit ip 172.16.1.0 0.0.0.255 any
access-list 100 deny   ip host 10.2.2.2 host 10.1.1.1
!
control-plane
!
mgcp profile default
!
gatekeeper
 shutdown
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line vty 0 4
 login
 transport input all
!
end

 

 

Inside

Inside#sho running-config
Building configuration...

Current configuration : 1353 bytes
!
! Last configuration change at 16:53:38 UTC Tue Nov 18 2014
upgrade fpd auto
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Inside
!
boot-start-marker
boot-end-marker
!
no aaa new-model
no ip icmp rate-limit unreachable
!
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
redundancy
!
ip tcp synwait-time 5
!
interface Loopback0
 ip address 10.2.2.2 255.255.255.0
!
interface Ethernet0/0
 no ip address
 shutdown
 duplex auto
!
interface GigabitEthernet0/0
 no ip address
 shutdown
 duplex full
 speed 1000
 media-type gbic
 negotiation auto
!
interface FastEthernet1/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet1/1
 ip address 172.16.1.3 255.255.255.0
 duplex auto
 speed auto
!
router ospf 110
 router-id 3.3.3.3
 network 10.2.2.0 0.0.0.255 area 0
 network 172.16.1.0 0.0.0.255 area 0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
control-plane
!
mgcp profile default
!
gatekeeper
 shutdown
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line vty 0 4
 login
 transport input all
!
end