Topology:
Requirements: Beijing, as the headquarters, needs to connect to the Company site, while the SH site uses dual uplinks to the ISP to keep the network highly available. The requirement now is that when SH1 goes down, SH2 takes over SH1's role so that the VPN connection stays continuously available.
Beijing main configuration:
The Beijing configuration is no different from a traditional IPsec LAN-to-LAN VPN configuration.
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 117.1.1.10
crypto ipsec transform-set cisco esp-3des esp-md5-hmac
crypto map vpn 10 ipsec-isakmp
set peer 117.1.1.10
set transform-set cisco
match address vpn
interface Loopback0
ip address 1.1.1.1 255.255.255.0
interface FastEthernet0/0
ip address 124.1.1.1 255.255.255.0
duplex half
crypto map vpn
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
ip access-list extended vpn
permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
SH1 main configuration:
The SH configuration must first use DPD (dead peer detection), so that once the IPsec SA is interrupted the backup device can take over.
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 124.1.1.1
crypto isakmp keepalive 10 periodic
crypto ipsec transform-set cisco esp-3des esp-md5-hmac
crypto map cisco 10 ipsec-isakmp
set peer 124.1.1.1
set transform-set cisco
match address vpn
reverse-route tag 10 static
Reverse route injection turns the interesting traffic into static routes so that the data has a route; the static keyword creates the route even when no SA exists (on the Active device).
interface FastEthernet2/0
ip address 117.1.1.8 255.255.255.0
duplex half
standby 1 ip 117.1.1.10
standby 1 priority 150
standby 1 preempt
standby 1 name Redunvpn
crypto map cisco redundancy Redunvpn
When applying the crypto map, add the redundancy keyword and reference the standby group name.
interface FastEthernet3/0
ip address 10.1.1.1 255.255.255.0
duplex half
router eigrp 10
redistribute static route-map vpntraffic
Redistribute the injected routes into the internal network.
network 10.1.1.0 0.0.0.255
no auto-summary
ip route 0.0.0.0 0.0.0.0 FastEthernet2/0
ip access-list extended vpn
permit ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255
route-map vpntraffic permit 10
match tag 10
The SH2 configuration is not much different from SH1, so it is not listed here.
Lab results:
1. ping test
2. Encryption/decryption on the Active device:
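As an added consistency check that is not part of the original post, the following Python script parses the Beijing and SH1 configurations above (reduced to the lines it needs) and flags the mistakes that silently break failover: the hub peering with a physical address instead of the HSRP virtual address, a crypto map redundancy name that does not match the standby group, non-periodic DPD, and RRI without the static keyword or with a tag the route-map does not match.

```python
import re
# Sample configurations, constructed from the Beijing (hub) and SH1 (active
# spoke) configurations on this page; only the lines the checks need are kept.
BEIJING_CFG = """
crypto isakmp key cisco address 117.1.1.10
crypto map vpn 10 ipsec-isakmp
 set peer 117.1.1.10
"""
SH1_CFG = """
crypto isakmp keepalive 10 periodic
crypto map cisco 10 ipsec-isakmp
 set peer 124.1.1.1
 reverse-route tag 10 static
interface FastEthernet2/0
 standby 1 ip 117.1.1.10
 standby 1 name Redunvpn
 crypto map cisco redundancy Redunvpn
route-map vpntraffic permit 10
 match tag 10
"""

def first(pattern, cfg):
    """First capture group of pattern anywhere in cfg, or None if absent."""
    m = re.search(pattern, cfg, re.MULTILINE)
    return m.group(1) if m else None

def check_failover(hub_cfg, spoke_cfg):
    """Return the list of consistency problems; empty means the pair looks right."""
    problems = []
    vip = first(r"^\s*standby \d+ ip (\S+)", spoke_cfg)
    if vip is None:
        return ["spoke has no HSRP virtual address (standby N ip)"]
    # 1. The hub must peer with the HSRP VIP, never with a physical address.
    for label, addr in (("set peer", first(r"^\s*set peer (\S+)", hub_cfg)),
                        ("isakmp key address", first(r"^\s*crypto isakmp key \S+ address (\S+)", hub_cfg))):
        if addr != vip:
            problems.append(f"hub {label} is {addr}, expected HSRP VIP {vip}")
    # 2. The crypto map must be bound to the same standby group name.
    if first(r"^\s*crypto map \S+ redundancy (\S+)", spoke_cfg) != first(r"^\s*standby \d+ name (\S+)", spoke_cfg):
        problems.append("crypto map redundancy name does not match the standby group name")
    # 3. DPD must be periodic so a dead peer is noticed without waiting for traffic.
    if first(r"^\s*crypto isakmp keepalive \d+ (periodic)", spoke_cfg) is None:
        problems.append("DPD keepalive is missing or not periodic")
    # 4. RRI must be static (route exists before any SA) and its tag must be the one redistributed.
    m = re.search(r"^\s*reverse-route tag (\d+)( static)?", spoke_cfg, re.MULTILINE)
    if m is None or m.group(2) is None:
        problems.append("reverse-route is missing or lacks the static keyword")
    elif m.group(1) != first(r"^\s*match tag (\d+)", spoke_cfg):
        problems.append("RRI tag is not matched by the redistribution route-map")
    return problems
```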