高可用性GRE+IPSEC中心—分支
在实际网络运用中我们时常跑GRE+IPSEC来实现我们中心到分支的远程访问回话,这样以来容易配置,而来可用性高,我们知道L2L无论是链路备份还是设备备份,都不是状态备份,当一个点断掉后,用经过几十秒甚至1分多种的时间收敛,才能切换到另一条线路上,重新构建ipsec回话。我们用GRE+IPSEC则可以用更少的时间来切换线路。
要求:
1.实现ipsec高可用性切换
2.在中心站点部署两台vpn网管,跑gre
R1:
crypto isakmp policy 10
authentication pre-share
group 2
crypto isakmp key cisco address 69.1.10.5 no-xauth
crypto isakmp key cisco address 88.88.8.4 no-xauth
crypto ipsec transform-set liang esp-des esp-md5-hmac
mode transport
crypto map mymap local-address Ethernet0/0
crypto map mymap 10 ipsec-isakmp
set peer 69.1.10.5
set transform-set liang
match address 101
crypto map mymap 20 ipsec-isakmp
set peer 88.88.8.4
set transform-set liang
match address 102
!interface Loopback0
ip address 192.168.1.1 255.255.255.0
interface Loopback1
ip address 1.1.1.1 255.255.255.255
interface Tunnel0
bandwidth 1000
ip address 10.1.15.1 255.255.255.0
ip mtu 1438
keepalive 10 3
tunnel source Ethernet0/0
tunnel destination 69.1.10.5
interface Tunnel1
ip address 10.1.14.1 255.255.255.0
ip mtu 1438
keepalive 10 3
tunnel source Ethernet0/0
tunnel destination 88.88.8.4
interface Ethernet0/0
ip address 191.1.1.1 255.255.255.0
half-duplex
crypto map mymap
router ospf 10
router-id 1.1.1.1
log-adjacency-changes
network 1.1.1.1 0.0.0.0 area 0
network 10.1.15.0 0.0.0.255 area 1
network 10.1.14.0 0.0.0.255 area 1
network 192.168.1.0 0.0.0.255 area 0
ip route 0.0.0.0 0.0.0.0 191.1.1.3
access-list 101 permit gre host 191.1.1.1 host 69.1.10.5
access-list 102 permit gre host 191.1.1.1 host 88.88.8.4
R2:
crypto isakmp policy 10
authentication pre-share
group 2
crypto isakmp key cisco address 88.88.8.4 no-xauth
crypto isakmp key cisco address 69.1.10.5 no-xauth
crypto ipsec transform-set liang esp-des esp-md5-hmac
mode transport
crypto map mymap local-address Ethernet0/1
crypto map mymap 10 ipsec-isakmp
set peer 88.88.8.4
set transform-set liang
match address 101
crypto map mymap 20 ipsec-isakmp
set peer 69.1.10.5
set transform-set liang
match address 102
interface Loopback0
ip address 192.168.2.2 255.255.255.0
interface Loopback1
ip address 2.2.2.2 255.255.255.255
interface Tunnel0
bandwidth 1000
ip address 10.1.24.2 255.255.255.0
ip mtu 1483
keepalive 10 3
tunnel source Ethernet0/1
tunnel destination 88.88.8.4
interface Tunnel1
ip address 10.1.25.2 255.255.255.0
ip mtu 1438
keepalive 10 3
tunnel source Ethernet0/1
tunnel destination 69.1.10.5
interface Ethernet0/1
ip address 192.1.1.2 255.255.255.0
router ospf 10
log-adjacency-changes
network 10.1.24.0 0.0.0.255 area 1
network 10.1.25.0 0.0.0.255 area 1
ip route 0.0.0.0 0.0.0.0 192.1.1.3
access-list 101 permit gre host 192.1.1.2 host 88.88.8.4
access-list 102 permit gre host 192.1.1.2 host 69.1.10.5
R4
crypto isakmp policy 10
authentication pre-share
group 2
crypto isakmp key cisco address 192.1.1.2 no-xauth
crypto isakmp key cisco address 191.1.1.1 no-xauth
crypto ipsec transform-set liang esp-des esp-md5-hmac
mode transport
crypto map mymap local-address Ethernet0/2
crypto map mymap 10 ipsec-isakmp
set peer 192.1.1.2
set transform-set liang
match address 101
crypto map mymap 20 ipsec-isakmp
set peer 191.1.1.1
set transform-set liang
match address 102
interface Loopback0
ip address 4.4.4.4 255.255.255.255
iterface Tunnel0
bandwidth 1000
ip address 10.1.24.4 255.255.255.0
ip mtu 1483
keepalive 10 3
tunnel source Ethernet0/2
tunnel destination 192.1.1.2
interface Tunnel1
ip address 10.1.14.4 255.255.255.0
ip mtu 1483
keepalive 10 3
tunnel source Ethernet0/2
tunnel destination 191.1.1.1
interface Ethernet0/0
ip address 192.168.3.4 255.255.255.0
full-duplex
interface Ethernet0/2
ip address 88.88.8.4 255.255.255.0
crypto map mymap
router ospf 10
router-id 4.4.4.4
log-adjacency-changes
network 4.4.4.4 0.0.0.0 area 0
network 10.1.14.0 0.0.0.255 area 1
network 10.1.24.0 0.0.0.255 area 1
network 192.168.3.0 0.0.0.255 area 0
ip route 0.0.0.0 0.0.0.0 88.88.8.3
access-list 101 permit gre host 88.88.8.4 host 192.1.1.2
access-list 102 permit gre host 88.88.8.4 host 191.1.1.1
R5
crypto isakmp policy 10
authentication pre-share
group 2
crypto isakmp key cisco address 191.1.1.1 no-xauth 两个peer 在上为主
crypto isakmp key cisco address 192.1.1.2 no-xauth
crypto ipsec transform-set liang esp-des esp-md5-hmac
mode transport
crypto map mymap local-address Ethernet1/3
crypto map mymap 10 ipsec-isakmp
set peer 191.1.1.1
set transform-set liang
match address 101
crypto map mymap 20 ipsec-isakmp
set peer 192.1.1.2
set transform-set liang
match address 102
interface Loopback0
ip address 5.5.5.5 255.255.255.255
interface Tunnel0
bandwidth 1000 GRE默认带宽是9我们指定1000 使其优先级高成为主线路
ip address 10.1.15.5 255.255.255.0
ip mtu 1438
keepalive 10 3
tunnel source Ethernet1/3
tunnel destination 191.1.1.1
interface Tunnel1
ip address 10.1.25.5 255.255.255.0
ip mtu 1438 指定mtu
keepalive 10 3
tunnel source Ethernet1/3
tunnel destination 192.1.1.2
interface Ethernet1/3
ip address 69.1.10.5 255.255.255.0
half-duplex
crypto map mymap
interface Vlan1
no ip address
router ospf 10
log-adjacency-changes
network 5.5.5.5 0.0.0.0 area 0
network 10.1.15.0 0.0.0.255 area 1
network 10.1.25.0 0.0.0.255 area 1
network 192.168.4.0 0.0.0.255 area 0
ip route 0.0.0.0 0.0.0.0 69.1.10.3
access-list 101 permit gre host 69.1.10.5 host 191.1.1.1
access-list 102 permit gre host 69.1.10.5 host 192.1.1.2
r2#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 192.1.1.3 to network 0.0.0.0
1.0.0.0/32 is subnetted, 1 subnets
O IA 1.1.1.1 [110/11212] via 10.1.25.5, 00:19:40, Tunnel1 通过主链路学到的路由
2.0.0.0/32 is subnetted, 1 subnets
C 2.2.2.2 is directly connected, Loopback1
4.0.0.0/32 is subnetted, 1 subnets
O IA 4.4.4.4 [110/11114] via 10.1.25.5, 00:19:40, Tunnel1
5.0.0.0/32 is subnetted, 1 subnets
O IA 5.5.5.5 [110/11112] via 10.1.25.5, 00:19:40, Tunnel1
6.0.0.0/32 is subnetted, 1 subnets
O IA 6.6.6.6 [110/11113] via 10.1.25.5, 00:19:40, Tunnel1
O IA 192.168.4.0/24 [110/11112] via 10.1.25.5, 00:19:40, Tunnel1
10.0.0.0/24 is subnetted, 4 subnets
O 10.1.15.0 [110/11211] via 10.1.25.5, 00:19:40, Tunnel1
O IA 10.1.14.0 [110/22224] via 10.1.25.5, 00:00:09, Tunnel1
C 10.1.25.0 is directly connected, Tunnel1
C 10.1.24.0 is directly connected, Tunnel0
C 192.1.1.0/24 is directly connected, Ethernet0/1
192.168.1.0/32 is subnetted, 1 subnets
O IA 192.168.1.1 [110/11212] via 10.1.25.5, 00:19:40, Tunnel1
C 192.168.2.0/24 is directly connected, Loopback0
O IA 192.168.3.0/24 [110/11113] via 10.1.25.5, 00:19:40, Tunnel1
S* 0.0.0.0/0 [1/0] via 192.1.1.3
当r4出现线路故障,自动切换到r5
此图与L2L站点到站点vpn优势:
1.自动切换,时间短,
2.无须匹配加密数据流,可跑动态路由协议,自己协商,方便,我们只需配置GRE其他的让她们自己去协商
3.配置简单,方便配错,特别是对于多点配置,L2Lvpn配置起来超麻烦,站点多了要配DMVPN,在这我们只需起一条 tunnel 隧道就行了!
4.还有更加简单的配置 用ipsec pro 这个有时间我补在后面
5.等等 呵呵
本文转自q狼的诱惑 51CTO博客,原文链接:http://blog.51cto.com/liangrui/533202,如需转载请自行联系原作者
高可用性GRE+IPSEC中心—分支相关推荐
- H3C IPsec多分支经由总部互通
1.总部采用MSR56设备,分支采用MSR36和MSR30 2.分支和总部之间起IPsec: 3.分支之间不直接建立IPsec,经由总部IPsec 实现分支互通. 总部PC地址为:3.3.3.3 分支 ...
- H3C GRE over ipsec配置
多分支接入的情况下,如果设备支持点到多点GRE隧道,则总部只需要配置一个GRE Tunnle,但是设备不支持此特性的话,只能在总部为每个分支建立一个GRE Tunnle. 总部: 公网地址:100.0 ...
- 双出口NAT+PBR+IPSec V*N
拓扑: 描述: 1.总部HQ有2条公网出口,出接口e0/1连接ISP-1,出接口e0/2接口连接ISP-2: 2.该拓扑有3个分支机构,分别为Branch1.Branch2.Branch3,其中Bra ...
- IaaS私有云数据中心系统设计-罗逸秀(IaaS 云数据中心)
IaaS私有云数据中心将逐步替代原有形态的企业数据中心,为企业日常IT等业务运营环境提供更加强有力的支持. IaaS私有云数据中心系统设计 文/罗逸秀 当前云计算产业正在如火如荼的发展,大型互联网运营 ...
- 学习笔记——IPSec
目录 一.整个IPsec工作过程 二.IKE阶段1 三.IKE阶段2 四.IPsec协议 五.华为设备配置命令 (一)安全提议 xxx proposal (二)IKE对等体 ike peer (三 ...
- [MSDN版本][32bit/64bit]Windows 2003 R2 With Sp2[中/英][标准/企业/数据中心]
Windows 2003 SP2版本的VOL(中英文,32位和64位)已经出来了,系统狂们又要开示'浪费电'了,我昨天第一时间下好后,安装在虚拟机中了,虽然这次下载的都带R2的CD2,不过R2确实很多 ...
- 防火墙——IPSec协议框架(IPSec1)
目录 基本概念 安全联盟SA IPSec对等体 基本概念 SA建立方式 SA唯一标识符 安全协议 协议类型比较 AH: 报头验证协议 ESP:封装安全载荷协议 协议比较 报文封装模式 传输模式 封装模 ...
- Linux拨IPSec网络不通,ISAKMP/IPSEC SA协商成功但数据不通
1.故障现象 在路由器上查看isakmp sa和ipsec sa都已经成功建立,但通过ipsec保护的业务无法正常通信 1)查看isakmp sa,成功建立: Ruijie#show crypto i ...
- Git 最佳实践:分支管理
5月份,为统一团队git分支管理规范,刚开始准备自己写,在网上搜了下,发现不少不错的git分支管理实践.最后我为团队选择了这个git分支管理实践 A successful Git branching ...
最新文章
- 为SharePoint顶部链接开发自定义数据源
- fedora下重用ssh连接 类似secureCRT的clone session功能
- 基于吉日嘎拉的通用权限管理WebForm版扩展:字典选项管理和缓存管理
- 阿里云李响荣获 2020 中国开源杰出贡献人物奖,我们找他聊了聊开源和云原生
- Qt Creator进阶使用
- C语言重复加一个数的所有位数字的算法(附完整源码)
- 工作373-前端 import与export区别
- 又拍云 php,GitHub - NoDurex/php-sdk: 又拍云存储PHP SDK
- 【Spring】使用数据源连接池访问数据库
- vcpkg安装boost的一些问题,
- VM虚拟机浏览器替代软件-VMLogin虚拟多登指纹浏览器,超级浏览器,防关联浏览器
- 手术麻醉管理系统方案/案列/小程序/网站
- 2021年最新程序员培训机构排名,学习前避坑必看
- 【CS学习笔记】14、powerup提权的方法
- Flutter绘制指南06-颜色的基本操作
- ev4视频转换为mp4工具使用教程
- 2007年开关稳压电源设计报告!!!
- dell服务器安装(dellemc服务器)
- 零起点Python大数据与量化交易
- java编程-计算两个坐标点之间的距离
热门文章
- 儿童磁铁玩具,磁性积木片CPC认证,ASTM F963、CPSIA测试
- linux服务器安装gmt,linux GMT简易安装
- c语言表示整型变量,在表示 C语言的整型变量时,表示“无符号长整型”的符号是( )。...
- 实力踩坑:There is no getter for property named ‘XXX‘ ‘class XXX‘
- 自动驾驶相关技术网址汇总
- [原创]高熵合金分子动力学仿真---前篇
- aix 磁带机增量备份
- 聊天室项目(一)-展示
- matlab经典教程分享
- 参加英特尔迅驰二代风尚盛典发布会小记