IPsec VPN Configuration: High Availability for IPsec VPN
Normally we want IPsec VPN traffic to fail over seamlessly between the primary and backup routers, which can be achieved by combining HSRP with SSO. HSRP provides hot standby for the access traffic: as soon as the primary router goes down, HSRP immediately fails the IKE information and SAs over to the backup router; SSO is what allows the primary and backup routers to share IKE and SA information.
SPOKE configuration:
1. Define the interesting traffic and routing:
- SPOKE(config)#access-list 100 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
- SPOKE(config)#ip route 0.0.0.0 0.0.0.0 serial0/0
2. Enable ISAKMP globally and define the peer and its PSK (pre-shared key):
- SPOKE(config)#crypto isakmp enable
- SPOKE(config)#crypto isakmp key 91lab address 0.0.0.0 0.0.0.0
3. Define the IKE policy:
- SPOKE(config)#crypto isakmp policy 10
- SPOKE(config-isakmp)#encryption aes 128 /---default is DES encryption---/
- SPOKE(config-isakmp)#hash sha /---default is SHA-1---/
- SPOKE(config-isakmp)#authentication pre-share
- SPOKE(config-isakmp)#group 2 /---default is 768-bit DH group 1---/
- SPOKE(config-isakmp)#lifetime 3600 /---default is 86400 seconds---/
- SPOKE(config-isakmp)#exit
4. Define the IPsec transform set:
- SPOKE(config)#crypto ipsec transform-set nuaiko esp-aes 128 esp-sha-hmac
- SPOKE(cfg-crypto-trans)#exit
5. Define the crypto map and apply it to the interface:
- SPOKE(config)#crypto map ccsp 10 ipsec-isakmp
- SPOKE(config-crypto-map)#match address 100
- SPOKE(config-crypto-map)#set peer 16.1.1.254 /---peer address for the crypto map; here it is the HSRP virtual IP address of the remote hub pair---/
- SPOKE(config-crypto-map)#set transform-set nuaiko /---IPsec transform set the crypto map applies---/
- SPOKE(config-crypto-map)#exit
- SPOKE(config)#interface serial0/0
- SPOKE(config-if)#crypto map ccsp
- *Mar 1 00:08:31.131: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
- SPOKE(config-if)#end
- SPOKE#
SPOKE configuration complete.
HUB1 configuration:
1. Define the interesting traffic and routing:
- HUB1(config)#access-list 100 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
- HUB1(config)#ip route 0.0.0.0 0.0.0.0 16.1.1.3
2. Enable ISAKMP globally and define the peer and its PSK (pre-shared key):
- HUB1(config)#crypto isakmp enable
- HUB1(config)#crypto isakmp key 91lab address 0.0.0.0 0.0.0.0
3. Define the IKE policy:
- HUB1(config)#crypto isakmp policy 10
- HUB1(config-isakmp)#encryption aes 128 /---default is DES encryption---/
- HUB1(config-isakmp)#hash sha /---default is SHA-1---/
- HUB1(config-isakmp)#authentication pre-share
- HUB1(config-isakmp)#group 2 /---default is 768-bit DH group 1---/
- HUB1(config-isakmp)#lifetime 3600 /---default is 86400 seconds---/
- HUB1(config-isakmp)#exit
4. Define the IPsec transform set:
- HUB1(config)#crypto ipsec transform-set nuaiko esp-aes 128 esp-sha-hmac
- HUB1(cfg-crypto-trans)#exit
5. Define the crypto map:
- HUB1(config)#crypto map ccsp 10 ipsec-isakmp
- HUB1(config-crypto-map)#match address 100
- HUB1(config-crypto-map)#set peer 173.1.1.1 /---peer address the crypto map applies to---/
- HUB1(config-crypto-map)#set transform-set nuaiko /---IPsec transform set the crypto map applies---/
- HUB1(config-crypto-map)#exit
6. Enable HSRP and apply the crypto map:
- HUB1(config)#interface ethernet 0/0
- HUB1(config-if)#standby 1 ip 16.1.1.254 /---virtual IP address of HSRP group 1---/
- HUB1(config-if)#standby 1 priority 105
- HUB1(config-if)#standby 1 preempt /---enable preemption---/
- *Mar 1 00:45:37.987: %HSRP-6-STATECHANGE: Ethernet0/0 Grp 1 state Speak -> Standby
- *Mar 1 00:45:37.987: %HSRP-6-STATECHANGE: Ethernet0/0 Grp 1 state Standby -> Active
- HUB1(config-if)#standby 1 name ss1 /---name the HSRP redundancy group---/
- HUB1(config-if)#standby 1 track ethernet 0/1 /---HSRP interface tracking---/
- HUB1(config-if)#crypto map ccsp redundancy ss1 stateful /---apply the crypto map and define the stateful backup IPsec peer---/
- *Mar 1 00:46:47.591: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
- HUB1(config-if)#standby delay reload 120 /---delay HSRP group initialisation after a reload; Cisco recommends 120 seconds---/
- HUB1(config)#interface ethernet 0/1
- HUB1(config-if)#standby 2 ip 10.2.2.254
- HUB1(config-if)#standby 2 preempt
- *Mar 1 00:49:20.791: %HSRP-6-STATECHANGE: Ethernet0/1 Grp 2 state Speak -> Standby
- *Mar 1 00:49:20.791: %HSRP-6-STATECHANGE: Ethernet0/1 Grp 2 state Standby -> Active
- HUB1(config-if)#standby 2 track ethernet 0/0
- HUB1(config-if)#standby 2 name ss2
7. Enable stateful switchover (SSO):
- HUB1(config)#redundancy inter-device
- HUB1(config-red-interdevice)#scheme standby ss2
- HUB1(config-red-interdevice)#exit
- HUB1(config)#ipc zone default
- HUB1(config-ipczone)#association 1
- HUB1(config-ipczone-assoc)#no shutdown
- HUB1(config-ipczone-assoc)#protocol sctp
- HUB1(config-ipc-protocol-sctp)#local-port 5000
- HUB1(config-ipc-local-sctp)#local-ip 10.2.2.1
- HUB1(config-ipc-local-sctp)#exit
- HUB1(config-ipc-protocol-sctp)#remote-port 5000
- HUB1(config-ipc-remote-sctp)#remote-ip 10.2.2.2
Similarly, the corresponding HUB2 configuration is:
- !
- crypto isakmp policy 10
- encr aes
- authentication pre-share
- group 2
- crypto isakmp key 91lab address 0.0.0.0 0.0.0.0
- !
- crypto ipsec transform-set nuaiko esp-aes esp-sha-hmac
- !
- crypto map cisco 10 ipsec-isakmp
- set peer 173.1.1.2
- set transform-set nuaiko
- match address 100
- !
- interface ethernet 0/0
- standby 1 ip 16.1.1.254
- standby 1 priority 105
- standby 1 preempt
- standby 1 name ss1
- standby 1 track ethernet 0/1
- crypto map cisco redundancy ss1 stateful
- standby delay reload 120
- !
- interface ethernet 0/1
- ip address 10.2.2.2 255.255.255.0
- standby 2 ip 10.2.2.254
- standby 2 priority 105
- standby 2 preempt
- standby 2 name ss2
- standby 2 track ethernet 0/0
- standby delay reload 120
- !
- ip route 0.0.0.0 0.0.0.0 16.1.1.3
- !
- access-list 100 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
- !
- redundancy inter-device
- scheme standby ss2
- !
- ipc zone default
- association 1
- no shutdown
- protocol sctp
- local-port 5000
- local-ip 10.2.2.2
- remote-port 5000
- remote-ip 10.2.2.1
HUB2 configuration complete.
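As an added example that is not part of the original page, the following Python script checks a hub's configuration for the consistency conditions the stateful-failover design above depends on: every transform set a crypto map references must be defined, the HSRP group named in `redundancy ... stateful` and in the SSO `scheme standby` must exist, and the ISAKMP pre-shared key must be the one the spoke uses (a 0.0.0.0 wildcard key is also flagged). The sample configuration is constructed in the style of the HUB2 config and deliberately contains the kind of mismatches such a check catches.

```python
import re

# Constructed sample (not the page's text) in the style of the HUB2 config:
# the crypto map names a transform set that is never defined, and the PSK is
# a 0.0.0.0 wildcard that also differs from the spoke's key "91lab".
SAMPLE_CONFIG = """\
crypto isakmp key cisco1234 address 0.0.0.0 0.0.0.0
crypto ipsec transform-set nuaiko esp-aes esp-sha-hmac
crypto map cisco 10 ipsec-isakmp
 set transform-set ccsp
 match address 100
interface ethernet 0/0
 standby 1 ip 16.1.1.254
 standby 1 name ss1
 crypto map cisco redundancy ss1 stateful
interface ethernet 0/1
 standby 2 ip 10.2.2.254
 standby 2 name ss2
redundancy inter-device
 scheme standby ss2
"""

def check_hub_config(config, expected_psk):
    """Return a list of findings for one hub of an IPsec HSRP/SSO pair."""
    findings = []
    def grep(pattern):
        return re.findall(pattern, config, re.M)
    # Every transform set referenced by a crypto map must be defined.
    defined = set(grep(r"^crypto ipsec transform-set (\S+)"))
    for name in grep(r"^\s*set transform-set (\S+)"):
        if name not in defined:
            findings.append(f"crypto map references undefined transform-set '{name}'")
    # The HSRP group named by 'redundancy ... stateful' and by the SSO
    # 'scheme standby' must exist as 'standby N name' on some interface.
    groups = set(grep(r"^\s*standby \d+ name (\S+)"))
    refs = grep(r"^\s*crypto map \S+ redundancy (\S+) stateful")
    refs += grep(r"^\s*scheme standby (\S+)")
    for grp in refs:
        if grp not in groups:
            findings.append(f"HSRP group '{grp}' is referenced but never named")
    # Both hubs must hold the spoke's PSK, or IKE fails at the first rekey
    # after a switchover; a 0.0.0.0 wildcard accepts the key from any address.
    for key, addr, mask in grep(r"^crypto isakmp key (\S+) address (\S+)[ \t]*(\S*)"):
        if key != expected_psk:
            findings.append("ISAKMP pre-shared key does not match the spoke's key")
        if addr == "0.0.0.0" and mask in ("", "0.0.0.0"):
            findings.append("wildcard pre-shared key is accepted from any peer address")
    return findings
```

Run it against both hubs' configurations with the spoke's key; an empty list means the pair is consistent.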