High-availability GRE+IPsec hub-and-spoke

In real networks we often run GRE over IPsec for hub-to-branch connectivity: it is easy to configure and highly available. A plain LAN-to-LAN (L2L) IPsec design, whether it relies on link backup or device backup, is not stateful failover: when an endpoint goes down it takes tens of seconds, sometimes more than a minute, to converge onto the other path and rebuild the IPsec session. With GRE over IPsec a routing protocol runs inside the tunnels, so the switch to the other path takes less time. In the lab below the failure is detected by the GRE keepalive (keepalive 10 3, i.e. three missed 10-second keepalives, 30 seconds), which takes the tunnel interface down and lets OSPF reroute before its 40-second dead interval would. Note that the crypto parameters used throughout (esp-des esp-md5-hmac, DH group 2, an ISAKMP policy with no encryption line, which defaults to DES, and the pre-shared key cisco) are lab-grade only; in production use AES and SHA-2 with DH group 14 or higher and a strong per-peer key.


Requirements:

1. IPsec high-availability failover between the two paths.

2. Two VPN gateways at the central site (R4 and R5 below), each running GRE tunnels to the branch routers (R1 and R2).

R1:

crypto isakmp policy 10
 authentication pre-share
 group 2
crypto isakmp key cisco address 69.1.10.5 no-xauth
crypto isakmp key cisco address 88.88.8.4 no-xauth
crypto ipsec transform-set liang esp-des esp-md5-hmac
 mode transport
crypto map mymap local-address Ethernet0/0
crypto map mymap 10 ipsec-isakmp
 set peer 69.1.10.5
 set transform-set liang
 match address 101
crypto map mymap 20 ipsec-isakmp
 set peer 88.88.8.4
 set transform-set liang
 match address 102
interface Loopback0
 ip address 192.168.1.1 255.255.255.0
interface Loopback1
 ip address 1.1.1.1 255.255.255.255
interface Tunnel0
 bandwidth 1000
 ip address 10.1.15.1 255.255.255.0
 ip mtu 1438
 keepalive 10 3
 tunnel source Ethernet0/0
 tunnel destination 69.1.10.5
interface Tunnel1
 ip address 10.1.14.1 255.255.255.0
 ip mtu 1438
 keepalive 10 3
 tunnel source Ethernet0/0
 tunnel destination 88.88.8.4
interface Ethernet0/0
 ip address 191.1.1.1 255.255.255.0
 half-duplex
 crypto map mymap
router ospf 10
 router-id 1.1.1.1
 log-adjacency-changes
 network 1.1.1.1 0.0.0.0 area 0
 network 10.1.15.0 0.0.0.255 area 1
 network 10.1.14.0 0.0.0.255 area 1
 network 192.168.1.0 0.0.0.255 area 0
ip route 0.0.0.0 0.0.0.0 191.1.1.3
access-list 101 permit gre host 191.1.1.1 host 69.1.10.5
access-list 102 permit gre host 191.1.1.1 host 88.88.8.4

R2:

crypto isakmp policy 10
 authentication pre-share
 group 2
crypto isakmp key cisco address 88.88.8.4 no-xauth
crypto isakmp key cisco address 69.1.10.5 no-xauth
crypto ipsec transform-set liang esp-des esp-md5-hmac
 mode transport
crypto map mymap local-address Ethernet0/1
crypto map mymap 10 ipsec-isakmp
 set peer 88.88.8.4
 set transform-set liang
 match address 101
crypto map mymap 20 ipsec-isakmp
 set peer 69.1.10.5
 set transform-set liang
 match address 102
interface Loopback0
 ip address 192.168.2.2 255.255.255.0
interface Loopback1
 ip address 2.2.2.2 255.255.255.255      
interface Tunnel0
 bandwidth 1000
 ip address 10.1.24.2 255.255.255.0
 ip mtu 1483
 keepalive 10 3
 tunnel source Ethernet0/1
 tunnel destination 88.88.8.4
interface Tunnel1
 ip address 10.1.25.2 255.255.255.0
 ip mtu 1438
 keepalive 10 3
 tunnel source Ethernet0/1
 tunnel destination 69.1.10.5
interface Ethernet0/1
 ip address 192.1.1.2 255.255.255.0
 crypto map mymap
! 'crypto map mymap' was missing from the original listing; the local-address above names
! Ethernet0/1, and without the map applied here the GRE to R4/R5 would leave in the clear
router ospf 10
 log-adjacency-changes
 network 10.1.24.0 0.0.0.255 area 1
 network 10.1.25.0 0.0.0.255 area 1
ip route 0.0.0.0 0.0.0.0 192.1.1.3     
access-list 101 permit gre host 192.1.1.2 host 88.88.8.4
access-list 102 permit gre host 192.1.1.2 host 69.1.10.5

R4:

crypto isakmp policy 10
 authentication pre-share
 group 2
crypto isakmp key cisco address 192.1.1.2 no-xauth
crypto isakmp key cisco address 191.1.1.1 no-xauth
crypto ipsec transform-set liang esp-des esp-md5-hmac
 mode transport
crypto map mymap local-address Ethernet0/2
crypto map mymap 10 ipsec-isakmp
 set peer 192.1.1.2
 set transform-set liang
 match address 101
crypto map mymap 20 ipsec-isakmp
 set peer 191.1.1.1
 set transform-set liang
 match address 102
interface Loopback0
 ip address 4.4.4.4 255.255.255.255
interface Tunnel0
 bandwidth 1000
 ip address 10.1.24.4 255.255.255.0
 ip mtu 1483
 keepalive 10 3
 tunnel source Ethernet0/2
 tunnel destination 192.1.1.2
interface Tunnel1
 ip address 10.1.14.4 255.255.255.0
! was 1483 in the original listing; must match the far end (R1 Tunnel1 uses ip mtu 1438),
! otherwise the OSPF adjacency over this tunnel sticks in EXSTART
 ip mtu 1438
 keepalive 10 3
 tunnel source Ethernet0/2
 tunnel destination 191.1.1.1
interface Ethernet0/0
 ip address 192.168.3.4 255.255.255.0
 full-duplex
interface Ethernet0/2
 ip address 88.88.8.4 255.255.255.0
 crypto map mymap
router ospf 10
 router-id 4.4.4.4
 log-adjacency-changes
 network 4.4.4.4 0.0.0.0 area 0
 network 10.1.14.0 0.0.0.255 area 1
 network 10.1.24.0 0.0.0.255 area 1
 network 192.168.3.0 0.0.0.255 area 0
ip route 0.0.0.0 0.0.0.0 88.88.8.3
access-list 101 permit gre host 88.88.8.4 host 192.1.1.2
access-list 102 permit gre host 88.88.8.4 host 191.1.1.1

R5:

crypto isakmp policy 10
 authentication pre-share
 group 2
! two peers; the author marks the first listed (R1, 191.1.1.1) as the primary. The order of
! these keys and of the crypto map entries does not set priority by itself; the primary path
! is chosen by OSPF cost, i.e. the bandwidth value on the tunnel interfaces below
crypto isakmp key cisco address 191.1.1.1 no-xauth
crypto isakmp key cisco address 192.1.1.2 no-xauth
crypto ipsec transform-set liang esp-des esp-md5-hmac
 mode transport
crypto map mymap local-address Ethernet1/3
crypto map mymap 10 ipsec-isakmp
 set peer 191.1.1.1
 set transform-set liang
 match address 101
crypto map mymap 20 ipsec-isakmp
 set peer 192.1.1.2
 set transform-set liang
 match address 102
interface Loopback0
 ip address 5.5.5.5 255.255.255.255
interface Tunnel0
! a Tunnel interface defaults to bandwidth 9 (kbps), OSPF cost 100000/9 = 11111;
! bandwidth 1000 gives cost 100, so OSPF prefers this tunnel and it becomes the primary path
 bandwidth 1000
 ip address 10.1.15.5 255.255.255.0
 ip mtu 1438
 keepalive 10 3
 tunnel source Ethernet1/3
 tunnel destination 191.1.1.1
interface Tunnel1
 ip address 10.1.25.5 255.255.255.0
! tunnel MTU; must match the far end (R2 Tunnel1 also uses 1438)
 ip mtu 1438
 keepalive 10 3
 tunnel source Ethernet1/3
 tunnel destination 192.1.1.2
interface Ethernet1/3
 ip address 69.1.10.5 255.255.255.0
 half-duplex
 crypto map mymap
interface Vlan1
 no ip address    
router ospf 10
 log-adjacency-changes
 network 5.5.5.5 0.0.0.0 area 0
 network 10.1.15.0 0.0.0.255 area 1
 network 10.1.25.0 0.0.0.255 area 1
 network 192.168.4.0 0.0.0.255 area 0
! 192.168.4.0/24 is the central-site LAN; its interface is not included in this excerpt
ip route 0.0.0.0 0.0.0.0 69.1.10.3
access-list 101 permit gre host 69.1.10.5 host 191.1.1.1
access-list 102 permit gre host 69.1.10.5 host 192.1.1.2
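Before trusting a crypto-map design like the one above, a reviewer checks a few things that IOS will not complain about but that silently break or weaken it. The following Python linter is an added example written for this page, not the original author's code. The three strings are constructed excerpts trimmed from the R1, R2 and R4 configs as originally posted (crypto and tunnel lines only): R2's Ethernet0/1 carries no `crypto map mymap` although it is the `local-address`, so its GRE would leave unencrypted and the peer drops inbound cleartext that matches its crypto ACL; R4's Tunnel1 has `ip mtu 1483` against R1's 1438, which stalls the OSPF adjacency in EXSTART; the ISAKMP policy has no `encryption` line (IOS defaults to DES) and uses group 2; the transform set is DES/MD5; and the pre-shared key is short. The keepalive check compares the GRE keepalive detection time with the OSPF dead interval, because the keepalive is what makes this design fail over faster than a plain L2L tunnel.

```python
import re

# Constructed excerpts trimmed from the R1, R2 and R4 configs on this page; R2's
# Ethernet0/1 and R4's 'ip mtu 1483' are kept exactly as originally posted.
R1_CFG = """\
crypto isakmp policy 10
 authentication pre-share
 group 2
crypto isakmp key cisco address 88.88.8.4 no-xauth
crypto ipsec transform-set liang esp-des esp-md5-hmac
 mode transport
crypto map mymap local-address Ethernet0/0
interface Tunnel1
 ip address 10.1.14.1 255.255.255.0
 ip mtu 1438
 keepalive 10 3
interface Ethernet0/0
 ip address 191.1.1.1 255.255.255.0
 crypto map mymap
"""
R2_CFG = """\
crypto map mymap local-address Ethernet0/1
interface Ethernet0/1
 ip address 192.1.1.2 255.255.255.0
"""
R4_CFG = """\
crypto map mymap local-address Ethernet0/2
interface Tunnel1
 ip address 10.1.14.4 255.255.255.0
 ip mtu 1483
 keepalive 10 3
interface Ethernet0/2
 ip address 88.88.8.4 255.255.255.0
 crypto map mymap
"""
WEAK_ALG = {"esp-des", "esp-3des", "esp-md5-hmac", "des", "3des", "md5"}
WEAK_DH = {"group 1", "group 2", "group 5"}   # DH groups below 2048-bit MODP

def parse_ios(text):
    """Split running-config text into (header, [indented child lines]) blocks."""
    blocks = []
    for raw in text.splitlines():
        if raw.strip() and not raw.startswith("!"):
            if raw.startswith(" "):
                blocks[-1][1].append(raw.strip())
            else:
                blocks.append((raw.strip(), []))
    return blocks

def tunnels(blocks):
    """Per Tunnel interface: its /24, ip mtu and GRE keepalive (period, retries)."""
    out = {}
    for hdr, body in blocks:
        if hdr.startswith("interface Tunnel"):
            t = {"net": None, "mtu": None, "keepalive": None}
            for w in map(str.split, body):
                if w[:2] == ["ip", "address"]:
                    t["net"] = ".".join(w[2].split(".")[:3])
                elif w[:2] == ["ip", "mtu"]:
                    t["mtu"] = int(w[2])
                elif w[0] == "keepalive":  # IOS defaults: period 10 s, 3 retries
                    t["keepalive"] = (int(w[1]) if len(w) > 1 else 10, int(w[2]) if len(w) > 2 else 3)
            out[hdr.split()[1]] = t
    return out

def lint_router(name, text, ospf_dead=40):
    """Findings for one router; ospf_dead is the OSPF dead interval on its tunnels."""
    findings, blocks = [], parse_ios(text)
    ifaces = {h.split()[1]: b for h, b in blocks if h.startswith("interface ")}
    for hdr, body in blocks:
        w, m = hdr.split(), re.match(r"crypto map (\S+) local-address (\S+)$", hdr)
        if m:
            if f"crypto map {m[1]}" not in ifaces.get(m[2], []):
                findings.append(f"{name}: {m[2]} lacks 'crypto map {m[1]}', GRE to the peers leaves in clear")
        elif hdr.startswith("crypto isakmp policy"):
            if not any(l.startswith("encryption") for l in body):
                findings.append(f"{name}: '{hdr}' has no 'encryption' line, so IOS defaults it to DES")
            findings += [f"{name}: '{hdr}' uses weak '{l}'" for l in body
                         if l in WEAK_DH or l.split()[-1] in WEAK_ALG]
        elif hdr.startswith("crypto isakmp key ") and len(w[3]) < 16:
            findings.append(f"{name}: short pre-shared key for peer {w[5]}")
        elif hdr.startswith("crypto ipsec transform-set") and set(w) & WEAK_ALG:
            findings.append(f"{name}: deprecated transform set '{hdr}'")
    for tn, t in tunnels(blocks).items():
        if t["keepalive"] is None:
            findings.append(f"{name}: {tn} has no GRE keepalive; a dead peer is noticed only by OSPF, after {ospf_dead}s")
        elif t["keepalive"][0] * t["keepalive"][1] >= ospf_dead:
            findings.append(f"{name}: {tn} keepalive detects a dead peer no faster than OSPF would")
    return findings

def lint_mtu(configs):
    """Cross-router check: both ends of each tunnel /24 must agree on ip mtu."""
    ends = {}
    for name, text in configs.items():
        for tn, t in tunnels(parse_ios(text)).items():
            ends.setdefault(t["net"], []).append(f"{name} {tn} mtu {t['mtu']}")
    return [f"{net}.0/24: MTU mismatch ({', '.join(e)})"
            for net, e in ends.items() if len({x.split()[-1] for x in e}) > 1]

if __name__ == "__main__":
    configs = {"R1": R1_CFG, "R2": R2_CFG, "R4": R4_CFG}
    for finding in [f for n, c in configs.items() for f in lint_router(n, c)] + lint_mtu(configs):
        print(finding)
```

Run it against a full `show running-config` capture of each router and it reports the same defects on the real devices. For a production version of this design the transform set should be something like `esp-aes 256 esp-sha256-hmac` and the ISAKMP policy should carry explicit `encryption aes 256`, `hash sha256` and `group 14` lines; the linter flags their absence rather than guessing replacements.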

r2#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 192.1.1.3 to network 0.0.0.0

     1.0.0.0/32 is subnetted, 1 subnets
O IA    1.1.1.1 [110/11212] via 10.1.25.5, 00:19:40, Tunnel1   <-- via Tunnel1 (R5): 11111 default tunnel cost + 100 (R5's bandwidth-1000 tunnel to R1) + 1
     2.0.0.0/32 is subnetted, 1 subnets
C       2.2.2.2 is directly connected, Loopback1
     4.0.0.0/32 is subnetted, 1 subnets
O IA    4.4.4.4 [110/11114] via 10.1.25.5, 00:19:40, Tunnel1
     5.0.0.0/32 is subnetted, 1 subnets
O IA    5.5.5.5 [110/11112] via 10.1.25.5, 00:19:40, Tunnel1
     6.0.0.0/32 is subnetted, 1 subnets
O IA    6.6.6.6 [110/11113] via 10.1.25.5, 00:19:40, Tunnel1
O IA 192.168.4.0/24 [110/11112] via 10.1.25.5, 00:19:40, Tunnel1
     10.0.0.0/24 is subnetted, 4 subnets
O       10.1.15.0 [110/11211] via 10.1.25.5, 00:19:40, Tunnel1
O IA    10.1.14.0 [110/22224] via 10.1.25.5, 00:00:09, Tunnel1
C       10.1.25.0 is directly connected, Tunnel1
C       10.1.24.0 is directly connected, Tunnel0
C    192.1.1.0/24 is directly connected, Ethernet0/1
     192.168.1.0/32 is subnetted, 1 subnets
O IA    192.168.1.1 [110/11212] via 10.1.25.5, 00:19:40, Tunnel1
C    192.168.2.0/24 is directly connected, Loopback0
O IA 192.168.3.0/24 [110/11113] via 10.1.25.5, 00:19:40, Tunnel1
S*   0.0.0.0/0 [1/0] via 192.1.1.3


When R4's path fails, R2 switches automatically to R5. That is what the table above shows: every OSPF route is installed via Tunnel1 (next hop 10.1.25.5, R5) at the default tunnel cost of 11111 plus the hops beyond R5 (5.5.5.5 at 11112, 1.1.1.1 at 11212 through R5's bandwidth-1000 tunnel to R1). While Tunnel0 to R4 (bandwidth 1000, cost 100) is usable, the same destinations are installed via 10.1.24.4 at far lower cost, for example 4.4.4.4 at 101.
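To make the cost arithmetic behind that table checkable, here is an added example (Python, not part of the original post) that models the lab as an OSPF graph and runs SPF from R2 in both states. Tunnel costs come from the bandwidth values configured above (the default 9 kbps gives 11111, bandwidth 1000 gives 100). The central-site LAN R5-R6-R4 at cost 1 per hop is an assumption inferred from the 6.6.6.6 and 192.168.3.0 entries in the table, since R6's config is not on the page. With R4's line down the model reproduces the costs in the r2#show ip route output exactly; with it up every destination is installed via R4 at a cost in the low hundreds.

```python
import heapq

TUNNEL_DEFAULT_KBPS = 9   # IOS default bandwidth on a Tunnel interface -> OSPF cost 11111
LAN_KBPS = 100_000        # assumed central-site LAN (R5-R6-R4) at reference bandwidth -> cost 1

def ospf_cost(bandwidth_kbps, reference_kbps=100_000):
    """IOS OSPF interface cost: reference bandwidth / interface bandwidth, minimum 1."""
    return max(1, reference_kbps // bandwidth_kbps)

def lab_graph(r4_wan_up=True):
    """Directed OSPF graph {node: [(neighbour, cost)]} of the lab. Tunnel bandwidths are
    the ones configured above; advertised prefixes are leaf nodes reached at the cost of
    the interface they sit on (loopbacks: cost 1, advertised as /32)."""
    edges = []
    def link(a, bw_a, b, bw_b):             # point-to-point link, cost per direction
        edges.extend([(a, b, ospf_cost(bw_a)), (b, a, ospf_cost(bw_b))])
    def stub(router, prefix, bw=LAN_KBPS):  # prefix attached to router
        edges.append((router, prefix, ospf_cost(bw)))
    link("R1", 1000, "R5", 1000)                                # R1 Tun0 <-> R5 Tun0: both bandwidth 1000
    link("R2", TUNNEL_DEFAULT_KBPS, "R5", TUNNEL_DEFAULT_KBPS)  # R2 Tun1 <-> R5 Tun1: default bandwidth
    stub("R1", "10.1.15.0/24", 1000); stub("R5", "10.1.15.0/24", 1000)
    if r4_wan_up:                                               # R4's 88.88.8.4 line carries both of its tunnels
        link("R2", 1000, "R4", 1000)                            # R2 Tun0 <-> R4 Tun0: both bandwidth 1000
        link("R1", TUNNEL_DEFAULT_KBPS, "R4", TUNNEL_DEFAULT_KBPS)  # R1 Tun1 <-> R4 Tun1: default
    link("R5", LAN_KBPS, "R6", LAN_KBPS); link("R6", LAN_KBPS, "R4", LAN_KBPS)  # assumed hub LAN
    for r in ("R5", "R6"):
        stub(r, "192.168.4.0/24")
    for r in ("R6", "R4"):
        stub(r, "192.168.3.0/24")
    for r, lo in (("R1", "1.1.1.1/32"), ("R1", "192.168.1.1/32"), ("R4", "4.4.4.4/32"),
                  ("R5", "5.5.5.5/32"), ("R6", "6.6.6.6/32")):
        stub(r, lo)
    graph = {}
    for a, b, c in edges:
        graph.setdefault(a, []).append((b, c))
        graph.setdefault(b, [])
    return graph

def spf(graph, src):
    """Dijkstra from src; returns {node: (cost, next_hop)} as the router installs it."""
    best, heap = {src: (0, "")}, [(0, src, "")]
    while heap:
        cost, node, hop = heapq.heappop(heap)
        if cost > best[node][0]:
            continue
        for nxt, c in graph[node]:
            nh = hop or nxt                     # first router after src on this path
            if nxt not in best or cost + c < best[nxt][0]:
                best[nxt] = (cost + c, nh)
                heapq.heappush(heap, (cost + c, nxt, nh))
    return best

def routing_table(router, r4_wan_up=True):
    """Prefix -> (OSPF cost, next-hop router) from `router`'s point of view."""
    return {p: v for p, v in spf(lab_graph(r4_wan_up), router).items() if "/" in p}

if __name__ == "__main__":
    for state in (True, False):
        print("R4 WAN up" if state else "R4 WAN down (tunnels to R4 lost)")
        for prefix, (cost, nh) in sorted(routing_table("R2", state).items()):
            print(f"  {prefix:18} cost {cost:6} via {nh}")
```

The gap between the two states (cost 101 versus 11114 for 4.4.4.4) is the whole failover mechanism: nothing is reconfigured, OSPF simply loses the cheaper adjacency when the GRE keepalive takes Tunnel0 down and the next-best path through R5 is already in the link-state database.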

Advantages of this design over an L2L site-to-site VPN:

1. Automatic failover with a short switchover time.

2. No per-subnet crypto ACLs: the interesting traffic is just GRE between the two endpoints, and a dynamic routing protocol inside the tunnel learns the prefixes by itself. We configure GRE and let the routing protocol negotiate the rest.

3. Simple configuration that is hard to get wrong, especially with many sites. An L2L VPN becomes very tedious, and with many sites you would need DMVPN; here one tunnel interface per peer is enough.

4. There is an even simpler configuration using IPsec profiles (tunnel protection); I will add it later when I have time.

5. And so on.
