Lab objective:
When GW1 goes down, *** traffic automatically switches over to GW2 and still reaches Inside.
Techniques used:
1. RRI (Reverse Route Injection)
2. DPD (Dead Peer Detection)
3. Default Peer
4. IPsec SA idle-time (SA timeout)
Configuration:
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 64.1.1.1 //peer GW1
crypto isakmp key cisco address 123.1.1.1 //peer GW2
crypto isakmp keepalive 10 periodic //DPD in periodic mode, interval 10 s
!
crypto ipsec transform-set SET esp-3des esp-md5-hmac
!
crypto map cisco 10 ipsec-isakmp
 set peer 64.1.1.1 default //primary peer
 set peer 123.1.1.1 //backup peer
 set security-association idle-time 1200 //after 20 minutes without *** traffic the IPsec SA is cleared automatically, freeing the memory it consumes
 set transform-set SET
 set pfs group5
 match address ***
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface FastEthernet1/0
 ip address 202.1.1.1 255.255.255.0
 duplex auto
 speed auto
 crypto map cisco
!
ip route 0.0.0.0 0.0.0.0 202.1.1.10
!
ip access-list extended ***
 permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
Internet:
interface FastEthernet1/0
 ip address 202.1.1.10 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet1/1
 ip address 64.1.1.10 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet2/0
 ip address 123.1.1.10 255.255.255.0
 duplex auto
 speed auto
GW1:
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 202.1.1.1
crypto isakmp keepalive 10 periodic //DPD
!
crypto ipsec transform-set SET esp-3des esp-md5-hmac
!
crypto map cisco 10 ipsec-isakmp
 set peer 202.1.1.1
 set security-association idle-time 1200
 set transform-set SET
 set pfs group5
 set reverse-route tag 10 //tag the static route injected by RRI with 10
 match address ***
 reverse-route //RRI injects a static route when the IPsec SA comes up; without the static keyword, only the remote side can initiate *** traffic
!
interface FastEthernet1/0
 ip address 64.1.1.1 255.255.255.0
 duplex auto
 speed auto
 crypto map cisco
!
interface FastEthernet1/1
 ip address 10.1.1.10 255.255.255.0
 duplex auto
 speed auto
!
router ospf 1
 redistribute static subnets route-map ***-static-to-ospf //redistribute into Inside
 network 10.1.1.0 0.0.0.255 area 0
!
ip route 0.0.0.0 0.0.0.0 64.1.1.10
!
ip access-list extended ***
 permit ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255
!
route-map ***-static-to-ospf permit 10 //match the reverse-injected routes
 match tag 10
GW2:
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 202.1.1.1
crypto isakmp keepalive 10 periodic
!
crypto ipsec transform-set SET esp-3des esp-md5-hmac
!
crypto map cisco 10 ipsec-isakmp
 set peer 202.1.1.1
 set security-association idle-time 1200
 set transform-set SET
 set pfs group5
 set reverse-route tag 10
 match address ***
 reverse-route
!
interface FastEthernet1/0
 ip address 123.1.1.1 255.255.255.0
 duplex auto
 speed auto
 crypto map cisco
!
interface FastEthernet1/1
 ip address 10.1.1.20 255.255.255.0
 duplex auto
 speed auto
!
router ospf 1
 redistribute static subnets route-map ***-static-to-ospf
 network 10.1.1.0 0.0.0.255 area 0
!
ip route 0.0.0.0 0.0.0.0 123.1.1.10
!
ip access-list extended ***
 permit ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255
!
route-map ***-static-to-ospf permit 10
 match tag 10
Inside:
interface Loopback0
 ip address 2.2.2.2 255.255.255.0
!
interface FastEthernet1/0
 ip address 10.1.1.1 255.255.255.0
 duplex auto
 speed auto
!
router ospf 1
 network 2.2.2.0 0.0.0.255 area 0
 network 10.1.1.0 0.0.0.255 area 0
Test:
Inside learns a route to the peer network 1.1.1.0/24 with next hop 10.1.1.10.
After GW1 goes down
the switchover takes a relatively long time;
GW2 reverse-injects a static route, and
Inside learns a route to 1.1.1.0/24 with next hop 10.1.1.20.
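The test shows the switch to GW2, but the `default` keyword on the primary peer and the 1200 s idle-time also decide what happens afterwards. The following Python model is an added example, not from the post: it follows Cisco's description of the preferred-peer behaviour (negotiate with the default peer first, fall through the list when a peer is unreachable, never pre-empt while an SA with the backup exists, and start again from the default peer once the SA has been torn down, here by the idle timer; with no default peer the router keeps using the last working peer). DPD is abstracted to a single "peer declared dead" event, and the timeline values are constructed for the scenario.

```python
class CryptoMapPeers:
    """Model of peer selection for one crypto map entry (assumed behaviour,
    see the lead-in): default peer first, then the rest of the list; a DPD
    failure removes the SA; no pre-emption while a backup SA exists; after the
    SA is cleared the next packet starts again from the default peer. Without a
    default peer the router resumes from the last peer that worked."""

    def __init__(self, peers, default=None, idle_time=1200):
        self.peers = list(peers)
        self.default = default
        self.idle_time = idle_time
        self.reachable = set(peers)
        self.active = None         # peer we currently hold an IPsec SA with
        self.last_used = peers[0]  # where a map without a default peer resumes
        self.last_traffic = None

    def _order(self):
        """Order in which peers are tried for a fresh negotiation."""
        first = self.default or self.last_used
        return [first] + [p for p in self.peers if p != first]

    def traffic(self, now):
        """A packet matching the crypto ACL: refresh the idle timer, or
        negotiate a new SA if none exists. Returns the peer in use."""
        if self.active is None:
            for peer in self._order():
                if peer in self.reachable:
                    self.active = self.last_used = peer
                    break
        if self.active is not None:
            self.last_traffic = now
        return self.active

    def dpd_dead(self, peer):
        """DPD declared the peer dead: drop the SA if it was with that peer."""
        self.reachable.discard(peer)
        if self.active == peer:
            self.active = None

    def peer_up(self, peer):
        """The peer is reachable again; nothing changes until the SA is gone."""
        self.reachable.add(peer)

    def idle_check(self, now):
        """Clear the SA once idle_time seconds have passed without traffic."""
        if self.active is not None and now - self.last_traffic >= self.idle_time:
            self.active = None
            return True
        return False


def run_scenario(default):
    """GW1 dies, traffic moves to GW2, GW1 returns, then the tunnel goes idle.
    Returns the peer used at each of the four traffic events."""
    cm = CryptoMapPeers(["64.1.1.1", "123.1.1.1"], default=default, idle_time=1200)
    used = [cm.traffic(0)]          # initial SA
    cm.dpd_dead("64.1.1.1")         # GW1 down, DPD removes the SA
    used.append(cm.traffic(120))    # next packet negotiates with the backup
    cm.peer_up("64.1.1.1")          # GW1 is back
    used.append(cm.traffic(600))    # no pre-emption while the backup SA lives
    cm.idle_check(600 + 1200)       # 20 minutes of silence clears the SA
    used.append(cm.traffic(1801))   # first packet after the idle period
    return used


if __name__ == "__main__":
    print("with default peer   :", run_scenario("64.1.1.1"))
    print("without default peer:", run_scenario(None))
```

With `set peer 64.1.1.1 default` the last event goes back to GW1; without the keyword the map stays on GW2 indefinitely. The idle timer is therefore not only a memory saver, as the comment in the configuration says, but also the mechanism that gives the default peer a chance to take traffic back.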