High Availability *** (Link Backup)


Lab objective:

When GW1 goes down, *** traffic automatically switches over to GW2 and still reaches Inside.

Technologies used:
1. RRI (Reverse Route Injection)

2. DPD (Dead Peer Detection)

3. Default Peer

4. IPsec SA idle-time (sets the SA timeout)

 

Configuration (branch router):

crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco address 64.1.1.1 //peer GW1
crypto isakmp key cisco address 123.1.1.1 //peer GW2
crypto isakmp keepalive 10 periodic //DPD in periodic mode, interval 10s
!
crypto ipsec transform-set SET esp-3des esp-md5-hmac
!
crypto map cisco 10 ipsec-isakmp
set peer 64.1.1.1 default //primary peer
set peer 123.1.1.1 //backup peer
set security-association idle-time 1200 //after 20 minutes without *** traffic the IPsec SA is torn down, freeing the memory it consumes
set transform-set SET
set pfs group5
match address ***
!
interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
interface FastEthernet1/0
ip address 202.1.1.1 255.255.255.0
duplex auto
speed auto
crypto map cisco
!
ip route 0.0.0.0 0.0.0.0 202.1.1.10
!
ip access-list extended ***
permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255

 

Internet:

interface FastEthernet1/0
ip address 202.1.1.10 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet1/1
ip address 64.1.1.10 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet2/0
ip address 123.1.1.10 255.255.255.0
duplex auto
speed auto

 

GW1:

crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco address 202.1.1.1
crypto isakmp keepalive 10 periodic //DPD
!
crypto ipsec transform-set SET esp-3des esp-md5-hmac
!
crypto map cisco 10 ipsec-isakmp
set peer 202.1.1.1
set security-association idle-time 1200
set transform-set SET
set pfs group5
set reverse-route tag 10 //static routes created by RRI are tagged 10
match address ***
reverse-route //when an IPsec SA is created, RRI injects a static route; without the static keyword only the remote side can initiate *** traffic
!    
interface FastEthernet1/0
ip address 64.1.1.1 255.255.255.0
duplex auto
speed auto
crypto map cisco
!
interface FastEthernet1/1
ip address 10.1.1.10 255.255.255.0
duplex auto
speed auto
!
router ospf 1
redistribute static subnets route-map ***-static-to-ospf //redistribute into Inside
network 10.1.1.0 0.0.0.255 area 0
!
ip route 0.0.0.0 0.0.0.0 64.1.1.10
!
ip access-list extended ***
permit ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255
!
route-map ***-static-to-ospf permit 10 //match the RRI-injected routes
match tag 10

 

GW2:

crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco address 202.1.1.1
crypto isakmp keepalive 10 periodic
!
crypto ipsec transform-set SET esp-3des esp-md5-hmac
!
crypto map cisco 10 ipsec-isakmp
set peer 202.1.1.1
set security-association idle-time 1200
set transform-set SET
set pfs group5
set reverse-route tag 10
match address ***
reverse-route
!      
interface FastEthernet1/0
ip address 123.1.1.1 255.255.255.0
duplex auto
speed auto
crypto map cisco
!
interface FastEthernet1/1
ip address 10.1.1.20 255.255.255.0
duplex auto
speed auto
!
router ospf 1
redistribute static subnets route-map ***-static-to-ospf
network 10.1.1.0 0.0.0.255 area 0
!
ip route 0.0.0.0 0.0.0.0 123.1.1.10
!
ip access-list extended ***
permit ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255
!
route-map ***-static-to-ospf permit 10
match tag 10

 

Inside:

interface Loopback0
ip address 2.2.2.2 255.255.255.0
!
interface FastEthernet1/0
ip address 10.1.1.1 255.255.255.0
duplex auto
speed auto
!
router ospf 1
network 2.2.2.0 0.0.0.255 area 0
network 10.1.1.0 0.0.0.255 area 0

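As an added example (not from the original post), the following Python script lints an IOS configuration for the HA features used above: DPD in periodic mode, the SA idle-time, a default peer on the branch, and on the gateways that reverse-route is enabled and that its tag is matched by the route-map OSPF redistributes statics through. The sample config and the name RRI-MAP are constructed; the post's ACL and route-map names are redacted.

```python
# Added example, not from the post: lint a Cisco IOS IPsec config for the HA features this lab
# relies on (DPD periodic, SA idle-time, default peer, RRI tag redistributed into OSPF). The
# page's '//' notes are stripped; "RRI-MAP" below stands in for the post's redacted name.
import re


def parse_blocks(config):
    """Split an IOS config into '!'-delimited blocks of stripped lines."""
    blocks, cur = [], []
    for raw in config.splitlines():
        line = raw.split("//")[0].strip()
        if line == "!":
            blocks, cur = blocks + ([cur] if cur else []), []
        elif line:
            cur.append(line)
    return blocks + ([cur] if cur else [])


def check_ha(config, role):
    """Return the HA problems found in a 'branch' or 'gateway' config ([] means OK)."""
    blocks = parse_blocks(config)
    flat = [l for b in blocks for l in b]
    problems = []
    if not any(re.fullmatch(r"crypto isakmp keepalive \d+( \d+)? periodic", l) for l in flat):
        problems.append("DPD keepalive not in periodic mode")
    for cm in (b for b in blocks if re.match(r"crypto map \S+ \d+ ipsec-isakmp$", b[0])):
        if not any(l.startswith("set security-association idle-time ") for l in cm):
            problems.append("no SA idle-time")
        if role == "branch" and not any(l.startswith("set peer ") and l.endswith(" default")
                                        for l in cm):
            problems.append("no default peer")
        if role == "gateway":
            if "reverse-route" not in cm:
                problems.append("reverse-route (RRI) missing")
            tag = next((l.split()[-1] for l in cm if l.startswith("set reverse-route tag ")), None)
            # The RRI tag must be matched by a route-map that OSPF redistributes statics through.
            rmaps = {b[0].split()[1] for b in blocks
                     if b[0].startswith("route-map ") and f"match tag {tag}" in b}
            used = {l.split("route-map ")[1] for l in flat
                    if l.startswith("redistribute static ") and "route-map " in l}
            if tag is None or not rmaps & used:
                problems.append("RRI tag not redistributed into OSPF via a matching route-map")
    return problems


# Constructed sample: GW1 from the lab with 'reverse-route' and the idle-time left out.
GW_SAMPLE = ("crypto isakmp keepalive 10 periodic\n!\ncrypto map cisco 10 ipsec-isakmp\n"
             "set peer 202.1.1.1\nset reverse-route tag 10\nmatch address RRI-MAP\n!\n"
             "router ospf 1\nredistribute static subnets route-map RRI-MAP\n!\n"
             "route-map RRI-MAP permit 10\nmatch tag 10\n")
```

Running check_ha(GW_SAMPLE, "gateway") reports the two omissions; pasting a full gateway config from the lab (with the redacted names filled in) returns an empty list.
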
Test:


Inside learns a route to the peer network 1.1.1.0/24 with next hop 10.1.1.10.

After GW1 goes down:


The switchover takes a relatively long time.


GW2 injects a static route via RRI.


Inside learns a route to the peer network 1.1.1.0/24 with next hop 10.1.1.20.
