Dual SVTI: the best solution for a high-availability VPN
1. Solution overview
This chapter describes a simple and practical high-availability IPsec design for an all-Cisco environment: two static virtual tunnel interfaces (SVTIs) from the headquarters router to two branch routers, with EIGRP providing load balancing across both tunnels and failover between them.
2. Topology
[Topology diagram: solution topology]
The diagram above is the wiring diagram for the high-availability site-to-site IPsec VPN. From left to right: the headquarters router (R1), the Internet router (R6), the branch master router (R2), the branch slave router (R3), and the company network; everything from R4 onward simulates the company's core network, with R5's loopbacks standing in for internal subnets.
The core of the design is to build two SVTI tunnels between headquarters and the branch, one to each branch router, and run EIGRP across the whole network; EIGRP was chosen for its fast convergence. The two tunnel subnets, 10.0.0.0/24 (Tunnel0, R1 to R2) and 10.0.1.0/24 (Tunnel1, R1 to R3), both run EIGRP, so the internal routes are learned with equal cost over both tunnels and traffic is load-balanced between them; if one branch router or its Internet link fails, EIGRP withdraws that path and all traffic uses the other. The routing protocol runs only inside the tunnels; towards the Internet each router has nothing but a static default route to R6. One very important characteristic here is that we use
3. Configuration
The complete running configurations from the lab follow. Two things to note before reading them: each `crypto isakmp policy 10` contains only `authentication pre-share`, so the ISAKMP encryption algorithm, hash and Diffie-Hellman group are the IOS defaults on this release (DES, SHA-1 and group 1); the transform set is `esp-3des esp-md5-hmac`; and the pre-shared key is the word `cisco` on every peer. That is enough to reproduce the failover behaviour in a lab, but these are not settings to carry into production.
R1#show run
Building configuration...
Current configuration : 1779 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
!
!
ip cef
no ip domain lookup
ip tcp synwait-time 5
!
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 26.26.26.2
crypto isakmp key cisco address 36.36.36.3
!
!
crypto ipsec transform-set mytrans esp-3des esp-md5-hmac
!
crypto ipsec profile ipsecprof
 set transform-set mytrans
!
!
!
!
!
interface Loopback1
 ip address 1.1.1.1 255.255.255.255
!
interface Loopback2
 ip address 1.1.2.1 255.255.255.255
!
interface Loopback3
 ip address 1.1.3.1 255.255.255.255
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 tunnel source 16.16.16.1
 tunnel destination 26.26.26.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ipsecprof
!
interface Tunnel1
 ip address 10.0.1.1 255.255.255.0
 tunnel source 16.16.16.1
 tunnel destination 36.36.36.3
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ipsecprof
!
interface FastEthernet0/0
 ip address 16.16.16.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet1/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
router eigrp 100
 network 1.1.1.0 0.0.0.255
 network 1.1.2.0 0.0.0.255
 network 1.1.3.0 0.0.0.255
 network 10.0.0.0 0.0.0.255
 network 10.0.1.0 0.0.0.255
 no auto-summary
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 16.16.16.6
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
!
end
R6#show run
Building configuration...
Current configuration : 877 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R6
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
!
!
ip cef
no ip domain lookup
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
interface FastEthernet0/0
 ip address 16.16.16.6 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet1/0
 ip address 26.26.26.6 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet2/0
 ip address 36.36.36.6 255.255.255.0
 duplex auto
 speed auto
!
no ip http server
no ip http secure-server
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
!
end
R2#show run
Building configuration...
Current configuration : 1316 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
!
!
ip cef
no ip domain lookup
!
!
ip tcp synwait-time 5
!
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 16.16.16.1
!
!
crypto ipsec transform-set mytrans esp-3des esp-md5-hmac
!
crypto ipsec profile ipsecprof
 set transform-set mytrans
!
!
!
!
!
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 tunnel source 26.26.26.2
 tunnel destination 16.16.16.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ipsecprof
!
interface FastEthernet0/0
 ip address 26.26.26.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet1/0
 ip address 24.24.24.2 255.255.255.0
 duplex auto
 speed auto
!
router eigrp 100
 network 10.0.0.0 0.0.0.255
 network 24.24.24.0 0.0.0.255
 no auto-summary
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 26.26.26.6
!
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
!
end
R3#show run
Building configuration...
Current configuration : 1316 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
!
!
ip cef
no ip domain lookup
ip tcp synwait-time 5
!
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 16.16.16.1
!
!
crypto ipsec transform-set mytrans esp-3des esp-md5-hmac
!
crypto ipsec profile ipsecprof
 set transform-set mytrans
!
!
!
!
!
interface Tunnel1
 ip address 10.0.1.2 255.255.255.0
 tunnel source 36.36.36.3
 tunnel destination 16.16.16.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ipsecprof
!
interface FastEthernet0/0
 ip address 36.36.36.3 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet1/0
 ip address 34.34.34.3 255.255.255.0
 duplex auto
 speed auto
!
router eigrp 100
 network 10.0.1.0 0.0.0.255
 network 34.34.34.0 0.0.0.255
 no auto-summary
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 36.36.36.6
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
!
end
R4#show run
Building configuration...
Current configuration : 1003 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R4
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
!
!
ip cef
no ip domain lookup
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
interface FastEthernet0/0
 ip address 24.24.24.4 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet1/0
 ip address 34.34.34.4 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet2/0
 ip address 45.45.45.4 255.255.255.0
 duplex auto
 speed auto
!
router eigrp 100
 network 24.24.24.0 0.0.0.255
 network 34.34.34.0 0.0.0.255
 network 45.45.45.0 0.0.0.255
 no auto-summary
!
no ip http server
no ip http secure-server
!
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
!
end
R5#show run
Building configuration...
Current configuration : 1018 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R5
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
!
!
ip cef
no ip domain lookup
!
!
!
ip tcp synwait-time 5
!
interface Loopback1
 ip address 2.2.1.2 255.255.255.255
!
interface Loopback2
 ip address 2.2.2.2 255.255.255.255
!
interface Loopback3
 ip address 2.2.3.2 255.255.255.255
!
interface FastEthernet0/0
 ip address 45.45.45.5 255.255.255.0
 duplex auto
 speed auto
!
router eigrp 100
 network 2.2.1.0 0.0.0.255
 network 2.2.2.0 0.0.0.255
 network 2.2.3.0 0.0.0.255
 network 45.45.45.0 0.0.0.255
 no auto-summary
!
no ip http server
no ip http secure-server
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
!
end
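The crypto settings above are the weak point of the design as captured: the ISAKMP policy names nothing but pre-shared authentication, so encryption, hash and Diffie-Hellman group fall back to the IOS defaults, the transform set is 3DES with MD5, and the key is the word `cisco` on every peer. What follows is an added example, not configuration from the original article: R1's crypto section with those settings replaced. It assumes an IOS release that supports AES-256, DH group 14 and the encrypted pre-shared key feature (12.4T-era images and later; on older images use `group 5` and check which algorithms your platform actually lists), and every string in angle brackets is a placeholder to be replaced with a long random secret. R2 and R3 need the mirror-image changes, each carrying only its own key, or phase 1 will not match.

```cisco
! R1 - hardened crypto for the dual-SVTI design
! (added example; assumes an IOS release with AES-256 / DH group 14 support)
!
! Lab settings, kept here for comparison:
!   crypto isakmp policy 10
!    authentication pre-share                      <- encryption/hash/group left at IOS defaults
!   crypto isakmp key cisco address 26.26.26.2
!   crypto isakmp key cisco address 36.36.36.3
!   crypto ipsec transform-set mytrans esp-3des esp-md5-hmac
!
! Store pre-shared keys encrypted (type 6) instead of in cleartext in "show run".
! <master-key> is a placeholder (assumption); it never appears in the config itself.
key config-key password-encrypt <master-key>
password encryption aes
!
! Phase 1: state every parameter explicitly so nothing falls back to a default
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 28800
!
! One key per branch router: a leaked R2 key must not also authenticate as R3.
! <...> are placeholders (assumption); use long random strings.
crypto isakmp key <R1-R2-shared-secret> address 26.26.26.2
crypto isakmp key <R1-R3-shared-secret> address 36.36.36.3
!
! Dead Peer Detection: probe an idle peer every 10 s, retry every 3 s, so the
! SA (and with it the SVTI line protocol) is torn down when a branch router
! dies instead of lingering until the SA lifetime expires. Configure it on
! R2 and R3 as well.
crypto isakmp keepalive 10 3 periodic
!
! Phase 2: AES-256 with SHA-1 HMAC in place of 3DES/MD5
crypto ipsec transform-set mytrans esp-aes 256 esp-sha-hmac
!
crypto ipsec profile ipsecprof
 set transform-set mytrans
 set pfs group14
 set security-association lifetime seconds 3600
!
! Tunnel0 and Tunnel1 are unchanged: both keep
!  tunnel mode ipsec ipv4
!  tunnel protection ipsec profile ipsecprof
! so editing the one profile re-keys both SVTIs.
```

After applying this on all three VPN routers, `show crypto isakmp sa` should list one QM_IDLE SA per peer and `show crypto ipsec sa` should report `transform: esp-aes 256 esp-sha-hmac` on both tunnel interfaces; if a peer still shows the old transform, its side of the change was not applied and the mismatched proposal is the reason phase 2 fails.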
4. Testing
R1 should show two equal-cost EIGRP routes to each internal network, one per tunnel, and load-balance across them:
R1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 16.16.16.6 to network 0.0.0.0

     34.0.0.0/24 is subnetted, 1 subnets
D       34.34.34.0 [90/297246976] via 10.0.1.2, 00:33:52, Tunnel1
     16.0.0.0/24 is subnetted, 1 subnets
C       16.16.16.0 is directly connected, FastEthernet0/0
     1.0.0.0/32 is subnetted, 3 subnets
C       1.1.1.1 is directly connected, Loopback1
C       1.1.3.1 is directly connected, Loopback3
C       1.1.2.1 is directly connected, Loopback2
     2.0.0.0/32 is subnetted, 3 subnets
D       2.2.2.2 [90/297377536] via 10.0.1.2, 00:33:53, Tunnel1
                [90/297377536] via 10.0.0.2, 00:33:53, Tunnel0
D       2.2.3.2 [90/297377536] via 10.0.1.2, 00:33:53, Tunnel1
                [90/297377536] via 10.0.0.2, 00:33:53, Tunnel0
D       2.2.1.2 [90/297377536] via 10.0.1.2, 00:33:54, Tunnel1
                [90/297377536] via 10.0.0.2, 00:33:54, Tunnel0
     24.0.0.0/24 is subnetted, 1 subnets
D       24.24.24.0 [90/297246976] via 10.0.0.2, 00:33:54, Tunnel0
     10.0.0.0/24 is subnetted, 2 subnets
C       10.0.0.0 is directly connected, Tunnel0
C       10.0.1.0 is directly connected, Tunnel1
     45.0.0.0/24 is subnetted, 1 subnets
D       45.45.45.0 [90/297249536] via 10.0.1.2, 00:33:54, Tunnel1
                   [90/297249536] via 10.0.0.2, 00:33:54, Tunnel0
S*   0.0.0.0/0 [1/0] via 16.16.16.6
R1#
R1#traceroute 2.2.2.2 source loopback 1
Type escape sequence to abort.
Tracing the route to 2.2.2.2
  1 10.0.0.2 44 msec
    10.0.1.2 44 msec
    10.0.0.2 36 msec
  2 34.34.34.4 40 msec
    24.24.24.4 60 msec
    34.34.34.4 36 msec
  3 45.45.45.5 76 msec 68 msec 60 msec
Now shut down R2's f0/0 (its Internet-facing interface, the source of Tunnel0) and observe:
R1#traceroute 2.2.2.2 source loopback 1
Type escape sequence to abort.
Tracing the route to 2.2.2.2
  1 10.0.1.2 52 msec 40 msec 20 msec
  2 34.34.34.4 44 msec 68 msec 32 msec
  3 45.45.45.5 96 msec 88 msec 60 msec
R1#
Traffic switches straight over to the backup path through R3 (34.34.34.4), with no manual intervention.
*Mar  1 01:57:06.051: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 10.0.0.2(Tunnel0) is up: new adjacency
When R2 is brought back, the EIGRP adjacency over Tunnel0 re-forms (the log line above); looking again:
R1#traceroute 2.2.2.2 source loopback 1
Type escape sequence to abort.
Tracing the route to 2.2.2.2
  1 10.0.1.2 44 msec
    10.0.0.2 60 msec
    10.0.1.2 40 msec
  2 24.24.24.4 60 msec
    34.34.34.4 56 msec
    24.24.24.4 40 msec
  3 45.45.45.5 44 msec 88 msec 60 msec
R1#
The links are back in the load-balanced state.
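The failover in the test above works, but how long it takes is decided by EIGRP's hold timer on the tunnel interfaces, because an SVTI's line protocol does not drop the moment the far end disappears; it stays up until the IPsec SA is removed, so routing, not interface state, drives the switch-over. The following is an added example, not part of the original article, showing the per-tunnel tuning a practitioner would add on R1 (with the matching commands on R2's Tunnel0 and R3's Tunnel1): tighter EIGRP timers, an explicit and equal `bandwidth` on both tunnels so they stay equal-cost and EIGRP's update pacing is not throttled by the tunnel default, MTU/MSS clamping for the ESP overhead, and EIGRP authentication as defence in depth. The key chain name and key string are placeholders (assumptions), and the timer values are a starting point to be tested on the real WAN.

```cisco
! R1 - faster failover and routing-plane hardening on the two SVTIs
! (added example; not from the lab configuration)
!
! Shared EIGRP key; <...> is a placeholder (assumption), identical on every EIGRP router
key chain EIGRP-KEYS
 key 1
  key-string <eigrp-shared-secret>
!
interface Tunnel0
 description HQ -> branch master R2 (26.26.26.2)
 ip address 10.0.0.1 255.255.255.0
 ! Equal, explicit bandwidth on both tunnels keeps the two paths equal-cost
 ! and stops EIGRP pacing itself to 50% of the 9 kbit/s tunnel default
 bandwidth 10000
 ! 1 s hello / 3 s hold: a dead R2 is withdrawn in about 3 s instead of the default hold time
 ip hello-interval eigrp 100 1
 ip hold-time eigrp 100 3
 ! EIGRP MD5 authentication; defence in depth, the hellos already ride inside ESP
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 EIGRP-KEYS
 ! Leave room for the ESP/tunnel overhead so 1500-byte LAN packets are not fragmented
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 16.16.16.1
 tunnel destination 26.26.26.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ipsecprof
!
interface Tunnel1
 description HQ -> branch slave R3 (36.36.36.3)
 ip address 10.0.1.1 255.255.255.0
 bandwidth 10000
 ip hello-interval eigrp 100 1
 ip hold-time eigrp 100 3
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 EIGRP-KEYS
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 16.16.16.1
 tunnel destination 36.36.36.3
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ipsecprof
!
! R2 Tunnel0 and R3 Tunnel1 get the same bandwidth, timers, authentication
! and MTU settings; mismatched EIGRP timers or keys break the adjacency.
```

Verify with `show ip eigrp neighbors` (the hold column now counts down from 3), `show ip route 2.2.2.2` (still two next hops) and `show crypto session` (both peers UP-ACTIVE). Repeating the f0/0 shutdown on R2, the Tunnel0 routes should disappear within the hold time, and where ISAKMP keepalives (DPD) are configured the stale SA is cleared afterwards so that `show crypto session` also reflects the failure.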
==============================================================================================================
5. Encryption and decryption counters
`show crypto ipsec sa` on R1 shows an active inbound and outbound ESP SA on each tunnel interface, with non-zero encaps/decaps counters on both, so both paths are carrying encrypted traffic. Note that the local and remote identities are 0.0.0.0/0 on every SA: with an SVTI there is no crypto ACL, everything the routing table sends into the Tunnel interface is encrypted, so the EIGRP-learned routes define what crosses the VPN.
R1#show crypto ipsec sa
interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 16.16.16.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 26.26.26.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 892, #pkts encrypt: 892, #pkts digest: 892
    #pkts decaps: 770, #pkts decrypt: 770, #pkts verify: 770
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 16.16.16.1, remote crypto endpt.: 26.26.26.2
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xCF74CA99(3480537753)

     inbound esp sas:
      spi: 0x42A925C7(1118381511)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: SW:2, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4553001/279)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xCF74CA99(3480537753)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2003, flow_id: SW:3, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4552992/265)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
interface: Tunnel1
    Crypto map tag: Tunnel1-head-0, local addr 16.16.16.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 36.36.36.3 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1188, #pkts encrypt: 1188, #pkts digest: 1188
    #pkts decaps: 1317, #pkts decrypt: 1317, #pkts verify: 1317
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 16.16.16.1, remote crypto endpt.: 36.36.36.3
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x7C3B9CEE(2084281582)

     inbound esp sas:
      spi: 0x2F87FB44(797440836)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2004, flow_id: SW:4, crypto map: Tunnel1-head-0
        sa timing: remaining key lifetime (k/sec): (4482892/1480)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x7C3B9CEE(2084281582)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: SW:1, crypto map: Tunnel1-head-0
        sa timing: remaining key lifetime (k/sec): (4482892/1478)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas: