Goal of the lab:
When GW1 goes down, VPN traffic automatically switches over to GW2 to reach Inside.
Techniques used:
1. RRI (Reverse Route Injection)
2. DPD (Dead Peer Detection)
3. Default peer
4. IPsec SA idle-time (SA timeout)
Configuration of the remote site router (202.1.1.1):
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 64.1.1.1      // peer GW1
crypto isakmp key cisco address 123.1.1.1     // peer GW2
crypto isakmp keepalive 10 periodic           // DPD in periodic mode, every 10 s
!
crypto ipsec transform-set SET esp-3des esp-md5-hmac
!
crypto map cisco 10 ipsec-isakmp
 set peer 64.1.1.1 default                    // primary peer
 set peer 123.1.1.1                           // backup peer
 set security-association idle-time 1200      // after 20 minutes without VPN traffic the IPsec SA is cleared, freeing the memory it consumes
 set transform-set SET
 set pfs group5
 match address ***
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface FastEthernet1/0
 ip address 202.1.1.1 255.255.255.0
 duplex auto
 speed auto
 crypto map cisco
!
ip route 0.0.0.0 0.0.0.0 202.1.1.10
!
ip access-list extended ***
 permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
Internet:
interface FastEthernet1/0
 ip address 202.1.1.10 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet1/1
 ip address 64.1.1.10 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet2/0
 ip address 123.1.1.10 255.255.255.0
 duplex auto
 speed auto
GW1:
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 202.1.1.1
crypto isakmp keepalive 10 periodic           // DPD
!
crypto ipsec transform-set SET esp-3des esp-md5-hmac
!
crypto map cisco 10 ipsec-isakmp
 set peer 202.1.1.1
 set security-association idle-time 1200
 set transform-set SET
 set pfs group5
 set reverse-route tag 10                     // tag the static routes injected by RRI with 10
 match address ***
 reverse-route                                // when an IPsec SA comes up, RRI injects a static route; without the static keyword the route exists only while the SA does, so only the remote side can initiate VPN traffic
!
interface FastEthernet1/0
 ip address 64.1.1.1 255.255.255.0
 duplex auto
 speed auto
 crypto map cisco
!
interface FastEthernet1/1
 ip address 10.1.1.10 255.255.255.0
 duplex auto
 speed auto
!
router ospf 1
 redistribute static subnets route-map ***-static-to-ospf   // redistribute into Inside
 network 10.1.1.0 0.0.0.255 area 0
!
ip route 0.0.0.0 0.0.0.0 64.1.1.10
!
ip access-list extended ***
 permit ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255
!
route-map ***-static-to-ospf permit 10        // match the reverse-injected routes
 match tag 10
GW2:
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 202.1.1.1
crypto isakmp keepalive 10 periodic
!
crypto ipsec transform-set SET esp-3des esp-md5-hmac
!
crypto map cisco 10 ipsec-isakmp
 set peer 202.1.1.1
 set security-association idle-time 1200
 set transform-set SET
 set pfs group5
 set reverse-route tag 10
 match address ***
 reverse-route
!
interface FastEthernet1/0
 ip address 123.1.1.1 255.255.255.0
 duplex auto
 speed auto
 crypto map cisco
!
interface FastEthernet1/1
 ip address 10.1.1.20 255.255.255.0
 duplex auto
 speed auto
!
router ospf 1
 redistribute static subnets route-map ***-static-to-ospf
 network 10.1.1.0 0.0.0.255 area 0
!
ip route 0.0.0.0 0.0.0.0 123.1.1.10
!
ip access-list extended ***
 permit ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255
!
route-map ***-static-to-ospf permit 10
 match tag 10
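The failover only works if every ingredient is present on the right box: two peers and a default peer, periodic DPD and an idle timer on the site router; reverse-route, a tag, and a route-map that matches that tag on each gateway; and crypto ACLs that mirror each other. The following audit script is an added example, not code from the original post. It parses condensed copies of the site-router and GW1 configs above (constructed here, with the censored ACL and route-map name `***` replaced by the placeholder `VPN_ACL`) and reports what is missing.

```python
"""Audit the high-availability settings of the IOS crypto configs above.

Added example, not code from the original post. The censored name '***' is
replaced by the placeholder VPN_ACL; the two configs are condensed copies of
the site router and GW1 configs, constructed as sample input."""
import re

SITE_CFG = """
crypto isakmp key cisco address 64.1.1.1
crypto isakmp key cisco address 123.1.1.1
crypto isakmp keepalive 10 periodic
crypto map cisco 10 ipsec-isakmp
 set peer 64.1.1.1 default
 set peer 123.1.1.1
 set security-association idle-time 1200
 match address VPN_ACL
ip access-list extended VPN_ACL
 permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
"""

GW1_CFG = """
crypto isakmp keepalive 10 periodic
crypto map cisco 10 ipsec-isakmp
 set peer 202.1.1.1
 set security-association idle-time 1200
 set reverse-route tag 10
 match address VPN_ACL
 reverse-route
router ospf 1
 redistribute static subnets route-map VPN_ACL-static-to-ospf
ip access-list extended VPN_ACL
 permit ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255
route-map VPN_ACL-static-to-ospf permit 10
 match tag 10
"""


def blocks(cfg):
    """Split IOS config into (top-level line, [indented sub-lines]) pairs."""
    out = []
    for line in cfg.splitlines():
        if not line.strip():
            continue
        if line.startswith(" "):
            out[-1][1].append(line.strip())
        else:
            out.append((line.strip(), []))
    return out


def find(cfg, prefix):
    """Header and body of the first block whose header starts with prefix."""
    for header, body in blocks(cfg):
        if header.startswith(prefix):
            return header, body
    return None, []


def crypto_map(cfg):
    """Extract the HA-relevant settings of the first crypto map entry."""
    _, body = find(cfg, "crypto map ")
    info = {"peers": [], "default_peer": None, "idle_time": None,
            "reverse_route": False, "rri_tag": None, "acl": None}
    for line in body:
        m = re.match(r"set peer (\S+)( default)?$", line)
        if m:
            info["peers"].append(m.group(1))
            if m.group(2):
                info["default_peer"] = m.group(1)
        elif m := re.match(r"set security-association idle-time (\d+)", line):
            info["idle_time"] = int(m.group(1))
        elif m := re.match(r"set reverse-route tag (\d+)", line):
            info["rri_tag"] = int(m.group(1))
        elif line == "reverse-route":
            info["reverse_route"] = True
        elif m := re.match(r"match address (\S+)", line):
            info["acl"] = m.group(1)
    return info


def dpd_mode(cfg):
    """(interval, mode) from 'crypto isakmp keepalive'; IOS defaults to on-demand."""
    for header, _ in blocks(cfg):
        m = re.match(r"crypto isakmp keepalive (\d+)(?: (\d+))?(?: (periodic|on-demand))?", header)
        if m:
            return int(m.group(1)), m.group(3) or "on-demand"
    return None


def acl_entries(cfg, name):
    """[((src, wildcard), (dst, wildcard)), ...] for an extended ACL."""
    _, body = find(cfg, f"ip access-list extended {name}")
    entries = []
    for line in body:
        m = re.match(r"permit ip (\S+) (\S+) (\S+) (\S+)", line)
        if m:
            entries.append(((m.group(1), m.group(2)), (m.group(3), m.group(4))))
    return entries


def acls_mirror(local, remote):
    """Every local (src, dst) must appear on the remote side as (dst, src)."""
    return len(local) == len(remote) and all((d, s) in remote for s, d in local)


def audit_site(cfg):
    """Site side: two peers, a default peer, periodic DPD, an idle timer."""
    cm, dpd, findings = crypto_map(cfg), dpd_mode(cfg), []
    if len(cm["peers"]) < 2:
        findings.append("only one peer: no failover target")
    if cm["default_peer"] is None:
        findings.append("no default peer: after failover the router stays on the backup")
    if dpd is None or dpd[1] != "periodic":
        findings.append("DPD not periodic: a dead peer is only noticed when traffic is pending")
    if cm["idle_time"] is None:
        findings.append("no idle-time: stale SAs linger until the lifetime expires")
    return findings


def audit_gateway(cfg):
    """Hub side: RRI enabled, tagged, and the tag matched by the route-map."""
    cm, findings = crypto_map(cfg), []
    if not cm["reverse_route"]:
        findings.append("reverse-route missing: Inside never learns a route to the remote LAN")
    _, rmap = find(cfg, "route-map ")
    tags = [int(t) for line in rmap for t in re.findall(r"match tag (\d+)", line)]
    if cm["rri_tag"] is None or cm["rri_tag"] not in tags:
        findings.append("RRI tag is not matched by the redistribution route-map")
    return findings


if __name__ == "__main__":
    print(audit_site(SITE_CFG), audit_gateway(GW1_CFG))
    print("ACLs mirror:", acls_mirror(acl_entries(SITE_CFG, "VPN_ACL"),
                                      acl_entries(GW1_CFG, "VPN_ACL")))
```

Run it against GW2 as well by pasting that config into a second string; the same `audit_gateway` applies. The mirror check matters because a crypto ACL that does not reverse the peer's exactly leaves the tunnel up but passing nothing, which looks like a failed failover in the test below.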
Inside:
interface Loopback0
 ip address 2.2.2.2 255.255.255.0
!
interface FastEthernet1/0
 ip address 10.1.1.1 255.255.255.0
 duplex auto
 speed auto
!
router ospf 1
 network 2.2.2.0 0.0.0.255 area 0
 network 10.1.1.0 0.0.0.255 area 0
Test:
Inside learns a route to the peer network 1.1.1.0/24 with next hop 10.1.1.10.
After GW1 goes down:
The switchover takes a fairly long time (DPD must first declare GW1 dead, and only then are IKE and IPsec renegotiated with GW2).
GW2 reverse-injects a static route.
Inside learns a route to the peer network 1.1.1.0/24 with next hop 10.1.1.20.
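To see where the switchover time comes from, and why the site returns to GW1 only after the idle timer has cleared the SA with GW2, the following event model is an added example (not code from the original post). The DPD interval (10 s) and idle-time (1200 s) are the page's values; the DPD retry interval (2 s), the retry count (5) and the negotiation time (3 s) are assumed, standing in for IOS defaults and tunnel setup time.

```python
"""Event-level model of the failover exercised in the test above.

Added example, not code from the original post. DPD_INTERVAL and IDLE_TIME
come from the configs; DPD_RETRY, DPD_RETRIES and NEGOTIATION are assumed."""
from dataclasses import dataclass, field
from typing import Optional

DPD_INTERVAL = 10   # crypto isakmp keepalive 10 periodic (from the page)
DPD_RETRY = 2       # assumed: seconds between R-U-THERE retransmissions
DPD_RETRIES = 5     # assumed: retransmissions before the peer is declared dead
IDLE_TIME = 1200    # set security-association idle-time 1200 (from the page)
NEGOTIATION = 3     # assumed: seconds for IKE phase 1 + phase 2 with a live peer


@dataclass
class Gateway:
    name: str
    wan: str
    lan: str                          # address on 10.1.1.0/24, Inside's next hop
    up: bool = True
    rri_route: Optional[str] = None   # static route injected by RRI (tag 10)


@dataclass
class Site:
    peers: list                       # crypto-map order: default peer first
    active: Optional[str] = None
    log: list = field(default_factory=list)


def dpd_detection_delay():
    """Worst case from silent failure to 'peer dead': a full periodic
    interval plus the whole retry window."""
    return DPD_INTERVAL + DPD_RETRY * DPD_RETRIES


def negotiate(site, gws, now):
    """Try peers in crypto-map order; with 'set peer ... default' the primary
    is tried first whenever a fresh SA is needed. Returns the gateway used."""
    for addr in site.peers:
        gw = gws[addr]
        if gw.up:
            site.active = addr
            gw.rri_route = "1.1.1.0/24"   # RRI: the route appears together with the SA
            site.log.append((now + NEGOTIATION, f"SA up with {gw.name}"))
            return gw
    site.log.append((now, "no peer reachable"))
    return None


def tear_down(site, gws, now, why):
    """Deleting the SA also withdraws the RRI route (no 'static' keyword)."""
    if site.active:
        gws[site.active].rri_route = None
        site.log.append((now, f"SA with {gws[site.active].name} deleted: {why}"))
        site.active = None


def inside_next_hops(gws):
    """Inside sees the tagged static routes through 'redistribute static
    route-map ... match tag 10' on whichever gateway holds the SA."""
    return sorted(gw.lan for gw in gws.values() if gw.up and gw.rri_route)


def run_scenario():
    """[(time, next hops Inside has for 1.1.1.0/24)] at each change."""
    gws = {"64.1.1.1": Gateway("GW1", "64.1.1.1", "10.1.1.10"),
           "123.1.1.1": Gateway("GW2", "123.1.1.1", "10.1.1.20")}
    site = Site(peers=["64.1.1.1", "123.1.1.1"])
    timeline = []

    negotiate(site, gws, 0)                       # first interesting packet
    timeline.append((NEGOTIATION, inside_next_hops(gws)))

    t_fail = 100                                  # GW1 dies silently
    gws["64.1.1.1"].up = False
    gws["64.1.1.1"].rri_route = None
    t_dead = t_fail + dpd_detection_delay()
    tear_down(site, gws, t_dead, "DPD timeout")
    negotiate(site, gws, t_dead)                  # crypto map moves on to GW2
    timeline.append((t_dead + NEGOTIATION, inside_next_hops(gws)))

    gws["64.1.1.1"].up = True                     # GW1 is back at t=200 ...
    # ... but the site keeps using GW2 while that SA lives. Only the idle timer
    # (or the SA lifetime) ends it; the next negotiation prefers the default peer.
    t_idle = 300 + IDLE_TIME                      # last VPN packet at t=300
    tear_down(site, gws, t_idle, "idle-time expired")
    negotiate(site, gws, t_idle + 1)
    timeline.append((t_idle + 1 + NEGOTIATION, inside_next_hops(gws)))
    return timeline


if __name__ == "__main__":
    for t, hops in run_scenario():
        print(f"t={t:5d}s  Inside next hop(s) for 1.1.1.0/24: {hops}")
```

With these numbers the first packets flow via GW2 about 23 s after GW1 dies, and the site only returns to GW1 once 1200 s without VPN traffic have cleared the GW2 SA; without the `default` keyword the site would keep renegotiating with GW2 indefinitely.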