In this example we configure a fault-tolerant site-to-site IPsec VPN with the VRRP protocol between a company's head office and its branch office.
Routers AR1, AR2 and AR3 are located in the head office and AR4 in the branch. We will build the IPsec VPN tunnel to the virtual IP address of the active router of the VRRP group. In this example AR2 will be the active router; if anything happens to it, the tunnel will automatically fail over to the backup router of the VRRP group (AR3). Let's move on to the configuration.
1. Assign IP addresses to the interfaces:
AR1
interface GigabitEthernet0/0/2
ip address 192.168.1.1 255.255.255.0
interface GigabitEthernet0/0/0
ip address 1.1.2.1 255.255.255.0
interface GigabitEthernet0/0/1
ip address 1.1.3.1 255.255.255.0
AR2
interface GigabitEthernet0/0/0
ip address 1.1.2.2 255.255.255.0
interface GigabitEthernet0/0/1
ip address 1.1.1.2 255.255.255.0
AR3
interface GigabitEthernet0/0/1
ip address 1.1.3.3 255.255.255.0
interface GigabitEthernet0/0/2
ip address 1.1.1.3 255.255.255.0
AR4
interface GigabitEthernet0/0/0
ip address 1.1.1.4 255.255.255.0
interface GigabitEthernet0/0/1
ip address 192.168.2.1 255.255.255.0
2. Configure VRRP between routers AR2 and AR3. AR2 will act as the master (active) router and AR3 as the backup. The virtual IP address 1.1.1.1 will be used to establish the tunnel with AR4.
AR2
interface GigabitEthernet0/0/1
vrrp vrid 1 virtual-ip 1.1.1.1
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 20
AR3
interface GigabitEthernet0/0/2
vrrp vrid 1 virtual-ip 1.1.1.1
vrrp vrid 1 priority 90
Now let's verify that VRRP is working correctly:
[AR2] display vrrp brief
Total:1 Master:1 Backup:0 Non-active:0
VRID State Interface Type Virtual IP
----------------------------------------------------------------
1 Master GE0/0/1 Normal 1.1.1.1
[AR3] display vrrp brief
Total:1 Master:0 Backup:1 Non-active:0
VRID State Interface Type Virtual IP
----------------------------------------------------------------
1 Backup GE0/0/2 Normal 1.1.1.1
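The two `display vrrp brief` outputs above are what an operator reads by eye; a monitoring job should read them the same way and alarm when the group is not in the expected state. The following Python script is an added example (not part of the original article or of Huawei's software): it parses the table rows, cross-checks one VRID across both routers (exactly one Master, the rest Backup, a single virtual IP) and is also run against a constructed split-brain sample in which both routers claim Master, the state you get when the link carrying VRRP advertisements between AR2 and AR3 is lost while both routers stay up. The sample outputs are copied from the page; the split-brain variant is constructed.

```python
import re
from typing import Dict, List

# Constructed samples: the two "display vrrp brief" outputs shown above, keyed by router.
VRRP_BRIEF = {
    "AR2": """\
Total:1 Master:1 Backup:0 Non-active:0
VRID State Interface Type Virtual IP
----------------------------------------------------------------
1 Master GE0/0/1 Normal 1.1.1.1
""",
    "AR3": """\
Total:1 Master:0 Backup:1 Non-active:0
VRID State Interface Type Virtual IP
----------------------------------------------------------------
1 Backup GE0/0/2 Normal 1.1.1.1
""",
}

# Constructed failure case: both routers report Master for VRID 1.
SPLIT_BRAIN = {
    "AR2": VRRP_BRIEF["AR2"],
    "AR3": VRRP_BRIEF["AR3"]
    .replace("Master:0 Backup:1", "Master:1 Backup:0")
    .replace("1 Backup GE0/0/2", "1 Master GE0/0/2"),
}

# One data row of the table: VRID, State, Interface, Type, Virtual IP
ROW_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})$")


def parse_vrrp_brief(text: str) -> List[dict]:
    """Return the data rows of 'display vrrp brief' as dicts; header, summary and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            vrid, state, iface, kind, vip = m.groups()
            rows.append({"vrid": int(vrid), "state": state, "interface": iface, "type": kind, "vip": vip})
    return rows


def check_vrrp_group(outputs: Dict[str, str], vrid: int) -> dict:
    """Cross-check one VRID across routers: exactly one Master, the rest Backup, one virtual IP."""
    masters: List[str] = []
    backups: List[str] = []
    vips = set()
    problems: List[str] = []
    for router, text in outputs.items():
        rows = [r for r in parse_vrrp_brief(text) if r["vrid"] == vrid]
        if not rows:
            problems.append(f"{router}: VRID {vrid} not present")
            continue
        row = rows[0]
        vips.add(row["vip"])
        if row["state"] == "Master":
            masters.append(router)
        elif row["state"] == "Backup":
            backups.append(router)
        else:
            problems.append(f"{router}: VRID {vrid} is in state {row['state']}")
    if len(masters) != 1:
        problems.append(f"VRID {vrid}: expected exactly one Master, found {masters or 'none'}")
    if len(vips) > 1:
        problems.append(f"VRID {vrid}: virtual IP mismatch {sorted(vips)}")
    return {
        "master": masters[0] if len(masters) == 1 else None,
        "backups": sorted(backups),
        "vip": vips.pop() if len(vips) == 1 else None,
        "problems": problems,
    }


if __name__ == "__main__":
    for name, sample in (("normal", VRRP_BRIEF), ("split-brain", SPLIT_BRAIN)):
        print(name, check_vrrp_group(sample, 1))
```

The split-brain case matters for this design specifically: if both AR2 and AR3 answer for 1.1.1.1 at the same time, AR4's IKE negotiation can land on either router while the return traffic takes the other, so "two Masters" should be treated as an outage, not as redundancy.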
3. Configure routing. OSPF runs between the head-office routers; the static routes to the branch network 192.168.2.0/24 on AR2 and AR3 are redistributed into OSPF (import-route static), and the interface costs (1 towards AR2, 10 towards AR3) make AR1 prefer the path through AR2.
AR1
ospf 1
area 0
network 1.1.2.0 0.0.0.255
network 1.1.3.0 0.0.0.255
network 192.168.1.0 0.0.0.255
interface GigabitEthernet0/0/0
ospf cost 1
interface GigabitEthernet0/0/1
ospf cost 10
AR2
ospf 1
import-route static
area 0
network 1.1.2.0 0.0.0.255
network 1.1.1.0 0.0.0.255
interface GigabitEthernet0/0/0
ospf cost 1
ip route-static 192.168.2.0 255.255.255.0 1.1.1.4
AR3
ospf 1
import-route static
area 0
network 1.1.3.0 0.0.0.255
network 1.1.1.0 0.0.0.255
interface GigabitEthernet0/0/1
ospf cost 10
ip route-static 192.168.2.0 255.255.255.0 1.1.1.4
AR4
ip route-static 192.168.1.0 255.255.255.0 1.1.1.1
Let's check the routing table on AR1:
[AR1] display ip routing-table | exclude Direct
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 16 Routes : 16
Destination/Mask Proto Pre Cost Flags NextHop Interface
1.1.1.0/24 OSPF 10 2 D 1.1.2.2 GigabitEthernet0/0/0
1.1.1.1/32 OSPF 10 2 D 1.1.2.2 GigabitEthernet0/0/0
192.168.2.0/24 O_ASE 150 1 D 1.1.2.2 GigabitEthernet0/0/0
As we can see, network 192.168.2.0 is reachable via router AR2.
4. Now let's configure IPsec.
a. Define the traffic to be protected (ACL 3000):
AR2
acl 3000
rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
AR3
acl 3000
rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
AR4
acl 3000
rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
b. IPsec proposal (ESP transform set):
AR2
ipsec proposal tran1
encapsulation-mode tunnel
transform esp
esp authentication-algorithm sha1
esp encryption-algorithm 3des
AR3
ipsec proposal tran1
encapsulation-mode tunnel
transform esp
esp authentication-algorithm sha1
esp encryption-algorithm 3des
AR4
ipsec proposal tran1
encapsulation-mode tunnel
transform esp
esp authentication-algorithm sha1
esp encryption-algorithm 3des
c. IKE proposal:
AR2
ike proposal 1
encryption-algorithm 3des-cbc
authentication-algorithm sha1
dh group2
sa duration 86400
AR3
ike proposal 1
encryption-algorithm 3des-cbc
authentication-algorithm sha1
dh group2
sa duration 86400
AR4
ike proposal 1
encryption-algorithm 3des-cbc
authentication-algorithm sha1
dh group2
sa duration 86400
d. IKE peers (IKEv1 with a pre-shared key; on AR2 and AR3 the local address is the VRRP virtual IP 1.1.1.1):
AR2
ike peer 1.1.1.4 V1
ike-proposal 1
pre-shared-key cipher huawei
local-address 1.1.1.1
remote-address 1.1.1.4
AR3
ike peer 1.1.1.4 V1
ike-proposal 1
pre-shared-key cipher huawei
local-address 1.1.1.1
remote-address 1.1.1.4
AR4
ike peer 1.1.1.1 V1
ike-proposal 1
pre-shared-key cipher huawei
remote-address 1.1.1.1
e. IPsec policy and its binding to the interface:
AR2
ipsec policy map1 1 isakmp
ike-peer 1.1.1.4
proposal tran1
security acl 3000
interface GigabitEthernet0/0/1
ipsec policy map1
AR3
ipsec policy map1 1 isakmp
ike-peer 1.1.1.4
proposal tran1
security acl 3000
interface GigabitEthernet0/0/2
ipsec policy map1
AR4
ipsec policy map1 1 isakmp
ike-peer 1.1.1.1
proposal tran1
security acl 3000
interface GigabitEthernet0/0/0
ipsec policy map1
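The proposals above (3DES, SHA-1, DH group 2, IKEv1, a six-character pre-shared key) are lab values; the same steps work unchanged with current algorithms, and the algorithm choice is the first thing a reviewer will look at in this configuration. The following Python script is an added example, not part of the original article: it audits the proposal and peer lines from the page against the algorithm guidance of RFC 8247 and the IKEv1 deprecation in RFC 9395, and compares them with a constructed hardened variant. The severity labels, the 20-character pre-shared-key minimum and the hardened keyword spellings (aes-256, sha2-256, group14, v2) are this example's assumptions; confirm the exact keywords in the command reference of your VRP release.

```python
from collections import Counter
from typing import List, Tuple

# Constructed from the IKE/IPsec proposal and IKE peer lines configured above
# (the same values are used on AR2, AR3 and AR4; the AR2 copy is shown).
PEER_CONFIG = """\
ipsec proposal tran1
 encapsulation-mode tunnel
 transform esp
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
ike proposal 1
 encryption-algorithm 3des-cbc
 authentication-algorithm sha1
 dh group2
 sa duration 86400
ike peer 1.1.1.4 V1
 ike-proposal 1
 pre-shared-key cipher huawei
 local-address 1.1.1.1
 remote-address 1.1.1.4
"""

# Constructed hardened variant. Keyword spellings are assumed; the PSK is a placeholder.
HARDENED_CONFIG = """\
ipsec proposal tran1
 encapsulation-mode tunnel
 transform esp
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
ike proposal 1
 encryption-algorithm aes-256
 authentication-algorithm sha2-256
 dh group14
 sa duration 86400
ike peer 1.1.1.4 v2
 ike-proposal 1
 pre-shared-key cipher <long-random-psk-placeholder>
 local-address 1.1.1.1
 remote-address 1.1.1.4
"""

# Legacy algorithm keywords. References: RFC 8247 (IKEv2 algorithm requirements).
# Severity labels are this script's own convention.
LEGACY_ALGOS = {
    "des":      ("high",   "single DES (RFC 8247: MUST NOT)"),
    "3des":     ("high",   "3DES, 64-bit block cipher (Sweet32; RFC 8247: SHOULD NOT)"),
    "3des-cbc": ("high",   "3DES-CBC, 64-bit block cipher (Sweet32; RFC 8247: SHOULD NOT)"),
    "md5":      ("high",   "HMAC-MD5 (RFC 8247: MUST NOT)"),
    "sha1":     ("medium", "HMAC-SHA-1, being phased out (RFC 8247: MUST-); prefer SHA-2"),
    "group1":   ("high",   "DH group 1, 768-bit MODP (RFC 8247: MUST NOT)"),
    "group2":   ("medium", "DH group 2, 1024-bit MODP (RFC 8247: SHOULD NOT); prefer group 14 or stronger"),
}
MIN_PSK_LEN = 20  # assumed local policy minimum, not a VRP or RFC requirement

Finding = Tuple[str, str, str]  # (severity, config line, message)


def audit_ipsec_config(config: str) -> List[Finding]:
    """Flag legacy algorithms, IKEv1 and short pre-shared keys in a VRP-style IKE/IPsec config."""
    findings: List[Finding] = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        tokens = line.split()
        last = tokens[-1].lower()
        # "... authentication-algorithm sha1", "encryption-algorithm 3des-cbc", "dh group2"
        if ("algorithm" in line or tokens[0] == "dh") and last in LEGACY_ALGOS:
            sev, msg = LEGACY_ALGOS[last]
            findings.append((sev, line, msg))
        # "ike peer <name> V1": IKE version is the last token
        elif tokens[:2] == ["ike", "peer"] and last == "v1":
            findings.append(("high", line, "IKEv1 is deprecated (RFC 9395); use IKEv2"))
        # "pre-shared-key cipher <key>": the key is the last token
        elif tokens[0] == "pre-shared-key" and len(tokens[-1]) < MIN_PSK_LEN:
            findings.append(("medium", line, f"pre-shared key shorter than {MIN_PSK_LEN} characters"))
    return findings


def count_by_severity(findings: List[Finding]) -> Counter:
    return Counter(sev for sev, _, _ in findings)


if __name__ == "__main__":
    for sev, line, msg in audit_ipsec_config(PEER_CONFIG):
        print(f"[{sev}] {line}: {msg}")
    print("hardened config findings:", audit_ipsec_config(HARDENED_CONFIG))
```

Note that AR2 and AR3 must carry identical proposals and the same pre-shared key, since AR4 only ever negotiates with 1.1.1.1; the audit therefore needs to be run against both head-office routers, and any difference between them is itself a finding.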
5. The configuration is complete. Let's verify that it works.
For the tunnel to come up, we need to ping a host address on the remote side. Let's run a ping from host PC1 to PC2.
PC1> ping 192.168.2.10
Ping 192.168.2.10: 32 data bytes, Press Ctrl_C to break
From 192.168.2.10: bytes=32 seq=1 ttl=126 time=47 ms
From 192.168.2.10: bytes=32 seq=2 ttl=126 time=47 ms
From 192.168.2.10: bytes=32 seq=3 ttl=126 time=62 ms
From 192.168.2.10: bytes=32 seq=4 ttl=126 time=47 ms
From 192.168.2.10: bytes=32 seq=5 ttl=126 time=47 ms
--- 192.168.2.10 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 47/50/62 ms
As we can see, the pings go through, so the tunnel is up. We can check its state with the following command:
[AR2] display ipsec sa
===============================
Interface: GigabitEthernet0/0/1
Path MTU: 1500
===============================
-----------------------------
IPSec policy name: "map1"
Sequence number : 1
Acl Group : 3000
Acl rule : 5
Mode : ISAKMP
-----------------------------
Connection ID : 2
Encapsulation mode: Tunnel
Tunnel local : 1.1.1.1
Tunnel remote : 1.1.1.4
Flow source : 192.168.1.0/255.255.255.0 0/0
Flow destination : 192.168.2.0/255.255.255.0 0/0
Qos pre-classify : Disable
[Outbound ESP SAs]
SPI: 501526858 (0x1de4b14a)
Proposal: ESP-ENCRYPT-3DES-192 ESP-AUTH-SHA1
SA remaining key duration (bytes/sec): 1887436800/2799
Max sent sequence-number: 0
UDP encapsulation used for NAT traversal: N
[Inbound ESP SAs]
SPI: 2996220335 (0xb296b1af)
Proposal: ESP-ENCRYPT-3DES-192 ESP-AUTH-SHA1
SA remaining key duration (bytes/sec): 1887436800/2799
Max received sequence-number: 0
Anti-replay window size: 32
UDP encapsulation used for NAT traversal: N
[AR3] display ipsec sa
No Security Associations established.
[AR4] display ipsec sa
===============================
Interface: GigabitEthernet0/0/0
Path MTU: 1500
===============================
-----------------------------
IPSec policy name: "map1"
Sequence number : 1
Acl Group : 3000
Acl rule : 5
Mode : ISAKMP
-----------------------------
Connection ID : 2
Encapsulation mode: Tunnel
Tunnel local : 1.1.1.4
Tunnel remote : 1.1.1.1
Flow source : 192.168.2.0/255.255.255.0 0/0
Flow destination : 192.168.1.0/255.255.255.0 0/0
Qos pre-classify : Disable
[Outbound ESP SAs]
SPI: 2996220335 (0xb296b1af)
Proposal: ESP-ENCRYPT-3DES-192 ESP-AUTH-SHA1
SA remaining key duration (bytes/sec): 1887298560/2717
Max sent sequence-number: 9
UDP encapsulation used for NAT traversal: N
[Inbound ESP SAs]
SPI: 501526858 (0x1de4b14a)
Proposal: ESP-ENCRYPT-3DES-192 ESP-AUTH-SHA1
SA remaining key duration (bytes/sec): 1887436200/2717
Max received sequence-number: 10
Anti-replay window size: 32
UDP encapsulation used for NAT traversal: N
Now let's test VRRP failover. Shut down the active router of the group and check the routing table on AR1:
[AR1] display ip routing-table | exclude Direct
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 14 Routes : 14
Destination/Mask Proto Pre Cost Flags NextHop Interface
1.1.1.0/24 OSPF 10 11 D 1.1.3.3 GigabitEthernet0/0/1
1.1.1.1/32 OSPF 10 11 D 1.1.3.3 GigabitEthernet0/0/1
192.168.2.0/24 O_ASE 150 1 D 1.1.3.3 GigabitEthernet0/0/1
As we can see, traffic now goes via router AR3. Let's ping PC2 from PC1:
PC1> ping 192.168.2.10
Ping 192.168.2.10: 32 data bytes, Press Ctrl_C to break
Request timeout!
From 192.168.2.10: bytes=32 seq=2 ttl=126 time=46 ms
From 192.168.2.10: bytes=32 seq=3 ttl=126 time=47 ms
From 192.168.2.10: bytes=32 seq=4 ttl=126 time=63 ms
From 192.168.2.10: bytes=32 seq=5 ttl=126 time=47 ms
--- 192.168.2.10 ping statistics ---
5 packet(s) transmitted
4 packet(s) received
20.00% packet loss
round-trip min/avg/max = 0/50/63 ms
Let's check the status of the VPN connection. As we can see, the session on AR3 became active when AR2 became unreachable:
[AR3] display ipsec sa
===============================
Interface: GigabitEthernet0/0/2
Path MTU: 1500
===============================
----------------------------
IPSec policy name: "map1"
Sequence number : 1
Acl Group : 3000
Acl rule : 5
Mode : ISAKMP
-----------------------------
Connection ID : 24
Encapsulation mode: Tunnel
Tunnel local : 1.1.1.1
Tunnel remote : 1.1.1.4
Flow source : 192.168.1.0/255.255.255.0 0/0
Flow destination : 192.168.2.0/255.255.255.0 0/0
Qos pre-classify : Disable
[Outbound ESP SAs]
SPI: 979803215 (0x3a669c4f)
Proposal: ESP-ENCRYPT-3DES-192 ESP-AUTH-SHA1
SA remaining key duration (bytes/sec): 1887360000/3493
Max sent sequence-number: 5
UDP encapsulation used for NAT traversal: N
[Inbound ESP SAs]
SPI: 1997623317 (0x77115015)
Proposal: ESP-ENCRYPT-3DES-192 ESP-AUTH-SHA1
SA remaining key duration (bytes/sec): 1887436560/3493
Max received sequence-number: 4
Anti-replay window size: 32
UDP encapsulation used for NAT traversal: N
On router AR4 the VPN session was not interrupted, and the connection is still established with our virtual IP address 1.1.1.1:
[AR4] display ipsec sa
===============================
Interface: GigabitEthernet0/0/0
Path MTU: 1500
===============================
-----------------------------
IPSec policy name: "map1"
Sequence number : 1
Acl Group : 3000
Acl rule : 5
Mode : ISAKMP
-----------------------------
Connection ID : 4
Encapsulation mode: Tunnel
Tunnel local : 1.1.1.4
Tunnel remote : 1.1.1.1
Flow source : 192.168.2.0/255.255.255.0 0/0
Flow destination : 192.168.1.0/255.255.255.0 0/0
Qos pre-classify : Disable
[Outbound ESP SAs]
SPI: 1997623317 (0x77115015)
Proposal: ESP-ENCRYPT-3DES-192 ESP-AUTH-SHA1
SA remaining key duration (bytes/sec): 1887375360/3464
Max sent sequence-number: 4
UDP encapsulation used for NAT traversal: N
[Inbound ESP SAs]
SPI: 979803215 (0x3a669c4f)
Proposal: ESP-ENCRYPT-3DES-192 ESP-AUTH-SHA1
SA remaining key duration (bytes/sec): 1887436500/3464
Max received sequence-number: 5
Anti-replay window size: 32
UDP encapsulation used for NAT traversal: N
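The four `display ipsec sa` outputs above contain everything needed to verify the failover mechanically, and they also show something worth knowing about how it works: AR3 had no SA before the switch, and after it AR4's Connection ID and both SPIs differ from the earlier values (2996220335/501526858 before, 1997623317/979803215 after). The backup router does not inherit the SA; AR4 negotiates a fresh one with whoever now holds 1.1.1.1, which is what the single "Request timeout!" in the second ping covers. The following Python script is an added example, not part of the original article: it parses the outputs (excerpted here to the lines it reads), checks that each pair of peers is consistent (mirrored tunnel endpoints, each side's outbound SPIs equal to the other side's inbound SPIs) and reports whether the spoke kept the same peer address while receiving new SPIs, which is the signature of a successful VRRP failover of this design.

```python
import re
from typing import List

# Excerpts constructed from the four "display ipsec sa" outputs shown above; only the lines
# this check reads are kept (connection ID, tunnel endpoints and ESP SPIs).
AR2_BEFORE = """\
Connection ID : 2
Tunnel local : 1.1.1.1
Tunnel remote : 1.1.1.4
[Outbound ESP SAs]
SPI: 501526858 (0x1de4b14a)
[Inbound ESP SAs]
SPI: 2996220335 (0xb296b1af)
"""
AR3_BEFORE = "No Security Associations established.\n"
AR4_BEFORE = """\
Connection ID : 2
Tunnel local : 1.1.1.4
Tunnel remote : 1.1.1.1
[Outbound ESP SAs]
SPI: 2996220335 (0xb296b1af)
[Inbound ESP SAs]
SPI: 501526858 (0x1de4b14a)
"""
AR3_AFTER = """\
Connection ID : 24
Tunnel local : 1.1.1.1
Tunnel remote : 1.1.1.4
[Outbound ESP SAs]
SPI: 979803215 (0x3a669c4f)
[Inbound ESP SAs]
SPI: 1997623317 (0x77115015)
"""
AR4_AFTER = """\
Connection ID : 4
Tunnel local : 1.1.1.4
Tunnel remote : 1.1.1.1
[Outbound ESP SAs]
SPI: 1997623317 (0x77115015)
[Inbound ESP SAs]
SPI: 979803215 (0x3a669c4f)
"""

FIELD_RE = re.compile(r"^\s*(Tunnel local|Tunnel remote|Connection ID)\s*:\s*(\S+)")
SPI_RE = re.compile(r"^\s*SPI:\s*(\d+)")
FIELD_KEYS = {"Tunnel local": "local", "Tunnel remote": "remote", "Connection ID": "conn_id"}


def parse_ipsec_sa(text: str) -> dict:
    """Pull endpoints, connection ID and the outbound/inbound ESP SPIs out of 'display ipsec sa'."""
    sa = {"local": None, "remote": None, "conn_id": None, "outbound": set(), "inbound": set()}
    direction = None  # which SA list the SPI lines currently belong to
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            sa[FIELD_KEYS[m.group(1)]] = m.group(2)
        elif "[Outbound ESP SAs]" in line:
            direction = "outbound"
        elif "[Inbound ESP SAs]" in line:
            direction = "inbound"
        else:
            m = SPI_RE.match(line)
            if m and direction:
                sa[direction].add(int(m.group(1)))
    return sa


def sa_established(sa: dict) -> bool:
    return bool(sa["outbound"]) and bool(sa["inbound"])


def check_pair(a: dict, b: dict) -> List[str]:
    """Consistency between the two ends of one tunnel: mirrored endpoints and crossed SPIs."""
    problems = []
    if not (sa_established(a) and sa_established(b)):
        problems.append("SA missing on at least one side")
    if a["local"] != b["remote"] or a["remote"] != b["local"]:
        problems.append(f"endpoints not mirrored: {a['local']}->{a['remote']} vs {b['local']}->{b['remote']}")
    if a["outbound"] != b["inbound"]:
        problems.append(f"A outbound SPIs {sorted(a['outbound'])} != B inbound SPIs {sorted(b['inbound'])}")
    if b["outbound"] != a["inbound"]:
        problems.append(f"B outbound SPIs {sorted(b['outbound'])} != A inbound SPIs {sorted(a['inbound'])}")
    return problems


def failover_report(hub_before: dict, spoke_before: dict, hub_after: dict, spoke_after: dict) -> dict:
    """What a VRRP failover of the hub should look like from the spoke's (AR4's) point of view."""
    return {
        "before_consistent": check_pair(hub_before, spoke_before) == [],
        "after_consistent": check_pair(hub_after, spoke_after) == [],
        # the spoke keeps talking to the virtual IP, whichever physical router holds it
        "spoke_peer_unchanged": spoke_before["remote"] == spoke_after["remote"],
        # fresh SPIs in both directions show a new SA was negotiated with the new master
        "rekeyed": spoke_before["outbound"].isdisjoint(spoke_after["outbound"])
        and spoke_before["inbound"].isdisjoint(spoke_after["inbound"]),
    }


if __name__ == "__main__":
    print("AR3 had an SA before failover:", sa_established(parse_ipsec_sa(AR3_BEFORE)))
    print(failover_report(parse_ipsec_sa(AR2_BEFORE), parse_ipsec_sa(AR4_BEFORE),
                          parse_ipsec_sa(AR3_AFTER), parse_ipsec_sa(AR4_AFTER)))
```

Two operational consequences follow from the rekey. First, the failover time is bounded by how quickly AR4 notices the dead peer and renegotiates, not only by the VRRP preempt delay, so DPD or keepalive settings on AR4 decide how many packets are lost. Second, because both head-office routers present the same address and the same pre-shared key, AR4 cannot distinguish AR2 from AR3 in its logs; correlating SPIs from `display ipsec sa` on all three routers, as above, is how you establish which physical router terminated the tunnel at a given time.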