通常情况下,我们希望IPsec VPN流量可以在主从路由器之间做到无缝切换,可以通过HSRP与SSO相结合的方式来达到此目的.HSRP用于保证接入流量的热备份.一旦主路由器down掉后,HSRP立即将IKE信息与SA传递给备份路由器;而SSO允许主从路由器之间共享IKE与SA信息.
SPOKE配置如下:
1.定义感兴趣流量与路由协议:
- SPOKE(config)#access-list 100 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
- SPOKE(config)#ip route 0.0.0.0 0.0.0.0 serial0/0
2.全局启用ISAKMP并定义对等体及其PSK(预共享密钥):
- SPOKE(config)#crypto isakmp enable
- SPOKE(config)#crypto isakmp key 91lab address 0.0.0.0 0.0.0.0
3.定义IKE策略:
- SPOKE(config)#crypto isakmp policy 10
- SPOKE(config-isakmp)#encryption aes 128 /---默认是DES加密---/
- SPOKE(config-isakmp)#hash sha /---默认是SHA-1---/
- SPOKE(config-isakmp)#authentication pre-share
- SPOKE(config-isakmp)#group 2 /---默认是768位的DH1---/
- SPOKE(config-isakmp)#lifetime 3600 /---默认是86400秒---/
- SPOKE(config-isakmp)#exit
4.定义IPSec转换集(transform set):
- SPOKE(config)#crypto ipsec transform-set nuaiko esp-aes 128 esp-sha-hmac
- SPOKE(cfg-crypto-trans)#exit
5.定义crypto map并应用在接口上:
- SPOKE(config)#crypto map ccsp 10 ipsec-isakmp
- SPOKE(config-crypto-map)#match address 100
- SPOKE(config-crypto-map)#set peer 16.1.1.254 /---定义crypto map的对等体地址,这里为对端HSRP的虚拟IP地址---/
- SPOKE(config-crypto-map)#set transform-set nuaiko /---定义crypto map要应用的IPsec转换集---/
- SPOKE(config-crypto-map)#exit
- SPOKE(config)#interface serial0/0
- SPOKE(config-if)#crypto map ccsp
- *Mar 1 00:08:31.131: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
- SPOKE(config-if)#end
- SPOKE#
SPOKE配置完成.
HUB1配置如下:
1.定义感兴趣流量与路由协议:
- HUB1(config)#access-list 100 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
- HUB1(config)#ip route 0.0.0.0 0.0.0.0 16.1.1.3
2.全局启用ISAKMP并定义对等体及其PSK(预共享密钥):
- HUB1(config)#crypto isakmp enable
- HUB1(config)#crypto isakmp key 91lab address 0.0.0.0 0.0.0.0
3.定义IKE策略:
- HUB1(config)#crypto isakmp policy 10
- HUB1(config-isakmp)#encryption aes 128 /---默认是DES加密---/
- HUB1(config-isakmp)#hash sha /---默认是SHA-1---/
- HUB1(config-isakmp)#authentication pre-share
- HUB1(config-isakmp)#group 2 /---默认是768位的DH1---/
- HUB1(config-isakmp)#lifetime 3600 /---默认是86400秒---/
- HUB1(config-isakmp)#exit
4.定义IPSec转换集(transform set):
- HUB1(config)#crypto ipsec transform-set nuaiko esp-aes 128 esp-sha-hmac
- HUB1(cfg-crypto-trans)#exit
5.定义crypto map:
- HUB1(config)#crypto map ccsp 10 ipsec-isakmp
- HUB1(config-crypto-map)#match address 100
- HUB1(config-crypto-map)#set peer 173.1.1.1 /---定义要应用crypto map的对等体地址---/
- HUB1(config-crypto-map)#set transform-set nuaiko /---定义crypto map要应用的IPsec转换集---/
- HUB1(config-crypto-map)#exit
6.启用HSRP并应用crypto map:
- HUB1(config)#interface ethernet 0/0
- HUB1(config-if)#standby 1 ip 16.1.1.254 /---定义HSRP组1的虚拟IP地址---/
- HUB1(config-if)#standby 1 priority 105
- HUB1(config-if)#standby 1 preempt /---启用抢占特性---/
- *Mar 1 00:45:37.987: %HSRP-6-STATECHANGE: Ethernet0/0 Grp 1 state Speak -> Standby
- *Mar 1 00:45:37.987: %HSRP-6-STATECHANGE: Ethernet0/0 Grp 1 state Standby -> Active
- HUB1(config-if)#standby 1 name ss1 /---定义HSRP冗余组名---/
- HUB1(config-if)#standby 1 track ethernet 0/1 /---定义HSRP接口跟踪特性---/
- HUB1(config-if)#crypto map ccsp redundancy ss1 stateful /---应用crypto map,并定义备份IPsec对等体---/
- *Mar 1 00:46:47.591: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
- HUB1(config-if)#standby delay reload 120 /---定义HSRP组初始化的延迟间隔,官方建议120秒---/
- HUB1(config)#interface ethernet 0/1
- HUB1(config-if)#standby 2 ip 10.2.2.254
- HUB1(config-if)#standby 2 preempt
- *Mar 1 00:49:20.791: %HSRP-6-STATECHANGE: Ethernet0/1 Grp 2 state Speak -> Standby
- *Mar 1 00:49:20.791: %HSRP-6-STATECHANGE: Ethernet0/1 Grp 2 state Standby -> Active
- HUB1(config-if)#standby 2 track ethernet 0/0
- HUB1(config-if)#standby 2 name ss2
7.启用基于状态的转换SSO:
- HUB1(config)#redundancy inter-device
- HUB1(config-red-interdevice)#scheme standby ss2
- HUB1(config-red-interdevice)#exit
- HUB1(config)#ipc zone default
- HUB1(config-ipczone)#association 1
- HUB1(config-ipczone)#no shutdown
- HUB1(config-ipczone-assoc)#protocol sctp
- HUB1(config-ipc-protocol-sctp)#local-port 5000
- HUB1(config-ipc-local-sctp)#local-ip 10.2.2.1
- HUB1(config-ipc-local-sctp)#exit
- HUB1(config-ipc-protocol-sctp)#remote-port 5000
- HUB1(config-ipc-remote-sctp)#remote-ip 10.2.2.2
同理,HUB2相关配置如下:
- !
- crypto isakmp policy 10
- encr aes
- authentication pre-share
- group 2
- crypto isakmp key cisco1234 address 0.0.0.0 0.0.0.0
- !
- crypto ipsec transform-set nuaiko esp-aes esp-sha-hmac
- !
- crypto map cisco 10 ipsec-isakmp
- set peer 173.1.1.2
- set transform-set ccsp
- match address 100
- !
- interface ethernet 0/0
- standby 1 ip 16.1.1.254
- standby 1 priority 105
- standby 1 preempt
- standby 1 name ss1
- standby 1 track ethernet 0/0
- crypto map cisco redundancy ss1 stateful
- standby delay reload 120
- !
- interface ethernet 0/1
- ip address 10.2.2.2 255.255.255.0
- standby 2 ip 10.2.2.254
- standby 2 priority 105
- standby 2 preempt
- standby 2 name ss2
- standby 2 track ethernet 0/0
- standby delay reload 120
- !
- ip route 0.0.0.0 0.0.0.0 16.1.1.3
- !
- access-list 100 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
- !
- redundancy inter-device
- scheme standby ss2
- !
- ipc zone default
- association 1
- no shutdown
- protocol sctp
- local-port 5000
- local-ip 10.2.2.2
- remote-port 5000
- remote-ip 10.2.2.1
HUB2配置完成.
