Diagram:
Task: Set up redundancy for a route-based IPsec VPN tunnel serving the LAN subnet 192.0.2.128/25 using the VRRP protocol. Use OSPF to advertise the 192.0.2.128/25 route.
Solution:
1) Example configuration of ESR-MASTER:
ESR-MASTER# show running-config
hostname ESR-MASTER
router ospf log-adjacency-changes
router ospf 1
  router-id 192.0.2.2
  area 0.0.0.0
    network 192.0.2.128/25
    enable
  exit
  enable
exit
interface gigabitethernet 1/0/1
  ip firewall disable
  ip address 198.51.100.1/30
  vrrp id 1
  vrrp ip 203.0.113.6/30
  vrrp priority 110
  vrrp group 1
  vrrp
exit
interface gigabitethernet 1/0/2
  ip firewall disable
  ip address 192.0.2.130/25
  vrrp id 2
  vrrp ip 192.0.2.129/25
  vrrp priority 110
  vrrp group 1
  vrrp
exit
tunnel vti 1
  ip firewall disable
  local address 203.0.113.6
  remote address 203.0.113.2
  ip address 192.0.2.2/30
  ip ospf instance 1
  ip ospf
  enable
exit
security ike proposal IKE_PROPOSAL
  encryption algorithm aes128
  dh-group 2
exit
security ike policy IKE_POLICY
  pre-shared-key ascii-text encrypted 8CB5107EA7005AFF
  proposal IKE_PROPOSAL
exit
security ike gateway IKE_GATEWAY
  ike-policy IKE_POLICY
  mode route-based
  bind-interface vti 1
  dead-peer-detection action clear
exit
security ipsec proposal IPSEC_PROPOSAL
  encryption algorithm aes128
exit
security ipsec policy IPSEC_POLICY
  proposal IPSEC_PROPOSAL
exit
security ipsec vpn IPSEC_VPN_POLICY_BASED
  mode ike
  ike establish-tunnel route
  ike gateway IKE_GATEWAY
  ike ipsec-policy IPSEC_POLICY
  enable
exit
ip route 0.0.0.0/0 203.0.113.5
2) Example configuration of ESR-BACKUP:
ESR-BACKUP# show running-config
hostname ESR-BACKUP
router ospf log-adjacency-changes
router ospf 1
  router-id 1.1.1.2
  area 0.0.0.0
    network 192.0.2.128/25
    enable
  exit
  enable
exit
interface gigabitethernet 1/0/1
  ip firewall disable
  ip address 198.51.100.2/30
  vrrp id 1
  vrrp ip 203.0.113.6/30
  vrrp priority 90
  vrrp group 1
  vrrp
exit
interface gigabitethernet 1/0/2
  ip firewall disable
  ip address 192.0.2.131/25
  vrrp id 2
  vrrp ip 192.0.2.129/25
  vrrp priority 90
  vrrp group 1
  vrrp
exit
tunnel vti 1
  ip firewall disable
  local address 203.0.113.6
  remote address 203.0.113.2
  ip address 192.0.2.2/30
  ip ospf instance 1
  ip ospf
  enable
exit
security ike proposal IKE_PROPOSAL
  encryption algorithm aes128
  dh-group 2
exit
security ike policy IKE_POLICY
  pre-shared-key ascii-text encrypted 8CB5107EA7005AFF
  proposal IKE_PROPOSAL
exit
security ike gateway IKE_GATEWAY
  ike-policy IKE_POLICY
  mode route-based
  bind-interface vti 1
  dead-peer-detection action clear
exit
security ipsec proposal IPSEC_PROPOSAL
  encryption algorithm aes128
exit
security ipsec policy IPSEC_POLICY
  proposal IPSEC_PROPOSAL
exit
security ipsec vpn IPSEC_VPN_POLICY_BASED
  mode ike
  ike establish-tunnel route
  ike gateway IKE_GATEWAY
  ike ipsec-policy IPSEC_POLICY
  enable
exit
ip route 0.0.0.0/0 203.0.113.5
3) Example configuration of ESR-VPN-HOST:
ESR-VPN-HOST# show running-config
hostname ESR-VPN-HOST
router ospf log-adjacency-changes
router ospf 1
  router-id 192.0.2.1
  area 0.0.0.0
    enable
  exit
  enable
exit
interface gigabitethernet 1/0/1
  ip firewall disable
  ip address 203.0.113.2/30
exit
tunnel vti 1
  ip firewall disable
  local address 203.0.113.2
  remote address 203.0.113.6
  ip address 192.0.2.1/30
  ip ospf instance 1
  ip ospf
  enable
exit
security ike proposal IKE_PRO
  encryption algorithm aes128
  dh-group 2
exit
security ike policy IKE_POLICY
  pre-shared-key ascii-text encrypted 8CB5107EA7005AFF
  proposal IKE_PRO
exit
security ike gateway IKE_GATEWAY
  ike-policy IKE_POLICY
  mode route-based
  bind-interface vti 1
  dead-peer-detection action clear
exit
security ipsec proposal IPSEC_PROPOSAL
  encryption algorithm aes128
exit
security ipsec policy IPSEC_POLICY
  proposal IPSEC_PROPOSAL
exit
security ipsec vpn IPSEC_VPN_POLICY_BASED
  mode ike
  ike establish-tunnel route
  ike gateway IKE_GATEWAY
  ike ipsec-policy IPSEC_POLICY
  enable
exit
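The three configurations above only work as a redundant pair because they agree in several places: the VRRP virtual IP on gi 1/0/1 (203.0.113.6) is also the VTI local address on both ESRs, ESR-VPN-HOST points its tunnel at that same VIP, the IKE/IPsec parameters and pre-shared key match on all three routers, every IKE gateway has DPD with action clear, and the OSPF router-ids differ. The Python script below is an added example, not Eltex code: it parses running-config text in the flat form shown above and reports any of these mismatches. The set of section-opening prefixes it recognises and the shortened sample configs embedded in it are assumptions built from the page's examples.

```python
"""Consistency checks for a VRRP-backed route-based IPsec pair (added example, not
Eltex code).  It parses ESR ``show running-config`` text in the flat form shown on
this page and checks the invariants the failover design relies on.  MASTER, BACKUP
and HOST below are constructed, shortened copies of the page's ESR configs, one
section per physical line with statements separated by newline escapes."""
import re

# Lines that open a CLI section closed by a later "exit" (an assumption drawn from the
# sections used on this page; "router ospf log-adjacency-changes" is a plain statement).
SECTION_RE = re.compile(r"^(router ospf \d+|area \S+|interface \S.*|tunnel \S.*|security (?:ike|ipsec) \S+ \S+)$")
WAN, LAN, VTI = "interface gigabitethernet 1/0/1", "interface gigabitethernet 1/0/2", "tunnel vti"


def parse_esr_config(text):
    """Return [(context, statement)]; context is the tuple of enclosing section headers."""
    stack, entries = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "#" in line:          # blank line or the "ESR-X# show ..." prompt
            continue
        if line == "exit":
            del stack[-1:]                   # close the innermost section (tolerates a stray exit)
        elif SECTION_RE.match(line):
            stack.append(line)
        else:
            entries.append((tuple(stack), line))
    return entries

def find(entries, section_prefix, stmt_prefix):
    """Value part of the first statement starting with stmt_prefix inside a matching section."""
    for ctx, stmt in entries:
        if ctx and ctx[-1].startswith(section_prefix) and stmt.startswith(stmt_prefix):
            return stmt[len(stmt_prefix):].strip()
    return None

def params(entries, section_prefix):
    """All statements under matching sections: proposal names may differ, parameters may not."""
    return frozenset(s for c, s in entries if c and c[-1].startswith(section_prefix))

def check_redundancy(master_cfg, backup_cfg, host_cfg):
    """Return a list of findings; an empty list means the three configs fit together."""
    m, b, h = (parse_esr_config(t) for t in (master_cfg, backup_cfg, host_cfg))
    esrs = (("ESR-MASTER", m), ("ESR-BACKUP", b))
    all3 = esrs + (("ESR-VPN-HOST", h),)
    findings = []
    # VRRP: identical VIPs and one group, so the WAN and LAN instances fail over together
    for ifc in (WAN, LAN):
        for key in ("vrrp ip ", "vrrp group "):
            if find(m, ifc, key) != find(b, ifc, key):
                findings.append(f"{key.strip()} differs between ESRs on {ifc}")
    if int(find(m, WAN, "vrrp priority ")) <= int(find(b, WAN, "vrrp priority ")):
        findings.append("ESR-MASTER VRRP priority must be higher than ESR-BACKUP's")
    # Tunnel endpoints: sourced from the WAN VIP on both ESRs and mirrored by the host
    vip = find(m, WAN, "vrrp ip ").split("/")[0]
    host_wan = find(h, WAN, "ip address ").split("/")[0]
    for name, cfg in esrs:
        if find(cfg, VTI, "local address ") != vip:
            findings.append(f"{name}: VTI local address is not the VRRP VIP {vip}")
        if find(cfg, VTI, "remote address ") != host_wan:
            findings.append(f"{name}: VTI remote address is not the host WAN address {host_wan}")
    if find(h, VTI, "remote address ") != vip:
        findings.append("ESR-VPN-HOST: VTI remote address is not the VRRP VIP")
    if find(m, VTI, "ip address ") != find(b, VTI, "ip address "):
        findings.append("VTI inner address differs between ESRs (the OSPF neighbor would change)")
    # Crypto: same IKE/IPsec parameters and PSK on all three; DPD action clear for a fast rebuild
    for section in ("security ike proposal", "security ipsec proposal"):
        if len({params(cfg, section) for _, cfg in all3}) != 1:
            findings.append(f"{section} parameters differ between routers")
    if len({find(cfg, "security ike policy", "pre-shared-key ") for _, cfg in all3}) != 1:
        findings.append("pre-shared keys differ between routers")
    for name, cfg in all3:
        if find(cfg, "security ike gateway", "dead-peer-detection action ") != "clear":
            findings.append(f"{name}: dead-peer-detection action clear is missing")
    if len({find(cfg, "router ospf", "router-id ") for _, cfg in all3}) != 3:
        findings.append("OSPF router-ids are not unique")
    return findings


ESR_TEMPLATE = (  # shared by ESR-MASTER and ESR-BACKUP; only the substituted values differ
    "router ospf 1\nrouter-id {rid}\nexit\n"
    "interface gigabitethernet 1/0/1\nip address {wan}\nvrrp ip 203.0.113.6/30\nvrrp priority {prio}\nvrrp group 1\nexit\n"
    "interface gigabitethernet 1/0/2\nip address {lan}\nvrrp ip 192.0.2.129/25\nvrrp priority {prio}\nvrrp group 1\nexit\n"
    "tunnel vti 1\nlocal address 203.0.113.6\nremote address 203.0.113.2\nip address 192.0.2.2/30\nexit\n"
    "security ike proposal IKE_PROPOSAL\nencryption algorithm aes128\ndh-group 2\nexit\n"
    "security ike policy IKE_POLICY\npre-shared-key ascii-text encrypted 8CB5107EA7005AFF\nexit\n"
    "security ike gateway IKE_GATEWAY\nmode route-based\ndead-peer-detection action clear\nexit\n"
    "security ipsec proposal IPSEC_PROPOSAL\nencryption algorithm aes128\nexit\n")
MASTER = ESR_TEMPLATE.format(rid="192.0.2.2", wan="198.51.100.1/30", lan="192.0.2.130/25", prio=110)
BACKUP = ESR_TEMPLATE.format(rid="1.1.1.2", wan="198.51.100.2/30", lan="192.0.2.131/25", prio=90)
HOST = (
    "router ospf 1\nrouter-id 192.0.2.1\nexit\ninterface gigabitethernet 1/0/1\nip address 203.0.113.2/30\nexit\n"
    "tunnel vti 1\nlocal address 203.0.113.2\nremote address 203.0.113.6\nip address 192.0.2.1/30\nexit\n"
    "security ike proposal IKE_PRO\nencryption algorithm aes128\ndh-group 2\nexit\n"
    "security ike policy IKE_POLICY\npre-shared-key ascii-text encrypted 8CB5107EA7005AFF\nexit\n"
    "security ike gateway IKE_GATEWAY\nmode route-based\ndead-peer-detection action clear\nexit\n"
    "security ipsec proposal IPSEC_PROPOSAL\nencryption algorithm aes128\nexit\n")

if __name__ == "__main__":
    print(check_redundancy(MASTER, BACKUP, HOST) or "OK")
```

Run as-is it prints OK for the constructed sample; in practice paste each router's `show running-config` output into the three strings. A typical slip it catches is a backup whose `local address` is its own physical 198.51.100.2 rather than the shared VIP 203.0.113.6: ESR-VPN-HOST is configured with `remote address 203.0.113.6`, so after a switch-over the backup's tunnel would come from an address the host is not expecting.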
4) As a result, once ESR-MASTER, ESR-BACKUP and ESR-VPN-HOST are configured and their interfaces are up (state UP), ESR-MASTER will be in the "Master" state and the VTI tunnel to ESR-VPN-HOST will be built through it. The 192.0.2.128/25 route will be advertised via OSPF, and traffic from the LAN (192.0.2.128/25) to ESR-VPN-HOST will pass through ESR-MASTER.
Output on ESR-MASTER:
ESR-MASTER# show vrrp
Virtual router   Virtual IP                          Priority   Preemption   State
--------------   ---------------------------------   --------   ----------   ------
1                203.0.113.6/30                      110        Enabled      Master
2                192.0.2.129/25                      110        Enabled      Master
ESR-MASTER# ping 192.0.2.1
PING 192.0.2.1 (192.0.2.1) 56 bytes of data.
!!!!!
--- 192.0.2.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4007ms
rtt min/avg/max/mdev = 0.574/0.644/0.766/0.069 ms
ESR-MASTER# show security ipsec vpn status
Name                              Local host        Remote host       Initiator spi        Responder spi        State
-------------------------------   ---------------   ---------------   ------------------   ------------------   -----------
IPSEC_VPN_POLICY_BASED            203.0.113.6       203.0.113.2       0xd30deda1d911fdf5   0x1d0638c3bfdfb428   Established
ESR-MASTER# show ip ospf neighbors
Router ID   Pri   State      DTime   Interface           Router IP
---------   ---   --------   -----   -----------------   ---------
192.0.2.1   128   Full/BDR   00:34   vti1                192.0.2.1
Output on ESR-VPN-HOST:
ESR-VPN-HOST# show security ipsec vpn status
Name                              Local host        Remote host       Initiator spi        Responder spi        State
-------------------------------   ---------------   ---------------   ------------------   ------------------   -----------
IPSEC_VPN_POLICY_BASED            203.0.113.2       203.0.113.6       0xd30deda1d911fdf5   0x1d0638c3bfdfb428   Established
ESR-VPN-HOST# show ip ospf neighbors
Router ID   Pri   State      DTime   Interface           Router IP
---------   ---   --------   -----   -----------------   ---------
192.0.2.2   128   Full/DR    00:39   vti1                192.0.2.2
ESR-VPN-HOST# show ip route ospf
O 192.0.2.0/30 [150/10] dev vti1 [ospf1 21:17:43] (192.0.2.2)
O E2 * 192.0.2.128/25 [150/10/10000] via 192.0.2.2 on vti1 [ospf1 21:17:47] (192.0.2.2)
ESR-VPN-HOST# ping 192.0.2.2
PING 192.0.2.2 (192.0.2.2) 56 bytes of data.
!!!!!
--- 192.0.2.2 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4006ms
rtt min/avg/max/mdev = 0.597/0.647/0.717/0.050 ms
ESR-VPN-HOST# ping 192.0.2.129
PING 192.0.2.129 (192.0.2.129) 56 bytes of data.
!!!!!
--- 192.0.2.129 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4006ms
rtt min/avg/max/mdev = 0.604/0.638/0.689/0.030 ms
5) If one of the interfaces (gi 1/0/1 or gi 1/0/2) on ESR-MASTER goes to the "down" state, ESR-BACKUP will take over the Master state and the VTI tunnel will be re-established. Traffic from the LAN (192.0.2.128/25) to ESR-VPN-HOST will then pass through ESR-BACKUP.
For fast re-establishment of the IPsec tunnels, DPD must be configured with action clear:
security ike gateway IKE_GATEWAY
  dead-peer-detection action clear
exit
Output on ESR-MASTER when interface gi 1/0/1 goes down:
2023-03-06T05:47:57+00:00 %LINK-W-DOWN: gigabitethernet 1/0/1 changed state to down
2023-03-06T05:47:58+00:00 %LINK-W-DOWN: interface vrrp.1 changed state to down
2023-03-06T05:47:58+00:00 %VRRP-I-INSTANCE: VRRP1 Entering FAULT state
2023-03-06T05:47:58+00:00 %VRRP-I-INSTANCE: VRRP1 Now in FAULT state
2023-03-06T05:47:58+00:00 %VRRP-I-GROUP: GROUP1 Syncing instances to FAULT state
2023-03-06T05:47:58+00:00 %VRRP-I-INSTANCE: VRRP2 Entering FAULT state
2023-03-06T05:47:58+00:00 %VRRP-I-INSTANCE: VRRP2 Now in FAULT state
2023-03-06T05:48:30+00:00 %OSPF-W-NEIG: OSPF 1 routing: Neighbor 192.0.2.1 on vti1 changed state from Full to Down
2023-03-06T05:48:30+00:00 %OSPF-W-NEIG: OSPF 1 routing: Neighbor 192.0.2.1 on vti1 removed
ESR-MASTER# show vrrp
Virtual router   Virtual IP                          Priority   Preemption   State
--------------   ---------------------------------   --------   ----------   ------
1                203.0.113.6/30                      110        Enabled      Fault
2                192.0.2.129/25                      110        Enabled      Fault
ESR-MASTER# show security ipsec vpn status
Name                              Local host        Remote host       Initiator spi        Responder spi        State
-------------------------------   ---------------   ---------------   ------------------   ------------------   -----------
IPSEC_VPN_POLICY_BASED            203.0.113.6       203.0.113.2       0x015d1c301753fc40   0x0000000000000000   Connecting
Output on ESR-BACKUP on its transition to the VRRP Master state:
2023-03-06T09:38:53+00:00 %VRRP-I-INSTANCE: VRRP2 Transition to MASTER state
2023-03-06T09:38:53+00:00 %VRRP-I-GROUP: GROUP1 Syncing instances to MASTER state
2023-03-06T09:38:53+00:00 %VRRP-I-INSTANCE: VRRP1 Transition to MASTER state
2023-03-06T09:38:54+00:00 %VRRP-I-INSTANCE: VRRP2 Entering MASTER state
2023-03-06T09:38:56+00:00 %VRRP-I-INSTANCE: VRRP1 Entering MASTER state
2023-03-06T09:39:05+00:00 %OSPF-W-NEIG: OSPF 1 routing: Neighbor 192.0.2.1 on vti1 changed state from Down to Init
2023-03-06T09:39:14+00:00 %OSPF-W-NEIG: OSPF 1 routing: Neighbor 192.0.2.1 on vti1 changed state from Init to 2-Way
2023-03-06T09:39:14+00:00 %OSPF-W-NEIG: OSPF 1 routing: Neighbor 192.0.2.1 on vti1 changed state from 2-Way to ExStart
2023-03-06T09:39:14+00:00 %OSPF-W-NEIG: OSPF 1 routing: Neighbor 192.0.2.1 on vti1 changed state from ExStart to Exchange
2023-03-06T09:39:14+00:00 %OSPF-W-NEIG: OSPF 1 routing: Neighbor 192.0.2.1 on vti1 changed state from Exchange to Loading
2023-03-06T09:39:14+00:00 %OSPF-W-NEIG: OSPF 1 routing: Neighbor 192.0.2.1 on vti1 changed state from Loading to Full
ESR-BACKUP# show vrrp
Virtual router   Virtual IP                          Priority   Preemption   State
--------------   ---------------------------------   --------   ----------   ------
1                203.0.113.6/30                      90         Enabled      Master
2                192.0.2.129/25                      90         Enabled      Master
ESR-BACKUP# show security ipsec vpn status
Name                              Local host        Remote host       Initiator spi        Responder spi        State
-------------------------------   ---------------   ---------------   ------------------   ------------------   -----------
IPSEC_VPN_POLICY_BASED            203.0.113.6       203.0.113.2       0x2cc815aa4bfac1f7   0xf4a28e0caeab5fb8   Established
ESR-BACKUP# show ip ospf neighbors
Router ID   Pri   State      DTime   Interface           Router IP
---------   ---   --------   -----   -----------------   ---------
192.0.2.1   128   Full/DR    00:37   vti1                192.0.2.1
ESR-BACKUP# ping 192.0.2.1
PING 192.0.2.1 (192.0.2.1) 56 bytes of data.
!!!!!
--- 192.0.2.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4007ms
rtt min/avg/max/mdev = 0.554/0.608/0.740/0.075 ms
Output on ESR-VPN-HOST while the VTI tunnel is re-established:
2090-11-25T21:23:11+00:00 %OSPF-W-NEIG: OSPF 1 routing: Neighbor 192.0.2.2 on vti1 changed state from Full to Down
2090-11-25T21:23:11+00:00 %OSPF-W-NEIG: OSPF 1 routing: Neighbor 192.0.2.2 on vti1 removed
2090-11-25T21:23:11+00:00 %OSPF-W-NEIG: OSPF 1 routing: Neighbor 192.0.2.2 on vti1 changed state from Down to Init
2090-11-25T21:23:11+00:00 %OSPF-W-NEIG: OSPF 1 routing: Neighbor 192.0.2.2 on vti1 changed state from Init to 2-Way
2090-11-25T21:23:11+00:00 %OSPF-W-NEIG: OSPF 1 routing: Neighbor 192.0.2.2 on vti1 changed state from 2-Way to ExStart
2090-11-25T21:23:11+00:00 %OSPF-W-NEIG: OSPF 1 routing: Neighbor 192.0.2.2 on vti1 changed state from ExStart to Exchange
2090-11-25T21:23:11+00:00 %OSPF-W-NEIG: OSPF 1 routing: Neighbor 192.0.2.2 on vti1 changed state from Exchange to Loading
2090-11-25T21:23:11+00:00 %OSPF-W-NEIG: OSPF 1 routing: Neighbor 192.0.2.2 on vti1 changed state from Loading to Full
ESR-VPN-HOST# show security ipsec vpn status
Name                              Local host        Remote host       Initiator spi        Responder spi        State
-------------------------------   ---------------   ---------------   ------------------   ------------------   -----------
IPSEC_VPN_POLICY_BASED            203.0.113.2       203.0.113.6       0x2cc815aa4bfac1f7   0xf4a28e0caeab5fb8   Established
ESR-VPN-HOST# show ip ospf neighbors
Router ID   Pri   State      DTime   Interface           Router IP
---------   ---   --------   -----   -----------------   ---------
1.1.1.2     128   Full/BDR   00:34   vti1                192.0.2.2
ESR-VPN-HOST# show ip route ospf
O 192.0.2.0/30 [150/10] dev vti1 [ospf1 21:23:12] (192.0.2.1)
O E2 * 192.0.2.128/25 [150/10/10000] via 192.0.2.2 on vti1 [ospf1 21:23:19] (1.1.1.2)
ESR-VPN-HOST# ping 192.0.2.2
PING 192.0.2.2 (192.0.2.2) 56 bytes of data.
!!!!!
--- 192.0.2.2 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4006ms
rtt min/avg/max/mdev = 0.549/0.633/0.688/0.053 ms
ESR-VPN-HOST# ping 192.0.2.129
PING 192.0.2.129 (192.0.2.129) 56 bytes of data.
!!!!!
--- 192.0.2.129 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4006ms
rtt min/avg/max/mdev = 0.623/0.653/0.694/0.037 ms
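The log excerpts in section 5 show the order of events a correct failover produces: on ESR-MASTER the physical link goes down, both VRRP instances enter FAULT together (they share group 1), and the OSPF neighbour over the old tunnel times out; on ESR-BACKUP both instances transition to MASTER, the tunnel is rebuilt and the OSPF adjacency reaches Full; ESR-VPN-HOST sees its neighbour drop and immediately re-form. The Python script below is an added example, not Eltex code: it parses the ESR syslog formats seen in those excerpts (%LINK-W-DOWN, %VRRP-I-INSTANCE, %VRRP-I-GROUP, %OSPF-W-NEIG) and reduces a failover log to the figures an operator checks afterwards: the final VRRP state of each instance, whether the group stayed in sync, and the seconds between milestones. The sample lines are abridged copies of the excerpts above; the summary field names are this example's own.

```python
"""Measure a VRRP/IPsec failover from ESR syslog lines (added example, not Eltex
code).  The message formats and the sample lines below are taken (abridged) from
the section 5 log excerpts on this page; the summary fields are this example's own
naming.  Timestamps are parsed as written, so the unset 2090 clock on
ESR-VPN-HOST still yields correct intervals within that router's own log."""
import re
from datetime import datetime

LOG_RE = re.compile(r"^(?P<ts>\S+) %(?P<fac>[A-Z]+)-[A-Z]-[A-Z]+: (?P<msg>.*)$")
VRRP_RE = re.compile(r"VRRP(?P<inst>\d+) (?P<verb>Transition to|Entering|Now in) (?P<state>[A-Z]+) state")
OSPF_RE = re.compile(r"Neighbor (?P<nbr>\S+) on (?P<ifc>\S+) changed state from (?P<old>\S+) to (?P<new>\S+)")
LINK_RE = re.compile(r"^(?:interface )?(?P<ifc>.+?) changed state to (?P<state>up|down)$")


def parse_event(line):
    """Return a dict for one ESR syslog line, or None if the line is something else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = {"ts": datetime.fromisoformat(m["ts"]), "kind": m["fac"], "msg": m["msg"]}
    v = VRRP_RE.search(m["msg"]) if m["fac"] == "VRRP" else None   # GROUP lines do not match
    o = OSPF_RE.search(m["msg"]) if m["fac"] == "OSPF" else None   # "removed" lines do not match
    l = LINK_RE.match(m["msg"]) if m["fac"] == "LINK" else None
    if v:
        ev.update(instance=int(v["inst"]), verb=v["verb"], state=v["state"])
    elif o:
        ev.update(neighbor=o["nbr"], interface=o["ifc"], old=o["old"], new=o["new"])
    elif l:
        ev.update(interface=l["ifc"], state=l["state"])
    return ev


def summarize_failover(lines):
    """Collapse a failover log into the figures checked after a VRRP switch-over."""
    events = [e for e in map(parse_event, lines) if e]
    vrrp_final, first = {}, {}   # instance -> last announced state; milestone -> first timestamp
    for e in events:
        if e["kind"] == "VRRP" and "state" in e:
            vrrp_final[e["instance"]] = e["state"]
            if e["verb"] == "Transition to" and e["state"] == "MASTER":
                first.setdefault("vrrp_master", e["ts"])
        elif e["kind"] == "LINK" and e.get("state") == "down" and not e["interface"].startswith("vrrp"):
            first.setdefault("link_down", e["ts"])          # physical port only, not vrrp.N
        elif e["kind"] == "OSPF" and e.get("new") in ("Down", "Full"):
            first.setdefault("ospf_" + e["new"].lower(), e["ts"])

    def secs(a, b):
        return (first[b] - first[a]).total_seconds() if a in first and b in first else None

    return {
        "vrrp_final": vrrp_final,
        # "vrrp group 1" ties both instances together: they must end in the same state
        "group_in_sync": len(set(vrrp_final.values())) <= 1,
        "secs_link_down_to_ospf_down": secs("link_down", "ospf_down"),   # old master: neighbor loss
        "secs_master_to_ospf_full": secs("vrrp_master", "ospf_full"),    # new master: convergence
        "secs_ospf_down_to_full": secs("ospf_down", "ospf_full"),        # hub: tunnel rebuild gap
    }


# Abridged copies of the section 5 excerpts (ESR-MASTER, ESR-BACKUP, ESR-VPN-HOST).
MASTER_LOG = """
2023-03-06T05:47:57+00:00 %LINK-W-DOWN: gigabitethernet 1/0/1 changed state to down
2023-03-06T05:47:58+00:00 %LINK-W-DOWN: interface vrrp.1 changed state to down
2023-03-06T05:47:58+00:00 %VRRP-I-INSTANCE: VRRP1 Entering FAULT state
2023-03-06T05:47:58+00:00 %VRRP-I-GROUP: GROUP1 Syncing instances to FAULT state
2023-03-06T05:47:58+00:00 %VRRP-I-INSTANCE: VRRP2 Now in FAULT state
2023-03-06T05:48:30+00:00 %OSPF-W-NEIG: OSPF 1 routing: Neighbor 192.0.2.1 on vti1 changed state from Full to Down
2023-03-06T05:48:30+00:00 %OSPF-W-NEIG: OSPF 1 routing: Neighbor 192.0.2.1 on vti1 removed
""".strip().splitlines()
BACKUP_LOG = """
2023-03-06T09:38:53+00:00 %VRRP-I-INSTANCE: VRRP2 Transition to MASTER state
2023-03-06T09:38:53+00:00 %VRRP-I-GROUP: GROUP1 Syncing instances to MASTER state
2023-03-06T09:38:53+00:00 %VRRP-I-INSTANCE: VRRP1 Transition to MASTER state
2023-03-06T09:38:54+00:00 %VRRP-I-INSTANCE: VRRP2 Entering MASTER state
2023-03-06T09:38:56+00:00 %VRRP-I-INSTANCE: VRRP1 Entering MASTER state
2023-03-06T09:39:05+00:00 %OSPF-W-NEIG: OSPF 1 routing: Neighbor 192.0.2.1 on vti1 changed state from Down to Init
2023-03-06T09:39:14+00:00 %OSPF-W-NEIG: OSPF 1 routing: Neighbor 192.0.2.1 on vti1 changed state from Loading to Full
""".strip().splitlines()
HOST_LOG = """
2090-11-25T21:23:11+00:00 %OSPF-W-NEIG: OSPF 1 routing: Neighbor 192.0.2.2 on vti1 changed state from Full to Down
2090-11-25T21:23:11+00:00 %OSPF-W-NEIG: OSPF 1 routing: Neighbor 192.0.2.2 on vti1 removed
2090-11-25T21:23:11+00:00 %OSPF-W-NEIG: OSPF 1 routing: Neighbor 192.0.2.2 on vti1 changed state from Loading to Full
""".strip().splitlines()

if __name__ == "__main__":
    for name, log in (("ESR-MASTER", MASTER_LOG), ("ESR-BACKUP", BACKUP_LOG), ("ESR-VPN-HOST", HOST_LOG)):
        print(name, summarize_failover(log))
```

For the excerpts on this page it reports 33 s from link down to the OSPF neighbour going down on ESR-MASTER and 21 s from the MASTER transition to a Full adjacency on ESR-BACKUP, while ESR-VPN-HOST sees the neighbour drop and return within the same second. Feeding a real syslog stream through it lets an operator alert when these intervals grow or when group_in_sync turns false, which would mean the WAN and LAN virtual addresses are no longer held by the same router.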