Description:
One way to organize connectivity with two links used for redundancy applies when all traffic must be carried over the primary link and, if the primary link becomes unavailable, traffic must fail over to the backup link (and fail back to the primary link once it is restored).
Solution:
ESR routers can shut down an interface under the control of a track object. The logic is as follows: while ip sla test 1 succeeds, the IPSec VPN runs over interface gigabitethernet 1/0/1 (primary link), and during that time interface gigabitethernet 1/0/2 (backup link) is in the Down state (shut down according to track 1). When ip sla test 1 changes to the Fail state, the routing table is rebuilt (according to track 1) and interface gigabitethernet 1/0/2 goes Up (according to track 1); the IPSec VPN is then built from the IP address assigned to interface gigabitethernet 1/0/2. When the primary link recovers (ip sla test 1 returns to the Successful status), the IPSec VPN is established from the IP address assigned to interface gigabitethernet 1/0/1.
Configuration:
object-group service ISAKMP
  port-range 500
  port-range 4500
exit

security zone untrusted
exit
security zone trusted
exit

interface gigabitethernet 1/0/1
  description "ISP1"
  security-zone untrusted
  ip address 192.0.2.1/30
exit
interface gigabitethernet 1/0/2
  shutdown track 1
  description "ISP2"
  security-zone untrusted
  ip address 198.51.100.1/30
exit
interface gigabitethernet 1/0/3
  description "LAN"
  security-zone trusted
  ip address 192.168.10.1/24
exit

security zone-pair untrusted self
  rule 10
    action permit
    match protocol udp
    match destination-port ISAKMP
    enable
  exit
  rule 20
    action permit
    match protocol esp
    enable
  exit
  rule 30
    action permit
    match protocol icmp
    enable
  exit
exit
security zone-pair trusted self
  rule 1
    action permit
    enable
  exit
exit
security zone-pair untrusted trusted
  rule 1
    action permit
    enable
  exit
exit
security zone-pair trusted untrusted
  rule 1
    action permit
    enable
  exit
exit

security ike proposal ike_proposal
  authentication algorithm sha2-256
  encryption algorithm aes128
  dh-group 2
exit
security ike policy ike_policy
  pre-shared-key ascii-text <password>
  proposal ike_proposal
exit
security ike gateway ike_gateway
  version v2-only
  ike-policy ike_policy
  local address any
  local network 192.168.10.0/24
  remote address 203.0.113.1
  remote network 172.16.10.0/24
  mode policy-based
exit
security ipsec proposal ipsec_proposal
  authentication algorithm sha2-256
  encryption algorithm aes128
exit
security ipsec policy ipsec_policy
  proposal ipsec_proposal
exit
security ipsec vpn ipsec_vpn
  mode ike
  ike establish-tunnel route
  ike gateway ike_gateway
  ike ipsec-policy ipsec_policy
  enable
exit

ip route 203.0.113.1/32 192.0.2.2 track 1
ip route 203.0.113.1/32 198.51.100.2 2

ip sla
ip sla test 1
  icmp-echo 192.0.2.2 source-ip 192.0.2.1
  num-packets 20
  interval 15
  enable
exit
ip sla schedule 1 life forever start-time now

track 1
  track sla test 1
  enable
exit
Diagnostics:
1) Operation with the primary link available
esr# show ip sla test statistics 1
Test number:                                    1
Test status:                                    Successful
Transmitted packets:                            20
Lost packets:                                   0 (0.00%)
Lost packets in forward direction:              0 (0.00%)
Lost packets in reverse direction:              0 (0.00%)
One-way delay forward min/avg/max:              0.00/0.00/0.00 milliseconds
One-way delay reverse min/avg/max:              0.00/0.00/0.00 milliseconds
One-way jitter forward:                         0.00 milliseconds
One-way jitter reverse:                         0.00 milliseconds
Two-way delay min/avg/max:                      0.00/0.08/0.15 milliseconds
Duplicate packets:                              0
Out of sequence packets in forward direction:   0
Out of sequence packets in reverse direction:   0
esr#
esr# show ip route
Codes: C - connected, S - static, R - RIP derived, O - OSPF derived,
       IA - OSPF inter area route, E1 - OSPF external type 1 route,
       E2 - OSPF external type 2 route
       B - BGP derived, D - DHCP derived, K - kernel route, V - VRRP route
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - FIB route

C *  192.0.2.0/30      [0/0] dev gi1/0/1                [direct 11:40:41]
C *  192.168.10.0/24   [0/0] dev gi1/0/3                [direct 11:40:43]
S *  203.0.113.1/32    [1/0] via 192.0.2.2 on gi1/0/1   [static 13:57:14]
esr#
esr# show track 1
Track 1:
    State:           Up
    Changes count:   13 (last 15 hours, 48 minutes and 32 seconds)
    Mode:            And
    Delay up:        0s
    Delay down:      0s
    Conditions:
        Type  ID     State  Mode          Last time change           VRF
        ----  -----  -----  ------------  -------------------------  --------------------------------
        SLA   1      True   State         15 hours, 48 minutes and   --
                                          32 seconds
    Actions:
        Interfaces:
            Gigabitethernet 1/0/2: Down
        Static routes:
            203.0.113.1/32 via 192.0.2.2: Installed
esr#
esr# show interfaces status
Interface             Admin  Link   MTU     MAC address         Last change                Mode
                      state  state
--------------------  -----  -----  ------  ------------------  -------------------------  ------------
gi1/0/1               Up     Up     1500    a8:f9:4b:ab:d5:66   5 hours, 26 minutes and    routerport
                                                                24 seconds
gi1/0/2               Down   Down   1500    a8:f9:4b:ab:d5:67   7 seconds                  routerport
gi1/0/3               Up     Up     1500    a8:f9:4b:ab:d5:68   5 hours, 17 minutes and    routerport
                                                                45 seconds
gi1/0/4               Up     Down   1500    a8:f9:4b:ab:d5:69   5 hours, 27 minutes and    routerport
                                                                27 seconds
esr# show security ipsec vpn status ipsec_vpn
Currently active IKE SA:
    Name:                     ipsec_vpn
    State:                    Established
    Version:                  v2-only
    Unique ID:                2
    Local host:               192.0.2.1
    Remote host:              203.0.113.1
    Role:                     Initiator
    Initiator spi:            0xa2b6970f4f1e381a
    Responder spi:            0x41cd6a54e8b67b63
    Encryption algorithm:     aes128
    Authentication algorithm: sha2-256
    Diffie-Hellman group:     2
    Established:              2 hours and 22 minutes ago
    Rekey time:               2 hours and 22 minutes
    Reauthentication time:    16 minutes and 11 seconds
    Child IPsec SAs:
        Name:                     ipsec_vpn-9
        State:                    Installed
        Protocol:                 esp
        Mode:                     Tunnel
        Encryption algorithm:     aes128
        Authentication algorithm: sha2-256
        Rekey time:               33 minutes and 9 seconds
        Life time:                46 minutes and 53 seconds
        Established:              13 minutes and 7 seconds ago
        Traffic statistics:
            Input bytes:          1579956
            Output bytes:         1579956
            Input packets:        18809
            Output packets:       18809
-------------------------------------------------------------
2) Operation with the primary link unavailable (traffic via the backup link):
esr# ping 172.16.10.1 source ip 192.168.10.1 packets unlimited
PING 172.16.10.1 (172.16.10.1) from 192.168.10.1 : 56 bytes of data.
!!!!!!!!!!!!!..........!!!!!!!!!!!
--- 172.16.10.1 ping statistics ---
34 packets transmitted, 24 received, 29% packet loss, time 33037ms
rtt min/avg/max/mdev = 0.257/0.314/0.436/0.040 ms
esr# show ip sla test statistics 1
Test number:                                    1
Test status:                                    Fail
Transmitted packets:                            0
Lost packets:                                   0 (0.00%)
Lost packets in forward direction:              0 (0.00%)
Lost packets in reverse direction:              0 (0.00%)
One-way delay forward min/avg/max:              0.00/0.00/0.00 milliseconds
One-way delay reverse min/avg/max:              0.00/0.00/0.00 milliseconds
One-way jitter forward:                         0.00 milliseconds
One-way jitter reverse:                         0.00 milliseconds
Two-way delay min/avg/max:                      0.00/0.00/0.00 milliseconds
Duplicate packets:                              0
Out of sequence packets in forward direction:   0
Out of sequence packets in reverse direction:   0
esr#
esr# show track 1
Track 1:
    State:           Down
    Changes count:   14 (last 7 seconds)
    Mode:            And
    Delay up:        0s
    Delay down:      0s
    Conditions:
        Type  ID     State  Mode          Last time change           VRF
        ----  -----  -----  ------------  -------------------------  --------------------------------
        SLA   1      False  State         7 seconds                  --
    Actions:
        Interfaces:
            Gigabitethernet 1/0/2: Up
        Static routes:
            203.0.113.1/32 via 192.0.2.2: Not installed
esr#
esr# show ip route
Codes: C - connected, S - static, R - RIP derived, O - OSPF derived,
       IA - OSPF inter area route, E1 - OSPF external type 1 route,
       E2 - OSPF external type 2 route
       B - BGP derived, D - DHCP derived, K - kernel route, V - VRRP route
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - FIB route

C *  198.51.100.0/30   [0/0] dev gi1/0/2                   [direct 17:06:21]
C *  192.0.2.0/30      [0/0] dev gi1/0/1                   [direct 11:40:41]
C *  192.168.10.0/24   [0/0] dev gi1/0/3                   [direct 11:40:43]
S *  203.0.113.1/32    [1/2] via 198.51.100.2 on gi1/0/2   [static 17:06:21]
esr#
esr# show interfaces status
Interface             Admin  Link   MTU     MAC address         Last change                Mode
                      state  state
--------------------  -----  -----  ------  ------------------  -------------------------  ------------
gi1/0/1               Up     Up     1500    a8:f9:4b:ab:d5:66   5 hours, 35 minutes and    routerport
                                                                14 seconds
gi1/0/2               Up     Up     1500    a8:f9:4b:ab:d5:67   58 seconds                 routerport
gi1/0/3               Up     Up     1500    a8:f9:4b:ab:d5:68   5 hours, 26 minutes and    routerport
                                                                35 seconds
gi1/0/4               Up     Down   1500    a8:f9:4b:ab:d5:69   5 hours, 36 minutes and    routerport
                                                                17 seconds
esr# show security ipsec vpn status ipsec_vpn
Currently active IKE SA:
    Name:                     ipsec_vpn
    State:                    Established
    Version:                  v2-only
    Unique ID:                2
    Local host:               198.51.100.1
    Remote host:              203.0.113.1
    Role:                     Initiator
    Initiator spi:            0xa2b6970f4f1e381a
    Responder spi:            0x41cd6a54e8b67b63
    Encryption algorithm:     aes128
    Authentication algorithm: sha2-256
    Diffie-Hellman group:     2
    Established:              2 hours, 28 minutes and 49 seconds ago
    Rekey time:               2 hours, 28 minutes and 49 seconds
    Reauthentication time:    9 minutes and 22 seconds
    Child IPsec SAs:
        Name:                     ipsec_vpn-9
        State:                    Installed
        Protocol:                 esp
        Mode:                     Tunnel
        Encryption algorithm:     aes128
        Authentication algorithm: sha2-256
        Rekey time:               26 minutes and 20 seconds
        Life time:                40 minutes and 4 seconds
        Established:              19 minutes and 56 seconds ago
        Traffic statistics:
            Input bytes:          2016084
            Output bytes:         2025492
            Input packets:        24001
            Output packets:       24113
-------------------------------------------------------------
3) When ip sla test 1 returns to the Successful status, the IPSec VPN (provided there is traffic in the tunnel) is re-established from IP address 192.0.2.1 effectively seamlessly.
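The diagnostics above are read by eye; the following Python script is an added example (not part of the ESR documentation or the vendor's tooling) that parses the same five show outputs and flags any indicator that disagrees with the ip sla test 1 status, which is exactly the picture points 1 to 3 describe. It assumes this page's addressing and that the outputs have been collected into a single text; the sample outputs inside it are constructed and abbreviated.

```python
import re

# Added example, not from the ESR documentation. For each ip sla test 1 status
# it lists what track 1, the admin state of gi1/0/2, the next hop of the static
# route to the IKE peer and the IKE SA "Local host" must show. The addresses are
# the ones used on this page; adjust them for another deployment.
EXPECTED = {
    "Successful": {"track": "Up", "gi2_admin": "Down", "nexthop": "192.0.2.2", "local": "192.0.2.1"},
    "Fail": {"track": "Down", "gi2_admin": "Up", "nexthop": "198.51.100.2", "local": "198.51.100.1"},
}

# One regex per indicator, keyed on the line formats of show ip sla test statistics,
# show track, show interfaces status, show ip route and show security ipsec vpn status.
PATTERNS = {
    "sla": r"Test status:\s*(\w+)",
    "track": r"Track 1:\s*State:\s*(\w+)",
    "gi2_admin": r"^gi1/0/2\s+(\w+)\s+\w+\s+\d+",
    "nexthop": r"^S\s+\*?\s*203\.0\.113\.1/32\s+\[\d+/\d+\]\s+via\s+(\S+)",
    "local": r"Local host:\s*(\S+)",
}

def parse_state(show_output):
    """Extract each indicator from concatenated show output (None if absent)."""
    found = {}
    for key, pattern in PATTERNS.items():
        m = re.search(pattern, show_output, re.M)
        found[key] = m.group(1) if m else None
    return found

def check_failover(show_output):
    """Return the indicators that disagree with the ip sla status; [] means consistent."""
    state = parse_state(show_output)
    want = EXPECTED.get(state["sla"])
    if want is None:
        return ["sla: unknown or missing test status %r" % (state["sla"],)]
    return ["%s: expected %r, got %r" % (k, v, state[k])
            for k, v in want.items() if state[k] != v]

# Constructed, abbreviated outputs in the format of the diagnostics section.
PRIMARY_OK = """Test status:        Successful
Track 1:
    State:          Up
gi1/0/2    Down   Down   1500   a8:f9:4b:ab:d5:67   7 seconds   routerport
S *  203.0.113.1/32  [1/0] via 192.0.2.2 on gi1/0/1  [static 13:57:14]
    Local host:     192.0.2.1
"""
# Primary link back (SLA Successful) but the IKE SA still bound to the ISP2
# address: the tunnel has not yet been re-established from 192.0.2.1.
STALE_SA = PRIMARY_OK.replace("192.0.2.1\n", "198.51.100.1\n")
```

`check_failover(PRIMARY_OK)` returns an empty list, while `check_failover(STALE_SA)` reports only the `local` mismatch, the case point 3 says should clear once traffic flows in the tunnel.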