Резервирование Route-based IPsec VPN туннелей в схеме с VRRP (с версии 1.18.1)

ESR-MASTER# show running-config 
hostname ESR-MASTER

router ospf log-adjacency-changes
router ospf 1
  router-id 192.0.2.2
  area 0.0.0.0
    network 192.0.2.128/25
    enable
  exit
  enable
exit

interface gigabitethernet 1/0/1
  ip firewall disable
  ip address 198.51.100.1/30
  vrrp id 1
  vrrp ip 203.0.113.6/30
  vrrp priority 110
  vrrp group 1
  vrrp
exit
interface gigabitethernet 1/0/2
  ip firewall disable
  ip address 192.0.2.130/25
  vrrp id 2
  vrrp ip 192.0.2.129/25
  vrrp priority 110
  vrrp group 1
  vrrp
exit
tunnel vti 1
  ip firewall disable
  local address 203.0.113.6
  remote address 203.0.113.2
  ip address 192.0.2.2/30
  ip ospf instance 1
  ip ospf
  enable
exit

security ike proposal IKE_PROPOSAL
  encryption algorithm aes128
  dh-group 2
exit

security ike policy IKE_POLICY
  pre-shared-key ascii-text encrypted 8CB5107EA7005AFF
  proposal IKE_PROPOSAL
exit

security ike gateway IKE_GATEWAY
  ike-policy IKE_POLICY
  mode route-based
  bind-interface vti 1
  dead-peer-detection action clear
exit

security ipsec proposal IPSEC_PROPOSAL
  encryption algorithm aes128
exit

security ipsec policy IPSEC_POLICY
  proposal IPSEC_PROPOSAL
exit

security ipsec vpn IPSEC_VPN_POLICY_BASED
  mode ike
  ike establish-tunnel route
  ike gateway IKE_GATEWAY
  ike ipsec-policy IPSEC_POLICY
  enable
exit

ip route 0.0.0.0/0 203.0.113.5

ESR-BACKUP# show running-config 
hostname ESR-BACKUP

router ospf log-adjacency-changes
router ospf 1
  router-id 1.1.1.2
  area 0.0.0.0
    network 192.0.2.128/25
    enable
  exit
  enable
exit

interface gigabitethernet 1/0/1
  ip firewall disable
  ip address 198.51.100.2/30
  vrrp id 1
  vrrp ip 203.0.113.6/30
  vrrp priority 90
  vrrp group 1
  vrrp
exit
interface gigabitethernet 1/0/2
  ip firewall disable
  ip address 192.0.2.131/25
  vrrp id 2
  vrrp ip 192.0.2.129/25
  vrrp priority 90
  vrrp group 1
  vrrp
exit
tunnel vti 1
  ip firewall disable
  local address 203.0.113.6
  remote address 203.0.113.2
  ip address 192.0.2.2/30
  ip ospf instance 1
  ip ospf
  enable
exit

security ike proposal IKE_PROPOSAL
  encryption algorithm aes128
  dh-group 2
exit

security ike policy IKE_POLICY
  pre-shared-key ascii-text encrypted 8CB5107EA7005AFF
  proposal IKE_PROPOSAL
exit

security ike gateway IKE_GATEWAY
  ike-policy IKE_POLICY
  mode route-based
  bind-interface vti 1
  dead-peer-detection action clear
exit

security ipsec proposal IPSEC_PROPOSAL
  encryption algorithm aes128
exit

security ipsec policy IPSEC_POLICY
  proposal IPSEC_PROPOSAL
exit

security ipsec vpn IPSEC_VPN_POLICY_BASED
  mode ike
  ike establish-tunnel route
  ike gateway IKE_GATEWAY
  ike ipsec-policy IPSEC_POLICY
  enable
exit

ip route 0.0.0.0/0 203.0.113.5

ESR-VPN-HOST# show running-config 
hostname ESR-VPN-HOST

router ospf log-adjacency-changes
router ospf 1
  router-id 192.0.2.1
  area 0.0.0.0
    enable
  exit
  enable
exit

interface gigabitethernet 1/0/1
  ip firewall disable
  ip address 203.0.113.2/30
exit

tunnel vti 1
  ip firewall disable
  local address 203.0.113.2
  remote address 203.0.113.6
  ip address 192.0.2.1/30
  ip ospf instance 1
  ip ospf
  enable
exit

security ike proposal IKE_PRO
  encryption algorithm aes128
  dh-group 2
exit

security ike policy IKE_POLICY
  pre-shared-key ascii-text encrypted 8CB5107EA7005AFF
  proposal IKE_PRO
exit

security ike gateway IKE_GATEWAY
  ike-policy IKE_POLICY
  mode route-based
  bind-interface vti 1
  dead-peer-detection action clear
exit

security ipsec proposal IPSEC_PROPOSAL
  encryption algorithm aes128
exit

security ipsec policy IPSEC_POLICY
  proposal IPSEC_PROPOSAL
exit

security ipsec vpn IPSEC_VPN_POLICY_BASED
  mode ike
  ike establish-tunnel route
  ike gateway IKE_GATEWAY
  ike ipsec-policy IPSEC_POLICY
  enable
exit

ESR-MASTER# show vrrp 
Virtual router   Virtual IP                          Priority   Preemption   State    
--------------   ---------------------------------   --------   ----------   ------   
1                203.0.113.6/30                      110        Enabled      Master   
2                192.0.2.129/25                      110        Enabled      Master  

ESR-MASTER# ping 192.0.2.1
PING 192.0.2.1 (192.0.2.1) 56 bytes of data.
!!!!!
--- 192.0.2.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4007ms
rtt min/avg/max/mdev = 0.574/0.644/0.766/0.069 ms

ESR-MASTER# show security ipsec vpn status 
Name                              Local host        Remote host       Initiator spi        Responder spi        State         
-------------------------------   ---------------   ---------------   ------------------   ------------------   -----------   
IPSEC_VPN_POLICY_BASED            203.0.113.6       203.0.113.2       0xd30deda1d911fdf5   0x1d0638c3bfdfb428   Established

ESR-MASTER# show ip ospf neighbors 
Router ID        Pri  State          DTime  Interface          Router IP
---------        ---  -----          -----  -----------------  ---------
192.0.2.1          128  Full/BDR       00:34  vti1               192.0.2.1

ESR-VPN-HOST# show security ipsec vpn status 
Name                              Local host        Remote host       Initiator spi        Responder spi        State         
-------------------------------   ---------------   ---------------   ------------------   ------------------   -----------   
IPSEC_VPN_POLICY_BASED              203.0.113.2       203.0.113.6       0xd30deda1d911fdf5   0x1d0638c3bfdfb428   Established   

ESR-VPN-HOST# show ip ospf neighbors 
Router ID        Pri  State          DTime  Interface          Router IP
---------        ---  -----          -----  -----------------  ---------
192.0.2.2        128  Full/DR        00:39  vti1               192.0.2.2

ESR-VPN-HOST# show ip route ospf 
O       192.0.2.0/30       [150/10]          dev vti1                          [ospf1 21:17:43]  (192.0.2.2)
O E2  * 192.0.2.128/25     [150/10/10000]    via 192.0.2.2 on vti1             [ospf1 21:17:47]  (192.0.2.2)

ESR-VPN-HOST# ping 192.0.2.2
PING 192.0.2.2 (192.0.2.2) 56 bytes of data.
!!!!!
--- 192.0.2.2 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4006ms
rtt min/avg/max/mdev = 0.597/0.647/0.717/0.050 ms

ESR-VPN-HOST# ping 192.0.2.129
PING 192.0.2.129 (192.0.2.129) 56 bytes of data.
!!!!!
--- 192.0.2.129 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4006ms
rtt min/avg/max/mdev = 0.604/0.638/0.689/0.030 ms

2023-03-06T05:47:57+00:00 %LINK-W-DOWN: gigabitethernet 1/0/1 changed state to down
2023-03-06T05:47:58+00:00 %LINK-W-DOWN: interface vrrp.1 changed state to down
2023-03-06T05:47:58+00:00 %VRRP-I-INSTANCE: VRRP1 Entering FAULT state
2023-03-06T05:47:58+00:00 %VRRP-I-INSTANCE: VRRP1 Now in FAULT state
2023-03-06T05:47:58+00:00 %VRRP-I-GROUP: GROUP1 Syncing instances to FAULT state
2023-03-06T05:47:58+00:00 %VRRP-I-INSTANCE: VRRP2 Entering FAULT state
2023-03-06T05:47:58+00:00 %VRRP-I-INSTANCE: VRRP2 Now in FAULT state

2023-03-06T05:48:30+00:00 %OSPF-W-NEIG: OSPF 1 routing: Neighbor 192.0.2.1 on vti1 changed state from Full to Down
2023-03-06T05:48:30+00:00 %OSPF-W-NEIG: OSPF 1 routing: Neighbor 192.0.2.1 on vti1 removed
ESR-MASTER# show vrrp 
Virtual router   Virtual IP                          Priority   Preemption   State    
--------------   ---------------------------------   --------   ----------   ------   
1                203.0.113.6/30                      110        Enabled      Fault    
2                192.0.2.129/25                      110        Enabled      Fault 
ESR-MASTER# show security ipsec vpn status 
Name                              Local host        Remote host       Initiator spi        Responder spi        State         
-------------------------------   ---------------   ---------------   ------------------   ------------------   -----------   
IPSEC_VPN_POLICY_BASED            203.0.113.6       203.0.113.2       0x015d1c301753fc40   0x0000000000000000   Connecting 

2023-03-06T09:38:53+00:00 %VRRP-I-INSTANCE: VRRP2 Transition to MASTER state
2023-03-06T09:38:53+00:00 %VRRP-I-GROUP: GROUP1 Syncing instances to MASTER state
2023-03-06T09:38:53+00:00 %VRRP-I-INSTANCE: VRRP1 Transition to MASTER state
2023-03-06T09:38:54+00:00 %VRRP-I-INSTANCE: VRRP2 Entering MASTER state
2023-03-06T09:38:56+00:00 %VRRP-I-INSTANCE: VRRP1 Entering MASTER state
2023-03-06T09:39:05+00:00 %OSPF-W-NEIG: OSPF 1 routing: Neighbor 192.0.2.1 on vti1 changed state from Down to Init
2023-03-06T09:39:14+00:00 %OSPF-W-NEIG: OSPF 1 routing: Neighbor 192.0.2.1 on vti1 changed state from Init to 2-Way
2023-03-06T09:39:14+00:00 %OSPF-W-NEIG: OSPF 1 routing: Neighbor 192.0.2.1 on vti1 changed state from 2-Way to ExStart
2023-03-06T09:39:14+00:00 %OSPF-W-NEIG: OSPF 1 routing: Neighbor 192.0.2.1 on vti1 changed state from ExStart to Exchange
2023-03-06T09:39:14+00:00 %OSPF-W-NEIG: OSPF 1 routing: Neighbor 192.0.2.1 on vti1 changed state from Exchange to Loading
2023-03-06T09:39:14+00:00 %OSPF-W-NEIG: OSPF 1 routing: Neighbor 192.0.2.1 on vti1 changed state from Loading to Full

ESR-BACKUP# show vrrp 
Virtual router   Virtual IP                          Priority   Preemption   State    
--------------   ---------------------------------   --------   ----------   ------   
1                203.0.113.6/30                      90         Enabled      Master   
2                192.0.2.129/25                      90         Enabled      Master   

ESR-BACKUP# show security ipsec vpn status 
Name                              Local host        Remote host       Initiator spi        Responder spi        State         
-------------------------------   ---------------   ---------------   ------------------   ------------------   -----------   
IPSEC_VPN_POLICY_BASED              203.0.113.6       203.0.113.2       0x2cc815aa4bfac1f7   0xf4a28e0caeab5fb8   Established   

ESR-BACKUP# show ip ospf neighbors 
Router ID        Pri  State          DTime  Interface          Router IP
---------        ---  -----          -----  -----------------  ---------
192.0.2.1        128  Full/DR        00:37  vti1               192.0.2.1

ESR-BACKUP# ping 192.0.2.1
PING 192.0.2.1 (192.0.2.1) 56 bytes of data.
!!!!!
--- 192.0.2.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4007ms
rtt min/avg/max/mdev = 0.554/0.608/0.740/0.075 ms

2090-11-25T21:23:11+00:00 %OSPF-W-NEIG: OSPF 1 routing: Neighbor 192.0.2.2 on vti1 changed state from Full to Down
2090-11-25T21:23:11+00:00 %OSPF-W-NEIG: OSPF 1 routing: Neighbor 192.0.2.2 on vti1 removed
2090-11-25T21:23:11+00:00 %OSPF-W-NEIG: OSPF 1 routing: Neighbor 192.0.2.2 on vti1 changed state from Down to Init
2090-11-25T21:23:11+00:00 %OSPF-W-NEIG: OSPF 1 routing: Neighbor 192.0.2.2 on vti1 changed state from Init to 2-Way
2090-11-25T21:23:11+00:00 %OSPF-W-NEIG: OSPF 1 routing: Neighbor 192.0.2.2 on vti1 changed state from 2-Way to ExStart
2090-11-25T21:23:11+00:00 %OSPF-W-NEIG: OSPF 1 routing: Neighbor 192.0.2.2 on vti1 changed state from ExStart to Exchange
2090-11-25T21:23:11+00:00 %OSPF-W-NEIG: OSPF 1 routing: Neighbor 192.0.2.2 on vti1 changed state from Exchange to Loading
2090-11-25T21:23:11+00:00 %OSPF-W-NEIG: OSPF 1 routing: Neighbor 192.0.2.2 on vti1 changed state from Loading to Full

ESR-VPN-HOST# show security ipsec vpn status 
Name                              Local host        Remote host       Initiator spi        Responder spi        State         
-------------------------------   ---------------   ---------------   ------------------   ------------------   -----------   
IPS_VPN_POLICY_BASED              203.0.113.2       203.0.113.6       0x2cc815aa4bfac1f7   0xf4a28e0caeab5fb8   Established   

ESR-VPN-HOST# show ip ospf neighbors 
Router ID        Pri  State          DTime  Interface          Router IP
---------        ---  -----          -----  -----------------  ---------
1.1.1.2          128  Full/BDR       00:34  vti1               192.0.2.2

ESR-VPN-HOST# show ip route ospf 
O       192.0.2.0/30       [150/10]          dev vti1                          [ospf1 21:23:12]  (192.0.2.1)
O E2  * 192.0.2.128/25     [150/10/10000]    via 192.0.2.2 on vti1             [ospf1 21:23:19]  (1.1.1.2)

ESR-VPN-HOST# ping 192.0.2.2
PING 192.0.2.2 (192.0.2.2) 56 bytes of data.
!!!!!
--- 192.0.2.2 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4006ms
rtt min/avg/max/mdev = 0.549/0.633/0.688/0.053 ms

ESR-VPN-HOST# ping 192.0.2.129
PING 192.0.2.129 (192.0.2.129) 56 bytes of data.
!!!!!
--- 192.0.2.129 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4006ms
rtt min/avg/max/mdev = 0.623/0.653/0.694/0.037 ms