组网是一台防火墙做出口,当前有两条进线,电信和联通都有公网ip,现在是做了策略路由,电信做主的,现在客户vpn访问需求,是设置电信上,客户想要实现冗余,当电信出现问题,能切换到联通。对端都是只有一个公网IP的。相当于两个公网ip对接一个公网ip,并且感兴趣流量一样。
要怎么实现?
(0)
(0)
对端是飞塔防火墙,当前是防火墙页面配置的ipsecvpn,不是gre over ipsec,这样要改的话,有什么思路吗?
F1与F2建立两条IPsec隧道,一条主用,一条备用,当主用隧道出现故障时,流量切换到备用隧道。
1.
interface GigabitEthernet0/0
ip address 100.100.100.1 255.255.255.0
#
interface GigabitEthernet0/1
ip address 150.150.150.1 255.255.255.0
#
interface GigabitEthernet0/2
ip address 200.200.200.1 255.255.255.0
2.
interface LoopBack0 # 配置作为建立GRE隧道源地址的环回口
ip address 192.168.1.1 255.255.255.255
#
interface LoopBack1 # 配置作为建立GRE隧道源地址的环回口
ip address 192.168.1.3 255.255.255.255
#
interface LoopBack10 # 配置作为内网地址的环回口
ip address 10.10.10.1 255.255.255.0
#
interface GigabitEthernet1/0/0 # 配置ISP1公网接口,调用IPSec策略
ip address 100.100.100.100 255.255.255.0
nat outbound name nat
ipsec apply policy ipsec-isp1
#
interface GigabitEthernet1/0/1 # 配置ISP2公网接口,调用IPSec策略
ip address 150.150.150.150 255.255.255.0
nat outbound name nat
ipsec apply policy ipsec-isp2
#
interface Tunnel1 mode gre # 配置GRE隧道1
ip address 192.168.2.1 255.255.255.252
source 192.168.1.1 # 源地址为lo 0地址
destination 192.168.1.2 # 目的地址为对端lo 0地址
keepalive 10 3 # 配置Keepalive检测GRE隧道是否正常通信
#
interface Tunnel2 mode gre # 配置GRE隧道2
ip address 192.168.2.5 255.255.255.252
source 192.168.1.3 # 源地址为lo 1地址
destination 192.168.1.4 # 目的地址为对端lo 1地址
keepalive 10 3
#
policy-based-route ipsec permit node 10 # 配置PBR,匹配主用公网出口和对端建立ipsec的流量走主用出口
if-match acl 3500
apply next-hop 100.100.100.1
#
policy-based-route ipsec permit node 20 # 配置PBR,匹配备用公网出口和对端建立ipsec的流量走备用出口
if-match acl 3501
apply next-hop 150.150.150.1
#
ip local policy-based-route ipsec # 本地调用策略路由,如果不配置这个,会导致备用出口的ipsec流量根据路由表走主用出口,从而导致ipsec协商失败。
#
security-zone name Trust # 将GRE隧道口与内网口加入Trust域
import interface LoopBack10
import interface Tunnel1
import interface Tunnel2
#
security-zone name Untrust # 将公网口加入Untrust域
import interface GigabitEthernet1/0/0
import interface GigabitEthernet1/0/1
#
zone-pair security source Local destination Trust # 放通Local到Trust,用于业务网段互访,由于实验环境时环回口模拟内网网段,因此是Local到Trust而不是Trust到Trust
packet-filter 2000
#
zone-pair security source Local destination Untrust # 放通Local到Untrust,使GRE over IPSec隧道正常建立
packet-filter 2000
#
zone-pair security source Trust destination Local # 放通Trust到Local,用于业务网段互访,由于实验环境时环回口模拟内网网段,因此是Trust到Local而不是Trust到Trust
packet-filter 2000
#
zone-pair security source Trust destination Trust # 放通Trust到Trust,在真实的环境下配置实现业务网段互访
packet-filter 2000
#
zone-pair security source Untrust destination Local # 放通Untrust到Local,使GRE over IPSec隧道正常建立
packet-filter 2000
#
ip route-static 0.0.0.0 0 100.100.100.1 # 公网主用路由
ip route-static 0.0.0.0 0 150.150.150.1 preference 65 # 公网备份路由
ip route-static 10.20.20.0 24 192.168.2.2 # 业务互访走主用隧道
ip route-static 10.20.20.0 24 192.168.2.6 preference 65 # 业务网段备份路由
ip route-static 192.168.1.2 32 100.100.100.1 # GRE over IPsec隧道1走ISP1
ip route-static 192.168.1.4 32 150.150.150.1 # GRE over IPSec隧道2走ISP2,若没有此条路由,会因为接口地址与需协商的IPsec SA不一致导致无法正常协商IPSec SA
#
acl basic 2000 # 域间策略ACL
rule 0 permit
#
acl advance 3500 # PBR ACL1
rule 10 permit ip source 100.100.100.100 0 destination 200.200.200.200 0
#
acl advance 3501 # PBR ACL2
rule 10 permit ip source 150.150.150.150 0 destination 200.200.200.200 0
#
acl advanced name ipsec # IPSec ACL
rule 10 permit ip source 192.168.1.1 0 destination 192.168.1.2 0
rule 20 permit ip source 192.168.1.3 0 destination 192.168.1.4 0
#
acl advanced name nat # NAT ACL,拒绝IPSec流量
rule 10 deny ip source 192.168.1.1 0 destination 192.168.1.2 0
rule 20 deny ip source 192.168.1.3 0 destination 192.168.1.4 0
rule 30 permit ip
#
ipsec transform-set 1 # 配置IPSec转换集
esp encryption-algorithm aes-cbc-256
esp authentication-algorithm sha1
#
ipsec policy ipsec-isp1 10 isakmp # 配置ISP1的IPSec策略
transform-set 1
security acl name ipsec # 匹配GRE隧道流
local-address 100.100.100.100
remote-address 200.200.200.200 # policy必须配置remote-address,若采用policy-template则不是必选
ike-profile isp1
#
ipsec policy ipsec-isp2 10 isakmp # 配置ISP2的IPSec策略
transform-set 1
security acl name ipsec # 匹配GRE隧道流
local-address 150.150.150.150
remote-address 200.200.200.200
ike-profile isp2
#
ike profile isp1 # 配置ISP1的IKE策略集
keychain 1
local-identity address 100.100.100.100
match remote identity address 200.200.200.200 255.255.255.255
proposal 1
#
ike profile isp2 # 配置ISP2的IKE策略集
keychain 1
local-identity address 150.150.150.150
match remote identity address 200.200.200.200 255.255.255.255
proposal 1
#
ike proposal 1 # 配置IKE proposal
encryption-algorithm aes-cbc-256
dh group2
#
ike keychain 1 # 配置IKE密钥
pre-shared-key address 200.200.200.200 255.255.255.255 key simple ipsec
3.
interface LoopBack0 # 配置作为建立GRE隧道源地址的环回口
ip address 192.168.1.2 255.255.255.255
#
interface LoopBack1 # 配置作为建立GRE隧道源地址的环回口
ip address 192.168.1.4 255.255.255.255
#
interface LoopBack10 # 配置作为内网地址的环回口
ip address 10.20.10.1 255.255.255.0
#
interface GigabitEthernet1/0/0 # 配置公网接口,调用IPSec策略
ip address 200.200.200.200 255.255.255.0
nat outbound name nat
ipsec apply policy ipsec
#
interface Tunnel1 mode gre # 配置GRE隧道1
ip address 192.168.2.2 255.255.255.252
source 192.168.1.2
destination 192.168.1.1
keepalive 10 3
#
interface Tunnel2 mode gre # 配置GRE隧道2
ip address 192.168.2.6 255.255.255.252
source 192.168.1.4
destination 192.168.1.3
keepalive 10 3
#
security-zone name Trust # 将GRE隧道口与内网口加入Trust域
import interface LoopBack10
import interface Tunnel1
import interface Tunnel2
#
security-zone name Untrust # 将公网口加入Untrust域
import interface GigabitEthernet1/0/0
#
zone-pair security source Local destination Trust # 放通Local到Trust
packet-filter 2000
#
zone-pair security source Local destination Untrust # 放通Local到Untrust
packet-filter 2000
#
zone-pair security source Trust destination Local # 放通Trust到Local
packet-filter 2000
#
zone-pair security source Trust destination Trust # 放通Trust到Trust
packet-filter 2000
#
zone-pair security source Untrust destination Local # 放通Untrust到Local
packet-filter 2000
#
ip route-static 0.0.0.0 0 200.200.200.1 # 默认路由
ip route-static 10.20.10.0 24 192.168.2.1 # 业务互访走主用隧道
ip route-static 10.20.10.0 24 192.168.2.5 preference 65 # 业务网段备份路由
#
acl basic 2000 # 域间策略ACL
rule 0 permit
#
acl advanced name ipsec_to_isp1 # 前往ISP1的IPSec ACL
rule 10 permit ip source 192.168.1.2 0 destination 192.168.1.1 0
#
acl advanced name ipsec_to_isp2 # 前往ISP2的IPSec ACL
rule 10 permit ip source 192.168.1.4 0 destination 192.168.1.3 0
#
acl advanced name nat # NAT ACL
rule 10 deny ip source 192.168.1.2 0 destination 192.168.1.1 0
rule 20 deny ip source 192.168.1.4 0 destination 192.168.1.3 0
rule 30 permit ip
#
ipsec transform-set 1 # 配置IPSec转换集
esp encryption-algorithm aes-cbc-256
esp authentication-algorithm sha1
#
ipsec policy ipsec 10 isakmp # 配置前往ISP1的IPSec策略
transform-set 1
security acl name ipsec_to_isp1
local-address 200.200.200.200
remote-address 100.100.100.100
ike-profile to_isp1
#
ipsec policy ipsec 20 isakmp # 配置前往ISP2的IPSec策略
transform-set 1
security acl name ipsec_to_isp2
local-address 200.200.200.200
remote-address 150.150.150.150
ike-profile to_isp2
#
ike profile to_isp1 # 配置前往ISP1的IKE策略集
keychain to_isp1
local-identity address 200.200.200.200
match remote identity address 100.100.100.100 255.255.255.255
proposal 1
#
ike profile to_isp2 # 配置前往ISP2的IKE策略集
keychain to_isp2
local-identity address 200.200.200.200
match remote identity address 150.150.150.150 255.255.255.255
proposal 1
#
ike proposal 1 # 配置IKE proposal
encryption-algorithm aes-cbc-256
dh group2
#
ike keychain to_isp1 # 配置前往ISP1的IKE密钥
pre-shared-key address 100.100.100.100 255.255.255.255 key simple ipsec
#
ike keychain to_isp2 # 配置前往ISP2的IKE密钥
pre-shared-key address 150.150.150.150 255.255.255.255 key simple ipsec
1.
2.
3.
(0)
在路由层面实现,先把先把两个出口都建立ipsec,然后再内网使用浮动路由指向隧道
(0)
两个感兴趣流量一样可以吗?
两个感兴趣流量一样可以吗?
亲~登录后才可以操作哦!
确定你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作
举报
×
侵犯我的权益
×
侵犯了我企业的权益
×
抄袭了我的内容
×
原文链接或出处
诽谤我
×
对根叔社区有害的内容
×
不规范转载
×
举报说明
对端是飞塔防火墙,当前是防火墙页面配置的ipsecvpn,不是gre over ipsec,这样要改的话,有什么思路吗?