Redundancy VPN

Posted on 2008-6-26 05:21:49
Redundancy VPN



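R2 and R3 present the external address 123.0.0.23 through an HSRP group; R4's LP0 interface simulates the LAN behind them.

R2 is the VPN termination point (while R2 is in the active state); the encryption/decryption point is R2's outside interface, and the communication endpoint is R4's inside interface.


Routes R1 needs: a public route to R2, and a route to 192.168.4.0.

Routes R2 needs: a public route to R1, a route to 192.168.4.0, and a route to 192.168.1.0.

Routes R4 needs: a route to 192.168.1.0.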



R2:

int e 0/0.123

standby 1 ip 123.0.0.23

standby 1 preempt

standby 1 priority 105

standby 1 name HSRP

standby 1 track e 0/0.234


R3

int e 0/0.123

standby 1 ip 123.0.0.23

standby 1 preempt

standby 1 name HSRP

standby 1 track e 0/0.234


Configure a static route on R1; R1 can also use reverse route injection.

R1

ip route 192.168.4.0 255.255.255.0 123.0.0.23


OSPF

R2/R3

router ospf 110

net 192.168.234.0 0.0.0.255 a 0


R4:

router ospf 110

net 192.168.234.0 0.0.0.255 a 0

net 192.168.4.0 0.0.0.255 a 0


VPN

R2/R3

crypto keyring KEYRING


pre-shared-key address 123.0.0.1 key cisco


crypto isakmp profile HSRP


keyring KEYRING


match identity address 123.0.0.1 255.255.255.255


crypto isakmp policy 10


encr 3des


hash md5


authentication pre-share


group 2


crypto ipsec transform-set MYSET esp-3des esp-md5-hmac


ip access-list extended VPN


permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255


crypto map MYMAP 10 ipsec-isakmp


set peer 123.0.0.1


set transform-set MYSET


set pfs group1


set isakmp-profile HSRP


match address VPN


reverse-route

Original poster | Posted on 2008-6-26 05:22:06
interface Ethernet0/0.123

crypto map MYMAP redundancy HSRP  (meaning: whichever router is HSRP active performs the reverse route injection)


R2/R3:

router ospf 110

redistribute static subnets route-map S2O     (normally a route map is attached so that only the required static routes are redistributed)



route-map S2O

match ip add S2O



ip access-list stand S2O

permit 192.168.1.0



Configure keepalive:

R1/R2/R3:

crypto isakmp keepalive 10



R1:

crypto keyring KEYRING

  pre-shared-key address 123.0.0.23 key cisco



crypto isakmp profile HSRP

   keyring KEYRING

   match identity address 123.0.0.23 255.255.255.255



crypto isakmp policy 10

encr 3des

hash md5

authentication pre-share

group 2



crypto ipsec transform-set MYSET esp-3des esp-md5-hmac



crypto map MYMAP 10 ipsec-isakmp

set peer 123.0.0.23

set transform-set MYSET

set pfs group1

set isakmp-profile HSRP

match address VPN

reverse-route



ip access-list extended VPN

permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255



interface Ethernet0/0

crypto map MYMAP
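
An audit sketch for the configuration posted in this thread, added here as an example and not part of the original posts: it flags the legacy crypto settings that appear in the config (3DES, MD5, DH groups 1 and 2, a well-known pre-shared key) and checks that the name after `crypto map ... redundancy` matches a `standby ... name` on the same interface. The names `audit`, `WEAK` and `SAMPLE_R2` are hypothetical, the list of weak settings is this example's own choice, and the sample is constructed from the thread's R2 lines, indented the way `show running-config` prints sub-commands.

```python
import re

# Constructed sample: R2's relevant lines from this thread, indented as in show running-config.
SAMPLE_R2 = """\
interface Ethernet0/0.123
 standby 1 name HSRP
 crypto map MYMAP redundancy HSRP
crypto keyring KEYRING
 pre-shared-key address 123.0.0.1 key cisco
crypto isakmp policy 10
 encr 3des
 hash md5
 group 2
crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
crypto map MYMAP 10 ipsec-isakmp
 set pfs group1
"""

# Regex -> finding. Which settings count as weak is an assumption of this example.
WEAK = [
    (r"^\s*encr(yption)?\s+(3des|des)\b", "IKE policy uses DES/3DES"),
    (r"^\s*hash\s+md5\b", "IKE policy uses MD5"),
    (r"^\s*group\s+(1|2)\b", "IKE DH group 1/2"),
    (r"^\s*set pfs group(1|2)\b", "PFS DH group 1/2"),
    (r"transform-set\s+\S+.*\besp-(3des|des|md5-hmac)\b", "transform set uses DES/3DES/MD5"),
    (r"pre-shared-key .* key (cisco|password|123456)\s*$", "well-known pre-shared key"),
]

def audit(config):
    """Return a list of findings for one router's configuration text."""
    lines = config.splitlines()
    findings = [msg for rx, msg in WEAK if any(re.search(rx, ln) for ln in lines)]
    # Collect HSRP group names and crypto-map redundancy references per interface.
    iface, names, refs = None, {}, {}
    for ln in lines:
        if not ln.startswith(" "):
            m = re.match(r"interface\s+(\S+)", ln)
            iface = m.group(1) if m else None
            continue
        m = re.match(r"\s+standby\s+\d+\s+name\s+(\S+)", ln)
        if m and iface:
            names.setdefault(iface, set()).add(m.group(1))
        m = re.match(r"\s+crypto map\s+\S+\s+redundancy\s+(\S+)", ln)
        if m and iface:
            refs[iface] = m.group(1)
    for ifc, ref in refs.items():
        if ref not in names.get(ifc, set()):
            findings.append(f"{ifc}: redundancy group {ref} has no matching standby name")
    return findings
```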