This article covers IPsec VPN primary/backup link backup and traffic statistics.
Huawei firewalls, primary/backup link backup.

cd egress: 7.7.7.4, 8.8.8.8

bj egress: 6.6.6.254
cd side, 6.0 to 7.0 (192.168.6.0/24 to 192.168.7.0/24):

```
ip-link check enable
ip-link name TO-bj
 destination 6.6.6.254 interface GigabitEthernet 0/0/1 next-hop 7.7.7.1
 quit

ip route-static 192.168.7.0 255.255.255.0 7.7.7.1 preference 10 track ip-link TO-bj
ip route-static 192.168.7.0 255.255.255.0 8.8.8.1 preference 20
ip route-static 6.6.6.254 255.255.255.255 7.7.7.1 preference 10 track ip-link TO-bj
ip route-static 6.6.6.254 255.255.255.255 8.8.8.1 preference 20

acl 3101
 rule 5 permit ip source 192.168.6.0 0.0.0.255 destination 192.168.7.0 0.0.0.255
 quit

ipsec proposal tran-bj
 encapsulation-mode tunnel
 transform esp
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
 quit

ike proposal 10
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
 quit

ike peer bj
 ike-proposal 10
 pre-shared-key alsjdflajsld
 remote-address 6.6.6.254
 quit

ipsec policy ipsec-CD-BJ 10 isakmp
 security acl 3101
 proposal tran-bj
 ike-peer bj
 quit
ipsec policy ipsec-CD-BJ1 10 isakmp
 security acl 3101
 proposal tran-bj
 ike-peer bj
 quit

interface GigabitEthernet 0/0/1
 ipsec policy ipsec-CD-BJ
interface GigabitEthernet 0/0/3
 ipsec policy ipsec-CD-BJ1
```

Branch:

```
[FW_B] interface tunnel 1
[FW_B-Tunnel1] ip address unnumbered interface GigabitEthernet 0/0/1
[FW_B-Tunnel1] tunnel-protocol ipsec
[FW_B-Tunnel1] quit
[FW_B] interface tunnel 2
[FW_B-Tunnel2] ip address unnumbered interface GigabitEthernet 0/0/1
[FW_B-Tunnel2] tunnel-protocol ipsec
[FW_B-Tunnel2] quit
[FW_B] firewall zone untrust
[FW_B-zone-untrust] add interface GigabitEthernet 0/0/1
[FW_B-zone-untrust] add interface Tunnel 1
[FW_B-zone-untrust] add interface Tunnel 2
```

```
ip-link check enable
ip-link name To-cd
 destination 7.7.7.4 interface GigabitEthernet 0/0/1 next-hop 6.6.6.253
 quit

ip route-static 192.168.6.0 24 Tunnel 1 preference 10 track ip-link To-cd
ip route-static 192.168.6.0 24 Tunnel 2 preference 20
ip route-static 7.7.7.4 32 6.6.6.253
ip route-static 8.8.8.8 32 6.6.6.253

acl 3101
 rule 5 permit ip source 192.168.7.0 0.0.0.255 destination 192.168.6.0 0.0.0.255
 quit

ipsec proposal tran-cd
 encapsulation-mode tunnel
 transform esp
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
 quit

ike proposal 10
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
 quit

ike peer cd1
 ike-proposal 10
 pre-shared-key asdfasfaasd
 remote-address 7.7.7.4
 quit
ike peer cd2
 ike-proposal 10
 pre-shared-key asdfasdfasdf
 remote-address 8.8.8.8
 quit

ipsec policy BJ-CD 10 isakmp
 security acl 3101
 proposal tran-cd
 ike-peer cd1
 quit
ipsec policy BJ-CD1 10 isakmp
 security acl 3101
 proposal tran-cd
 ike-peer cd2
 quit

interface Tunnel 1
 ipsec policy BJ-CD
interface Tunnel 2
 ipsec policy BJ-CD1
```

The `pre-shared-key` values shown are placeholders and differ between the two ends; in a real deployment the key configured on an `ike peer` must be the same as the key configured for it on the other end.

Notes:
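The branch can use tunnel-interface mode, or it can establish a separate VPN connection directly with headquarters over each link.

The branch and headquarters establish multiple IPsec tunnels, and routing is linked to NQA or ip-link probes so that routes switch over on failure, which gives automatic failover between the VPN tunnels.

Display the IPsec SAs for a policy: `dis ipsec sa policy policyname sequence-number`

e.g. `dis ipsec sa policy ipsec441953 2`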
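An added example (not from the original article or from Huawei): a Python check that the two ends of a tunnel like the one above agree on what IKE/IPsec negotiation needs, namely matching proposal algorithms, mirrored ACL flows and the same pre-shared key on each peer pair. The function names, the one-space-indented config layout and the placeholder keys are assumptions made for the example, and the proposal comparison is deliberately strict (it expects identical command sets).

```python
import re

def parse(cfg):
    """Split indented CLI text into {view header: [commands in that view]}."""
    views, cur = {}, None
    for raw in cfg.splitlines():
        if raw.strip() in ("", "quit"):
            continue
        if not raw.startswith(" "):        # unindented line opens a new view
            cur = views.setdefault(raw.strip(), [])
        elif cur is not None:
            cur.append(raw.strip())
    return views

def peers(views):
    """Return {remote-address: pre-shared-key} for every 'ike peer' view."""
    out = {}
    for hdr, cmds in views.items():
        kv = dict(c.split(None, 1) for c in cmds if " " in c)
        if hdr.startswith("ike peer ") and "remote-address" in kv:
            out[kv["remote-address"]] = kv.get("pre-shared-key")
    return out

def flows(views):
    """Return {(source, destination)} taken from every ACL rule."""
    pat = re.compile(r"source (\S+ \S+) destination (\S+ \S+)")
    return {m.groups() for h, c in views.items() if h.startswith("acl ")
            for r in c if (m := pat.search(r))}

def check(a_cfg, b_cfg, a_ips, b_ips):
    """List mismatches that would stop IKE/IPsec negotiation between A and B."""
    a, b, issues = parse(a_cfg), parse(b_cfg), []
    for kind in ("ike proposal", "ipsec proposal"):
        pa, pb = ({frozenset(c) for h, c in v.items() if h.startswith(kind)} for v in (a, b))
        if pa != pb:
            issues.append(f"{kind}: algorithms differ")
    if {(d, s) for s, d in flows(a)} != flows(b):
        issues.append("acl: protected flows are not mirrored")
    ka, kb = peers(a), peers(b)            # keys indexed by the peer's address
    issues += [f"psk: {x} <-> {y} keys differ" for x in a_ips for y in b_ips
               if ka.get(y) and kb.get(x) and ka[y] != kb[x]]
    return issues

def sample(src, dst, peer_ip, key):        # constructed config text, not the page's
    return (f"acl 3101\n rule 5 permit ip source {src} 0.0.0.255 destination {dst} 0.0.0.255\n"
            f"ike proposal 10\n encryption-algorithm aes-256\n dh group14\n quit\n"
            f"ike peer p\n pre-shared-key {key}\n remote-address {peer_ip}\n")
CD = sample("192.168.6.0", "192.168.7.0", "6.6.6.254", "PLACEHOLDER-KEY-A")
BJ = sample("192.168.7.0", "192.168.6.0", "7.7.7.4", "PLACEHOLDER-KEY-B")
```

Calling `check(CD, BJ, ["7.7.7.4"], ["6.6.6.254"])` reports the key mismatch between the two constructed ends; the last two arguments are each side's own public addresses.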