Saturday, November 12, 2011

Cisco IOS IPsec Redundancy with HSRP

In this configuration example we will provide Cisco IOS IPsec redundancy with HSRP: R1 and R2 form an HSRP pair, and the crypto map is bound to the HSRP group so that the IKE and IPsec SAs are built on the virtual IP 192.168.1.10 rather than on either router's own address. R3 therefore peers with a single address whichever router happens to be active.

When all links are up, the IPsec tunnelled traffic passes through R1 and R3. When a problem occurs on either link of R1, traffic passes through R2 and R3. Each of R1's interfaces tracks the other one and decrements its HSRP priority on failure (150-60 on the outside, 110-20 on the inside, both below R2's default priority of 100), so the inside and outside virtual IPs always move to R2 together; if only one side moved, decrypted traffic would arrive on one router while the return path sat on the other. The failover is stateless: no SA state is replicated to R2, so after a switchover R3 must renegotiate with the new active router, which is what the crypto isakmp keepalive (DPD) and crypto isakmp invalid-spi-recovery commands are there for. The 3DES/MD5/DH group 2 suite used below is kept as in the original lab; it is a legacy suite today and should be replaced with AES, SHA-2 and a DH group of 2048 bits or more in production.

Here is the topology for this example:



Configuration of R1:

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 192.168.1.3
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set testset esp-3des esp-md5-hmac
!
crypto map testmap 10 ipsec-isakmp
 set peer 192.168.1.3
 set transform-set testset
 match address 101
 reverse-route
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 standby 1 ip 192.168.1.10
 standby 1 priority 150
 standby 1 preempt
 standby 1 name vpntest
 standby 1 track FastEthernet0/1 60
 crypto map testmap redundancy vpntest
!
interface FastEthernet0/1
 ip address 10.10.10.1 255.255.255.0
 standby 1 ip 10.10.10.10
 standby 1 priority 110
 standby 1 preempt
 standby 1 track FastEthernet0/0 20

access-list 101 permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255

Configuration of R2:

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 192.168.1.3
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set testset esp-3des esp-md5-hmac
!
crypto map testmap 10 ipsec-isakmp
 set peer 192.168.1.3
 set transform-set testset
 match address 101
 reverse-route
!       
interface FastEthernet0/0
 ip address 192.168.1.2 255.255.255.0
 standby 1 ip 192.168.1.10
 standby 1 preempt
 standby 1 name vpntest
 crypto map testmap redundancy vpntest
!        
interface FastEthernet0/1
 ip address 10.10.10.2 255.255.255.0
 standby 1 ip 10.10.10.10
 standby 1 preempt

access-list 101 permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255

Configuration of R3:

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 192.168.1.10
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set testset esp-3des esp-md5-hmac
!
crypto map testmap 10 ipsec-isakmp
 set peer 192.168.1.10
 set transform-set testset
 match address 101
 reverse-route
!
interface FastEthernet0/0
 ip address 192.168.1.3 255.255.255.0
 crypto map testmap
!
interface FastEthernet0/1
 ip address 20.20.20.3 255.255.255.0

access-list 101 permit ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
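To check that the three configurations actually fit together, here is an added example (editor's code, not from the post) that takes the relevant lines copied from the R1, R2 and R3 fragments above, verifies that R1 and R2 peer with R3's real address while R3 peers only with the HSRP virtual IP, verifies that the crypto map on the pair is applied with the standby group's own name, and flags the legacy algorithms. The WEAK table with its suggested replacements, and the R3_BAD variant in which R3 peers with R1's physical address, are the editor's assumptions and are not on the page.

```python
"""Consistency and algorithm audit of the three configurations above.

Added example, not part of the original post.  The fragments are the relevant
lines copied from R1, R2 and R3 on this page; the ISAKMP policy and transform
set are identical on all three and are held once.  The WEAK table follows
Cisco's Next Generation Encryption guidance, which classes DES, 3DES, MD5,
SHA-1 and DH groups 1, 2 and 5 as legacy or to be avoided; the replacements
in it are the editor's suggestions, not the post's.
"""
import re

CRYPTO_SUITE = """\
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto ipsec transform-set testset esp-3des esp-md5-hmac
"""

R1 = """\
crypto isakmp key cisco123 address 192.168.1.3
crypto map testmap 10 ipsec-isakmp
 set peer 192.168.1.3
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 standby 1 ip 192.168.1.10
 standby 1 name vpntest
 crypto map testmap redundancy vpntest
"""
# For these lines R2 differs from R1 only in the interface's own address.
R2 = R1.replace("192.168.1.1 ", "192.168.1.2 ")
R3 = """\
crypto isakmp key cisco123 address 192.168.1.10
crypto map testmap 10 ipsec-isakmp
 set peer 192.168.1.10
interface FastEthernet0/0
 ip address 192.168.1.3 255.255.255.0
 crypto map testmap
"""

WEAK = {
    "encr": {"des": "aes 256", "3des": "aes 256"},
    "hash": {"md5": "sha256", "sha": "sha256"},
    "group": {"1": "14 or larger", "2": "14 or larger", "5": "14 or larger"},
    "transform": {"esp-des": "esp-aes 256", "esp-3des": "esp-aes 256",
                  "esp-md5-hmac": "esp-sha256-hmac", "esp-sha-hmac": "esp-sha256-hmac"},
}

def weak_settings(cfg):
    """Return [(offending text, suggestion)] for each legacy setting in cfg."""
    hits = []
    for line in cfg.splitlines():
        f = line.split()
        if len(f) > 1 and f[0] in WEAK and f[1] in WEAK[f[0]]:
            hits.append((line.strip(), WEAK[f[0]][f[1]]))
        elif f[:3] == ["crypto", "ipsec", "transform-set"]:
            hits += [(t, WEAK["transform"][t]) for t in f[4:] if t in WEAK["transform"]]
        elif f[:3] == ["crypto", "isakmp", "key"]:
            hits.append((line.strip(), "pre-shared key in the config; prefer certificates"))
    return hits

def _first(pattern, cfg):
    m = re.search(pattern, cfg, re.M)
    return m.group(1) if m else None

def peering_errors(hubs, spoke):
    """The HSRP pair (hubs) must peer with the spoke's real address; the spoke
    must peer only with the shared virtual IP, never with a hub's own address."""
    vips = {_first(r"^ standby \d+ ip (\S+)$", h) for h in hubs}
    if len(vips) != 1 or None in vips:
        return [f"HSRP pair does not share one virtual IP: {vips}"]
    vip, errs = vips.pop(), []
    spoke_addr = _first(r"^ ip address (\S+)", spoke)
    for n, h in enumerate(hubs, 1):
        name = _first(r"^ standby \d+ name (\S+)", h)
        if name is None or _first(r"^ crypto map \S+ redundancy (\S+)", h) != name:
            errs.append(f"hub {n}: crypto map must be applied with 'redundancy <standby name>'")
        if _first(r"^ set peer (\S+)", h) != spoke_addr:
            errs.append(f"hub {n}: set peer must be the spoke address {spoke_addr}")
        if _first(r"^crypto isakmp key \S+ address (\S+)", h) != spoke_addr:
            errs.append(f"hub {n}: ISAKMP key must be bound to {spoke_addr}")
    for what, pat in (("set peer", r"^ set peer (\S+)"),
                      ("ISAKMP key address", r"^crypto isakmp key \S+ address (\S+)")):
        if _first(pat, spoke) != vip:
            errs.append(f"spoke {what} is {_first(pat, spoke)}; it must be the virtual IP {vip}")
    return errs

# Hypothetical misconfiguration: R3 peers with R1's physical address.  It works
# while R1 is active and silently never fails over to R2.
R3_BAD = R3.replace("192.168.1.10", "192.168.1.1")

if __name__ == "__main__":
    for text, sug in weak_settings(CRYPTO_SUITE + R1):
        print(f"weak: {text:48} -> {sug}")
    print("page peering:", peering_errors([R1, R2], R3) or "OK")
    print("R3 -> R1 physical:", peering_errors([R1, R2], R3_BAD))
```

Run as a script it lists the five legacy algorithm settings plus the plaintext pre-shared key, reports the page's peering as consistent, and shows the two errors that the R3_BAD variant would produce. The peering check is the one worth keeping around: pointing R3 at 192.168.1.1 instead of the virtual IP passes every functional test while R1 is active and only fails the day R2 takes over.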

Tests:

R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
192.168.1.10    192.168.1.3     QM_IDLE           1002    0 ACTIVE
IPv6 Crypto ISAKMP SA

R1#show crypto ipsec sa
interface: FastEthernet0/0
    Crypto map tag: testmap, local addr 192.168.1.10
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (20.20.20.0/255.255.255.0/0/0)
   current_peer 192.168.1.3 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 895, #pkts encrypt: 895, #pkts digest: 895
    #pkts decaps: 896, #pkts decrypt: 896, #pkts verify: 896
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 192.168.1.10, remote crypto endpt.: 192.168.1.3
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x252E2551(623781201)
     inbound esp sas:
      spi: 0xC083301(201863937)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 5, flow_id: SW:5, crypto map: testmap
        sa timing: remaining key lifetime (k/sec): (4560590/3234)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x252E2551(623781201)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 6, flow_id: SW:6, crypto map: testmap
        sa timing: remaining key lifetime (k/sec): (4560590/3234)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     outbound ah sas:
     outbound pcp sas:

R1#show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Fa0/0       1    150 P Active  local           192.168.1.2     192.168.1.10
Fa0/1       1    110 P Active  local           10.10.10.2      10.10.10.10

R1#show track
Track 1  (via HSRP)
  Interface FastEthernet0/1 line-protocol
  Line protocol is Up
    5 changes, last change 00:07:02
  Tracked by:
    HSRP FastEthernet0/0 1

Let's shut down the inside link of R1 (Fa0/1) and watch the tracking pull the outside group down with it:

R1(config)#int f0/1
R1(config-if)#shut
R1(config-if)#
*Mar  1 00:37:27.875: %HSRP-5-STATECHANGE: FastEthernet0/1 Grp 1 state Active -> Init
*Mar  1 00:37:27.887: %TRACKING-5-STATE: 1 interface Fa0/1 line-protocol Up->Down
*Mar  1 00:37:28.491: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 1 state Active -> Speak
R1(config-if)#
*Mar  1 00:37:29.887: %LINK-5-CHANGED: Interface FastEthernet0/1, changed state to administratively down
*Mar  1 00:37:30.887: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
R1(config-if)#
*Mar  1 00:37:38.491: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 1 state Speak -> Standby
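The transitions above follow directly from the priorities and track decrements. Here is an added example (editor's code, not part of the post) that models the HSRP election for the R1/R2 pair from the interface stanzas copied above and reproduces the end state: with R1's Fa0/1 down, R1's outside priority falls to 90, below R2's default of 100, so both virtual IPs move to R2. It also evaluates a hypothetical variant with only a 20-point decrement on Fa0/0, which leaves the two virtual IPs on different routers; that variant is an assumption for illustration, not something on the page.

```python
"""HSRP election model for the R1/R2 pair above (added example, not from the post).

Interface stanzas are copied from R1 and R2 on this page.  Rules are standard
HSRP: highest effective priority wins, highest interface address breaks ties;
every group here has 'preempt', so the steady state is simply the best
candidate.  A down interface removes its router from that group's election.
"""
import re
from dataclasses import dataclass, field

R1_IFACES = """\
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 standby 1 ip 192.168.1.10
 standby 1 priority 150
 standby 1 preempt
 standby 1 name vpntest
 standby 1 track FastEthernet0/1 60
interface FastEthernet0/1
 ip address 10.10.10.1 255.255.255.0
 standby 1 ip 10.10.10.10
 standby 1 priority 110
 standby 1 preempt
 standby 1 track FastEthernet0/0 20
"""

R2_IFACES = """\
interface FastEthernet0/0
 ip address 192.168.1.2 255.255.255.0
 standby 1 ip 192.168.1.10
 standby 1 preempt
 standby 1 name vpntest
interface FastEthernet0/1
 ip address 10.10.10.2 255.255.255.0
 standby 1 ip 10.10.10.10
 standby 1 preempt
"""

@dataclass
class Group:
    ip: str                   # interface address, the HSRP tiebreaker
    vip: str = ""
    priority: int = 100       # IOS default when 'standby priority' is absent
    preempt: bool = False
    track: dict = field(default_factory=dict)   # tracked interface -> decrement

def parse(text):
    """Map interface name -> Group (only group 1 exists on this page)."""
    groups, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            cur = m.group(1)
            continue
        f = line.split()
        if f[:2] == ["ip", "address"]:
            groups[cur] = Group(ip=f[2])
        elif f[:1] == ["standby"]:
            if f[2] == "ip":
                groups[cur].vip = f[3]
            elif f[2] == "priority":
                groups[cur].priority = int(f[3])
            elif f[2] == "preempt":
                groups[cur].preempt = True
            elif f[2] == "track":   # IOS decrements by 10 when no value is given
                groups[cur].track[f[3]] = int(f[4]) if len(f) > 4 else 10
    return groups

def effective_priority(g, down_ifaces):
    return g.priority - sum(d for i, d in g.track.items() if i in down_ifaces)

def active_router(routers, iface, down):
    """routers: {name: parse(...)}; down: set of (router, interface) pairs."""
    cands = []
    for name, groups in routers.items():
        if (name, iface) in down:
            continue
        mine = {i for r, i in down if r == name}
        g = groups[iface]
        cands.append((effective_priority(g, mine),
                      tuple(int(o) for o in g.ip.split(".")), name))
    return max(cands)[2] if cands else None

def vip_owners(routers, down=frozenset()):
    return {iface: active_router(routers, iface, down)
            for iface in next(iter(routers.values()))}

def failover_is_symmetric(routers, down):
    """Both virtual IPs must sit on the same router; otherwise traffic decrypted
    on one router is routed towards a LAN whose virtual IP is on the other."""
    return len(set(vip_owners(routers, down).values())) == 1

ROUTERS = {"R1": parse(R1_IFACES), "R2": parse(R2_IFACES)}
# Hypothetical variant: the outside group decrements by only 20, so R1 keeps
# 130 > 100 on Fa0/0 after losing Fa0/1 and the two virtual IPs split.
WEAK_ROUTERS = {"R1": parse(R1_IFACES.replace("FastEthernet0/1 60", "FastEthernet0/1 20")),
                "R2": parse(R2_IFACES)}
```

Calling vip_owners(ROUTERS) gives R1 for both interfaces, vip_owners(ROUTERS, {("R1", "FastEthernet0/1")}) gives R2 for both, matching the Speak -> Standby transition on Fa0/0 in the log, and failover_is_symmetric(WEAK_ROUTERS, {("R1", "FastEthernet0/1")}) is False. The general rule the model encodes is that each track decrement must be large enough to push the router below the peer's priority on the other interface, or the pair will split the virtual IPs and blackhole the tunnel.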

Ping test results during the failover (R4 and the target 10.10.10.5 are test hosts not shown in the configurations above):

R4#ping 10.10.10.5 rep 1000
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 10.10.10.5, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!................................
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!
Success rate is 96 percent (968/1000), round-trip min/avg/max = 12/57/144 ms

The 32 lost echoes are consecutive; at the 2-second timeout that is roughly a minute of outage. The HSRP log above shows the virtual IPs moving to R2 within about ten seconds, so most of that window is the stateless part of the design: R2 holds none of the SAs R1 had negotiated, and R3 keeps sending into its old SA until DPD or an invalid-SPI notification makes it renegotiate with R2. If that gap is too long for the application, the tunnel needs stateful IPsec failover rather than plain HSRP redundancy.
