In this configuration example we will set up Cisco IOS IPsec redundancy with HSRP.
When all links are up, the IPsec tunnelled traffic passes through R1 and R3. When a problem occurs on any link of R1, traffic passes through R2 and R3. R3 always peers with the HSRP virtual address 192.168.1.10, so after a failover it re-establishes the tunnel with whichever router is active for the group.
Here is the topology for this example:
Configuration of R1:
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco123 address 192.168.1.3
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set testset esp-3des esp-md5-hmac
!
crypto map testmap 10 ipsec-isakmp
set peer 192.168.1.3
set transform-set testset
match address 101
reverse-route
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
standby 1 ip 192.168.1.10
standby 1 priority 150
standby 1 preempt
standby 1 name vpntest
standby 1 track FastEthernet0/1 60
crypto map testmap redundancy vpntest
!
interface FastEthernet0/1
ip address 10.10.10.1 255.255.255.0
standby 1 ip 10.10.10.10
standby 1 priority 110
standby 1 preempt
standby 1 track FastEthernet0/0 20
access-list 101 permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
Configuration of R2:
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco123 address 192.168.1.3
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set testset esp-3des esp-md5-hmac
!
crypto map testmap 10 ipsec-isakmp
set peer 192.168.1.3
set transform-set testset
match address 101
reverse-route
!
interface FastEthernet0/0
ip address 192.168.1.2 255.255.255.0
standby 1 ip 192.168.1.10
standby 1 preempt
standby 1 name vpntest
crypto map testmap redundancy vpntest
!
interface FastEthernet0/1
ip address 10.10.10.2 255.255.255.0
standby 1 ip 10.10.10.10
standby 1 preempt
access-list 101 permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
Configuration of R3:
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco123 address 192.168.1.10
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set testset esp-3des esp-md5-hmac
!
crypto map testmap 10 ipsec-isakmp
set peer 192.168.1.10
set transform-set testset
match address 101
reverse-route
!
interface FastEthernet0/0
ip address 192.168.1.3 255.255.255.0
crypto map testmap
!
interface FastEthernet0/1
ip address 20.20.20.3 255.255.255.0
access-list 101 permit ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
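As an added check (example script written for this post, not part of the original configuration), the following Python code parses constructed excerpts of the three configurations above and verifies the conditions the failover depends on: the crypto map is bound to a named HSRP group on its interface, both HSRP routers share one virtual IP, R3 peers with that virtual IP rather than a physical address, and the track decrement drops the active router's priority below its peer's.

```python
import re
# Constructed excerpts of the R1, R2 and R3 configs above (only the lines the checks need).
R1 = """interface FastEthernet0/0
 standby 1 ip 192.168.1.10
 standby 1 priority 150
 standby 1 name vpntest
 standby 1 track FastEthernet0/1 60
 crypto map testmap redundancy vpntest"""
R2 = """interface FastEthernet0/0
 standby 1 ip 192.168.1.10
 standby 1 name vpntest
 crypto map testmap redundancy vpntest"""
R3 = """crypto map testmap 10 ipsec-isakmp
 set peer 192.168.1.10"""

def parse_hsrp_binding(cfg):
    """(virtual_ip, priority, decrement) of the HSRP group the crypto map is bound to, or None."""
    groups, iface = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            iface = line.split()[1]
        elif m := re.match(r"\s*standby (\d+) (ip|priority|name|track) (.+)", line):
            g = groups.setdefault((iface, m[1]), {"priority": 100, "decrement": 0})
            if m[2] == "track":  # 'track <iface> [decrement]'; IOS default decrement is 10
                g["decrement"] = int((m[3].split() + ["10"])[1])
            else:
                g[m[2]] = int(m[3]) if m[2] == "priority" else m[3]
        elif m := re.match(r"\s*crypto map \S+ redundancy (\S+)", line):
            for (i, _), g in groups.items():  # the name must belong to a group on this interface
                if i == iface and g.get("name") == m[1]:
                    return g.get("ip"), g["priority"], g["decrement"]

def check_redundancy(hsrp_routers, peer_cfg):
    """Return findings; an empty list means the failover wiring is consistent."""
    findings, bound = [], {}
    for name, cfg in hsrp_routers.items():
        b = parse_hsrp_binding(cfg)
        if b is None:
            findings.append(f"{name}: crypto map not bound to a named HSRP group on its interface")
        else:
            bound[name] = b
    vips = {b[0] for b in bound.values()}
    if len(vips) != 1:
        findings.append(f"HSRP virtual IPs disagree: {sorted(map(str, vips))}")
    for name, (_, pri, dec) in bound.items():  # tracking must drop priority below the peer's
        others = [p for n, (_, p, _) in bound.items() if n != name]
        if dec and others and pri - dec >= max(others):
            findings.append(f"{name}: priority {pri} - {dec} still beats the peer, no failover")
    m = re.search(r"^\s*set peer (\S+)", peer_cfg, re.M)
    if not m or m[1] not in vips:
        findings.append("remote peer must point at the HSRP virtual IP, not a physical address")
    return findings
```

With the configs as posted, `check_redundancy({"R1": R1, "R2": R2}, R3)` returns no findings; lowering R1's track decrement to 40 (150 - 40 = 110, still above R2's default 100) or pointing R3 at 192.168.1.1 instead of the virtual IP is reported.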
Tests:
R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
192.168.1.10 192.168.1.3 QM_IDLE 1002 0 ACTIVE
IPv6 Crypto ISAKMP SA
R1#show crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: testmap, local addr 192.168.1.10
protected vrf: (none)
local ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (20.20.20.0/255.255.255.0/0/0)
current_peer 192.168.1.3 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 895, #pkts encrypt: 895, #pkts digest: 895
#pkts decaps: 896, #pkts decrypt: 896, #pkts verify: 896
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 192.168.1.10, remote crypto endpt.: 192.168.1.3
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x252E2551(623781201)
inbound esp sas:
spi: 0xC083301(201863937)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 5, flow_id: SW:5, crypto map: testmap
sa timing: remaining key lifetime (k/sec): (4560590/3234)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x252E2551(623781201)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 6, flow_id: SW:6, crypto map: testmap
sa timing: remaining key lifetime (k/sec): (4560590/3234)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
R1#show standby brief
P indicates configured to preempt.
|
Interface Grp Pri P State Active Standby Virtual IP
Fa0/0 1 150 P Active local 192.168.1.2 192.168.1.10
Fa0/1 1 110 P Active local 10.10.10.2 10.10.10.10
R1#show track
Track 1 (via HSRP)
Interface FastEthernet0/1 line-protocol
Line protocol is Up
5 changes, last change 00:07:02
Tracked by:
HSRP FastEthernet0/0 1
Let's shut down the inside link of R1:
R1(config)#int f0/1
R1(config-if)#shut
R1(config-if)#
*Mar 1 00:37:27.875: %HSRP-5-STATECHANGE: FastEthernet0/1 Grp 1 state Active -> Init
*Mar 1 00:37:27.887: %TRACKING-5-STATE: 1 interface Fa0/1 line-protocol Up->Down
*Mar 1 00:37:28.491: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 1 state Active -> Speak
R1(config-if)#
*Mar 1 00:37:29.887: %LINK-5-CHANGED: Interface FastEthernet0/1, changed state to administratively down
*Mar 1 00:37:30.887: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
R1(config-if)#
*Mar 1 00:37:38.491: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 1 state Speak -> Standby
Ping test results during the failover:
R4#ping 10.10.10.5 rep 1000
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 10.10.10.5, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!................................
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!
Success rate is 96 percent (968/1000), round-trip min/avg/max = 12/57/144 ms