背景:在做毕设时,发现规划的不是那么合理,vrrp主备切换后,ipsec隧道并没有跟着切换到与备防火墙建立隧道,这是因为配置了双出口,路由的设计导致vrrp主备切换ipsec隧道没有跟着切换。
fw1为主,fw2为备
vrrp配置:
ip service-set isakmp type object 16
service 0 protocol udp destination-port 500
service 1 protocol udp destination-port 4500
quitipsec proposal 10
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
quitike proposal 1
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
quitike peer fw
undo version 2
pre-shared-key huawei@123
ike-proposal 1
remote-address 142.42.42.1
quitacl number 3000
rule 5 permit ip source 10.0.0.0 0.0.255.255 destination 142.42.42.0 0.0.0.255
quitipsec policy ipsec 10 isakmp
security acl 3000
ike-peer fw
proposal 10
quitrule name isakmp
source-zone local
source-zone untrust
destination-zone local
destination-zone untrust
source-address 10.0.28.2 mask 255.255.255.255
source-address 142.42.42.1 mask 255.255.255.255
destination-address 10.0.28.2 mask 255.255.255.255
destination-address 142.42.42.1 mask 255.255.255.255
service esp
service isakmp
action permit注:对端需要配置两个ike peer ?(rt1、rt2)
ike peer fw1
undo version 2
pre-shared-key huawei@123
ike-proposal 1
remote-address 142.42.2.100
quitike peer fw2
undo version 2
pre-shared-key huawei@123
ike-proposal 1
remote-address 142.42.4.100
quit这边只放了单台防火墙ipsec配置,另外两台防火墙配置大差不差,需要修改安全策略,对端防火墙的ike peer的remote address,以及acl的感兴趣流。
另外就是要考虑好路由的走向,因为是双出口,当主备切换后,确保路由也会进行切换,fw1走r1出口出去,fw2走r2出口出去,避免来回路径不一致,确保ipsec隧道协商成功。
