IPSec VPN High Availability
Introduction
This post covers high availability for IPSec VPN. Earlier posts introduced IPSec VPN in a site-to-site setup, but such a network has a single point of failure. High availability is therefore about redundancy, backup and load sharing, so that the IPSec VPN keeps working without interruption.
HSRP (Hot Standby Router Protocol)
HSRP is a gateway redundancy technique, as shown in the figure below:
IOS: c7200p-adventerprisek9-mz.152-4.M7, c7200p-adventerprisek9-mz.151-4.M9
GNS3 version: 1.3.13
                1.3.4.3/24 +----+ 3.4.6.3/24
             +-------------| R3 |-------------+
             |        F0/0 +----+ F1/0        |
             |                                |
 +----+ 1.3.4.1/24                          /---\ 3.4.6.6/24 +----+ .6   67.1.1.0/24   .7  +----+
 | R1 |------+            HSRP              |ISP|------------| R6 |------------------------| R7 |
 +----+ F0/0 |                              \---/       F1/0 +----+ F0/0              F0/0 +----+
             |                                |
             |        F0/0 +----+ F1/0        |
             +-------------| R4 |-------------+
                1.3.4.4/24 +----+ 3.4.6.4/24
R3 and R4 run HSRP and produce the virtual IP addresses 1.3.4.100 and 3.4.6.100; only the active router may use the virtual addresses. Once R3 and R4 run HSRP, the outside peer (R6) sees only a single device (3.4.6.100). When R3 or R4 fails, HSRP switches roles: the standby router becomes the active router and keeps using the virtual address 3.4.6.100 to establish the IPSec VPN and forward packets. For more on HSRP see [1].
Drawbacks:
1. HSRP itself needs convergence time, which works against uninterrupted forwarding;
2. The standby router does not hold the complete IKE state, so after a switchover the IPSec VPN has to be re-established, which adds to the convergence time;
3. On the public side the uplinks are usually to different ISPs, so guaranteeing that both outside IPs sit in the same subnet raises the deployment cost;
4. When the active router fails, R6 cannot detect it. If R1 sends no traffic to trigger the standby router into sending IKE negotiation messages, the encrypted traffic from R7 to R1 keeps being dropped, because R4 holds no IKE state.
SSO (Stateful Switchover)
As noted above, the standby router has no IKE state, so after a switchover it must create the IKE SA again, which interrupts traffic. SSO exists to synchronise the IKE state between the routers.
SSO allows the active and standby routers to share IKE and IPsec state information so both routers have enough information to become the active router at any time.
Drawbacks:
1. SSO only backs up the IPSec VPN state and does nothing to switch traffic, so it has to be used together with HSRP;
2. SSO cannot load-share traffic, which lowers link bandwidth utilisation;
3. It adds deployment difficulty and protocol complexity.
For more on SSO see [2].
IKEv2 Load Balancer
The IKEv2 Load Balancer solves both the state redundancy and the load-sharing problems, but because of limitations of the GNS3 emulator this lab was not completed. I later learned of a way to do IKEv2 load sharing with FlexVPN; I am still studying it and will share it once I understand it thoroughly. See [3] for more.
Configuration
For the configuration, only IKEv2 under HSRP is covered here.
Topology
                1.3.4.3/24 +----+ 3.4.6.3/24
             +-------------| R3 |-------------+
             |        F0/0 +----+ F0/1        |
             |                                |
 +----+ 1.3.4.1/24                          /---\ 3.4.6.6/24 +----+ .6   67.1.1.0/24   .7  +----+
 | R1 |------+   inside<--HSRP-->outside    |ISP|------------| R6 |------------------------| R7 |
 +----+ F0/0 |                              \---/       F0/1 +----+ F0/0              F0/0 +----+
             |                                |
             |        F0/0 +----+ F0/1        |
             +-------------| R4 |-------------+
                1.3.4.4/24 +----+ 3.4.6.4/24
R1: PC
R3: VPN active gateway (HSRP)
R4: VPN standby gateway (HSRP)
R6: VPN site
R7: PC
R1 configuration:
!
interface FastEthernet0/0
 ip address 1.3.4.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 1.3.4.100
!
R3 configuration:
crypto ikev2 proposal ikev2-proposal
 encryption aes-cbc-256
 integrity sha512
 group 16
!
crypto ikev2 policy ikev2-policy
 match fvrf any
 proposal ikev2-proposal
!
crypto ikev2 keyring ikev2-keyring
 peer ccie43413
  address 3.4.6.6
  pre-shared-key local ccie43413
  pre-shared-key remote ccie43413
!
!
crypto ikev2 profile ikev2-profile
 match identity remote address 3.4.6.6 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local ikev2-keyring
!
crypto ipsec transform-set ikev2-transform-set esp-aes esp-sha-hmac
 mode tunnel
!
crypto map ikev2-map 10 ipsec-isakmp
 set peer 3.4.6.6
 set transform-set ikev2-transform-set
 set ikev2-profile ikev2-profile
 match address vpn
!
ip access-list extended vpn
 permit ip host 1.3.4.1 host 67.1.1.7
!
interface FastEthernet0/0
 ip address 1.3.4.3 255.255.255.0
 standby delay reload 120
 standby 2 ip 1.3.4.100
 standby 2 preempt
 standby 2 name HA-inside
 standby 2 track 2 decrement 10
!
interface FastEthernet0/1
 ip address 3.4.6.3 255.255.255.0
 standby delay reload 120
 standby 1 ip 3.4.6.100
 standby 1 preempt
 standby 1 name HSRP-outside
 standby 1 track 1 decrement 10
 crypto map ikev2-map redundancy HSRP-outside stateful
!
ip route 67.1.1.0 255.255.255.0 3.4.6.6
!
track 1 interface FastEthernet0/0 line-protocol
!
track 2 interface FastEthernet0/1 line-protocol
!
R4 configuration:
!
crypto ikev2 proposal ikev2-proposal
 encryption aes-cbc-256
 integrity sha512
 group 16
!
crypto ikev2 policy ikev2-policy
 match fvrf any
 proposal ikev2-proposal
!
crypto ikev2 keyring ikev2-keyring
 peer ccie43413
  address 3.4.6.6
  pre-shared-key local ccie43413
  pre-shared-key remote ccie43413
!
!
crypto ikev2 profile ikev2-profile
 match identity remote address 3.4.6.6 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local ikev2-keyring
!
crypto ipsec transform-set ikev2-transform-set esp-aes esp-sha-hmac
 mode tunnel
!
crypto map ikev2-map 10 ipsec-isakmp
 set peer 3.4.6.6
 set transform-set ikev2-transform-set
 set ikev2-profile ikev2-profile
 match address vpn
!
ip access-list extended vpn
 permit ip host 1.3.4.1 host 67.1.1.7
!
!
interface FastEthernet0/0
 ip address 1.3.4.4 255.255.255.0
 standby delay reload 120
 standby 2 ip 1.3.4.100
 standby 2 preempt
 standby 2 name HA-inside
 standby 2 track 2 decrement 10
!
interface FastEthernet0/1
 ip address 3.4.6.4 255.255.255.0
 standby delay reload 120
 standby 1 ip 3.4.6.100
 standby 1 preempt
 standby 1 name HSRP-outside
 standby 1 track 1 decrement 10
 crypto map ikev2-map redundancy HSRP-outside stateful
!
track 1 interface FastEthernet0/0 line-protocol
!
track 2 interface FastEthernet0/1 line-protocol
!
ip route 67.1.1.0 255.255.255.0 3.4.6.6
!
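The R3 and R4 configurations must agree on every HSRP detail (group numbers, virtual IPs, standby names), each group must track the opposite interface, and the crypto map's redundancy name must match the standby group on the outside interface; if any of these drift apart, failover fails silently. The following Python script is an added check, not part of the original post: it parses the HA-relevant stanzas of the two gateway configs above with a minimal, hypothetical IOS reader (it only understands interface, standby, track and crypto map lines; `GW`, `parse_gateway` and `lint_pair` are my own names) and reports any such inconsistency.

```python
import re

# Constructed from the R3/R4 configs above: only the HA-relevant stanzas, with per-router addresses as placeholders.
GW = """interface FastEthernet0/0
 ip address {inside} 255.255.255.0
 standby 2 ip 1.3.4.100
 standby 2 name HA-inside
 standby 2 track 2 decrement 10
interface FastEthernet0/1
 ip address {outside} 255.255.255.0
 standby 1 ip 3.4.6.100
 standby 1 name HSRP-outside
 standby 1 track 1 decrement 10
 crypto map ikev2-map redundancy HSRP-outside stateful
track 1 interface FastEthernet0/0 line-protocol
track 2 interface FastEthernet0/1 line-protocol"""
R3 = GW.format(inside="1.3.4.3", outside="3.4.6.3")
R4 = GW.format(inside="1.3.4.4", outside="3.4.6.4")

def parse_gateway(cfg):
    """Hypothetical minimal IOS reader: returns (hsrp groups, track objects, crypto-map redundancy names)."""
    groups, tracks, redundancy, iface = {}, {}, {}, None
    for line in (raw.strip() for raw in cfg.splitlines()):
        if m := re.match(r"interface (\S+)$", line):
            iface = m.group(1)
        elif m := re.match(r"track (\d+) interface (\S+) line-protocol$", line):
            tracks[int(m.group(1))] = m.group(2)
        elif m := re.match(r"standby (\d+) (ip|name|track) (\S+)", line):
            groups.setdefault(int(m.group(1)), {"iface": iface})[m.group(2)] = m.group(3)
        elif m := re.match(r"crypto map \S+ redundancy (\S+)", line):
            redundancy[iface] = m.group(1)
    return groups, tracks, redundancy

def lint_pair(cfg_a, cfg_b):
    """Compare two gateways; returns a list of findings (an empty list means the pair is consistent)."""
    findings = []
    (ga, ta, ra), (gb, tb, rb) = parse_gateway(cfg_a), parse_gateway(cfg_b)
    for gid in sorted(set(ga) | set(gb)):
        for key in ("iface", "ip", "name"):  # both routers must describe the same group identically
            if ga.get(gid, {}).get(key) != gb.get(gid, {}).get(key):
                findings.append(f"group {gid}: {key} mismatch between the two gateways")
    for label, groups, tracks, red in (("A", ga, ta, ra), ("B", gb, tb, rb)):
        for gid, g in groups.items():
            # each group must track the *other* interface so inside and outside fail over together
            if tracks.get(int(g.get("track", -1))) in (None, g["iface"]):
                findings.append(f"{label}: group {gid} on {g['iface']} does not track the other interface")
        for iface, name in red.items():
            # 'crypto map ... redundancy <name>' must name the HSRP group bound to that same interface
            if name not in {g.get("name") for g in groups.values() if g["iface"] == iface}:
                findings.append(f"{label}: crypto map on {iface} references unknown standby name {name}")
    return findings
```

`lint_pair(R3, R4)` returns an empty list for the configs on this page; a typo in one router's `standby 1 name` or a track object pointing at its own interface produces a finding.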
R6 configuration:
!
crypto ikev2 proposal ikev2-proposal
 encryption aes-cbc-256
 integrity sha512
 group 16
!
crypto ikev2 policy ikev2-policy
 match fvrf any
 proposal ikev2-proposal
!
crypto ikev2 keyring ikev2-keyring
 peer ccie43413
  address 3.4.6.100
  pre-shared-key local ccie43413
  pre-shared-key remote ccie43413
!
!
crypto ikev2 profile ikev2-profile
 match identity remote address 3.4.6.100 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local ikev2-keyring
!
crypto ipsec transform-set ikev2-transform-set esp-aes esp-sha-hmac
 mode tunnel
!
crypto map ikev2-map 10 ipsec-isakmp
 set peer 3.4.6.100
 set transform-set ikev2-transform-set
 set ikev2-profile ikev2-profile
 match address vpn
!
ip access-list extended vpn
 permit ip host 67.1.1.7 host 1.3.4.1
!
interface FastEthernet0/0
 ip address 67.1.1.6 255.255.255.0
!
interface FastEthernet0/1
 ip address 3.4.6.6 255.255.255.0
 crypto map ikev2-map
!
ip route 1.3.4.0 255.255.255.0 3.4.6.100
!
R7 configuration:
!
interface FastEthernet0/0
 ip address 67.1.1.7 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 67.1.1.6
!