High Availability GRE + IPSEC center-branch


In real networks we often run GRE over IPsec to connect the center to its branches. This is easy to configure and provides high availability. Link backup and device backup are not state backup: when one point fails, it takes tens of seconds or even minutes to converge, switch to the other line and rebuild the IPsec session. With GRE + IPsec we can switch lines in much less time.

Requirements:

1. Implement IPsec high-availability switching.

2. Deploy two VPN gateways at the central site and run GRE over them.

R1:

crypto isakmp policy 10
 authentication pre-share
 group 2
crypto isakmp key cisco address 69.1.10.5 no-xauth
crypto isakmp key cisco address 88.88.8.4 no-xauth
!
crypto ipsec transform-set liang esp-des esp-md5-hmac
 mode transport
!
crypto map mymap local-address Ethernet0/0
crypto map mymap 10 ipsec-isakmp
 set peer 69.1.10.5
 set transform-set liang
 match address 101
crypto map mymap 20 ipsec-isakmp
 set peer 88.88.8.4
 set transform-set liang
 match address 102
!
interface Loopback0
 ip address 192.168.1.1 255.255.255.0
interface Loopback1
 ip address 1.1.1.1 255.255.255.255
interface Tunnel0
 ! main line: bandwidth 1000 gives this tunnel a lower OSPF cost than Tunnel1
 bandwidth 1000
 ip address 10.1.15.1 255.255.255.0
 ip mtu 1438
 keepalive 10 3
 tunnel source Ethernet0/0
 tunnel destination 69.1.10.5
interface Tunnel1
 ip address 10.1.14.1 255.255.255.0
 ip mtu 1438
 keepalive 10 3
 tunnel source Ethernet0/0
 tunnel destination 88.88.8.4
interface Ethernet0/0
 ip address 191.1.1.1 255.255.255.0
 half-duplex
 crypto map mymap
!
router ospf 10
 router-id 1.1.1.1
 log-adjacency-changes
 network 1.1.1.1 0.0.0.0 area 0
 network 10.1.15.0 0.0.0.255 area 1
 network 10.1.14.0 0.0.0.255 area 1
 network 192.168.1.0 0.0.0.255 area 0
!
ip route 0.0.0.0 0.0.0.0 191.1.1.3
access-list 101 permit gre host 191.1.1.1 host 69.1.10.5
access-list 102 permit gre host 191.1.1.1 host 88.88.8.4

R2:

crypto isakmp policy 10
 authentication pre-share
 group 2
crypto isakmp key cisco address 88.88.8.4 no-xauth
crypto isakmp key cisco address 69.1.10.5 no-xauth
!
crypto ipsec transform-set liang esp-des esp-md5-hmac
 mode transport
!
crypto map mymap local-address Ethernet0/1
crypto map mymap 10 ipsec-isakmp
 set peer 88.88.8.4
 set transform-set liang
 match address 101
crypto map mymap 20 ipsec-isakmp
 set peer 69.1.10.5
 set transform-set liang
 match address 102
!
interface Loopback0
 ip address 192.168.2.2 255.255.255.0
interface Loopback1
 ip address 2.2.2.2 255.255.255.255
interface Tunnel0
 ! main line: bandwidth 1000 gives this tunnel a lower OSPF cost than Tunnel1
 bandwidth 1000
 ip address 10.1.24.2 255.255.255.0
 ip mtu 1483
 keepalive 10 3
 tunnel source Ethernet0/1
 tunnel destination 88.88.8.4
interface Tunnel1
 ip address 10.1.25.2 255.255.255.0
 ip mtu 1438
 keepalive 10 3
 tunnel source Ethernet0/1
 tunnel destination 69.1.10.5
interface Ethernet0/1
 ip address 192.1.1.2 255.255.255.0
 ! apply the crypto map here as on the other routers; the post as published omits it,
 ! and without it R2 would send its GRE traffic unencrypted
 crypto map mymap
!
router ospf 10
 log-adjacency-changes
 network 10.1.24.0 0.0.0.255 area 1
 network 10.1.25.0 0.0.0.255 area 1
!
ip route 0.0.0.0 0.0.0.0 192.1.1.3
access-list 101 permit gre host 192.1.1.2 host 88.88.8.4
access-list 102 permit gre host 192.1.1.2 host 69.1.10.5

R4:

crypto isakmp policy 10
 authentication pre-share
 group 2
crypto isakmp key cisco address 192.1.1.2 no-xauth
crypto isakmp key cisco address 191.1.1.1 no-xauth
!
crypto ipsec transform-set liang esp-des esp-md5-hmac
 mode transport
!
crypto map mymap local-address Ethernet0/2
crypto map mymap 10 ipsec-isakmp
 set peer 192.1.1.2
 set transform-set liang
 match address 101
crypto map mymap 20 ipsec-isakmp
 set peer 191.1.1.1
 set transform-set liang
 match address 102
!
interface Loopback0
 ip address 4.4.4.4 255.255.255.255
interface Tunnel0
 ! main line: bandwidth 1000 gives this tunnel a lower OSPF cost than Tunnel1
 bandwidth 1000
 ip address 10.1.24.4 255.255.255.0
 ip mtu 1483
 keepalive 10 3
 tunnel source Ethernet0/2
 tunnel destination 192.1.1.2
interface Tunnel1
 ip address 10.1.14.4 255.255.255.0
 ip mtu 1483
 keepalive 10 3
 tunnel source Ethernet0/2
 tunnel destination 191.1.1.1
interface Ethernet0/0
 ip address 192.168.3.4 255.255.255.0
 full-duplex
interface Ethernet0/2
 ip address 88.88.8.4 255.255.255.0
 crypto map mymap
!
router ospf 10
 router-id 4.4.4.4
 log-adjacency-changes
 network 4.4.4.4 0.0.0.0 area 0
 network 10.1.14.0 0.0.0.255 area 1
 network 10.1.24.0 0.0.0.255 area 1
 network 192.168.3.0 0.0.0.255 area 0
!
ip route 0.0.0.0 0.0.0.0 88.88.8.3
access-list 101 permit gre host 88.88.8.4 host 192.1.1.2
access-list 102 permit gre host 88.88.8.4 host 191.1.1.1

R5:

crypto isakmp policy 10
 authentication pre-share
 group 2
crypto isakmp key cisco address 191.1.1.1 no-xauth
crypto isakmp key cisco address 192.1.1.2 no-xauth
!
crypto ipsec transform-set liang esp-des esp-md5-hmac
 mode transport
!
crypto map mymap local-address Ethernet1/3
crypto map mymap 10 ipsec-isakmp
 set peer 191.1.1.1
 set transform-set liang
 match address 101
crypto map mymap 20 ipsec-isakmp
 set peer 192.1.1.2
 set transform-set liang
 match address 102
!
interface Loopback0
 ip address 5.5.5.5 255.255.255.255
interface Tunnel0
 ! a GRE tunnel defaults to bandwidth 9; we set 1000 so this tunnel gets a lower
 ! OSPF cost than Tunnel1 and becomes the main line
 bandwidth 1000
 ip address 10.1.15.5 255.255.255.0
 ! ip mtu sets the tunnel MTU so that GRE + ESP overhead fits in the outer packet
 ip mtu 1438
 keepalive 10 3
 tunnel source Ethernet1/3
 tunnel destination 191.1.1.1
interface Tunnel1
 ip address 10.1.25.5 255.255.255.0
 ip mtu 1438
 keepalive 10 3
 tunnel source Ethernet1/3
 tunnel destination 192.1.1.2
interface Ethernet1/3
 ip address 69.1.10.5 255.255.255.0
 half-duplex
 crypto map mymap
interface Vlan1
 no ip address
!
router ospf 10
 log-adjacency-changes
 network 5.5.5.5 0.0.0.0 area 0
 network 10.1.15.0 0.0.0.255 area 1
 network 10.1.25.0 0.0.0.255 area 1
 network 192.168.4.0 0.0.0.255 area 0
!
ip route 0.0.0.0 0.0.0.0 69.1.10.3
access-list 101 permit gre host 69.1.10.5 host 191.1.1.1
access-list 102 permit gre host 69.1.10.5 host 192.1.1.2
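Before bringing the four routers up it pays to cross-check each config against itself: the crypto map must be applied on the interface named as local-address, each crypto ACL must permit GRE from that interface's address to the map entry's peer, and every tunnel destination needs a map entry, or GRE for that peer leaves the router in cleartext. The checker below is an added example, not code from the original post; it parses a minimal subset of IOS syntax (column-0 stanzas with indented sub-commands) and runs over a constructed, trimmed copy of R2's config with the crypto map left off Ethernet0/1.

```python
import re
field = lambda pat, text: (re.search(pat, text, re.M) or (None, None))[1]  # first group or None

def parse(cfg):
    # Top-level stanzas start in column 0; their indented lines belong to the stanza above.
    d = {"acl": {n: (s, t) for n, s, t in re.findall(
             r"access-list (\d+) permit gre host (\S+) host (\S+)", cfg)},
         "local": field(r"crypto map \S+ local-address (\S+)", cfg), "maps": [], "ifs": {}}
    for blk in re.split(r"\n(?=\S)", cfg.strip()):
        head, _, body = blk.partition("\n")
        if head.startswith("crypto map") and head.endswith("ipsec-isakmp"):
            d["maps"].append({"peer": field(r"^\s*set peer (\S+)", body),
                              "acl": field(r"^\s*match address (\S+)", body)})
        elif head.startswith("interface"):
            d["ifs"][head.split()[1]] = {k: field(rf"^\s*{p} (\S+)", body) for k, p in
                (("ip", "ip address"), ("dest", "tunnel destination"), ("map", "crypto map"))}
    return d

def check(cfg):
    # Each finding is a reason one GRE tunnel would stay down or leave the box unencrypted.
    d, issues = parse(cfg), []
    outside = d["ifs"].get(d["local"], {})
    if not outside.get("map"):
        issues.append(f"crypto map not applied on {d['local']}")
    for m in d["maps"]:
        if d["acl"].get(m["acl"]) != (outside.get("ip"), m["peer"]):
            issues.append(f"acl {m['acl']} does not permit gre to {m['peer']}")
    for name, i in d["ifs"].items():
        if i["dest"] and i["dest"] not in {m["peer"] for m in d["maps"]}:
            issues.append(f"{name} destination {i['dest']} has no crypto map entry")
    return issues

# Constructed from R2's config in the post (trimmed), with the crypto map left off Ethernet0/1.
R2_CFG = """\
crypto map mymap local-address Ethernet0/1
crypto map mymap 10 ipsec-isakmp
 set peer 88.88.8.4
 match address 101
crypto map mymap 20 ipsec-isakmp
 set peer 69.1.10.5
 match address 102
interface Tunnel0
 tunnel destination 88.88.8.4
interface Tunnel1
 tunnel destination 69.1.10.5
interface Ethernet0/1
 ip address 192.1.1.2 255.255.255.0
access-list 101 permit gre host 192.1.1.2 host 88.88.8.4
access-list 102 permit gre host 192.1.1.2 host 69.1.10.5
"""
```

`check(R2_CFG)` reports only the missing crypto map on Ethernet0/1; adding ` crypto map mymap` under that interface in the sample makes it return an empty list.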

R2# show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 192.1.1.3 to network 0.0.0.0

     1.0.0.0/32 is subnetted, 1 subnets
O IA    1.1.1.1 [110/11212] via 10.1.25.5, 00:19:40, Tunnel1   <- learned through the main link
     2.0.0.0/32 is subnetted, 1 subnets
C       2.2.2.2 is directly connected, Loopback1
     4.0.0.0/32 is subnetted, 1 subnets
O IA    4.4.4.4 [110/11114] via 10.1.25.5, 00:19:40, Tunnel1
     5.0.0.0/32 is subnetted, 1 subnets
O IA    5.5.5.5 [110/11112] via 10.1.25.5, 00:19:40, Tunnel1
     6.0.0.0/32 is subnetted, 1 subnets
O IA    6.6.6.6 [110/11113] via 10.1.25.5, 00:19:40, Tunnel1
O IA 192.168.4.0/24 [110/11112] via 10.1.25.5, 00:19:40, Tunnel1
     10.0.0.0/24 is subnetted, 4 subnets
O       10.1.15.0 [110/11211] via 10.1.25.5, 00:19:40, Tunnel1
O IA    10.1.14.0 [110/22224] via 10.1.25.5, 00:00:09, Tunnel1
C       10.1.25.0 is directly connected, Tunnel1
C       10.1.24.0 is directly connected, Tunnel0
C    192.1.1.0/24 is directly connected, Ethernet0/1
     192.168.1.0/32 is subnetted, 1 subnets
O IA    192.168.1.1 [110/11212] via 10.1.25.5, 00:19:40, Tunnel1
C    192.168.2.0/24 is directly connected, Loopback0
O IA 192.168.3.0/24 [110/11113] via 10.1.25.5, 00:19:40, Tunnel1
S*   0.0.0.0/0 [1/0] via 192.1.1.3

When the R4 line fails, traffic automatically switches over to R5.

Compared with a plain L2L (site-to-site) IPsec VPN, this design has the following advantages:

1. Automatic switching, in a short time.

2. There is no need to match the encrypted data streams subnet by subnet: the crypto ACL only matches GRE, and the dynamic routing protocol negotiates reachability on its own. We only need to configure GRE and leave the rest to the routing protocol.

3. The configuration is simple and convenient to troubleshoot. Multi-point L2L VPN is especially troublesome to configure; with many sites, DMVPN needs only one tunnel to be set up.

4. Even simpler configuration: use an IPsec profile. I will add it later when I have time.

5. And so on.

This article is from the Cisco network blog; please keep this source: http://liangrui.blog.51cto.com/1510945/533202
