Huawei router uses NAT to implement the link backup VPN solution

Source: Internet
Author: User

Network topology: Huawei router using NAT to implement a link-backup VPN solution (topology diagram)

Networking description: the current network has a two-tier structure, a center and the outlets. The center uses a core router to aggregate the network devices (point-to-point); each outlet is aggregated to the carrier through its own network, and the carrier then provides a leased line to the core router at the center to interconnect them. A VPN is also created over the Internet: each outlet connects to the central standby device over the Internet through 3G, ADSL, broadband or other access methods (the central device has a fixed public IP address) and establishes an IPsec VPN as the backup network. The central standby device reaches the central LAN through the central primary device. Under normal circumstances outlet traffic goes over the main network; when the main network fails, it switches to the backup network.
Solution analysis

1. Routing policy: the network uses default static routes, and the main line has higher priority than the backup line.
   - Central primary device: uses static routes; the routes to each outlet point to the next-hop address provided by the carrier.
   - Central standby device: uses static routes; a default static route points to the Internet next-hop address, and the route to the central LAN points to the central primary device.

2. Line backup implementation:
   - Outlet: to verify reachability of the main line, enable the ip-link function on the outlet device with the destination set to the central address on the main line. When the main network fails, the route switches to the backup line.
   - Central primary device: enabling ip-link on the central primary device would in principle solve the active/standby switchover, but because there are many outlets and their number exceeds the maximum link-id value, this function cannot be enabled. As a result, when the main line from an outlet to the center fails, upstream packets go over the backup line, but the downstream data is still sent back through the central primary device, so the connection fails.
   - Central standby device: because the outlets use 3G, ADSL, broadband and other access methods, their WAN addresses cannot be fixed, so ip-link cannot be used between the active and standby devices. To make the central standby device serve as the backup, NAT must be used on the central standby device (the Internet interface of the central standby device is the NAT inbound direction and the intranet interface is the NAT outbound direction): the source address of every packet from the outlets is translated to the intranet interface address of the central standby device, or to an address in the same segment as that interface.

3. Active/standby switchover process: after a fault occurs on any segment of the main line, the ip-link function on the outlet device detects it and switches the route to the backup line.
   - Uplink: after a packet arrives at the central standby device through the IPsec VPN, the NAT function translates the outlet packet's source address to the intranet address of the central standby device, and the packet is then forwarded into the central network.
   - Downlink: when the server's reply returns to the central primary device, its destination address is the interface address of the central standby device (the post-NAT source address), so it is forwarded to the central standby device; there the NAT session translates the destination back to the outlet address, and the packet is sent to the outlet device through the IPsec VPN.

Notes:
   - Fast forwarding must be disabled on the NAT translation interface (undo ip fast-forwarding qff); otherwise packets returned from the server will not enter the IPsec VPN tunnel, because the firewall consults the fast-forwarding table first and only then runs the normal packet-processing flow.
   - On the backup line, sessions can only be initiated by the outlet device; a session initiated from the center cannot be established.
   - If some services must be initiated from the central device, change the NAT on the central standby device to NAT server.

Device configurations

Outlet device (vpn-B; runs ip-link towards the main line):

[vpn-B] dis current-configuration
05:44:05 2000/04/02
#
 sysname vpn-B
#
 firewall packet-filter default permit interzone local trust direction inbound
 firewall packet-filter default permit interzone local trust direction outbound
 firewall packet-filter default permit interzone local untrust direction inbound
 firewall packet-filter default permit interzone local untrust direction outbound
 firewall packet-filter default permit interzone local dmz direction inbound
 firewall packet-filter default permit interzone local dmz direction outbound
 firewall packet-filter default permit interzone trust untrust direction inbound
 firewall packet-filter default permit interzone trust untrust direction outbound
 firewall packet-filter default permit interzone trust dmz direction inbound
 firewall packet-filter default permit interzone trust dmz direction outbound
 firewall packet-filter default permit interzone dmz untrust direction inbound
 firewall packet-filter default permit interzone dmz untrust direction outbound
#
vlan batch 1 to 4
#
 firewall session link-state check
#
 ip-link check enable
 ip-link 1 destination 1.1.1.2 interface Vlanif2 mode icmp
#
 web-manager enable
#
 l2fwdfast enable
#
acl number 3000
 rule 5 permit ip source 10.0.0.0 0.20.255.255 destination 192.0.0.0 0.20.255.255
#
ike proposal 1
 authentication-algorithm md5
#
ike peer ike_p
 pre-shared-key hs123
 ike-proposal 1
 remote-address 3.3.3.1
#
ipsec proposal ipsec_p
#
ipsec policy p1 10 isakmp
 security acl 3000
 ike-peer ike_p
 proposal ipsec_p
 local-address 2.2.2.1
#
controller E1 2/0/0
 cable short
#
interface Vlanif2
 ip address 1.1.1.1 255.255.255.0
#
interface Vlanif3
 ip address 2.2.2.1 255.255.255.0
 ipsec policy p1
#
interface Vlanif4
 ip address 10.10.10.1 255.255.255.0
#
interface Cellular5/0/0
 link-protocol ppp
#
interface Ethernet0/0/0
#
interface Ethernet1/0/0
 portswitch
 port link-type access
 port access vlan 2
#
interface Ethernet1/0/1
 portswitch
 port link-type access
 port access vlan 3
#
interface Ethernet1/0/2
 portswitch
 port link-type access
 port access vlan 4
#
interface Ethernet1/0/3
 portswitch
 port link-type access
#
interface Ethernet1/0/4
 portswitch
 port link-type access
#
interface Ethernet1/0/5
 portswitch
 port link-type access
#
interface Ethernet1/0/6
 portswitch
 port link-type access
#
interface Ethernet1/0/7
 portswitch
 port link-type access
#
interface NULL0
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
 add interface Vlanif4
#
firewall zone untrust
 set priority 5
 add interface Vlanif2
 add interface Vlanif3
#
firewall zone dmz
 set priority 50
#
aaa
 local-user hs123 password simple hs123
 local-user hs123 level 3
 authentication-scheme default
#
 authorization-scheme default
#
 accounting-scheme default
#
 domain default
#
domain dot1x
#
nqa-jitter tag-version 1
#
 ip route-static 0.0.0.0 0.0.0.0 2.2.2.2 preference 100
 ip route-static 0.0.0.0 0.0.0.0 1.1.1.2
 ip route-static 3.3.3.1 255.255.255.255 2.2.2.2
#
 managing banner enable
#
user-interface con 0
user-interface tty 2
 authentication-mode none
 modem both
user-interface vty 0 4
 authentication-mode aaa
#
slb
#
cwmp
#
right-manager server-group
#
return

IPsec status on vpn-B:

[vpn-B] dis ipsec sa
05:44:20 2000/04/02
===============================
Interface: Vlanif3
    path MTU: 1500
===============================
  -----------------------------
  IPsec policy name: "p1"
  sequence number: 10
  mode: isakmp
  vpn: 0
  -----------------------------
    connection id: 9
    rule number: 5
    encapsulation mode: tunnel
    tunnel local : 2.2.2.1   tunnel remote: 3.3.3.1
    flow source: 10.0.0.0/255.0.0.0 0/0
    flow destination: 192.0.0.0/255.0.0.0 0/0

    [inbound ESP SAs]
      spi: 3372503716 (0xc90452a4)
      vpn: 0  said: 4  cpuid: 0x0000
      proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
      sa remaining key duration (bytes/sec): 1887180780/1994
      max received sequence-number: 983
      udp encapsulation used for nat traversal: N

    [outbound ESP SAs]
      spi: 2306906496 (0x89809980)
      vpn: 0  said: 5  cpuid: 0x0000
      proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
      sa remaining key duration (bytes/sec): 1887360391/1994
      max sent sequence-number: 825
      udp encapsulation used for nat traversal: N

[vpn-B] dis ike sa
05:44:26 2000/04/02
current ike sa number: 2
------------------------------------------------------------------
connection-id   peer       vpn   flag   phase   doi
------------------------------------------------------------------
0x9             3.3.3.1    0     RD     v1:2    IPSEC
0x7             3.3.3.1    0     RD     v1:1    IPSEC

flag meaning
RD--READY  ST--STAYALIVE  RL--REPLACED  FD--FADING  TO--TIMEOUT
TD--DELETING  NEG--NEGOTIATING

Central standby device (vpn-a; terminates the IPsec VPN and performs the source NAT):

[vpn-a] dis current-configuration
#
 sysname vpn-a
#
 firewall packet-filter default permit interzone local trust direction inbound
 firewall packet-filter default permit interzone local trust direction outbound
 firewall packet-filter default permit interzone local untrust direction inbound
 firewall packet-filter default permit interzone local untrust direction outbound
 firewall packet-filter default permit interzone local dmz direction inbound
 firewall packet-filter default permit interzone local dmz direction outbound
 firewall packet-filter default permit interzone trust untrust direction inbound
 firewall packet-filter default permit interzone trust untrust direction outbound
 firewall packet-filter default permit interzone trust dmz direction inbound
 firewall packet-filter default permit interzone trust dmz direction outbound
 firewall packet-filter default permit interzone dmz untrust direction inbound
 firewall packet-filter default permit interzone dmz untrust direction outbound
#
 firewall permit sub-ip
#
 firewall statistic system enable
#
ike proposal 1
 authentication-algorithm md5
#
ike peer ike_p
 pre-shared-key hs123
 ike-proposal 1
 remote-address 2.2.2.1
#
ipsec proposal ipsec_p
#
ipsec policy p1 10 isakmp
 security acl 3000
 ike-peer ike_p
 proposal ipsec_p
#
interface GigabitEthernet0/0
 ip address 3.3.3.1 255.255.255.0
 ipsec policy p1
#
interface GigabitEthernet0/1
 ip address 4.4.4.1 255.255.255.0
 undo ip fast-forwarding qff
#
acl number 3000
 rule 5 permit ip source 192.0.0.0 0.20.255.255 destination 10.0.0.0
#
acl number 3001
 rule 5 permit ip source 10.0.0.0 0.20.255.255 destination 192.168.102.0
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/1
#
firewall zone dmz
 set priority 50
#
firewall interzone local trust
#
firewall interzone local untrust
#
firewall interzone local dmz
#
firewall interzone trust untrust
 nat outbound 3001 interface GigabitEthernet0/1
#
firewall interzone trust dmz
#
firewall interzone dmz untrust
#
aaa
 local-user hs123 password simple hs123
 local-user hs123 service-type telnet
 local-user hs123 level 3
 authentication-scheme default
#
 authorization-scheme default
#
 accounting-scheme default
#
 domain default
#
slb
#
 ip route-static 0.0.0.0 0.0.0.0 3.3.3.2
 ip route-static 192.0.0.0 255.0.0.0 4.4.4.2
#
 snmp-agent
 snmp-agent local-engineid 000007db7f000004252d06
 snmp-agent community read public
 snmp-agent sys-info version v3
#
user-interface con 0
user-interface vty 0 4
 authentication-mode aaa
#
 update auto ips time
 update auto dpi time
 update server-name sec.w.weisymantec.com
#
surfbehavior
#
ips
#
protocol
#
mailfilter
#
return

IPsec status on vpn-a:

[vpn-a] dis ipsec sa
===============================
Interface: GigabitEthernet0/0
    path MTU: 1500
===============================
  -----------------------------
  IPsec policy name: "p1"
  sequence number: 10
  mode: isakmp
  -----------------------------
    connection id: 7
    encapsulation mode: tunnel
    tunnel local : 3.3.3.1   tunnel remote: 2.2.2.1

    [inbound ESP SAs]
      spi: 2306906496 (0x89809980)
      proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
      sa remaining key duration (bytes/sec): 1887367291/2212
      max received sequence-number: 709
      udp encapsulation used for nat traversal: N

    [outbound ESP SAs]
      spi: 3372503716 (0xc90452a4)
      proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
      sa remaining key duration (bytes/sec): 1887141416/2212
      max sent sequence-number: 869
      udp encapsulation used for nat traversal: N

NAT status on vpn-a (the outlet host 10.10.10.2 is translated to the interface address 4.4.4.1 before reaching the server 192.168.102.254):

[vpn-a] dis firewall session table nat
 icmp: 10.10.10.2:512[4.4.4.1:63288] --> 192.168.102.254:512

Central primary device (router):

[router] dis current-configuration
#
 version 5.20, release 1618
#
 sysname router
#
 domain default enable system
#
vlan 1
#
domain system
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
#
local-user admin
 password cipher .] @ USE = B, 53Q = ^ q'maf4 <1 !!
 service-type telnet
 level 3
#
interface Aux0
 async mode flow
 link-protocol ppp
#
interface NULL0
#
interface GigabitEthernet0/0
 port link-mode route
 ip address 192.168.102.254 255.255.0
#
interface GigabitEthernet0/1
 port link-mode route
#
interface GigabitEthernet0/1.1
 vlan-type dot1q vid 10
 ip address 4.4.4.2 255.255.255.0
#
interface GigabitEthernet0/1.2
 vlan-type dot1q vid 2
 ip address 1.1.1.2 255.255.255.0
#
 ip route-static 0.0.0.0 0.0.0.0 1.1.1.1
#
 snmp-agent
 snmp-agent local-engineid 800007DB03000FE2A2A370
 snmp-agent community read public
 snmp-agent sys-info version v3
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
 authentication-mode scheme
#
return
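The asymmetric-return problem and the source-NAT fix described in the solution analysis, modelled as an added Python example that is not part of the original article or of any Huawei software: a longest-prefix route lookup standing in for the central primary router, and a minimal NAT session table standing in for vpn-a's nat outbound. The routing table, the port allocation and the session-table behaviour are assumptions built from the addresses on the page; device details such as fast forwarding are not modelled.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int  # for ICMP this is the identifier (512 in the page's session entry)
    dport: int

def lookup(routes, dst):
    """Longest-prefix match over (prefix, next_hop) pairs; None if no route."""
    ip = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), nh) for p, nh in routes if ip in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

# Constructed routes of the central primary router (assumption): outlet LANs (10.0.0.0/8)
# are reached over the main line; 4.4.4.0/24 is the link to the standby device vpn-a.
MASTER_ROUTES = [("10.0.0.0/8", "main-line"), ("4.4.4.0/24", "standby"), ("0.0.0.0/0", "main-line")]

class SourceNat:
    """Model of 'nat outbound' on vpn-a: rewrite the source to the interface address
    and keep a session so the reply can be translated back."""
    def __init__(self, iface_ip, first_port=63288):
        self.iface_ip, self.port, self.sessions = iface_ip, first_port, {}

    def outbound(self, pkt):
        # Session key is what the reply will carry: server ip, server port, NAT port.
        self.sessions[(pkt.dst, pkt.dport, self.port)] = pkt
        nat = Packet(self.iface_ip, pkt.dst, self.port, pkt.dport)
        self.port += 1
        return nat

    def inbound(self, pkt):
        # No matching session (e.g. a center-initiated connection): nothing to translate to.
        orig = self.sessions.get((pkt.src, pkt.sport, pkt.dport))
        return None if orig is None else Packet(pkt.src, orig.src, pkt.sport, orig.sport)

def reply_path(main_line_up, use_nat):
    """Where the server's reply to an outlet host ends up: 'outlet' or 'lost'."""
    req = Packet("10.10.10.2", "192.168.102.254", 512, 512)  # the page's ICMP session
    nat = SourceNat("4.4.4.1")
    seen = nat.outbound(req) if use_nat else req  # what the server actually receives
    reply = Packet(seen.dst, seen.src, seen.dport, seen.sport)
    hop = lookup(MASTER_ROUTES, reply.dst)
    if hop == "standby":  # NAT case: reply returns to vpn-a, which un-translates it into the tunnel
        back = nat.inbound(reply)
        return "outlet" if back is not None and back.dst == req.src else "lost"
    # No NAT: the reply follows the route to the outlet LAN, i.e. the (possibly failed) main line.
    return "outlet" if hop == "main-line" and main_line_up else "lost"
```

Running reply_path(False, False) versus reply_path(False, True) reproduces the failure the article describes and the fix; inbound() returning None for a packet with no session is the reason center-initiated sessions need NAT server instead.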
This article is from the fat shark network.
