MSR Series Routers
Configuring IPSec with a VRRP Virtual Address
Keywords: MSR; IPSec; IKE; DPD; VRRP
I. Networking requirements:
RTA, RTB and Branch are all connected to the same switch. RTA and RTB form a VRRP group, and the virtual address is
Device list: 3 MSR-series routers
II. Network diagram:
III. Configuration steps:
Device and version: MSR series, Version 5.20, Release 1509
RTA configuration
#
// Configure DPD group "vrrp" with the default settings: 10-second idle timer, 5-second reply wait timeout
ike dpd vrrp
#
// IKE peer configuration
ike peer Branch
 pre-shared-key h
 remote-address
 local-address
 // Reference the DPD group
 dpd vrrp
#
// IPSec proposal configuration
ipsec proposal def
#
// IPSec policy configuration
ipsec policy branch 1 isakmp
 security acl 3000
 ike-peer branch
 proposal def
#
// ACL configuration
acl number 3000
 rule 0 permit ip source 192.168.0.0
#
// Interconnect interface (facing the switch)
interface GigabitEthernet0/0
 port link-mode route
 ip address
 // Configure the virtual address of VRRP group 1
 vrrp vrid 1 virtual-ip
 // Bind the IPSec policy
 ipsec policy branch
#
// Internal interface
interface GigabitEthernet0/1
 port link-mode route
 ip address 192.168.0.1 255.255.255.0
#
// Static route so that traffic to the remote subnet enters the IPSec interface
ip route-static 192.168.1.0 255.255.255.0
#
RTB configuration
#
// Configure DPD group "vrrp" with the default settings: 10-second idle timer, 5-second reply wait timeout
ike dpd vrrp
#
// IKE peer configuration
ike peer Branch
 pre-shared-key h
 remote-address
 local-address
 // Reference the DPD group
 dpd vrrp
#
// IPSec proposal configuration
ipsec proposal def
#
// IPSec policy configuration
ipsec policy branch 1 isakmp
 security acl 3000
 ike-peer branch
 proposal def
#
// ACL configuration
acl number 3000
 rule 0 permit ip source 192.168.0.0
#
// Interconnect interface (facing the switch)
interface GigabitEthernet0/0
 port link-mode route
 ip address
 // Configure the virtual address of VRRP group 1
 vrrp vrid 1 virtual-ip
 // Set the priority of VRRP group 1 to 80 so that RTB becomes the Backup
 vrrp vrid 1 priority 80
 // Bind the IPSec policy
 ipsec policy branch
#
// Internal interface
interface GigabitEthernet0/1
 port link-mode route
 ip address 192.168.0.2 255.255.255.0
#
// Static route so that traffic to the remote subnet enters the IPSec interface
ip route-static 192.168.1.0 255.255.255.0
#
Branch configuration
#
// Configure DPD group "vrrp" with the default settings: 10-second idle timer, 5-second reply wait timeout
ike dpd vrrp
#
// IKE peer configuration
ike peer center
 pre-shared-key h
 remote-address
 local-address
 // Reference the DPD group
 dpd vrrp
#
// IPSec proposal configuration
ipsec proposal def
#
// IPSec policy configuration
ipsec policy center 1 isakmp
 security acl 3000
 ike-peer center
 proposal def
#
// ACL configuration
acl number 3000
 rule 0 permit ip source 192.168.1.0
#
// Interconnect interface (facing the switch)
interface Ethernet0/0
 port link-mode route
 ip address
 // Bind the IPSec policy
 ipsec policy center
#
// Internal interface
interface Ethernet0/1
 port link-mode route
 ip address 192.168.1.1 255.255.255.0
#
// Static route so that traffic to the remote subnet enters the IPSec interface
ip route-static 192.168.0.0 255.255.255.0
#
IV. Key configuration points:
1) Configure VRRP on RTA and RTB; refer to the typical VRRP configuration.
2) The IPSec configuration on RTA and RTB is identical, and both specify the VRRP virtual address as the IKE local-address.
3) On Branch, IKE specifies the VRRP virtual address as the peer (remote) address.
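The three key points above can be checked mechanically against running configurations before a failover is relied upon. The following script is an added example, not part of the original document: it parses Comware-style config text and verifies that each VRRP member binds its IKE local-address to the VRRP virtual-ip, that the member's IKE peer references DPD group vrrp, that RTA and RTB carry identical IPSec settings, and that Branch points its remote-address at the virtual address. All addresses are constructed placeholders, since the page elides the real ones.

```python
import re

# Constructed placeholder addresses (the original page does not give them)
VIP = "198.51.100.1"          # VRRP virtual address shared by RTA and RTB
BRANCH_IP = "203.0.113.10"    # Branch interconnect address

# Constructed RTA config, reduced to the lines the checks care about
RTA_CFG = f"""ike dpd vrrp
ike peer Branch
 pre-shared-key h
 remote-address {BRANCH_IP}
 local-address {VIP}
 dpd vrrp
interface GigabitEthernet0/0
 ip address 198.51.100.2 255.255.255.0
 vrrp vrid 1 virtual-ip {VIP}
 ipsec policy branch
"""
# RTB: same IPSec settings, its own physical address, lower VRRP priority
RTB_CFG = RTA_CFG.replace("198.51.100.2", "198.51.100.3").replace(
    " ipsec policy branch", " vrrp vrid 1 priority 80\n ipsec policy branch")
# Misconfigured RTB: IKE local-address bound to the physical address instead of the VIP
RTB_BAD_CFG = RTB_CFG.replace(f"local-address {VIP}", "local-address 198.51.100.3")
# Constructed Branch config: remote-address must be the VIP, not a member's physical address
BRANCH_CFG = f"ike peer center\n pre-shared-key h\n remote-address {VIP}\n dpd vrrp\n"

def _first(pattern, cfg):
    """Return the first capture group of pattern in cfg (multi-line), or None."""
    m = re.search(pattern, cfg, re.M)
    return m.group(1) if m else None

def check_vrrp_member(cfg):
    """Problems found on one VRRP member (RTA or RTB); an empty list means OK."""
    problems = []
    vip = _first(r"^\s*vrrp vrid \d+ virtual-ip (\S+)", cfg)
    local = _first(r"^\s*local-address (\S+)", cfg)
    if vip is None:
        problems.append("no VRRP virtual-ip configured")
    if local != vip:
        problems.append(f"ike local-address {local} is not the VRRP virtual-ip {vip}")
    if not re.search(r"^\s*dpd vrrp\b", cfg, re.M):
        problems.append("ike peer does not reference DPD group vrrp")
    return problems

def check_consistency(cfg_a, cfg_b):
    """True when the IPSec-relevant lines are identical on both VRRP members."""
    keys = ("pre-shared-key", "remote-address", "local-address", "dpd ", "ipsec policy")
    pick = lambda c: sorted(l.strip() for l in c.splitlines() if l.strip().startswith(keys))
    return pick(cfg_a) == pick(cfg_b)

def check_branch(cfg, vip):
    """True when Branch's IKE remote-address is the VRRP virtual address."""
    return _first(r"^\s*remote-address (\S+)", cfg) == vip
```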