21/1/55

CE_Router of IP-SEC-SSO tunnel protection project

Configure IPSEC-R1 and IPSEC-R2 to provide Stateful Switchover (SSO) for an IPsec tunnel in tunnel protection mode.
Note / tip: EIGRP is used to control routing so that traffic runs over the tunnel.


SSO-IPSEC-R1 ************************************************
!
class-map match-all ICMP
match access-group name MATCH_ICMP
class-map match-all GRE
match access-group name MATCH_GRE
!
policy-map Test_Match_Policy_Only
class ICMP
class GRE
!
redundancy inter-device
scheme standby HA-out
!
redundancy
!
ipc zone default
association 1
no shutdown
protocol sctp
local-port 5000
local-ip 172.16.1.2
retransmit-timeout 300 10000
path-retransmit 10
assoc-retransmit 10
remote-port 5000
remote-ip 172.16.1.3
!
ip cef
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
lifetime 120
crypto isakmp key cisco123 address 172.16.1.10 no-xauth
!
crypto ipsec transform-set trans1 esp-3des esp-sha-hmac
mode transport
!
crypto ipsec profile sso-secure
set transform-set trans1
redundancy HA-out stateful
!
interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
interface Loopback1
ip address 1.1.2.1 255.255.255.255
!
interface Tunnel1
ip unnumbered Loopback0
tunnel source 172.16.1.4
tunnel destination 172.16.1.10
tunnel mode ipsec ipv4
tunnel protection ipsec profile sso-secure
qos pre-classify
!
interface FastEthernet0/0
ip address 172.16.1.2 255.255.255.248
duplex auto
speed auto
standby delay reload 120
standby 1 ip 172.16.1.4
standby 1 priority 120
standby 1 preempt
standby 1 name HA-out
standby 1 track FastEthernet0/1 30
standby 1 authentication md5 key-string 24991
service-policy output Test_Match_Policy_Only
!
interface FastEthernet0/1
ip address 172.16.1.17 255.255.255.248
duplex auto
speed auto
standby delay reload 120
standby 2 ip 172.16.1.19
standby 2 priority 120
standby 2 preempt
standby 2 name HA-in
standby 2 authentication md5 key-string 24991
standby 2 track FastEthernet0/0 30
!
router eigrp 10
network 1.1.1.0 0.0.0.255
network 172.16.1.17 0.0.0.0
no auto-summary
!
router ospf 10
router-id 1.1.2.1
log-adjacency-changes
network 172.16.1.2 0.0.0.0 area 0
!
!
ip access-list extended MATCH_GRE
permit gre any any
ip access-list extended MATCH_ICMP
permit icmp any any
!
!


SSO-IPSEC-R2 ************************************************
!
class-map match-all ICMP
match access-group name MATCH_ICMP
class-map match-all GRE
match access-group name MATCH_GRE
!
policy-map Test_Match_Policy_Only
class ICMP
class GRE
!
redundancy inter-device
scheme standby HA-out
!
redundancy
!
ipc zone default
association 1
no shutdown
protocol sctp
local-port 5000
local-ip 172.16.1.3
retransmit-timeout 300 10000
path-retransmit 10
assoc-retransmit 10
remote-port 5000
remote-ip 172.16.1.2
!
ip cef
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
lifetime 120
crypto isakmp key cisco123 address 172.16.1.10 no-xauth
!
crypto ipsec transform-set trans1 esp-3des esp-sha-hmac
mode transport
!
crypto ipsec profile sso-secure
set transform-set trans1
redundancy HA-out stateful
!
interface Loopback0
ip address 1.1.1.2 255.255.255.0
!
interface Loopback1
ip address 1.1.2.2 255.255.255.255
!
interface Tunnel1
ip unnumbered Loopback0
tunnel source 172.16.1.4
tunnel destination 172.16.1.10
tunnel mode ipsec ipv4
tunnel protection ipsec profile sso-secure
qos pre-classify
!
interface FastEthernet0/0
ip address 172.16.1.3 255.255.255.248
duplex auto
speed auto
standby delay reload 120
standby 1 ip 172.16.1.4
standby 1 preempt
standby 1 name HA-out
standby 1 authentication md5 key-string 24991
service-policy output Test_Match_Policy_Only
!
interface FastEthernet0/1
ip address 172.16.1.18 255.255.255.248
duplex auto
speed auto
standby delay reload 120
standby 2 ip 172.16.1.19
standby 2 preempt
standby 2 name HA-in
standby 2 authentication md5 key-string 24991
!
router eigrp 10
network 1.1.1.0 0.0.0.255
network 172.16.1.18 0.0.0.0
no auto-summary
!
router ospf 10
router-id 1.1.2.2
log-adjacency-changes
network 172.16.1.3 0.0.0.0 area 0
!
!
ip access-list extended MATCH_GRE
permit gre any any
ip access-list extended MATCH_ICMP
permit icmp any any
!
!

################################################
show cry map
show cry isa sa
show cry ipsec sa
show cry policy
debug crypto ha
debug crypto isakmp ha
debug crypto ipsec ha
show redundancy inter-device
show redundancy states
################################################
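Added here as an offline pre-check, not part of the original post: a Python script that parses the IOS sections a stateful IPsec SSO pair must have in common (ISAKMP policy, transform set, IPsec profile, Tunnel interface), reports any line present on only one member, and verifies that the tunnel source is the VIP of the HSRP group the profile fails over on. The config excerpt in it is constructed from the R1 configuration above; the standby copy has its tunnel-mode line deliberately dropped to show what a finding looks like, and the function names are my own.

```python
import re

# Constructed excerpt of the SSO-IPSEC-R1 config shown on this page, indented the
# way IOS prints it and trimmed to the sections the checks below look at.
R1 = """crypto isakmp policy 10
 encr 3des
crypto ipsec transform-set trans1 esp-3des esp-sha-hmac
 mode transport
crypto ipsec profile sso-secure
 redundancy HA-out stateful
interface Tunnel1
 tunnel source 172.16.1.4
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile sso-secure
interface FastEthernet0/0
 standby 1 ip 172.16.1.4
 standby 1 name HA-out
"""
# Constructed standby copy with the tunnel-mode line dropped: drift between HA members.
R2 = R1.replace(" tunnel mode ipsec ipv4\n", "")

# Sections that must be identical on both members of a stateful IPsec SSO pair.
MUST_MATCH = ("crypto isakmp policy", "crypto ipsec transform-set",
              "crypto ipsec profile", "interface Tunnel")

def sections(cfg):
    """Map each top-level IOS line to the set of its indented child lines."""
    out, cur = {}, None
    for line in cfg.splitlines():
        if line.startswith(" "):
            out.setdefault(cur, set()).add(line.strip())
        elif line.strip() and not line.startswith("!"):
            cur = line.strip()
            out[cur] = set()
    return out

def check_pair(a, b):
    """Lines in MUST_MATCH sections found on only one router (empty = consistent)."""
    sa, sb, out = sections(a), sections(b), []
    for key in sorted(k for k in sa.keys() | sb.keys() if k.startswith(MUST_MATCH)):
        for x in sorted(sa.get(key, set()) ^ sb.get(key, set())):
            out.append(f"{key}: '{x}' is on only one router")
    return out

def tunnel_source_is_vip(cfg):
    """True if the tunnel is sourced from the VIP of the HSRP group the profile fails over on."""
    grp = re.search(r"redundancy (\S+) stateful", cfg).group(1)
    num = re.search(rf"standby (\d+) name {re.escape(grp)}$", cfg, re.M).group(1)
    vip = re.search(rf"standby {num} ip (\S+)", cfg).group(1)
    return re.search(r"tunnel source (\S+)", cfg).group(1) == vip
```

Run check_pair against the full running-configs of both HA members before a switchover test; a tunnel sourced from a physical address instead of the VIP will not survive failover even when everything else matches.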


REMOTE-IPSEC-2 (IPSEC-R3) ************************************************
!
crypto isakmp policy 10
encryption 3des
authentication pre-share
hash md5
group 2
lifetime 120
!
crypto isakmp key cisco123 address 172.16.1.4 no-xauth
!
crypto ipsec transform-set trans1 esp-3des esp-sha-hmac
mode transport
!
crypto ipsec profile soo-secure
set transform-set trans1
!
interface FastEthernet0/0
ip address 172.16.1.10 255.255.255.248
no shutdown
!
interface FastEthernet0/1
ip address 172.16.1.25 255.255.255.248
no shutdown
!
interface Loopback0
ip address 1.1.1.3 255.255.255.0
!
interface Loopback1
ip address 1.1.2.3 255.255.255.255
!
interface Tunnel1
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel source 172.16.1.10
tunnel destination 172.16.1.4
tunnel protection ipsec profile soo-secure
!
router eigrp 10
network 1.1.1.0 0.0.0.255
network 172.16.1.25 0.0.0.0
no auto-summary
!
router ospf 10
router-id 1.1.2.3
log-adjacency-changes
network 172.16.1.10 0.0.0.0 area 0
!
