
Using GLBP to provide site redundancy for SVTI IPsec

2025-02-24 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

R1 and R2 run as VPN gateways with GLBP, R3 simulates the ISP router, and R1 and R4 establish an SVTI IPsec site-to-site tunnel.

If the site-to-site VPN is built with traditional IPsec, the source IP address cannot be specified, so R1 cannot use the virtual IP to establish a VPN association with R4.

SVTI embeds GRE in IPsec, and the source IP and destination IP are specified on the tunnel interface. When IPsec is added, its start and end points are the same as those specified by the tunnel, so the source IP used by IPsec can be assigned.

R1 configuration:

crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 40.1.1.2
!
crypto ipsec transform-set ESP-des-md5 esp-des esp-md5-hmac
!
crypto ipsec profile ipsec-profile
 set transform-set ESP-des-md5
!
interface Tunnel0
 ip address 172.16.1.1 255.255.255.0
 tunnel source 61.1.1.1
 tunnel destination 40.1.1.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ipsec-profile
!
interface FastEthernet0/0
 ip address 61.1.1.4 255.255.255.0
 duplex auto
 speed auto
 glbp 1 ip 61.1.1.1
 glbp 1 load-balancing host-dependent
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 61.1.1.3

R2 is configured the same way, except that the interface IP is 61.1.1.2; everything else is identical.

Also note the command glbp 1 load-balancing host-dependent.

With this setting R3 is pinned to one gateway, so the packets it sends to 61.1.1.1 always go to the same router, R1 or R2. With the default setting, packets may be sent to the other router when the ARP entry times out, or for some other reason, which interrupts IPsec.

R3 only needs its interfaces configured, so its configuration is omitted.

Configuration of R4

crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 61.1.1.1
!
crypto ipsec transform-set ESP-des-md5 esp-des esp-md5-hmac
!
crypto ipsec profile ipsec-profile
 set transform-set ESP-des-md5
!
interface Tunnel0
 ip address 172.16.1.4 255.255.255.0
 tunnel source 40.1.1.2
 tunnel destination 61.1.1.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ipsec-profile
!
interface FastEthernet0/0
 ip address 40.1.1.2 255.255.255.0
 duplex auto
 speed auto
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 40.1.1.1

Of course, HSRP and VRRP can achieve the same effect, and there is no need for glbp 1 load-balancing host-dependent.
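As an added example (not part of the original article), the Python check below reads the key lines of the R1 and R4 configurations and verifies the properties this design depends on: the gateway's tunnel source is the GLBP virtual IP, GLBP is host-dependent, the tunnel endpoints mirror each other, and each ISAKMP key peer matches the tunnel destination. The function names and the deny-list of deprecated transforms (DES and HMAC-MD5, both used in the configuration above) are assumptions of this example.

```python
import re

# Key lines copied from the R1 and R4 configurations on this page.
R1 = """\
crypto isakmp key cisco address 40.1.1.2
crypto ipsec transform-set ESP-des-md5 esp-des esp-md5-hmac
interface Tunnel0
 tunnel source 61.1.1.1
 tunnel destination 40.1.1.2
interface FastEthernet0/0
 glbp 1 ip 61.1.1.1
 glbp 1 load-balancing host-dependent
"""
R4 = """\
crypto isakmp key cisco address 61.1.1.1
crypto ipsec transform-set ESP-des-md5 esp-des esp-md5-hmac
interface Tunnel0
 tunnel source 40.1.1.2
 tunnel destination 61.1.1.1
"""
WEAK = {"esp-des", "esp-md5-hmac"}  # assumption: this example's own deny-list

def facts(cfg):
    """Extract the fields the checks need from an IOS config string."""
    def one(pat):
        m = re.search(pat, cfg, re.M)
        return m.group(1) if m else None
    return {
        "src": one(r"^\s*tunnel source (\S+)"),
        "dst": one(r"^\s*tunnel destination (\S+)"),
        "peer": one(r"^crypto isakmp key \S+ address (\S+)"),
        "vip": one(r"^\s*glbp \d+ ip (\S+)"),
        "lb": one(r"^\s*glbp \d+ load-balancing (\S+)"),
        "transforms": set((one(r"^crypto ipsec transform-set \S+ (.+)$") or "").split()),
    }

def audit(gw, remote):
    g, r = facts(gw), facts(remote)
    checks = [  # (failed?, message) pairs; only failed checks are reported
        (g["src"] != g["vip"], "gateway tunnel source is not the GLBP virtual IP"),
        (g["lb"] != "host-dependent", "GLBP load balancing is not host-dependent"),
        ((g["src"], g["dst"]) != (r["dst"], r["src"]), "tunnel endpoints do not mirror"),
    ]
    for name, f in (("gateway", g), ("remote", r)):
        checks.append((f["peer"] != f["dst"], f"{name}: ISAKMP peer differs from tunnel destination"))
        checks += [(True, f"{name}: deprecated transform {t}") for t in sorted(f["transforms"] & WEAK)]
    return [msg for failed, msg in checks if failed]
```

Run against the page's configurations, `audit(R1, R4)` passes the GLBP and tunnel checks and reports only the DES and HMAC-MD5 transforms, which should be replaced with current algorithms before this design is used outside a lab.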
