Huawei: using NAT to implement a backup-link VPN solution
Source: Internet  Editor: 程序博客网  Time: 2024/06/07 04:05
Network topology (the diagram is not reproduced in this text)
Network description
The network currently has a two-tier architecture: the centre and the branch sites. The centre uses one core router to aggregate the branch devices (point-to-multipoint). Each branch connects through the carrier's network, and the carrier provides a leased line into the centre core router, which gives full connectivity.
A backup network is added in the form of a VPN over the Internet. Branches connect through 3G, ADSL, broadband or similar access to the centre backup device (which has a fixed public IP) and establish an IPsec VPN, which provides the backup connectivity. The centre backup device reaches the centre LAN through the centre primary device.
Under normal conditions branch traffic uses the primary network; when the primary network fails, traffic switches to the backup network.
Solution analysis
1. Routing policy
- Branch: the branch uses default static routes; the primary line's default route is preferred over the backup line's (on Huawei a lower preference value wins).
- Centre primary device: static routes; the routes to every branch point at the next-hop address provided by the carrier.
- Centre backup device: static routes; a default route to the Internet pointing at the carrier's next hop, and a route to the centre LAN pointing at the centre primary device.
2. Link-backup mechanism
- Branch: to monitor reachability over the primary line, the branch device enables ip-link with the destination set to the centre address on the primary line. When the primary network fails, the route switches to the backup line.
- Centre primary: enabling ip-link on the centre primary device would also solve the switchover problem, but there are more branches than the link-id range allows, so it cannot be used. Once a branch's primary line fails and the branch has switched over, upstream packets arrive over the backup line, but the centre primary device still returns the downstream packets to the branch over the primary line, so the connection fails.
- Centre backup: because branches use 3G, ADSL or broadband access, their WAN addresses are not fixed, so the centre backup device cannot use ip-link either. To make the centre backup device provide the backup path, NAT is used on it (its external interface is the NAT inbound side, its internal interface the NAT outbound side): the source address of every branch packet is translated to the centre backup device's internal interface address, or to an address in that interface's subnet.
3. Switchover flow
When any segment of the primary line fails, the branch device detects it through ip-link and switches its route to the backup line.
- Upstream: after packets arrive at the centre backup device through the IPsec VPN, NAT rewrites the branch source address to the centre backup device's internal address, and the packets are forwarded into the centre network.
- Downstream: packets returned by the server reach the centre primary device with a destination of the centre backup device's interface address (the post-NAT source address); the centre backup device matches its NAT session, rewrites the destination back to the branch address, and sends the packet to the branch device through the IPsec VPN.
Points to note in this solution
- Fast forwarding must be disabled on the interface that performs the NAT (undo ip fast-forwarding qff); otherwise packets returning from the server will not go back through the IPsec tunnel. The reason is that the firewall looks up the fast-forwarding table before running the normal packet-processing path, which is where the NAT reverse translation and the IPsec policy are applied.
- On the backup line, sessions can only be initiated by the branch; a connection initiated from the centre cannot be established (the centre primary router's only route toward the branch is its default route over the primary line, and the backup device holds no matching NAT session).
- If some services must be initiated from the centre, change the NAT on the centre backup device to nat server (a static mapping from an address on the backup device's internal side to the branch host).
- In the branch configuration below, ip-link 1 is defined but the printed primary default route shows no binding to it; the switchover depends on that binding, so verify on your platform how the probe is tied to the route.
- The display ipsec sa output below shows udp encapsulation used for nat traversal: N, because both tunnel endpoints in the lab have public addresses. A branch behind carrier NAT (3G, ADSL) must negotiate NAT-T, so check that flag when a real branch comes up.
- The configurations are lab settings and must be hardened before production: the empty ipsec proposal fell back to ESP-ENCRYPT-DES / ESP-AUTH-MD5 (visible in display ipsec sa), the IKE pre-shared key and the local-user password are short plaintext strings stored with password simple, SNMP uses the read community public, and every interzone packet filter defaults to permit.
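To make the routing argument of sections 2 and 3 and the notes above concrete, here is an added Python simulation; it is not from the original post and is not Huawei code. It builds the three devices from the configurations printed later on the page (the branch firewall vpn-b, the centre backup firewall vpn-a and the centre primary router) and replays the branch ping that appears in the NAT session table (10.10.10.2 to 192.168.102.254, ICMP id 512) with the primary line up, with it down and no NAT, and with it down and the nat outbound rule active; it also shows why a centre-initiated flow over the backup line only works once a static nat server mapping exists. Assumptions: the Internet/IPsec hop between vpn-b Vlanif3 and vpn-a GigabitEthernet0/0 is modelled as one direct link, the ip-link probe is modelled as a tracked flag that withdraws the branch primary route while the link is down, fast forwarding is not modelled, and the PAT port 63288, the centre source port 40000 and the nat-server ports 8080/80 are made up.

```python
# Added example (not from the post): a path simulator for the primary/backup
# design above. Addresses and static routes are copied from the configurations
# printed later on this page (vpn-b: branch firewall, vpn-a: centre backup
# firewall, router: centre primary router); see the lead-in for assumptions.
import ipaddress
from collections import namedtuple
from types import SimpleNamespace

# next_hop is informational only; the neighbour is resolved through LINKS.
Route = namedtuple("Route", "prefix out_if next_hop preference tracked", defaults=(None, 60, False))

def in_net(ip, net):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net)

def make_nat(out_if, public_ip, acl):
    """'nat outbound <acl> interface <out_if>': source NAT to that interface's address."""
    return SimpleNamespace(out_if=out_if, public_ip=public_ip, acl=acl, next_port=63288,
                           outbound={}, sessions={})  # (src, sport)->(pub, port) and reverse

def lookup(n, dst, down):
    """Longest prefix wins; equal prefixes are decided by the lowest preference value."""
    ok = [r for r in n.routes if in_net(dst, r.prefix)
          and not (r.tracked and (n.name, r.out_if) in down)]   # ip-link withdrew it
    return max(ok, key=lambda r: (ipaddress.ip_network(r.prefix).prefixlen, -r.preference), default=None)

# Point-to-point links; a (node, interface) pair absent here is a stub LAN.
LINKS = {("vpn-b", "Vlanif2"): ("router", "GigabitEthernet0/1.2"),          # primary line
         ("vpn-b", "Vlanif3"): ("vpn-a", "GigabitEthernet0/0"),             # Internet + IPsec
         ("vpn-a", "GigabitEthernet0/1"): ("router", "GigabitEthernet0/1.1")}
LINKS.update({b: a for a, b in list(LINKS.items())})

def build_net(with_nat=False):
    vpn_b = SimpleNamespace(name="vpn-b", addresses={"1.1.1.1", "2.2.2.1", "10.10.10.1"}, nat=None, routes=[
        Route("10.10.10.0/24", "Vlanif4"), Route("1.1.1.0/24", "Vlanif2"),
        Route("2.2.2.0/24", "Vlanif3"), Route("3.3.3.1/32", "Vlanif3", "2.2.2.2"),
        Route("0.0.0.0/0", "Vlanif2", "1.1.1.2", 60, tracked=True),        # primary, ip-link 1
        Route("0.0.0.0/0", "Vlanif3", "2.2.2.2", 100)])                    # backup
    vpn_a = SimpleNamespace(name="vpn-a", addresses={"3.3.3.1", "4.4.4.1"}, nat=None, routes=[
        Route("3.3.3.0/24", "GigabitEthernet0/0"), Route("4.4.4.0/24", "GigabitEthernet0/1"),
        Route("0.0.0.0/0", "GigabitEthernet0/0", "3.3.3.2"),
        Route("192.0.0.0/8", "GigabitEthernet0/1", "4.4.4.2")])
    if with_nat:   # ACL 3001 + 'nat outbound 3001 interface GigabitEthernet0/1'
        vpn_a.nat = make_nat("GigabitEthernet0/1", "4.4.4.1",
                             lambda s, d: in_net(s, "10.0.0.0/8") and in_net(d, "192.168.102.0/24"))
    router = SimpleNamespace(name="router", addresses={"192.168.102.254", "4.4.4.2", "1.1.1.2"}, nat=None, routes=[
        Route("192.168.102.0/24", "GigabitEthernet0/0"), Route("4.4.4.0/24", "GigabitEthernet0/1.1"),
        Route("1.1.1.0/24", "GigabitEthernet0/1.2"),
        Route("0.0.0.0/0", "GigabitEthernet0/1.2", "1.1.1.1")])            # untracked
    return {n.name: n for n in (vpn_b, vpn_a, router)}

def nat_server(net, pub_port, inside_ip, inside_port):
    """Static mapping (nat server) so the centre can open connections to the branch."""
    t = net["vpn-a"].nat
    t.outbound[(inside_ip, inside_port)] = (t.public_ip, pub_port)
    t.sessions[(t.public_ip, pub_port)] = (inside_ip, inside_port)

def forward(net, start, pkt, down=frozenset(), max_hops=8):
    """Carry pkt=(src, sport, dst, dport) hop by hop; returns (outcome, path, pkt)."""
    src, sport, dst, dport = pkt
    n, path = net[start], [start]
    for _ in range(max_hops):
        t = n.nat
        if t and (dst, dport) in t.sessions:                 # reverse translation
            dst, dport = t.sessions[(dst, dport)]
        if dst in n.addresses:
            return "delivered", path, (src, sport, dst, dport)
        r = lookup(n, dst, down)
        if r is None or (n.name, r.out_if) in down:
            return f"dropped at {n.name} ({'no route' if r is None else r.out_if + ' down'})", path, (src, sport, dst, dport)
        if t and r.out_if == t.out_if and t.acl(src, dst):   # source NAT on egress
            if (src, sport) not in t.outbound:               # new PAT session
                t.outbound[(src, sport)] = (t.public_ip, t.next_port)
                t.sessions[(t.public_ip, t.next_port)] = (src, sport)
                t.next_port += 1
            src, sport = t.outbound[(src, sport)]
        if (n.name, r.out_if) not in LINKS:                  # stub LAN: host reached
            return "delivered", path, (src, sport, dst, dport)
        n = net[LINKS[(n.name, r.out_if)][0]]
        path.append(n.name)
    return "loop", path, (src, sport, dst, dport)

def round_trip(net, start, pkt, down=frozenset()):
    """Send pkt, then the reply from wherever it was delivered."""
    req = forward(net, start, pkt, down)
    if req[0] != "delivered":
        return req, None
    s, sp, d, dp = req[2]
    return req, forward(net, req[1][-1], (d, dp, s, sp), down)

def scenarios():
    """Outcomes of the cases discussed in the text; host 10.10.10.2 pings the centre."""
    ping = ("10.10.10.2", 512, "192.168.102.254", 512)
    outage = frozenset({("vpn-b", "Vlanif2"), ("router", "GigabitEthernet0/1.2")})
    out = {"primary up": round_trip(build_net(), "vpn-b", ping),
           "primary down, no NAT": round_trip(build_net(), "vpn-b", ping, outage)}
    net = build_net(with_nat=True)
    out["primary down, NAT"] = round_trip(net, "vpn-b", ping, outage)
    centre = ("192.168.102.254", 40000, "10.10.10.2", 80)              # constructed flow
    out["centre-initiated, NAT only"] = round_trip(net, "router", centre, outage)
    nat_server(net, 8080, "10.10.10.2", 80)                           # 4.4.4.1:8080 -> 10.10.10.2:80
    out["centre-initiated, nat server"] = round_trip(net, "router", centre[:2] + ("4.4.4.1", 8080), outage)
    return out
```

Calling scenarios() reproduces the page's argument: with the primary line down and no NAT the request still reaches the router over vpn-a, but the reply follows the router's untracked default route into the failed link and is dropped; with nat outbound the reply is addressed to 4.4.4.1, lands on vpn-a, is reverse-translated from the session entry and returns through the tunnel, which is the session line icmp:10.10.10.2:512[4.4.4.1:63288]-->192.168.102.254:512 shown later on the page. A centre-initiated flow is dropped at the router until the nat server mapping lets the centre address the branch host through 4.4.4.1.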
Main device configurations
Configuration of the branch device vpn-b:
[vpn-b]dis current-configuration
05:44:05 2000/04/02
#
sysname vpn-b
#
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction inbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default permit interzone local dmz direction inbound
firewall packet-filter default permit interzone local dmz direction outbound
firewall packet-filter default permit interzone trust untrust direction inbound
firewall packet-filter default permit interzone trust untrust direction outbound
firewall packet-filter default permit interzone trust dmz direction inbound
firewall packet-filter default permit interzone trust dmz direction outbound
firewall packet-filter default permit interzone dmz untrust direction inbound
firewall packet-filter default permit interzone dmz untrust direction outbound
#
vlan batch 1 to 4
#
firewall session link-state check
#
#
ip-link check enable
ip-link 1 destination 1.1.1.2 interface Vlanif2 mode icmp
#
web-manager enable
#
l2fwdfast enable
#
acl number 3000
rule 5 permit ip source 10.0.0.0 0.255.255.255 destination 192.0.0.0 0.255.255.255
#
ike proposal 1
authentication-algorithm md5
#
ike peer ike_p
pre-shared-key hs123
ike-proposal 1
remote-address 3.3.3.1
#
ipsec proposal ipsec_p
#
ipsec policy p1 10 isakmp
security acl 3000
ike-peer ike_p
proposal ipsec_p
local-address 2.2.2.1
#
controller E1 2/0/0
cable short
#
interface Vlanif2
ip address 1.1.1.1 255.255.255.0
#
interface Vlanif3
ip address 2.2.2.1 255.255.255.0
ipsec policy p1
#
interface Vlanif4
ip address 10.10.10.1 255.255.255.0
#
interface Cellular5/0/0
link-protocol ppp
#
interface Ethernet0/0/0
#
interface Ethernet1/0/0
portswitch
port link-type access
port access vlan 2
#
interface Ethernet1/0/1
portswitch
port link-type access
port access vlan 3
#
interface Ethernet1/0/2
portswitch
port link-type access
port access vlan 4
#
interface Ethernet1/0/3
portswitch
port link-type access
#
interface Ethernet1/0/4
portswitch
port link-type access
#
interface Ethernet1/0/5
portswitch
port link-type access
#
interface Ethernet1/0/6
portswitch
port link-type access
#
interface Ethernet1/0/7
portswitch
port link-type access
#
interface NULL0
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface Vlanif4
#
firewall zone untrust
set priority 5
add interface Vlanif2
add interface Vlanif3
#
firewall zone dmz
set priority 50
#
aaa
local-user hs123 password simple hs123
local-user hs123 level 3
authentication-scheme default
#
authorization-scheme default
#
accounting-scheme default
#
domain default
domain dot1x
#
#
nqa-jitter tag-version 1
#
ip route-static 0.0.0.0 0.0.0.0 2.2.2.2 preference 100
ip route-static 0.0.0.0 0.0.0.0 1.1.1.2
ip route-static 3.3.3.1 255.255.255.255 2.2.2.2
#
banner enable
#
user-interface con 0
user-interface tty 2
authentication-mode none
modem both
user-interface vty 0 4
authentication-mode aaa
#
slb
#
cwmp
#
right-manager server-group
#
return
******************************************************************************
IPsec status (vpn-b):
[vpn-b]dis ipsec sa
05:44:20 2000/04/02
===============================
Interface: Vlanif3
path MTU: 1500
===============================
-----------------------------
IPsec policy name: "p1"
sequence number: 10
mode: isakmp
vpn: 0
-----------------------------
connection id: 9
rule number: 5
encapsulation mode: tunnel
tunnel local : 2.2.2.1 tunnel remote: 3.3.3.1
flow source: 10.0.0.0/255.0.0.0 0/0
flow destination: 192.0.0.0/255.0.0.0 0/0
[inbound ESP SAs]
spi: 3372503716 (0xc90452a4)
vpn: 0 said: 4 cpuid: 0x0000
proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
sa remaining key duration (bytes/sec): 1887180780/1994
max received sequence-number: 983
udp encapsulation used for nat traversal: N
[outbound ESP SAs]
spi: 2306906496 (0x89809980)
vpn: 0 said: 5 cpuid: 0x0000
proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
sa remaining key duration (bytes/sec): 1887360391/1994
max sent sequence-number: 825
udp encapsulation used for nat traversal: N
[vpn-b]dis ike sa
05:44:26 2000/04/02
current ike sa number: 2
---------------------------------------------------------------------
connection-id peer vpn flag phase doi
--------------------------------------------------------------------
0x9 3.3.3.1 0 RD v1:2 IPSEC
0x7 3.3.3.1 0 RD v1:1 IPSEC
flag meaning
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING
TO--TIMEOUT TD--DELETING NEG--NEGOTIATING D--DPD
Configuration of the centre backup device vpn-a:
[vpn-a]dis current-configuration
#
sysname vpn-a
#
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction inbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default permit interzone local dmz direction inbound
firewall packet-filter default permit interzone local dmz direction outbound
firewall packet-filter default permit interzone trust untrust direction inbound
firewall packet-filter default permit interzone trust untrust direction outbound
firewall packet-filter default permit interzone trust dmz direction inbound
firewall packet-filter default permit interzone trust dmz direction outbound
firewall packet-filter default permit interzone dmz untrust direction inbound
firewall packet-filter default permit interzone dmz untrust direction outbound
#
firewall permit sub-ip
#
firewall statistic system enable
#
ike proposal 1
authentication-algorithm md5
#
ike peer ike_p
pre-shared-key hs123
ike-proposal 1
remote-address 2.2.2.1
#
ipsec proposal ipsec_p
#
ipsec policy p1 10 isakmp
security acl 3000
ike-peer ike_p
proposal ipsec_p
#
interface GigabitEthernet0/0
ip address 3.3.3.1 255.255.255.0
ipsec policy p1
#
interface GigabitEthernet0/1
ip address 4.4.4.1 255.255.255.0
undo ip fast-forwarding qff
#
acl number 3000
rule 5 permit ip source 192.0.0.0 0.255.255.255 destination 10.0.0.0 0.255.255.255
acl number 3001
rule 5 permit ip source 10.0.0.0 0.255.255.255 destination 192.168.102.0 0.0.0.255
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0
#
firewall zone untrust
set priority 5
add interface GigabitEthernet0/1
#
firewall zone dmz
set priority 50
#
firewall interzone local trust
#
firewall interzone local untrust
#
firewall interzone local dmz
#
firewall interzone trust untrust
nat outbound 3001 interface GigabitEthernet0/1
#
firewall interzone trust dmz
#
firewall interzone dmz untrust
#
aaa
local-user hs123 password simple hs123
local-user hs123 service-type telnet
local-user hs123 level 3
#
authentication-scheme default
#
authorization-scheme default
#
accounting-scheme default
#
domain default
#
#
slb
#
ip route-static 0.0.0.0 0.0.0.0 3.3.3.2
ip route-static 192.0.0.0 255.0.0.0 4.4.4.2
#
snmp-agent
snmp-agent local-engineid 000007DB7F00000100002D06
snmp-agent community read public
snmp-agent sys-info version v3
#
user-interface con 0
user-interface vty 0 4
authentication-mode aaa
common
update auto ips time 1:38
update auto dpi time 1:38
update server server-name sec.huaweisymantec.com
#
surfbehavior
#
ips
#
protocol
#
mailfilter
#
return
***************************************************************************************
IPsec status (vpn-a):
[vpn-a]dis ipsec sa
===============================
Interface: GigabitEthernet0/0
path MTU: 1500
===============================
-----------------------------
IPsec policy name: "p1"
sequence number: 10
mode: isakmp
-----------------------------
connection id: 7
encapsulation mode: tunnel
tunnel local : 3.3.3.1 tunnel remote: 2.2.2.1
[inbound ESP SAs]
spi: 2306906496 (0x89809980)
proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
sa remaining key duration (bytes/sec): 1887367291/2212
max received sequence-number: 709
udp encapsulation used for nat traversal: N
[outbound ESP SAs]
spi: 3372503716 (0xc90452a4)
proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
sa remaining key duration (bytes/sec): 1887141416/2212
max sent sequence-number: 869
udp encapsulation used for nat traversal: N
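As an added example (not part of the original post), the following Python parses the display ipsec sa output of vpn-b and the one of vpn-a shown above and checks them against each other: each end's inbound SPI must equal the other end's outbound SPI, the tunnel endpoints and proposals must mirror, and the negotiated algorithms are compared with a list that a modern deployment should refuse. The sample text is copied from the page and trimmed; of the names in the WEAK table only ESP-ENCRYPT-DES and ESP-AUTH-MD5 appear on the page, the other two are assumed Huawei spellings, and the 300 s rekey threshold is arbitrary.

```python
# Added example (not from the post): parse and cross-check the two
# 'display ipsec sa' outputs reproduced on this page.
import re

VPN_B_SA = """\
[vpn-b]dis ipsec sa
Interface: Vlanif3
tunnel local : 2.2.2.1 tunnel remote: 3.3.3.1
[inbound ESP SAs]
spi: 3372503716 (0xc90452a4)
proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
sa remaining key duration (bytes/sec): 1887180780/1994
udp encapsulation used for nat traversal: N
[outbound ESP SAs]
spi: 2306906496 (0x89809980)
proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
sa remaining key duration (bytes/sec): 1887360391/1994
udp encapsulation used for nat traversal: N
"""

VPN_A_SA = """\
[vpn-a]dis ipsec sa
Interface: GigabitEthernet0/0
tunnel local : 3.3.3.1 tunnel remote: 2.2.2.1
[inbound ESP SAs]
spi: 2306906496 (0x89809980)
proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
sa remaining key duration (bytes/sec): 1887367291/2212
udp encapsulation used for nat traversal: N
[outbound ESP SAs]
spi: 3372503716 (0xc90452a4)
proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
sa remaining key duration (bytes/sec): 1887141416/2212
udp encapsulation used for nat traversal: N
"""

# Algorithms a current deployment should not accept. Only the first two names
# appear on the page; the other two are assumed Huawei spellings.
WEAK = {"ESP-ENCRYPT-DES": "56-bit DES", "ESP-AUTH-MD5": "HMAC-MD5",
        "ESP-ENCRYPT-3DES": "3DES (Sweet32)", "ESP-AUTH-SHA1": "HMAC-SHA1"}

# Per-SA fields: regex with one capture group, and a converter for the capture.
FIELDS = {
    "spi": (r"spi: \d+ \((0x[0-9a-f]+)\)", lambda v: int(v, 16)),
    "proposal": (r"proposal: (.+)", str.split),
    "remaining_sec": (r"sa remaining key duration \(bytes/sec\): \d+/(\d+)", int),
    "nat_t": (r"udp encapsulation used for nat traversal: (\w)", lambda v: v == "Y"),
}

def parse_ipsec_sa(text):
    """Return {'local', 'remote', 'inbound': {...}, 'outbound': {...}} for one policy."""
    sa, side = {"inbound": {}, "outbound": {}}, None
    for line in map(str.strip, text.splitlines()):
        m = re.match(r"tunnel local\s*:\s*(\S+)\s+tunnel remote:\s*(\S+)", line)
        if m:
            sa["local"], sa["remote"] = m.groups()
        elif line.startswith("[inbound ESP SAs]"):
            side = "inbound"
        elif line.startswith("[outbound ESP SAs]"):
            side = "outbound"
        elif side:
            for name, (pattern, conv) in FIELDS.items():
                m = re.match(pattern, line)
                if m:
                    sa[side][name] = conv(m.group(1))
    return sa

def check_pair(a, b, min_remaining_sec=300):
    """Cross-check both ends of one tunnel; findings are tagged ERROR, WEAK or INFO."""
    out = []
    if (a["local"], a["remote"]) != (b["remote"], b["local"]):
        out.append("ERROR: tunnel endpoints are not mirror images")
    for mine, theirs in (("inbound", "outbound"), ("outbound", "inbound")):
        if a[mine].get("spi") != b[theirs].get("spi"):
            out.append(f"ERROR: A {mine} SPI does not match B {theirs} SPI")
        if a[mine].get("proposal") != b[theirs].get("proposal"):
            out.append(f"ERROR: proposal differs between A {mine} and B {theirs}")
    for label, sa in (("A", a), ("B", b)):
        sides = [sa[s] for s in ("inbound", "outbound")]
        for alg in sorted({alg for s in sides for alg in s.get("proposal", [])}):
            if alg in WEAK:
                out.append(f"WEAK: {label} negotiated {alg} ({WEAK[alg]})")
        for s in sides:
            if s.get("remaining_sec", 0) < min_remaining_sec:
                out.append(f"INFO: {label} SA rekeys in {s.get('remaining_sec')} s")
        if not any(s.get("nat_t") for s in sides):
            out.append(f"INFO: {label} has no NAT-T; a branch behind carrier NAT (3G/ADSL) needs it")
    return out

if __name__ == "__main__":
    for finding in check_pair(parse_ipsec_sa(VPN_B_SA), parse_ipsec_sa(VPN_A_SA)):
        print(finding)
```

For the outputs on this page the cross-check passes (the SPIs 0xc90452a4 and 0x89809980 are mirrored exactly), but both ends are flagged WEAK: the empty ipsec proposal ipsec_p in both configurations fell back to DES and MD5, so explicit AES and SHA-2 algorithms should be configured under the ipsec and ike proposals (the exact command syntax depends on the platform version). The NAT-T line is informational here because both lab endpoints are public, but it is the first thing to check when a 3G or ADSL branch fails to pass traffic.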
****************************************************************************************
NAT status (vpn-a):
[vpn-a]dis firewall session table nat
icmp:10.10.10.2:512[4.4.4.1:63288]-->192.168.102.254:512
Configuration of the centre primary router:
[router]dis current-configuration
#
version 5.20, Release 1618
#
sysname router
#
domain default enable system
#
vlan 1
#
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
#
local-user admin
password cipher .]@USE=B,53Q=^Q`MAF4<1!!
service-type telnet
level 3
#
interface Aux0
async mode flow
link-protocol ppp
#
interface NULL0
#
interface GigabitEthernet0/0
port link-mode route
ip address 192.168.102.254 255.255.255.0
#
interface GigabitEthernet0/1
port link-mode route
#
interface GigabitEthernet0/1.1
vlan-type dot1q vid 10
ip address 4.4.4.2 255.255.255.0
#
interface GigabitEthernet0/1.2
vlan-type dot1q vid 2
ip address 1.1.1.2 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.1
#
snmp-agent
snmp-agent local-engineid 800007DB03000FE2A2A370
snmp-agent community read public
snmp-agent sys-info version v3
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
authentication-mode scheme
#
return