Features
The IPSEC multi-peer mutual backup function automatically switches IPSEC VPN negotiation to a backup peer (several backup peers can be configured) when negotiation with the primary peer fails, which provides IPSEC VPN redundancy.
1. Networking requirements
The headquarters router connects to the Internet through two egress links, one from China Telecom and one from China Unicom. When the China Telecom line is interrupted, the branch must be able to establish an IPSEC VPN with the headquarters router over the China Unicom line so that communication between the branch and the headquarters continues.
2. Network topology
3. Configuration points
1. Configure basic IPSEC functions
2. Configure the IPSEC multi-peer mutual backup function on the branch router
3. Configure the IPSEC DPD function on the branch router
4. Configuration steps
1. Configure basic IPSEC functions
Select the IPSEC deployment solution that fits the on-site environment and customer requirements. For the detailed configuration, refer to the IPSEC "Basic Configuration" chapter (Typical Configuration--->Security--->IPSEC--->Basic Configuration).
1) Apply the IPSEC crypto map to both the China Telecom and the China Unicom egress interfaces of the headquarters router
interface GigabitEthernet 0/0
crypto map mymap //Apply the crypto map to the China Telecom egress interface
interface GigabitEthernet 0/1
crypto map mymap //Apply the crypto map to the China Unicom egress interface
2) If pre-shared key authentication is used, the branch must be configured with a pre-shared key for each headquarters address, i.e. for the China Telecom egress IP and for the China Unicom egress IP.
crypto isakmp key 0 ruijie address x.x.x.x
crypto isakmp key 0 ruijie address yyyy //Specify the pre-shared keys for the China Telecom IP and the China Unicom IP respectively.
2. Configure the IPSEC multi-peer mutual backup function on the branch router
crypto map mymap 5 ipsec-isakmp
set peer xxxx //Specify the China Telecom public IP as the primary (first) peer
set peer yyyy //Specify the China Unicom public IP as the backup peer
3. Configure the IPSEC DPD function on the branch router
For the IPSEC DPD configuration method, refer to the "IPSEC DPD Configuration" chapter (Typical Configuration--->Security--->IPSEC--->Extended Configuration--->IPSEC DPD Configuration).
Note:
When the IPSEC multi-peer mutual backup function is used, IPSEC DPD must also be configured on the branch router. Without DPD the branch cannot detect that the primary peer has failed, so it never switches to the second peer.
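The three configuration points above, collected into one branch-router configuration. This is an added consolidated example, not configuration taken from the original guide or from a Ruijie reference: the ISAKMP policy, transform set, access list and the `crypto isakmp keepalive` DPD line use the Cisco-style syntax the guide's own snippets follow, but their exact form, the encryption algorithms, the interface names and the subnets are assumptions to be checked against the "Basic Configuration" and "IPSEC DPD Configuration" chapters. `x.x.x.x` and `y.y.y.y` stand for the headquarters' China Telecom and China Unicom public IPs, `<PSK>` for the pre-shared key, and `10.0.0.1` is the branch WAN address shown in the verification output.

```text
! Branch router: consolidated example (assumed RGOS syntax, not from the original guide)
!
! Phase 1 policy (algorithm choices are an assumption for this example)
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
!
! Step 1: one pre-shared key per headquarters egress address
! x.x.x.x = China Telecom public IP, y.y.y.y = China Unicom public IP
crypto isakmp key 0 <PSK> address x.x.x.x
crypto isakmp key 0 <PSK> address y.y.y.y
!
! Step 3: DPD, so a dead primary peer is detected and the backup peer is tried
! (assumed syntax: 10-second keepalive interval, 3-second retry, periodic probes)
crypto isakmp keepalive 10 3 periodic
!
! Phase 2 transform set (assumed)
crypto ipsec transform-set myset esp-aes esp-sha-hmac
!
! Traffic to protect: branch LAN to headquarters LAN (constructed subnets)
ip access-list extended 101
 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
!
! Step 2: crypto map with primary peer first and backup peer second
crypto map mymap 5 ipsec-isakmp
 set peer x.x.x.x
 set peer y.y.y.y
 set transform-set myset
 match address 101
!
! Apply the crypto map to the branch WAN interface (interface name assumed)
interface GigabitEthernet 0/0
 ip address 10.0.0.1 255.255.255.0
 crypto map mymap
```

The order of the `set peer` lines is what makes `x.x.x.x` the primary peer: negotiation starts with the first peer and falls back to the next one only after DPD declares the current peer dead, which is why the keepalive line is the part that must not be omitted.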
5. Configuration verification
1. Initiate data traffic from the branch to the headquarters to trigger IPSEC VPN establishment.
The IPSEC VPN is now established between the branch and the headquarters' China Telecom public IP address.
Ruijie#show crypto isakmp sa
destination source state conn-id lifetime(second)
xxxx 10.0.0.1 IKE_IDLE 0 84129 //xxxx is the telecom public network IP
2. Disconnect the China Telecom egress cable on the headquarters router and keep sending traffic from the branch to the headquarters.
The IPSEC VPN is now established between the branch and the headquarters' China Unicom public IP address.
Ruijie#show crypto isakmp sa
destination source state conn-id lifetime(second)
yyyy 10.0.0.1 IKE_IDLE 0 84129 //yyyy is the China Unicom public network IP