Currently I have one router at each location, and the two are connected by an IPsec site-to-site tunnel. It looks like this:
Location A:
crypto map crypto-map-1 1 ipsec-isakmp
 description Tunnel to Location B
 set peer 12.12.12.12
 set transform-set ESP-3DES-SHA
 match address internal-ips
Location B:
crypto map crypto-map-1 1 ipsec-isakmp
 description Tunnel to Location A
 set peer 11.11.11.11
 set transform-set ESP-3DES-SHA
 match address internal-ips
Can I get failover by adding a second set peer at location B, like this?
Location A (new secondary router; the configuration on the existing router stays unchanged):
crypto map crypto-map-1 1 ipsec-isakmp
 description Tunnel to Location B
 set peer 12.12.12.12
 set transform-set ESP-3DES-SHA
 match address internal-ips
Location B (configuration changed):
crypto map crypto-map-1 1 ipsec-isakmp
 description Tunnel to Location A
 set peer 11.11.11.11
 ! 11.11.11.100 is the ip of the new second router at location A
 set peer 11.11.11.100
 set transform-set ESP-3DES-SHA
 match address internal-ips
Cisco says:
For crypto map entries created with the crypto map map-name seq-num ipsec-isakmp command, you can specify multiple peers by repeating this command. The peer that packets are actually sent to is determined by the last peer that the router heard from (received either traffic or a negotiation request from) for a given data flow. If the attempt fails with the first peer, Internet Key Exchange (IKE) tries the next peer on the crypto map list.
But I don't fully understand what happens in the failover scenario (where one of the routers, say at location A, blows up).
Yes, this is the correct approach. If you want one of the two routers to be used by default, you can also add the default keyword after set peer ...
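A fuller version of the location B side, added here as an illustration and not taken from the question or the answer above. It reuses the addresses and names from the post. The crypto isakmp keepalive line is an addition (the standard IOS dead peer detection command, which the thread does not mention): without some form of liveness detection, the router at B has no way to notice that the peer it last heard from is gone until the existing SA expires and the rekey fails, so failover can take a long time.

```cisco
! Location B (the side that decides the failover). Example configuration,
! not the original poster's running config.
!
! Dead peer detection: send a keepalive every 10 s, retry every 3 s once
! the peer stops answering. This is what lets the router give up on a dead
! peer promptly instead of waiting for the SA lifetime to run out.
crypto isakmp keepalive 10 3 periodic
!
crypto map crypto-map-1 1 ipsec-isakmp
 description Tunnel to Location A
 ! Primary router at location A. "default" tells IOS to try this peer first
 ! rather than simply sticking with whichever peer it last heard from.
 set peer 11.11.11.11 default
 ! Secondary router at location A (11.11.11.100 from the post), used only
 ! when negotiation with the primary fails.
 set peer 11.11.11.100
 set transform-set ESP-3DES-SHA
 match address internal-ips
!
! Both routers at location A keep a single peer pointing at B; the secondary
! router is simply a copy of the primary's crypto map, as in the question.
crypto map crypto-map-1 1 ipsec-isakmp
 description Tunnel to Location B
 set peer 12.12.12.12
 set transform-set ESP-3DES-SHA
 match address internal-ips
```

To check which peer B is actually using at any moment, look at the remote address in show crypto isakmp sa and show crypto ipsec sa on the B router; after the primary at A goes down you should see the IKE SA to 11.11.11.11 disappear and a new one to 11.11.11.100 appear. Enable the keepalive on the A routers as well, so that they also drop stale SAs if B is the side that fails.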