IPSec High Availability Techniques

August 12, 2015, 17:11
9. High-availability techniques for IPsec VPN:

① DPD (Dead Peer Detection): detects a failed IPsec VPN peer so that traffic can be switched quickly to a backup gateway.

② RRI (Reverse Route Injection): solves the routing side of the high-availability problem, so that the route to the protected network follows whichever gateway currently holds the tunnel.

****************DPD**************

1. DPD working modes:

Periodic mode: a timer is configured and the router sends DPD packets at that interval regardless of traffic. The advantage is that a peer failure is detected quickly; the drawback is that the constant DPD traffic consumes more device and network resources.

On-demand mode: DPD's default mode. DPD messages are sent according to the traffic pattern, that is, the router probes only when it has traffic for the peer and has not heard from it recently. The advantage is that DPD is sent only when needed, saving resources and bandwidth; the drawback is that it takes somewhat longer to detect an IPsec VPN gateway failure.

Lab topology:

With the default configuration in place, the IPsec VPN can be established at this point:

Site2#sho cry en conn active

Crypto Engine Connections

ID Type Algorithm Encrypt Decrypt LastSeqN IP-Address

1 IPsec DES+MD5 0 10 13 23.1.1.3

2 IPsec DES+MD5 10 0 0 23.1.1.3

1001 IKE SHA+DES 0 0 0 23.1.1.3

Now let's look at the behaviour without DPD (the WAN failure is simulated by shutting down f1/0 on the Internet router):

Site1#debug crypto isakmp

Crypto ISAKMP debugging is on

Internet(config)#int f1/0

Internet(config-if)#shu

Site1#ping 3.3.3.3 so 1.1.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:

Packet sent with a source address of 1.1.1.1

.....

Success rate is 0 percent (0/5)

Site1#sho cry en conn active

Crypto Engine Connections

ID Type Algorithm Encrypt Decrypt LastSeqN IP-Address

1 IPsec DES+MD5 0 8 9 12.1.1.1

2 IPsec DES+MD5 19 0 0 12.1.1.1

1001 IKE SHA+DES 0 0 0 12.1.1.1

This shows that without DPD the IPsec VPN cannot detect a failed gateway, so it keeps encrypting packets with the stale IPsec SA (the counters above keep increasing even though nothing gets through). Next, the same scenario with DPD enabled:

Site1(config)#crypto isakmp keepalive ?

<10-3600> Number of seconds between keep alives

Site1(config)#crypto isakmp keepalive 10 periodic

Site2(config)#crypto isakmp keepalive 10 periodic

On both Site1 and Site2:

Site1/Site2#cle crypto isakmp

Site1/Site2#cle crypto sa

Internet(config)#int f1/0

Internet(config-if)#no shu

At this point Site1 and Site2 can communicate again:

Site1#ping 3.3.3.3 so 1.1.1.1

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:

Packet sent with a source address of 1.1.1.1

.!!!!

Success rate is 80 percent (4/5), round-trip min/avg/max = 184/208/240 ms

Now let's look at DPD detecting the failed gateway (f1/0 on the Internet router is shut down again; Site1 sends an R_U_THERE probe, gets no reply, and increments its error counter every 2 seconds):

*Apr 22 23:56:20.535: ISAKMP:(1002):Sending NOTIFY DPD/R_U_THERE protocol 1

spi 1746747408, message ID = 1135002381

*Apr 22 23:56:20.535: ISAKMP:(1002): seq. no 0x1B47B85D

*Apr 22 23:56:20.535: ISAKMP:(1002): sending packet to 23.1.1.3 my_port 500 peer_port 500 (I) QM_IDLE

*Apr 22 23:56:20.535: ISAKMP:(1002):Sending an IKE IPv4 Packet.

*Apr 22 23:56:20.539: ISAKMP:(1002):purging node 1135002381

*Apr 22 23:56:20.539: ISAKMP:(1002):Input = IKE_MESG_FROM_TIMER, IKE_TIMER_IM_ALIVE

*Apr 22 23:56:20.543: ISAKMP:(1002):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

Site1#

*Apr 22 23:56:20.767: ISAKMP:(1002):purging node 593664099

Site1#

*Apr 22 23:56:22.539: ISAKMP:(1002):DPD incrementing error counter (1/5)

*Apr 22 23:56:22.539: ISAKMP: set new node 511611758 to QM_IDLE

*Apr 22 23:56:22.539: ISAKMP:(1002):Sending NOTIFY DPD/R_U_THERE protocol 1

spi 1746747408, message ID = 511611758

*Apr 22 23:56:22.539: ISAKMP:(1002): seq. no 0x1B47B85E

*Apr 22 23:56:22.539: ISAKMP:(1002): sending packet to 23.1.1.3 my_port 500 peer_port 500 (I) QM_IDLE

*Apr 22 23:56:22.543: ISAKMP:(1002):Sending an IKE IPv4 Packet.

*Apr 22 23:56:22.543: ISAKMP:(1002):purging node 511611758

*Apr 22 23:56:22.547: ISAKMP:(1002):Input = IKE_MESG_FROM_TIMER, IKE_TIMER_PEERS_ALIVE

Site1#

*Apr 22 23:56:22.547: ISAKMP:(1002):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

Site1#

*Apr 22 23:56:24.543: ISAKMP:(1002):DPD incrementing error counter (2/5)

*Apr 22 23:56:24.543: ISAKMP: set new node -2042738143 to QM_IDLE

*Apr 22 23:56:24.547: ISAKMP:(1002):Sending NOTIFY DPD/R_U_THERE protocol 1

spi 1746747408, message ID = -2042738143

*Apr 22 23:56:24.547: ISAKMP:(1002): seq. no 0x1B47B85F

*Apr 22 23:56:24.551: ISAKMP:(1002): sending packet to 23.1.1.3 my_port 500 peer_port 500 (I) QM_IDLE

*Apr 22 23:56:24.551: ISAKMP:(1002):Sending an IKE IPv4 Packet.

*Apr 22 23:56:24.551: ISAKMP:(1002):purging node -2042738143

*Apr 22 23:56:24.555: ISAKMP:(1002):Input = IKE_MESG_FROM_TIMER, IKE_TIMER_PEERS_ALIVE

Site1#

*Apr 22 23:56:24.555: ISAKMP:(1002):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

Site1#

*Apr 22 23:56:26.555: ISAKMP:(1002):DPD incrementing error counter (3/5)

*Apr 22 23:56:26.555: ISAKMP: set new node 1264419706 to QM_IDLE

*Apr 22 23:56:26.559: ISAKMP:(1002):Sending NOTIFY DPD/R_U_THERE protocol 1

spi 1746747408, message ID = 1264419706

*Apr 22 23:56:26.559: ISAKMP:(1002): seq. no 0x1B47B860

*Apr 22 23:56:26.559: ISAKMP:(1002): sending packet to 23.1.1.3 my_port 500 peer_port 500 (I) QM_IDLE

*Apr 22 23:56:26.563: ISAKMP:(1002):Sending an IKE IPv4 Packet.

*Apr 22 23:56:26.563: ISAKMP:(1002):purging node 1264419706

*Apr 22 23:56:26.567: ISAKMP:(1002):Input = IKE_MESG_FROM_TIMER, IKE_TIMER_PEERS_ALIVE

Site1#

*Apr 22 23:56:26.567: ISAKMP:(1002):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

Site1#

*Apr 22 23:56:28.007: ISAKMP:(1002):purging node 519630341

*Apr 22 23:56:28.567: ISAKMP:(1002):DPD incrementing error counter (4/5)

*Apr 22 23:56:28.567: ISAKMP: set new node 2041023417 to QM_IDLE

*Apr 22 23:56:28.571: ISAKMP:(1002):Sending NOTIFY DPD/R_U_THERE protocol 1

spi 1746747408, message ID = 2041023417

*Apr 22 23:56:28.571: ISAKMP:(1002): seq. no 0x1B47B861

*Apr 22 23:56:28.571: ISAKMP:(1002): sending packet to 23.1.1.3 my_port 500 peer_port 500 (I) QM_IDLE

*Apr 22 23:56:28.575: ISAKMP:(1002):Sending an IKE IPv4 Packet.

*Apr 22 23:56:28.575: ISAKMP:(1002):purging node 2041023417

Site1#

*Apr 22 23:56:28.579: ISAKMP:(1002):Input = IKE_MESG_FROM_TIMER, IKE_TIMER_PEERS_ALIVE

*Apr 22 23:56:28.579: ISAKMP:(1002):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
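As an added example (not part of the original note), a small Python parser that walks the debug crypto isakmp lines above, tracks the DPD retry state per IKE SA, and gives the worst-case failover delay for periodic DPD. The 2-second retry spacing and the 5-retry limit are read off the log above; treating them as the platform defaults in worst_case_detection_seconds is an assumption.

```python
import re
from datetime import datetime

# Constructed sample: a condensed excerpt in the format of the IOS
# "debug crypto isakmp" output shown above (timestamps and counters as on the page).
SAMPLE_DEBUG = """\
*Apr 22 23:56:20.535: ISAKMP:(1002):Sending NOTIFY DPD/R_U_THERE protocol 1
*Apr 22 23:56:22.539: ISAKMP:(1002):DPD incrementing error counter (1/5)
*Apr 22 23:56:22.539: ISAKMP: set new node 511611758 to QM_IDLE
*Apr 22 23:56:24.543: ISAKMP:(1002):DPD incrementing error counter (2/5)
*Apr 22 23:56:26.555: ISAKMP:(1002):DPD incrementing error counter (3/5)
*Apr 22 23:56:28.567: ISAKMP:(1002):DPD incrementing error counter (4/5)
"""

# Matches "*Mon DD HH:MM:SS.mmm: ISAKMP:(<sa>):<message>"; lines without an SA id are skipped.
LINE_RE = re.compile(r"^\*?(?P<mon>\w{3}) (?P<day>\d+) (?P<time>\d\d:\d\d:\d\d\.\d+): "
                     r"ISAKMP:\((?P<sa>\d+)\):(?P<msg>.*)$")
COUNTER_RE = re.compile(r"DPD incrementing error counter \((\d+)/(\d+)\)")

def parse_ts(mon, day, time):
    # IOS debug timestamps carry no year, so the parsed date is only used for deltas.
    return datetime.strptime(f"{mon} {day} {time}", "%b %d %H:%M:%S.%f")

def dpd_status(debug_text):
    """Per IKE SA: first R_U_THERE probe time, retries seen, the retry limit IOS prints,
    seconds elapsed since the first probe, and whether the limit is reached (SA torn down)."""
    state = {}
    for line in debug_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        sa, ts = int(m["sa"]), parse_ts(m["mon"], m["day"], m["time"])
        s = state.setdefault(sa, {"first_probe": None, "retries": 0, "limit": None,
                                  "elapsed": 0.0, "dead": False})
        if "Sending NOTIFY DPD/R_U_THERE" in m["msg"] and s["first_probe"] is None:
            s["first_probe"] = ts
        c = COUNTER_RE.search(m["msg"])
        if c:
            s["retries"], s["limit"] = int(c.group(1)), int(c.group(2))
            if s["first_probe"] is not None:
                s["elapsed"] = (ts - s["first_probe"]).total_seconds()
            s["dead"] = s["retries"] >= s["limit"]
    return state

def worst_case_detection_seconds(keepalive, retry=2, retries=5):
    """Upper bound on failover delay with periodic DPD: one keepalive interval until the
    next probe plus the retry window (2 s spacing and 5 retries as seen in the log; assumed defaults)."""
    return keepalive + retry * retries
```

With keepalive 10 periodic as configured above, the bound is 20 seconds; the log shows four of the five retries spent after about 8 seconds, consistent with that estimate.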
