Primary/Backup Link Redundancy Scenario (Network Setup)
0 Topology Diagram
1 Basic Information
FW1
IP Address Configuration
Interface             IP Address/Mask    Physical  Protocol
GigabitEthernet1/0/0  202.53.163.1/24    up        up
GigabitEthernet1/0/1  202.53.164.1/24    up        up
GigabitEthernet1/0/2  10.1.1.254/24      up        up
Security Zone Configuration
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/2
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/0
add interface GigabitEthernet1/0/1
IP-link Configuration
The probe's next hop must be the upstream gateway on that interface, 202.53.163.2 (the same next hop used by the tracked static routes below); pointing it at FW1's own address 202.53.163.1 would never test the path.
ip-link check enable
ip-link name iplink1
destination 2.2.2.2 interface GigabitEthernet1/0/0 mode icmp next-hop 202.53.163.2
Route Configuration
Design: the routes to the remote intranet go primarily via G1/0/0 and are bound to the IP-link; two default routes are configured the same way, also primarily via G1/0/0. The preference-10 routes win while iplink1 is up; when the probe fails they are withdrawn and the preference-20 routes via G1/0/1 take over.
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet1/0/0 202.53.163.2 preference 10 track ip-link iplink1
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet1/0/1 202.53.164.2 preference 20
ip route-static 10.2.1.0 255.255.255.0 GigabitEthernet1/0/0 202.53.163.2 preference 10 track ip-link iplink1
ip route-static 10.2.1.0 255.255.255.0 GigabitEthernet1/0/1 202.53.164.2 preference 20
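To make the failover behaviour concrete, here is an added Python model (not part of the original configuration) that parses FW1's ip-link and static-route lines as given above, shows which route is installed for each prefix while iplink1 is up or down, and checks that the probe tests the same interface and next hop as the routes that depend on it. The probe next hop is written as the upstream gateway 202.53.163.2, the same next hop the tracked routes use; the value 60 assumed for routes without an explicit preference is Huawei's default for static routes.

```python
"""Model of the primary/backup static-route failover configured above.

Added example, not part of the original configuration. It parses the
`ip route-static ... track ip-link` lines and the `ip-link` probe from
FW1, shows which route is installed when the probe is up or down, and
checks that every probe tests the path of the routes that depend on it.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# FW1 routing excerpt from the page (probe next hop = upstream gateway).
FW1_ROUTING = """
ip-link check enable
ip-link name iplink1
 destination 2.2.2.2 interface GigabitEthernet1/0/0 mode icmp next-hop 202.53.163.2
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet1/0/0 202.53.163.2 preference 10 track ip-link iplink1
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet1/0/1 202.53.164.2 preference 20
ip route-static 10.2.1.0 255.255.255.0 GigabitEthernet1/0/0 202.53.163.2 preference 10 track ip-link iplink1
ip route-static 10.2.1.0 255.255.255.0 GigabitEthernet1/0/1 202.53.164.2 preference 20
"""

@dataclass
class StaticRoute:
    prefix: str
    mask: str
    interface: str
    next_hop: str
    preference: int        # lower wins; Huawei default for static routes is 60
    track: Optional[str]   # ip-link that must be up for the route to be installed

@dataclass
class IpLink:
    name: str
    destination: str
    interface: str
    next_hop: str

ROUTE_RE = re.compile(
    r"ip route-static (\S+) (\S+) (\S+) (\d+\.\d+\.\d+\.\d+)"
    r"(?: preference (\d+))?(?: track ip-link (\S+))?$"
)
PROBE_RE = re.compile(r"destination (\S+) interface (\S+) mode \S+ next-hop (\S+)$")

def parse_routing(text: str) -> Tuple[List[StaticRoute], Dict[str, IpLink]]:
    """Extract static routes and ip-link probes from a VRP-style excerpt."""
    routes: List[StaticRoute] = []
    links: Dict[str, IpLink] = {}
    current = None  # name of the ip-link stanza we are inside
    for raw in text.splitlines():
        line = raw.strip()
        if m := ROUTE_RE.match(line):
            prefix, mask, iface, nh, pref, track = m.groups()
            routes.append(StaticRoute(prefix, mask, iface, nh,
                                      int(pref) if pref else 60, track))
        elif m := re.match(r"ip-link name (\S+)$", line):
            current = m.group(1)
        elif current and (m := PROBE_RE.match(line)):
            dest, iface, nh = m.groups()
            links[current] = IpLink(current, dest, iface, nh)
    return routes, links

def active_routes(routes: List[StaticRoute],
                  link_up: Dict[str, bool]) -> Dict[Tuple[str, str], StaticRoute]:
    """Return the route installed for each (prefix, mask).

    A route whose tracked ip-link is down is withdrawn; among the remaining
    candidates for a prefix the lowest preference wins.
    """
    best: Dict[Tuple[str, str], StaticRoute] = {}
    for r in routes:
        if r.track and not link_up.get(r.track, False):
            continue
        key = (r.prefix, r.mask)
        if key not in best or r.preference < best[key].preference:
            best[key] = r
    return best

def check_probe_next_hops(routes: List[StaticRoute], links: Dict[str, IpLink]) -> List[str]:
    """Flag tracked routes whose probe does not go out the same interface
    and next hop as the route; such a probe cannot detect the gateway
    failure the route is supposed to react to."""
    problems = []
    for r in routes:
        if not r.track:
            continue
        link = links.get(r.track)
        if link is None:
            problems.append(f"{r.prefix}/{r.mask}: tracks undefined ip-link {r.track}")
        elif (link.interface, link.next_hop) != (r.interface, r.next_hop):
            problems.append(f"{r.prefix}/{r.mask} via {r.interface} {r.next_hop}: "
                            f"ip-link {link.name} probes via {link.interface} {link.next_hop}")
    return problems

if __name__ == "__main__":
    routes, links = parse_routing(FW1_ROUTING)
    for state in (True, False):
        print(f"iplink1 {'up' if state else 'down'}:")
        for (prefix, mask), r in active_routes(routes, {"iplink1": state}).items():
            print(f"  {prefix}/{mask} -> {r.interface} {r.next_hop} (preference {r.preference})")
    print("probe check:", check_probe_next_hops(routes, links) or "ok")
    # Constructed variant: probe next hop mistyped as FW1's own address.
    typo = FW1_ROUTING.replace("next-hop 202.53.163.2", "next-hop 202.53.163.1")
    print("typo check:", check_probe_next_hops(*parse_routing(typo)))
```

Run it as a script to see both states printed; the same check is worth running against the FW2 side, whose probe via GigabitEthernet1/0/1 and next hop 2.2.2.1 guards the Tunnel1 route.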
FW2
IP Address Configuration
Interface             IP Address/Mask    Physical  Protocol
GigabitEthernet1/0/0  10.2.1.254/24      up        up
GigabitEthernet1/0/1  2.2.2.2/24         up        up
Security Zone Configuration
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/0
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
add interface Tunnel1
add interface Tunnel2
IP-link Configuration
ip-link check enable
ip-link name iplink1
destination 202.53.163.1 interface GigabitEthernet1/0/1 mode icmp next-hop 2.2.2.1
Route Configuration
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet1/0/1 2.2.2.1
ip route-static 10.1.1.0 255.255.255.0 Tunnel1 202.53.163.1 preference 10 track ip-link iplink1
ip route-static 10.1.1.0 255.255.255.0 Tunnel2 202.53.164.1 preference 20
2 IPsec Basic Configuration
Both firewalls must use identical IKE and IPsec proposals and the same pre-shared key; the key shown here (Huawei@123) is the example's placeholder and must be replaced with a strong, unique key in a real deployment.
FW1
#
ike proposal 10
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
ike peer fenzhi
pre-shared-key Huawei@123
ike-proposal 10
remote-address 2.2.2.2
#
acl number 3000
rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.2.1.0 0.0.0.255
acl number 3001
rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.2.1.0 0.0.0.255
#
ipsec proposal pro1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#
ipsec policy map1 10 isakmp
security acl 3000
ike-peer fenzhi
proposal pro1
#
ipsec policy map2 10 isakmp
security acl 3001
ike-peer fenzhi
proposal pro1
The two lines below apply the policy groups to the uplink interfaces; the interface context is not shown in this excerpt, but map1 belongs on GigabitEthernet1/0/0 (FW2 peer a1 uses remote-address 202.53.163.1) and map2 on GigabitEthernet1/0/1 (FW2 peer a2 uses remote-address 202.53.164.1).
#
ipsec policy map1
ipsec policy map2
FW2
ike proposal 10
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
ike peer a1
pre-shared-key Huawei@123
ike-proposal 10
remote-address 202.53.163.1
#
ike peer a2
pre-shared-key Huawei@123
ike-proposal 10
remote-address 202.53.164.1
#
acl number 3000
rule 5 permit ip source 10.2.1.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
acl number 3001
rule 5 permit ip source 10.2.1.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ipsec proposal pro1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#
ipsec policy map1 10 isakmp
security acl 3000
ike-peer a1
proposal pro1
ipsec policy map2 10 isakmp
security acl 3001
ike-peer a2
proposal pro1
#
interface Tunnel1
ip address unnumbered interface GigabitEthernet1/0/1
tunnel-protocol ipsec
ipsec policy map1
#
interface Tunnel2
ip address unnumbered interface GigabitEthernet1/0/1
tunnel-protocol ipsec
ipsec policy map2
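As an added consistency check (not part of the original page or of Huawei's tooling), the following Python script parses the peer, ACL and policy blocks excerpted from both firewalls above and verifies the two properties a site-to-site policy pair must satisfy: each peer's remote-address is an interface address of the other firewall, and every protected flow has a mirror-image rule on the other side. The address sets come from the interface tables above; the deliberately broken FW2 variant at the end is constructed for illustration.

```python
"""Mirror-image check for the FW1/FW2 IPsec policies above.

Added example, not part of the original configuration. It parses the
`ike peer`, `acl number` and `ipsec policy ... isakmp` blocks excerpted
from both firewalls and reports the two mismatches that most often keep a
site-to-site tunnel down: a peer whose remote-address is not an address of
the other firewall, and a protected flow with no reversed rule opposite.
"""
import re
from typing import Dict, List, Set, Tuple

# Excerpts of the page's FW1 and FW2 configuration (proposals, keys and
# interface stanzas omitted; they are not needed for this check).
FW1_CONFIG = """
ike peer fenzhi
 remote-address 2.2.2.2
#
acl number 3000
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.2.1.0 0.0.0.255
acl number 3001
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.2.1.0 0.0.0.255
#
ipsec policy map1 10 isakmp
 security acl 3000
 ike-peer fenzhi
#
ipsec policy map2 10 isakmp
 security acl 3001
 ike-peer fenzhi
"""
FW2_CONFIG = """
ike peer a1
 remote-address 202.53.163.1
#
ike peer a2
 remote-address 202.53.164.1
#
acl number 3000
 rule 5 permit ip source 10.2.1.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
acl number 3001
 rule 5 permit ip source 10.2.1.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ipsec policy map1 10 isakmp
 security acl 3000
 ike-peer a1
ipsec policy map2 10 isakmp
 security acl 3001
 ike-peer a2
"""
# Interface addresses of each firewall, from the address tables on the page.
FW1_ADDRS = {"202.53.163.1", "202.53.164.1", "10.1.1.254"}
FW2_ADDRS = {"10.2.1.254", "2.2.2.2"}

Rule = Tuple[str, str, str, str]  # (source, wildcard, destination, wildcard)

def parse_ipsec(text: str):
    """Return (peers, acls, policies) keyed by peer name, ACL number, policy name."""
    peers: Dict[str, Dict[str, str]] = {}
    acls: Dict[str, List[Rule]] = {}
    policies: Dict[str, Dict[str, str]] = {}
    ctx = None  # (block type, name) of the stanza we are inside
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"ike peer (\S+)$", line):
            ctx = ("peer", m.group(1))
            peers[ctx[1]] = {}
        elif m := re.match(r"acl number (\d+)$", line):
            ctx = ("acl", m.group(1))
            acls[ctx[1]] = []
        elif m := re.match(r"ipsec policy (\S+) \d+ isakmp$", line):
            ctx = ("policy", m.group(1))
            policies[ctx[1]] = {}
        elif not line or line == "#":
            ctx = None
        elif ctx and ctx[0] == "peer" and (m := re.match(r"remote-address (\S+)$", line)):
            peers[ctx[1]]["remote"] = m.group(1)
        elif ctx and ctx[0] == "acl" and (m := re.match(
                r"rule \d+ permit ip source (\S+) (\S+) destination (\S+) (\S+)$", line)):
            acls[ctx[1]].append(m.groups())
        elif ctx and ctx[0] == "policy" and (m := re.match(r"(security acl|ike-peer) (\S+)$", line)):
            policies[ctx[1]]["acl" if m.group(1) == "security acl" else "peer"] = m.group(2)
    return peers, acls, policies

def check_site_to_site(local: str, remote: str, remote_addrs: Set[str]) -> List[str]:
    """Check each isakmp policy of `local` against the `remote` side.

    Returns human-readable problems; an empty list means peer addresses and
    protected flows are consistent in this direction (run it both ways).
    """
    peers, acls, policies = parse_ipsec(local)
    _, remote_acls, _ = parse_ipsec(remote)
    remote_flows = {rule for rules in remote_acls.values() for rule in rules}
    problems = []
    for name, pol in policies.items():
        remote_addr = peers.get(pol.get("peer", ""), {}).get("remote")
        if remote_addr not in remote_addrs:
            problems.append(f"{name}: peer remote-address {remote_addr} is not an "
                            f"address of the other firewall")
        for src, src_w, dst, dst_w in acls.get(pol.get("acl", ""), []):
            if (dst, dst_w, src, src_w) not in remote_flows:
                problems.append(f"{name}: no mirror-image rule on the other side for "
                                f"{src}/{src_w} -> {dst}/{dst_w}")
    return problems

if __name__ == "__main__":
    print("FW1 -> FW2:", check_site_to_site(FW1_CONFIG, FW2_CONFIG, FW2_ADDRS) or "ok")
    print("FW2 -> FW1:", check_site_to_site(FW2_CONFIG, FW1_CONFIG, FW1_ADDRS) or "ok")
    # Constructed mistake: FW2's acl 3000 protects the wrong remote subnet.
    broken = FW2_CONFIG.replace("destination 10.1.1.0", "destination 10.1.2.0", 1)
    print("broken FW2 -> FW1:", check_site_to_site(broken, FW1_CONFIG, FW1_ADDRS))
```

The check is deliberately direction-specific: run it from FW1 against FW2 and again from FW2 against FW1, because a flow that is protected on only one side shows up as an IKE Phase 2 proposal or traffic-selector mismatch rather than as a clear configuration error on the device.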