1. Environment overview
Enterprise firewall: ASA5525 9.14(4)23
Zenlayer cloud network
IPsec is configured between the ASA and Zenlayer so that the BGP routing protocol can run between the ASA and Zenlayer over the tunnels. The ASA side has two links to the ISP; the Zenlayer cloud side provides a single IP. The goal is active/standby failover between the two tunnels and BGP route propagation.
2. Configuration
Configuration note: only the key steps are listed; this is not the complete configuration.
(1) IPsec configuration
crypto ikev2 policy 10
 encryption aes
 integrity sha
 group 14
 prf sha
 lifetime seconds 86400
!
crypto ipsec ikev2 ipsec-proposal zenlayer
 protocol esp encryption aes
 protocol esp integrity sha-1
!
crypto ipsec profile zenlayer
 set ikev2 ipsec-proposal zenlayer
 set pfs group14
 set security-association lifetime seconds 43200
!
interface Tunnel3
 nameif To_Zenlayer_A
 ip address 与Zenlayer互联地址1
 tunnel source interface outside1
 tunnel destination Zenlayer公网IP
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile zenlayer
!
interface Tunnel4
 nameif To_Zenlayer_S
 ip address 与Zenlayer互联地址2
 tunnel source interface outside2
 tunnel destination Zenlayer公网IP
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile zenlayer
!
group-policy Zenlayer internal
group-policy Zenlayer attributes
 vpn-tunnel-protocol ikev2
!
tunnel-group Zenlayer type ipsec-l2l
tunnel-group Zenlayer general-attributes
 default-group-policy Zenlayer
tunnel-group Zenlayer ipsec-attributes
 isakmp keepalive threshold 10 retry 10
 ikev2 remote-authentication pre-shared-key 共享密钥
 ikev2 local-authentication pre-shared-key 共享密钥
(2) BGP configuration
router bgp 10000
 address-family ipv4 unicast
  neighbor 与Zenlayer互联地址1 remote-as ZenlayerAS号
  neighbor 与Zenlayer互联地址1 activate
  neighbor 与Zenlayer互联地址1 prefix-list 前缀列表 out
  neighbor 与Zenlayer互联地址2 remote-as ZenlayerAS号
  neighbor 与Zenlayer互联地址2 activate
  neighbor 与Zenlayer互联地址2 prefix-list 前缀列表 out
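As an added review aid (not part of the original post or of any Zenlayer/Cisco tooling), the script below parses the IPsec and BGP sections above and reports the points a reviewer would check before deploying: on ASA, `integrity sha`, `prf sha` and `protocol esp integrity sha-1` all select SHA-1, the profile should carry a PFS group, and each BGP neighbor should have an outbound prefix-list so only the intended prefixes are advertised. The baseline, the sample addresses (10.0.0.1, 10.0.0.2), AS 65001 and the prefix-list name TO_ZENLAYER are my own constructed stand-ins for the page's placeholders.

```python
# Constructed sample: the page's IKEv2/IPsec/BGP commands, with constructed addresses
# and AS numbers in place of the page's placeholders (the 'activate' lines are omitted).
ASA_CONFIG = """\
crypto ikev2 policy 10
 encryption aes
 integrity sha
 group 14
 prf sha
 lifetime seconds 86400
crypto ipsec ikev2 ipsec-proposal zenlayer
 protocol esp encryption aes
 protocol esp integrity sha-1
crypto ipsec profile zenlayer
 set ikev2 ipsec-proposal zenlayer
 set pfs group14
 set security-association lifetime seconds 43200
router bgp 10000
 address-family ipv4 unicast
  neighbor 10.0.0.1 remote-as 65001
  neighbor 10.0.0.1 prefix-list TO_ZENLAYER out
  neighbor 10.0.0.2 remote-as 65001
"""
# Assumed baseline (mine, not the page's): SHA-1-class hashes are flagged, PFS is required.
WEAK_HASHES = {"sha", "sha-1", "md5"}
def parse_blocks(cfg):
    """Group indented sub-commands (as token lists) under their column-0 command."""
    blocks, head = {}, None
    for line in filter(str.strip, cfg.splitlines()):
        if line[0] != " ":
            head = line.strip()
            blocks[head] = []
        else:
            blocks[head].append(line.split())
    return blocks
def audit(cfg):
    """Return a list of finding strings; an empty list means the config meets the baseline."""
    findings = []
    for head, body in parse_blocks(cfg).items():
        if head.startswith(("crypto ikev2 policy", "crypto ipsec ikev2 ipsec-proposal")):
            for cmd in body:
                if ("integrity" in cmd or "prf" in cmd) and WEAK_HASHES & set(cmd):
                    findings.append(f"{head}: '{' '.join(cmd)}' uses a SHA-1-class hash")
        elif head.startswith("crypto ipsec profile") and not any(c[:2] == ["set", "pfs"] for c in body):
            findings.append(f"{head}: no PFS group set")
        elif head.startswith("router bgp"):
            # a peer with no outbound prefix-list can be sent every route the ASA knows
            peers = {c[1] for c in body if c[0] == "neighbor" and "remote-as" in c}
            guarded = {c[1] for c in body if c[0] == "neighbor" and "prefix-list" in c and c[-1] == "out"}
            findings += [f"{head}: neighbor {p} has no outbound prefix-list" for p in sorted(peers - guarded)]
    return findings
```

Running `audit(ASA_CONFIG)` on the sample reports the three SHA-1 selections and the second neighbor's missing outbound prefix-list; swapping in sha256 and adding the prefix-list clears the findings.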