Configuring BGP in a FlexVPN network
Greetings!
Please help with the following problem:
Hub-Spoke is configured
HUB:
!
!
!
redundancy
!
crypto ikev2 proposal FLEX-VPN-Proposal
encryption aes-cbc-256
integrity sha256
group 20
!
crypto ikev2 policy FlexVPN
match fvrf any
proposal FLEX-VPN-Proposal
!
crypto ikev2 keyring KEYRING
peer FLEXVPN
address 0.0.0.0 0.0.0.0
identity address 0.0.0.0
pre-shared-key local CnhtktwF*
pre-shared-key remote CnhtktwF*
!
!
!
crypto ikev2 profile IKEV2-PROFILE
match identity remote fqdn domain sberlogistica.ru
identity local fqdn R1-COD.sberlogistica.ru
authentication remote pre-share
authentication local pre-share
keyring local KEYRING
virtual-template 1
!
!
!
!
!
!
crypto ipsec transform-set FLEX esp-aes 256 esp-sha256-hmac
mode tunnel
!
crypto ipsec profile FlexVPN2
set transform-set FLEX
set pfs group19
set ikev2-profile IKEV2-PROFILE
!
!
!
!
!
!
!
!
!
!
interface Loopback2
description For FlexVPN
ip address 172.18.100.1 255.255.255.255
!
interface GigabitEthernet1
description ISP1
ip address 82.151.100.2 255.255.255.252
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet2
description ISP2
ip address 72.151.100.2 255.255.255.252
negotiation auto
no mop enabled
no mop sysid
!
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback2
ip nhrp network-id 100
ip nhrp redirect
tunnel protection ipsec profile FlexVPN2
!
router bgp 65001
bgp log-neighbor-changes
bgp listen range 172.18.100.0/24 peer-group SPOKE
neighbor SPOKE peer-group
neighbor SPOKE remote-as 65002
neighbor SPOKE update-source Loopback2
neighbor SPOKE timers 1 3
!
address-family ipv4
neighbor SPOKE activate
exit-address-family
!!!
SPOKE:

redundancy
!
crypto ikev2 proposal FLEX-VPN-Proposal
encryption aes-cbc-256
integrity sha256
group 20
!
crypto ikev2 policy FlexVPN
match fvrf any
proposal FLEX-VPN-Proposal
!
crypto ikev2 keyring KEYRING
peer FLEXVPN
address 0.0.0.0 0.0.0.0
identity address 0.0.0.0
pre-shared-key local CnhtktwF*
pre-shared-key remote CnhtktwF*
!
!
!
crypto ikev2 profile IKEV2-PROFILE
match identity remote fqdn domain sberlogistica.ru
identity local fqdn Office-C.sberlogistica.ru
authentication remote pre-share
authentication local pre-share
keyring local KEYRING
virtual-template 1
!
crypto ikev2 client flexvpn toDC
peer 1 82.151.100.2 track 52
peer 2 72.151.100.2 track 57
peer 3 82.151.100.6 track 60
peer 4 72.151.100.6 track 63
peer reactivate
source 1 GigabitEthernet1 track 100
source 2 GigabitEthernet2 track 200
client connect Tunnel0
!
!
!
crypto ipsec transform-set FLEX esp-aes 256 esp-sha256-hmac
mode tunnel
!
crypto ipsec profile FlexVPN2
set transform-set FLEX
set pfs group19
set ikev2-profile IKEV2-PROFILE
!
!
interface Loopback2
description For FlexVPN
ip address 172.18.100.3 255.255.255.255
!
interface Tunnel0
description to COD
ip unnumbered Loopback2
ip nhrp network-id 100
ip nhrp shortcut virtual-template 1
ip nhrp redirect
tunnel source dynamic
tunnel destination dynamic
tunnel path-mtu-discovery
tunnel protection ipsec profile FlexVPN2
!
interface GigabitEthernet1
description ISP1
ip address 92.151.100.10 255.255.255.252
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet2
description ISP2
ip address 100.151.100.10 255.255.255.252
negotiation auto
no mop enabled
no mop sysid
!
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback2
ip nhrp network-id 100
ip nhrp shortcut virtual-template 1
tunnel protection ipsec profile FlexVPN2
!
router bgp 65002
bgp log-neighbor-changes
neighbor 172.18.100.1 remote-as 65001
neighbor 172.18.100.1 update-source Loopback2
neighbor 172.18.100.1 timers 1 3
!
address-family ipv4
neighbor 172.18.100.1 activate
exit-address-family
!
!!

Office-C#sh crypto session
Crypto session current status

Interface: Tunnel0
Profile: IKEV2-PROFILE
Session status: UP-ACTIVE
Peer: 82.151.100.2 port 500
Session ID: 2
IKEv2 SA: local 92.151.100.10/500 remote 82.151.100.2/500 Active
IPSEC FLOW: permit 47 host 92.151.100.10 host 82.151.100.2
Active SAs: 2, origin: crypto map
But after the tunnel comes up, the LoopBack interfaces of the HUB and SPOKE and, accordingly, there is no way to bring up BGP.


20 Oct 2020, 14:48