Topic expression

As shown in the figure, FW1 and FW2 are active and standby HA, FW1 is active access, FW2 is standby access, FW3 and FW4 establish IPSec VPN tunnel with FW1 and FW2 through isp1 line. When isp1 line fails, use standby ISP2 line, FW1 and FW2 establish VPN tunnel, in which FW3 is located behind NAT equipment, and the external address is not fixed
Requirement: the traffic priority is to establish IPSEC tunnel through ISP1

Interface condition

1. FW1 interface fails, and the flow is switched to FW2-ISP1
2. FW1 interface failure and ISP1 failure, flow switching to FW2-ISP2
3. After the interface is restored, the flow returns to FW1-ISP1

Equipment condition

1. When FW1 fails, flow FW2-ISP1
2. When FW1 fails and ISP1 fails, flow FW2-ISP2
3. When the equipment fault recovers, the flow returns to FW1-ISP1

Answer ideas

Backup mode of active and standby links

1. The headquarters firewall creates four ACL S, two of which are the same, two of which specify the headquarters to FW4 and two of which specify the headquarters to FW3

2. The headquarters firewall creates the corresponding Ike peer FW3 & FW4, where FW3 does not configure the peer address, and FW4 specifies the peer address

3. The headquarters creates two ipsec policy groups. Each policy group contains two policies for FW3 and FW4, which are called on G1/0/3 and G1/0/4 interfaces respectively

4. The headquarters invokes the policy template for the policy of FW3, and configures the tunnel local address as the VRRP address in the policy to prevent the matching failure when the headquarters is the initiator of the negotiation

5. FW1 and FW2 of the headquarters are respectively configured with two default routes, one to ISP1 and the other to ISP2. The default binding IP link to ISP1 detects the G0/0/0 interface of ISP1 and switches to ISP2 in time in case of interface failure

6. Branch FW3 is behind the NAT device, creates two tunnel interfaces, and the tunnel interface calls the physical interface address, creates two ipsec policy groups, and specifies two VRRP addresses of the opposite end respectively

7. Divide the tunnel interface into areas, configure two static routes, specify the intranet address of the opposite end, and select the tunnel interface. Two static routes, one active and one standby, are bound with IP link to detect the VRRP address of the interface between the opposite end firewall and ISP1.

8. FW4 is the same as FW3

9. Ensure the HA active standby relationship on FW1 and FW2, and ensure the normal synchronization of status information.

Command Reference

FW1 & FW2 key configurations (FW1 and FW2 are directly synchronized, so it only needs to be configured on FW1)

acl number 3000
 rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.32.0 0.0.0.255
acl number 3001
 rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.32.0 0.0.0.255
acl number 3002
 rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.23.0 0.0.0.255
acl number 3003
 rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.23.0 0.0.0.255
#
ipsec proposal hub
#
ike proposal 10
#
ike peer FW4
 pre-shared-key 123456
 ike-proposal 10
 remote-address 10.1.33.40
#
ike peer FW3
 pre-shared-key 123456
 ike-proposal 10
#
ipsec policy-template tmp1 1
 security acl 3002
 ike-peer FW3
 proposal hub
#
ipsec policy-template tmp2 1
 security acl 3003
 ike-peer FW3
 proposal hub
#
ipsec policy hub1 1 isakmp
 security acl 3000
 ike-peer FW4
 proposal hub
ipsec policy hub1 2 isakmp template tmp
#
ipsec policy hub2 1 isakmp
 security acl 3001
 ike-peer FW4
 proposal hub
ipsec policy hub2 2 isakmp template tmp
#
interface GigabitEthernet1/0/3
 ipsec policy hub1
interface GigabitEthernet1/0/4
 ipsec policy hub2
#
ip-link check enable
ip-link name ISP1
 destination 10.1.40.11 interface GigabitEthernet1/0/3 mode icmp
#
ip route-static 0.0.0.0 0.0.0.0 10.1.9.11 track ip-link ISP1
ip route-static 0.0.0.0 0.0.0.0 10.1.10.12 preference 70
#

FW3 key configuration (the same as FW4)

acl number 3000
 rule 5 permit ip source 10.1.23.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
acl number 3001
 rule 5 permit ip source 10.1.23.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ipsec proposal FW3
#
ike proposal 10
#
ike peer hub1
 pre-shared-key 123456
 ike-proposal 10
 remote-address 10.1.9.254
#
ike peer hub2
 pre-shared-key 123456
 ike-proposal 10
 remote-address 10.1.10.254
#
ipsec policy spoke1 1 isakmp
 security acl 3000
 ike-peer hub1
 proposal FW3
#
ipsec policy spoke2 1 isakmp
 security acl 3001
 ike-peer hub2
 proposal FW3
#
interface Tunnel1
 ip address unnumbered interface GigabitEthernet1/0/0
 tunnel-protocol ipsec
 ipsec policy spoke1
interface Tunnel2
 ip address unnumbered interface GigabitEthernet1/0/0
 tunnel-protocol ipsec
 ipsec policy spoke2
#
firewall zone untrust
add interface Tunnel1
 add interface Tunnel2
#
ip-link check enable
ip-link name ISP1
 destination 10.1.9.254 interface GigabitEthernet1/0/0 mode icmp
#
ip route-static 10.1.2.0 255.255.255.0 Tunnel1 track ip-link ISP1
ip route-static 10.1.2.0 255.255.255.0 Tunnel2

Configuration result view

Tunnel link backup mode

1. The headquarters creates the tunnel interface and assigns the public network address to ensure the connectivity of the underlying route
2. Divide the tunnel interface into areas, and configure the static routing (detailed) output interface as tunnel
3. Create two ACL S and specify the opposite end as FW4 and FW3 intranet segments respectively
4. Create an IPSec policy group, and create two policy serial numbers for FW4 and FW3 respectively, of which FW3 is configured as a policy template
5. Call ipsec Policy Group on Tunnel interface
6. The ipsec configuration of the branch is the same as the first method

The configuration command is the same as above! Note that only one policy group needs to be configured on fw1 & FW2, and two policies can be called on the tunnel interface.