At one site, our device serves as the egress router with two Internet uplinks, a 4G link and a PPPoE link, backing each other up so that the branch keeps a stable IPsec VPN to headquarters. During deployment, however, it was found that when the PPPoE link was cut, traffic switched to 4G correctly, but after the PPPoE link was restored the IPsec VPN was still built over 4G and never moved back to the PPPoE link.

First, the main configuration of the branch router at this site:
#
interface Dialer1
ppp chap password cipher XXXXX
ppp chap user XXXXX
ppp ipcp dns admit-any
ppp ipcp dns request
ppp pap local-user
dialer bundle enable
dialer-group 1
dialer timer idle 0
ip address ppp-negotiate
qos car inbound carl 1 cir 8000 cbs 500000 ebs 0 green pass red discard yellow pass
tcp mss 1024
nat outbound 3011
ipsec apply policy 1
#
interface Eth-channel1/0:0
dialer circular enable
dialer-group 1
dialer timer idle 0
dialer timer autodial 60
dialer number #777 autodial
ip address cellular-alloc
tcp mss 1280
nat outbound 3011
ipsec apply policy 1
#
ip route-static 0.0.0.0 0 Dialer1
ip route-static 0.0.0.0 0 Eth-channel1/0:0 preference 120
ipsec transform-set transform1
esp encryption-algorithm 3des-cbc
esp authentication-algorithm md5
#
ipsec policy 1 1 isakmp
transform-set transform1
security acl 3010
remote-address xxxxx
ike-profile profile1
#
ike profile profile1
keychain keychain1
exchange-mode aggressive
local-identity fqdn fenbu
match remote identity address xxxxx
match remote identity fqdn center
proposal 1
#
ike proposal 1
encryption-algorithm 3des-cbc
dh group2
authentication-algorithm md5
#
ike keychain keychain1
pre-shared-key address XXXXX key cipher XXXXXX
The part to look at is the static route configuration: two default routes are configured, one with the default preference for the PPPoE dial-up link and one with preference 120 for the 4G link. When the PPPoE link goes down, 4G dials up normally and installs the preference-120 default route, and IPsec also comes up normally:
[H3C]dis ip routing-table
Destinations : 13 Routes : 13
Destination/Mask Proto Pre Cost NextHop Interface
0.0.0.0/0 Static 120 0 202.111.53.5 Eth-channel1/0:0
Checking the IKE SA and the IPsec SA:
Connection-ID Remote Flag DOI
------------------------------------------------------------------
1 XXXXXXXXX RD IPsec
Flags:
RD--READY RL--REPLACED FD-FADING RK-REKEY
Tunnel id: 0
Encapsulation mode: tunnel
Perfect Forward Secrecy:
Inside VPN:
Extended Sequence Numbers enable: N
Traffic Flow Confidentiality enable: N
Path MTU: 1436
Tunnel:
local address: xxxxxx
remote address: xxxxxx
Flow:
sour addr: xxxxxx/xxxxxx port: 0 protocol: ip
dest addr: xxxxxx/xxxxxx port: 0 protocol: ip
[Inbound ESP SAs]
SPI: 421129928 (0x1919eec8)
Connection ID: 4294967296
Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-MD5
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843152/1644
Max received sequence-number: 167
Anti-replay check enable: Y
Anti-replay window size: 64
UDP encapsulation used for NAT traversal: N
Status: Active
[Outbound ESP SAs]
SPI: 1130428997 (0x4360fa45)
Connection ID: 4294967297
Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-MD5
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843172/1644
Max sent sequence-number: 272
UDP encapsulation used for NAT traversal: N
Status: Active
Now we restore the PPPoE link. Because the 4G default route is still active in the routing table, PPPoE cannot dial up normally, so the PPPoE default route never takes effect; the IPsec VPN stays on the 4G line and does not switch back to the PPPoE line.
The fix is to tie the default route to an NQA probe through Track and use route recursion to work around the problem of the PPPoE default route not taking effect. Note that the snippet below refers to Dialer0 and Eth-channel0/0:0, whereas the configuration above uses Dialer1 and Eth-channel1/0:0; the interface names must match the actual dialer and cellular interfaces on the device.
nqa entry 1 1 // create the NQA test group
type icmp-echo // set the test type to ICMP echo
destination ip 114.114.114.114 // probe destination 114.114.114.114
frequency 500 // probe interval
probe timeout 1500 // probe timeout
reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only // reaction item that track 1 references below (added here because the track command needs it; the threshold of 3 consecutive failures is an assumed value)
nqa schedule 1 1 start-time now lifetime forever // start the test immediately and keep it running
track 1 nqa entry 1 1 reaction 1 // bind track 1 to reaction 1 of the NQA entry
ip route-static 0.0.0.0 0 Eth-channel0/0:0 preference 120 // keep the original 4G default route unchanged
ip route-static 114.114.114.114 32 Dialer0 permanent // permanent host route to 114.114.114.114 out of Dialer0, so the NQA probe is always sent over PPPoE
ip route-static 0.0.0.0 0 1.2.3.4 track 1 preference 5 // default route with a next hop that does not actually exist, bound to track 1, preference changed to 5
ip route-static 1.2.3.4 32 Dialer0 // host route to 1.2.3.4 via Dialer0, used only so the tracked default route recurses to Dialer0
With this in place, when the PPPoE link goes down the NQA probe fails, the PPPoE default route is withdrawn, and the 4G default route takes effect. When the PPPoE link comes back, the NQA probe succeeds, track 1 goes up, and the original PPPoE default route becomes active again.
Internet-bound traffic goes out the PPPoE interface by default. Because Track requires a next-hop address on the static route, and the dialer interface obtains its address through PPPoE so neither its address nor the next hop is fixed, route recursion is used: the default route points at an arbitrary address (1.2.3.4 here), and a host route resolves that address to the dialer interface as the exit.
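To show why the tracked preference-5 default route wins only while the probe succeeds, and why the host route to 1.2.3.4 is what turns it into a Dialer0 route, here is an added Python model of the route selection (not H3C code and not part of the original post): longest prefix first, then lowest preference, tracked routes withdrawn while the track is down, and next-hop-only routes resolved again. The route set mirrors the fix above; the 8.8.8.8 destination and the label track1 are constructed for the example.

```python
import ipaddress

# Constructed model of the branch router's static routes after the fix
# (interface names taken from the fix snippet). Fields: prefix,
# preference, next hop (None = directly attached), exit interface, track.
ROUTES = [
    ("0.0.0.0/0", 120, None, "Eth-channel0/0:0", None),  # 4G default route
    ("114.114.114.114/32", 60, None, "Dialer0", None),   # permanent probe route
    ("0.0.0.0/0", 5, "1.2.3.4", None, "track1"),         # PPPoE default, tracked
    ("1.2.3.4/32", 60, None, "Dialer0", None),           # recursion helper
]


def resolve(dst, routes, track_state, depth=0):
    """Return the exit interface for dst: longest prefix first, then
    lowest preference; a route whose track is down is not installed;
    a route with only a next hop is resolved again (route recursion)."""
    if depth > 8:          # guard against a recursion loop between routes
        return None
    addr = ipaddress.ip_address(dst)
    candidates = []
    for prefix, pref, next_hop, ifc, track in routes:
        net = ipaddress.ip_network(prefix)
        if addr not in net:
            continue
        if track is not None and not track_state.get(track, False):
            continue       # track down: the route is withdrawn from the FIB
        candidates.append((net.prefixlen, -pref, next_hop, ifc))
    if not candidates:
        return None
    # highest prefix length wins, then the lowest preference value
    candidates.sort(key=lambda c: (c[0], c[1]), reverse=True)
    _, _, next_hop, ifc = candidates[0]
    if ifc is not None:
        return ifc
    return resolve(next_hop, routes, track_state, depth + 1)


def exit_interface(dst, pppoe_up):
    """The NQA probe result drives track1: up while PPPoE carries the probe."""
    return resolve(dst, ROUTES, {"track1": pppoe_up})


if __name__ == "__main__":
    for state in (True, False):
        print("PPPoE up" if state else "PPPoE down",
              "-> 8.8.8.8 via", exit_interface("8.8.8.8", state),
              "; probe via", exit_interface("114.114.114.114", state))
```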