Policy-based routing for VPN connections with a VPN Client configuration

network-engineering cisco vpn cisco-ios pbr
2021-07-18 05:24:56

Our company has a Cisco 2800 router that also serves as the VPN server. We use VPN Client to connect to our corporate network (please don't laugh, I know it is outdated, but I haven't had time lately to switch to SSL VPN).

The router has two WAN connections. One is the main WAN (the "slow wan" link, with the slower upload, 10D/1U mbps), used by the corporate workstations the employees work on. The other is our backup link. It has a higher upload speed, 11D/11U mbps (the "fast wan"), so we also use this high-upload link for our web server (I have already done this with PBR, only for the http traffic coming from the web server). For many other reasons we cannot use the fast wan connection as our primary connection; it is only used as a failover when the main link goes down.

The fast wan also has a static IP address, and we use this static IP in the VPN Client configuration.

The situation now is that, because of the failover, when we connect from outside with VPN Client the traffic comes in on the fast wan interface but leaves through the slow wan interface, and because the slow wan has only 1 mbps upload the VPN connection is very slow.

Is there any way we can redirect the VPN traffic to always use the fast wan interface and take advantage of that connection's 11 mbps upload?

Below is the sanitized configuration of our router:

!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group dc
key ***
dns 192.168.5.7
domain corp.local
pool SDM_POOL_1
acl 101
max-users 3
netmask 255.255.255.0
crypto isakmp profile sdm-ike-profile-1
   match identity group dc
   isakmp authorization list sdm_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
set security-association idle-time 3600
set transform-set ESP-3DES-SHA
set isakmp-profile sdm-ike-profile-1
!
!
!
!
interface Loopback0
ip address 10.10.10.1 255.255.255.0
!
interface FastEthernet0/0
description *WAN*
no ip address
ip mtu 1396
duplex auto
speed auto
!
interface FastEthernet0/0.3
description FAST-WAN-11D-11U
encapsulation dot1Q 3
ip address 88.XX.XX.75 255.255.255.248
ip load-sharing per-packet
ip nat outside
ip virtual-reassembly
!
interface FastEthernet0/0.4
description SLOW-WAN-10D-1U
encapsulation dot1Q 4
ip address dhcp
ip nat outside
ip virtual-reassembly
no cdp enable
!
interface FastEthernet0/1
description *LOCAL*
no ip address
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1.10
description VLAN 10 192-168-5-0
encapsulation dot1Q 10
ip address 192.168.5.1 255.255.255.0
ip nat inside
ip virtual-reassembly max-reassemblies 32
no cdp enable
!
interface FastEthernet0/1.20
description VLAN 20 10-10-0-0
encapsulation dot1Q 20
ip address 10.10.0.254 255.255.255.0
ip access-group PERMIT-MNG out
ip nat inside
ip virtual-reassembly
!
!!! NOTE: This route map is used to PBR the http traffic for our server
ip policy route-map REDIRECT-VIA-FAST-WAN
no cdp enable
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
!
interface Virtual-Template3
no ip address
!
interface Virtual-Template4
no ip address
!
!
ip local pool SDM_POOL_1 192.168.5.150 192.168.5.152
ip forward-protocol nd
!
!
!
!!! SLOW-WAN NEXT HOP DEFAULT ADDRESS
ip route 0.0.0.0 0.0.0.0 89.XX.XX.1 5
!
!!! FAST-WAN NEXT HOP DEFAULT ADDRESS
ip route 0.0.0.0 0.0.0.0 88.XX.XX.73 10
!
!
!
ip nat inside source route-map FAST-WAN-NAT-RMAP interface FastEthernet0/0.3 overload
ip nat inside source route-map SLOW-WAN-NAT-RMAP interface FastEthernet0/0.4 overload
!
!
access-list 101 remark SDM_ACL Category=4
access-list 101 permit ip 192.168.5.0 0.0.0.255 any
access-list 101 permit ip 10.10.0.0 0.0.0.255 any
!
ip access-list extended FAST-WAN-NAT
permit tcp 192.168.5.0 0.0.0.255 range 1025 65535 any
permit udp 192.168.5.0 0.0.0.255 range 1025 65535 any
permit icmp 192.168.5.0 0.0.0.255 any
permit tcp 10.10.0.0 0.0.0.255 range 1025 65535 any
permit udp 10.10.0.0 0.0.0.255 range 1025 65535 any
permit icmp 10.10.0.0 0.0.0.255 any
ip access-list extended REDIRECT-VIA-FAST-WAN
deny   tcp host 10.10.0.43 eq 443 9675 192.168.5.0 0.0.0.255
permit tcp host 10.10.0.43 eq 443 9675 any
ip access-list extended SLOW-WAN-NAT
permit ip 192.168.5.0 0.0.0.255 any
permit ip 10.10.0.0 0.0.0.255 any
!
!
route-map FAST-WAN-NAT-RMAP permit 10
match ip address FAST-WAN-NAT
match interface FastEthernet0/0.3
!
route-map REDIRECT-VIA-FAST-WAN permit 10
match ip address REDIRECT-VIA-FAST-WAN
set ip next-hop 88.XX.XX.73
!
route-map SLOW-WAN-NAT-RMAP permit 10
match ip address SLOW-WAN-NAT
match interface FastEthernet0/0.4
!
!

PS: feel free to suggest a better (more descriptive) title for this post.

Update: 20.12.2013

I did what John Kennedy suggested. However, the traffic is still routed out the slow-wan interface. I created a separate route-map for the other LAN interface. Here are the configuration and the show output:

While executing these commands I was actually connected via SSH over the VPN. Just in case, I also tried disconnecting and reconnecting.

You may notice that when I execute the show access-list command there are no matches for ESP or AHP protocol packets.

Likewise for the newly created route-map REDIRECT-VIA-FAST-WAN2 there are no matching packets, although my VPN-assigned IP address falls into the 192.168.5.0 subnet.

Router# sh run inter fa0/1.10
!
interface FastEthernet0/1.10
 description VLAN 10 192-168-5-0
 encapsulation dot1Q 10
 ip address 192.168.5.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly max-reassemblies 32
 ip policy route-map REDIRECT-VIA-FAST-WAN2
 no cdp enable
end

Router#
Router#sh run inter fa0/1.20
Building configuration...

Current configuration : 251 bytes
!
interface FastEthernet0/1.20
 description VLAN 20 10-10-0-0
 encapsulation dot1Q 20
 ip address 10.10.0.254 255.255.255.0
 ip access-group PERMIT-MNG out
 ip nat inside
 ip virtual-reassembly
 ip policy route-map REDIRECT-VIA-FAST-WAN
 no cdp enable
end

Router#
Router#sh route-map
route-map REDIRECT-VIA-FAST-WAN2, permit, sequence 10
  Match clauses:
    ip address (access-lists): REDIRECT-VIA-FAST-WAN2
  Set clauses:
    ip next-hop 88.XX.XX.73
  Policy routing matches: 0 packets, 0 bytes
!
route-map REDIRECT-VIA-FAST-WAN, permit, sequence 10
  Match clauses:
    ip address (access-lists): REDIRECT-VIA-FAST-WAN
  Set clauses:
    ip next-hop 88.XX.XX.73
  Policy routing matches: 1948323 packets, 2212263065 bytes
!
Router#
Router#sh access-lists REDIRECT-VIA-FAST-WAN
Extended IP access list REDIRECT-VIA-FAST-WAN
    10 deny tcp host 10.10.0.43 eq 443 9675 192.168.5.0 0.0.0.255 (2068620 matches)
    20 permit tcp host 10.10.0.43 eq 443 9675 any (1948603 matches)
    30 permit esp any any
    40 permit ahp any any
    !
    !!! NOTE: FIRST I TRIED WITHOUT THESE. THEY WERE ADDED AFTERWARDS JUST IN CASE. 
    !!! ALSO THE ROUTER ITSELF CORRECTED THE PORT NUMBERS INTO THE CORRESPONDING PROTOCOLS
    50 permit udp any any eq isakmp
    60 permit udp any any eq 10000
    !
    !!! I MAY ASSUME THAT THE CORRECTED ENTRY non500-isakmp ACTUALY MEANS "THIS WILL NOT BE USED FOR ISAKMP
    70 permit udp any any eq non500-isakmp 
    80 permit tcp any any eq 4500
Router#sh access-lists REDIRECT-VIA-FAST-WAN2
Extended IP access list REDIRECT-VIA-FAST-WAN2
    10 permit ahp any any
    20 permit esp any any
    30 permit udp any any eq isakmp
    40 permit udp any any eq 10000
    50 permit udp any any eq non500-isakmp
    60 permit tcp any any eq 4500
Router#
2 answers

You could simply append to the ACL "REDIRECT-VIA-FAST-WAN" to route the IPSEC traffic out of your "fast wan" interface.

ip access-list extended REDIRECT-VIA-FAST-WAN
deny   tcp host 10.10.0.43 eq 443 9675 192.168.5.0 0.0.0.255
permit tcp host 10.10.0.43 eq 443 9675 any
permit ahp any any
permit esp any any

Or, if your router does not have the "ahp" and "esp" options for extended ACLs, you could simply add the specific ports the ipsec client tunnel passes over, i.e. UDP ports 500, 10000 and 4500, plus TCP 4500 for good measure.

ip access-list extended REDIRECT-VIA-FAST-WAN
deny   tcp host 10.10.0.43 eq 443 9675 192.168.5.0 0.0.0.255
permit tcp host 10.10.0.43 eq 443 9675 any
permit udp any any eq 500
permit udp any any eq 10000
permit udp any any eq 4500
permit tcp any any eq 4500

You may also have to append to your "PERMIT-MNG" ACL to allow the outbound IPSEC traffic (depending on what that ACL is configured for), but you removed it from the running config, so I cannot comment on it fully.
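As an added illustration (not code from the original post or either answer): a small Python model of the first-match ACL evaluation that interface PBR performs, loaded with the REDIRECT-VIA-FAST-WAN entries shown in the question's update. The sample packets are constructed and 192.0.2.75 stands in for the redacted fast-wan address; the model shows that the esp/ahp/isakmp entries would match the encrypted packets, but interface PBR on fa0/1.20 only evaluates packets received on that sub-interface, while the ESP packets are built by the router itself after encryption, which is consistent with the 0 matches those entries show in the update.

```python
# Added example, not part of the original post: models how a Cisco extended
# ACL used by interface PBR evaluates packets, using the REDIRECT-VIA-FAST-WAN
# entries from the question. Interface PBR sees only packets *received* on the
# interface; router-originated ESP never passes through fa0/1.20, so the
# esp/ahp/isakmp lines there never count matches. Sample data is constructed.
from ipaddress import ip_address, ip_network

def entry(seq, action, proto, src, sport, dst, dport):
    # sport/dport: tuple of allowed ports, or None for "any port"
    return dict(seq=seq, action=action, proto=proto, src=ip_network(src),
                sport=sport, dst=ip_network(dst), dport=dport)

# Wildcard masks from the IOS config rewritten as CIDR; 'eq 443 9675' is an OR.
REDIRECT_VIA_FAST_WAN = [
    entry(10, "deny", "tcp", "10.10.0.43/32", (443, 9675), "192.168.5.0/24", None),
    entry(20, "permit", "tcp", "10.10.0.43/32", (443, 9675), "0.0.0.0/0", None),
    entry(30, "permit", "esp", "0.0.0.0/0", None, "0.0.0.0/0", None),
    entry(40, "permit", "ahp", "0.0.0.0/0", None, "0.0.0.0/0", None),
    entry(50, "permit", "udp", "0.0.0.0/0", None, "0.0.0.0/0", (500,)),
    entry(60, "permit", "udp", "0.0.0.0/0", None, "0.0.0.0/0", (10000,)),
    entry(70, "permit", "udp", "0.0.0.0/0", None, "0.0.0.0/0", (4500,)),
    entry(80, "permit", "tcp", "0.0.0.0/0", None, "0.0.0.0/0", (4500,)),
]

def acl_lookup(acl, pkt):
    """First-match lookup -> (seq, action); (None, 'deny') is the implicit deny."""
    for e in acl:
        if e["proto"] != pkt["proto"]:
            continue
        if ip_address(pkt["src"]) not in e["src"] or ip_address(pkt["dst"]) not in e["dst"]:
            continue
        if e["sport"] is not None and pkt.get("sport") not in e["sport"]:
            continue
        if e["dport"] is not None and pkt.get("dport") not in e["dport"]:
            continue
        return e["seq"], e["action"]
    return None, "deny"

def policy_routed(acl, pkt, received_on_lan_subif):
    """'ip policy route-map' on fa0/1.20: the packet goes to the route-map's
    next-hop only if it arrived on that sub-interface and the ACL permits it."""
    if not received_on_lan_subif:
        return False  # router-originated ESP is never received on the LAN side
    return acl_lookup(acl, pkt)[1] == "permit"

# Constructed packets: web-server reply to a VPN client (inner, pre-encryption),
# web-server reply to an Internet host, and the ESP packet the router emits.
WEB_TO_VPN_CLIENT = dict(proto="tcp", src="10.10.0.43", sport=443, dst="192.168.5.150", dport=51000)
WEB_TO_INTERNET = dict(proto="tcp", src="10.10.0.43", sport=443, dst="203.0.113.9", dport=51001)
ESP_FROM_ROUTER = dict(proto="esp", src="192.0.2.75", dst="203.0.113.9")
```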

We will redirect the RAS VPN traffic out the preferred WAN interface by applying a route-map to the virtual-template interface.

!
ip access-list extended VPN-ACL
permit ip any 192.168.5.0 0.0.0.255
!
!
!
route-map VPN-MAP
match ip address VPN-ACL
set ip next-hop 88.XX.XX.73
!
!
interface virtual-template 1
ip policy route-map VPN-MAP
!

This route-map should classify all traffic returning via the RAS VPN (any source to the client IP subnet as destination), and after encapsulation/encryption it should route the traffic out your fast-wan interface.