Establishing IPsec tunnels on a VRRP pair with dual exits
Background: while working on my graduation project I found that the design was not quite right. After a VRRP master/backup switchover, the IPsec tunnel did not follow the switchover and re-establish with the backup firewall. The cause is the dual-exit design: the way the routes were laid out, the tunnel stayed on the old path instead of moving with the VRRP master/backup switchover.
fw1 is the master, fw2 the backup.
IPsec configuration (shown for one firewall only; the VRRP and interface configuration is not included here):
ip service-set isakmp type object 16
service 0 protocol udp destination-port 500
service 1 protocol udp destination-port 4500
quit
ipsec proposal 10
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
quit
ike proposal 1
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
quit
ike peer fw
undo version 2
pre-shared-key huawei@123
ike-proposal 1
remote-address 142.42.42.1
quit
acl number 3000
rule 5 permit ip source 10.0.0.0 0.0.255.255 destination 142.42.42.0 0.0.0.255
quit
ipsec policy ipsec 10 isakmp
security acl 3000
ike-peer fw
proposal 10
quit
security-policy
rule name isakmp
source-zone local
source-zone untrust
destination-zone local
destination-zone untrust
source-address 10.0.28.2 mask 255.255.255.255
source-address 142.42.42.1 mask 255.255.255.255
destination-address 10.0.28.2 mask 255.255.255.255
destination-address 142.42.42.1 mask 255.255.255.255
service esp
service isakmp
action permit
Note: the remote firewall needs two ike peers, one for each exit (rt1, rt2):
ike peer fw1
undo version 2
pre-shared-key huawei@123
ike-proposal 1
remote-address 142.42.2.100
quit
ike peer fw2
undo version 2
pre-shared-key huawei@123
ike-proposal 1
remote-address 142.42.4.100
quit
Only one firewall's IPsec configuration is shown here. The other two firewalls are configured almost identically; what changes is the security policy (its addresses must be the firewall's own IKE address and the peer's address, otherwise ISAKMP and ESP are dropped before negotiation even starts), the remote-address of the ike peer on the remote firewall, and the interesting-traffic ACL, which on the far end must be the mirror image of this one (source and destination swapped). The ipsec policy also has to be bound to the outbound interface of each firewall, which is not shown above.
The other thing to plan is the routing. With two exits, a VRRP master/backup switchover must switch the route as well: fw1 leaves through r1 and fw2 through r2, so that the forward and return paths stay on the same side. If the return traffic comes back through the other exit, the IKE negotiation fails and the tunnel never comes up.
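The three things that have to agree across the firewalls (one remote ike peer per exit address, security-policy addresses that cover the IKE endpoints, and mirrored interesting-traffic ACLs) are easy to get wrong when copying a configuration between boxes. The following Python script is an added example, not configuration from this page or Huawei's own tooling: it parses the few Huawei-style statements used above out of plain config text and reports any of those three mismatches. The sample configurations inside it are constructed; they assume fw1 and fw2 use exit addresses 142.42.2.100 and 142.42.4.100 (the addresses the remote ike peers above dial), that the remote firewall is 142.42.42.1, and that the protected networks are 10.0.0.0/16 and 142.42.42.0/24.

```python
"""Consistency check for the mirror-image IPsec settings on both ends of a
VRRP dual-exit pair.  Added example, not configuration from the page: the
parser only understands the Huawei-style statements the page uses, and the
sample configurations below are constructed (assumed exit addresses
142.42.2.100 / 142.42.4.100, remote 142.42.42.1)."""
import ipaddress
import re
from dataclasses import dataclass, field

ACL_RE = re.compile(
    r"rule\s+\d+\s+permit\s+ip\s+source\s+(\S+)\s+(\S+)\s+destination\s+(\S+)\s+(\S+)")


@dataclass
class IpsecView:
    peers: dict = field(default_factory=dict)       # ike peer name -> remote-address
    acl_rules: list = field(default_factory=list)   # (source net, destination net)
    policy_addrs: set = field(default_factory=set)  # /32 hosts in the isakmp/esp security policy


def parse_ipsec_view(text):
    """Pull ike peers, interesting-traffic ACL rules and security-policy hosts out of config text."""
    view, peer = IpsecView(), None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("ike peer "):
            peer = line.split()[2]
        elif line.startswith("remote-address ") and peer:
            view.peers[peer] = ipaddress.ip_address(line.split()[1])
        elif line == "quit":
            peer = None
        acl = ACL_RE.match(line)
        if acl:
            # Huawei ACLs use wildcard (inverse) masks; ipaddress accepts "addr/hostmask" directly
            view.acl_rules.append((ipaddress.ip_network(f"{acl[1]}/{acl[2]}"),
                                   ipaddress.ip_network(f"{acl[3]}/{acl[4]}")))
        elif line.startswith(("source-address ", "destination-address ")):
            parts = line.split()
            if len(parts) == 4 and parts[2] == "mask" and parts[3] == "255.255.255.255":
                view.policy_addrs.add(ipaddress.ip_address(parts[1]))
    return view


def check_site(local_fws, remote):
    """local_fws: {hostname: (IpsecView, exit address)}; returns findings, [] when consistent."""
    findings = []
    for host, (view, exit_ip) in local_fws.items():
        exit_ip = ipaddress.ip_address(exit_ip)
        # the remote end needs one ike peer per exit address, or the tunnel cannot follow a VRRP switchover
        if exit_ip not in remote.peers.values():
            findings.append(f"{host}: remote has no ike peer pointing at its exit address {exit_ip}")
        if exit_ip not in remote.policy_addrs:
            findings.append(f"{host}: remote security policy does not cover {exit_ip}")
        # the local firewall must let isakmp/esp flow between its own exit address and each peer
        for name, peer_ip in view.peers.items():
            for ip in (exit_ip, peer_ip):
                if ip not in view.policy_addrs:
                    findings.append(f"{host}: security policy does not cover {ip} for peer {name}")
        # interesting traffic must be the mirror image of the other end's ACL
        for src, dst in view.acl_rules:
            if (dst, src) not in remote.acl_rules:
                findings.append(f"{host}: remote acl lacks the mirror of {src} -> {dst}")
    return findings


# Constructed sample configurations (not the page's), in the page's statement style.
FW1 = """\
ike peer fw
 undo version 2
 pre-shared-key huawei@123
 ike-proposal 1
 remote-address 142.42.42.1
 quit
acl number 3000
 rule 5 permit ip source 10.0.0.0 0.0.255.255 destination 142.42.42.0 0.0.0.255
 quit
security-policy
 rule name isakmp
  source-address 142.42.2.100 mask 255.255.255.255
  source-address 142.42.42.1 mask 255.255.255.255
  destination-address 142.42.2.100 mask 255.255.255.255
  destination-address 142.42.42.1 mask 255.255.255.255
  service esp
  service isakmp
  action permit
"""
FW2 = FW1.replace("142.42.2.100", "142.42.4.100")  # fw2 differs only in its exit address
FW2_PEER = "ike peer fw2\n remote-address 142.42.4.100\n quit\n"
REMOTE = """\
ike peer fw1
 remote-address 142.42.2.100
 quit
""" + FW2_PEER + """\
acl number 3000
 rule 5 permit ip source 142.42.42.0 0.0.0.255 destination 10.0.0.0 0.0.255.255
 quit
security-policy
 rule name isakmp
  source-address 142.42.42.1 mask 255.255.255.255
  source-address 142.42.2.100 mask 255.255.255.255
  source-address 142.42.4.100 mask 255.255.255.255
  destination-address 142.42.42.1 mask 255.255.255.255
  destination-address 142.42.2.100 mask 255.255.255.255
  destination-address 142.42.4.100 mask 255.255.255.255
  service esp
  service isakmp
  action permit
"""


def site_views(remote_text):
    return ({"fw1": (parse_ipsec_view(FW1), "142.42.2.100"),
             "fw2": (parse_ipsec_view(FW2), "142.42.4.100")},
            parse_ipsec_view(remote_text))


def audit_site():
    """Both exits known to the remote end: returns []."""
    return check_site(*site_views(REMOTE))


def audit_single_peer_remote():
    """Remote knows only fw1, so nothing can come up after a switchover to fw2 (why two ike peers are needed)."""
    return check_site(*site_views(REMOTE.replace(FW2_PEER, "")))


if __name__ == "__main__":
    for label, fn in (("both peers", audit_site), ("fw1 only", audit_single_peer_remote)):
        print(label, fn() or "consistent")
```

Run it against the real configurations by pasting each firewall's relevant sections into the three strings; the ACL comparison is exact, so a summary route on one side and a longer prefix on the other shows up as a finding rather than as a tunnel that silently negotiates the wrong selectors.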