Dialer LAN-to-LAN VPN: redundancy problem with both WAN links behind NAT

Dual links: the branch has two WAN ports on different ISPs, each building an IPsec VPN. Both tunnels are normal. Where the branch egress IPs are both public, redundancy works and tunnel preference is handled with set priority.
One branch is special, though: both WAN ports sit behind NAT devices and have neither a fixed nor a temporary public IP. With either WAN alone, its VPN comes up, but with both WANs UP redundancy cannot be achieved, and we have not found the cause.


I. Customer network environment

1. Branch FortiGate 60E: WAN1 is a satellite link (Sat), WWAN is 4G; LAN 192.168.59.0/24; OS 5.6.3
2. Shanghai FortiGate 300C: WAN ports are China Telecom 1 and Dianxintong 2; LAN 192.168.18.0/24; OS 5.2.12
3. Two gateway-to-gateway IPsec VPN tunnels between the FG60E and the FG300C: ShgateSAT and ShgateLte
4. The ShgateSat tunnel is the backup for ShgateLte.
5. On the FortiGate 300C, the routes for both tunnels are generated automatically once the dial-up VPN is established.
   On the FG60E, two VPN interface routes are created with distance and priority set.

II. Test results

1. With only WAN1 or only WWAN enabled, ShgateSAT and ShgateLte each work normally. With both WAN1 and WWAN enabled, ShgateSAT and ShgateLte cannot be UP at the same time (other branches with public IPs on both WAN ports can have both UP): only one tunnel is UP at any moment, and the two tunnels keep alternating UP and DOWN, causing intermittent packet loss.
2. Setting the distance and priority of the two VPN routes on the FG60E, and setting distance and priority on the ShgateSAT and ShgateLte phase 1 on the FG300C, did not make the tunnels stable.
3. Current workaround: on the FG60E, ShgateSAT phase 1 has set monitor "ShGateLte". With both FG60E WAN ports enabled the VPN is stable and failover works. However, although phase 1 and phase 2 of both ShgateSAT and ShgateLte have set auto-negotiate enable, when one tunnel is interrupted the backup tunnel does not come up; a machine on the FG60E LAN must ping the FG300C LAN IP before the backup VPN comes up.
 
III. Conclusions
1. For remote dial-up LAN-to-LAN IPsec, if both WAN ports are behind NAT devices, the two tunnels cannot be UP simultaneously, so stable VPN path selection cannot be achieved.
2. In that situation, set auto-negotiate enable does not work.
3. We have tested extensively but may have missed something; any pointers on this situation are welcome. If you have a similar environment, please share your VPN P1/P2 settings and VPN route settings.
 
Thanks, everyone

kmliu - Fortinet-TAC


Yes, that is correct: in your scenario only one VPN tunnel can be UP.
The reason: the return route for a dynamic VPN tunnel is generated automatically. If the routes conflict (identical return routes, e.g. both 20.20.20.0/24), both are not installed; only one tunnel's return route is kept, so only one tunnel is UP.

ike 0:Dia_0:6:175: peer proposal is: peer:0:20.20.20.0-20.20.20.255:0, me:0:0.0.0.0-255.255.255.255:0
ike 0:Dia_0:6:Dia:175: trying
ike 0:Dia_0:6:Dia:175: matched phase2
ike 0:Dia_0:6:Dia:175: dynamic client
ike 0:Dia_0:6:Dia:175: my proposal:
......
ike 0:Dia_0:6:Dia:175: negotiation result
ike 0:Dia_0:6:Dia:175: proposal id = 1:
ike 0:Dia_0:6:Dia:175:   protocol id = IPSEC_ESP:
ike 0:Dia_0:6:Dia:175:   PFS DH group = 14
ike 0:Dia_0:6:Dia:175:      trans_id = ESP_AES (key_len = 128)
ike 0:Dia_0:6:Dia:175:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:Dia_0:6:Dia:175:         type = AUTH_ALG, val=SHA1
ike 0:Dia_0:6:Dia:175: set pfs=MODP2048
ike 0:Dia_0:6:Dia:175: using tunnel mode.
ike 0:Dia_0:6:Dia:175: replay protection enabled
ike 0:Dia_0:6:Dia:175: SA life soft seconds=43191.
ike 0:Dia_0:6:Dia:175: SA life hard seconds=43200.
ike 0:Dia_0:6:Dia:175: IPsec SA selectors #src=1 #dst=1
ike 0:Dia_0:6:Dia:175: src 0 7 0:0.0.0.0-255.255.255.255:0
ike 0:Dia_0:6:Dia:175: dst 0 7 0:20.20.20.0-20.20.20.255:0
ike 0:Dia_0:6:Dia:175: add dynamic IPsec SA selectors
ike 0:Dia_1:172: moving route 20.20.20.0/255.255.255.0 oif Dia_1(38) metric 15 priority 0 to 0:Dia_0:175
ike 0:Dia_1:172: del route 20.20.20.0/255.255.255.0 oif Dia_1(38) metric 15 priority 0

ike 0:Dia_1: deleting
ike 0:Dia_1: flushing 
ike 0:Dia_1:5: send IPsec SA delete, spi 78d3f0bd
ike 0:Dia_1:5: enc AFE562FB7F33EDC13DCEC410C81E5DFA08100501F278EC3A000000440C00001878741E30A449DE17744B61331204F0C7A9B51B0000000010000000010304000178D3F0BD
ike 0:Dia_1:5: out AFE562FB7F33EDC13DCEC410C81E5DFA08100501F278EC3A0000004C860740EDCF366FF78642E3246122AAAB7A2607B3245876FC76663F44BD5907D079F719CEE79825FE595108964AAEAED2
ike 0:Dia_1:5: sent IKE msg (IPsec SA_DELETE-NOTIFY): 192.168.90.43:500->192.168.90.52:500, len=76, id=afe562fb7f33edc1/3dcec410c81e5dfa:f278ec3a
ike 0:Dia_1:Dia: sending SNMP tunnel DOWN trap
ike 0:Dia_1: flushed 
ike 0:Dia_1:5: HA send IKE SA del afe562fb7f33edc1/3dcec410c81e5dfa
ike 0:Dia_1:5: send ISAKMP delete afe562fb7f33edc1/3dcec410c81e5dfa
ike 0:Dia_1:5: enc AFE562FB7F33EDC13DCEC410C81E5DFA0810050146A97D48000000500C00001897CE119BAA2E688AFF6136365C415561C066208B0000001C0000000101100001AFE562FB7F33EDC13DCEC410C81E5DFA
ike 0:Dia_1:5: out AFE562FB7F33EDC13DCEC410C81E5DFA0810050146A97D480000005C022363E81125C61D566D1BBB81FC9F2A6279F5D03EAC85C62A6047499411498E3A4D96707D3F4C05FF509A13522216AA839ED46A5EA44DEC1D39F8DE9963F783
ike 0:Dia_1:5: sent IKE msg (ISAKMP SA DELETE-NOTIFY): 192.168.90.43:500->192.168.90.52:500, len=92, id=afe562fb7f33edc1/3dcec410c81e5dfa:46a97d48
ike 0:Dia_1: delete dynamic
ike 0:Dia_1: deleted
ike 0:Dia_0:175: add route 20.20.20.0/255.255.255.0 oif Dia_0(39) metric 15 priority 0
ike 0:Dia_0:6:Dia:175: tunnel 1 of VDOM limit 0/0
ike 0:Dia_0:6:Dia:175: add IPsec SA: SPIs=78d3f0be/38910d33
ike 0:Dia_0:6:Dia:175: IPsec SA dec spi 78d3f0be key 16:C10F3DAB71888C8241D3A5D4DAC38226 auth 20:A3566EBBAD48E134C520222A79806AA554ABC7CB
ike 0:Dia_0:6:Dia:175: IPsec SA enc spi 38910d33 key 16:7BACDE2DB123DBFF85D1BEF1295F7237 auth 20:4162626B4C0240D6BEB9AA36DB272E50DFB8F3F5
ike 0:Dia_0:6:Dia:175: added IPsec SA: SPIs=78d3f0be/38910d33
ike 0:Dia_0:6:Dia:175: sending SNMP tunnel UP trap
 
Only one of Dia_1/Dia_0 can be UP because the spoke's LAN routes conflict (the spoke presents the same LAN subnet on both tunnels). Load sharing cannot be formed; if it were, problems such as asymmetric routing would appear and traffic would break, so this is by design.
 
Solution:
This scenario should use the tunnel's built-in monitor feature.
Normally the primary tunnel is UP and the backup tunnel is in monitor state (Down). When the primary goes Down, the backup detects it and takes over the primary's work, similar to HA logic.
The monitor configuration is as follows:
config vpn ipsec phase1-interface
    edit master-vpn                 (primary VPN)
        set interface "wan1"
        set remote-gw 202.106.10.1
        set psksecret xxxxxx
    next
    edit backup-vpn                 (backup VPN)
        set interface "wan2"
        set remote-gw 202.106.10.1
        set psksecret xxxxxx
        set monitor master-vpn      ---- adding this one line is all that is needed for tunnel monitoring
    next
end
...
config router static                (routes towards headquarters)
    edit 0
        set dst 192.168.100.0/24
        set device "master-vpn"
        set distance 10             (default is 10)
    next
    edit 0
        set dst 192.168.100.0/24
        set device "backup-vpn"
        set distance 20             (backup VPN route set to 20)
    next
    edit 0
        set dst 192.168.100.0/24
        set distance 250            (blackhole route: stops VPN traffic being wrongly forwarded out the Internet egress, which would produce incorrect routes and break the service)
        set blackhole enable
    next
end
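To see the route takeover kmliu describes in a log of your own, here is an added example (mine, not from the answer or from Fortinet): a small Python parser for the `diagnose debug application ike -1` route and trap lines quoted above. The sample log is constructed to mirror those lines; the tunnel names Dia_0/Dia_1 and the 20.20.20.0/24 prefix come from the quoted output, and the function names are my own.

```python
import re
from collections import Counter
# "add route" / "del route" / "moving route ... to <tunnel>" lines printed by the
# ike daemon when it installs or hands over a dynamic tunnel's return route.
ROUTE_RE = re.compile(
    r"^ike \d+:[^:]+:\d+: (?P<op>add|del|moving) route (?P<prefix>\S+) "
    r"oif (?P<oif>\w+)\(\d+\).*?(?: to \d+:(?P<to>[^:]+):\d+)?$")
TRAP_RE = re.compile(
    r"^ike \d+:(?P<tun>[^:]+):.*sending SNMP tunnel (?P<state>UP|DOWN) trap")
# Constructed sample in the format of the debug output above: two instances of
# the same dynamic phase1 (Dia_1, Dia_0) fighting over one spoke route.
SAMPLE_IKE_LOG = """\
ike 0:Dia_1:172: add route 20.20.20.0/255.255.255.0 oif Dia_1(38) metric 15 priority 0
ike 0:Dia_1:6:Dia:172: sending SNMP tunnel UP trap
ike 0:Dia_1:172: moving route 20.20.20.0/255.255.255.0 oif Dia_1(38) metric 15 priority 0 to 0:Dia_0:175
ike 0:Dia_1:172: del route 20.20.20.0/255.255.255.0 oif Dia_1(38) metric 15 priority 0
ike 0:Dia_1:Dia: sending SNMP tunnel DOWN trap
ike 0:Dia_0:175: add route 20.20.20.0/255.255.255.0 oif Dia_0(39) metric 15 priority 0
ike 0:Dia_0:6:Dia:175: sending SNMP tunnel UP trap
ike 0:Dia_0:175: moving route 20.20.20.0/255.255.255.0 oif Dia_0(39) metric 15 priority 0 to 0:Dia_1:180
ike 0:Dia_0:175: del route 20.20.20.0/255.255.255.0 oif Dia_0(39) metric 15 priority 0
ike 0:Dia_0:Dia: sending SNMP tunnel DOWN trap
ike 0:Dia_1:180: add route 20.20.20.0/255.255.255.0 oif Dia_1(40) metric 15 priority 0
ike 0:Dia_1:6:Dia:180: sending SNMP tunnel UP trap
"""

def analyze_ike_log(text):
    """Replay route lines and traps: who holds each return route now, every (prefix, old, new) takeover, trap counts."""
    holder, takeovers, traps = {}, [], Counter()
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            op, prefix, oif = m["op"], m["prefix"], m["oif"]
            if op == "moving" and m["to"]:      # route handed to the other instance
                takeovers.append((prefix, oif, m["to"]))
                holder[prefix] = m["to"]
            elif op == "add":
                if holder.get(prefix) not in (None, oif):
                    takeovers.append((prefix, holder[prefix], oif))
                holder[prefix] = oif
            elif op == "del" and holder.get(prefix) == oif:
                del holder[prefix]
            continue
        m = TRAP_RE.match(line)
        if m:
            traps[(m["tun"], m["state"])] += 1
    return {"holder": holder, "takeovers": takeovers, "traps": traps}

def route_flapping(result, prefix, limit=1):
    """True when a return route changed hands more than `limit` times: the alternating UP/DOWN from the question."""
    return sum(1 for p, _, _ in result["takeovers"] if p == prefix) > limit
```

Feed it the real debug capture instead of the sample; a steadily growing takeover list for one prefix is the signature of the conflict rather than a link problem.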
 
 

dchina - 赛辰 engineer


Thanks. For the first problem I am using set monitor and will handle it that way for now.
For the second problem: during switchover, set auto-negotiate enable does not work and the backup VPN is not triggered; it has to be triggered by a LAN machine pinging. What is the reason?

kmliu - Fortinet-TAC


Second problem:
I tested this and found no problem; the "not triggered" may be a misjudgement. I suggest optimising the DPD configuration so that the tunnel goes DOWN as quickly as possible when the primary VPN fails.

1. DPD is on-demand: the FGT only initiates a DPD probe when it has data to send, and sends no DPD probes otherwise.
--- change this to periodic DPD

2. By default DPD probes once every 20 s and needs 3 consecutive unanswered probes to detect a tunnel failure, i.e. 60 s.
--- shorten the DPD detection time so that failure is detected in 20 s or 30 s, so the Master VPN goes Down quickly and the Slave VPN initiates its request promptly

config vpn ipsec phase1-interface
    edit "VPN_MASTER"
        set interface "VPN_OUT1_1"
        set mode aggressive
        set peertype any
        set localid "sh"
        set dpd on-idle
        set comments "VPN: VPN_MASTER (Created by VPN wizard)"
        set remote-gw 192.168.90.43
        set psksecret ENC YadxUmG1kWyiQm8cGH8F20G1nYYQwSRFkgg2aCP0AkWVwlJjgHdcAZ3n7pJJE6A/cael8FAnoyITkPJpnk0AMb8ddMav9X/VDeHWihAtl7AMFOW3J8jHAnd9TDGyqtoBBsua7jKPhqh5vBebCfZKO08Z8WmifIFO8MjQhDXFlgPV3d+WBJi2hbfmckh8iYxpSfXsbA==
    next
    edit "VPN_Slave"
        set interface "VPN_OUT2_1"
        set mode aggressive
        set peertype any
        set localid "sh"
        set dpd on-idle
        set comments "VPN: VPN_Slave (Created by VPN wizard)"
        set remote-gw 192.168.90.43
        set monitor "VPN_MASTER"
        set psksecret ENC otRw0b44s3gNJyWWTGnya0iKp8ENTlcc4pa7lZTmz5wwt2GwlwBJaM7C9yLiVJCjB+3OWs2ZQC6MDC1462ZlaqZYgNyXhVH9trVpFf1k3mR53ZpiGH71FLEPf3KGHKYW6CJzLsNFc49CfC8bxFovc3mY+D3nXqAs02rx+damnQeaVxC8GuXfIjHjljs4yxU5SY5A9g==
    next
end
config vpn ipsec phase2-interface
    edit "VPN_MASTER"
        set phase1name "VPN_MASTER"
        set auto-negotiate enable
        set comments "VPN: VPN_MASTER (Created by VPN wizard)"
        set src-subnet 192.168.101.0 255.255.255.0
        set dst-subnet 192.168.103.0 255.255.255.0
    next
    edit "VPN_Slave"
        set phase1name "VPN_Slave"
        set auto-negotiate enable
        set comments "VPN: VPN_Slave (Created by VPN wizard)"
        set src-subnet 192.168.101.0 255.255.255.0
        set dst-subnet 192.168.103.0 255.255.255.0
    next
end

FGT60D4614022596 (VPN_MASTER) # show full-configuration
config vpn ipsec phase1-interface
    edit "VPN_MASTER"
        set type static
        set interface "VPN_OUT1_1"
        set ip-version 4
        set ike-version 1
        set local-gw 0.0.0.0
        set keylife 86400
        set authmethod psk
        set mode aggressive
        set peertype any
        set mode-cfg disable
        set proposal aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1 aes256-sha1 3des-sha1
        set exchange-interface-ip disable
        set localid "sh"
        set localid-type auto
        set negotiate-timeout 30
        set fragmentation enable
        set dpd on-idle
        set forticlient-enforcement disable
        set comments "VPN: VPN_MASTER (Created by VPN wizard)"
        set npu-offload enable
        set dhgrp 14 5
        set suite-b disable
        set wizard-type custom
        set xauthtype disable
        set mesh-selector-type disable
        set idle-timeout disable
        set ha-sync-esp-seqno enable
        set auto-discovery-sender disable
        set auto-discovery-receiver disable
        set auto-discovery-forwarder disable
        set encapsulation none
        set nattraversal enable
        set remote-gw 192.168.90.43
        set monitor ''
        set add-gw-route disable
        set psksecret ENC EgYc0X3BZcrXo3GW8elKSgbfnp8ic8z51vUTyL0hyOmKjIb9oYFBX6RrPCSI1Cy5aykz39FVR/R7KxGJdrtYsAxuXwd6RW4VRWh8HXS8WTOCiffco6jxLs2b1sp0ZmM8qAvQ0knXwJRgH2Vdpu5uDTeTZkoxtDU7W6mZ4d6/tcIAfmPz15b79EgxA+jAbM+9Osip0Q==
        set keepalive 10
        set auto-negotiate enable
        set dpd-retrycount 3
        set dpd-retryinterval 20

    next
end

diagnose debug application ike -1 log: see attachment

The sequence is:
1. VPN_Master runs normally
2. A fault is introduced on VPN_Master's connection so that UDP 500 and UDP 4500 cannot communicate
3. With DPD on-idle, DPD probing finds that the peer does not reply DPD-ACK within 60 s
4. After 60 s DPD detection ends and VPN_Master goes down
5. This triggers VPN_Slave to initiate the VPN and establish the backup tunnel
6. VPN_Master keeps probing the connection; if UDP 500/UDP 4500 recovers, it pre-empts the tunnel back

Your symptom is that the VPN does not switch unless LAN traffic is generated:
The cause should be: DPD was configured on-demand. Because the test environment had no traffic, no DPD probes were ever sent, so VPN_Master could not go Down and the tunnel never switched. Only when you generated traffic did VPN_Master, 60 s later, detect the tunnel failure and bring itself Down, and only then was VPN_Slave triggered.
This analysis should match your test results.

Solution:
1. Do not use the default on-demand DPD; use periodic sending (ON-IDLE). This is decisive: it switches after 60 s without any business traffic
2. Shorten the DPD detection time (default 60 s). This optimises switchover time but is not decisive
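An added example (mine, not kmliu's or Fortinet's) that turns the timings in this answer into a simplified DPD model: on-demand probes only when the FGT has outbound traffic for the tunnel, on-idle probes periodically, and the phase 1 is torn down after dpd-retrycount unanswered probes. The function names, the 600 s horizon and the "continuous traffic from second N" assumption are mine.

```python
def dpd_detect_time(mode, retryinterval, retrycount, traffic_from=None, horizon=600):
    """Simplified model of FortiOS DPD after the peer goes silent at t=0 (seconds).

    mode         : "on-idle" (periodic probes) or "on-demand" (probe only when the
                   FGT has outbound traffic for the tunnel), as in `set dpd ...`
    retryinterval: `set dpd-retryinterval`; retrycount: `set dpd-retrycount`
    traffic_from : second at which continuous LAN traffic towards the tunnel
                   starts (e.g. someone starts pinging); None = no traffic at all
    Returns the second at which the retrycount-th probe goes unanswered and the
    phase1 is torn down, or None if that never happens within `horizon`.
    """
    if mode not in ("on-idle", "on-demand"):
        raise ValueError("mode must be 'on-idle' or 'on-demand'")
    last_seen = 0        # last packet from the peer (or our last probe) was at t=0
    unanswered = 0
    for t in range(1, horizon + 1):
        if t - last_seen < retryinterval:
            continue     # tunnel has not been idle for a full retryinterval yet
        if mode == "on-demand" and (traffic_from is None or t < traffic_from):
            continue     # nothing to send, so on-demand DPD sends no probe
        unanswered += 1  # probe sent; the peer is dead and never answers
        last_seen = t
        if unanswered >= retrycount:
            return t
    return None

def failover_summary(mode, retryinterval, retrycount, traffic_from=None):
    """With `set monitor` on the backup phase1, the backup starts negotiating as
    soon as the primary is torn down, so the primary's DPD detection time is the
    switchover time. Also reports whether a switch happens with no LAN traffic."""
    down_at = dpd_detect_time(mode, retryinterval, retrycount, traffic_from)
    return {
        "primary_down_at": down_at,
        "backup_starts_at": down_at,
        "switches_without_lan_traffic":
            dpd_detect_time(mode, retryinterval, retrycount) is not None,
    }

if __name__ == "__main__":
    # The three cases discussed in this thread: defaults, traffic-triggered, 1 s x 2
    print(failover_summary("on-idle", 20, 3))                       # primary down at 60 s
    print(failover_summary("on-demand", 20, 3, traffic_from=100))   # down only after traffic
    print(failover_summary("on-idle", 1, 2))                        # primary down at 2 s
```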

dchina - 赛辰 engineer


1. Many thanks to kmliu for the patient and professional attitude; building the test environment and reproducing the fault is not easy.
2. To meet the test requirements and get results quickly (this was tested on the live production network), and because at the time I did not know what the 60E 5.6.3 DPD default on-demand actually meant, I used a LAN ping alongside. The relevant test configuration, abbreviated:
config vpn ipsec phase1-interface
edit "ShGate150"
    set interface "wan1"
    set mode aggressive
    set dpd-retrycount 2     ; failure threshold: 2 probes
    set dpd-retryinterval 1   ; probe interval 1 s; this makes the test result show quickly, and in practice the primary tunnel switches to the backup 2 s after failure; failback generally has zero packet loss
next
edit "ShipGate150Lte"
    set interface "wwan"
    set mode aggressive
    set monitor "ShGate150"   ; the backup tunnel monitors the primary; as soon as the primary's DPD check fails, switchover is essentially immediate
    set dpd-retrycount 2
    set dpd-retryinterval 1
next
3. Thanks again to kmliu for finding why set auto-negotiate enable did not work; configuring DPD manually did indeed remove the need for a LAN ping.
4. Our analysis:
At headquarters, VPN routes over the same path can be UP simultaneously for static-IP tunnels because the VPN virtual interfaces created by a static VPN configuration always exist, so routes over the same path can be given different distance and priority.
Dynamic tunnels, by default, generate their routes automatically, and routes over the same path cannot be generated at the same time, so the routes cannot be set. However, we noticed that a dynamic tunnel's P1 has its own distance and priority route settings; combined with the P1 add-route option ("Enable/disable control addition of a route to peer destination selector"), could this achieve load balancing of VPN traffic rather than just HA?
 

kmliu - Fortinet-TAC


It is not that it cannot be done, but it is somewhat troublesome and not necessary:
HQ FGT Beijing LAN subnet: 192.168.103.0/24
Branch FGT Shanghai LAN subnet: 192.168.101.0/24

HQ Beijing VPN configuration:
config vpn ipsec phase1-interface
    edit "Dia"
        set type dynamic
        set interface "port16"
        set mode aggressive
        set peertype one
        set proposal 3des-sha1
        set localid "bjmaster"
        set dhgrp 14 5 2
        set peerid "shmaster"
        set psksecret ENC az+DNBPMxzucYVwtGLwV4viU271hcks7Ko4/sJ0ofSrpnVjQHpB2JlXmPc4HPXZrak1sroqSNV5YUyuzdw9/WRFTI+bTdhZzHmm/K08yGkunNvy0jlyscAZFkZWBmjtT2IW4VwfEtKc8YnaPpY1z+o2M9VHnNdaM9l70aVK86A48pA6iHXjpsJwVDihe6TdoNFve1Q==
    next
    edit "Dia2"
        set type dynamic
        set interface "port16"
        set mode aggressive
        set peertype one
        set proposal 3des-sha1
        set localid "bjslave"
        set dhgrp 14 5 2
        set peerid "shslave"
        set psksecret ENC yyhKJ5yFvRwaB+Cwu+9z+XJdK4FDPMFY4O7Juab2kffe/Je4OnYTIcZGCxDZuGSV0s8qBgBUeAU2R9Fc8nGJd434YXOVuk4r6cME55DnNm0hFybr44STTLH0p3pOP7YGFVbB1bKbnvgydNaf3RY8Mz7MwhULS5/gbDahasCGj8+qZHooMYZdj6QT2gNOUGM27Cu6nA==
    next
end
config vpn ipsec phase2-interface
    edit "Dia"
        set phase1name "Dia"
        set proposal 3des-sha1
        set dhgrp 14 5 2
        set keepalive enable
    next
    edit "Dia2"
        set phase1name "Dia2"
        set proposal 3des-sha1
        set dhgrp 14 5 2
        set keepalive enable
    next
end
config firewall policy
    edit 2
        set srcintf "switch"
        set dstintf "Dia" "Dia2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 3
        set srcintf "Dia" "Dia2"
        set dstintf "switch"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

Branch Shanghai FGT VPN configuration:
config vpn ipsec phase1-interface
    edit "VPN_MASTER"
        set interface "VPN_OUT1_1"
        set mode aggressive
        set peertype one
        set proposal 3des-sha1
        set localid "shmaster"
        set dpd on-idle
        set comments "VPN: VPN_MASTER (Created by VPN wizard)"
        set dhgrp 14 5 2
        set remote-gw 192.168.90.43
        set peerid "bjmaster"
        set psksecret ENC n4WaVHlB9U2mNfk6OX9+cUyhXmLppp2IW56ZfwPoH2m4QLTd7qWpX7+0uD9kp2E9PbG3q7OmtiMzKUbFkqwjFLbtFw6DXIYor3mi4LUqZec/S5c16Td7xaVOmpWGUGE4SRtFZXUGKrN9AY+A0nKTlC1iKJEFtLafyNL1sVEb6pDubl6+omsJG5M+XMZhv1m8K96fGA==
    next
    edit "VPN_Slave"
        set interface "VPN_OUT2_1"
        set mode aggressive
        set peertype one
        set proposal 3des-sha1
        set localid "shslave"
        set dpd on-idle
        set comments "VPN: VPN_Slave (Created by VPN wizard)"
        set dhgrp 14 5 2
        set remote-gw 192.168.90.43
        set peerid "bjslave"
        set psksecret ENC PWIR7wDZ8gR1oYkcvKlQ9LReW5PPWIpUa/vorB6mA3aoNT90VkCuRf7xwQoT8D8htTrzUmDdtHSEaiApXXiuXBOeEUkOEbMqc/xJ/ie+PnB3LwRGvpLqlLeOVij9UZd9SBGvs8+An8ov3O93PtqfA+7z/PLZiHAVTB7k8CH9ggJg3FF512VHrBXBN3P86U6DkuoEZg==
    next
end
config vpn ipsec phase2-interface
    edit "VPN_MASTER"
        set phase1name "VPN_MASTER"
        set proposal 3des-sha1
        set dhgrp 14 5 2
        set auto-negotiate enable
        set comments "VPN: VPN_MASTER (Created by VPN wizard)"
        set src-subnet 192.168.101.0 255.255.255.0
        set dst-subnet 192.168.103.0 255.255.255.0
    next
    edit "VPN_Slave"
        set phase1name "VPN_Slave"
        set proposal 3des-sha1
        set dhgrp 14 5 2
        set auto-negotiate enable
        set comments "VPN: VPN_Slave (Created by VPN wizard)"
        set src-subnet 192.168.100.0 255.255.252.0
        set dst-subnet 192.168.103.0 255.255.255.0
    next
end
config firewall policy
    edit 1
        set name "vpn_VPN_MASTER_local"
        set srcintf "internal1"
        set dstintf "VPN_MASTER"
        set srcaddr "VPN_MASTER_local"
        set dstaddr "VPN_MASTER_remote"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set name "vpn_VPN_MASTER_remote"
        set srcintf "VPN_MASTER"
        set dstintf "internal1"
        set srcaddr "VPN_MASTER_remote"
        set dstaddr "VPN_MASTER_local"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 3
        set name "vpn_VPN_Slave_local"
        set srcintf "internal1"
        set dstintf "VPN_Slave"
        set srcaddr "VPN_Slave_local"
        set dstaddr "VPN_Slave_remote"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 4
        set name "vpn_VPN_Slave_remote"
        set srcintf "VPN_Slave"
        set dstintf "internal1"
        set srcaddr "VPN_Slave_remote"
        set dstaddr "VPN_Slave_local"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
config router static
    edit 1
        set dst 192.168.103.0 255.255.255.0
        set device "VPN_MASTER"
    next
    edit 2
        set dst 192.168.103.0 255.255.255.0
        set priority 200
        set device "VPN_Slave"
    next
    edit 5
        set dst 192.168.103.0 255.255.255.0
        set distance 254
        set blackhole enable
    next
end

The basic idea:
1. Create two dynamic IPsec VPNs and tell them apart by Peer ID
2. On the branch, distinguish the interesting traffic by mask: the primary VPN uses the specific local subnet, the backup VPN uses a summarised local subnet with a wider mask
3. HQ then learns two different routes from the branch: a specific route (primary tunnel) and a wider-mask route (for backup). Take care that it does not conflict with other branches' routes.
Primary VPN interesting-traffic source subnet: 192.168.101.0 255.255.255.0
Backup VPN interesting-traffic source subnet: 192.168.100.0 255.255.252.0

It works, but it is troublesome, hard to implement and scales poorly.

Another way is a dynamic routing protocol: use OSPF to learn the branch LAN subnets and control path selection with cost. That works too, but is equally troublesome, hard to implement and scales poorly.
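An added example (mine, not part of kmliu's answer) showing why the mask trick works at the hub and where the "do not conflict with other branches" caveat bites: a longest-prefix lookup over the two routes HQ learns from Shanghai, plus a check for summary routes that also swallow another spoke's subnet. The third spoke 192.168.102.0/24 via "Dia3", the table itself and the function names are my assumptions.

```python
import ipaddress

def lookup(routes, dst):
    """Longest-prefix match over (prefix, tunnel) pairs, the way the HQ's
    routing table picks an outgoing tunnel; returns the tunnel or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, tunnel in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, tunnel)
    return best[1] if best else None

def summary_overlaps(routes, backup_of):
    """List (summary, its_tunnel, covered, covered_tunnel) for every summary
    route that also covers a route belonging to some *other* spoke. backup_of
    maps a backup tunnel to the primary tunnel whose subnet it is meant to
    cover; that pair is the intended overlap and is not reported."""
    nets = [(ipaddress.ip_network(p), t) for p, t in routes]
    hits = []
    for big, big_t in nets:
        for small, small_t in nets:
            if small == big or not small.subnet_of(big):
                continue
            if small_t != backup_of.get(big_t):
                hits.append((str(big), big_t, str(small), small_t))
    return hits

# Constructed HQ table: Shanghai's /24 via Dia (primary), its /22 summary via
# Dia2 (backup), plus an assumed second spoke, 192.168.102.0/24 via "Dia3",
# which happens to fall inside the /22 summary.
HQ_ROUTES = [
    ("192.168.101.0/24", "Dia"),
    ("192.168.100.0/22", "Dia2"),
    ("192.168.102.0/24", "Dia3"),
]

def without(routes, tunnel):
    """Routing table after `tunnel` goes down and its dynamic route is withdrawn."""
    return [r for r in routes if r[1] != tunnel]
```

While Dia3 is up its /24 still wins for 192.168.102.x, but the moment Dia3 drops that spoke's traffic silently falls into Shanghai's backup tunnel, which is the conflict the answer warns about.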

dchina - 赛辰 engineer


Too troublesome; indeed not usable.
