Как настроить 2ISP на каждом роутере по обе стороны ipsec vpn?

Question

[Jonhy]

Стоит задача, настроить site-to-site vpn. При этом по обе стороны используется два провайдера. То есть, чтобы у первого провайдера на одной стороне был туннель с обоими провайдера на другой стороне. На данный момент удалось настроить туннель(ipsec vpn) между первыми провайдерами и вторыми провайдерами(1 и 1, 2 и 2). Но при настройке 1 и 2, 2 и 1 возникает проблема с маршрутами. Выход в интернет зарезервирован при помощи ip sla и route-map.

Конфигурацию обоих роутеров прилагаю

Building configuration...

Current configuration : 3671 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R9
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip sla monitor 1
 type echo protocol ipIcmpEcho 8.8.8.8 source-interface FastEthernet0/0
 frequency 10
ip sla monitor schedule 1 life forever start-time now
ip sla monitor 2
 type echo protocol ipIcmpEcho 77.77.77.1 source-interface FastEthernet0/0
 frequency 10
ip sla monitor reaction-configuration 2 threshold-falling 5000
ip sla monitor schedule 2 life forever start-time now
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
track 1 rtr 1 reachability
!
track 2 rtr 2 reachability
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key CISCO address 44.44.44.2
crypto isakmp key CISCO address 55.55.55.2
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto map CMAP 10 ipsec-isakmp
 set peer 44.44.44.2
 set transform-set TS
 match address FOR_VPN
!
crypto map CMAP2 20 ipsec-isakmp
 set peer 55.55.55.2
 set transform-set TS
 match address FOR_VPN
!
!
!
!
interface FastEthernet0/0
 ip address 77.77.77.2 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map CMAP
!
interface FastEthernet0/1
 ip address 172.16.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet1/0
 no switchport
 ip address 11.11.11.2 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 crypto map CMAP2
!
interface FastEthernet1/1
!
interface FastEthernet1/2
!
interface FastEthernet1/3
!
interface FastEthernet1/4
!
interface FastEthernet1/5
!
interface FastEthernet1/6
!
interface FastEthernet1/7
!
interface FastEthernet1/8
!
interface FastEthernet1/9
!
interface FastEthernet1/10
!
interface FastEthernet1/11
!
interface FastEthernet1/12
!
interface FastEthernet1/13
!
interface FastEthernet1/14
!
interface FastEthernet1/15
!
interface Vlan1
 no ip address
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 77.77.77.1 track 1
ip route 192.168.1.0 255.255.255.0 10.0.0.1 track 2
ip route 0.0.0.0 0.0.0.0 11.11.11.1 10
ip route 8.8.8.8 255.255.255.255 77.77.77.1
ip route 192.168.1.0 255.255.255.0 10.0.1.1 10
!
!
no ip http server
no ip http secure-server
ip nat inside source route-map ISP1 interface FastEthernet0/0 overload
ip nat inside source route-map ISP2 interface FastEthernet1/0 overload
!
ip access-list extended FOR_VPN
 permit ip 172.16.0.0 0.0.0.255 192.168.1.0 0.0.0.255
!
access-list 1 permit 172.16.0.0 0.0.0.255
access-list 100 deny   ip 172.16.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 172.16.0.0 0.0.0.255 any
no cdp log mismatch duplex
!
route-map ISP2 permit 10
 match ip address 100
 match interface FastEthernet1/0
!
route-map ISP1 permit 10
 match ip address 100
 match interface FastEthernet0/0
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
!
event manager applet TRACK_DOWN
 event syslog pattern "1 rtr 1 reachability Up->Down"
 action 1.0 cli command "enable"
 action 2.0 cli command "clear ip nat translation *"
 action 3.0 syslog msg "ISP 1 is DOWN"
event manager applet TRACK_UP
 event syslog pattern "1 rtr 1 reachability Down->Up"
 action 1.0 cli command "enable"
 action 2.0 cli command "clear ip nat translation *"
 action 3.0 syslog msg "ISP 1 is UP"
!
end



Building configuration...

Current configuration : 3473 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip sla monitor 1
 type echo protocol ipIcmpEcho 8.8.8.8 source-interface FastEthernet0/0
 frequency 10
ip sla monitor schedule 1 life forever start-time now
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
track 1 rtr 1 reachability
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key CISCO address 77.77.77.2
crypto isakmp key CISCO address 11.11.11.2
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto map CMAP 10 ipsec-isakmp
 set peer 77.77.77.2
 set transform-set TS
 match address FOR_VPN
!
crypto map CMAP2 20 ipsec-isakmp
 set peer 11.11.11.2
 set transform-set TS
 match address FOR_VPN
!
!
!
!
interface FastEthernet0/0
 ip address 44.44.44.2 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map CMAP
!
interface FastEthernet0/1
 ip address 55.55.55.2 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map CMAP2
!
interface FastEthernet1/0
 no switchport
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet1/1
!
interface FastEthernet1/2
!
interface FastEthernet1/3
!
interface FastEthernet1/4
!
interface FastEthernet1/5
!
interface FastEthernet1/6
!
interface FastEthernet1/7
!
interface FastEthernet1/8
!
interface FastEthernet1/9
!
interface FastEthernet1/10
!
interface FastEthernet1/11
!
interface FastEthernet1/12
!
interface FastEthernet1/13
!
interface FastEthernet1/14
!
interface FastEthernet1/15
!
interface Vlan1
 no ip address
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 44.44.44.1 track 1
ip route 0.0.0.0 0.0.0.0 55.55.55.1 10
ip route 8.8.8.8 255.255.255.255 44.44.44.1
!
!
no ip http server
no ip http secure-server
ip nat inside source route-map ISP1 interface FastEthernet0/0 overload
ip nat inside source route-map ISP2 interface FastEthernet0/1 overload
!
ip access-list extended FOR_VPN
 permit ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.0.255
!
access-list 100 deny   ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
no cdp log mismatch duplex
!
route-map ISP2 permit 10
 match ip address 100
 match interface FastEthernet0/1
!
route-map ISP1 permit 10
 match ip address 100
 match interface FastEthernet0/0
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
!
event manager applet TRACK_DOWN
 event syslog pattern "1 rtr 1 reachability Up->Down"
 action 1.0 cli command "enable"
 action 2.0 cli command "clear ip nat translation *"
 action 3.0 syslog msg "ISP 1 is DOWN"
event manager applet TRACK_UP
 event syslog pattern "1 rtr 1 reachability Down->Up"
 action 1.0 cli command "enable"
 action 2.0 cli command "clear ip nat translation *"
 action 3.0 syslog msg "ISP 1 is UP"
event manager applet VKL
 event timer countdown time 180
 action 1.0 cli command "enable"
 action 2.0 cli command "conf t"
 action 3.0 cli command "int f0/0"
 action 4.0 cli command "no shut"
!
end

Comments

[Strabbo]

Но при настройке 1 и 2, 2 и 1 возникает проблема с маршрутами.

Нету ни какого смысла делать такую настройку. если у вас 2 роутера и 2 провайдера, достаточно поднять по 1 туннелю с каждого провайдера.

[Jonhy]

Strabbo, спасибо за ответ. А как быть, если отвалится 1 провайдер?! Каждый раз нужно заходить на второй роутер и выключать интерфейс первого провайдера?

[Strabbo]

Jonhy, Надо прописать статические маршруты в сторону каждого провайдера и держать интерфейсы включеными.
Например вот так:
Если у вас два роутера и на каждом по 2 провайдера, то лучше сделать /32 статические маршруты в сторону каждого.
Роутер 1 - ISP-1= 1.1.1.1, ISP-2 = 2.2.2.1
Роутер 2 - ISP-1= 1.1.1.2, ISP-2 = 2.2.2.2

на первом роутере делаете маршрут
ip route 1.1.1.2 255.255.255.255 ISP-1
ip route 2.2.2.2 255.255.255.255 ISP-2
на втором роутере нужны зеркальные маршруты.
P.S. я бы вообще убрал site2site vpn и вместо него сделал gre over ipsec, там можно и маршрутизацию сделать нормальную, а не с помощью аксес листов и трафик можно пускать в нужный вам туннель без особых проблем и избавиться от crypto map навсегда :)

[Jonhy]

Strabbo, что-то не получилось. Оба впн туннеля active, но траффик не идёт. Вот конфиг:
Building configuration...

Current configuration : 3424 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R9
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip sla monitor 1
type echo protocol ipIcmpEcho 8.8.8.8 source-interface FastEthernet0/0
frequency 10
ip sla monitor schedule 1 life forever start-time now
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
track 1 rtr 1 reachability
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key CISCO address 44.44.44.2
crypto isakmp key CISCO address 55.55.55.2
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto map CMAP 10 ipsec-isakmp
set peer 44.44.44.2
set transform-set TS
match address FOR_VPN
!
crypto map CMAP2 20 ipsec-isakmp
set peer 55.55.55.2
set transform-set TS
match address FOR_VPN
!
!
!
!
interface FastEthernet0/0
ip address 77.77.77.2 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map CMAP
!
interface FastEthernet0/1
ip address 172.16.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet1/0
no switchport
ip address 11.11.11.2 255.255.255.252
ip nat outside
ip virtual-reassembly
crypto map CMAP2
!
interface FastEthernet1/1
!
interface FastEthernet1/2
!
interface FastEthernet1/3
!
interface FastEthernet1/4
!
interface FastEthernet1/5
!
interface FastEthernet1/6
!
interface FastEthernet1/7
!
interface FastEthernet1/8
!
interface FastEthernet1/9
!
interface FastEthernet1/10
!
interface FastEthernet1/11
!
interface FastEthernet1/12
!
interface FastEthernet1/13
!
interface FastEthernet1/14
!
interface FastEthernet1/15
!
interface Vlan1
no ip address
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 77.77.77.1 track 1
ip route 0.0.0.0 0.0.0.0 11.11.11.1 10
ip route 8.8.8.8 255.255.255.255 77.77.77.1
ip route 44.44.44.2 255.255.255.255 FastEthernet0/0
ip route 55.55.55.2 255.255.255.255 FastEthernet1/0
!
!
no ip http server
no ip http secure-server
ip nat inside source route-map ISP1 interface FastEthernet0/0 overload
ip nat inside source route-map ISP2 interface FastEthernet1/0 overload
!
ip access-list extended FOR_VPN
permit ip 172.16.0.0 0.0.0.255 192.168.1.0 0.0.0.255
!
access-list 1 permit 172.16.0.0 0.0.0.255
access-list 100 deny ip 172.16.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 172.16.0.0 0.0.0.255 any
no cdp log mismatch duplex
!
route-map ISP2 permit 10
match ip address 100
match interface FastEthernet1/0
!
route-map ISP1 permit 10
match ip address 100
match interface FastEthernet0/0
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
event manager applet TRACK_DOWN
event syslog pattern "1 rtr 1 reachability Up->Down"
action 1.0 cli command "enable"
action 2.0 cli command "clear ip nat translation *"
action 3.0 syslog msg "ISP 1 is DOWN"
event manager applet TRACK_UP
event syslog pattern "1 rtr 1 reachability Down->Up"
action 1.0 cli command "enable"
action 2.0 cli command "clear ip nat translation *"
action 3.0 syslog msg "ISP 1 is UP"
!
end

Building configuration...

*Mar 1 01:38:06.947: %SYS-5-CONFIG_I: Configured from console by console
Current configuration : 3587 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip sla monitor 1
type echo protocol ipIcmpEcho 8.8.8.8 source-interface FastEthernet0/0
frequency 10
ip sla monitor schedule 1 life forever start-time now
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
track 1 rtr 1 reachability
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key CISCO address 77.77.77.2
crypto isakmp key CISCO address 11.11.11.2
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto map CMAP 10 ipsec-isakmp
set peer 77.77.77.2
set transform-set TS
match address FOR_VPN
!
crypto map CMAP2 20 ipsec-isakmp
set peer 11.11.11.2
set transform-set TS
match address FOR_VPN
!
!
!
!
interface FastEthernet0/0
ip address 44.44.44.2 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map CMAP
!
interface FastEthernet0/1
ip address 55.55.55.2 255.255.255.252
ip nat outside
ip virtual-reassembly
shutdown
duplex auto
speed auto
crypto map CMAP2
!
interface FastEthernet1/0
no switchport
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface FastEthernet1/1
!
interface FastEthernet1/2
!
interface FastEthernet1/3
!
interface FastEthernet1/4
!
interface FastEthernet1/5
!
interface FastEthernet1/6
!
interface FastEthernet1/7
!
interface FastEthernet1/8
!
interface FastEthernet1/9
!
interface FastEthernet1/10
!
interface FastEthernet1/11
!
interface FastEthernet1/12
!
interface FastEthernet1/13
!
interface FastEthernet1/14
!
interface FastEthernet1/15
!
interface Vlan1
no ip address
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 44.44.44.1 track 1
ip route 0.0.0.0 0.0.0.0 55.55.55.1 10
ip route 8.8.8.8 255.255.255.255 44.44.44.1
ip route 11.11.11.2 255.255.255.255 FastEthernet0/1
ip route 77.77.77.2 255.255.255.255 FastEthernet0/0
!
!
no ip http server
no ip http secure-server
ip nat inside source route-map ISP1 interface FastEthernet0/0 overload
ip nat inside source route-map ISP2 interface FastEthernet0/1 overload
!
ip access-list extended FOR_VPN
permit ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.0.255
!
access-list 100 deny ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
no cdp log mismatch duplex
!
route-map ISP2 permit 10
match ip address 100
match interface FastEthernet0/1
!
route-map ISP1 permit 10
match ip address 100
match interface FastEthernet0/0
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
event manager applet TRACK_DOWN
event syslog pattern "1 rtr 1 reachability Up->Down"
action 1.0 cli command "enable"
action 2.0 cli command "clear ip nat translation *"
action 3.0 syslog msg "ISP 1 is DOWN"
event manager applet TRACK_UP
event syslog pattern "1 rtr 1 reachability Down->Up"
action 1.0 cli command "enable"
action 2.0 cli command "clear ip nat translation *"
action 3.0 syslog msg "ISP 1 is UP"
event manager applet VKL
event timer countdown time 180
action 1.0 cli command "enable"
action 2.0 cli command "conf t"
action 3.0 cli command "int f0/0"
action 4.0 cli command "no shut"
!
end

[Jonhy]

Strabbo, я пробовал сделать ipsec+gre. Создавал по 2 interface tunnel на каждом роутере. Но упирался опять в маршрутизацию. Каждый раз маршрут в сторону LAN другой сети перезаписывался.

[Strabbo]

Jonhy, как перезаписывался? можете показать вывод show ip route и кусок конфига маршрутизации. c Site2site помочь не смогу, уже подзабыл его.

[Jonhy]

Strabbo, подскажите сколько туннельных интерфейсов я должен создать, чтобы все 4 внешних ip работали между собой(резервировали впн-туннель). Так как указывается source и destination, то я предполагаю что нужно 4 туннельных интерфейса. Я правильно мыслю?

[Strabbo]

Jonhy, если у вас 2 роутера соедененны друг с другом двумя провайдерамы, то нужно по 2 туннеля на каждый роутер

[Jonhy]

Strabbo, Настроил gre+ipsec. Скидываю конфиг и маршруты.
R1:
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key CISCO address 44.44.44.2
crypto isakmp key CISCO address 55.55.55.2
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
mode transport
!
crypto ipsec profile PROTECT-GRE
set security-association lifetime seconds 86400
set transform-set TS
!
!
!
!
!
interface Tunnel0
ip address 10.0.0.1 255.255.255.0
ip mtu 1400
ip tcp adjust-mss 1360
tunnel source 77.77.77.2
tunnel destination 44.44.44.2
tunnel protection ipsec profile PROTECT-GRE
!
interface Tunnel1
ip address 10.0.1.1 255.255.255.0
ip mtu 1400
ip tcp adjust-mss 1360
tunnel source 11.11.11.2
tunnel destination 55.55.55.2
tunnel protection ipsec profile PROTECT-GRE

R2:
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key CISCO address 77.77.77.2
crypto isakmp key CISCO address 11.11.11.2
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
mode transport
!
crypto ipsec profile PROTECT-GRE
set security-association lifetime seconds 86400
set transform-set TS
!
!
!
!
!
interface Tunnel0
ip address 10.0.0.2 255.255.255.0
ip mtu 1400
ip tcp adjust-mss 1360
tunnel source 44.44.44.2
tunnel destination 77.77.77.2
tunnel protection ipsec profile PROTECT-GRE
!
interface Tunnel1
ip address 10.0.1.2 255.255.255.0
ip mtu 1400
ip tcp adjust-mss 1360
tunnel source 55.55.55.2
tunnel destination 11.11.11.2
tunnel protection ipsec profile PROTECT-GRE

ip route R1:
Gateway of last resort is 77.77.77.1 to network 0.0.0.0

172.16.0.0/24 is subnetted, 1 subnets
C 172.16.0.0 is directly connected, FastEthernet0/1
8.0.0.0/32 is subnetted, 1 subnets
S 8.8.8.8 [1/0] via 77.77.77.1
77.0.0.0/30 is subnetted, 1 subnets
C 77.77.77.0 is directly connected, FastEthernet0/0
10.0.0.0/24 is subnetted, 2 subnets
C 10.0.0.0 is directly connected, Tunnel0
C 10.0.1.0 is directly connected, Tunnel1
11.0.0.0/30 is subnetted, 1 subnets
C 11.11.11.0 is directly connected, FastEthernet1/0
S 192.168.1.0/24 [1/0] via 10.0.1.2
[1/0] via 10.0.0.2
S* 0.0.0.0/0 [1/0] via 77.77.77.1

ip route 0.0.0.0 0.0.0.0 77.77.77.1 track 1
ip route 0.0.0.0 0.0.0.0 11.11.11.1 10
ip route 8.8.8.8 255.255.255.255 77.77.77.1
ip route 192.168.1.0 255.255.255.0 10.0.0.2
ip route 192.168.1.0 255.255.255.0 10.0.1.2

На втором роутере аналогично. Но так связи между роутерами нет. Только после no ip route 192.168.1.0 255.255.255.0 10.0.1.2 связь появилась. При отключении первого провайдера, туннель не падает, а связи нет. Пришли опять туда, откуда ушли

[Strabbo]

Jonhy,
interface Tunnel0
ip address 10.0.0.2 255.255.255.0
ip mtu 1400
ip tcp adjust-mss 1360
tunnel source 44.44.44.2
tunnel destination 77.77.77.2
tunnel protection ipsec profile PROTECT-GRE
!
interface Tunnel1
ip address 10.0.1.2 255.255.255.0
ip mtu 1400
ip tcp adjust-mss 1360
tunnel source 55.55.55.2
tunnel destination 11.11.11.2
tunnel protection ipsec profile PROTECT-GRE

ip route 192.168.1.0 255.255.255.0 10.0.0.2
ip route 192.168.1.0 255.255.255.0 10.0.1.2

вот эти маршруты не правильные, надо указывать соседний роутер, а тут указан тот же айпи, который прописан на этом же роутере.

[Strabbo]

Jonhy, я перепутал роутеры, вроде правильныйе маршруты в сторону туннелей. может как то свяжемся по телеграм и там продолжим и быстро решим эту проблему, а то тут уже неудобно ))

[Jonhy]

Strabbo, давайте. Найдите меня @BakhtiyaR_1_1

[Jonhy]

Strabbo, спасибо еще раз за помощь. Если кому интересно, был поднят ospf между туннельными интерфейсами. Но, к сожалению, данный вариант не работает при одновременном отключении линков на обоих провайдерах(работает только ISP1-ISP1 и ISP2-ISP2). Но при условии отключении ISP1(R1) и ISP2(R2), вариант с ospf не работает. Strabbo, посоветовал использовать BGP

Answer 1

[Podgorbunskih]

Использовать связку f-VRF + GRE + IPSEC и динамическую маршрутизацию.
для 10ка роутеров такая схема подходит, потом поддержка становиться сложно, дальше смотреть уже в сторону DMVPN или flexvpn