How to get into Beeline IPVPN via IPSec. Part 1

Hello! In my previous post I described how our MultiSIM service works in terms of redundancy and channel balancing. As mentioned there, we connect clients to the network via VPN, and today I will tell you a bit more about VPN and our capabilities in this area.

It is worth starting with the fact that we, as a telecom operator, have our own large MPLS network, which for fixed-line clients is divided into two main segments: one used directly for Internet access, and one used to build isolated networks. It is through this second MPLS segment that IPVPN (L3 OSI) and VPLAN (L2 OSI) traffic travels for our clients.

Typically, a client is connected as follows.

An access line is laid to the client's office from the nearest network point of presence (MEN node, RRL, BSSS, FTTB, etc.), and then the channel is carried through the transport network to the corresponding PE-MPLS router, where we terminate it into a VRF created specifically for that client, taking into account the traffic profile the client needs (profile labels are selected for each access port, based on the ip precedence values 0, 1, 3, 5).

If for some reason we cannot fully organize the last mile for the client, for example the client's office is in a business center where another provider has priority, or we simply have no point of presence nearby, then previously the client had either to build several IPVPN networks with different providers (not the most cost-effective architecture) or to solve the problem of reaching its VRF over the Internet on its own.

Many did this by installing an Internet gateway into the IPVPN: they installed a router (hardware or some Linux-based solution), connected the IPVPN channel to one port and an Internet channel to the other, launched their own VPN server on it and connected users through their own VPN gateway. Naturally, such a scheme also carries a burden: such infrastructure has to be built and, more importantly, administered and developed.

To make life easier for our clients, we installed a centralized VPN hub and organized support for connections over the Internet using IPSec. That is, now clients only need to configure their router to work with the VPN hub through an IPSec tunnel over any public Internet connection, and we release that client's traffic into its VRF.

Who will find this useful?

  • Those who already have a large IPVPN network and need new connections in a short time.
  • Anyone who, for whatever reason, wants to move part of their traffic from the public Internet to IPVPN but has previously run into technical limitations associated with having several service providers.
  • Those who currently have a VPN network fragmented across different telecom operators. There are clients who have ended up with IPVPN from Beeline, Megafon, Rostelecom and others. To simplify, you can stay on our single VPN, switch all the channels from the other operators to plain Internet, and then connect to Beeline IPVPN via IPSec over the Internet from those operators.
  • Those who already have an IPVPN network overlaid on the Internet.

If you do everything with us, clients receive full VPN support, a high-availability infrastructure and standard settings that will work on any commonly used router (be it Cisco or even Mikrotik; the main thing is that it properly supports IPSec/IKEv2 with standard authentication methods). By the way, about IPSec: right now we support only it, but we plan to launch full support for both OpenVPN and Wireguard, so that clients are not tied to a protocol and it is even easier to take everything and move it to us, and we also want to start connecting clients from computers and mobile devices (solutions built into the OS, Cisco AnyConnect, strongSwan and the like). With this approach, the hardware part of the infrastructure can safely be entrusted to the operator, leaving only the configuration of the CPE or host on the client's side.

How the connection process works for the IPSec scenario:

  1. The client submits a request to its account manager indicating the required connection speed, the traffic profile, the IP addressing parameters for the tunnel (by default, a subnet with a /30 mask) and the routing type (static or BGP). To deliver routes to the client's local networks in the connected office, either the IKEv2 mechanisms of the IPSec framework are used via the appropriate settings on the client's router, or the routes are announced via BGP into MPLS from the private BGP AS specified in the client's request. Thus, information about routes to the client's networks is entirely controlled by the client through the settings of the client's router.
  2. In the reply from its manager, the client receives account data for connecting into its VRF, of the form:
    • VPN-HUB IP address
    • Login
    • Authentication password
  3. The client configures the CPE; below, as an example, are two basic configuration options:

    Option for Cisco:
    crypto ikev2 keyring BeelineIPsec_keyring
     peer Beeline_VPNHub
      address 62.141.99.183 – Beeline VPN hub
      pre-shared-key <Authentication password>
    !
    For the static routing option, routes to the networks reachable through the VPN hub can be specified in the IKEv2 configuration and will automatically appear as static routes in the CE routing table. These settings can also be made with the usual method of configuring static routes (see below).

    crypto ikev2 authorization policy FlexClient-author

    Route to the networks behind the CE router; a mandatory setting for static routing between CE and PE. The route information is passed to the PE automatically when the tunnel comes up, through the IKEv2 exchange.

     route set remote ipv4 10.1.1.0 255.255.255.0 – Office local network
    !
    crypto ikev2 profile BeelineIPSec_profile
     identity local <login>
     authentication local pre-share
     authentication remote pre-share
     keyring local BeelineIPsec_keyring
     aaa authorization group psk list group-author-list FlexClient-author
    !
    crypto ikev2 client flexvpn BeelineIPsec_flex
     peer 1 Beeline_VPNHub
     client connect Tunnel1
    !
    crypto ipsec transform-set TRANSFORM1 esp-aes 256 esp-sha256-hmac
     mode tunnel
    !
    crypto ipsec profile default
     set transform-set TRANSFORM1
     set ikev2-profile BeelineIPSec_profile
    !
    interface Tunnel1
     ip address 10.20.1.2 255.255.255.252 – Tunnel address
     tunnel source GigabitEthernet0/2 – Internet interface
     tunnel mode ipsec ipv4
     tunnel destination dynamic
     tunnel protection ipsec profile default
    !
    Routes to the client's private networks reachable through the Beeline VPN hub can be configured statically.

    ip route 172.16.0.0 255.255.0.0 Tunnel1
    ip route 192.168.0.0 255.255.255.0 Tunnel1

    Option for Huawei (AR160/120):
    ike local-name <login>
    #
    acl name ipsec 3999
     rule 1 permit ip source 10.1.1.0 0.0.0.255 – Office local network
    #
    aaa
     service-scheme IPSEC
      route set acl 3999
    #
    ipsec proposal ipsec
     esp authentication-algorithm sha2-256
     esp encryption-algorithm aes-256
    #
    ike proposal default
     encryption-algorithm aes-256
     dh group2
     authentication-algorithm sha2-256
     authentication-method pre-share
     integrity-algorithm hmac-sha2-256
     prf hmac-sha2-256
    #
    ike peer ipsec
     pre-shared-key simple <Authentication password>
     local-id-type fqdn
     remote-id-type ip
     remote-address 62.141.99.183 – Beeline VPN hub
     service-scheme IPSEC
     config-exchange request
     config-exchange set accept
     config-exchange set send
    #
    ipsec profile ipsecprof
     ike-peer ipsec
     proposal ipsec
    #
    interface Tunnel0/0/0
     ip address 10.20.1.2 255.255.255.252 – Tunnel address
     tunnel-protocol ipsec
     source GigabitEthernet0/0/1 – Internet interface
     ipsec profile ipsecprof
    #
    Routes to the client's private networks reachable through the Beeline VPN hub can be configured statically.

    ip route-static 192.168.0.0 255.255.255.0 Tunnel0/0/0
    ip route-static 172.16.0.0 255.255.0.0 Tunnel0/0/0

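Both CPE options above fix the IKE/IPsec proposals by hand (AES-256 with SHA-2 on the ESP side; on the Huawei side also the IKE proposal with dh group2). Before a tunnel like this is rolled out, it is worth checking the proposals against a minimum policy, because group2 is 1024-bit MODP and well below what is usually accepted today. The checker below is an added example written for this page, not code from the article or from Beeline; the baseline it enforces (AES-256, SHA-2 integrity/PRF, DH group 14 or higher) is an assumption, and the two sample snippets are constructed copies of the proposals in the configs above.

```python
import re

# Baseline enforced by this checker (assumption for the example; the article
# itself states no policy): AES-256 encryption, SHA-2 integrity/PRF, DH group >= 14.
MIN_DH_GROUP = 14
AES256 = {"aes-256", "aes-cbc-256", "aes-gcm-256"}
SHA2 = {"sha2-256", "sha2-384", "sha2-512",
        "hmac-sha2-256", "hmac-sha2-384", "hmac-sha2-512"}
CISCO_SHA2_HMAC = {"esp-sha256-hmac", "esp-sha384-hmac", "esp-sha512-hmac"}

# Constructed samples mirroring the proposals in the two CPE configs above.
HUAWEI_IKE_PROPOSAL = """\
ike proposal default
 encryption-algorithm aes-256
 dh group2
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
"""
CISCO_TRANSFORM_SET = "crypto ipsec transform-set TRANSFORM1 esp-aes 256 esp-sha256-hmac"


def parse_huawei_ike_proposal(text):
    """Turn a one-parameter-per-line 'ike proposal' block into a dict."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("ike proposal"):
            continue
        key, _, value = line.partition(" ")
        params[key] = value
    return params


def check_huawei_ike_proposal(text):
    """Return a list of policy findings for a Huawei IKE proposal (empty = passes)."""
    p = parse_huawei_ike_proposal(text)
    findings = []
    if p.get("encryption-algorithm") not in AES256:
        findings.append(f"encryption-algorithm {p.get('encryption-algorithm')}: AES-256 required")
    m = re.fullmatch(r"group(\d+)", p.get("dh", ""))
    group = int(m.group(1)) if m else 0
    if group < MIN_DH_GROUP:
        findings.append(f"dh group{group}: below group {MIN_DH_GROUP} "
                        "(group2 is 1024-bit MODP, group14 is 2048-bit MODP)")
    for key in ("authentication-algorithm", "integrity-algorithm", "prf"):
        if p.get(key) not in SHA2:
            findings.append(f"{key} {p.get(key)}: SHA-2 required")
    return findings


def check_cisco_transform_set(line):
    """Check the ESP transforms on a Cisco 'crypto ipsec transform-set' line."""
    tokens = line.split()
    if tokens[:3] != ["crypto", "ipsec", "transform-set"]:
        raise ValueError("not a transform-set line")
    transforms = tokens[4:]            # skip the set name
    enc, key_bits, integ = None, 128, None   # IOS defaults esp-aes to 128 bits
    i = 0
    while i < len(transforms):
        t = transforms[i]
        if t.endswith("-hmac"):
            integ = t
        else:
            enc = t
            if i + 1 < len(transforms) and transforms[i + 1].isdigit():
                key_bits = int(transforms[i + 1])
                i += 1
        i += 1
    findings = []
    if enc not in ("esp-aes", "esp-gcm") or key_bits != 256:
        findings.append(f"encryption {enc} {key_bits}: esp-aes 256 (or esp-gcm 256) required")
    # esp-gcm is AEAD and carries its own integrity; otherwise a SHA-2 HMAC is required
    if enc != "esp-gcm" and integ not in CISCO_SHA2_HMAC:
        findings.append(f"integrity {integ}: SHA-2 HMAC required (esp-sha-hmac is SHA-1)")
    return findings


if __name__ == "__main__":
    for name, findings in (("Huawei ike proposal", check_huawei_ike_proposal(HUAWEI_IKE_PROPOSAL)),
                           ("Cisco TRANSFORM1", check_cisco_transform_set(CISCO_TRANSFORM_SET))):
        print(name + ":", "OK" if not findings else "\n  " + "\n  ".join(findings))
```

Run as-is, the Cisco transform set passes and the Huawei proposal produces a single finding for dh group2; the same two functions can be pointed at any other CPE's proposal lines to keep both ends of a tunnel at the same baseline.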
The resulting connection diagram looks like this:

[figure: resulting connection diagram for Beeline IPVPN over IPSec]

If the client has no configuration example for other specific equipment, we usually help to put one together and make it available to everyone.

All that remains is to connect the CPE to the Internet, ping the far end of the VPN tunnel and any host inside the VPN, and that is it: the connection can be considered established.

In the next article we will tell you how we combined this IPSec scheme with MultiSIM redundancy using a Huawei CPE: we installed Huawei CPEs for clients that can use not only a wired Internet channel but also 2 different SIM cards, and the CPE automatically rebuilds the IPSec tunnel either over the wired WAN or over radio (LTE#1/LTE#2), giving the resulting service high fault tolerance.

Special thanks to our RnD colleagues for preparing this article (and, in fact, to the authors of these technical solutions)!

source: www.habr.com
