Setting up an IPSec Site-to-Site VPN on Palo Alto Networks equipment

This article continues a series of materials on the specifics of configuring Palo Alto Networks equipment. Here we discuss setting up an IPSec Site-to-Site VPN on Palo Alto Networks firewalls and one possible configuration for connecting to several Internet providers at once.

For the demonstration, a standard scheme connecting a head office to a branch is used. To provide fault-tolerant Internet connectivity, the head office has links to two providers, ISP-1 and ISP-2. The branch has a link to a single provider, ISP-3. Two tunnels are built between the firewalls PA-1 and PA-2. The tunnels operate in Active/Standby mode: Tunnel-1 is active, and Tunnel-2 starts carrying traffic only when Tunnel-1 fails. Tunnel-1 uses the link to ISP-1, Tunnel-2 uses the link to ISP-2. All IP addresses are made up for demonstration purposes and have no relation to real networks.

The Site-to-Site VPN is built with IPsec, a set of protocols for protecting data transmitted over IP. IPsec will run with the ESP (Encapsulating Security Payload) security protocol, which provides both encryption and integrity protection of the transmitted data (the alternative, AH, authenticates packets but does not encrypt them).

IPsec includes IKE (Internet Key Exchange), the protocol responsible for negotiating SAs (Security Associations), the sets of security parameters used to protect the transmitted data. PAN-OS firewalls support both IKEv1 and IKEv2.

In IKEv1 the VPN connection is built in two phases: IKEv1 Phase 1 (the IKE tunnel) and IKEv1 Phase 2 (the IPSec tunnel). Two tunnels are therefore created: one is used to exchange control information between the firewalls, the other to carry user traffic. IKEv1 Phase 1 has two operating modes, main mode and aggressive mode. Aggressive mode uses fewer messages and is faster, but does not support peer identity protection: the identities are sent in the clear, and with pre-shared-key authentication the PSK-derived hash is exposed to offline guessing, so aggressive mode should be avoided.

IKEv2 replaced IKEv1; compared with IKEv1, its main advantages are lower bandwidth requirements and faster SA negotiation. IKEv2 needs fewer control messages (4 in total for the initial exchange, against 6 in IKEv1 main mode plus 3 in quick mode), supports EAP and MOBIKE, and adds a mechanism for checking the availability of the peer with which the tunnel is built, the Liveness Check, which replaces Dead Peer Detection in IKEv1. If the check fails, IKEv2 can tear the tunnel down and then automatically rebuild it at the first opportunity. More about the differences is linked from the source article.

If the tunnel is built between firewalls from different vendors, there may be bugs in their IKEv2 implementations, and for compatibility with such equipment IKEv1 may have to be used. In all other cases it is better to use IKEv2.

Configuration steps:

• Configuring two Internet providers in Active/Standby mode

There are several ways to do this. One is the Path Monitoring mechanism, available since PAN-OS 8.0.0; this example uses version 8.0.16. The feature is similar to IP SLA on Cisco routers. In the parameters of the static default route you configure sending ping packets to a specific IP address from a specific source address. In this case interface ethernet1/1 pings the default gateway once per second. If three consecutive pings go unanswered, the route is considered down and is removed from the routing table. The same route is configured toward the second Internet provider, but with a higher metric (this is mandatory). As soon as the first route is withdrawn from the table, the firewall starts sending traffic via the second route: Fail-Over. When the first provider answers pings again, its route returns to the table and displaces the second one thanks to its better metric: Fail-Back. Fail-Over takes several seconds depending on the configured interval and count; in any case the process is not instantaneous, and traffic is lost during that time. Fail-Back happens without traffic loss, although PAN-OS first waits out the route's preemptive hold time before reinstating it, so the return is delayed rather than immediate. Fail-Over can be made faster with BFD, if the Internet provider supports it; BFD is supported starting with the PA-3000 series and VM-100 models. As the ping destination it is better to use not the provider's gateway but a public, always-reachable Internet address: the gateway still answers when the provider's upstream is broken, whereas a remote address detects that case too (pick one that does not rate-limit ICMP, or the route will flap).

• Creating the tunnel interfaces

Traffic is sent into a tunnel through a dedicated tunnel interface. Each of them must be configured with an IP address from the transit network. In this example tunnel.1 with the network 172.16.1.0/30 is used for Tunnel-1, and tunnel.2 with the network 172.16.2.0/30 for Tunnel-2.
The tunnel interface is created in Network -> Interfaces -> Tunnel. You must specify the virtual router and the security zone, as well as the IP address from the transit network. The interface number can be anything. Putting the tunnel interfaces in their own zone (rather than the external or internal zone) keeps the policy between the LAN and the VPN explicit.

In the Advanced section you can attach a Management Profile that allows ping on this interface. This is useful for testing, and it is also a requirement when the other side uses Tunnel Monitor, because the monitor pings the peer's tunnel interface; keep the profile limited to ping only.

• Configuring the IKE profile

The IKE profile is responsible for the first stage of building the VPN connection; the IKE Phase 1 tunnel parameters are set here. The profile is created in Network -> Network Profiles -> IKE Crypto. You must specify the encryption algorithm, the hashing algorithm, the Diffie-Hellman group and the key lifetime. In general, the stronger the algorithms, the lower the performance; they should be chosen according to the actual security requirements, and the peer must be configured with a matching set, otherwise Phase 1 will not complete. Using a Diffie-Hellman group below 14 to protect sensitive data is strongly discouraged. The small MODP groups (groups 1, 2 and 5 use 768-, 1024- and 1536-bit moduli) are weak, and this is addressed only by using moduli of 2048 bits or more (group 14 and above) or the elliptic-curve groups 19, 20 and 21. Note that group 24 is not an elliptic-curve group but a 2048-bit MODP group with a 256-bit subgroup. The elliptic-curve groups also perform noticeably better than classic MODP groups at an equivalent security level. Further reading on this is linked from the source article.

• Configuring the IPSec profile

The second stage of building the VPN connection is the IPSec tunnel. Its SA parameters are set in Network -> Network Profiles -> IPSec Crypto. Here you specify the IPSec protocol, AH or ESP (AH only authenticates and does not encrypt, so ESP is the usual choice), and the SA parameters: hashing and encryption algorithms, the Diffie-Hellman group and the key lifetime. The Diffie-Hellman group in this profile provides Perfect Forward Secrecy, so that compromise of the Phase 1 keys does not expose the Phase 2 keys; keep it set rather than choosing no-pfs unless the peer cannot do otherwise. The SA parameters in the IKE Crypto profile and the IPSec Crypto profile do not have to be the same as each other, but each must match the corresponding profile on the peer.

• Configuring the IKE Gateway

An IKE Gateway is an object describing the router or firewall with which the VPN tunnel is built. A separate IKE Gateway is needed for each tunnel; in this case there are two tunnels, one per Internet provider. You specify the outgoing interface and its IP address, the peer's IP address and the pre-shared key (which should be long and random). Certificates can be used instead of a pre-shared key.

The IKE Crypto Profile created earlier is referenced here. The second IKE Gateway object is configured the same way, except for the IP addresses. If the Palo Alto Networks firewall is behind a NAT router, NAT Traversal must be enabled so that IKE and ESP are carried inside UDP port 4500; if the peer validates the IKE identity, the Local Identification also has to be set to the value the peer expects, because the address on the interface differs from the public address the peer sees.

• Configuring the IPSec Tunnel

The IPSec Tunnel object defines the parameters of the IPSec tunnel itself, as its name suggests. Here you specify the tunnel interface and the previously created IKE Gateway and IPSec Crypto profile. To get automatic switchover to the backup tunnel, Tunnel Monitor must be enabled. This mechanism checks whether the peer is alive using ICMP traffic. As the destination address you enter the IP address of the peer's tunnel interface (the other end of the transit network), so the peer's tunnel interface must be allowed to answer ping through its Management Profile, or the monitor will report the tunnel as down even when it is up. The monitor profile defines the timers and the action taken when the connection is lost: Wait Recover waits until the connection recovers; Fail Over sends traffic via another route, if one exists. The second tunnel is set up the same way, with the second tunnel interface and the second IKE Gateway.

• Configuring routing

This example uses static routing. On the PA-1 firewall, besides the two default routes, you need two routes to the branch subnet 10.10.10.0/24: one via Tunnel-1, the other via Tunnel-2. The route via Tunnel-1 is the primary one because it has the lower metric. Path Monitoring is not used on these routes; the Tunnel Monitor is responsible for switching between them.

The same pair of routes, toward the head office subnet 192.168.30.0/24, must be configured on PA-2.

• Configuring security rules

For the tunnel to work, three security rules are needed:

  1. For Path Monitoring: allow ICMP on the external interfaces.
  2. For IPsec: allow the ike and ipsec applications on the external interfaces (when NAT Traversal is used, this must also cover ESP encapsulated in UDP port 4500).
  3. Allow traffic between the internal subnets and the zone holding the tunnel interfaces.
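As an added example (not part of the original article and not Palo Alto's own documentation), here is the PA-1 side of the whole procedure above expressed as PAN-OS CLI `set` commands, in the same order as the steps: the two path-monitored default routes, the tunnel interfaces, the IKE and IPSec crypto profiles, the IKE gateways, the IPSec tunnels with tunnel monitoring, the branch routes and the three security rules. The provider addresses (203.0.113.0/30 on ethernet1/1, 198.51.100.0/30 on ethernet1/2, branch peer 192.0.2.2), the zone names untrust, trust and VPN, all object names and the pre-shared-key placeholder are assumptions; the external interfaces are assumed to be configured already. The command paths are reconstructed from the PAN-OS 8.x configuration schema and should be checked with `?` completion on the device before pasting. Lines beginning with `#` are annotations, not CLI input.

```panos
# Added example: PA-1 (head office) as PAN-OS "set" commands. "#" lines are annotations only.
# Addresses, interface names, zone names and object names are assumed, not from the article.
configure

# Step 1: two ISPs in Active/Standby. Both default routes are path-monitored (1 s interval,
# 3 lost pings = down); ISP-2 carries the higher metric so it is used only after Fail-Over.
set network virtual-router default routing-table ip static-route ISP-1 destination 0.0.0.0/0 interface ethernet1/1 nexthop ip-address 203.0.113.1 metric 10
set network virtual-router default routing-table ip static-route ISP-1 path-monitor enable yes failure-condition any hold-time 2
set network virtual-router default routing-table ip static-route ISP-1 path-monitor monitor-destinations ISP-1-GW enable yes source 203.0.113.2/32 destination 203.0.113.1 interval 1 count 3
set network virtual-router default routing-table ip static-route ISP-2 destination 0.0.0.0/0 interface ethernet1/2 nexthop ip-address 198.51.100.1 metric 20
set network virtual-router default routing-table ip static-route ISP-2 path-monitor enable yes failure-condition any hold-time 2
set network virtual-router default routing-table ip static-route ISP-2 path-monitor monitor-destinations ISP-2-GW enable yes source 198.51.100.2/32 destination 198.51.100.1 interval 1 count 3

# Step 2: tunnel interfaces with transit-network addresses, in a dedicated VPN zone and in the
# virtual router. The management profile permits ping only, which the peer's Tunnel Monitor needs.
set network profiles interface-management-profile PING-ONLY ping yes
set network interface tunnel units tunnel.1 ip 172.16.1.1/30
set network interface tunnel units tunnel.1 interface-management-profile PING-ONLY
set network interface tunnel units tunnel.2 ip 172.16.2.1/30
set network interface tunnel units tunnel.2 interface-management-profile PING-ONLY
set zone VPN network layer3 [ tunnel.1 tunnel.2 ]
set network virtual-router default interface [ tunnel.1 tunnel.2 ]

# Step 3: IKE Crypto profile (Phase 1). DH group 14 or stronger, as the text recommends.
set network ike crypto-profiles ike-crypto-profiles IKE-P1 encryption aes-256-cbc
set network ike crypto-profiles ike-crypto-profiles IKE-P1 hash sha256
set network ike crypto-profiles ike-crypto-profiles IKE-P1 dh-group group14
set network ike crypto-profiles ike-crypto-profiles IKE-P1 lifetime hours 8

# Step 4: IPSec Crypto profile (Phase 2). ESP, and a DH group here gives Perfect Forward Secrecy.
set network ike crypto-profiles ipsec-crypto-profiles IPSEC-P2 esp encryption aes-256-cbc
set network ike crypto-profiles ipsec-crypto-profiles IPSEC-P2 esp authentication sha256
set network ike crypto-profiles ipsec-crypto-profiles IPSEC-P2 dh-group group14
set network ike crypto-profiles ipsec-crypto-profiles IPSEC-P2 lifetime hours 1

# Step 5: one IKE Gateway per tunnel, identical except for the local interface and address.
set network ike gateway GW-ISP-1 local-address interface ethernet1/1 ip 203.0.113.2/30
set network ike gateway GW-ISP-1 peer-address ip 192.0.2.2
set network ike gateway GW-ISP-1 authentication pre-shared-key key <pre-shared-key>
set network ike gateway GW-ISP-1 protocol version ikev2
set network ike gateway GW-ISP-1 protocol ikev2 ike-crypto-profile IKE-P1
set network ike gateway GW-ISP-1 protocol ikev2 dpd enable yes
set network ike gateway GW-ISP-2 local-address interface ethernet1/2 ip 198.51.100.2/30
set network ike gateway GW-ISP-2 peer-address ip 192.0.2.2
set network ike gateway GW-ISP-2 authentication pre-shared-key key <pre-shared-key>
set network ike gateway GW-ISP-2 protocol version ikev2
set network ike gateway GW-ISP-2 protocol ikev2 ike-crypto-profile IKE-P1
set network ike gateway GW-ISP-2 protocol ikev2 dpd enable yes
# Only when PA-1 itself sits behind a NAT device (IKE/ESP then travel inside UDP 4500):
# set network ike gateway GW-ISP-1 protocol-common nat-traversal enable yes

# Step 6: Tunnel Monitor profile with the fail-over action, then the two IPSec tunnels.
# destination-ip is the peer's tunnel interface address on each transit network.
set network tunnel-monitor TM-FAILOVER action fail-over
set network tunnel-monitor TM-FAILOVER interval 3
set network tunnel-monitor TM-FAILOVER threshold 5
set network tunnel ipsec Tunnel-1 tunnel-interface tunnel.1
set network tunnel ipsec Tunnel-1 auto-key ike-gateway GW-ISP-1
set network tunnel ipsec Tunnel-1 auto-key ipsec-crypto-profile IPSEC-P2
set network tunnel ipsec Tunnel-1 tunnel-monitor enable yes destination-ip 172.16.1.2 tunnel-monitor-profile TM-FAILOVER
set network tunnel ipsec Tunnel-2 tunnel-interface tunnel.2
set network tunnel ipsec Tunnel-2 auto-key ike-gateway GW-ISP-2
set network tunnel ipsec Tunnel-2 auto-key ipsec-crypto-profile IPSEC-P2
set network tunnel ipsec Tunnel-2 tunnel-monitor enable yes destination-ip 172.16.2.2 tunnel-monitor-profile TM-FAILOVER

# Step 7: routes to the branch subnet. Tunnel-1 wins on metric; no Path Monitoring on these,
# the Tunnel Monitor's fail-over action is what moves traffic to the Tunnel-2 route.
set network virtual-router default routing-table ip static-route BRANCH-T1 destination 10.10.10.0/24 interface tunnel.1 metric 10
set network virtual-router default routing-table ip static-route BRANCH-T2 destination 10.10.10.0/24 interface tunnel.2 metric 20

# Security rules: ICMP for Path Monitoring, IKE/IPSec on the external interfaces, LAN <-> VPN.
set rulebase security rules ALLOW-PING-MONITOR from untrust to untrust source any destination any source-user any category any application ping service application-default hip-profiles any action allow
set rulebase security rules ALLOW-IKE-IPSEC from untrust to untrust source any destination any source-user any category any application [ ike ipsec ] service application-default hip-profiles any action allow
set rulebase security rules LAN-VPN from [ trust VPN ] to [ trust VPN ] source [ 192.168.30.0/24 10.10.10.0/24 ] destination [ 192.168.30.0/24 10.10.10.0/24 ] source-user any category any application any service any hip-profiles any action allow

commit

# Checks after commit, in operational mode:
# show vpn ike-sa                    -- Phase 1 SA per gateway
# show vpn ipsec-sa                  -- Phase 2 SA per tunnel
# show vpn flow                      -- tunnel state and monitor status
# show routing route                 -- which default and branch routes are installed
# test vpn ike-sa gateway GW-ISP-1   -- force Phase 1 negotiation to see errors immediately
```

PA-2 mirrors this with a single external interface toward ISP-3, tunnel addresses 172.16.1.2/30 and 172.16.2.2/30, the two head-office public addresses as peers, and the two routes to 192.168.30.0/24. Both sides must offer the same algorithms and DH group in each profile, and each side's tunnel interface must answer ping, otherwise the Tunnel Monitor on the other side reports the tunnel down and, with the fail-over action, keeps pulling its route.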

Conclusion

This article discussed one option for setting up a fault-tolerant Internet connection together with a Site-to-Site VPN. We hope the information was useful and that the reader has gained an understanding of the technologies used in Palo Alto Networks equipment. If you have questions about the configuration or suggestions for future article topics, write them in the comments; we will be glad to answer.

source: www.habr.com
