VMware NSX for beginners. Part 6: Configuring VPN

Part one. Introduction
Part two. Configuring firewall and NAT rules
Part three. Configuring DHCP
Part four. Configuring routing
Part five. Configuring the load balancer

Today we will look at the VPN configuration options that NSX Edge offers us.

In general, VPN technologies can be divided into two key types:

  • Site-to-site VPN. IPsec is most often used to create a secure tunnel, for example, between the main office network and a network at a remote site or in the cloud.
  • Remote Access VPN. Used to connect individual users to private corporate networks using VPN client software.

NSX Edge lets us use both options.
We will configure them on a test bench with two NSX Edges, a Linux server with the racoon daemon installed, and a Windows laptop for testing the Remote Access VPN.

IPsec

  1. In the vCloud Director interface, go to the Administration section and select the vDC. On the Edge Gateways tab, select the Edge we need, right-click it and choose Edge Gateway Services.
  2. In the NSX Edge interface, go to the VPN - IPsec VPN tab, then to the IPsec VPN Sites section, and click + to add a new site.

  3. Fill in the required fields:
    • Enabled – enables the remote site.
    • PFS – ensures that each new cryptographic key is unrelated to any previous key.
    • Local Id and Local Endpoint – the external address of the NSX Edge.
    • Local Subnets – the local networks that will use the IPsec VPN.
    • Peer Id and Peer Endpoint – the address of the remote site.
    • Peer Subnets – the networks on the remote side that will use the IPsec VPN.
    • Encryption Algorithm – the tunnel encryption algorithm.
    • Authentication – how we authenticate the peer. You can use a Pre-Shared Key or a certificate.
    • Pre-Shared Key – specifies the key that will be used for authentication; it must match on both sides.
    • Diffie-Hellman Group – the key exchange algorithm.

    After filling in the required fields, click Keep.

  4. Done.

  5. After adding the site, go to the Activation Status tab and enable the IPsec Service.

  6. After the settings have been applied, go to the Statistics -> IPsec VPN tab and check the tunnel status. We see that the tunnel is up.

  7. Check the tunnel status from the Edge gateway console:
    • show service ipsec – check the service status.
    • show service ipsec site – information about the site state and the negotiated parameters.
    • show service ipsec sa – check the Security Association (SA) status.

  8. Check connectivity with the remote site:
    root@racoon:~# ifconfig eth0:1 | grep inet
            inet 10.255.255.1  netmask 255.255.255.0  broadcast 0.0.0.0
    
    root@racoon:~# ping -c1 -I 10.255.255.1 192.168.0.10 
    PING 192.168.0.10 (192.168.0.10) from 10.255.255.1 : 56(84) bytes of data.
    64 bytes from 192.168.0.10: icmp_seq=1 ttl=63 time=59.9 ms
    
    --- 192.168.0.10 ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 0ms
    rtt min/avg/max/mdev = 59.941/59.941/59.941/0.000 ms
    

    Configuration files and additional diagnostic commands on the remote Linux server:

    root@racoon:~# cat /etc/racoon/racoon.conf 
    
    log debug;
    path pre_shared_key "/etc/racoon/psk.txt";
    path certificate "/etc/racoon/certs";
    
    listen {
      isakmp 80.211.43.73 [500];
       strict_address;
    }
    
    remote 185.148.83.16 {
            exchange_mode main,aggressive;
            proposal {
                     encryption_algorithm aes256;
                     hash_algorithm sha1;
                     authentication_method pre_shared_key;
                     dh_group modp1536;
             }
             generate_policy on;
    }
     
    sainfo address 10.255.255.0/24 any address 192.168.0.0/24 any {
             encryption_algorithm aes256;
             authentication_algorithm hmac_sha1;
             compression_algorithm deflate;
    }
    
    ===
    
    root@racoon:~# cat /etc/racoon/psk.txt
    185.148.83.16 testkey
    
    ===
    
    root@racoon:~# cat /etc/ipsec-tools.conf 
    #!/usr/sbin/setkey -f
    
    flush;
    spdflush;
    
    spdadd 192.168.0.0/24 10.255.255.0/24 any -P in ipsec
          esp/tunnel/185.148.83.16-80.211.43.73/require;
    
    spdadd 10.255.255.0/24 192.168.0.0/24 any -P out ipsec
          esp/tunnel/80.211.43.73-185.148.83.16/require;
    
    ===
    
    
    root@racoon:~# racoonctl show-sa isakmp
    Destination            Cookies                           Created
    185.148.83.16.500      2088977aceb1b512:a4c470cb8f9d57e9 2019-05-22 13:46:13 
    
    ===
    
    root@racoon:~# racoonctl show-sa esp
    80.211.43.73 185.148.83.16 
            esp mode=tunnel spi=1646662778(0x6226147a) reqid=0(0x00000000)
            E: aes-cbc  00064df4 454d14bc 9444b428 00e2296e c7bb1e03 06937597 1e522ce0 641e704d
            A: hmac-sha1  aa9e7cd7 51653621 67b3b2e9 64818de5 df848792
            seq=0x00000000 replay=4 flags=0x00000000 state=mature 
            created: May 22 13:46:13 2019   current: May 22 14:07:43 2019
            diff: 1290(s)   hard: 3600(s)   soft: 2880(s)
            last: May 22 13:46:13 2019      hard: 0(s)      soft: 0(s)
            current: 72240(bytes)   hard: 0(bytes)  soft: 0(bytes)
            allocated: 860  hard: 0 soft: 0
            sadb_seq=1 pid=7739 refcnt=0
    185.148.83.16 80.211.43.73 
            esp mode=tunnel spi=88535449(0x0546f199) reqid=0(0x00000000)
            E: aes-cbc  c812505a 9c30515e 9edc8c4a b3393125 ade4c320 9bde04f0 94e7ba9d 28e61044
            A: hmac-sha1  cd9d6f6e 06dbcd6d da4d14f8 6d1a6239 38589878
            seq=0x00000000 replay=4 flags=0x00000000 state=mature 
            created: May 22 13:46:13 2019   current: May 22 14:07:43 2019
            diff: 1290(s)   hard: 3600(s)   soft: 2880(s)
            last: May 22 13:46:13 2019      hard: 0(s)      soft: 0(s)
            current: 72240(bytes)   hard: 0(bytes)  soft: 0(bytes)
            allocated: 860  hard: 0 soft: 0
            sadb_seq=0 pid=7739 refcnt=0

  9. Everything is ready; the site-to-site IPsec VPN is up and running.

    In this example we used a PSK to authenticate the peers, but certificate authentication is also an option. To use it, go to the Global Configuration tab, enable certificate authentication and select the certificate itself.

    In addition, you need to change the authentication method in the site settings.

    Note that the number of IPsec tunnels depends on the size of the deployed Edge Gateway (read about this in our first article).
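The `racoonctl show-sa esp` output in step 8 is what you read to confirm the tunnel is really carrying traffic. As an added example (not code from the original post or from ipsec-tools), here is a small Python parser for that output together with a health check: it confirms an ESP SA exists in each direction, is in state mature, and reports how long remains before racoon's soft lifetime triggers a rekey. The sample output is constructed after the step-8 listing with the key material left out; the endpoint addresses are the ones used in the article.

```python
"""Parse `racoonctl show-sa esp` output and report tunnel health.

Added example for this article; it is not code from the original post or
from ipsec-tools. It automates the check step 8 does by eye: an ESP SA
exists in each direction, is in state "mature", and is not about to hit
its lifetime limits.
"""
import re

# Constructed sample, modelled on the step-8 output (key material left out).
SAMPLE_OUTPUT = """\
80.211.43.73 185.148.83.16
        esp mode=tunnel spi=1646662778(0x6226147a) reqid=0(0x00000000)
        E: aes-cbc  <key material omitted>
        A: hmac-sha1  <key material omitted>
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: May 22 13:46:13 2019   current: May 22 14:07:43 2019
        diff: 1290(s)   hard: 3600(s)   soft: 2880(s)
        last: May 22 13:46:13 2019      hard: 0(s)      soft: 0(s)
        current: 72240(bytes)   hard: 0(bytes)  soft: 0(bytes)
        allocated: 860  hard: 0 soft: 0
        sadb_seq=1 pid=7739 refcnt=0
185.148.83.16 80.211.43.73
        esp mode=tunnel spi=88535449(0x0546f199) reqid=0(0x00000000)
        E: aes-cbc  <key material omitted>
        A: hmac-sha1  <key material omitted>
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: May 22 13:46:13 2019   current: May 22 14:07:43 2019
        diff: 1290(s)   hard: 3600(s)   soft: 2880(s)
        last: May 22 13:46:13 2019      hard: 0(s)      soft: 0(s)
        current: 72240(bytes)   hard: 0(bytes)  soft: 0(bytes)
        allocated: 860  hard: 0 soft: 0
        sadb_seq=0 pid=7739 refcnt=0
"""


def parse_show_sa(text):
    """Return one dict per SA: endpoints, spi, mode, algorithms, state, lifetimes."""
    sas, cur = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():            # unindented "src dst" line opens a new SA
            src, dst = line.split()[:2]
            cur = {"src": src, "dst": dst}
            sas.append(cur)
            continue
        s = line.strip()
        if s.startswith("esp "):
            m = re.search(r"mode=(\w+) spi=(\d+)", s)
            cur["mode"], cur["spi"] = m.group(1), int(m.group(2))
        elif s.startswith("E: "):            # ESP cipher (key bytes follow, ignored)
            cur["enc"] = s.split()[1]
        elif s.startswith("A: "):            # ESP integrity algorithm
            cur["auth"] = s.split()[1]
        elif "state=" in s:
            cur["state"] = re.search(r"state=(\w+)", s).group(1)
        elif s.startswith("diff:"):          # age and time-based lifetimes in seconds
            m = re.search(r"diff: (\d+)\(s\)\s+hard: (\d+)\(s\)\s+soft: (\d+)\(s\)", s)
            cur["age"], cur["hard"], cur["soft"] = map(int, m.groups())
        elif s.startswith("current:"):       # bytes carried so far
            cur["bytes"] = int(re.search(r"current: (\d+)\(bytes\)", s).group(1))
    return sas


def seconds_to_rekey(sa):
    """Seconds left before racoon's soft lifetime triggers a rekey (0 if overdue)."""
    return max(0, sa["soft"] - sa["age"])


def check_tunnel(sas, local, peer, rekey_warn=300):
    """Return findings for the local<->peer tunnel; an empty list means healthy."""
    findings = []
    by_dir = {(sa["src"], sa["dst"]): sa for sa in sas}
    for src, dst in ((local, peer), (peer, local)):
        sa = by_dir.get((src, dst))
        if sa is None:
            findings.append(f"no ESP SA for {src} -> {dst}")
            continue
        label = f"{src} -> {dst} spi={sa['spi']:#x}"
        if sa.get("mode") != "tunnel":
            findings.append(f"{label}: mode {sa.get('mode')}, expected tunnel")
        if sa.get("state") != "mature":
            findings.append(f"{label}: state {sa.get('state')}, expected mature")
        if sa["age"] >= sa["hard"]:
            findings.append(f"{label}: hard lifetime exceeded")
        elif seconds_to_rekey(sa) < rekey_warn:
            findings.append(f"{label}: soft lifetime expires in {seconds_to_rekey(sa)}s")
    return findings


if __name__ == "__main__":
    sas = parse_show_sa(SAMPLE_OUTPUT)
    for sa in sas:
        print(f"{sa['src']} -> {sa['dst']}: {sa['enc']}/{sa['auth']} "
              f"{sa['state']}, rekey in {seconds_to_rekey(sa)}s")
    print(check_tunnel(sas, "80.211.43.73", "185.148.83.16") or "tunnel healthy")
```

On a live host, replace SAMPLE_OUTPUT with the captured output of `racoonctl show-sa esp` and run the check from a monitoring job; a missing direction or a non-mature state is the condition step 6 would otherwise show as a tunnel that is down.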


SSL VPN

SSL VPN-Plus is one of the Remote Access VPN options. It allows remote users to connect securely to private networks behind the NSX Edge gateway. In SSL VPN-Plus mode an encrypted tunnel is established between the client (Windows, Linux, Mac) and the NSX Edge.

  1. Let's start the configuration. In the Edge Gateway services control panel, go to the SSL VPN-Plus tab, then to Server Settings. We select the address and port on which the server will listen for incoming connections, enable logging and select the encryption algorithms.

    Here you can also change the certificate that the server will use.

  2. Once everything is ready, enable the server and don't forget to save the settings.

  3. Next, we need to configure the pool of addresses that we will hand out to clients when they connect. This network is separate from any existing subnet in the NSX environment and does not need to be configured on other devices in the physical network, apart from routes pointing to it.

    Go to the IP Pools tab and click +.

  4. Select the address range, subnet mask and gateway. Here you can also change the DNS and WINS server settings.

  5. The resulting pool.

  6. Now let's add the networks that users connecting over the VPN will have access to. Go to the Private Networks tab and click +.

  7. We fill in:
    • Network – the local network that remote users will have access to.
    • Send traffic, which has two options:
      - over tunnel – send traffic to the network through the tunnel,
      - bypass tunnel – send traffic to the network directly, bypassing the tunnel.
    • Enable TCP Optimization – tick this if you chose the over tunnel option. When optimization is enabled, you can specify the port numbers for which you want traffic optimized. Traffic on the other ports of that network will not be optimized. If no port numbers are specified, traffic on all ports is optimized. Read more about this feature here.

  8. Next, go to the Authentication tab and click +. For authentication we will use the local server on the NSX Edge itself.

  9. Here we can choose a policy for creating new passwords and configure the options for locking user accounts (for example, the number of retries allowed when a password is entered incorrectly).

  10. Since we are using local authentication, we need to create the users.

  11. Besides the basics such as the name and password, here you can, for example, prohibit the user from changing the password or, conversely, force them to change the password at the next login.

  12. After all the necessary users have been added, go to the Installation Packages tab, click + and create the installer itself, which the remote employee will download and install.

  13. Click +. We select the server address and port that the client will connect to, and the platforms for which the installation package needs to be generated.

    Further down in this window you can specify the client settings for Windows. Select:

    • start client on logon – the VPN client will be added to the startup programs on the remote machine;
    • create desktop icon – creates a VPN client icon on the desktop;
    • server security certificate validation – the server certificate will be validated on connection.

    The server configuration is complete.

  14. Now let's download the installation package we created in the previous step to the remote PC. When setting up the server we specified its external address (185.148.83.16) and port (445). This is the address we need to open in a web browser. In my case it is 185.148.83.16:445.

    In the login window, enter the credentials of the user we created earlier.

  15. After logging in, we see the list of created installation packages available for download. We created only one, so we download it.

  16. We click the link, and the client download starts.

  17. Unpack the downloaded archive and run the installer.

  18. After installation, launch the client and click Login in the login window.

  19. In the certificate confirmation window, select Yes.

  20. We enter the credentials of the user created earlier and see that the connection has been established successfully.

  21. We check the VPN client statistics on the local computer.

  22. In the Windows command line (ipconfig /all) we see that an additional virtual adapter has appeared and that there is connectivity to the remote network; everything works:

  23. And finally, a check from the Edge Gateway console.
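Steps 3 to 7 define the address plan of the SSL VPN-Plus server: an IP pool that must not overlap any existing subnet, and private networks that are each sent over the tunnel or around it, optionally with TCP optimization on chosen ports. As an added example (not the post's or VMware's code), here is a Python check of such a plan, with a function that says, for a destination and port, whether a client's traffic goes through the tunnel, bypasses it, or matches no private network entry at all. The sample networks are constructed (192.168.0.0/24 and 10.255.255.0/24 are taken from the article's IPsec example, the rest are invented), and the longest-prefix rule used for overlapping private-network entries is an assumption of this example, not documented NSX behaviour.

```python
"""Sanity-check an SSL VPN-Plus address plan and show where client traffic goes.

Added example for this article; it is not the post's or VMware's code. The
field names mirror steps 3-7 (IP pool, private networks, send traffic over
or bypassing the tunnel, TCP optimisation ports). The data model and the
longest-prefix-match rule for overlapping entries are this example's own
assumptions.
"""
import ipaddress

# Constructed sample plan: 192.168.0.0/24 and 10.255.255.0/24 are the subnets
# from the article's IPsec example; the others are invented for illustration.
EXISTING_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("192.168.0.0/24", "10.255.255.0/24", "10.10.10.0/24")]
CLIENT_POOL = ipaddress.ip_network("10.200.0.0/24")      # step 3: handed to clients

PRIVATE_NETWORKS = [
    # network, send traffic, TCP optimisation enabled, optimised ports (empty = all)
    {"network": "192.168.0.0/24", "send": "over_tunnel", "tcp_opt": True, "ports": {443, 3389}},
    {"network": "192.168.0.128/25", "send": "over_tunnel", "tcp_opt": True, "ports": set()},
    {"network": "10.10.10.0/24", "send": "bypass_tunnel", "tcp_opt": False, "ports": set()},
]


def validate_pool(pool, existing):
    """Return the existing subnets the client pool overlaps (step 3 requires none)."""
    return [n for n in existing if pool.overlaps(n)]


def validate_private_networks(nets):
    """Return configuration errors: TCP optimisation only applies over the tunnel."""
    errors = []
    for n in nets:
        if n["tcp_opt"] and n["send"] != "over_tunnel":
            errors.append(f"{n['network']}: TCP optimisation requires send=over_tunnel")
        if n["ports"] and not n["tcp_opt"]:
            errors.append(f"{n['network']}: ports listed but TCP optimisation is off")
    return errors


def match_private_network(dst, nets):
    """Longest-prefix match of a destination address against the private networks
    (assumption of this example for overlapping entries)."""
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for n in nets:
        net = ipaddress.ip_network(n["network"])
        if addr in net and net.prefixlen > best_len:
            best, best_len = n, net.prefixlen
    return best


def classify(dst, port, nets):
    """Return (path, optimised): path is 'tunnel', 'bypass' or 'none'."""
    n = match_private_network(dst, nets)
    if n is None:
        return ("none", False)                 # no private network covers it
    if n["send"] == "bypass_tunnel":
        return ("bypass", False)               # reached directly, never optimised
    optimised = n["tcp_opt"] and (not n["ports"] or port in n["ports"])
    return ("tunnel", optimised)


if __name__ == "__main__":
    print("pool overlaps:", validate_pool(CLIENT_POOL, EXISTING_NETWORKS) or "none")
    print("private network errors:", validate_private_networks(PRIVATE_NETWORKS) or "none")
    for dst, port in (("192.168.0.10", 443), ("192.168.0.10", 22),
                      ("192.168.0.200", 22), ("10.10.10.2", 80), ("203.0.113.5", 80)):
        print(f"{dst}:{port} -> {classify(dst, port, PRIVATE_NETWORKS)}")
```

The "none" result is the case to watch when reviewing a plan: a destination that matches no private network entry is not handled by the VPN policy at all, so a client reaches it (or fails to) by its own routing, not through the Edge.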


L2 VPN

L2VPN is needed when you have to join several geographically distributed networks into a single broadcast domain.

This can be useful, for example, when migrating a virtual machine: when a VM moves to another geographic site, it keeps its IP address settings and does not lose connectivity with the other machines in the same L2 domain.

In our test environment we will connect two sites to each other, calling them A and B respectively. We have two NSX Edges and two identical networks, each created on a different Edge. Machine A has the address 10.10.10.250/24, machine B has the address 10.10.10.2/24.

  1. In vCloud Director, go to the Administration tab, open the VDC we need, go to the Org VDC Networks tab and add two new networks.

  2. Select the routed network type and bind this network to our NSX. Tick the Create as subinterface checkbox.

  3. As a result, we should have two networks. In our example they are called network-a and network-b, with the same gateway settings and the same mask.

  4. Now let's go to the settings of the first NSX. This will be the NSX to which network A is attached. It will act as the server.

    We return to the NSX Edge interface and go to the VPN -> L2VPN tab. We enable L2VPN, select the Server operating mode, and in the Server Global settings specify the external IP address of the NSX on which the tunnel port will listen. By default the socket opens on port 443, but this can be changed. Don't forget to select the encryption settings for the future tunnel.

  5. Go to the Server Sites tab and add a peer.

  6. Enable the peer, set a name and, if necessary, a description, and set a user name and password. We will need these credentials later when configuring the client site.

    In Egress Optimization Gateway Address we set the gateway address. This is necessary to avoid an IP address conflict, since the gateway on both of our networks has the same address. Then click the SELECT SUB-INTERFACES button.

  7. Here we select the desired subinterface. Save the settings.

  8. We see that the newly created client site has appeared in the settings.

  9. Now let's move on to configuring the NSX on the client side.

    Go to NSX side B, go to VPN -> L2VPN, enable L2VPN and set the L2VPN mode to Client operating mode. On the Client Global tab, set the address and port of NSX A, which we specified earlier as the Listening IP and Port on the server side. The same encryption settings must also be set so that they match when the tunnel is brought up.

    Scroll down and select the subinterface through which the L2VPN tunnel will be built.
    In Egress Optimization Gateway Address we set the gateway address. Set the user id and password. Select the subinterface and don't forget to save the settings.

  10. That's actually all. The client-side and server-side settings are almost identical, apart from a few nuances.
  11. We can now see that our tunnel is up by going to Statistics -> L2VPN on each NSX.
  12. If we now go to the console of each Edge Gateway, we will see the addresses of both VMs in the ARP table of each of them.

That's all about VPN on NSX Edge. Ask if anything is unclear. This is also the last part of the series of articles on working with NSX Edge. We hope they were useful 🙂

source: www.habr.com
