Hi!
It is worth starting with the fact that we, as a telecom operator, run a large MPLS network which, for fixed-line customers, is split into two large segments: one used directly for Internet access, and one used to build isolated networks. It is this second MPLS segment that carries IPVPN (OSI L3) and VPLAN (OSI L2) for our customers.
A typical customer connection looks like this.
An access line is brought into the customer's office from the nearest point of presence (a MEN node, RRL, BSSS, FTTB, etc.) to a router, where we terminate it into a VRF created for that customer, taking into account the traffic profile the customer needs (profile labels are selected per access port based on ip precedence values 0, 1, 3, 5).
If for some reason we cannot fully organize the last mile for a customer (for example, the customer's office is in a business centre where another provider is the primary one, or we simply have no point of presence nearby), then customers previously had to either build several IPVPN networks across different providers (not the most cost-effective design) or solve the problem of reaching their VRF over the Internet on their own.
Many did this by installing an IPVPN Internet gateway: they set up a border router (hardware or some Linux-based solution), connected an IPVPN channel to one port and an Internet channel to another, ran their own VPN server on it, and connected users through their own VPN gateway. Naturally, such a scheme brings its own burdens: it has to be built and, most inconveniently, operated and developed.
To make life easier for our customers, we installed a central VPN hub and added support for connections over the Internet using IPSec. That is, a customer now only needs to configure their router to work with our VPN hub via an IPSec tunnel over any public network, and we release that customer's traffic into their VRF.
Who needs it
- Those who already have a large IPVPN network and need new connections in a short time.
- Those who, for some reason, want to move part of their traffic from the public network into IPVPN, but have run into technical limitations tied to particular service providers.
- Those who currently have separate VPN networks spread across different telecom operators. There are customers whose IPVPN is assembled from Beeline, Megafon, Rostelecom, etc. To simplify, you can stay on our single VPN, switch the other operators' channels to the Internet, and then connect those users to the Beeline IPVPN via IPSec over the Internet.
- Those whose IPVPN network needs to be overlaid on top of the Internet.
If you host everything with us, customers get full VPN support, redundancy for critical systems, and standard settings that work on any router they use (Cisco, Mikrotik, whatever; the main thing is that it properly supports IPSec/IKEv2 with standard authentication methods).
By the way, about IPSec: at the moment it is the only protocol we support, but we plan to launch full OpenVPN and Wireguard support so that customers are not tied to a protocol and it is easier to pick everything up and move it to us. We also want to start connecting customers from computers and mobile devices (solutions built into the OS, Cisco AnyConnect, strongSwan and the like). With this approach, building the infrastructure can be safely handed over to the operator, leaving the customer only the configuration of the CPE or host.
How the connection process works for the IPSec option:
- The customer submits a request to their manager indicating the required connection speed, the traffic profile, the IP addressing for the tunnel (by default a subnet with a /30 mask) and the routing type (static or BGP). Routes to the customer's local networks in the connected office are either passed through the IKEv2 configuration exchange of the IPSec session, using the corresponding settings on the customer's router, or announced via BGP into MPLS from the private BGP AS specified in the customer's request. In either case, the routing information for the customer's networks is fully under the customer's control through the settings of the customer's router.
- In response, the customer receives from the manager the access data for connecting to their VRF, of the form:
- VPN-HUB IP address
- login
- authentication password
- Configure the CPE; below, as an example, are two basic configuration options:
Option for Cisco:
! Pre-shared key for the peer; the address is the Beeline VPN hub
crypto ikev2 keyring BeelineIPsec_keyring
 peer Beeline_VPNHub
  address 62.141.99.183
  pre-shared-key <Authentication password>
!
For the static routing option, routes to the networks reachable via the VPN hub can be specified in the IKEv2 configuration, and they will appear as static routes in the CE routing table. These settings can also be made in the usual way for static routes (see below).
! Route to the networks behind the CE router: a required setting for static routing between CE and PE.
! The route information is passed to the PE when the tunnel comes up, through the IKEv2 configuration exchange.
crypto ikev2 authorization policy FlexClient-author
 route set remote ipv4 10.1.1.0 255.255.255.0
!
! The identity type (fqdn or key-id) must match what the hub expects for this login
crypto ikev2 profile BeelineIPSec_profile
 identity local fqdn <login>
 authentication local pre-share
 authentication remote pre-share
 keyring local BeelineIPsec_keyring
 aaa authorization group psk list group-author-list FlexClient-author
!
crypto ikev2 client flexvpn BeelineIPsec_flex
 peer 1 Beeline_VPNHub
 client connect Tunnel1
!
crypto ipsec transform-set TRANSFORM1 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile default
 set transform-set TRANSFORM1
 set ikev2-profile BeelineIPSec_profile
!
interface Tunnel1
 ! Tunnel address (CE side of the /30)
 ip address 10.20.1.2 255.255.255.252
 ! Interface facing the Internet
 tunnel source GigabitEthernet0/2
 tunnel mode ipsec ipv4
 tunnel destination dynamic
 tunnel protection ipsec profile default
!
Routes to the customer's private networks reachable via the Beeline VPN concentrator can be configured statically:
ip route 172.16.0.0 255.255.0.0 Tunnel1
ip route 192.168.0.0 255.255.255.0 Tunnel1
Option for Huawei (AR160/AR120):
ike local-name <login>
#
# Office local network announced to the hub
acl name ipsec 3999
 rule 1 permit ip source 10.1.1.0 0.0.0.255
#
aaa
 service-scheme IPSEC
  route set acl 3999
#
ipsec proposal ipsec
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
#
# dh group2 is 1024-bit MODP; prefer a stronger group if the hub accepts one
ike proposal default
 encryption-algorithm aes-256
 dh group2
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
# remote-address is the Beeline VPN hub
ike peer ipsec
 pre-shared-key simple <Authentication password>
 local-id-type fqdn
 remote-id-type ip
 remote-address 62.141.99.183
 service-scheme IPSEC
 config-exchange request
 config-exchange set accept
 config-exchange set send
#
ipsec profile ipsecprof
 ike-peer ipsec
 proposal ipsec
#
interface Tunnel0/0/0
 # Tunnel address (CE side of the /30)
 ip address 10.20.1.2 255.255.255.252
 tunnel-protocol ipsec
 # Interface facing the Internet
 source GigabitEthernet0/0/1
 ipsec profile ipsecprof
#
Routes to the customer's private networks reachable via the Beeline VPN concentrator can be configured statically:
ip route-static 192.168.0.0 255.255.255.0 Tunnel0/0/0
ip route-static 172.16.0.0 255.255.0.0 Tunnel0/0/0
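The two vendor configurations above encode the same handful of values from the customer's request (hub address, login, pre-shared key, the /30, the office networks and the networks behind the hub), and most failed first attempts come down to one of those values being wrong. The following script is an added example, not code from the article or from Beeline: the request fields, helper names, the PSK length heuristic and the constructed sample values are assumptions, while the commands it emits mirror the Cisco FlexVPN configuration shown above and the Huawei ACL rule format.

```python
"""Build and sanity-check the CE side of an IPSec/IKEv2 tunnel to the VPN hub
from the data the customer receives from their manager.

Added example, not code from the article or from Beeline: the request fields,
helper names and the constructed sample values are assumptions; the emitted
commands mirror the Cisco FlexVPN and Huawei configurations shown above.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class TunnelRequest:
    hub_ip: str           # VPN-HUB IP address (from the manager)
    login: str            # IKEv2 identity / login (from the manager)
    psk: str              # authentication password (from the manager)
    tunnel_subnet: str    # the /30 agreed for the tunnel
    local_nets: tuple     # office networks behind the CE, announced to the hub
    remote_nets: tuple    # customer networks reachable via the hub (the VRF)
    wan_interface: str    # CE interface facing the Internet


def validate(req):
    """Return the problems that usually keep such a tunnel down; [] means sane."""
    problems = []
    try:
        tun = ipaddress.ip_network(req.tunnel_subnet, strict=True)
        local = [ipaddress.ip_network(p, strict=True) for p in req.local_nets]
        remote = [ipaddress.ip_network(p, strict=True) for p in req.remote_nets]
        ipaddress.ip_address(req.hub_ip)
    except ValueError as exc:
        return [f"malformed address or prefix: {exc}"]
    if tun.prefixlen != 30:
        problems.append(f"tunnel subnet {tun} must be a /30 (one address per side)")
    if not req.login or any(c.isspace() for c in req.login):
        problems.append("login must be a single non-empty token")
    # Heuristic (assumption): reject the template placeholder and very short keys.
    if req.psk.startswith("<") or len(req.psk) < 16:
        problems.append("pre-shared key is a placeholder or shorter than 16 characters")
    if not local or not remote:
        problems.append("need at least one local and one remote prefix")
    # A prefix present on both sides is routed into the tunnel and straight back out.
    for l in local:
        for r in remote:
            if l.overlaps(r):
                problems.append(f"local {l} overlaps remote {r}")
    for n in local + remote:
        if n.overlaps(tun):
            problems.append(f"{n} overlaps the tunnel subnet {tun}")
    return problems


def ce_tunnel_address(tunnel_subnet):
    """CE takes the second usable address of the /30; the hub end is assumed to take the first."""
    return list(ipaddress.ip_network(tunnel_subnet).hosts())[1]


def render_cisco(req):
    """Cisco IOS FlexVPN client configuration for the request (static routing variant)."""
    tun = ipaddress.ip_network(req.tunnel_subnet)
    out = ["crypto ikev2 keyring BeelineIPsec_keyring", " peer Beeline_VPNHub",
           f"  address {req.hub_ip}", f"  pre-shared-key {req.psk}", "!",
           "crypto ikev2 authorization policy FlexClient-author"]
    # Office networks behind the CE, passed to the hub through the IKEv2 config exchange.
    out += [f" route set remote ipv4 {n.network_address} {n.netmask}"
            for n in map(ipaddress.ip_network, req.local_nets)]
    out += ["!", "crypto ikev2 profile BeelineIPSec_profile",
            f" identity local fqdn {req.login}",
            " authentication local pre-share", " authentication remote pre-share",
            " keyring local BeelineIPsec_keyring",
            " aaa authorization group psk list group-author-list FlexClient-author", "!",
            "crypto ikev2 client flexvpn BeelineIPsec_flex", " peer 1 Beeline_VPNHub",
            " client connect Tunnel1", "!",
            "crypto ipsec transform-set TRANSFORM1 esp-aes 256 esp-sha256-hmac",
            " mode tunnel", "!", "crypto ipsec profile default",
            " set transform-set TRANSFORM1", " set ikev2-profile BeelineIPSec_profile", "!",
            "interface Tunnel1",
            f" ip address {ce_tunnel_address(req.tunnel_subnet)} {tun.netmask}",
            f" tunnel source {req.wan_interface}", " tunnel mode ipsec ipv4",
            " tunnel destination dynamic", " tunnel protection ipsec profile default", "!"]
    # Customer networks behind the hub are reached through the tunnel interface.
    out += [f"ip route {n.network_address} {n.netmask} Tunnel1"
            for n in map(ipaddress.ip_network, req.remote_nets)]
    return "\n".join(out)


def huawei_acl_rules(req):
    """Huawei wants wildcard masks in the ACL that selects the networks announced to the hub."""
    return [f"rule {i} permit ip source {n.network_address} {n.hostmask}"
            for i, n in enumerate(map(ipaddress.ip_network, req.local_nets), start=1)]


# Constructed sample request reusing the addresses from the configurations above.
SAMPLE = TunnelRequest(
    hub_ip="62.141.99.183", login="customer1", psk="example-psk-change-me-0123",
    tunnel_subnet="10.20.1.0/30", local_nets=("10.1.1.0/24",),
    remote_nets=("172.16.0.0/16", "192.168.0.0/24"), wan_interface="GigabitEthernet0/2")

if __name__ == "__main__":
    print("\n".join(validate(SAMPLE)) or render_cisco(SAMPLE))
```

Run it with a real request substituted for SAMPLE; if validate() reports anything, fix the request before pasting the rendered configuration, since an overlapping prefix or a wrong /30 produces a tunnel that comes up but carries no useful traffic.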
The interaction diagram looks like this:
If a customer is missing some of the basic configuration capabilities, we usually help them get set up and supply the rest.
All that remains is to connect the CPE to the Internet, ping the far end of the VPN tunnel and the hosts inside the VPN, and that is it: the connection can be considered established.
In the next article we will describe how we combined this scheme with IPSec and MultiSIM Redundancy using Huawei CPE: we install our Huawei CPE at customer sites, which can use not only a wired Internet channel but also two different SIM cards, and the CPE automatically rebuilds the IPSec tunnel over the wired WAN or over radio (LTE#1/LTE#2), giving the resulting service a high degree of fault tolerance.
Many thanks to our RnD colleagues for preparing this article (and, of course, to the authors of these technical solutions)!
Source: www.habr.com