How to connect to Beeline IPVPN via IPSec. Part 1

Hi! In the previous post I described how our MultiSIM service works in terms of redundancy and channel balancing. As mentioned there, we connect customers to the network over a VPN, and today I will tell you more about that VPN and what we can offer in this area.

It is worth starting with the fact that we, as a telecom operator, have a huge MPLS network, which for fixed-line customers is divided into two main segments: the one used directly for Internet access, and the one used to build isolated networks. It is this MPLS segment that carries IPVPN (L3 OSI) and VPLAN (L2 OSI) for our corporate customers.

[Figure: How to connect to Beeline IPVPN via IPSec. Part 1]
Typically, a customer connection looks like this.

An access line is installed in the customer's office from the nearest node of the network (MEN node, RRL, BSSS, FTTB, etc.) to a router, where we terminate a VRF created for the customer, taking into account the traffic profile the customer needs (profile labels are selected for each access port based on ip precedence values 0, 1, 3, 5).

If for some reason we cannot properly organize the last mile for the customer (for example, the customer's office is in a business center where another provider is the primary one, or we simply have no point of presence nearby), customers previously had to either build several IPVPN networks from different providers (not the most cost-effective design) or solve on their own the problem of reaching their VRF over the Internet.

Many did this by installing an IPVPN Internet gateway: they put in an edge router (a hardware appliance or some Linux-based solution), connected an IPVPN channel to it on one port and an Internet channel on another, launched their own VPN server on it and connected users through their own VPN gateway. Naturally, such a scheme also creates burdens: it has to be built and, most inconveniently, operated and developed.

To make life easier for our customers, we installed a centralized VPN hub and organized support for connections over the Internet using IPSec. That is, now customers only need to configure their router to work with our VPN hub through an IPSec tunnel over any public network, and we release this customer's traffic into their VRF.

Who needs it

  • Those who already have a large IPVPN network and need additional connections in a short time.
  • Those who, for some reason, want to move part of their traffic from the public network into the IPVPN, but have previously run into technical limitations related to certain service providers.
  • Those who currently have several separate VPN networks across different telecom operators. There are customers who have successfully set up IPVPN from Beeline, Megafon, Rostelecom, etc. For simplicity, you can stay only on our VPN, switch the other operators' channels to the Internet, and then connect to Beeline IPVPN via IPSec and the Internet from those sites.
  • Those who need to overlay an existing IPVPN network onto the Internet.

If you place everything with us, customers get full VPN support, redundancy of critical systems, and standard settings that work on any router they use (be it Cisco or Mikrotik; the main thing is that it properly supports IPSec/IKEv2 with standard authentication methods). By the way, regarding IPSec: at the moment we support only it, but we plan to launch full operation of OpenVPN and Wireguard, so that customers are not tied to a single protocol and it is even easier to take and transfer everything to us. We also want to start connecting customers from computers and mobile applications (solutions built into the OS, Cisco AnyConnect and strongSwan and the like). With this approach, the de facto operation of the enterprise network can be safely handed over to the operator, leaving only the configuration of the CPE or host to the customer.

How the connection process works for the IPSec option:

  1. The customer submits a request to their manager indicating the required connection speed, the traffic profile and the IP addressing parameters for the tunnel (by default, a subnet with a /30 mask) and the routing type (static or BGP). To transfer routes to the customer's local networks at the connected office, either the IKEv2 phase mechanisms of the IPSec protocol are used, with the corresponding settings on the customer router, or the routes are announced via BGP into MPLS from the private BGP AS specified in the customer's request. Thus, the information about the routes of the customer's networks is entirely controlled by the customer through the settings of the customer router.
  2. In response from their manager, the customer receives the account data for inclusion in their VRF, in the form of:
    • VPN-HUB IP address
    • login
    • authentication password
  3. Configure the CPE; below, as an example, are two basic configuration options:

    Option for Cisco:
    crypto ikev2 keyring BeelineIPsec_keyring
     peer Beeline_VPNHub
      address 62.141.99.183 – Beeline VPN hub
      pre-shared-key <Authentication password>
    !
    For the static routing option, routes to the networks reachable via the VPN hub can be specified in the IKEv2 configuration, and they will appear as static routes in the CE routing table. These settings can also be made using the usual static route configuration (see below).

    crypto ikev2 authorization policy FlexClient-author

    Route to the networks behind the CE router – a mandatory setting for static routing between the CE and the PE. The route information is transferred to the PE when the tunnel is brought up, through the IKEv2 exchange.

     route set remote ipv4 10.1.1.0 255.255.255.0 – Office local network
    !
    crypto ikev2 profile BeelineIPSec_profile
     identity local fqdn <login>
     authentication local pre-share
     authentication remote pre-share
     keyring local BeelineIPsec_keyring
     aaa authorization group psk list group-author-list FlexClient-author
    !
    crypto ikev2 client flexvpn BeelineIPsec_flex
     peer 1 Beeline_VPNHub
     client connect Tunnel1
    !
    crypto ipsec transform-set TRANSFORM1 esp-aes 256 esp-sha256-hmac
     mode tunnel
    !
    crypto ipsec profile default
     set transform-set TRANSFORM1
     set ikev2-profile BeelineIPSec_profile
    !
    interface Tunnel1
     ip address 10.20.1.2 255.255.255.252 – Tunnel address
     tunnel source GigabitEthernet0/2 – Internet access interface
     tunnel mode ipsec ipv4
     tunnel destination dynamic
     tunnel protection ipsec profile default
    !
    Routes to the customer's private networks reachable through the Beeline VPN concentrator can be configured statically.

    ip route 172.16.0.0 255.255.0.0 Tunnel1
    ip route 192.168.0.0 255.255.255.0 Tunnel1

    Option for Huawei (AR160/AR120):
    ike local-name <login>
    #
    acl name ipsec 3999
     rule 1 permit ip source 10.1.1.0 0.0.0.255 – Office local network
    #
    aaa
     service-scheme IPSEC
      route set acl 3999
    #
    ipsec proposal ipsec
     esp authentication-algorithm sha2-256
     esp encryption-algorithm aes-256
    #
    ike proposal default
     encryption-algorithm aes-256
     dh group2
     authentication-algorithm sha2-256
     authentication-method pre-share
     integrity-algorithm hmac-sha2-256
     prf hmac-sha2-256
    #
    ike peer ipsec
     pre-shared-key simple <Authentication password>
     local-id-type fqdn
     remote-id-type ip
     remote-address 62.141.99.183 – Beeline VPN hub
     service-scheme IPSEC
     config-exchange request
     config-exchange set accept
     config-exchange set send
    #
    ipsec profile ipsecprof
     ike-peer ipsec
     proposal ipsec
    #
    interface Tunnel0/0/0
     ip address 10.20.1.2 255.255.255.252 – Tunnel address
     tunnel-protocol ipsec
     source GigabitEthernet0/0/1 – Internet access interface
     ipsec profile ipsecprof
    #
    Routes to the customer's private networks reachable through the Beeline VPN concentrator can be configured statically.

    ip route-static 192.168.0.0 255.255.255.0 Tunnel0/0/0
    ip route-static 172.16.0.0 255.255.0.0 Tunnel0/0/0
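Before bringing the tunnel up it is worth checking the CPE configuration against the parameters the hub expects. The script below is an added example, not code from the article or from any vendor tool: it parses a constructed copy of the Huawei fragment above and flags a placeholder pre-shared key, a peer address other than the hub, IKE/ESP algorithms that differ from the published proposal, and, as an assumed local policy, Diffie-Hellman groups of 1536 bits or less.

```python
import re

HUB_ADDRESS = "62.141.99.183"              # VPN hub address from the article
STRONG_ENC = {"aes-256"}                   # algorithms used in the published proposal
STRONG_HASH = {"sha2-256"}
WEAK_DH = {"group1", "group2", "group5"}   # assumption: MODP <= 1536 bits gets flagged

# Constructed copy of the article's Huawei fragment, trimmed to the audited blocks.
SAMPLE_CONFIG = """\
ike proposal default
 encryption-algorithm aes-256
 dh group2
 authentication-algorithm sha2-256
 authentication-method pre-share
#
ike peer ipsec
 pre-shared-key simple <Authentication password>
 remote-address 62.141.99.183
#
ipsec proposal ipsec
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
"""

def blocks(text):
    """Split a VRP-style config into (header, [indented lines]) sections."""
    sections, current = [], None
    for raw in text.splitlines():
        if raw.strip() in ("", "#"):          # '#' closes the current section
            current = None
        elif not raw.startswith(" "):         # unindented line starts a section
            current = (raw.strip(), [])
            sections.append(current)
        elif current is not None:
            current[1].append(raw.strip())
    return sections

def audit(text):
    """Return a list of findings; an empty list means the config passes the checks."""
    findings = []
    for header, lines in blocks(text):
        for line in lines:
            words = line.split()
            if header.startswith("ike proposal") and words[0] == "dh" and words[1] in WEAK_DH:
                findings.append(f"weak DH {words[1]} in '{header}'")
            if words[0] == "pre-shared-key" and "<" in line:
                findings.append("placeholder pre-shared key not replaced")
            if words[0] == "remote-address" and words[1] != HUB_ADDRESS:
                findings.append(f"peer {words[1]} is not the VPN hub")
            m = re.match(r"(?:esp )?(encryption|authentication)-algorithm (\S+)", line)
            if m and m.group(2) not in (STRONG_ENC if m.group(1) == "encryption" else STRONG_HASH):
                findings.append(f"non-policy {m.group(1)} algorithm {m.group(2)} in '{header}'")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

On the sample as published it reports the unreplaced password placeholder and dh group2; the Cisco variant uses a different CLI layout and would need its own parser.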

The connection diagram looks like this:

[Figure: connection diagram]

If the customer is unclear about some details of the basic configuration, we usually help them set it up and provide everything else they need.

All that remains is to connect the CPE to the Internet, ping the far side of the VPN tunnel and the hosts inside the VPN, and that's it: the connection can be considered established.

In the next article we will tell you how we combined this scheme with IPSec and MultiSIM Redundancy using Huawei CPE: we install our Huawei CPE for customers, which can use not only a wired Internet channel but also 2 SIM cards from different operators, and the CPE automatically rebuilds the IPSec tunnel over the wired WAN or over the radio (LTE#1/LTE#2), achieving high fault tolerance of the resulting service.

Many thanks to our RnD colleagues for preparing this article (and, of course, to the authors of these technical solutions)!

Source: www.habr.com
