VMware NSX no nā kamaliʻi. Mahele 6: Hoʻonohonoho VPN

Mahele ʻekahi. hoʻolauna
Mahele ʻelua. Ka hoʻonohonoho ʻana i ka pā ahi a me nā lula NAT
Mahele ʻekolu. Ke hoʻonohonoho nei i ka DHCP
Mahele ʻehā. Hoʻonohonoho alahele
Mahele ʻelima. Ka hoʻonohonoho ʻana i kahi mea hoʻohālikelike ukana

I kēia lā e nānā mākou i nā koho hoʻonohonoho VPN i hāʻawi ʻia e NSX Edge iā mākou.

Ma ka laulā, hiki iā mākou ke hoʻokaʻawale i nā ʻenehana VPN i ʻelua mau ʻano nui:

• Pūnaewele-i kahi pūnaewele VPN. ʻO ka hoʻohana maʻamau o IPSec ka hana ʻana i kahi tunnel paʻa, no ka laʻana, ma waena o kahi pūnaewele keʻena nui a me kahi pūnaewele ma kahi pūnaewele mamao a i ʻole ke ao.
• Loaʻa mamao VPN. Hoʻohana ʻia no ka hoʻopili ʻana i nā mea hoʻohana pilikino i nā ʻoihana pilikino me ka hoʻohana ʻana i ka polokalamu kelepona VPN.

ʻAe ʻo NSX Edge iā mākou e hoʻohana i nā koho ʻelua.
E hoʻonohonoho mākou i ka hoʻohana ʻana i kahi papa hoʻāʻo me ʻelua NSX Edge, kahi kikowaena Linux me kahi daemon i kau ʻia lāhui a me kahi kamepiula Windows e hoʻāʻo ai i ka Remote Access VPN.

IPsec

1. Ma ka vCloud Director interface, e hele i ka ʻāpana Administration a koho i ka vDC. Ma ka ʻaoʻao Edge Gateways, koho i ka Edge e pono ai mākou, kaomi ʻākau a koho i nā lawelawe ʻo Edge Gateway.
   
2. Ma ka NSX Edge interface, e hele i ka VPN-IPsec VPN tab, a laila i ka ʻāpana IPsec VPN Sites a kaomi + e hoʻohui i kahi pūnaewele hou.

   

3. E hoʻopiha i nā kahua i makemake ʻia:
   • Hoʻonāʻia - ho'ā i ka pūnaewele mamao.
   • PFS - hōʻoia ʻaʻole pili kēlā me kēia kī cryptographic hou me kekahi kī mua.
   • ID Kūloko a me ka Hopena Kūlokot ka helu waho o ka NSX Edge.
   • Uuna lalo kūlokos - nā pūnaewele kūloko e hoʻohana i ka IPsec VPN.
   • Peer ID a me Peer Endpoint - helu wahi o ka pūnaewele mamao.
   • Nā Pūnaewele Hoa - nā pūnaewele e hoʻohana i ka IPsec VPN ma ka ʻaoʻao mamao.
   • Algorithm hoʻopunipuni - algorithm encryption tunnel.

   
   

   • hōʻoiaʻikepili pilikino - pehea mākou e hōʻoia ai i ka hoa. Hiki iā ʻoe ke hoʻohana i kahi Pre-Shared Key a i ʻole kahi palapala hōʻoia.
   • Kīi Kaʻi Mua - e kuhikuhi i ke kī e hoʻohana ʻia no ka hōʻoia ʻana a pono e kūlike ma nā ʻaoʻao ʻelua.
   • ʻO ka hui ʻo Diffie Hellman - algorithm hoʻololi kī.

   Ma hope o ka hoʻopiha ʻana i nā kahua i koi ʻia, kaomi Keep.

   

4. Hanaʻia.

   

5. Ma hope o ka hoʻohui ʻana i ka pūnaewele, e hele i ka tab Activation Status a hoʻāla i ka lawelawe IPsec.

   

6. Ma hope o ka hoʻohana ʻana i nā hoʻonohonoho, e hele i ka Statistics -> IPsec VPN tab a nānā i ke kūlana o ka tunnel. ʻIke mākou ua piʻi ka tunnel.

   

7. E nānā i ke kūlana tunnel mai ka console gateway Edge:
   • hōʻike i ka lawelawe ipsec - e nānā i ke kūlana o ka lawelawe.

     

   • hōʻike i ka pūnaewele ipsec lawelawe - ʻike e pili ana i ke kūlana o ka pūnaewele a me nā ʻāpana i kūkākūkā ʻia.

     

   • hōʻike i ka lawelawe ipsec sa - e nānā i ke kūlana o ka Security Association (SA).

     

8. Ke nānā nei i ka pilina me kahi pūnaewele mamao:

   root@racoon:~# ifconfig eth0:1 | grep inet
           inet 10.255.255.1  netmask 255.255.255.0  broadcast 0.0.0.0
   
   root@racoon:~# ping -c1 -I 10.255.255.1 192.168.0.10 
   PING 192.168.0.10 (192.168.0.10) from 10.255.255.1 : 56(84) bytes of data.
   64 bytes from 192.168.0.10: icmp_seq=1 ttl=63 time=59.9 ms
   
   --- 192.168.0.10 ping statistics ---
   1 packets transmitted, 1 received, 0% packet loss, time 0ms
   rtt min/avg/max/mdev = 59.941/59.941/59.941/0.000 ms
   

   Nā faila hoʻonohonoho a me nā kauoha hou no ka diagnostics mai kahi kikowaena Linux mamao:

   root@racoon:~# cat /etc/racoon/racoon.conf 
   
   log debug;
   path pre_shared_key "/etc/racoon/psk.txt";
   path certificate "/etc/racoon/certs";
   
   listen {
     isakmp 80.211.43.73 [500];
      strict_address;
   }
   
   remote 185.148.83.16 {
           exchange_mode main,aggressive;
           proposal {
                    encryption_algorithm aes256;
                    hash_algorithm sha1;
                    authentication_method pre_shared_key;
                    dh_group modp1536;
            }
            generate_policy on;
   }
    
   sainfo address 10.255.255.0/24 any address 192.168.0.0/24 any {
            encryption_algorithm aes256;
            authentication_algorithm hmac_sha1;
            compression_algorithm deflate;
   }
   
   ===
   
   root@racoon:~# cat /etc/racoon/psk.txt
   185.148.83.16 testkey
   
   ===
   
   root@racoon:~# cat /etc/ipsec-tools.conf 
   #!/usr/sbin/setkey -f
   
   flush;
   spdflush;
   
   spdadd 192.168.0.0/24 10.255.255.0/24 any -P in ipsec
         esp/tunnel/185.148.83.16-80.211.43.73/require;
   
   spdadd 10.255.255.0/24 192.168.0.0/24 any -P out ipsec
         esp/tunnel/80.211.43.73-185.148.83.16/require;
   
   ===
   
   
   root@racoon:~# racoonctl show-sa isakmp
   Destination            Cookies                           Created
   185.148.83.16.500      2088977aceb1b512:a4c470cb8f9d57e9 2019-05-22 13:46:13 
   
   ===
   
   root@racoon:~# racoonctl show-sa esp
   80.211.43.73 185.148.83.16 
           esp mode=tunnel spi=1646662778(0x6226147a) reqid=0(0x00000000)
           E: aes-cbc  00064df4 454d14bc 9444b428 00e2296e c7bb1e03 06937597 1e522ce0 641e704d
           A: hmac-sha1  aa9e7cd7 51653621 67b3b2e9 64818de5 df848792
           seq=0x00000000 replay=4 flags=0x00000000 state=mature 
           created: May 22 13:46:13 2019   current: May 22 14:07:43 2019
           diff: 1290(s)   hard: 3600(s)   soft: 2880(s)
           last: May 22 13:46:13 2019      hard: 0(s)      soft: 0(s)
           current: 72240(bytes)   hard: 0(bytes)  soft: 0(bytes)
           allocated: 860  hard: 0 soft: 0
           sadb_seq=1 pid=7739 refcnt=0
   185.148.83.16 80.211.43.73 
           esp mode=tunnel spi=88535449(0x0546f199) reqid=0(0x00000000)
           E: aes-cbc  c812505a 9c30515e 9edc8c4a b3393125 ade4c320 9bde04f0 94e7ba9d 28e61044
           A: hmac-sha1  cd9d6f6e 06dbcd6d da4d14f8 6d1a6239 38589878
           seq=0x00000000 replay=4 flags=0x00000000 state=mature 
           created: May 22 13:46:13 2019   current: May 22 14:07:43 2019
           diff: 1290(s)   hard: 3600(s)   soft: 2880(s)
           last: May 22 13:46:13 2019      hard: 0(s)      soft: 0(s)
           current: 72240(bytes)   hard: 0(bytes)  soft: 0(bytes)
           allocated: 860  hard: 0 soft: 0
           sadb_seq=0 pid=7739 refcnt=0

9. Ua mākaukau nā mea a pau, ʻo IPsec VPN pūnaewele-i-pae a holo.

   Ma kēia laʻana, ua hoʻohana mākou i ka PSK no ka hōʻoia ʻana o nā hoa, akā hiki nō hoʻi ka hōʻoia hōʻoia. No ka hana ʻana i kēia, e hele i ka ʻaoʻao Global Configuration, hiki i ka palapala hōʻoia a koho i ka palapala hōʻoia ponoʻī.

   Eia kekahi, i nā hoʻonohonoho pūnaewele, pono ʻoe e hoʻololi i ke ʻano hōʻoia.

   
   
   
   
   ʻIke au i ka nui o nā tunnels IPsec e pili ana i ka nui o ka Edge Gateway i hoʻonohonoho ʻia (heluhelu e pili ana i kēia ma kā mākou ʻatikala mua).

   

ssl vpn

ʻO SSL VPN-Plus kekahi o nā koho VPN Access Remote. Hāʻawi ia i nā mea hoʻohana mamao e hoʻopili paʻa i nā pūnaewele pilikino ma hope o ka NSX Edge Gateway. Hoʻokumu ʻia kahi tunnel i hoʻopili ʻia i ka hihia o SSL VPN-plus ma waena o ka mea kūʻai aku (Windows, Linux, Mac) a me NSX Edge.

1. E hoʻomaka kākou e hoʻonohonoho. Ma ka ʻaoʻao hoʻokele lawelawe ʻo Edge Gateway, e hele i ka ʻaoʻao SSL VPN-Plus, a laila i ka Pūnaewele Pūnaewele. Koho mākou i ka helu wahi a me ke awa kahi e hoʻolohe ai ke kikowaena no nā pili e hiki mai ana, hiki iā ʻoe ke hoʻopaʻa inoa a koho i nā algorithm encryption pono.

   
   
   Maanei hiki iā ʻoe ke hoʻololi i ka palapala hōʻoia e hoʻohana ai ke kikowaena.

   

2. Ma hope o ka mākaukau ʻana o nā mea a pau, e hoʻohuli i ke kikowaena a mai poina e mālama i nā hoʻonohonoho.

   

3. A laila, pono mākou e hoʻonohonoho i kahi wai o nā ʻōlelo a mākou e hoʻopuka ai i nā mea kūʻai aku ma ka pili. Hoʻokaʻawale ʻia kēia pūnaewele mai nā subnet i loaʻa i kāu kaiapuni NSX a ʻaʻole pono e hoʻonohonoho ʻia ma nā polokalamu ʻē aʻe ma nā pūnaewele kino, koe wale nō nā ala e kuhikuhi ai iā ia.

   E hele i ka IP Pools tab a kaomi +.

   

4. E koho i nā helu wahi, subnet mask a me ka puka. Maanei hiki iā ʻoe ke hoʻololi i nā hoʻonohonoho no nā kikowaena DNS a me WINS.

   

5. ʻO ka punawai hopena.

   

6. I kēia manawa, e hoʻohui i nā pūnaewele e hiki ai i nā mea hoʻohana e pili ana i ka VPN ke komo. E hele i ka ʻaoʻao Private Networks a kaomi +.

   

7. Hoʻopiha mākou i:
   • Pūnaehana - he pūnaewele kūloko i loaʻa i nā mea hoʻohana mamao.
   • E hoʻouna i nā kaʻa, ʻelua mau koho:
     - ma luna o ka tunnel - e hoʻouna i nā kaʻa i ka pūnaewele ma o ka tunnel,
     — kaalo ala—hoʻouna i ke kaʻa i ka pūnaewele me ke kāʻalo pololei ʻana i ka tunnel.
   • E ho'ā i ka TCP Optimization - e nānā inā ua koho ʻoe i ke koho o luna. Ke hoʻohana ʻia ka loiloi, hiki iā ʻoe ke kuhikuhi i nā helu awa āu e makemake ai e hoʻomaikaʻi i ke kaʻa. ʻAʻole e hoʻopaneʻe ʻia ke kaʻa no nā awa i koe ma ia pūnaewele. Inā ʻaʻole helu ʻia nā helu awa, hoʻomaikaʻi ʻia ke kaʻa no nā awa a pau. E heluhelu hou e pili ana i kēia hiʻona maanei.

   

8. A laila, e hele i ka Authentication tab a kaomi +. No ka hōʻoia ʻana, e hoʻohana mākou i kahi kikowaena kūloko ma ka NSX Edge ponoʻī.

   

9. Maanei hiki iā mākou ke koho i nā kulekele no ka hana ʻana i nā huaʻōlelo hou a hoʻonohonoho i nā koho no ka pale ʻana i nā moʻokāki mea hoʻohana (no ka laʻana, ka helu o ka hoʻāʻo hou inā hoʻokomo hewa ʻia ka ʻōlelo huna).

   
   
   

10. No ka mea ke hoʻohana nei mākou i ka hōʻoia kūloko, pono mākou e hana i nā mea hoʻohana.

    

11. Ma kahi o nā mea maʻamau e like me ka inoa a me ka ʻōlelo huna, hiki iā ʻoe, no ka laʻana, pāpā i ka mea hoʻohana mai ka hoʻololi ʻana i ka ʻōlelo huna a i ʻole, e koi iā ia e hoʻololi i ka ʻōlelo huna i ka manawa aʻe e komo ai ʻo ia.

    

12. Ma hope o ka hoʻohui ʻia ʻana o nā mea hoʻohana pono a pau, e hele i ka ʻaoʻao Installation Packages, kaomi + a hana i ka mea hoʻonohonoho ponoʻī, e hoʻoiho ʻia e kahi limahana mamao no ka hoʻonohonoho ʻana.

    

13. E kaomi +. E koho i ka helu wahi a me ke awa o ke kikowaena kahi e hoʻopili ai ka mea kūʻai aku, a me nā paepae āu e makemake ai e hana i ka pūʻolo hoʻonohonoho.

    
    
    Ma lalo o kēia pukaaniani, hiki iā ʻoe ke kuhikuhi i nā hoʻonohonoho mea kūʻai aku no Windows. E koho:

    • e hoʻomaka i ka mea kūʻai aku ma ka logon - e hoʻohui ʻia ka mea kūʻai VPN i ka hoʻomaka ʻana ma ka mīkini mamao;
    • hana ikona papapihi - e hana i kahi ikona VPN ma ka papapihi;
    • hōʻoia hōʻoia palekana server - e hōʻoia i ka palapala kikowaena ma ka pili.
      Ua pau ka hoʻonohonoho kikowaena.

    

14. I kēia manawa e hoʻoiho i ka pūʻolo hoʻonohonoho a mākou i hana ai i ka hana hope i kahi PC mamao. I ka hoʻonohonoho ʻana i ke kikowaena, ua kuhikuhi mākou i kāna helu waho (185.148.83.16) a me ke awa (445). Aia ma kēia helu wahi e pono ai mākou e hele i kahi polokalamu kele pūnaewele. I koʻu hihia ʻo ia 185.148.83.16: 445.

    I ka puka aniani ʻae, pono ʻoe e hoʻokomo i nā hōʻoia mea hoʻohana a mākou i hana ai ma mua.

    

15. Ma hope o ka ʻae ʻia, ʻike mākou i kahi papa inoa o nā pūʻolo hoʻonohonoho i hana ʻia no ka hoʻoiho. Ua hana mākou i hoʻokahi wale nō - e hoʻoiho mākou.

    

16. Kaomi mākou ma ka loulou, hoʻomaka ka download o ka mea kūʻai aku.

    

17. Wehe i ka waihona i hoʻoiho ʻia a holo i ka mea hoʻonoho.

    

18. Ma hope o ka hoʻouka ʻana, e hoʻolauna i ka mea kūʻai aku, ma ka puka makani ʻae, kaomi Login.

    

19. Ma ka puka makani hōʻoia palapala, koho ʻAe.

    

20. Hoʻokomo mākou i nā hōʻoia no ka mea hoʻohana i hana mua ʻia a ʻike ua hoʻopau maikaʻi ʻia ka pilina.

    
    
    

21. Nānā mākou i nā helu helu o ka mea kūʻai VPN ma ke kamepiula kūloko.

    
    
    

22. Ma ka laina kauoha Windows (ipconfig / all), ʻike mākou ua puka mai kahi adapter virtual hou a aia kahi pilina i ka pūnaewele mamao, hana nā mea āpau:

    
    
    

23. A ʻo ka hope, e nānā mai ka console Edge Gateway.

    

L2 VPN

Pono ʻo L2VPN i ka wā e pono ai ʻoe e hoʻohui i kekahi mau ʻāina
puʻunaue ʻia i nā pūnaewele hoʻolaha hoʻokahi.

Hiki ke hoʻohana i kēia, no ka laʻana, i ka neʻe ʻana i kahi mīkini virtual: i ka neʻe ʻana o kahi VM i kahi ʻāpana ʻāina ʻē aʻe, e mālama ka mīkini i kāna mau hoʻonohonoho IP address a ʻaʻole e nalowale ka pilina me nā mīkini ʻē aʻe i loko o ka L2 domain like me ia.

I loko o kā mākou wahi hoʻāʻo, e hoʻohui mākou i ʻelua mau pūnaewele i kekahi i kekahi, e kapa mākou iā lākou ʻo A a me B, ʻo ia hoʻi. Aia ka Mīkini A i ka helu wahi 10.10.10.250/24, ʻo ka Mīkini B ka helu helu 10.10.10.2/24.

1. Ma vCloud Director, e hele i ka Administration tab, e hele i ka VDC e pono ai mākou, e hele i ka Org VDC Networks tab a hoʻohui i ʻelua mau pūnaewele hou.

   

2. E koho i ke ʻano pūnaewele alahele a hoʻopaʻa i kēia pūnaewele i kā mākou NSX. Hoʻokomo mākou i ka pahu koho Create as subinterface.

   

3. ʻO ka hopena, pono mākou e loaʻa i ʻelua pūnaewele. I kā mākou laʻana, kapa ʻia lākou ʻo network-a a me network-b me nā hoʻonohonoho ʻīpuka like a me ka mask like.

   
   
   

4. I kēia manawa, e hele kāua i nā hoʻonohonoho o ka NSX mua. ʻO kēia ka NSX i hoʻopili ʻia ʻo Network A. E hana ia ma ke ʻano he kikowaena.

   Hoʻi mākou i ka NSx Edge interface / E hele i ka VPN tab -> L2VPN. Hoʻololi mākou i ka L2VPN, koho i ke ʻano hana Server, ma nā kikowaena Global Server e kuhikuhi mākou i ka helu NSX IP waho kahi e hoʻolohe ai ke awa no ka tunnel. Ma ka maʻamau, e wehe ʻia ke kumu ma ke awa 443, akā hiki ke hoʻololi ʻia kēia. Mai poina e koho i nā hoʻonohonoho hoʻopunipuni no ka tunnel e hiki mai ana.

   

5. E hele i ka ʻaoʻao Pūnaewele Pūnaewele a hoʻohui i kahi hoa.

   

6. Huli mākou i ka hoa, hoʻonohonoho i ka inoa, wehewehe, inā pono, hoʻonohonoho i ka inoa inoa a me ka ʻōlelo huna. Pono mākou i kēia ʻikepili ma hope ke hoʻonohonoho ʻana i ka pūnaewele mea kūʻai aku.

   Ma ka Egress Optimization Gateway Address, hoʻonoho mākou i ka helu puka. Pono kēia i ʻole he paio o nā helu IP, no ka mea, ʻo ka ʻīpuka o kā mākou pūnaewele he helu like. A laila kaomi i ke pihi SELECT SUB-INTERFACES.

   

7. Maanei mākou e koho i ka subinterface i makemake ʻia. Mālama mākou i nā hoʻonohonoho.

   

8. ʻIke mākou ua ʻike ʻia ka pūnaewele mea kūʻai aku i hana ʻia i nā hoʻonohonoho.

   

9. I kēia manawa e neʻe kākou i ka hoʻonohonoho ʻana iā NSX mai ka ʻaoʻao o ka mea kūʻai aku.

   Hele mākou i ka ʻaoʻao NSX B, hele i VPN -> L2VPN, hiki iā L2VPN, hoʻonohonoho i ke ʻano L2VPN i ke ʻano mea kūʻai aku. Ma ka Client Global tab, e hoʻonoho i ka helu a me ke awa o NSX A, a mākou i kuhikuhi mua ai ʻo Listening IP a me Port ma ka ʻaoʻao kikowaena. Pono nō hoʻi e hoʻonohonoho i nā hoʻonohonoho hoʻopili hoʻokahi i kūlike lākou i ka wā e piʻi ai ka tunnel.

   
   
   Holo mākou ma lalo, koho i ka subinterface e kūkulu ʻia ai ka tunnel no L2VPN.
   Ma ka Egress Optimization Gateway Address, hoʻonoho mākou i ka helu puka. E hoʻonoho i ka mea hoʻohana a me ka ʻōlelo huna. Koho mākou i ka subinterface a mai poina e mālama i nā hoʻonohonoho.

   

10. ʻOiaʻiʻo, ʻo ia wale nō. ʻO nā hoʻonohonoho o ka ʻaoʻao o ka mea kūʻai aku a me ka ʻaoʻao kikowaena ʻaneʻane like, koe wale kekahi mau nuances.
11. I kēia manawa hiki iā mākou ke ʻike ua hana kā mākou tunnel ma ka hele ʻana i Statistics -> L2VPN ma kekahi NSX.

    

12. Inā mākou e hele nei i ka console o kekahi Edge Gateway, e ʻike mākou ma kēlā me kēia o lākou i ka papa arp i nā helu o nā VM ʻelua.

    

ʻO kēlā wale nō e pili ana iā VPN ma NSX Edge. E nīnau inā maopopo ʻole kekahi mea. ʻO ia ka ʻāpana hope loa o nā ʻatikala e pili ana i ka hana ʻana me NSX Edge. Manaʻo mākou ua kōkua lākou 🙂

Source: www.habr.com