Setting up an IPSec Site-to-Site VPN on Palo Alto Networks devices

This article continues the previous material on the specifics of configuring Palo Alto Networks equipment. Here we want to discuss configuring an IPSec Site-to-Site VPN on Palo Alto Networks firewalls, together with one possible way of connecting the head office to several Internet providers.

A standard head-office-to-branch topology is used for the demonstration. To make its Internet connectivity fault tolerant, the head office is connected to two providers at once, ISP-1 and ISP-2. The branch has a link to only one provider, ISP-3. Two tunnels are built between the firewalls PA-1 and PA-2. The tunnels run in Active-Standby mode: Tunnel-1 is active, and Tunnel-2 starts carrying traffic when Tunnel-1 fails. Tunnel-1 uses the link to ISP-1, Tunnel-2 the link to ISP-2. All IP addresses are made up for the demonstration and have no relation to real networks.

IPsec, a suite of protocols that protects data carried over IP, is used to build the Site-to-Site VPN. IPsec will run with the ESP (Encapsulating Security Payload) security protocol, which provides encryption and integrity protection of the transmitted data.

IPsec includes IKE (Internet Key Exchange), the protocol responsible for negotiating SAs (security associations), the sets of security parameters used to protect the transmitted data. PAN firewalls support both IKEv1 and IKEv2.

With IKEv1 the VPN connection is built in two stages: IKEv1 Phase 1 (the IKE tunnel) and IKEv1 Phase 2 (the IPSec tunnel). Two tunnels are therefore created: one is used to exchange control information between the firewalls, the other carries the user traffic. IKEv1 Phase 1 has two modes of operation, main mode and aggressive mode. Aggressive mode uses fewer messages and is faster, but it does not support Peer Identity Protection.

IKEv2 replaced IKEv1. Compared with IKEv1 its main advantages are lower bandwidth requirements and faster SA negotiation. IKEv2 uses fewer messages (4 in total), supports the EAP and MOBIKE protocols, and adds a mechanism for checking that the peer the tunnel is built with is still reachable, the Liveness Check, which replaces Dead Peer Detection from IKEv1. If the check fails, IKEv2 can tear down the tunnel and then automatically re-establish it at the first opportunity.

If the tunnel is built between firewalls from different vendors, the IKEv2 implementations may have bugs, and IKEv1 can be used for compatibility with such equipment. In all other cases it is better to use IKEv2.

Configuration steps:

• Configuring two Internet providers in Active/Standby mode

There are several ways to implement this. One of them is the Path Monitoring mechanism, available since PAN-OS 8.0.0. This example uses version 8.0.16. The feature is similar to IP SLA on Cisco routers. The static default route is configured to send ping packets to a specific IP address from a specific source address. In this case the ethernet1/1 interface pings the default gateway once per second. If three consecutive pings go unanswered, the route is considered broken and is removed from the routing table. The same route is configured toward the second Internet provider, but with a higher metric (it is the backup). Once the first route is removed from the table, the firewall starts sending traffic via the second route: Fail-Over. When the first provider starts answering pings again, its route returns to the table and displaces the second one because of its better metric: Fail-Back. Fail-Over takes several seconds depending on the configured timers; in any case it is not instantaneous, and traffic is lost during that time. Fail-Back happens without traffic loss. Fail-Over can be made faster with BFD, if the Internet provider offers it. BFD is supported starting with the PA-3000 Series and VM-100 models. As the ping target it is better to specify not the provider's gateway but a public Internet address that is always reachable.
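The two default routes with Path Monitoring, as an added example that is not part of the original article: PAN-OS 8.x CLI `set` commands equivalent to the GUI steps above. The interface names, addresses (ISP-1 on ethernet1/1 as 203.0.113.2/24 with gateway 203.0.113.1, ISP-2 on ethernet1/2 as 198.51.100.2/24 with gateway 198.51.100.1), route names and probe targets are assumptions; the keyword tree follows the PAN-OS 8.0 configuration schema as I know it and should be checked with `?` completion on your own version. Lines starting with `#` are annotations, not CLI input.

```text
# Added example, not from the original article: PA-1 default routes with Path Monitoring.
# All names and addresses are assumptions.
configure

# ISP-1: primary default route, metric 10
set network virtual-router default routing-table ip static-route DEFAULT-ISP1 destination 0.0.0.0/0 interface ethernet1/1 nexthop ip-address 203.0.113.1 metric 10
# Probe from the interface address once per second; three lost replies in a row remove the route.
# failure-condition "any" fails the route if any monitored destination is down (only one here).
# hold-time 2: after the probe recovers, wait 2 minutes before reinstalling the route (damps flapping).
set network virtual-router default routing-table ip static-route DEFAULT-ISP1 path-monitor enable yes failure-condition any hold-time 2
set network virtual-router default routing-table ip static-route DEFAULT-ISP1 path-monitor monitor-destinations ISP1-PROBE enable yes source 203.0.113.2/24 destination 1.1.1.1 interval 1 count 3

# ISP-2: backup default route, metric 20, same monitoring via ethernet1/2.
# Use a different public target so each route is judged by its own provider's reachability.
set network virtual-router default routing-table ip static-route DEFAULT-ISP2 destination 0.0.0.0/0 interface ethernet1/2 nexthop ip-address 198.51.100.1 metric 20
set network virtual-router default routing-table ip static-route DEFAULT-ISP2 path-monitor enable yes failure-condition any hold-time 2
set network virtual-router default routing-table ip static-route DEFAULT-ISP2 path-monitor monitor-destinations ISP2-PROBE enable yes source 198.51.100.2/24 destination 9.9.9.9 interval 1 count 3

commit
exit

# Operational check: only DEFAULT-ISP1 should be active while ISP-1 answers the probe
show routing route type static
```

The probe target must answer ICMP echo and must be reachable through that particular provider; as the article notes, monitoring the provider's own gateway only proves the first hop is up, not that the provider has Internet connectivity. With `interval 1 count 3` a dead link is detected in about 3 seconds, which is the traffic-loss window for Fail-Over described above.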

• Creating the tunnel interfaces

Traffic inside a tunnel is carried through dedicated virtual interfaces. Each of them must be configured with an IP address from a transport network. In this example subnet 172.16.1.0/30 is used for Tunnel-1 and subnet 172.16.2.0/30 for Tunnel-2.
The tunnel interface is created under Network -> Interfaces -> Tunnel. You must specify the virtual router and the security zone, as well as the IP address from the corresponding transport network. The interface number can be anything.

On the Advanced tab you can attach a Management Profile that allows ping on this interface; this is useful for testing, and the peer's tunnel interface needs the same if Tunnel Monitor is going to ping it.

• Configuring the IKE Crypto Profile

The IKE Crypto Profile is responsible for the first stage of establishing the VPN connection; the SA parameters for IKE Phase 1 are defined here. The profile is created under Network -> Network Profiles -> IKE Crypto. You must specify the encryption algorithm, the hashing algorithm, the Diffie-Hellman group and the key lifetime. As a rule, the stronger the algorithms, the lower the throughput, so they should be chosen according to the specific security requirements. However, Diffie-Hellman groups below 14 are not recommended for protecting sensitive data. This is due to a known weakness of finite-field Diffie-Hellman at small modulus sizes, which can be mitigated only by using moduli of 2048 bits or more (group 14 and above, including group 24) or by the elliptic-curve groups 19, 20 and 21. The elliptic-curve groups also perform better than classic modular groups of comparable strength.

• Configuring the IPSec Crypto Profile

The second stage of establishing the VPN connection is the IPSec tunnel. Its SA parameters are configured under Network -> Network Profiles -> IPSec Crypto Profile. Here you specify the IPSec protocol, AH or ESP, and the SA parameters: the hashing and encryption algorithms, the Diffie-Hellman group and the key lifetime. Selecting a Diffie-Hellman group in this profile enables Perfect Forward Secrecy for Phase 2; the no-pfs option disables it. The SA parameters in the IKE Crypto Profile and the IPSec Crypto Profile do not have to match.

• Configuring the IKE Gateway

An IKE Gateway is an object representing the router or firewall with which the VPN tunnel is built. A separate IKE Gateway must be created for each tunnel. In this case two tunnels are created, one through each Internet provider. The outgoing interface and its IP address, the peer's IP address and the pre-shared key are specified. Certificates can be used as an alternative to a pre-shared key.

The IKE Crypto Profile created earlier is referenced here. The parameters of the second IKE Gateway object are the same except for the IP addresses. If the Palo Alto Networks firewall sits behind a NAT router, NAT Traversal must be enabled.

• Configuring the IPSec Tunnel

An IPSec Tunnel is an object that describes the IPSec tunnel itself, as the name suggests. Here you specify the tunnel interface and the previously created IKE Gateway and IPSec Crypto Profile objects. To get automatic switching of routing to the backup tunnel, Tunnel Monitor must be enabled. This mechanism checks whether the peer is alive using ICMP traffic. As the destination address, specify the IP address of the tunnel interface of the peer with which the tunnel is built. The monitor profile defines the timers and the action to take when connectivity is lost: Wait Recover keeps waiting for the connection to come back, Fail Over sends traffic via another route, if one exists. The second tunnel is configured the same way, referencing the second tunnel interface and the second IKE Gateway.

• Configuring routing

This example uses static routing. On the PA-1 firewall, in addition to the two default routes, two routes to the branch subnet 10.10.10.0/24 must be added. One route uses Tunnel-1, the other Tunnel-2. The route through Tunnel-1 is the primary one because it has the lower metric. Path Monitoring is not used for these routes; switching between them is handled by Tunnel Monitor.

The same pair of routes, toward the head-office subnet 192.168.30.0/24, must be configured on PA-2.

• Configuring security policy

For the tunnel to work, three rules are required:

  1. For Path Monitoring, allow ICMP on the external interfaces.
  2. For IPsec, allow the ike and ipsec applications on the external interfaces.
  3. Allow traffic between the two sites' subnets and the tunnel interfaces.
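The whole procedure from the tunnel interfaces to the security policy, for the PA-1 side, as an added example that is not part of the original article (PA-2 mirrors it with its own addresses). It uses PAN-OS 8.x CLI `set` commands; object names, zone names (Untrust for ethernet1/1 and ethernet1/2, Trust for the LAN, VPN for the tunnel interfaces), addresses (peer PA-2 at 192.0.2.2 via ISP-3, head-office LAN 192.168.30.0/24, branch LAN 10.10.10.0/24) and the pre-shared key are assumptions, the two default routes toward ISP-1 and ISP-2 are assumed to exist already, and the keyword tree follows the PAN-OS 8.0 schema as I know it, so verify it with `?` completion. Lines starting with `#` are annotations, not CLI input.

```text
# Added example, not from the original article: PA-1 side of both Active/Standby tunnels.
# All names, zones, addresses and the PSK are assumptions.
configure

# 1. Tunnel interfaces on the transport subnets; PA-2 will use 172.16.1.2 and 172.16.2.2.
#    The management profile allows ping so the peer's Tunnel Monitor can probe us.
set network profiles interface-management-profile ALLOW-PING ping yes
set network interface tunnel units tunnel.1 ip 172.16.1.1/30
set network interface tunnel units tunnel.1 interface-management-profile ALLOW-PING
set network interface tunnel units tunnel.2 ip 172.16.2.1/30
set network interface tunnel units tunnel.2 interface-management-profile ALLOW-PING
set network virtual-router default interface [ tunnel.1 tunnel.2 ]
set zone VPN network layer3 [ tunnel.1 tunnel.2 ]

# 2. IKE Crypto Profile (Phase 1): AES-256, SHA-256, DH group 14, 8 h lifetime.
#    group1/group2/group5 fall below the 2048-bit floor discussed above; do not select them.
set network ike crypto-profiles ike-crypto-profiles IKE-AES256-SHA256-G14 encryption aes-256-cbc
set network ike crypto-profiles ike-crypto-profiles IKE-AES256-SHA256-G14 hash sha256
set network ike crypto-profiles ike-crypto-profiles IKE-AES256-SHA256-G14 dh-group group14
set network ike crypto-profiles ike-crypto-profiles IKE-AES256-SHA256-G14 lifetime hours 8

# 3. IPSec Crypto Profile (Phase 2): ESP, AES-256, SHA-256, PFS with group 14, 1 h lifetime
set network ike crypto-profiles ipsec-crypto-profiles IPSEC-AES256-SHA256-G14 esp encryption aes-256-cbc
set network ike crypto-profiles ipsec-crypto-profiles IPSEC-AES256-SHA256-G14 esp authentication sha256
set network ike crypto-profiles ipsec-crypto-profiles IPSEC-AES256-SHA256-G14 dh-group group14
set network ike crypto-profiles ipsec-crypto-profiles IPSEC-AES256-SHA256-G14 lifetime hours 1

# 4. IKE Gateways: one per ISP link, identical except for the local interface/address.
set network ike gateway IKE-GW-ISP1 protocol version ikev2
set network ike gateway IKE-GW-ISP1 protocol ikev2 ike-crypto-profile IKE-AES256-SHA256-G14
set network ike gateway IKE-GW-ISP1 protocol ikev2 dpd enable yes interval 10
set network ike gateway IKE-GW-ISP1 authentication pre-shared-key key "REPLACE-WITH-A-LONG-RANDOM-PSK"
set network ike gateway IKE-GW-ISP1 local-address interface ethernet1/1 ip 203.0.113.2/24
set network ike gateway IKE-GW-ISP1 peer-address ip 192.0.2.2
# Only if a NAT router sits in front of one of the peers:
# set network ike gateway IKE-GW-ISP1 protocol-common nat-traversal enable yes
set network ike gateway IKE-GW-ISP2 protocol version ikev2
set network ike gateway IKE-GW-ISP2 protocol ikev2 ike-crypto-profile IKE-AES256-SHA256-G14
set network ike gateway IKE-GW-ISP2 protocol ikev2 dpd enable yes interval 10
set network ike gateway IKE-GW-ISP2 authentication pre-shared-key key "REPLACE-WITH-A-LONG-RANDOM-PSK"
set network ike gateway IKE-GW-ISP2 local-address interface ethernet1/2 ip 198.51.100.2/24
set network ike gateway IKE-GW-ISP2 peer-address ip 192.0.2.2

# 5. Tunnel Monitor profile and the IPSec Tunnel objects. "fail-over" withdraws the tunnel's
#    route after 5 lost probes at 3 s intervals; "wait-recover" would keep the route and wait.
set network profiles monitor-profile TUN-FAILOVER action fail-over interval 3 threshold 5
set network tunnel ipsec TUNNEL-1 tunnel-interface tunnel.1
set network tunnel ipsec TUNNEL-1 auto-key ike-gateway IKE-GW-ISP1
set network tunnel ipsec TUNNEL-1 auto-key ipsec-crypto-profile IPSEC-AES256-SHA256-G14
set network tunnel ipsec TUNNEL-1 tunnel-monitor enable yes destination-ip 172.16.1.2 tunnel-monitor-profile TUN-FAILOVER
set network tunnel ipsec TUNNEL-2 tunnel-interface tunnel.2
set network tunnel ipsec TUNNEL-2 auto-key ike-gateway IKE-GW-ISP2
set network tunnel ipsec TUNNEL-2 auto-key ipsec-crypto-profile IPSEC-AES256-SHA256-G14
set network tunnel ipsec TUNNEL-2 tunnel-monitor enable yes destination-ip 172.16.2.2 tunnel-monitor-profile TUN-FAILOVER

# 6. Routes to the branch LAN: Tunnel-1 preferred by metric, Tunnel Monitor does the switching
set network virtual-router default routing-table ip static-route BRANCH-T1 destination 10.10.10.0/24 interface tunnel.1 metric 10
set network virtual-router default routing-table ip static-route BRANCH-T2 destination 10.10.10.0/24 interface tunnel.2 metric 20

# 7. Security policy: the three rules from the list above
set rulebase security rules ALLOW-PATH-MONITOR from Untrust to Untrust source any destination any application ping service application-default action allow
set rulebase security rules ALLOW-IKE-IPSEC from Untrust to Untrust source 192.0.2.2 destination any application [ ike ipsec-esp ipsec-esp-udp ] service application-default action allow
set rulebase security rules ALLOW-SITE-TO-SITE from [ Trust VPN ] to [ Trust VPN ] source [ 192.168.30.0/24 10.10.10.0/24 ] destination [ 192.168.30.0/24 10.10.10.0/24 ] application any service any action allow

commit
exit

# Operational checks: both Phase 1 and Phase 2 SAs up, and the BRANCH-T1 route active
show vpn ike-sa
show vpn ipsec-sa
show routing route type static
```

Two caveats a practitioner would want: the IKE/IPsec rule is scoped to the peer address rather than `any`, so strangers on the Internet cannot start IKE negotiations with the firewall, and `ipsec-esp-udp` is included because ESP is carried in UDP 4500 when NAT Traversal kicks in. Rule 3 intentionally lists the tunnel transport subnets as well as the LANs through the VPN zone so that Tunnel Monitor's own ICMP probes between 172.16.x.1 and 172.16.x.2 are not dropped by a stricter intrazone policy.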

Conclusion

This article covered one option for configuring a fault-tolerant Internet connection and a Site-to-Site VPN. We hope the information was useful and gave readers an idea of the technologies used in Palo Alto Networks firewalls. If you have questions about the configuration or suggestions for topics for future articles, write them in the comments; we will be glad to answer.

Source: www.hab.com