Hello!

First, it is worth starting from the fact that, as a telecom operator, we have our own huge MPLS network. For fixed-line customers it is divided into two main segments: one is used for direct access to the Internet, the other for building isolated networks. It is through this second MPLS segment that the IPVPN (OSI L3) and VPLAN (OSI L2) traffic of our corporate clients flows.
Normally a client is connected like this:

An access line is laid from the nearest point of presence on our network (an MEN, RRL, BSSS or FTTB node, and so on) to the client's office, and the circuit is then carried over the transport network to the corresponding PE-MPLS router. There it is terminated in a VRF created specifically for that client, with the traffic profile the client needs (the profile label is selected per access port, based on ip precedence values such as 0, 1, 3 and 5).
äœããã®çç±ã§ãã¯ã©ã€ã¢ã³ãã®ã©ã¹ãã¯ã³ãã€ã«ãå®å šã«æŽçã§ããªãå Žåãããšãã°ãã¯ã©ã€ã¢ã³ãã®ãªãã£ã¹ãããžãã¹ã»ã³ã¿ãŒã«ãããããã§ã¯å¥ã®ãããã€ããŒãåªå ãããŠããå ŽåããŸãã¯åã«åœç€Ÿã®æ ç¹ãè¿ãã«ãªãå Žåã以åã¯ã¯ã©ã€ã¢ã³ãããŸããŸãªãããã€ããŒïŒæãã³ã¹ãå¹çã®é«ãã¢ãŒããã¯ãã£ã§ã¯ãªãïŒã§è€æ°ã® IPVPN ãããã¯ãŒã¯ãäœæããããã€ã³ã¿ãŒãããçµç±ã§ VRF ãžã®ã¢ã¯ã»ã¹ãçµç¹ããéã®åé¡ãåå¥ã«è§£æ±ºããå¿ èŠããããŸããã
Many did the latter by installing an IPVPN Internet gateway: a border router (a hardware box or a Linux-based solution) with the IPVPN circuit on one port and an Internet circuit on the other, running a VPN server that users connect to through their own VPN gateway. Naturally, such a scheme is a burden: the infrastructure has to be built and, most inconveniently, operated and developed.
To make life easier for customers, we deployed a centralized VPN hub and organized support for connecting over the Internet with IPSec. The client only has to configure their router to talk to the VPN hub over an IPSec tunnel across the public Internet, and we deliver that client's traffic into their VRF.
誰ãå¿ èŠãšããã
- Those who already have a large IPVPN network and need to add new sites quickly.
- Those who, for whatever reason, want to move part of their traffic from the public Internet into the IPVPN but have run into technical limitations tied to several different service providers.
- Those who currently use several different VPN networks from several carriers. There are clients who have built IPVPNs with Beeline, Megafon, Rostelecom and others. To simplify, such a client can keep a single VPN, switch all the other carriers' circuits to plain Internet access, and connect from those carriers to the Beeline IPVPN over IPSec across the Internet.
- Those who already run an IPVPN as an overlay on top of the Internet.
By deploying all of this with us, the client gets full VPN support, full infrastructure redundancy and standard settings that work on whatever router they are used to (Cisco or Mikrotik alike); what matters is that the device properly supports IPSec/IKEv2 with standardized authentication methods. For now only IPSec is supported, but we plan to put both OpenVPN and WireGuard into full production, which will make the client independent of any one protocol and make it even easier to pick everything up and move it over. We also want to start connecting clients directly from computers and mobile devices (the solutions built into the OS, Cisco AnyConnect, strongSwan and the like). With this approach the actual building of the infrastructure is handed entirely to the operator, leaving the client only the configuration of the CPE or host.
How does connecting in IPSec mode work?
- The client leaves a request with their account manager stating the required connection speed, traffic profile, tunnel addressing parameters (by default a subnet with a /30 mask) and the type of routing (static or BGP). Routes to the client's local networks in the connected office are delivered either through the IKEv2 configuration exchange, with the appropriate settings on the client router, or over BGP from the private BGP AS specified in the client's application into the MPLS BGP. Either way, the information about the client's network routes is fully controlled by the client through the configuration of their own router.
- In response the client receives from the manager the credentials for admission into the VRF, in the form of:
  - the IP address of the VPN hub
  - a login
  - an authentication password
- The client configures the CPE. Two basic configuration options are given below as examples.
Cisco option:

    crypto ikev2 keyring BeelineIPsec_keyring
     peer Beeline_VPNHub
      ! Beeline VPN hub
      address 62.141.99.183
      pre-shared-key <authentication password>
    !

For the static routing option, the routes to the networks reachable through the VPN hub can be declared in the IKEv2 settings; they then appear in the CE routing table automatically as static routes. The same can be done the usual way, with plain static routes (see below).

    ! Needed for the authorization list referenced in the IKEv2 profile
    aaa new-model
    aaa authorization network group-author-list local
    !
    crypto ikev2 authorization policy FlexClient-author
     ! Route to the network behind the CE router: mandatory for static routing between CE and PE.
     ! It is passed to the PE automatically, over the IKEv2 exchange, when the tunnel comes up.
     route set remote ipv4 10.1.1.0 255.255.255.0
    !
    crypto ikev2 profile BeelineIPSec_profile
     identity local fqdn <login>
     authentication local pre-share
     authentication remote pre-share
     keyring local BeelineIPsec_keyring
     aaa authorization group psk list group-author-list FlexClient-author
    !
    crypto ikev2 client flexvpn BeelineIPsec_flex
     peer 1 Beeline_VPNHub
     client connect Tunnel1
    !
    crypto ipsec transform-set TRANSFORM1 esp-aes 256 esp-sha256-hmac
     mode tunnel
    !
    crypto ipsec profile default
     set transform-set TRANSFORM1
     set ikev2-profile BeelineIPSec_profile
    !
    interface Tunnel1
     ! Tunnel address; the /30 mask is the default tunnel subnet mentioned above
     ip address 10.20.1.2 255.255.255.252
     ! Internet-facing interface
     tunnel source GigabitEthernet0/2
     tunnel mode ipsec ipv4
     tunnel destination dynamic
     tunnel protection ipsec profile default
    !

Two points to keep in mind with this fragment. No `crypto ikev2 proposal` is pinned, so the router negotiates its platform default; pin one that matches what the hub accepts. And the pre-shared key is stored as typed: enable type-6 storage (`key config-key password-encrypt`, then `password encryption aes`) so it does not sit in cleartext in the startup configuration.

Routes to the client's private networks reachable through the Beeline VPN concentrator can be set statically:

    ip route 172.16.0.0 255.255.0.0 Tunnel1
    ip route 192.168.0.0 255.255.255.0 Tunnel1

Huawei option (AR160/AR120):
    ike local-name <login>
    #
    acl name ipsec 3999
     # office local network
     rule 1 permit ip source 10.1.1.0 0.0.0.255
    #
    aaa
     service-scheme IPSEC
      route set acl 3999
    #
    ipsec proposal ipsec
     esp authentication-algorithm sha2-256
     esp encryption-algorithm aes-256
    #
    ike proposal default
     encryption-algorithm aes-256
     dh group2
     authentication-algorithm sha2-256
     authentication-method pre-share
     integrity-algorithm hmac-sha2-256
     prf hmac-sha2-256
    #
    ike peer ipsec
     pre-shared-key simple <authentication password>
     local-id-type fqdn
     remote-id-type ip
     # Beeline VPN hub
     remote-address 62.141.99.183
     service-scheme IPSEC
     config-exchange request
     config-exchange set accept
     config-exchange set send
    #
    ipsec profile ipsecprof
     ike-peer ipsec
     proposal ipsec
    #
    interface Tunnel0/0/0
     # Tunnel address; the /30 mask is the default tunnel subnet mentioned above
     ip address 10.20.1.2 255.255.255.252
     tunnel-protocol ipsec
     # Internet-facing interface
     source GigabitEthernet0/0/1
     ipsec profile ipsecprof
    #

Two things in this fragment deserve a review note. `dh group2` is a 1024-bit MODP group and the weakest element of the proposal; if the hub accepts group 14 or higher, use it. `pre-shared-key simple` keeps the key in cleartext in the saved configuration, whereas `pre-shared-key cipher` stores it encrypted.

Routes to the client's private networks reachable through the Beeline VPN concentrator can be set statically:

    ip route-static 192.168.0.0 255.255.255.0 Tunnel0/0/0
    ip route-static 172.16.0.0 255.255.0.0 Tunnel0/0/0
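The route push in both configurations (`route set remote` under the FlexVPN authorization policy on Cisco, `config-exchange set send` with `route set acl` on Huawei) rides on the IKEv2 Configuration payload (RFC 7296, section 3.15): the CPE sends a CFG_SET carrying one INTERNAL_IP4_SUBNET attribute per prefix, and the hub installs the result into the client's VRF. Since, as noted above, the client fully controls what it announces, the hub side has to bound what it accepts. The Python below is an added example, not Beeline's or either vendor's code: it encodes and decodes that payload (only the inner payload; on the wire it travels inside the encrypted SK payload) and applies a hypothetical per-client acceptance bound. The announced prefixes and the allowed set are constructed for the example.

```python
"""Encode and decode an IKEv2 Configuration payload (RFC 7296 section 3.15) of the kind a
CPE uses to push its LAN prefixes to the hub, then apply a hub-side acceptance bound.
Added example; not Beeline's or a vendor's code."""
import ipaddress
import struct

# Constants from RFC 7296 section 3.15
CFG_REQUEST, CFG_REPLY, CFG_SET, CFG_ACK = 1, 2, 3, 4
INTERNAL_IP4_SUBNET = 13      # attribute value: 4-byte network address + 4-byte netmask


def encode_cfg_set(prefixes, next_payload=0):
    """Build a CFG_SET payload with one INTERNAL_IP4_SUBNET attribute per IPv4 prefix."""
    attrs = b""
    for p in prefixes:
        net = ipaddress.IPv4Network(p)          # strict: host bits must be zero
        value = net.network_address.packed + net.netmask.packed
        # Attribute header: R bit (0) + 15-bit type, then 16-bit length, then the value
        attrs += struct.pack("!HH", INTERNAL_IP4_SUBNET, len(value)) + value
    body = struct.pack("!B3x", CFG_SET) + attrs  # CFG Type + 3 reserved bytes
    # Generic payload header: Next Payload, Critical bit/reserved, total length incl. header
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def decode_cfg(payload):
    """Parse a Configuration payload, validating every length field.

    Returns (cfg_type, attributes); INTERNAL_IP4_SUBNET values become IPv4Network objects,
    unknown attributes are kept as raw bytes so the caller can decide what to do."""
    if len(payload) < 8:
        raise ValueError("payload shorter than fixed header")
    _next, _crit, length = struct.unpack("!BBH", payload[:4])
    if length != len(payload):
        raise ValueError(f"length field {length} does not match {len(payload)} bytes")
    cfg_type = payload[4]
    attrs, off = [], 8
    while off < length:
        if off + 4 > length:
            raise ValueError("truncated attribute header")
        raw_type, alen = struct.unpack("!HH", payload[off:off + 4])
        off += 4
        if off + alen > length:
            raise ValueError("attribute value runs past payload end")
        value, off = payload[off:off + alen], off + alen
        atype = raw_type & 0x7FFF               # mask the reserved high bit
        if atype == INTERNAL_IP4_SUBNET:
            if alen != 8:
                raise ValueError("INTERNAL_IP4_SUBNET must be 8 bytes")
            addr = ipaddress.IPv4Address(value[:4])
            mask = ipaddress.IPv4Address(value[4:])
            attrs.append((atype, ipaddress.IPv4Network(f"{addr}/{mask}")))  # strict
        else:
            attrs.append((atype, value))
    return cfg_type, attrs


def hub_accept_routes(payload, allowed_prefixes, min_prefixlen=16):
    """Hub side: decode a CFG_SET and split the announced subnets into accepted/rejected.

    `allowed_prefixes` is a hypothetical per-client bound (the address plan agreed for the
    client's VRF); anything outside it, or shorter than `min_prefixlen`, is dropped so a
    misconfigured CPE cannot push a default route or a foreign prefix into the VRF."""
    cfg_type, attrs = decode_cfg(payload)
    if cfg_type != CFG_SET:
        raise ValueError(f"expected CFG_SET (3), got {cfg_type}")
    allowed = [ipaddress.IPv4Network(a) for a in allowed_prefixes]
    accepted, rejected = [], []
    for atype, val in attrs:
        if atype != INTERNAL_IP4_SUBNET:
            continue
        ok = val.prefixlen >= min_prefixlen and any(val.subnet_of(a) for a in allowed)
        (accepted if ok else rejected).append(str(val))
    return accepted, rejected


if __name__ == "__main__":
    # Constructed announcement: two office LANs plus a default route a CPE should never push
    payload = encode_cfg_set(["10.1.1.0/24", "192.168.0.0/24", "0.0.0.0/0"])
    print(payload.hex())
    print(hub_accept_routes(payload, ["10.0.0.0/8", "192.168.0.0/16"]))
```

The decoder is deliberately strict about lengths and about host bits in the announced subnet, because this payload arrives from the customer side of the tunnel and is the one place where a CPE misconfiguration turns directly into routing state on the operator's PE.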
The resulting connection diagram looks like this:

If a client does not have an example basic configuration for their equipment, we usually help put one together and make it available to others.

All that remains is to connect the CPE to the Internet and ping the hub end of the VPN tunnel and then any host inside the VPN; once that works, the connection can be considered established.
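Before handing a client a reference configuration like the two above, or accepting one the client wrote, it is worth running a mechanical check over it. The Python below is an added example, not the operator's tooling: it lints Cisco- and Huawei-style fragments for the points a reviewer would raise, namely a Diffie-Hellman group below 2048 bits, legacy ciphers or hashes, a pre-shared key stored in cleartext, and an IKEv2 client with no explicitly pinned proposal. The embedded fragments are constructed from the configurations above, plus a hardened Huawei variant that assumes the hub accepts DH group 14.

```python
"""Lint a CPE IPsec/IKEv2 configuration fragment (Cisco IOS FlexVPN client or Huawei AR
style) for the settings a security review would flag before the tunnel goes live.
Added example, not operator tooling; the embedded configs are constructed."""
import re

# MODP group sizes below the 2048-bit floor (group 14); ECP groups 19-21 are fine too.
WEAK_DH_BITS = {1: 768, 2: 1024, 5: 1536}
WEAK_ENC = re.compile(r"\b(des|3des|null|esp-des|esp-3des|esp-null)\b")
WEAK_HASH = re.compile(r"\b(md5|sha1|sha-1|esp-md5-hmac|esp-sha-hmac)\b")
# Lines that carry IKE or ESP algorithm choices on either vendor
ALGO_LINE = re.compile(r"^(esp\s+)?(encryption|authentication|integrity)(-algorithm)?\b"
                       r"|^prf\b|^crypto ipsec transform-set\b")


def audit_cpe_config(text):
    """Return a list of (severity, message) findings; an empty list means nothing to flag."""
    lines = [ln.strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln and ln[0] not in "!#"]    # drop blanks and comments
    joined = "\n".join(lines).lower()
    is_cisco = "crypto ikev2" in joined
    has_type6 = "password encryption aes" in joined             # Cisco type-6 key storage
    findings = []

    for ln in lines:
        low = ln.lower()
        # Diffie-Hellman: Huawei 'dh group2', Cisco 'group 2 5 14' inside an IKEv2 proposal
        m = re.fullmatch(r"dh\s+group(\d+)", low) or re.fullmatch(r"group((?:\s+\d+)+)", low)
        if m:
            for g in re.findall(r"\d+", m.group(1)):
                if int(g) in WEAK_DH_BITS:
                    findings.append(("HIGH", f"DH group {g} is {WEAK_DH_BITS[int(g)]}-bit MODP; "
                                             f"use group 14 or higher ('{ln}')"))
        if ALGO_LINE.match(low):
            for alg in WEAK_ENC.findall(low):
                findings.append(("HIGH", f"legacy cipher {alg} ('{ln}')"))
            for alg in WEAK_HASH.findall(low):
                findings.append(("MEDIUM", f"legacy hash {alg} ('{ln}')"))
        # PSK at rest: Huawei 'simple', and Cisco without type-6 storage, keep it in cleartext
        if low.startswith("pre-shared-key"):
            toks = low.split()
            if is_cisco and "6" not in toks[1:3] and not has_type6:
                findings.append(("MEDIUM", "PSK stored in cleartext; enable "
                                           "'key config-key password-encrypt' + 'password encryption aes'"))
            elif not is_cisco and len(toks) > 1 and toks[1] == "simple":
                findings.append(("MEDIUM", "PSK stored in cleartext ('simple'); use 'pre-shared-key cipher'"))

    if is_cisco and "crypto ikev2 proposal" not in joined:
        findings.append(("MEDIUM", "no explicit 'crypto ikev2 proposal'; the platform default is "
                                   "negotiated (older IOS defaults still offer 3DES, MD5 and DH groups 2/5)"))
    return findings


# Constructed fragments, reduced to the lines the checks look at
CISCO_CPE = """
crypto ikev2 keyring BeelineIPsec_keyring
 peer Beeline_VPNHub
  address 62.141.99.183
  pre-shared-key <authentication password>
crypto ikev2 profile BeelineIPSec_profile
 authentication local pre-share
 authentication remote pre-share
crypto ipsec transform-set TRANSFORM1 esp-aes 256 esp-sha256-hmac
 mode tunnel
"""

HUAWEI_CPE = """
ipsec proposal ipsec
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
ike proposal default
 encryption-algorithm aes-256
 dh group2
 authentication-algorithm sha2-256
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
ike peer ipsec
 pre-shared-key simple <authentication password>
"""

# Same Huawei fragment with both findings fixed (assumes the hub accepts DH group 14)
HUAWEI_CPE_HARDENED = HUAWEI_CPE.replace("dh group2", "dh group14").replace(
    "pre-shared-key simple", "pre-shared-key cipher")

if __name__ == "__main__":
    for name, cfg in (("cisco", CISCO_CPE), ("huawei", HUAWEI_CPE), ("huawei-hardened", HUAWEI_CPE_HARDENED)):
        print(name, audit_cpe_config(cfg) or "clean")
```

The Cisco fragment produces no HIGH findings because the ESP transform set already uses AES-256 and SHA-256; what it lacks is a pinned IKEv2 proposal and encrypted key storage. The Huawei fragment trips on `dh group2` and `pre-shared-key simple`, and the hardened variant passes clean.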
In the next article we will describe how we combined this scheme with an IPSec tunnel and SIM redundancy using Huawei CPE: we installed Huawei CPE for clients that can use two different SIM cards in addition to the wired Internet circuit. The CPE automatically re-establishes the IPSec tunnel over the wired WAN or over wireless (LTE#1/LTE#2), which gives the resulting service high fault tolerance.
Thanks to our colleagues in RnD, who helped prepare this article and are in fact the authors of these technical solutions.
Source: habr.com