This article is a continuation.
The demonstration uses a standard scheme connecting a head office and a branch office. To provide a fault-tolerant Internet connection, the head office uses two providers (ISP-1 and ISP-2) at the same time. The branch is connected to a single provider, ISP-3. Two tunnels are built between the PA-1 and PA-2 firewalls. The tunnels operate in Active/Standby mode: tunnel 1 is active, and if tunnel 1 fails, tunnel 2 starts carrying the traffic. Tunnel 1 uses the connection to ISP-1 and tunnel 2 uses the connection to ISP-2. All IP addresses are generated at random for demonstration purposes and bear no relation to reality.
A Site-to-Site VPN is built with IPSec, a set of protocols for protecting data transmitted over IP. IPSec works with the ESP (Encapsulating Security Payload) security protocol, which ensures encryption of the transmitted data.
IPSec includes IKE (Internet Key Exchange), the protocol responsible for negotiating SAs (Security Associations), the security parameters used to protect the transmitted data. PAN firewalls support IKEv1 and IKEv2.
With IKEv1, a VPN connection is built in two phases: IKEv1 Phase 1 (the IKE tunnel) and IKEv1 Phase 2 (the IPSec tunnel). Two tunnels are therefore created, one used to exchange service information between the firewalls and the second used to carry traffic. IKEv1 Phase 1 has two modes of operation, Main mode and Aggressive mode. Aggressive mode uses fewer messages and is faster, but it does not support peer ID protection.
IKEv2 replaced IKEv1; compared with IKEv1, its main advantages are lower bandwidth requirements and faster SA negotiation. IKEv2 uses fewer service messages (four in total), supports the EAP and MOBIKE protocols, and adds a mechanism for checking the availability of the peer with which the tunnel is built, the liveness check, which replaces the Dead Peer Detection of IKEv1. If the check fails, IKEv2 can reset the tunnel and automatically restore it at the first opportunity. You can read more about the differences here.
If a tunnel is built between firewalls from different vendors, the IKEv2 implementation may contain bugs; for compatibility with such equipment, IKEv1 can be used. In all other cases it is better to use IKEv2.
Setup procedure:
• Configuring two Internet providers in Active/Standby mode
There are several ways to implement this. One of them is the Path Monitoring mechanism, available since PAN-OS 8.0.0; this example uses version 8.0.16. The feature is similar to IP SLA on Cisco routers. In the parameters of the static default route, we configure sending ping packets from a specific source address to a specific IP address. In this case, the ethernet1/1 interface sends pings to the default gateway at the configured interval. If the configured number of consecutive pings goes unanswered, the route is considered down and is removed from the routing table. The same route is configured towards the second Internet provider, but with a higher metric (the backup provider). Once the first route is removed from the table, the firewall starts sending traffic via the second route; this is failover. When the first provider starts answering pings again, its route returns to the table and, because its metric is better, replaces the second provider's route; this is failback. The failover process takes several seconds depending on the configured interval, but in any case it is not instantaneous and traffic is lost in the meantime. Failback happens without loss of traffic. Faster failover is possible with BFD, if the Internet provider offers it. BFD is supported starting from the PA-3000 series and VM-100 models. As the ping address it is recommended to specify not the provider's gateway but a public Internet address that is always reachable.
• Creating the tunnel interfaces
Traffic inside a tunnel is sent through special virtual interfaces. Each of them needs an IP address from a transit network. In this example, subnet 172.16.1.0/30 is used for tunnel 1 and subnet 172.16.2.0/30 for tunnel 2.
Tunnel interfaces are created in Network -> Interfaces -> Tunnel. You need to specify the virtual router and the security zone, as well as an IP address from the corresponding transit network. The interface number can be any number.
In the Advanced section you can specify a Management Profile that allows ping on the given interface, which can be useful for testing.
• Setting up the IKE profile
The IKE profile is responsible for the first stage of creating the VPN connection; the IKE Phase 1 tunnel parameters are specified here. The profile is created in Network -> Network Profiles -> IKE Crypto. You need to specify the encryption algorithm, the hash algorithm, the Diffie-Hellman group and the key lifetime. In general, the more complex the algorithm, the lower the performance, so the algorithms should be chosen according to the specific security requirements. However, using a Diffie-Hellman group below 14 to protect sensitive information is strongly discouraged. This is due to a vulnerability in the protocol that can only be mitigated by using a modulus size of 2048 bits or more, or the elliptic-curve algorithms used in groups 19, 20, 21 and 24. Compared with conventional encryption, these algorithms…
• Setting up the IPSec profile
The second stage of creating the VPN connection is the IPSec tunnel. Its SA parameters are configured in Network -> Network Profiles -> IPSec Crypto. Here you need to specify the IPSec protocol, AH or ESP, as well as the SA parameters: hash algorithm, encryption, Diffie-Hellman group and key lifetime. The SA parameters of the IKE Crypto profile and the IPSec Crypto profile do not have to be the same.
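The Diffie-Hellman guidance above applies to both the IKE Crypto and the IPSec Crypto profile, and a PAN-OS profile can list several groups, any of which the peer may pick. The following check is an added example, not code from the article or from Palo Alto Networks: it models a profile as a plain dict (a constructed representation, not the PAN-OS configuration format) and reports every listed group that falls below the recommended strength. The group table is the set of IKE DH groups from RFC 3526, RFC 5114 and RFC 5903; one caveat to the text above is that group 24 is a 2048-bit MODP group with a 256-bit prime-order subgroup, not an elliptic-curve group.

```python
"""Added example (not from the original article): a policy check for the
Diffie-Hellman groups selected in an IKE Crypto or IPSec Crypto profile,
following the guidance above (no MODP group below 2048 bits, i.e. nothing
below group 14). Profile dicts are constructed for illustration."""

# DH group id -> (kind, size in bits). Group 24 is a 2048-bit MODP group with
# a 256-bit prime-order subgroup (RFC 5114), not an elliptic curve.
DH_GROUPS = {
    1: ("modp", 768),
    2: ("modp", 1024),
    5: ("modp", 1536),
    14: ("modp", 2048),
    15: ("modp", 3072),
    16: ("modp", 4096),
    19: ("ecp", 256),
    20: ("ecp", 384),
    21: ("ecp", 521),
    24: ("modp", 2048),
}

MIN_MODP_BITS = 2048  # the threshold the article recommends
MIN_ECP_BITS = 256


def dh_group_is_acceptable(group):
    """Return (ok, reason). group=None models 'no PFS' in an IPSec profile."""
    if group is None:
        return False, "PFS disabled (no DH group): child SA keys derive only from the IKE SA"
    if group not in DH_GROUPS:
        return False, f"unknown DH group {group}"
    kind, bits = DH_GROUPS[group]
    if kind == "modp" and bits < MIN_MODP_BITS:
        return False, f"group {group} is a {bits}-bit MODP group, below {MIN_MODP_BITS} bits"
    if kind == "ecp" and bits < MIN_ECP_BITS:
        return False, f"group {group} is a {bits}-bit ECP group, below {MIN_ECP_BITS} bits"
    return True, f"group {group} ok ({bits}-bit {kind.upper()})"


def check_profile(profile):
    """profile: {"name": str, "dh_groups": [int | None, ...]} (constructed shape).
    A profile can list several groups and the peer may pick any of them, so
    every weak entry is reported. An empty result means the profile is acceptable."""
    findings = []
    for group in profile["dh_groups"]:
        ok, reason = dh_group_is_acceptable(group)
        if not ok:
            findings.append(f"{profile['name']}: {reason}")
    return findings


# Constructed profiles: a legacy one, one without PFS, and a recommended one.
PROFILES = [
    {"name": "ike-crypto-legacy", "dh_groups": [2, 14]},
    {"name": "ipsec-crypto-nopfs", "dh_groups": [None]},
    {"name": "ike-crypto-modern", "dh_groups": [14, 19, 20]},
]

if __name__ == "__main__":
    for p in PROFILES:
        for line in check_profile(p) or [f"{p['name']}: acceptable"]:
            print(line)
```

Running the block prints one finding per weak group; the legacy profile is flagged for group 2 even though group 14 is also listed, because the weaker group remains negotiable as long as it stays in the profile.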
• Configuring the IKE Gateway
An IKE Gateway is the object that specifies the router or firewall with which the VPN tunnel is built. Each tunnel needs its own IKE Gateway. In this case, two tunnels are created, one through each Internet provider. The corresponding outgoing interface and its IP address, the peer IP address and the pre-shared key are specified. A certificate can be used instead of the pre-shared key.
The previously created IKE Crypto profile is selected here. The parameters of the second IKE Gateway object are the same except for the IP addresses. If the Palo Alto Networks firewall is behind a NAT router, the NAT Traversal mechanism must be enabled.
• Setting up the IPSec tunnel
An IPSec Tunnel, as the name suggests, is the object that specifies the IPSec tunnel parameters. Here you need to specify the tunnel interface and the previously created IKE Gateway and IPSec Crypto profile objects. To ensure that routing switches to the backup tunnel automatically, Tunnel Monitor must be enabled. This is a mechanism that uses ICMP traffic to check that the peer is alive. As the destination address, specify the IP address of the tunnel interface of the peer with which the tunnel is built. The profile specifies the timers and the action to take when the connection is lost: Wait Recover waits until the connection is restored; Fail Over sends traffic along another route, if one is available. The second tunnel is configured in exactly the same way, specifying the second tunnel interface and the second IKE Gateway.
• Configuring routing
This example uses static routing. On the PA-1 firewall, in addition to the two default routes, two routes to the 10.10.10.0/24 subnet in the branch must be specified. One route uses tunnel 1, the other uses tunnel 2. The route via tunnel 1 is the main one and has the lower metric. The Path Monitoring mechanism is not used for these routes; switching is handled by the Tunnel Monitor.
The same routes to subnet 192.168.30.0/24 must be configured on PA-2.
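The two switchovers described in this article, Path Monitoring on the default routes and Tunnel Monitor (Fail Over action) on the two tunnel routes, follow the same pattern: a probed route is withdrawn after a run of lost probes and the next-best metric takes over, then the route comes back when probes succeed again. The block below is an added example, not code from the article or from Palo Alto Networks; it models that state machine for the two tunnel routes with constructed names, metrics, probe interval and failure threshold (in PAN-OS these are profile settings), and it shows why failover loses traffic for a few intervals while failback does not. Immediate reinstallation on the first successful probe is a simplification of the real behaviour.

```python
"""Added example (not from the original article): a minimal model of the
failover/failback behaviour of a monitored route pair. Route names, metrics,
interval and threshold are constructed for illustration."""
from dataclasses import dataclass


@dataclass
class MonitoredRoute:
    name: str          # e.g. "tunnel.1"
    metric: int        # lower metric is preferred
    fail_count: int    # consecutive lost probes before the route is withdrawn
    lost_in_row: int = 0
    installed: bool = True

    def observe(self, reply: bool) -> None:
        """Feed one probe result (True = ICMP reply received)."""
        if reply:
            self.lost_in_row = 0
            self.installed = True       # failback: route reinstalled (simplified)
        else:
            self.lost_in_row += 1
            if self.lost_in_row >= self.fail_count:
                self.installed = False  # failover: route withdrawn


def active_route(routes):
    """Route currently used for the destination: lowest metric among installed."""
    installed = [r for r in routes if r.installed]
    if not installed:
        return None
    return min(installed, key=lambda r: r.metric).name


def simulate(routes, probe_log, interval_s):
    """probe_log: one dict per probe interval, {route name: reply received?}.
    Returns the active route after each interval and the number of seconds
    during which the primary was unreachable but not yet withdrawn, i.e. the
    time traffic was still sent into a dead path."""
    primary = min(routes, key=lambda r: r.metric)
    history, blackhole_s = [], 0
    for tick in probe_log:
        for r in routes:
            r.observe(tick[r.name])
        history.append(active_route(routes))
        if not tick[primary.name] and primary.installed:
            blackhole_s += interval_s
    return history, blackhole_s


# Constructed probe log: the peer behind tunnel.1 stops answering for five intervals.
PROBES = [
    {"tunnel.1": True,  "tunnel.2": True},
    {"tunnel.1": True,  "tunnel.2": True},
    {"tunnel.1": False, "tunnel.2": True},
    {"tunnel.1": False, "tunnel.2": True},
    {"tunnel.1": False, "tunnel.2": True},
    {"tunnel.1": False, "tunnel.2": True},
    {"tunnel.1": False, "tunnel.2": True},
    {"tunnel.1": True,  "tunnel.2": True},
]


def run_example():
    routes = [
        MonitoredRoute("tunnel.1", metric=10, fail_count=3),  # primary
        MonitoredRoute("tunnel.2", metric=20, fail_count=3),  # backup
    ]
    return simulate(routes, PROBES, interval_s=1)


if __name__ == "__main__":
    history, lost = run_example()
    print("active route per interval:", history)
    print("seconds of lost traffic during failover:", lost)
```

With a threshold of three probes at a one-second interval, the primary stays installed for two intervals after it has actually gone dark, which is the traffic loss the article attributes to failover; on recovery the better metric wins as soon as the route is back, so failback costs nothing. Lowering the interval or threshold shortens the blackhole at the price of more false positives on a lossy link.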
• Configuring the security rules
For the tunnels to work, the following three rules are required:
- To let Path Monitor work, allow ICMP on the external interfaces.
- For IPSec, allow the ike and ipsec applications on the external interfaces.
- Allow traffic between the internal subnets and the tunnel interfaces.
Summary
This article described one option for setting up a fault-tolerant Internet connection and a Site-to-Site VPN. We hope this information is useful and that readers have gained an understanding of the Palo Alto Networks technologies used here. If you have questions about the configuration or suggestions for topics for future articles, please write them in the comments; we will be happy to answer.
Source: habr.com