How to connect to Beeline IPVPN via IPSec. Part 1

Hi! In the previous post I described the operation of our MultiSIM service a little: redundancy and channel balancing. As mentioned there, we connect customers to the network via VPN, and today I will tell you a bit more about VPN and what we can offer in this area.

It is worth starting with the fact that we, as a telecom operator, have our own huge MPLS network, which for fixed-line customers is divided into two main segments: one used directly for Internet access, and one used to build isolated networks. It is through this second MPLS segment that the IPVPN (L3 OSI) and VPLAN (L2 OSI) traffic of our corporate customers flows.

Typically, a customer is connected as follows.

An access line is laid to the customer's office from the nearest point of presence of our network (a MEN node, RRL, BSSS, FTTB, etc.), and from there the channel is provisioned through the transport network to the corresponding PE-MPLS router, where we terminate it into the customer's dedicated VRF, taking into account the traffic profile the customer needs (profile labels are assigned on each access port based on the ip precedence values 0, 1, 3, 5).

If for some reason we cannot organise the last mile to the customer, for example because the customer's office is in a business centre where another provider has priority, or we simply have no point of presence nearby, then previously customers had to either build several IPVPN networks with different providers (not the cheapest architecture) or solve the problem of organising access to their VRF over the Internet on their own.

Many did this by setting up an IPVPN Internet gateway: they installed a border router (hardware or some Linux-based solution), connected the IPVPN channel to one port and the Internet channel to another, ran their own VPN server on it and connected users through their own VPN gateway. Naturally, such a scheme also creates a burden: this infrastructure has to be built and, worse, administered and developed.

To make life easier for our customers, we installed a centralised VPN hub and organised support for connections over the Internet using IPSec. That is, the customer only needs to configure their router to work with our VPN hub over IPSec via the Internet, and we release that customer's traffic into their VRF.

Who will find this useful?

  • Those who have a large IPVPN network and need new connections in a short time.
  • Anyone who, for whatever reason, wants to move part of their traffic from the public Internet to IPVPN but has run into technical restrictions tied to having several service providers.
  • Those who currently have several disparate VPN networks with different telecom operators. There are customers who have correctly configured IPVPN from Beeline, Megafon, Rostelecom and so on. For simplicity, you can stay on our single VPN, switch all the other operators' channels to Internet access, and connect to Beeline IPVPN via IPSec over the Internet from those operators.
  • Those who already have an IPVPN network overlaid on the Internet.

If you move everything to us, the customer gets full VPN support, a fundamental upgrade of the infrastructure, and settings that work on any router they are used to (be it Cisco or Mikrotik; the main thing is that it properly supports IPSec/IKEv2 with the standard authentication methods). By the way, about IPSec: at the moment it is the only protocol we support, but we plan to launch full support for both OpenVPN and Wireguard, so that customers do not depend on the protocol and it becomes even easier to take everything and move it to us; we also want to start connecting customers from computers and mobile devices (the solutions built into the OS, Cisco AnyConnect, strongSwan and so on). With this approach, building the infrastructure itself can be safely handed over to the operator, leaving only the configuration of the CPE or the host.

How does the connection process work in IPSec mode:

  1. The customer submits a request to their manager, specifying the required connection speed, the traffic profile and the IP addressing parameters for the connection (by default a subnet with a /30 mask), and the routing type (static or BGP). To transfer the routes to the customer's local networks in the connected office, either the IKEv2 mechanisms of the IPSec protocol phase are used, with the appropriate settings on the customer's router, or the routes are announced over BGP into MPLS from a private BGP AS. Thus, the information about the customer's network routes is fully controlled by the customer through the settings of the customer's router.
  2. In reply, the customer receives from their manager the accounting data for inclusion in their VRF, in the form of:
    • VPN-HUB IP address
    • Login
    • Password
  3. The customer configures the CPE; below, as an example, are two basic configuration options:

    Cisco option:
    crypto ikev2 keyring BeelineIPsec_keyring
     peer Beeline_VPNHub
      address 62.141.99.183 - Beeline VPN hub
      pre-shared-key <Authentication password>
    !
    For the static option, the routes to the networks reachable via the VPN hub can be specified in the IKEv2 configuration, and they will appear as static routes in the CE routing table. The same settings can also be made using the usual method of defining static routes (see below).

    crypto ikev2 authorization policy FlexClient-author

    The route to the networks behind the CE router: the source of the static route between the CE and the PE. The route is pushed to the PE automatically when the tunnel comes up, through the IKEv2 exchange.

     route set remote ipv4 10.1.1.0 255.255.255.0 - Office local network
    !
    crypto ikev2 profile BeelineIPSec_profile
     identity local <login>
     authentication local pre-share
     authentication remote pre-share
     keyring local BeelineIPsec_keyring
     aaa authorization group psk list group-author-list FlexClient-author
    !
    crypto ikev2 client flexvpn BeelineIPsec_flex
     peer 1 Beeline_VPNHub
     client connect Tunnel1
    !
    crypto ipsec transform-set TRANSFORM1 esp-aes 256 esp-sha256-hmac
     mode tunnel
    !
    crypto ipsec profile default
     set transform-set TRANSFORM1
     set ikev2-profile BeelineIPSec_profile
    !
    interface Tunnel1
     ip address 10.20.1.2 255.255.255.252 - Tunnel address
     tunnel source GigabitEthernet0/2 - Internet interface
     tunnel mode ipsec ipv4
     tunnel destination dynamic
     tunnel protection ipsec profile default
    !
    The routes to the customer's private networks reachable via the Beeline VPN concentrator can be configured statically.

    ip route 172.16.0.0 255.255.0.0 Tunnel1
    ip route 192.168.0.0 255.255.255.0 Tunnel1

    Huawei option (AR160/120):
    ike local-name <login>
    #
    acl name ipsec 3999
     rule 1 permit ip source 10.1.1.0 0.0.0.255 - Office local network
    #
    aaa
     service-scheme IPSEC
      route set acl 3999
    #
    ipsec proposal ipsec
     esp authentication-algorithm sha2-256
     esp encryption-algorithm aes-256
    #
    ike proposal default
     encryption-algorithm aes-256
     dh group2
     authentication-algorithm sha2-256
     authentication-method pre-share
     integrity-algorithm hmac-sha2-256
     prf hmac-sha2-256
    #
    ike peer ipsec
     pre-shared-key <Authentication password>
     local-id-type fqdn
     remote-id-type ip
     remote-address 62.141.99.183 - Beeline VPN hub
     service-scheme IPSEC
     config-exchange request
     config-exchange set accept
     config-exchange set send
    #
    ipsec profile ipsecprof
     ike-peer ipsec
     proposal ipsec
    #
    interface Tunnel0/0/0
     ip address 10.20.1.2 255.255.255.252 - Tunnel address
     tunnel-protocol ipsec
     source GigabitEthernet0/0/1 - Internet interface
     ipsec profile ipsecprof
    #
    The routes to the customer's private networks reachable via the Beeline VPN concentrator can be configured statically.

    ip route-static 192.168.0.0 255.255.255.0 Tunnel0/0/0
    ip route-static 172.16.0.0 255.255.0.0 Tunnel0/0/0

The resulting connection diagram looks like this:

[Figure: connection diagram]

If the customer has no examples of a basic configuration for their equipment, we usually help write one and make it available to everyone else.

All that remains is to connect the CPE to the Internet, ping the far side of the VPN link's /30 and any host inside the VPN, and that is it: the connection can be considered established.
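The per-site values in steps 1 to 3 (the /30 issued by the manager, the office LAN, the prefixes reached through the hub) appear in the two sample configs in slightly different vendor spellings, and the final ping test above needs the hub's address on the /30. The following script is an added example, not code from the post or from Beeline: it derives those values from the issued parameters with the standard library, renders the matching route and ACL lines for both vendors, and checks that the Cisco transform-set and the Huawei ipsec proposal describe the same ESP suite, since a suite mismatch is the usual reason a tunnel negotiates IKE but passes no traffic. The hub, tunnel and office addresses are the ones from the sample configs; the prefix list is likewise the one shown there.

```python
import ipaddress
import re

# Values from the sample configs above (the office LAN and private prefixes are
# the illustrative ones the post uses; a real site substitutes its own).
HUB_IP = "62.141.99.183"          # Cisco 'address' / Huawei 'remote-address'
TUNNEL_SUBNET = "10.20.1.0/30"    # the /30 issued by default for the tunnel link
CE_TUNNEL_IP = "10.20.1.2"        # the CE side configured on Tunnel1 / Tunnel0/0/0
OFFICE_LAN = "10.1.1.0/24"        # announced towards the PE via IKEv2 config exchange
PRIVATE_PREFIXES = ["172.16.0.0/16", "192.168.0.0/24"]  # reached through the hub

# Vendor spellings of the same ESP integrity algorithms, normalised to Huawei's form.
CISCO_HMAC = {"md5": "md5", "sha": "sha1", "sha256": "sha2-256",
              "sha384": "sha2-384", "sha512": "sha2-512"}


def tunnel_peer(ce_ip: str, subnet: str) -> str:
    """Return the other usable host of the /30: the hub address to ping once up."""
    net = ipaddress.ip_network(subnet, strict=False)
    hosts = list(net.hosts())
    if len(hosts) != 2:
        raise ValueError(f"{subnet} is not a /30 point-to-point link")
    ce = ipaddress.ip_address(ce_ip)
    if ce not in hosts:
        raise ValueError(f"{ce_ip} is not a usable host in {subnet}")
    return str(hosts[0] if hosts[1] == ce else hosts[1])


def wildcard_mask(prefix: str) -> str:
    """Huawei ACL rules take an inverted mask: 255.255.255.0 becomes 0.0.0.255."""
    return str(ipaddress.ip_network(prefix, strict=False).hostmask)


def lan_lines(prefix: str) -> tuple[str, str]:
    """The office-LAN line for each vendor (Cisco IKEv2 policy, Huawei ACL rule)."""
    net = ipaddress.ip_network(prefix, strict=False)
    return (f"route set remote ipv4 {net.network_address} {net.netmask}",
            f"rule 1 permit ip source {net.network_address} {wildcard_mask(prefix)}")


def render_routes(prefixes, cisco_if="Tunnel1", huawei_if="Tunnel0/0/0"):
    """Static routes for the hub-side prefixes, one list per vendor."""
    cisco, huawei = [], []
    for p in prefixes:
        net = ipaddress.ip_network(p, strict=False)
        cisco.append(f"ip route {net.network_address} {net.netmask} {cisco_if}")
        huawei.append(f"ip route-static {net.network_address} {net.netmask} {huawei_if}")
    return cisco, huawei


def cisco_esp_suite(transform_set_line: str) -> dict:
    """Parse 'crypto ipsec transform-set NAME esp-<enc> [bits] esp-<hash>-hmac'."""
    m = re.match(r"crypto ipsec transform-set \S+ esp-(aes|3des|des)(?: (\d+))? "
                 r"esp-(md5|sha|sha256|sha384|sha512)-hmac$", transform_set_line.strip())
    if not m:
        raise ValueError(f"unrecognised transform-set: {transform_set_line!r}")
    enc, bits, mac = m.groups()
    return {"encryption": f"{enc}-{bits}" if bits else enc,
            "integrity": CISCO_HMAC[mac]}


def huawei_esp_suite(proposal_lines) -> dict:
    """Collect the ESP algorithms from the lines of an 'ipsec proposal' block."""
    suite = {}
    for line in proposal_lines:
        words = line.split()
        if words[:2] == ["esp", "encryption-algorithm"]:
            suite["encryption"] = words[2]
        elif words[:2] == ["esp", "authentication-algorithm"]:
            suite["integrity"] = words[2]
    return suite


def site_summary() -> dict:
    """Everything an engineer needs to type and then verify for this site."""
    cisco_ts = "crypto ipsec transform-set TRANSFORM1 esp-aes 256 esp-sha256-hmac"
    huawei_prop = ["esp authentication-algorithm sha2-256",
                   "esp encryption-algorithm aes-256"]
    cisco_routes, huawei_routes = render_routes(PRIVATE_PREFIXES)
    return {
        "hub": HUB_IP,
        "ping_target": tunnel_peer(CE_TUNNEL_IP, TUNNEL_SUBNET),
        "lan_lines": lan_lines(OFFICE_LAN),
        "cisco_routes": cisco_routes,
        "huawei_routes": huawei_routes,
        "esp_suites_match": cisco_esp_suite(cisco_ts) == huawei_esp_suite(huawei_prop),
    }


if __name__ == "__main__":
    for key, value in site_summary().items():
        print(f"{key}: {value}")
```

The ESP check deliberately compares only what both configs state for phase 2; the IKE proposal (AES-256, SHA2-256, DH group 2, PSK) is pinned only on the Huawei side in the samples, because the Cisco FlexVPN client falls back to its default IKEv2 proposal, so that half of the negotiation is best confirmed against the hub rather than between the two CPE configs.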

In the next article we will tell you how we combined this scheme, IPSec and MultiSIM Redundancy on a Huawei CPE: we install our Huawei CPE at customers that, besides the wired Internet channel, can also use two SIM cards, and the CPE automatically rebuilds the IPSec tunnel either over the wired WAN or over radio (LTE#1/LTE#2), providing high fault tolerance for the resulting service.

Special thanks to our RnD colleagues for preparing this article (and, in fact, for being the authors of these technical solutions)!

Source: www.habr.com
