Hello, Habr!
I should start by saying that we, as a telecom operator, have a large MPLS network in which fixed-line customers are divided into two main segments: those used directly for Internet access, and those used to build remote networks. It is through this MPLS segment that our customers' IPVPN (OSI L3) and VPLAN (OSI L2) traffic flows.
Usually a customer is connected as follows.
An access line is run to the customer's office from the nearest point of presence on the network (MEN node, RRL, BSSS, FTTB, etc.), and from there the channel is registered through the transport network to the corresponding PE-MPLS router, where we terminate it in the customer's VRF, taking into account the traffic profile the customer needs (profile labels are assigned per access port, based on IP precedence values 0, 1, 3, 5).
If for some reason we cannot arrange the last mile to the customer, for example because the customer's office is in a business centre where another provider has priority, or because we simply have no presence nearby, then customers previously had to build several IPVPN networks with different providers (not the cheapest architecture) or solve the problem of reaching their VRF over the Internet on their own.
Many did this by building an IPVPN Internet gateway: they installed a border router (hardware or some Linux-based solution), connected the IPVPN channel to one port and the Internet channel to another, ran their own VPN server on it and connected users through their own VPN gateway. Naturally, such a scheme brings its own burdens: this infrastructure has to be built and, most annoyingly, operated and developed.
To make life easier for our customers, we installed a central VPN hub and set up support for connections over the Internet using IPSec: the customer only has to configure their router to work with our VPN hub over IPSec across the Internet, and we deliver that customer's traffic into their VRF.
Who might find this useful?
- Those who already have a large IPVPN network and need new connections in a short time.
- Anyone who, for whatever reason, wants to move part of their traffic from the public Internet into the IPVPN but has run into technical restrictions tied to working with several providers.
- Those who currently have several disparate VPN networks with different operators. There are customers who have successfully set up IPVPN from Beeline, Megafon, Rostelecom and others. To simplify, you can stay on our single VPN, switch all the other operators' users to the Internet, and connect to the Beeline IPVPN over IPSec via the Internet from those operators.
- Those who already have an IPVPN network built on top of the Internet.
If you bring everything to us, the customer gets full VPN support, a major upgrade of their infrastructure, and a configuration that works on any router they are used to (be it Cisco or even Mikrotik; the main thing is that it properly supports IPSec/IKEv2 with standard authentication methods). A note on IPSec: at the moment it is the only protocol we support, but we plan to launch full support for OpenVPN and WireGuard so that customers are not tied to the protocol and it is easier to pick up and move everything to us; we also want to start connecting customers from computers and phones (the solutions built into the OS, Cisco AnyConnect, strongSwan and so on). With this approach the heavy infrastructure can safely be handed over to the operator, leaving only the CPE or host configuration on the customer's side.
How connection works in IPSec mode:
- The customer submits a request to their manager, stating the required connection speed, the traffic profile, the IP addressing parameters for the point-to-point link (by default a subnet with a /30 mask) and the routing type (static or BGP). To pass routes to the customer's local networks in the connected office, either the IKEv2 mechanisms of the IPSec protocol family are used, through the corresponding settings on the customer's router, or the routes are announced via BGP into the MPLS from a private BGP AS. Either way, information about the customer's network routes is controlled entirely by the customer through the settings of the customer's router.
- In reply, the customer receives from their manager the access data for inclusion in their VRF, of the form:
  - VPN-HUB IP address
  - Login
  - Secret key
- The customer configures the CPE; below, as an example, are two basic configuration options:
Cisco option:

 crypto ikev2 keyring BeelineIPsec_keyring
  peer Beeline_VPNHub
   ! Beeline VPN hub
   address 62.141.99.183
   pre-shared-key <Authentication password>
 !

For the static option, routes to the networks behind the VPN hub can be defined in the IKEv2 configuration and will appear as static routes in the CE routing table. The same settings can also be made with the standard method of configuring static routes (see below).

 crypto ikev2 authorization policy FlexClient-author
  ! Office local network
  route set remote ipv4 10.1.1.0 255.255.255.0
 !

The route to the networks behind the CE router is the prerequisite for static routing between CE and PE. The route is passed to the PE automatically when the tunnel comes up through the IKEv2 exchange.

 crypto ikev2 profile BeelineIPSec_profile
  ! identity type assumed to be fqdn, matching local-id-type fqdn in the Huawei option below
  identity local fqdn <login>
  authentication local pre-share
  authentication remote pre-share
  keyring local BeelineIPsec_keyring
  ! requires "aaa new-model" and "aaa authorization network group-author-list local" to be present
  aaa authorization group psk list group-author-list FlexClient-author
 !
 crypto ikev2 client flexvpn BeelineIPsec_flex
  peer 1 Beeline_VPNHub
  client connect Tunnel1
 !
 crypto ipsec transform-set TRANSFORM1 esp-aes 256 esp-sha256-hmac
  mode tunnel
 !
 crypto ipsec profile default
  set transform-set TRANSFORM1
  set ikev2-profile BeelineIPSec_profile
 !
 interface Tunnel1
  ! tunnel address (CE end of the /30)
  ip address 10.20.1.2 255.255.255.252
  ! Internet-facing interface
  tunnel source GigabitEthernet0/2
  tunnel mode ipsec ipv4
  tunnel destination dynamic
  tunnel protection ipsec profile default
 !

Routes to the customer's private networks reachable through the Beeline VPN concentrator can be set statically:

 ip route 172.16.0.0 255.255.0.0 Tunnel1
 ip route 192.168.0.0 255.255.255.0 Tunnel1

Huawei option (AR160/AR120):
 ike local-name <login>
 #
 acl name ipsec 3999
  # Office local network
  rule 1 permit ip source 10.1.1.0 0.0.0.255
 #
 aaa
  service-scheme IPSEC
   route set acl 3999
 #
 ipsec proposal ipsec
  esp authentication-algorithm sha2-256
  esp encryption-algorithm aes-256
 #
 ike proposal default
  encryption-algorithm aes-256
  # group2 is 1024-bit MODP; prefer group14 or stronger if the hub accepts it
  dh group2
  authentication-algorithm sha2-256
  authentication-method pre-share
  integrity-algorithm hmac-sha2-256
  prf hmac-sha2-256
 #
 ike peer ipsec
  pre-shared-key <Authentication password>
  local-id-type fqdn
  remote-id-type ip
  # Beeline VPN hub
  remote-address 62.141.99.183
  service-scheme IPSEC
  config-exchange request
  config-exchange set accept
  config-exchange set send
 #
 ipsec profile ipsecprof
  ike-peer ipsec
  proposal ipsec
 #
 interface Tunnel0/0/0
  # tunnel address (CE end of the /30)
  ip address 10.20.1.2 255.255.255.252
  tunnel-protocol ipsec
  # Internet-facing interface
  source GigabitEthernet0/0/1
  ipsec profile ipsecprof
 #

Routes to the customer's private networks reachable through the Beeline VPN concentrator can be set statically:

 ip route-static 192.168.0.0 255.255.255.0 Tunnel0/0/0
 ip route-static 172.16.0.0 255.255.0.0 Tunnel0/0/0
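The two vendor fragments above are filled in by hand from the same three values the manager hands out (hub address, login, secret key) plus the /30 and the office LANs from the request, so the Cisco and Huawei versions of one site can easily drift apart. The script below is an added example for this article, not Beeline's tooling: it takes those site parameters, checks them against a minimum policy (assumed thresholds: /30 tunnel subnet, pre-shared key of at least 20 characters, DH group 14 or better, AES-256 and SHA-256 only), and only then renders the matching Cisco and Huawei lines from one source of truth. The convention that the hub takes the first usable address of the /30 and the CE the second, the sample login and the sample key are assumptions made for illustration; the hub address is the one quoted in the article.

```python
"""Render the CE-side parameters handed out by the operator (hub address,
login, pre-shared key, /30 tunnel subnet, office LANs) into the Cisco and
Huawei CPE fragments shown above, after sanity-checking them.

Added example for this article, not Beeline's tooling. The minimum-policy
thresholds, the sample site values and the "hub takes the first usable
address of the /30" convention are assumptions made for illustration.
"""
import ipaddress
from dataclasses import dataclass

MIN_DH_GROUP = 14            # assumed policy: 2048-bit MODP or better
ALLOWED_CIPHERS = {"aes-256"}
ALLOWED_HASHES = {"sha2-256"}
MIN_PSK_LEN = 20             # assumed policy


@dataclass
class SiteParams:
    hub_ip: str            # VPN-HUB IP address from the manager's reply
    login: str             # IKE identity (fqdn) used as the login
    psk: str               # secret key
    tunnel_subnet: str     # point-to-point link, e.g. "10.20.1.0/30"
    office_lans: list      # networks behind the CE, e.g. ["10.1.1.0/24"]
    dh_group: int = 14
    cipher: str = "aes-256"
    hash_alg: str = "sha2-256"


def validate(p: SiteParams) -> list:
    """Return the list of problems found; an empty list means usable."""
    problems = []
    ipaddress.ip_address(p.hub_ip)                       # raises if malformed
    net = ipaddress.ip_network(p.tunnel_subnet, strict=True)
    if net.prefixlen != 30:
        problems.append(f"tunnel subnet {p.tunnel_subnet} is not a /30")
    if len(p.psk) < MIN_PSK_LEN:
        problems.append(f"pre-shared key shorter than {MIN_PSK_LEN} characters")
    if p.dh_group < MIN_DH_GROUP:
        problems.append(f"dh group{p.dh_group} is below group{MIN_DH_GROUP}")
    if p.cipher not in ALLOWED_CIPHERS:
        problems.append(f"cipher {p.cipher} is not allowed")
    if p.hash_alg not in ALLOWED_HASHES:
        problems.append(f"hash {p.hash_alg} is not allowed")
    for lan in p.office_lans:
        ipaddress.ip_network(lan, strict=True)           # host bits set -> error
    return problems


def tunnel_addresses(tunnel_subnet: str) -> tuple:
    """Assumed convention: hub = first usable address of the /30, CE = second."""
    hosts = list(ipaddress.ip_network(tunnel_subnet).hosts())
    return str(hosts[0]), str(hosts[1])


def wildcard(netmask: str) -> str:
    """Huawei ACL rules take inverse masks: 255.255.255.0 -> 0.0.0.255."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(netmask))))


def render_cisco(p: SiteParams) -> str:
    """Keyring, authorization policy routes and tunnel interface for IOS FlexVPN."""
    hub_addr, ce_addr = tunnel_addresses(p.tunnel_subnet)
    lines = ["crypto ikev2 keyring BeelineIPsec_keyring", " peer Beeline_VPNHub",
             f"  address {p.hub_ip}", f"  pre-shared-key {p.psk}", "!",
             "crypto ikev2 authorization policy FlexClient-author"]
    for lan in p.office_lans:
        n = ipaddress.ip_network(lan)
        lines.append(f" route set remote ipv4 {n.network_address} {n.netmask}")
    lines += ["!", "interface Tunnel1", f" ! hub end of the /30 is {hub_addr}",
              f" ip address {ce_addr} 255.255.255.252", " tunnel mode ipsec ipv4",
              " tunnel destination dynamic", " tunnel protection ipsec profile default"]
    return "\n".join(lines)


def render_huawei(p: SiteParams) -> str:
    """ACL, IKE proposal, IKE peer and tunnel interface for Huawei VRP."""
    hub_addr, ce_addr = tunnel_addresses(p.tunnel_subnet)
    lines = [f"ike local-name {p.login}", "#", "acl name ipsec 3999"]
    for i, lan in enumerate(p.office_lans, start=1):
        n = ipaddress.ip_network(lan)
        lines.append(f" rule {i} permit ip source {n.network_address} {wildcard(str(n.netmask))}")
    lines += ["#", "ike proposal default", f" encryption-algorithm {p.cipher}",
              f" dh group{p.dh_group}", f" authentication-algorithm {p.hash_alg}", "#",
              "ike peer ipsec", f" pre-shared-key {p.psk}", " local-id-type fqdn",
              f" remote-address {p.hub_ip}", "#",
              "interface Tunnel0/0/0", f" # hub end of the /30 is {hub_addr}",
              f" ip address {ce_addr} 255.255.255.252", " tunnel-protocol ipsec", "#"]
    return "\n".join(lines)


def build(p: SiteParams) -> dict:
    """Refuse to render anything if the parameters fail the policy check."""
    problems = validate(p)
    if problems:
        raise ValueError("; ".join(problems))
    return {"cisco": render_cisco(p), "huawei": render_huawei(p)}


if __name__ == "__main__":
    # Constructed sample site; the hub address is the one quoted in the article.
    site = SiteParams(hub_ip="62.141.99.183", login="office42.example.net",
                      psk="CHANGE-ME-to-a-long-random-secret",
                      tunnel_subnet="10.20.1.0/30", office_lans=["10.1.1.0/24"])
    for vendor, text in build(site).items():
        print(f"=== {vendor} ===\n{text}\n")
```

Run it as-is to see both fragments for the sample site; feeding it the Huawei option's `dh group2` makes `build()` refuse with "dh group2 is below group14", which is the check a practitioner would want before the key is typed into a CPE that will sit on the public Internet.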
The resulting connection scheme looks as follows:
If the customer has no basic configuration examples, we usually help prepare them and then make them available to everyone else.
All that remains is to connect the CPE to the Internet, ping the far end of the VPN channel and any host inside the VPN, and that's it: the connection can be considered established.
In the next article we will describe how we combined this scheme with IPSec and MultiSIM redundancy on Huawei CPE: we install our Huawei CPE, fitted with two SIM cards, at customers who cannot use a wired Internet channel, and the CPE automatically re-establishes the IPSec tunnel over the wired WAN or over radio (LTE#1/LTE#2), giving the resulting service high fault tolerance.
Special thanks to our RnD colleagues for helping prepare this article (and, in fact, for authoring the technical solutions)!
Source: www.habr.com