Configuring IPsec Site-to-Site VPN on Palo Alto Networks devices


This article continues the previous material on the specifics of configuring Palo Alto Networks devices. Here we want to talk about configuring an IPsec Site-to-Site VPN on Palo Alto Networks devices and about one way of connecting several internet providers.

For the demonstration, a topology connecting a head office with a branch will be used. To provide a fault-tolerant internet connection, the head office uses simultaneous connections to two providers: ISP-1 and ISP-2. The branch has a connection to only one provider, ISP-3. Two tunnels are built between the firewalls PA-1 and PA-2. The tunnels operate in Active-Standby mode: Tunnel-1 is active, and Tunnel-2 starts carrying traffic when Tunnel-1 fails. Tunnel-1 uses the connection to ISP-1, Tunnel-2 uses the connection to ISP-2. All IP addresses are randomly generated for the demonstration and have no relation to real ones.


To build the Site-to-Site VPN, IPsec will be used: a set of protocols for protecting data transmitted over IP. IPsec will operate with the ESP (Encapsulating Security Payload) security protocol, which provides confidentiality (encryption) and integrity of the transmitted data.

IPsec includes IKE (Internet Key Exchange), the protocol responsible for negotiating SAs (security associations), the sets of security parameters used to protect the transmitted data. PAN firewalls support IKEv1 and IKEv2.

In IKEv1 the VPN connection is established in two stages: IKEv1 Phase 1 (the IKE tunnel) and IKEv1 Phase 2 (the IPsec tunnel). Accordingly, two tunnels are created: the first is used to exchange control information between the firewalls, the second to carry user traffic. IKEv1 Phase 1 has two modes of operation: main mode and aggressive mode. Aggressive mode uses fewer messages and is faster, but does not support Peer Identity Protection. With pre-shared keys, aggressive mode also transmits the identities and a PSK-derived hash unencrypted, so an eavesdropper can attack a weak PSK offline; prefer main mode, or IKEv2.

IKEv2 replaces IKEv1; compared with IKEv1, its main advantages are lower bandwidth requirements and faster SA negotiation. IKEv2 uses fewer messages (4 in total), supports the EAP and MOBIKE protocols, and adds a mechanism for checking the availability of the peer the tunnel is built to, the Liveness Check, which replaces Dead Peer Detection in IKEv1. If the check fails, IKEv2 can tear the tunnel down and re-establish it as soon as the peer becomes available again. You can read more about the differences here.

If the tunnel is built between firewalls from different vendors, there may be bugs in the IKEv2 implementation, and for compatibility with such devices IKEv1 can be used. In other cases it is better to use IKEv2.

Configuration:

• Configuring two internet providers in Active/Standby mode

There are several ways to accomplish this task. One of them is the Path Monitoring mechanism, available since PAN-OS version 8.0.0. This example uses version 8.0.16. It is similar to IP SLA on Cisco routers. In the parameters of the static default route, the firewall is configured to send ping packets to a specific IP address from a specific source address. In this case, the ethernet1/1 interface pings the default gateway once per second. If there is no reply to three consecutive pings, the route is considered down and is removed from the routing table. The same route is configured for the second internet provider, but with a higher metric (it is the backup). Once the first route is removed from the table, the firewall starts sending traffic through the second route: Fail-Over. When the first provider starts answering pings again, its route returns to the table and displaces the second one because of its better metric: Fail-Back. Fail-Over takes several seconds depending on the configured timers, but in any case it is not instantaneous, and traffic is lost during that time. Fail-Back proceeds without traffic loss. Fail-Over can be made faster with BFD, if the internet provider supports it. BFD is supported starting from the PA-3000 Series and VM-100 models. It is better to specify not the provider's gateway as the ping address but a public address that is always reachable on the internet: the gateway may keep answering while the provider's upstream is down.
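The same two default routes expressed as PAN-OS CLI set commands, as an added example that is not part of the original article. It goes one step beyond the text: each route probes two public targets with failure condition "all", so the loss of a single probe target does not withdraw both default routes. The interface for ISP-2 (ethernet1/2), the route and probe names, the documentation-range addresses and the probe targets are assumptions; the path-monitor syntax is PAN-OS 8.0 as the editor knows it and should be compared with the output of show on the version in use before commit.

```text
# PA-1, configure mode. Primary default route via ISP-1 on ethernet1/1, metric 10
set network virtual-router default routing-table ip static-route DEF-ISP1 destination 0.0.0.0/0
set network virtual-router default routing-table ip static-route DEF-ISP1 interface ethernet1/1
set network virtual-router default routing-table ip static-route DEF-ISP1 nexthop ip-address 198.51.100.1
set network virtual-router default routing-table ip static-route DEF-ISP1 metric 10
# Path Monitoring: withdraw the route only when ALL probe targets fail;
# hold-time 2 = wait 2 minutes of good probes before reinstalling it (Fail-Back)
set network virtual-router default routing-table ip static-route DEF-ISP1 path-monitor enable yes
set network virtual-router default routing-table ip static-route DEF-ISP1 path-monitor failure-condition all
set network virtual-router default routing-table ip static-route DEF-ISP1 path-monitor hold-time 2
# Probe public addresses (assumed targets), not the ISP gateway: 1 ping/s, 3 misses = target down
set network virtual-router default routing-table ip static-route DEF-ISP1 path-monitor monitor-destinations PROBE1-A enable yes
set network virtual-router default routing-table ip static-route DEF-ISP1 path-monitor monitor-destinations PROBE1-A source 198.51.100.2/24
set network virtual-router default routing-table ip static-route DEF-ISP1 path-monitor monitor-destinations PROBE1-A destination 1.1.1.1
set network virtual-router default routing-table ip static-route DEF-ISP1 path-monitor monitor-destinations PROBE1-A interval 1
set network virtual-router default routing-table ip static-route DEF-ISP1 path-monitor monitor-destinations PROBE1-A count 3
set network virtual-router default routing-table ip static-route DEF-ISP1 path-monitor monitor-destinations PROBE1-B enable yes
set network virtual-router default routing-table ip static-route DEF-ISP1 path-monitor monitor-destinations PROBE1-B source 198.51.100.2/24
set network virtual-router default routing-table ip static-route DEF-ISP1 path-monitor monitor-destinations PROBE1-B destination 9.9.9.9
set network virtual-router default routing-table ip static-route DEF-ISP1 path-monitor monitor-destinations PROBE1-B interval 1
set network virtual-router default routing-table ip static-route DEF-ISP1 path-monitor monitor-destinations PROBE1-B count 3

# Backup default route via ISP-2 on ethernet1/2 (assumed), metric 20, same probe logic
set network virtual-router default routing-table ip static-route DEF-ISP2 destination 0.0.0.0/0
set network virtual-router default routing-table ip static-route DEF-ISP2 interface ethernet1/2
set network virtual-router default routing-table ip static-route DEF-ISP2 nexthop ip-address 203.0.113.1
set network virtual-router default routing-table ip static-route DEF-ISP2 metric 20
set network virtual-router default routing-table ip static-route DEF-ISP2 path-monitor enable yes
set network virtual-router default routing-table ip static-route DEF-ISP2 path-monitor failure-condition all
set network virtual-router default routing-table ip static-route DEF-ISP2 path-monitor hold-time 2
set network virtual-router default routing-table ip static-route DEF-ISP2 path-monitor monitor-destinations PROBE2-A enable yes
set network virtual-router default routing-table ip static-route DEF-ISP2 path-monitor monitor-destinations PROBE2-A source 203.0.113.2/24
set network virtual-router default routing-table ip static-route DEF-ISP2 path-monitor monitor-destinations PROBE2-A destination 1.1.1.1
set network virtual-router default routing-table ip static-route DEF-ISP2 path-monitor monitor-destinations PROBE2-A interval 1
set network virtual-router default routing-table ip static-route DEF-ISP2 path-monitor monitor-destinations PROBE2-A count 3
set network virtual-router default routing-table ip static-route DEF-ISP2 path-monitor monitor-destinations PROBE2-B enable yes
set network virtual-router default routing-table ip static-route DEF-ISP2 path-monitor monitor-destinations PROBE2-B source 203.0.113.2/24
set network virtual-router default routing-table ip static-route DEF-ISP2 path-monitor monitor-destinations PROBE2-B destination 9.9.9.9
set network virtual-router default routing-table ip static-route DEF-ISP2 path-monitor monitor-destinations PROBE2-B interval 1
set network virtual-router default routing-table ip static-route DEF-ISP2 path-monitor monitor-destinations PROBE2-B count 3
commit

# Operational mode: which default route is installed, and the state of each probe
show routing route type static
show routing path-monitor
```

The probe for each route leaves through that route's own interface, so the same two public targets can be reused for both providers. With "failure-condition any" (the article's single-target setup) one unreachable target is enough to withdraw the route; with two targets and "all", both must fail, which protects against a probe target being down while the provider is healthy.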


• Creating tunnel interfaces

Traffic inside the tunnel is carried through dedicated virtual interfaces. Each of them must be assigned an IP address from a transit network. In this example, subnet 172.16.1.0/30 is used for Tunnel-1 and subnet 172.16.2.0/30 for Tunnel-2.
Tunnel interfaces are created under Network -> Interfaces -> Tunnel. You must specify the virtual router and the security zone, as well as an IP address from the transit network. The interface number can be anything.


In the Advanced section, a Management Profile can be specified that allows ping on the given interface; this can be useful for testing.


• Configuring the IKE Crypto Profile

The IKE Crypto Profile is responsible for the first stage of establishing the VPN connection; the parameters of the IKE Phase 1 tunnel are described here. The profile is created under Network -> Network Profiles -> IKE Crypto. You must specify the encryption algorithm, the hashing algorithm, the Diffie-Hellman group and the key lifetime. In general, the stronger the algorithms, the lower the throughput; they should be chosen according to the security requirements. However, it is not advisable to use a Diffie-Hellman group below 14 to protect data. This is due to weaknesses of the protocol with small moduli (1024 bits and below are within reach of precomputation attacks), which are mitigated by using a modulus size of 2048 bits and above (group 14), or elliptic-curve groups 19, 20 and 21. Group 24 is also a 2048-bit MODP group with a 256-bit prime-order subgroup, not an elliptic-curve group. The elliptic-curve groups offer better performance than the older MODP groups at comparable strength. Read more here and here.
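Two IKE crypto profiles in PAN-OS CLI, a legacy one that should not be used for new tunnels and a hardened one, as an added example that is not part of the original article. The profile names are assumptions; the keywords are PAN-OS 8.0 syntax as the editor knows it and should be compared with the output of show on the version in use before commit.

```text
# Configure mode. Weak Phase 1 profile: 3DES, SHA-1, DH group 2 (1024-bit MODP), 24 h lifetime.
# Kept here only to show what to look for in an existing configuration.
set network ike crypto-profiles ike-crypto-profiles IKE-LEGACY encryption 3des
set network ike crypto-profiles ike-crypto-profiles IKE-LEGACY hash sha1
set network ike crypto-profiles ike-crypto-profiles IKE-LEGACY dh-group group2
set network ike crypto-profiles ike-crypto-profiles IKE-LEGACY lifetime hours 24

# Hardened Phase 1 profile: AES-256, SHA-256, DH group 14 (2048-bit MODP) plus the
# elliptic-curve groups 19 and 20 so a peer may pick either family; 8 h lifetime
set network ike crypto-profiles ike-crypto-profiles IKE-P1 encryption aes-256-cbc
set network ike crypto-profiles ike-crypto-profiles IKE-P1 hash sha256
set network ike crypto-profiles ike-crypto-profiles IKE-P1 dh-group [ group14 group19 group20 ]
set network ike crypto-profiles ike-crypto-profiles IKE-P1 lifetime hours 8

# Review both profiles before committing; remove IKE-LEGACY once no gateway references it
show network ike crypto-profiles ike-crypto-profiles
delete network ike crypto-profiles ike-crypto-profiles IKE-LEGACY
commit

# Operational mode after the tunnel comes up: confirm which algorithms were actually negotiated
show vpn ike-sa
```

Listing several DH groups in one profile is an offer, not an enforcement: the peer chooses one of them, so the weakest group listed is the one an attacker can count on. Do not mix group 2 or group 5 into a hardened profile for compatibility; create a separate profile for the legacy peer instead.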


• Configuring the IPsec Crypto Profile

The second stage of establishing the VPN connection is the IPsec tunnel. Its SA parameters are configured under Network -> Network Profiles -> IPSec Crypto Profile. Here you specify the IPsec protocol, AH or ESP, and the SA parameters: hashing algorithm, encryption, Diffie-Hellman group and lifetime. Note that AH provides integrity only and does not encrypt, so for confidentiality choose ESP. The Diffie-Hellman group here enables Perfect Forward Secrecy: a fresh key exchange for each Phase 2 SA, so that the compromise of the Phase 1 keys does not expose the data keys. The SA parameters in the IKE Crypto Profile and the IPsec Crypto Profile do not have to be the same, but they must match the peer's Phase 2 settings.


• Configuring the IKE Gateway

The IKE Gateway is the object that represents the router or firewall with which the VPN tunnel is built. A separate IKE Gateway must be created for each tunnel. In this case two tunnels are created, one through each internet provider. The outgoing interface and its IP address, the peer's IP address and the pre-shared key are specified. Certificates can be used as an alternative to the pre-shared key.


The previously created IKE Crypto Profile is specified here. The parameters of the second IKE Gateway object are the same except for the IP addresses. If the Palo Alto Networks firewall is behind a NAT router, the NAT Traversal mechanism must be enabled; it encapsulates ESP in UDP port 4500 so the traffic survives address translation.


• Configuring the IPsec Tunnel

The IPsec Tunnel is the object that, as the name suggests, defines the parameters of the IPsec tunnel. Here you specify the tunnel interface and the previously created objects: the IKE Gateway and the IPsec Crypto Profile. To make sure traffic is switched to the backup tunnel, Tunnel Monitor must be enabled. This mechanism checks whether the peer is alive using ICMP traffic. As the destination address, specify the IP address of the tunnel interface on the peer to which the tunnel is built. The monitor profile sets the timers and the action to take when connectivity is lost: Wait Recover, wait until the connection is restored; Fail Over, send traffic along another route if one exists. The second tunnel is configured in exactly the same way, with the second tunnel interface and the second IKE Gateway specified.


• Configuring routing

This example uses static routing. On the PA-1 firewall, in addition to the two default routes, two routes to the branch subnet 10.10.10.0/24 must be defined. One route uses Tunnel-1, the other Tunnel-2. The route through Tunnel-1 is the primary one because it has the lower metric. Path Monitoring is not used on these routes; switching between them is handled by Tunnel Monitor.


The same routes, for the subnet 192.168.30.0/24, must be configured on PA-2.


• Configuring security policy rules

For the tunnel to work, three rules are needed:

  1. For Path Monitor to work, allow ICMP on the external interface.
  2. For IPsec, allow the applications ike and ipsec-esp on the external interface (plus ipsec-esp-udp when NAT Traversal is in use); the destination of these rules is the firewall's own external address, since IKE and ESP terminate on the firewall.
  3. Allow traffic between the internal subnets of both sites through the zone of the tunnel interfaces.


Conclusion

This article has described one way of building a fault-tolerant internet connection together with a Site-to-Site VPN. We hope the information was useful and that the reader has gained an understanding of the technologies used in Palo Alto Networks. If you have questions about the configuration or suggestions for topics of future articles, write them in the comments; we will be glad to answer.

Source: www.habr.com
