VMware NSX for beginners. Part 6: Setting up a VPN


Part one. Introduction
Part two. Configuring firewall and NAT rules
Part three. Configuring DHCP
Part four. Configuring routing
Part five. Configuring the load balancer

Today we'll look at the VPN configuration options that NSX Edge offers.

Broadly, VPN technologies can be divided into two main types:

  • Site-to-site VPN. Most often IPsec is used to build a secure tunnel, for example between the main office network and a network at a remote site or in the cloud.
  • Remote access VPN. Used to connect individual users to a company's private networks with VPN client software.

NSX Edge lets us use both options.
We'll configure them on a test bench with two NSX Edges, a Linux server with the racoon daemon installed, and a Windows laptop for testing the Remote Access VPN.

IPsec

  1. In the vCloud Director interface, go to the Administration section and select the vDC. On the Edge Gateways tab, select the Edge we need, right-click it and choose Edge Gateway Services.

  2. In the NSX Edge interface, go to the VPN -> IPsec VPN tab, then to the IPsec VPN Sites section, and click + to add a new site.

  3. Fill in the required fields:
    • Enabled - enables the remote site.
    • PFS (Perfect Forward Secrecy) - ensures that each new cryptographic key is not derived from any previous key.
    • Local ID and Local Endpoint - the external address of the NSX Edge.
    • Local Subnets - the local networks that will use the IPsec VPN.
    • Peer ID and Peer Endpoint - the address of the remote site.
    • Peer Subnets - the networks on the remote side that will use the IPsec VPN.
    • Encryption Algorithm - the encryption algorithm for the tunnel.
    • Authentication - how we authenticate the peer. A Pre-Shared Key or a certificate can be used.
    • Pre-Shared Key - the key that will be used for authentication; it must match on both sides.
    • Diffie-Hellman Group - the key exchange algorithm.

    After filling in the required fields, click Keep.

  4. Done.

  5. After adding the site, go to the Activation Status tab and enable the IPsec Service.

  6. Once the settings have been applied, go to the Statistics -> IPsec VPN tab and check the tunnel status. We can see that the tunnel is up.

  7. Check the status from the Edge Gateway console:
    • show service ipsec - shows the service status.
    • show service ipsec site - detailed information about the site status and the negotiated parameters.
    • show service ipsec sa - shows the Security Association (SA) status.

  8. Checking connectivity with the remote site:
    root@racoon:~# ifconfig eth0:1 | grep inet
            inet 10.255.255.1  netmask 255.255.255.0  broadcast 0.0.0.0
    
    root@racoon:~# ping -c1 -I 10.255.255.1 192.168.0.10 
    PING 192.168.0.10 (192.168.0.10) from 10.255.255.1 : 56(84) bytes of data.
    64 bytes from 192.168.0.10: icmp_seq=1 ttl=63 time=59.9 ms
    
    --- 192.168.0.10 ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 0ms
    rtt min/avg/max/mdev = 59.941/59.941/59.941/0.000 ms
    

    Configuration files and additional check commands from the remote Linux server:

    root@racoon:~# cat /etc/racoon/racoon.conf 
    
    log debug;
    path pre_shared_key "/etc/racoon/psk.txt";
    path certificate "/etc/racoon/certs";
    
    listen {
            isakmp 80.211.43.73 [500];
            strict_address;
    }
    
    remote 185.148.83.16 {
            exchange_mode main,aggressive;
            proposal {
                    encryption_algorithm aes256;
                    hash_algorithm sha1;
                    authentication_method pre_shared_key;
                    dh_group modp1536;
            }
            generate_policy on;
    }
    
    sainfo address 10.255.255.0/24 any address 192.168.0.0/24 any {
            encryption_algorithm aes256;
            authentication_algorithm hmac_sha1;
            compression_algorithm deflate;
    }
    
    ===
    
    root@racoon:~# cat /etc/racoon/psk.txt
    185.148.83.16 testkey
    
    ===
    
    root@racoon:~# cat /etc/ipsec-tools.conf 
    #!/usr/sbin/setkey -f
    
    flush;
    spdflush;
    
    spdadd 192.168.0.0/24 10.255.255.0/24 any -P in ipsec
          esp/tunnel/185.148.83.16-80.211.43.73/require;
    
    spdadd 10.255.255.0/24 192.168.0.0/24 any -P out ipsec
          esp/tunnel/80.211.43.73-185.148.83.16/require;
    
    ===
    
    
    root@racoon:~# racoonctl show-sa isakmp
    Destination            Cookies                           Created
    185.148.83.16.500      2088977aceb1b512:a4c470cb8f9d57e9 2019-05-22 13:46:13 
    
    ===
    
    root@racoon:~# racoonctl show-sa esp
    80.211.43.73 185.148.83.16 
            esp mode=tunnel spi=1646662778(0x6226147a) reqid=0(0x00000000)
            E: aes-cbc  00064df4 454d14bc 9444b428 00e2296e c7bb1e03 06937597 1e522ce0 641e704d
            A: hmac-sha1  aa9e7cd7 51653621 67b3b2e9 64818de5 df848792
            seq=0x00000000 replay=4 flags=0x00000000 state=mature 
            created: May 22 13:46:13 2019   current: May 22 14:07:43 2019
            diff: 1290(s)   hard: 3600(s)   soft: 2880(s)
            last: May 22 13:46:13 2019      hard: 0(s)      soft: 0(s)
            current: 72240(bytes)   hard: 0(bytes)  soft: 0(bytes)
            allocated: 860  hard: 0 soft: 0
            sadb_seq=1 pid=7739 refcnt=0
    185.148.83.16 80.211.43.73 
            esp mode=tunnel spi=88535449(0x0546f199) reqid=0(0x00000000)
            E: aes-cbc  c812505a 9c30515e 9edc8c4a b3393125 ade4c320 9bde04f0 94e7ba9d 28e61044
            A: hmac-sha1  cd9d6f6e 06dbcd6d da4d14f8 6d1a6239 38589878
            seq=0x00000000 replay=4 flags=0x00000000 state=mature 
            created: May 22 13:46:13 2019   current: May 22 14:07:43 2019
            diff: 1290(s)   hard: 3600(s)   soft: 2880(s)
            last: May 22 13:46:13 2019      hard: 0(s)      soft: 0(s)
            current: 72240(bytes)   hard: 0(bytes)  soft: 0(bytes)
            allocated: 860  hard: 0 soft: 0
            sadb_seq=0 pid=7739 refcnt=0

  9. Everything is ready: the site-to-site IPsec VPN is working.

    In this example we used a PSK to authenticate the peer, but certificate authentication is also possible. To use it, go to the Global Configuration tab, enable certificate authentication and select the certificate itself.

    In addition, the authentication method has to be changed in the site settings.

    Note that the number of IPsec tunnels depends on the size of the deployed Edge Gateway (see our first article for details).
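As an added example that is not part of the original article, the helper below turns the fields of the NSX IPsec VPN Site form into the matching racoon.conf and setkey policy lines for the Linux side, so both ends are built from one description and the subnet/endpoint pairs cannot be swapped by hand. It keeps the article's cipher, hash and DH group but proposes main mode only (aggressive mode with a PSK exposes the authentication hash to offline guessing) and adds a pfs_group whenever PFS is ticked on the NSX site; the class and function names are my own.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
# NSX form values -> racoon spellings (DH group number, cipher name).
DH_GROUPS = {2: "modp1024", 5: "modp1536", 14: "modp2048"}
CIPHERS = {"AES": "aes", "AES256": "aes256", "3DES": "3des"}

@dataclass
class IpsecSite:
    # Seen from the racoon (remote) side; on the NSX site form the same values appear
    # swapped: NSX Local Endpoint/Subnets are our peer_* fields and vice versa.
    local_endpoint: str
    local_subnets: list[str]
    peer_endpoint: str
    peer_subnets: list[str]
    encryption: str = "AES256"
    dh_group: int = 5
    pfs: bool = True

    def __post_init__(self) -> None:
        # Fail early on typos: bad addresses or host bits in a subnet raise ValueError.
        ip_address(self.local_endpoint)
        ip_address(self.peer_endpoint)
        self.local_subnets = [str(ip_network(n)) for n in self.local_subnets]
        self.peer_subnets = [str(ip_network(n)) for n in self.peer_subnets]
        if self.dh_group not in DH_GROUPS or self.encryption not in CIPHERS:
            raise ValueError("unsupported DH group or cipher")

def racoon_conf(site: IpsecSite) -> str:
    """Phase 1 'remote' block plus one 'sainfo' block per subnet pair."""
    cipher, dh = CIPHERS[site.encryption], DH_GROUPS[site.dh_group]
    out = [f"remote {site.peer_endpoint} {{", "\texchange_mode main;", "\tproposal {",
           f"\t\tencryption_algorithm {cipher};", "\t\thash_algorithm sha1;",
           "\t\tauthentication_method pre_shared_key;", f"\t\tdh_group {dh};",
           "\t}", "\tgenerate_policy on;", "}"]
    # With PFS enabled on the NSX site, phase 2 must carry a pfs_group as well.
    pfs_line = [f"\tpfs_group {dh};"] if site.pfs else []
    for local in site.local_subnets:
        for peer in site.peer_subnets:
            out += [f"sainfo address {local} any address {peer} any {{",
                    f"\tencryption_algorithm {cipher};",
                    "\tauthentication_algorithm hmac_sha1;", *pfs_line, "}"]
    return "\n".join(out) + "\n"

def setkey_spd(site: IpsecSite) -> str:
    """setkey -f policies: an 'in' and an 'out' rule per subnet pair."""
    rules = ["flush;", "spdflush;"]
    for local in site.local_subnets:
        for peer in site.peer_subnets:
            for d, src, dst, a, b in (("in", peer, local, site.peer_endpoint, site.local_endpoint),
                                      ("out", local, peer, site.local_endpoint, site.peer_endpoint)):
                rules.append(f"spdadd {src} {dst} any -P {d} ipsec esp/tunnel/{a}-{b}/require;")
    return "\n".join(rules) + "\n"

# Endpoint and subnet values are the ones from the article's test bench.
SITE = IpsecSite("80.211.43.73", ["10.255.255.0/24"], "185.148.83.16", ["192.168.0.0/24"])
```

Write racoon_conf(SITE) to /etc/racoon/racoon.conf and setkey_spd(SITE) to /etc/ipsec-tools.conf, then compare show service ipsec site on the Edge with racoonctl show-sa esp on the server.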


SSL VPN

SSL VPN-Plus is one of the remote access VPN options. It allows remote users to connect securely to private networks behind the NSX Edge Gateway. The encrypted SSL VPN-Plus tunnel is established between the client (Windows, Linux, Mac) and the NSX Edge.

  1. Let's start the configuration. In the Edge Gateway services control panel, go to the SSL VPN-Plus tab, then to Server Settings. Select the address and port on which the server will listen for incoming connections, enable logging and select the required encryption algorithms.

    Here you can also change the certificate that the server will use.

  2. When everything is set, enable the server and don't forget to save the settings.

  3. Next we need to set up a pool of addresses that will be issued to clients when they connect. This network is separate from any existing subnet in your NSX environment and does not need to be configured on other devices in the physical network, apart from the routes that point to it.

    Go to the IP Pools tab and click +.

  4. Specify the address range, subnet mask and gateway. Here you can also change the DNS and WINS server settings.

  5. The resulting pool.

  6. Now let's add the networks that users connected over the VPN will be able to reach. Go to the Private Networks tab and click +.

  7. Fill in:
    • Network - the local network that remote users will have access to.
    • Send traffic, which has two options:
      - over tunnel - send traffic to the network through the tunnel,
      - bypass tunnel - send traffic to the network bypassing the tunnel.
    • Enable TCP Optimization - tick it if you chose the over tunnel option. When optimization is enabled, you can specify the port numbers whose traffic should be optimized. Traffic to the remaining ports on that network will not be optimized. If no port numbers are specified, traffic on all ports is optimized. Read more about this feature here.

  8. Next, go to the Authentication tab and click +. For authentication we'll use the local server on the NSX Edge itself.

  9. Here we can choose a policy for generating new passwords and configure the options for locking user accounts (for example, the number of retries allowed when the password is entered incorrectly).

  10. Since we're using local authentication, we need to create users.

  11. Besides the basics such as the name and password, here you can, for example, forbid the user to change the password or, conversely, force a password change at the next login.

  12. Once all the required users have been added, go to the Installation Packages tab, click + and create the installer that the remote employee will download to install the client.

  13. Click +. Select the address and port of the server the client will connect to, and the platforms for which you want to build the installation package.

    At the bottom of this window you can specify the settings of the Windows client. Select:

    • start client on logon - the VPN client will be added to startup on the remote machine;
    • create desktop icon - creates a VPN client icon on the desktop;
    • server security certificate validation - the server certificate will be validated on connection.

    The server-side setup is complete.

  14. Now let's download the installation package we created in the previous step to the remote PC. When configuring the server, we specified its external address (185.148.83.16) and port (445). This is the address we need to open in a browser. In my case it is 185.148.83.16:445.

    In the authorization window, enter the credentials of the user we created earlier.

  15. After authorization, we see the list of packages created for download. We created only one, so we download it.

  16. Click the link and the client download starts.

  17. Unpack the downloaded archive and run the installer.

  18. After installation, launch the client and click Login in the authorization window.

  19. In the certificate verification window, select Yes.

  20. Enter the credentials of the previously created user and see that the connection was established successfully.

  21. Check the VPN client statistics on the local computer.

  22. In the Windows command line (ipconfig /all), we can see that an additional adapter has appeared and there is connectivity to the remote network; everything works:

  23. And finally, a check from the Edge Gateway console.


L2 VPN

L2VPN is needed when you want to combine several geographically distributed networks into one broadcast domain.

This can be useful, for example, when migrating virtual machines: when a VM moves to another site, it keeps its IP addressing and does not lose connectivity with the other machines in the same L2 domain.

In our test environment we'll connect two sites to each other; let's call them A and B. Accordingly, we have two NSX Edges and two identically created networks attached to different Edges. Machine A has the address 10.10.10.250/24, machine B has the address 10.10.10.2/24.

  1. In vCloud Director, go to the Administration tab, open the VDC we need, go to the Org VDC Networks tab and add two new networks.

  2. Select the routed network type and bind this network to our NSX. Tick the Create as subinterface checkbox.

  3. As a result, we should have two networks. In our example they are called network-a and network-b, with the same gateway settings and mask.

  4. Now let's move on to the settings of the first NSX. This is the NSX that network A is connected to. It will act as the server.

    Return to the NSX Edge interface and go to the VPN -> L2VPN tab. Enable L2VPN, select the Server operating mode, and in the Server Global settings specify the external IP address of the NSX on which the tunnel port will listen. By default the socket is opened on port 443, but this can be changed. Don't forget to select the encryption settings for the future tunnel.

  5. Go to the Server Sites tab and add a peer.

  6. Enable the peer, set a name, a description if needed, and a username and password. We'll need these later when configuring the client site.

    In Egress Optimization Gateway Address we set the gateway address. This is required to avoid IP address conflicts, since the gateway of our networks has the same address on both sides. Then click the SELECT SUB-INTERFACES button.

  7. Here we select the subinterface we need. Save the settings.

  8. We can see that the newly created client site has appeared in the settings.

  9. Now let's move on to configuring the NSX on the client side.

    Go to the NSX on side B, go to VPN -> L2VPN, enable L2VPN, and set the L2VPN mode to Client. On the Client Global tab, enter the address and port of NSX A, which we previously specified as the Listening IP and Port on the server side. The same encryption settings must also be set so that they match when the tunnel is brought up.

    Scroll down and select the internal interface through which the L2VPN tunnel will be built. In Egress Optimization Gateway Address we set the gateway address. Set the user id and password. Select the subinterface and don't forget to save the settings.

  10. That's basically it. The settings on the client and server sides are identical, apart from a few nuances.

  11. Now we can verify that our tunnel is working by going to Statistics -> L2VPN on either NSX.

  12. If we go to the console of either Edge Gateway, we'll see the addresses of both VMs in the arp table on each of them.

That's all about VPN on NSX Edge. Ask if anything is unclear. This is also the last part of the series of articles on working with NSX Edge. We hope they were useful :)

Source: www.habr.com
