How to get into Beeline IPVPN via IPSec. Part 1

Hello! In the previous post I described how our MultiSIM service works in terms of redundancy and channel balancing. As mentioned there, we connect clients to the network over VPN, and today I will say a little more about VPN and what we can offer in this area.

It is worth starting with the fact that we, as a telecom operator, have our own huge MPLS network, which for fixed-line clients is divided into two main segments: the one used directly for Internet access, and the one used to build isolated networks. It is through this second MPLS segment that the IPVPN (L3 OSI) and VPLAN (L2 OSI) traffic of our corporate clients flows.

Usually a client is connected as follows.

An access line is installed to the client's office from the nearest point of presence of the network (a MEN node, RRL, BSSS, FTTB, etc.), and the channel is then registered across the transport network to the corresponding PE-MPLS router, where we terminate it into a VRF created specifically for that client, taking into account the traffic profile the client requires (profile labels are assigned per access port based on ip precedence values 0, 1, 3, 5).

If for some reason we cannot fully organize the last mile to the client (for example, the client's office is in a business center where another provider has priority, or we simply have no point of presence nearby), then previously the client had to either build several IPVPN networks with different providers (not the most cost-effective architecture) or solve on their own the problem of reaching their VRF over the Internet.

Many did this by building an IPVPN Internet gateway: they installed a border router (hardware or some Linux-based solution), connected the IPVPN channel to one of its ports and the Internet channel to another, ran their own VPN server on it, and connected users through that VPN gateway. Naturally, such a scheme also creates a burden: the infrastructure has to be built and, most unpleasantly, operated and developed.

To make life easier for our clients, we installed a centralized VPN hub and organized support for connecting over the Internet using IPSec. That is, a client only needs to configure their router to work with our VPN hub through an IPSec tunnel over any public Internet connection, and we release that client's traffic into its VRF.

Who needs this

  • Those who already have a large IPVPN network and need new connections on short notice.
  • Anyone who, for whatever reason, wants to move part of their traffic from the public Internet into IPVPN but has previously run into the technical limitations of several service providers.
  • Those who currently have several disparate VPN networks with different telecom operators. There are clients who have successfully organized IPVPN from Beeline, Megafon, Rostelecom and others. To simplify, you can stay on our single VPN only, switch all the other operators' channels to plain Internet, and then connect to Beeline IPVPN via IPSec over the Internet from those operators.
  • Those who already have an IPVPN network overlaid on the Internet.

If you move everything to us, the client gets full VPN support, serious infrastructure redundancy, and standard settings that work on any router they are used to (Cisco or even Mikrotik; the main thing is that it correctly supports IPSec/IKEv2 with standard authentication methods). As for IPSec: right now it is the only protocol we support, but we plan to launch full support for both OpenVPN and Wireguard, so that clients do not depend on a single protocol and it is even easier to pick everything up and move it to us, and we also want to start connecting clients from computers and mobile devices (the solutions built into the OS, Cisco AnyConnect, strongSwan and the like). With this approach the infrastructure build-out can, in effect, be safely handed to the operator, leaving the client with only the configuration of the CPE or the host.

How the connection process works in IPSec mode:

  1. The client submits a request to their account manager, stating the required connection speed, the traffic profile, the IP addressing parameters of the tunnel (by default a subnet with a /30 mask) and the routing type (static or BGP). To deliver the routes of the client's local networks in the connected office, either the IKEv2 mechanisms of the IPSec protocol suite are used, with the corresponding settings on the client router, or the routes are announced over BGP into MPLS from the private BGP AS specified in the client's request. In either case, the information about the client's network routes is fully controlled by the client through the client router's configuration.
  2. In reply, the client receives from the manager the account data for connecting to their VRF, of the form:
    • VPN-HUB IP address
    • Login
    • Authentication password
  3. The client configures the CPE; below, as an example, are two basic configuration options:

    Cisco option:
    crypto ikev2 keyring BeelineIPsec_keyring
     peer Beeline_VPNHub
      ! VPN hub Beeline
      address 62.141.99.183
      pre-shared-key <Authentication password>
    !
    For the static routing option, the routes to the networks reachable through the VPN hub can be specified in the IKEv2 configuration, and they then automatically appear as static routes in the CE routing table. The same settings can also be made with ordinary static routes (see below).

    crypto ikev2 authorization policy FlexClient-author

    The route to the network behind the CE router is a mandatory setting for static routing between CE and PE. The route data is passed to the PE automatically when the tunnel is established through the IKEv2 exchange.

     ! Local office network
     route set remote ipv4 10.1.1.0 255.255.255.0
    !
    ! The next two lines are not on the original page; they are added here because the
    ! "aaa authorization group psk list" command below references the method list
    ! group-author-list, which must exist for the profile to be accepted.
    aaa new-model
    aaa authorization network group-author-list local
    !
    crypto ikev2 profile BeelineIPSec_profile
     ! IOS requires an identity type; the page shows only "identity local <login>",
     ! so "fqdn" is assumed here to match the Huawei example (local-id-type fqdn).
     identity local fqdn <login>
     ! Added: an IKEv2 profile needs at least one match statement; the hub address is the one the page gives.
     match identity remote address 62.141.99.183 255.255.255.255
     authentication local pre-share
     authentication remote pre-share
     keyring local BeelineIPsec_keyring
     aaa authorization group psk list group-author-list FlexClient-author
    !
    crypto ikev2 client flexvpn BeelineIPsec_flex
     peer 1 Beeline_VPNHub
     client connect Tunnel1
    !
    crypto ipsec transform-set TRANSFORM1 esp-aes 256 esp-sha256-hmac
     mode tunnel
    !
    crypto ipsec profile default
     set transform-set TRANSFORM1
     set ikev2-profile BeelineIPSec_profile
    !
    interface Tunnel1
     ! Tunnel address (client side of the /30 issued with the account data)
     ip address 10.20.1.2 255.255.255.252
     ! Internet access interface
     tunnel source GigabitEthernet0/2
     tunnel mode ipsec ipv4
     tunnel destination dynamic
     tunnel protection ipsec profile default
    !
    Routes to the client's private networks reachable through the Beeline VPN concentrator can be set statically:

    ip route 172.16.0.0 255.255.0.0 Tunnel1
    ip route 192.168.0.0 255.255.255.0 Tunnel1

    Huawei option (AR160/AR120):
    ike local-name <login>
    #
    acl name ipsec 3999
    # Local office network
     rule 1 permit ip source 10.1.1.0 0.0.0.255
    #
    aaa
     service-scheme IPSEC
      route set acl 3999
    #
    ipsec proposal ipsec
     esp authentication-algorithm sha2-256
     esp encryption-algorithm aes-256
    #
    ike proposal default
     encryption-algorithm aes-256
    # group2 is 1024-bit MODP and is weak by current standards; prefer group14 or
    # stronger if the hub side negotiates it.
     dh group2
     authentication-algorithm sha2-256
     authentication-method pre-share
     integrity-algorithm hmac-sha2-256
     prf hmac-sha2-256
    #
    ike peer ipsec
    # "simple" keeps the key readable in the saved configuration; the "cipher" form stores it encrypted.
     pre-shared-key simple <Authentication password>
     local-id-type fqdn
     remote-id-type ip
    # VPN hub Beeline
     remote-address 62.141.99.183
     service-scheme IPSEC
     config-exchange request
     config-exchange set accept
     config-exchange set send
    #
    ipsec profile ipsecprof
     ike-peer ipsec
     proposal ipsec
    #
    interface Tunnel0/0/0
    # Tunnel address
     ip address 10.20.1.2 255.255.255.252
     tunnel-protocol ipsec
    # Internet access interface
     source GigabitEthernet0/0/1
     ipsec profile ipsecprof
    #
    Routes to the client's private networks reachable through the Beeline VPN concentrator can be set statically:

    ip route-static 192.168.0.0 255.255.255.0 Tunnel0/0/0
    ip route-static 172.16.0.0 255.255.0.0 Tunnel0/0/0
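An added example, not part of the original post and not Beeline's or any vendor's code: a small Python linter for CPE configs of the two shapes shown above. It pulls the IKE/IPsec settings out of Cisco IOS and Huawei VRP text, reports the points a reviewer would raise before the config goes live (a 1024-bit DH group, a pre-shared key stored in cleartext, the unreplaced password placeholder, no explicitly pinned IKEv2 proposal on IOS), and derives the hub-side address of the tunnel /30, which is the first thing to ping once the tunnel is up. The config strings are constructed from the page's snippets; the hub IP, login and password are the placeholders the page itself uses. The Cisco identity type keyword (fqdn), the hardened Huawei variant (dh group14, pre-shared-key cipher) and the finding codes are this example's own assumptions, not something the page states the hub accepts.

```python
"""Linter for the IKEv2/IPsec CPE configs on this page (added example)."""
import ipaddress
import re

# Constructed from the page's Cisco snippet; "identity local fqdn" is an assumption.
CISCO_CFG = """\
crypto ikev2 keyring BeelineIPsec_keyring
 peer Beeline_VPNHub
  address 62.141.99.183
  pre-shared-key <Authentication password>
crypto ikev2 profile BeelineIPSec_profile
 identity local fqdn <login>
 authentication local pre-share
 authentication remote pre-share
crypto ipsec transform-set TRANSFORM1 esp-aes 256 esp-sha256-hmac
 mode tunnel
interface Tunnel1
 ip address 10.20.1.2 255.255.255.252
"""

# Constructed from the page's Huawei snippet.
HUAWEI_CFG = """\
ike proposal default
 encryption-algorithm aes-256
 dh group2
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
ike peer ipsec
 pre-shared-key simple <Authentication password>
 remote-address 62.141.99.183
interface Tunnel0/0/0
 ip address 10.20.1.2 255.255.255.252
"""

# Same Huawei settings with the two weak points fixed. Assumes the hub side also
# offers group14; the key is still the page's placeholder.
HUAWEI_HARDENED = HUAWEI_CFG.replace("dh group2", "dh group14").replace(
    "pre-shared-key simple", "pre-shared-key cipher")

WEAK_DH = {"1", "2", "5"}  # MODP-768/1024/1536: not acceptable for new tunnels
WEAK_ALG = re.compile(r"\b(des|3des|md5|sha1|esp-md5-hmac|esp-sha-hmac)\b")


def lint(cfg: str) -> list:
    """Return (code, message) findings for the IKE/IPsec settings in cfg."""
    out = []
    # Huawei writes "dh group2"; a Cisco IKEv2 proposal writes "group 2".
    for m in re.finditer(r"^\s*(?:dh\s+)?group\s*(\d+)\s*$", cfg, re.M):
        if m.group(1) in WEAK_DH:
            out.append(("WEAK_DH", f"'{m.group(0).strip()}': use group14 (2048-bit) "
                                   "or stronger if the hub offers it"))
    for m in WEAK_ALG.finditer(cfg):
        out.append(("WEAK_ALG", f"'{m.group(1)}' is deprecated"))
    if re.search(r"^\s*pre-shared-key simple ", cfg, re.M):
        out.append(("PSK_CLEARTEXT", "'pre-shared-key simple' leaves the key readable "
                                     "in the saved config; use the 'cipher' form"))
    if re.search(r"pre-shared-key (?:simple |cipher )?<", cfg):
        out.append(("PSK_PLACEHOLDER", "<Authentication password> placeholder still present"))
    if "crypto ikev2" in cfg and not re.search(r"^crypto ikev2 proposal", cfg, re.M):
        out.append(("NO_IKEV2_PROPOSAL", "no explicit 'crypto ikev2 proposal': the IOS "
                                         "default proposal is negotiated; pin ciphers and DH group"))
    return out


def tunnel_peer(cfg: str) -> str:
    """Hub-side host of the tunnel /30 (the address to ping after the tunnel comes up).
    Raises ValueError if the tunnel interface is not addressed from a /30."""
    m = re.search(r"^\s*ip address (\S+) (\S+)\s*$", cfg, re.M)
    if m is None:
        raise ValueError("no 'ip address' line found")
    local = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    if local.network.prefixlen != 30:
        raise ValueError(f"tunnel subnet is /{local.network.prefixlen}, expected /30")
    (peer,) = [h for h in local.network.hosts() if h != local.ip]
    return str(peer)


if __name__ == "__main__":
    for name, cfg in (("Cisco", CISCO_CFG), ("Huawei", HUAWEI_CFG),
                      ("Huawei hardened", HUAWEI_HARDENED)):
        print(f"== {name}: ping {tunnel_peer(cfg)} once the tunnel is up")
        for code, msg in lint(cfg) or [("OK", "no findings")]:
            print(f"  {code}: {msg}")
```

Run it as a pre-deployment check on the text you are about to paste into the CPE; the placeholder finding disappears only once the real key from the account data is in place, and the group14/cipher variant is only valid if the hub side is willing to negotiate it.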

The resulting connection scheme looks like this:

[Figure: resulting connection diagram]

If a client needs a starting configuration for some other platform, we usually help them put one together and then make it available to everyone.

All that remains is to connect the CPE to the Internet, ping the far end of the VPN tunnel and then any host inside the VPN, and that is it: the connection can be considered established.

In the next article we will describe how we combined this scheme with IPSec and MultiSIM Redundancy using a Huawei CPE: we install our Huawei CPE at the client's site, which can use not only a wired Internet channel but also two different SIM cards, and the CPE automatically rebuilds the IPSec tunnel over the wired WAN or over radio (LTE#2/LTE#1), giving the resulting service high fault tolerance.

Special thanks to our RnD colleagues for preparing this article (and, in fact, to the authors of these technical solutions)!

Source: www.habr.com
