Configuring IPSec Site-to-Site VPN on Palo Alto Networks devices

This article continues the earlier material devoted to the specifics of configuring Palo Alto Networks devices. Here we want to talk about setting up an IPSec Site-to-Site VPN on Palo Alto Networks devices and about one possible configuration option for connecting several Internet providers.

For demonstration, a standard scheme connecting a head office with a branch will be used. To provide a fault-tolerant Internet connection, the head office uses simultaneous links to two providers: ISP-1 and ISP-2. The branch has a link to only one provider, ISP-3. Two tunnels are built between the firewalls PA-1 and PA-2. The tunnels operate in Active-Standby mode: Tunnel-1 is active, and Tunnel-2 starts forwarding traffic if Tunnel-1 fails. Tunnel-1 uses the link to ISP-1, Tunnel-2 uses the link to ISP-2. All IP addresses were generated at random for demonstration purposes and have no relation to real ones.

IPsec, a set of protocols that ensures the security of data transmitted over IP, will be used to build the Site-to-Site VPN. IPsec will operate using the ESP (Encapsulating Security Payload) security protocol, which provides encryption of the transmitted data.

IPsec includes IKE (Internet Key Exchange), a protocol responsible for negotiating SAs (security associations), the security parameters used to protect the transmitted data. PAN firewalls support IKEv1 and IKEv2.

In IKEv1, a VPN connection is built in two stages: IKEv1 Phase 1 (the IKE tunnel) and IKEv1 Phase 2 (the IPSec tunnel). Two tunnels are therefore created: one is used to exchange service information between the firewalls, the second to carry traffic. IKEv1 Phase 1 has two modes of operation: main mode and aggressive mode. Aggressive mode uses fewer messages and is faster, but it does not support Peer Identity Protection.

IKEv2 replaced IKEv1; compared to IKEv1, its main advantages are lower bandwidth requirements and faster SA negotiation. IKEv2 uses fewer service messages (4 in total), supports the EAP and MOBIKE protocols, and adds a mechanism for checking the availability of the peer with which the tunnel is built: Liveness Check, which replaces Dead Peer Detection in IKEv1. If the check fails, IKEv2 can tear down the tunnel and then automatically restore it at the first opportunity. You can read more about the differences here.

If the tunnel is built between firewalls from different vendors, there may be bugs in the IKEv2 implementation, and for compatibility with such devices it is possible to use IKEv1. In other cases it is better to use IKEv2.

Setup steps:

• Configuring two Internet providers in Active/Standby mode

There are several ways to accomplish this task. One of them is to use the Path Monitoring mechanism, available since PAN-OS version 8.0.0. This example uses version 8.0.16. The feature is similar to IP SLA in Cisco routers. In the parameters of the static default route, sending of ping packets to a specified IP address from a specified source address is configured. In this case, the ethernet1/1 interface pings the default gateway once per second. If there is no response to three pings in a row, the route is considered down and is removed from the routing table. The same route is configured toward the second Internet provider, but with a higher metric (it is the backup). When the first route is removed from the table, the firewall starts sending traffic through the second route: Fail-Over. When the first provider starts responding to pings again, its route returns to the table and displaces the second one thanks to its better metric: Fail-Back. The Fail-Over process takes a few seconds depending on the configured intervals, but in any case it is not instantaneous, and during this time traffic is lost. Fail-Back happens without traffic loss. Fail-Over can be made faster with BFD, if the Internet provider offers such an option. BFD is supported starting from the PA-3000 Series and VM-100 models. It is better to specify as the ping address not the provider's gateway but a public, always-reachable Internet address.

• Creating a tunnel interface

Traffic inside the tunnel is carried over special virtual interfaces. Each of them must be configured with an IP address from the transit network. In this example, subnet 172.16.1.0/30 will be used for Tunnel-1 and subnet 172.16.2.0/30 for Tunnel-2.
The tunnel interface is created under Network -> Interfaces -> Tunnel. You must specify the virtual router and the security zone, as well as an IP address from the corresponding transit network. The interface number can be anything.

Additionally, you can specify a Management Profile that allows ping on the given interface; this can be useful for testing.

• Creating an IKE Profile

The IKE Profile is responsible for the first stage of establishing the VPN connection; the IKE Phase 1 tunnel parameters are specified here. The profile is created under Network -> Network Profiles -> IKE Crypto. You need to specify the encryption algorithm, the hashing algorithm, the Diffie-Hellman group and the key lifetime. In general, the more complex the algorithms, the lower the performance; they should be chosen based on the specific security requirements. However, it is strongly not recommended to use a Diffie-Hellman group below 14 to protect sensitive information. This is due to a weakness of the protocol that can only be mitigated by using moduli of 2048 bits and higher, or elliptic-curve cryptography algorithms, which are used in groups 19, 20, 21, 24. These algorithms offer higher performance compared to classical cryptography. Read more here. And here.

• Configuring the IPSec Profile

The second stage of establishing the VPN connection is the IPSec tunnel. Its SA parameters are configured under Network -> Network Profiles -> IPSec Crypto Profile. Here you must specify the IPSec protocol, AH or ESP, as well as the SA parameters: hashing algorithms, encryption, Diffie-Hellman groups and key lifetime. The SA parameters in the IKE Crypto Profile and in the IPSec Crypto Profile may differ.

• Configuring the IKE Gateway

IKE Gateway is an object that represents the router or firewall with which the VPN tunnel is built. A separate IKE Gateway must be created for each tunnel. In this case two objects are created, one through each Internet provider. The corresponding outgoing interface and its IP address, the peer IP address and the pre-shared key are specified. Certificates can be used as an alternative to the pre-shared key.

The previously created IKE Crypto Profile is specified here. The parameters of the second IKE Gateway object are the same, except for the IP addresses. If the Palo Alto Networks firewall is behind a NAT router, the NAT Traversal mechanism must be enabled.

• Creating the IPSec Tunnel

IPSec Tunnel is an object that describes the parameters of the IPSec tunnel, as the name suggests. Here you must specify the tunnel interface and the previously created IKE Gateway and IPSec Crypto Profile objects. To ensure that routing switches automatically to the backup tunnel, Tunnel Monitor must be enabled. This is a mechanism that checks whether the peer is alive using ICMP traffic. As the destination address, specify the IP address of the tunnel interface of the peer with which the tunnel is built. The profile defines the timers and the action to take when connectivity is lost: Wait Recover waits until connectivity is restored, Fail Over sends traffic over another route, if one is available. The configuration of the second tunnel is exactly the same; the second tunnel interface and IKE Gateway are specified.

• Configuring routing

This example uses static routing. On the PA-1 firewall, in addition to the two default routes, you need to define two routes to the 10.10.10.0/24 subnet in the branch. One route uses Tunnel-1, the other Tunnel-2. The route via Tunnel-1 is the primary one because it has the lower metric. The Path Monitoring mechanism is not used for these routes; Tunnel Monitor is responsible for the switchover.

Similar routes for the 192.168.30.0/24 subnet need to be configured on PA-2.

• Configuring security policies

For the tunnel to work, three rules are needed:

  1. For Path Monitor to work, allow ICMP on the external interfaces.
  2. For IPsec, allow the ike and ipsec applications on the external interfaces.
  3. Allow traffic between the internal subnets and the tunnel interfaces.

Conclusion

This article discussed one option for configuring a fault-tolerant Internet connection and a Site-to-Site VPN. We hope the information was useful and that the reader gained an understanding of the technologies used in Palo Alto Networks. If you have questions about the configuration or suggestions for topics of future articles, write them in the comments; we will be glad to answer.

Source: www.habr.com