VMware NSX yevadiki. Chikamu 6: VPN Setup

Chikamu chekutanga. nhanganyaya
Chikamu chechipiri. Kugadzirisa Firewall uye NAT Mitemo
Chikamu chetatu. Kugadzirisa DHCP
Chikamu chechina. Routing setup
Chikamu chechishanu. Kugadzirisa mutoro wekuenzanisa

Nhasi ticha tarisa iyo VPN yekumisikidza sarudzo iyo NSX Edge inotipa.

Kazhinji, tinogona kupatsanura matekinoroji eVPN mumhando mbiri dzinokosha:

• Saiti-kune-saiti VPN. Kunyanya kushandiswa kweIPSec kugadzira nzira yakachengeteka, semuenzaniso, pakati pehofisi huru network uye network kune imwe nzvimbo iri kure kana mugore.
• Remote Access VPN. Inoshandiswa kubatanidza vashandisi vega kumakambani akavanzika network vachishandisa VPN mutengi software.

NSX Edge inotibvumira kushandisa zvese sarudzo.
Isu tichagadzirisa tichishandisa bhenji rekuyedza rine maviri NSX Edge, sevha yeLinux ine daemon yakaiswa raccoon uye Windows laptop yekuyedza Remote Access VPN.

IPsec

1. Mune vCloud Director interface, enda kuKutonga chikamu uye sarudza iyo vDC. PaEdge Gateways tab, sarudza Edge yatinoda, tinya-kurudyi uye sarudza Edge Gateway Services.
   
2. MuNSX Edge interface, enda kune VPN-IPsec VPN tab, ipapo kune IPsec VPN Sites chikamu uye tinya + kuwedzera saiti itsva.

   

3. Zadza ndima dzinodiwa:
   • akwanise - inomutsa saiti iri kure.
   • PFS - inova nechokwadi chekuti kiyi yega yega yekristptographic haina kubatanidzwa nekiyi yapfuura.
   • Local ID uye Local Endpointt ndiyo kero yekunze yeNSX Edge.
   • local subnets - network yemuno iyo inoshandisa IPsec VPN.
   • Peer ID uye Peer Endpoint - kero yenzvimbo iri kure.
   • Peer subnets - network inoshandisa IPsec VPN iri kure.
   • Encryption algorithm - tunnel encryption algorithm.

   
   

   • Authentication - isu tichasimbisa sei vezera. Unogona kushandisa Pre-Shared Key kana chitupa.
   • Pre-Yakagovaniswa Kiyi - tsanangura kiyi ichashandiswa kuratidza chokwadi uye inofanirwa kuenzanisa mativi ese.
   • Diffie Hellman Group - kiyi yekutsinhana algorithm.

   Mushure mekuzadza ndima dzinodiwa, baya Ramba.

   

4. Yakaitwa.

   

5. Mushure mekuwedzera saiti, enda kune iyo Activation Status tab uye shandisa iyo IPsec Service.

   

6. Mushure mekunge marongero aiswa, enda kune Statistics -> IPsec VPN tab uye tarisa mamiriro emugero. Tinoona kuti mugero wasimuka.

   

7. Tarisa mamiriro enzira kubva kuEdge gateway console:
   • ratidza sevhisi ipsec - tarisa mamiriro ebasa.

     

   • ratidza sevhisi ipsec saiti - Ruzivo nezve mamiriro esaiti uye negotiated paramita.

     

   • ratidza sevhisi ipsec sa - tarisa mamiriro eSecurity Association (SA).

     

8. Kutarisa kubatana nesaiti iri kure:

   root@racoon:~# ifconfig eth0:1 | grep inet
           inet 10.255.255.1  netmask 255.255.255.0  broadcast 0.0.0.0
   
   root@racoon:~# ping -c1 -I 10.255.255.1 192.168.0.10 
   PING 192.168.0.10 (192.168.0.10) from 10.255.255.1 : 56(84) bytes of data.
   64 bytes from 192.168.0.10: icmp_seq=1 ttl=63 time=59.9 ms
   
   --- 192.168.0.10 ping statistics ---
   1 packets transmitted, 1 received, 0% packet loss, time 0ms
   rtt min/avg/max/mdev = 59.941/59.941/59.941/0.000 ms
   

   Mafaira ekugadzirisa uye mamwe mirairo yekuongorora kubva kure Linux server:

   root@racoon:~# cat /etc/racoon/racoon.conf 
   
   log debug;
   path pre_shared_key "/etc/racoon/psk.txt";
   path certificate "/etc/racoon/certs";
   
   listen {
     isakmp 80.211.43.73 [500];
      strict_address;
   }
   
   remote 185.148.83.16 {
           exchange_mode main,aggressive;
           proposal {
                    encryption_algorithm aes256;
                    hash_algorithm sha1;
                    authentication_method pre_shared_key;
                    dh_group modp1536;
            }
            generate_policy on;
   }
    
   sainfo address 10.255.255.0/24 any address 192.168.0.0/24 any {
            encryption_algorithm aes256;
            authentication_algorithm hmac_sha1;
            compression_algorithm deflate;
   }
   
   ===
   
   root@racoon:~# cat /etc/racoon/psk.txt
   185.148.83.16 testkey
   
   ===
   
   root@racoon:~# cat /etc/ipsec-tools.conf 
   #!/usr/sbin/setkey -f
   
   flush;
   spdflush;
   
   spdadd 192.168.0.0/24 10.255.255.0/24 any -P in ipsec
         esp/tunnel/185.148.83.16-80.211.43.73/require;
   
   spdadd 10.255.255.0/24 192.168.0.0/24 any -P out ipsec
         esp/tunnel/80.211.43.73-185.148.83.16/require;
   
   ===
   
   
   root@racoon:~# racoonctl show-sa isakmp
   Destination            Cookies                           Created
   185.148.83.16.500      2088977aceb1b512:a4c470cb8f9d57e9 2019-05-22 13:46:13 
   
   ===
   
   root@racoon:~# racoonctl show-sa esp
   80.211.43.73 185.148.83.16 
           esp mode=tunnel spi=1646662778(0x6226147a) reqid=0(0x00000000)
           E: aes-cbc  00064df4 454d14bc 9444b428 00e2296e c7bb1e03 06937597 1e522ce0 641e704d
           A: hmac-sha1  aa9e7cd7 51653621 67b3b2e9 64818de5 df848792
           seq=0x00000000 replay=4 flags=0x00000000 state=mature 
           created: May 22 13:46:13 2019   current: May 22 14:07:43 2019
           diff: 1290(s)   hard: 3600(s)   soft: 2880(s)
           last: May 22 13:46:13 2019      hard: 0(s)      soft: 0(s)
           current: 72240(bytes)   hard: 0(bytes)  soft: 0(bytes)
           allocated: 860  hard: 0 soft: 0
           sadb_seq=1 pid=7739 refcnt=0
   185.148.83.16 80.211.43.73 
           esp mode=tunnel spi=88535449(0x0546f199) reqid=0(0x00000000)
           E: aes-cbc  c812505a 9c30515e 9edc8c4a b3393125 ade4c320 9bde04f0 94e7ba9d 28e61044
           A: hmac-sha1  cd9d6f6e 06dbcd6d da4d14f8 6d1a6239 38589878
           seq=0x00000000 replay=4 flags=0x00000000 state=mature 
           created: May 22 13:46:13 2019   current: May 22 14:07:43 2019
           diff: 1290(s)   hard: 3600(s)   soft: 2880(s)
           last: May 22 13:46:13 2019      hard: 0(s)      soft: 0(s)
           current: 72240(bytes)   hard: 0(bytes)  soft: 0(bytes)
           allocated: 860  hard: 0 soft: 0
           sadb_seq=0 pid=7739 refcnt=0

9. Zvese zvakagadzirira, saiti-kune-saiti IPsec VPN iri kumusoro uye inoshanda.

   Mumuenzaniso uyu, takashandisa PSK yechokwadi chevezera, asi cheti chechokwadi chinogoneka. Kuti uite izvi, enda kune iyo Global Configuration tebhu, gonesa kusimbiswa kwechitupa uye sarudza chitupa pachacho.

   Mukuwedzera, mune zvigadziriso zvesaiti, iwe uchafanirwa kushandura nzira yekusimbisa.

   
   
   
   
   Ndinocherechedza kuti nhamba ye IPsec tunnels inobva pakukura kweEdge Gateway yakashandiswa (verenga pamusoro peizvi mune yedu. chinyorwa chekutanga).

   

SSL VPN

SSL VPN-Plus ndeimwe yeRemote Access VPN sarudzo. Inobvumira vashandisi vari kure kuti vabatane zvakachengeteka kune yakavanzika network kuseri kweNSX Edge Gateway. Mugero wakavharidzirwa munyaya yeSSL VPN-plus inotangwa pakati pemutengi (Windows, Linux, Mac) uye NSX Edge.

1. Ngatitange kumisa. MuEdge Gateway service control panel, enda kune SSL VPN-Plus tab, wozoenda kuSeva Settings. Isu tinosarudza kero uye chiteshi iyo sevha inoteerera kune inouya yekubatanidza, gonesa matanda uye sarudza inodiwa encryption algorithms.

   
   
   Pano iwe unogona zvakare kushandura chitupa chichashandiswa neserver.

   

2. Mushure mekunge zvese zvagadzirwa, vhura sevha uye usakanganwa kuchengetedza marongero.

   

3. Tevere, isu tinofanirwa kumisa dziva rekero dzatinozopa kune vatengi pakubatanidza. Iyi network yakaparadzana kubva kune chero iripo subnet munharaunda yako yeNSX uye haidi kugadziridzwa pane mamwe maturusi pamanetiweki emuviri, kunze kwemakwara anonongedzera kwairi.

   Enda kune IP Pools tebhu uye tinya +.

   

4. Sarudza kero, subnet mask uye gedhi. Pano iwe unogona zvakare kushandura marongero eDNS uye WINS maseva.

   

5. Dziva rinoguma.

   

6. Zvino ngatiwedzerei manetwork ayo vashandisi vanobatana neVPN vachawana mukana. Enda kune Private Networks tebhu uye tinya +.

   

7. Tinozadza:
   • Network - network yemuno iyo vashandisi vari kure vanozowana.
   • Tumira traffic, ine sarudzo mbiri:
     - pamusoro pemugero - tumira traffic kunetiweki kuburikidza nemugero,
     - bypass tunnel - tumira traffic kunetiweki yakananga nekupfuura mugero.
   • Gonesa TCP Optimization - tarisa kana wakasarudza pamusoro petunnel sarudzo. Kana optimization ikagoneswa, unogona kutsanangura nhamba dzechiteshi dzaunoda kukwidziridza traffic. Traffic yezviteshi zvasara pane iyo network haigone kuvandudzwa. Kana pasina nhamba dzechiteshi dzakatsanangurwa, traffic kune ese madoko inogadziriswa. Verenga zvakawanda pamusoro pechinhu ichi pano.

   

8. Tevere, enda kune iyo Authentication tebhu uye tinya +. Kuti tive nechokwadi, tichashandisa sevha yemunharaunda paNSX Edge pachayo.

   

9. Pano tinogona kusarudza marongero ekugadzira mapassword matsva uye kugadzirisa sarudzo dzekuvharira maakaundi emushandisi (semuenzaniso, nhamba yekuyedza zvakare kana password yaiswa zvisizvo).

   
   
   

10. Sezvo isu tiri kushandisa huchokwadi hwemunharaunda, tinoda kugadzira vashandisi.

    

11. Pamusoro pezvinhu zvakakosha sezita nepassword, pano iwe unogona, semuenzaniso, kurambidza mushandisi kuchinja password kana, ukuwo, kumumanikidza kuti achinje password nguva inotevera paanopinda.

    

12. Mushure mevashandisi vese vanodiwa vawedzerwa, enda kuInstalation Packages tebhu, tinya + uye gadzira iyo yekumisikidza pachayo, iyo ichatorwa nemushandi ari kure kuti aiswe.

    

13. Dzvanya +. Sarudza kero uye chiteshi chevhavha iyo mutengi achabatanidza, uye mapuratifomu aunoda kugadzira iyo yekuisa package.

    
    
    Pazasi muhwindo iri, unogona kutsanangura marongero evatengi eWindows. Sarudza:

    • tanga mutengi pane logon - mutengi weVPN anozowedzerwa kutanga pamushini uri kure;
    • gadzira desktop icon - ichagadzira VPN mutengi icon pane desktop;
    • server kuchengetedza chitupa kusimbiswa - ichasimbisa sevha setifiketi pakubatanidza.
      Kugadzirisa sevha kwapera.

    

14. Zvino ngatitorei pasuru yekuisa yatakagadzira munhanho yekupedzisira kune iri kure PC. Pakumisa sevha, takatsanangura kero yayo yekunze (185.148.83.16) uye port (445). Pakero iyi ndipo patinofanira kuenda muwebhu browser. Kana ndiri ini 185.148.83.16: 445.

    Muwindo remvumo, iwe unofanirwa kuisa zvitupa zvemushandisi zvatakagadzira kare.

    

15. Mushure memvumo, tinoona runyorwa rweakagadzirwa ekuisa mapakeji aripo kuti atore. Isu takagadzira imwe chete - tichaidhawunirodha.

    

16. Isu tinya pane chinongedzo, kurodha kwemutengi kunotanga.

    

17. Bvisa iyo archive yakadhindwa uye mhanya iyo yekuisa.

    

18. Mushure mekuisa, tanga mutengi, muhwindo remvumo, tinya Login.

    

19. Muhwindo rekusimbisa zvitupa, sarudza Hongu.

    

20. Isu tinoisa magwaro emushandisi akagadzirwa kare uye tinoona kuti kubatana kwakapedzwa zvinobudirira.

    
    
    

21. Isu tinotarisa nhamba dzeVPN mutengi pakombuta yemuno.

    
    
    

22. Mumutsara wekuraira weWindows (ipconfig / zvese), tinoona kuti imwe yakawedzera dhizaini yakaonekwa uye pane yekubatanidza kune network iri kure, zvese zvinoshanda:

    
    
    

23. Uye pakupedzisira, tarisa kubva kuEdge Gateway console.

    

L2 VPN

L2VPN ichadikanwa kana iwe uchida kusanganisa akati wandei nharaunda
akagovera network mune imwe nhepfenyuro.

Izvi zvinogona kubatsira, semuenzaniso, kana uchifambisa muchina chaiwo: kana VM ichienda kune imwe nzvimbo yenzvimbo, muchina unochengeta IP kero yekuseta uye hauzorasikirwe nekubatana nemimwe michina iri mune imwecheteyo L2 domain nayo.

Munzvimbo yedu yekuyedza, tichabatanidza masayiti maviri kune mumwe nemumwe, tichaadaidza A uye B, zvichiteerana.Tine maviri maNSX uye maviri akafanana akagadzirwa ma network network akabatanidzwa kune akasiyana Edges. Muchina A une kero 10.10.10.250/24, Muchina B une kero 10.10.10.2/24.

1. MuvCloud Director, enda kuTabhurari tabhu, enda kuVDC yatinoda, enda kuOrg VDC Networks tebhu uye wedzera maviri matsva network.

   

2. Sarudza iyo yakafambiswa network mhando uye sunga iyi network kune yedu NSX. Isu tinoisa cheki bhokisi Gadzira se subinterface.

   

3. Nekuda kweizvozvo, isu tinofanirwa kuwana maviri network. Mumuenzaniso wedu, ivo vanonzi network-a uye network-b ine yakafanana gedhi marongero uye yakafanana mask.

   
   
   

4. Zvino ngatiendei kune zvigadziriso zveNSX yekutanga. Iyi ichava NSX iyo Network A yakabatanidzwa pairi. Ichaita sevhavha.

   Isu tinodzokera kuNSx Edge interface / Enda kune VPN tab -> L2VPN. Isu tinobatidza L2VPN, sarudza iyo Server oparesheni modhi, muServer Global marongero isu tinotsanangudza yekunze NSX IP kero painoteerera chiteshi chemugero. Nekumisikidza, socket inovhura pachiteshi 443, asi izvi zvinogona kuchinjwa. Usakanganwa kusarudza iyo encryption marongero eiyo ramangwana tunnel.

   

5. Enda kuServer Sites tab uye wedzera wezera.

   

6. Isu tinobatidza peer, isa zita, tsananguro, kana zvichidikanwa, isa zita rekushandisa uye password. Tichada iyi data gare gare kana tichigadzira saiti yemutengi.

   MuEgress Optimization Gateway Kero isu tinoisa kero yegedhi. Izvi zvinodikanwa kuitira kuti pasave nekupokana kweIP kero, nekuti gedhi remanetiweki edu rine kero yakafanana. Wobva wadzvanya pakanzi SELECT SUB-INTERFACES bhatani.

   

7. Pano tinosarudza subinterface yaunoda. Isu tinochengetedza zvirongwa.

   

8. Isu tinoona kuti ichangobva kugadzirwa yemutengi saiti yakaonekwa mumaseting.

   

9. Zvino ngatienderere mberi nekugadzirisa NSX kubva kudivi remutengi.

   Isu tinoenda kuNSX side B, enda kuVPN -> L2VPN, gonesa L2VPN, isa L2VPN modhi kune mutengi maitiro. PaClient Global tab, isa kero uye chiteshi cheNSX A, yatakambotaura seKuteerera IP uye Port padivi reseva. Izvo zvinodikanwawo kuseta imwechete encryption marongero kuti aenderane kana mugero wasimudzwa.

   
   
   Isu tinopenya pazasi, sarudza iyo subinterface iyo iyo mugero weL2VPN ichavakwa.
   MuEgress Optimization Gateway Kero isu tinoisa kero yegedhi. Seta mushandisi-id uye password. Isu tinosarudza subinterface uye usakanganwa kuchengetedza marongero.

   

10. Chaizvoizvo, ndizvo chete. Izvo zvigadziriso zvemutengi uye sevha parutivi zvakada kufanana, kunze kwemanuances mashoma.
11. Iye zvino tava kuona kuti nzira yedu yakashanda nekuenda kuStatistics -> L2VPN pane chero NSX.

    

12. Kana isu toenda iko zvino kune nyaradzo yechero Edge Gateway, isu tichaona pane imwe neimwe yadzo mune arp tafura kero dzevaviri maVM.

    

Ndizvo zvese nezveVPN paNSX Edge. Bvunza kana chimwe chinhu chisina kujeka. Icho zvakare chikamu chekupedzisira chenhevedzano yezvinyorwa zvekushanda neNSX Edge. Tinovimba vanga vachibatsira 🙂

Source: www.habr.com