How to get into Beeline IPVPN via IPSec. Part 1

Hello! In a previous post I described part of how our MultiSIM Redundancy service works and how it balances channels. As mentioned there, we connect customers to a VPN network, and today I will say a little about that VPN and what we can offer in this area.

It is worth starting from the fact that we, as a telecom operator, run a large MPLS network which, for fixed-line customers, is split into two large segments: one used directly for Internet access, and one used to build isolated networks. It is through this second MPLS segment that the IPVPN (OSI L3) and VPLAN (OSI L2) traffic of our corporate customers flows.

Normally a customer connection is made as follows.

An access line is laid to the customer's office from the nearest point of presence (MEN node, RRL, BSSS, FTTB, etc.) to a router, on which we terminate the line into a VRF created specifically for that customer, taking into account the traffic marking the customer needs (the marking labels are chosen per access port, based on the IP precedence values 0, 1, 3, 5).

If for some reason we cannot fully organise the last mile to the customer, for example because the office is in a business centre where another provider has priority, or simply because we have no point of presence nearby, then previously the customer had to either build several IPVPN networks with different providers (not the most cost-effective architecture) or solve on their own the problem of reaching their VRF over the Internet.

Many did this by installing an Internet gateway into the IPVPN: they set up a border router (a hardware box or a Linux-based solution), connected the IPVPN channel to one port and the Internet to another, ran their own VPN server on it and connected users through that VPN gateway. Naturally, such a scheme creates overhead: infrastructure like this has to be built and, inconveniently, operated and developed.

To make life easier for our customers, we installed a centralised VPN hub and organised support for connecting over the Internet with IPSec. Now a customer only needs to configure their router to work with the VPN hub through an IPSec tunnel over any public Internet connection, and we release that customer's traffic into their VRF.

Who needs this

  • Those who already have a large IPVPN network and need new connections within a short time.
  • Anyone who, for whatever reason, wants to move part of their traffic from the public Internet into IPVPN but has previously run into technical limitations related to having many providers.
  • Those who currently have several separate VPN networks from different telecom operators. There are customers who successfully run IPVPN from Beeline, Megafon, Rostelecom, etc. For simplicity, you can keep only our VPN, switch all the other operators' channels to plain Internet, and then connect to Beeline IPVPN over IPSec using the Internet from those operators.
  • Those who already have an IPVPN network overlaid on the Internet.

If everything works out with us, customers get full VPN support, redundancy of the critical infrastructure, and standard settings that work on whatever router they use (be it Cisco or even Mikrotik; the main thing is that it properly supports IPSec/IKEv2 with the standard authentication methods). By the way, about IPSec: at the moment we support only it, but we plan to launch full operation of both OpenVPN and Wireguard so that customers do not depend on the protocol and it is even easier to move everything to us; we also want to start connecting customers from computers and mobile devices (the solutions built into the OS, Cisco AnyConnect, strongSwan and the like). With this approach the actual construction of the infrastructure can safely be handed over to the operator, leaving only the configuration of the CPE or host on the customer's side.

How the connection process works with IPSec:

  1. The customer submits a request to their account manager stating the required connection speed, the traffic profile, the IP addressing parameters of the tunnel (by default a subnet with a /30 mask) and the routing type (static or BGP). To pass the routes of the customer's local networks in the connected office, either the IKEv2 mechanisms of the IPSec protocol phase are used, with the corresponding settings on the customer's router, or the routes are advertised via BGP into the MPLS from the private BGP AS given in the customer's request. Either way, the routing information for the customer's networks is fully controlled by the customer through the settings of the customer router.
  2. In reply, the customer receives from their manager the account data for inclusion in their VRF, in the form:
    • VPN-HUB IP address
    • Login
    • Authentication key
  3. The customer configures the CPE; below, as an example, are two basic configuration options:

    Cisco option:
    ! aaa new-model and a local authorization list are needed for the
    ! 'aaa authorization group psk list group-author-list ...' line in the profile below
    aaa new-model
    aaa authorization network group-author-list local
    !
    crypto ikev2 keyring BeelineIPsec_keyring
     peer Beeline_VPNHub
      address 62.141.99.183 - Beeline VPN hub
      pre-shared-key <Authentication password>
    !
    In the static routing case, routes to the networks reachable through the VPN hub can be specified in the IKEv2 configuration, and they will automatically appear as static routes in the CE routing table. The same can also be done with ordinary static routes (see below).

    The route to the networks behind the CE router is a mandatory setting for static routing between CE and PE. The routing information is passed to the PE automatically when the tunnel comes up, through the IKEv2 exchange.

    crypto ikev2 authorization policy FlexClient-author
     route set remote ipv4 10.1.1.0 255.255.255.0 - local office network
    !
    crypto ikev2 profile BeelineIPSec_profile
     identity local fqdn <login> - identity type assumed here to match the Huawei option (local-id-type fqdn); confirm with the hub
     authentication local pre-share
     authentication remote pre-share
     keyring local BeelineIPsec_keyring
     aaa authorization group psk list group-author-list FlexClient-author
    !
    crypto ikev2 client flexvpn BeelineIPsec_flex
     peer 1 Beeline_VPNHub
     client connect Tunnel1
    !
    crypto ipsec transform-set TRANSFORM1 esp-aes 256 esp-sha256-hmac
     mode tunnel
    !
    crypto ipsec profile default
     set transform-set TRANSFORM1
     set ikev2-profile BeelineIPSec_profile
    !
    interface Tunnel1
     ip address 10.20.1.2 255.255.255.252 - tunnel address
     tunnel source GigabitEthernet0/2 - Internet access interface
     tunnel mode ipsec ipv4
     tunnel destination dynamic
     tunnel protection ipsec profile default
    !
    Routes to the customer's private networks reachable through the Beeline VPN hub can be set statically:

    ip route 172.16.0.0 255.255.0.0 Tunnel1
    ip route 192.168.0.0 255.255.255.0 Tunnel1

    Huawei option (AR160/AR120):
    ike local-name <login>
    #
    acl name ipsec 3999
     rule 1 permit ip source 10.1.1.0 0.0.0.255 - local office network
    #
    aaa
     service-scheme IPSEC
      route set acl 3999
    #
    ipsec proposal ipsec
     esp authentication-algorithm sha2-256
     esp encryption-algorithm aes-256
    #
    ike proposal default
     encryption-algorithm aes-256
     dh group2
     authentication-algorithm sha2-256
     authentication-method pre-share
     integrity-algorithm hmac-sha2-256
     prf hmac-sha2-256
    #
    ike peer ipsec
     pre-shared-key simple <Authentication password>
     local-id-type fqdn
     remote-id-type ip
     remote-address 62.141.99.183 - Beeline VPN hub
     service-scheme IPSEC
     config-exchange request
     config-exchange set accept
     config-exchange set send
    #
    ipsec profile ipsecprof
     ike-peer ipsec
     proposal ipsec
    #
    interface Tunnel0/0/0
     ip address 10.20.1.2 255.255.255.252 - tunnel address
     tunnel-protocol ipsec
     source GigabitEthernet0/0/1 - Internet access interface
     ipsec profile ipsecprof
    #
    Routes to the customer's private networks reachable through the Beeline VPN hub can be set statically:

    ip route-static 192.168.0.0 255.255.255.0 Tunnel0/0/0
    ip route-static 172.16.0.0 255.255.0.0 Tunnel0/0/0

    Two settings in these examples deserve a second look before production use. The Huawei proposal negotiates dh group2 (1024-bit MODP), which is below current guidance, so prefer group14 or higher if the hub offers it; on the Cisco side no IKEv2 proposal is pinned at all, so the IOS default set (which depends on the software release) is negotiated, and pinning one explicitly is safer. The Huawei form pre-shared-key simple keeps the key in cleartext in the saved configuration, so use the cipher form; the Cisco keyring likewise stores the key readably unless type-6 encryption is enabled on the device.
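Before handing such a configuration to a customer, it is worth checking mechanically for the parameters a reviewer would question. The following is an added example in Python, not code from the post or from Cisco or Huawei: a small linter that walks a configuration text in either vendor's spelling, reports weak DH groups, weak hashes or ciphers, cleartext pre-shared keys, short keys and a Cisco profile without a pinned IKEv2 proposal, and rewrites the lines that can be fixed textually. The sample configurations inside it are constructed excerpts of the two snippets above with the placeholders kept, and the 20-character key threshold is an assumption of this example rather than a vendor limit.

```python
# Lint a CPE IKEv2/IPsec config (Cisco IOS or Huawei VRP spelling) for weak settings.
# Added example; not code from the post or from either vendor.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line_no: int   # 1-based config line; 0 = finding about the whole config
    setting: str   # offending line, or the missing element
    problem: str
    fix: str


# Patterns cover both vendors' spellings ("dh group2" / "group 2", "sha1" / "esp-sha-hmac").
WEAK_PATTERNS = [
    (re.compile(r"\bgroup\s?[125]\b"), "DH group 1/2/5 (<= 1536-bit MODP)",
     "use group14 (2048-bit MODP) or an ECP group such as group19"),
    (re.compile(r"\bmd5\b"), "MD5 integrity or PRF", "use sha2-256 or stronger"),
    (re.compile(r"\bsha1\b|\besp-sha-hmac\b"), "SHA-1 integrity", "use sha2-256 (Cisco: esp-sha256-hmac)"),
    (re.compile(r"\b3?des\b"), "DES/3DES encryption", "use aes-256 (Cisco: esp-aes 256)"),
]
MIN_PSK_LEN = 20  # policy assumption of this example, not a vendor limit


def _check_psk(line_no: int, line: str) -> list:
    """Huawei: pre-shared-key [simple|cipher] KEY; Cisco: pre-shared-key [local|remote] [0|6] KEY."""
    tokens = line.split()[1:]
    if tokens and tokens[0] in ("local", "remote"):
        tokens = tokens[1:]
    if not tokens or tokens[0] in ("cipher", "6"):   # nothing to check, or stored encrypted
        return []
    kind = tokens[0]
    if kind == "simple":
        key, problem = " ".join(tokens[1:]), "PSK stored in cleartext ('simple')"
        fix = "use 'pre-shared-key cipher <key>'"
    else:
        key = " ".join(tokens[1:] if kind == "0" else tokens)
        problem = "PSK stored in cleartext (or reversible type 7)"
        fix = "enable type-6 storage: 'key config-key password-encrypt' + 'password encryption aes'"
    findings = [Finding(line_no, line, problem, fix)]
    placeholder = key.startswith("<") and key.endswith(">")
    if key and not placeholder and len(key) < MIN_PSK_LEN:
        findings.append(Finding(line_no, line, f"PSK shorter than {MIN_PSK_LEN} characters",
                                "generate a random key of at least 20 characters"))
    return findings


def lint(config: str) -> list:
    """Return findings in line order; whole-config findings come last."""
    findings = []
    for n, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("!", "#")):
            continue
        if line.startswith("pre-shared-key"):
            findings.extend(_check_psk(n, line))
            continue
        findings += [Finding(n, line, p, f) for rx, p, f in WEAK_PATTERNS if rx.search(line)]
    # A Cisco profile without 'crypto ikev2 proposal' negotiates the IOS default
    # proposal, whose algorithm set depends on the software release.
    if (re.search(r"^\s*crypto ikev2 profile\b", config, re.M)
            and not re.search(r"^\s*crypto ikev2 proposal\b", config, re.M)):
        findings.append(Finding(0, "crypto ikev2 proposal",
                                "no explicit IKEv2 proposal; the release-dependent default is used",
                                "pin aes-cbc-256 / sha256 / group 14 in a proposal and an ikev2 policy"))
    return findings


def harden(config: str) -> str:
    """Rewrite what can be fixed textually; Cisco key storage needs device-side setup, so it is only reported."""
    out = []
    for line in config.splitlines():
        line = re.sub(r"\bdh group[125]\b", "dh group14", line)                # Huawei
        line = re.sub(r"^(\s*group )[125]\b", r"\g<1>14", line)                # Cisco proposal
        line = re.sub(r"^(\s*pre-shared-key )simple\b", r"\g<1>cipher", line)  # Huawei
        out.append(line)
    return "\n".join(out)


# Constructed excerpts of the two CPE snippets in the post (placeholders kept).
HUAWEI_SAMPLE = """\
ike proposal default
 encryption-algorithm aes-256
 dh group2
 authentication-algorithm sha2-256
#
ike peer ipsec
 pre-shared-key simple <Authentication password>
 remote-address 62.141.99.183
"""
CISCO_SAMPLE = """\
crypto ikev2 keyring BeelineIPsec_keyring
 peer Beeline_VPNHub
  address 62.141.99.183
  pre-shared-key <Authentication password>
!
crypto ikev2 profile BeelineIPSec_profile
 keyring local BeelineIPsec_keyring
!
crypto ipsec transform-set TRANSFORM1 esp-aes 256 esp-sha256-hmac
"""

if __name__ == "__main__":
    for name, cfg in (("Huawei", HUAWEI_SAMPLE), ("Cisco", CISCO_SAMPLE)):
        for f in lint(cfg):
            print(f"{name} line {f.line_no}: {f.setting}: {f.problem}; fix: {f.fix}")
    print(harden(HUAWEI_SAMPLE))
```

Run it as a script to see the findings for both excerpts and the rewritten Huawei proposal. The Cisco pre-shared key is reported but not rewritten, because type-6 storage has to be enabled on the device first. Whatever group you move to must also be enabled on the hub, so agree the change with the operator before replacing dh group2.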

The resulting connection scheme looks like this:

[Figure: connection scheme (image not reproduced here). The CE builds an IPSec tunnel over the Internet to the Beeline VPN hub, which places the customer's traffic into their VRF.]

If a customer has no basic configuration examples, we usually help to prepare them and then make them available to everyone else.

All that remains is to connect the CPE to the Internet, ping the far side of the VPN tunnel and any host inside the VPN, and that is it: the connection can be considered established.

In the next article I will describe how we combined this IPSec scheme with MultiSIM Redundancy using a Huawei CPE: we install at the customer a Huawei CPE that can use not only a wired Internet channel but also two different SIM cards, and the CPE automatically rebuilds the IPSec tunnel over the wired WAN or the radio (LTE#1/LTE#2), which gives the resulting service high fault tolerance.

Special thanks to our R&D colleagues for preparing this article (and, in fact, for being the authors of these technical solutions)!

Source: www.habr.com
