VMware NSX ee kuwa yaryar. Qaybta 6: VPN Dejinta

Qaybta koowaad. hordhac ah
Qaybta labaad. Habaynta Firewall iyo Xeerarka NAT
Qaybta saddexaad. Dejinta DHCP
Qaybta afraad. Habaynta habaynta
Qaybta shanaad. Dejinta dheellitirka culeyska

Maanta waxaan eegi doonaa xulashada qaabeynta VPN ee NSX Edge na siiso.

Guud ahaan, waxaan u qaybin karnaa tignoolajiyada VPN laba nooc oo muhiim ah:

• Goobta-goobta VPN. Isticmaalka ugu badan ee IPSec waa in la sameeyo tunnel sugan, tusaale ahaan, inta u dhaxaysa shabakad xafiiseed weyn iyo shabakad ku taal meel fog ama daruuraha.
• Gaaritaanka fog VPN. Loo isticmaalo in lagu xidho isticmaalayaasha gaarka ah shabakadaha gaarka ah ee shirkadaha iyada oo la adeegsanayo software-ka macmiilka VPN.

NSX Edge wuxuu noo ogolaanayaa inaan isticmaalno labada ikhtiyaar.
Waxaan u habeyn doonaa annagoo adeegsanayna kursi tijaabo ah oo leh laba NSX Edge, server Linux ah oo wata daemon rakiban rakoon iyo laptop Windows ah si aad u tijaabiso Helitaanka fog ee VPN.

IPsec

1. Interface-ka Agaasimaha vCloud, aad qaybta maamulka oo dooro vDC. Tabka Edge Gateways, dooro Edge aan u baahanahay, midig-guji oo dooro Adeegyada Kadinka Edge.
   
2. Gudaha NSX Edge interface, u tag VPN-IPsec VPN tab, ka dibna qaybta IPsec VPN Sites oo guji + si aad ugu darto goob cusub.

   

3. Buuxi meelaha loo baahan yahay:
   • Haboon – waxay dhaqaajisaa goobta fog.
   • PFS - waxay hubisaa in fure kasta oo cusub oo cryptographic aanu la xidhiidhin furihii hore.
   • Aqoonsiga Maxaliga ah iyo Meesha Dhamaadka Maxaliga aht waa ciwaanka dibadda ee NSX Edge.
   • subnet degaankas - shabakadaha maxaliga ah ee isticmaali doona IPsec VPN.
   • Aqoonsiga asaaga iyo barta dhamaadka asaaga - cinwaanka goobta fog.
   • Shabakadaha facooda - shabakadaha isticmaali doona IPsec VPN dhinaca fog.
   • Algorithm-ka sirta - Algorithm sireed tunnel.

   
   

   • HUBINTA - sida aan u xaqiijin doono asaagga. Waxaad isticmaali kartaa furaha la wadaago ama shahaado.
   • Fure Hore loo Wadaagay - Sheeg furaha loo isticmaali doono xaqiijinta waana in uu is waafajiyaa labada dhinac.
   • Kooxda Diffie Hellman - Algorithm isweydaarsiga muhiimka ah.

   Kadib markaad buuxiso meelaha loo baahan yahay, dhagsii Keep.

   

4. Done.

   

5. Kadib marka aad ku darto goobta, aad tabo heerka firfircoonida tab oo daar adeega IPsec.

   

6. Ka dib marka habaynta la codsado, u gudub Statistics -> IPsec VPN tab oo hubi heerka tunnelka. Waxaan aragnaa in tunnelku kacay.

   

7. Hubi heerka tunnel-ka laga bilaabo konsolka albaabka Edge:
   • show service ipsec - hubi heerka adeega.

     

   • show adeegga ipsec site - Macluumaadka ku saabsan xaaladda goobta iyo cabbirrada laga wada xaajooday.

     

   • show service ipsec sa - hubi heerka Ururka Nabadsugida (SA).

     

8. Ku hubinta isku xidhka goob fog:

   root@racoon:~# ifconfig eth0:1 | grep inet
           inet 10.255.255.1  netmask 255.255.255.0  broadcast 0.0.0.0
   
   root@racoon:~# ping -c1 -I 10.255.255.1 192.168.0.10 
   PING 192.168.0.10 (192.168.0.10) from 10.255.255.1 : 56(84) bytes of data.
   64 bytes from 192.168.0.10: icmp_seq=1 ttl=63 time=59.9 ms
   
   --- 192.168.0.10 ping statistics ---
   1 packets transmitted, 1 received, 0% packet loss, time 0ms
   rtt min/avg/max/mdev = 59.941/59.941/59.941/0.000 ms
   

   Faylasha isku xidhka iyo amarada dheeraadka ah ee ogaanshaha ee server Linux fog:

   root@racoon:~# cat /etc/racoon/racoon.conf 
   
   log debug;
   path pre_shared_key "/etc/racoon/psk.txt";
   path certificate "/etc/racoon/certs";
   
   listen {
     isakmp 80.211.43.73 [500];
      strict_address;
   }
   
   remote 185.148.83.16 {
           exchange_mode main,aggressive;
           proposal {
                    encryption_algorithm aes256;
                    hash_algorithm sha1;
                    authentication_method pre_shared_key;
                    dh_group modp1536;
            }
            generate_policy on;
   }
    
   sainfo address 10.255.255.0/24 any address 192.168.0.0/24 any {
            encryption_algorithm aes256;
            authentication_algorithm hmac_sha1;
            compression_algorithm deflate;
   }
   
   ===
   
   root@racoon:~# cat /etc/racoon/psk.txt
   185.148.83.16 testkey
   
   ===
   
   root@racoon:~# cat /etc/ipsec-tools.conf 
   #!/usr/sbin/setkey -f
   
   flush;
   spdflush;
   
   spdadd 192.168.0.0/24 10.255.255.0/24 any -P in ipsec
         esp/tunnel/185.148.83.16-80.211.43.73/require;
   
   spdadd 10.255.255.0/24 192.168.0.0/24 any -P out ipsec
         esp/tunnel/80.211.43.73-185.148.83.16/require;
   
   ===
   
   
   root@racoon:~# racoonctl show-sa isakmp
   Destination            Cookies                           Created
   185.148.83.16.500      2088977aceb1b512:a4c470cb8f9d57e9 2019-05-22 13:46:13 
   
   ===
   
   root@racoon:~# racoonctl show-sa esp
   80.211.43.73 185.148.83.16 
           esp mode=tunnel spi=1646662778(0x6226147a) reqid=0(0x00000000)
           E: aes-cbc  00064df4 454d14bc 9444b428 00e2296e c7bb1e03 06937597 1e522ce0 641e704d
           A: hmac-sha1  aa9e7cd7 51653621 67b3b2e9 64818de5 df848792
           seq=0x00000000 replay=4 flags=0x00000000 state=mature 
           created: May 22 13:46:13 2019   current: May 22 14:07:43 2019
           diff: 1290(s)   hard: 3600(s)   soft: 2880(s)
           last: May 22 13:46:13 2019      hard: 0(s)      soft: 0(s)
           current: 72240(bytes)   hard: 0(bytes)  soft: 0(bytes)
           allocated: 860  hard: 0 soft: 0
           sadb_seq=1 pid=7739 refcnt=0
   185.148.83.16 80.211.43.73 
           esp mode=tunnel spi=88535449(0x0546f199) reqid=0(0x00000000)
           E: aes-cbc  c812505a 9c30515e 9edc8c4a b3393125 ade4c320 9bde04f0 94e7ba9d 28e61044
           A: hmac-sha1  cd9d6f6e 06dbcd6d da4d14f8 6d1a6239 38589878
           seq=0x00000000 replay=4 flags=0x00000000 state=mature 
           created: May 22 13:46:13 2019   current: May 22 14:07:43 2019
           diff: 1290(s)   hard: 3600(s)   soft: 2880(s)
           last: May 22 13:46:13 2019      hard: 0(s)      soft: 0(s)
           current: 72240(bytes)   hard: 0(bytes)  soft: 0(bytes)
           allocated: 860  hard: 0 soft: 0
           sadb_seq=0 pid=7739 refcnt=0

9. Wax walba waa diyaar, site-to-site IPsec VPN waa kor oo socda.

   Tusaalahan, waxaan u isticmaalnay PSK xaqiijinta asaagga, laakiin xaqiijinta shahaadada sidoo kale waa suurtagal. Si aad tan u samayso, aad tabka isku xidhka Caalamiga ah, karti u yeelo xaqiijinta shahaadada oo dooro shahaadada lafteeda.

   Intaa waxaa dheer, goobaha goobta, waxaad u baahan doontaa inaad bedesho habka aqoonsiga.

   
   
   
   
   Waxaan ogsoonahay in tirada IPsec tunnels ay ku xiran tahay xajmiga Edge Gateway ee la geeyay (ka akhriso tan in our maqaalka koowaad).

   

SSL VPN

SSL VPN-Plus waa mid ka mid ah fursadaha Helitaanka Fog ee VPN. Waxay u ogolaataa isticmaalayaasha fogfog shakhsi ahaaneed inay si ammaan ah ugu xidhmaan shabakadaha gaarka ah ee ka dambeeya NSX Edge Gateway. Tunnel sir ah oo ku saabsan kiiska SSL VPN-plus ayaa laga dhex sameeyay macmiilka (Windows, Linux, Mac) iyo NSX Edge.

1. Aan bilowno dejinta Gudaha koontaroolka adeegga Edge Gateway, aad SSL VPN-Plus tab, ka dibna Settings Settings. Waxaan dooranaa ciwaanka iyo deked uu seerfarku ku dhageysan doono isku xirka soo socda, awood u gasha oo dooro algorithms-ka qarsoon ee lagama maarmaanka ah.

   
   
   Halkan waxa kale oo aad ka beddeli kartaa shahaadada uu seerfarku isticmaali doono.

   

2. Kadib wax walba oo diyaar ah, shid server-ka oo ha ilaawin inaad kaydiso goobaha.

   

3. Marka xigta, waxaan u baahanahay inaan sameyno goob ciwaanno ah oo aan u soo saari doono macaamiisha marka la isku xiro. Shabakaddani way ka duwan tahay shabakad kasta oo ka jirta deegaankaaga NSX oo uma baahna in lagu habeeyo aaladaha kale ee shabakadaha jireed, marka laga reebo waddooyinka tilmaamaya.

   Tag tab IP Pools oo guji +.

   

4. Dooro ciwaanada, maaskaro subnet-ka iyo albaabka laga soo galo. Halkan waxa kale oo aad ka bedeli kartaa goobaha DNS iyo WINS server.

   

5. Barkadda ka dhalatay.

   

6. Hadda aan ku darno shabakadaha ay isticmaalayaasha ku xiraya VPN ay marin u heli doonaan. Tag tab shabakadaha gaarka ah oo guji +.

   

7. Waxaan buuxineynaa:
   • Shabakadda – shabakad maxalli ah oo isticmaalayaasha fog-fog ay marin u heli doonaan.
   • Soo dir gaadiidka, waxay leedahay laba ikhtiyaar:
     - tunnel-ka - u dir taraafikada shabakadda iyada oo loo marayo tunnel-ka,
     - tunnel-ka-dhaafka-u dir taraafikada shabakada adoo si toos ah u maraya tunnelka.
   • Daar TCP Optimization - hubi haddii aad dooratay ikhtiyaarka tunnel-ka. Marka hagaajinta la furo, waxaad cayimi kartaa nambarada dekedda kuwaas oo aad rabto inaad u wanaajiso taraafikada. Gaadiidka dekedaha hadhay ee shabakadaas gaarka ah lama hagaajin doono. Haddii aan la cayimin lambarrada dekedaha, taraafikada dhammaan dekedaha waa la hagaajiyay. Akhri wax badan oo ku saabsan sifadan halkan.

   

8. Marka xigta, u gudub tabka xaqiijinta oo guji +. Xaqiijinta, waxaan u isticmaali doonaa server maxalli ah NSX Edge laftiisa.

   

9. Halkan waxaan ku dooran karnaa siyaasadaha lagu soo saarayo furaha sirta ah ee cusub waxaanan dejin karnaa xulashooyinka xannibaadda akoonnada isticmaalaha (tusaale, tirada isku-dayga haddii erayga sirta ah si khaldan loo geliyo).

   
   
   

10. Maadaama aan isticmaaleyno xaqiijinta maxalliga ah, waxaan u baahanahay inaan abuurno isticmaalayaasha.

    

11. Marka laga soo tago waxyaabaha aasaasiga ah sida magaca iyo erayga sirta ah, halkan waxaad, tusaale ahaan, ka mamnuuci kartaa isticmaalaha inuu beddelo erayga sirta ah ama, taa beddelkeeda, ku qasbi inuu beddelo erayga sirta ah marka xigta ee uu galo.

    

12. Ka dib markii dhammaan isticmaalayaasha lagama maarmaanka ah lagu daro, u gudub tab xirmooyinka Rakibaadda, guji + oo samee rakibaha laftiisa, kaas oo uu soo dejin doono shaqaale fog si loo rakibo.

    

13. Riix +. Dooro ciwaanka iyo dekedda server-ka uu macmiilku ku xidhi doono, iyo meelaha aad rabto inaad ka soo saarto xidhmada rakibaadda.

    
    
    Hoosta daaqadan, waxaad ku qeexi kartaa nidaamka macmiilka ee Windows. Dooro:

    • ku bilow macmiilka logon - macmiilka VPN waxaa lagu dari doonaa bilawga mashiinka fog;
    • samee icon desktop - waxay ku abuuri doontaa astaanta macmiilka VPN miiska;
    • Ansixinta shahaadada amniga serverka - waxay ansaxi doontaa shahaadada serverka marka la isku xiro.
      Habaynta adeegaha waa dhammaatay.

    

14. Hadda aan soo dejinno xirmada rakibaadda ee aan ku abuurnay tallaabadii u dambeysay PC fog. Marka la dejinayo server-ka, waxaanu cayimnay ciwaankiisa dibadda (185.148.83.16) iyo dekedda (445). Waa ciwaanka aan ugu baahanahay in aan galno browser-ka. Xaaladeyda waa 185.148.83.16: 445.

    Daaqadda oggolaanshaha, waa inaad gelisaa aqoonsiga isticmaale ee aan hore u abuurnay.

    

15. Oggolaanshaha ka dib, waxaan aragnaa liiska xirmooyinka rakibida la sameeyay ee diyaar u ah soo dejinta. Waxaan abuurnay mid kaliya - waan soo dejin doonaa.

    

16. Waxaan guji xiriirka, soo dejinta ee macmiilka bilaabay.

    

17. Furo kaydka la soo dejiyey oo socodsii rakibaha.

    

18. Ka dib marka la rakibo, billow macmiilka, daaqadda oggolaanshaha, guji Login.

    

19. Daaqada xaqiijinta shahaadada, dooro Haa.

    

20. Waxaan galnaa aqoonsiga isticmaaleha hore loo abuuray oo aan aragno in xiriirku si guul leh u dhammaaday.

    
    
    

21. Waxaan ku hubinaa tirakoobka macmiilka VPN kumbuyuutarka deegaanka.

    
    
    

22. Khadka taliska Windows (ipconfig / all), waxaan aragnaa in adabtarada farsamada ee dheeriga ah uu soo muuqday oo uu jiro isku xirnaanta shabakadda fog, wax walbaa way shaqeeyaan:

    
    
    

23. Ugu dambayntii, ka hubi console-ka Edge Gateway.

    

L2 VPN

L2VPN ayaa loo baahan doonaa marka aad u baahato inaad dhowr juqraafi ahaan isugu geyso
Shabakado loo qaybiyay hal goob warbaahineed.

Tani waxay noqon kartaa mid faa'iido leh, tusaale ahaan, markaad u guurto mashiinka farsamada: marka VM u guuro aag kale oo juquraafi ah, mashiinku wuxuu hayn doonaa goobaha ciwaanka IP-ga mana lumin doono isku xirka mashiinnada kale ee ku yaal isla goobta L2.

Deegaankayaga tijaabada ah, waxaanu isku xidhi doonaa laba goobood oo midba midka kale ah, waxaanu ugu yeedhi doonaa A iyo B, siday u kala horreeyaan. Waxaan leenahay laba NSXs iyo laba shabakadood oo isku mid ah oo la sameeyay oo ku xiran geeso kala duwan. Mashiinka A wuxuu leeyahay ciwaanka 10.10.10.250/24, Mashiinka B wuxuu leeyahay ciwaanka 10.10.10.2/24.

1. Gudaha vCloud Agaasimaha, aad tab maamulka, aad VDC aan u baahanahay, tag Org VDC Networks tab oo ku dar laba shabakadood oo cusub.

   

2. Dooro nooca shabakada la leexiyay oo ku xidh shabakadan NSX. Waxaan dhignay sanduuqa hubinta ku samee sidii waji-hoosaad.

   

3. Natiijo ahaan, waa inaan helno laba shabakadood. Tusaalahayaga, waxaa loo yaqaan network-a iyo network-b oo leh jaangooyooyin albaabadu isku mid yihiin iyo isku waji isku mid ah.

   
   
   

4. Hadda aan tagno goobaha NSX ugu horreeya. Tani waxay noqon doontaa NSX ee Network A ay ku xiran tahay. Waxay u dhaqmi doontaa sidii server.

   Waxaan ku laabaneynaa NSx Edge interface / Tag tabka VPN -> L2VPN. Waxaan daarnaa L2VPN, dooro habka hawlgalka Server-ka, gudaha Server-ka Global settings waxaan ku cadeyneynaa ciwaanka IP-ga ee NSX dibadeed kaas oo dekedda tunnelku ay dhageysan doonto. Sida caadiga ah, godku wuxuu ka furmi doonaa dekedda 443, laakiin tan waa la bedeli karaa. Ha iloobin inaad dooratid goobaha sirta ah ee tunnelka mustaqbalka.

   

5. Tag bogga Server-ka tab oo ku dar saaxiib.

   

6. Waxaan shidnaa asxaabta, dejineynaa magaca, sharaxaadda, haddii loo baahdo, dejiso magaca isticmaalaha iyo erayga sirta ah. Waxaan u baahan doonaa xogtan hadhow marka la dejinayo goobta macmiilka.

   Ciwaanka Kadinka Hagaajinta Egress waxaanu dejinay ciwaanka albaabka. Tani waa lagama maarmaan si aysan u dhicin isku dhac cinwaannada IP, sababtoo ah albaabka shabakadahayadu waxay leeyihiin cinwaan isku mid ah. Kadib dhagsii badhanka SELECT SUB-INTERFACES.

   

7. Halkan waxaan ku dooranaynaa wejiga hoose ee la rabo. Waxaanu kaydinay goobaha

   

8. Waxaan aragnaa in goobta cusub ee macmiilka la abuuray ay ka soo muuqatay goobaha.

   

9. Hadda aan u gudubno habaynta NSX ee dhinaca macmiilka.

   Waxaan aadeynaa dhinaca NSX B, aad VPN -> L2VPN, awood L2VPN, u deji qaabka L2VPN qaabka macmiilka. Dhinaca Macmiilka Global tab, dhig ciwaanka iyo dekedda NSX A, kaas oo aanu hore ugu sheegnay inay yihiin Dhagaysiga IP iyo Dekedda dhinaca server-ka. Waxa kale oo lagama maarmaan ah in la dejiyo sir isku mid ah si ay u noqdaan kuwo joogto ah marka tunnelka kor loo qaado.

   
   
   Hoos ayaan u rogrogeynaa, dooro interface-ka hoose ee tunnelka L2VPN lagu dhisi doono.
   Ciwaanka Kadinka Hagaajinta Egress waxaanu dejinay ciwaanka albaabka. Deji user-ID iyo erayga sirta ah Waxaan dooranaa interface-ka hoose oo ha iloobin inaad kaydiso goobaha.

   

10. Dhab ahaantii, taasi waa dhammaan. Dejinta dhinaca macmiilka iyo server-kuba waa isku mid, marka laga reebo dhawr nuances.
11. Hadda waxaan arki karnaa in tunnelkeena uu shaqeeyay anagoo aadaya Tirakoobka -> L2VPN NSX kasta.

    

12. Haddii aan hadda tagno console-ka Edge Gateway, waxaan ku arki doonaa mid kasta oo ka mid ah miiska arp ciwaannada labada VM.

    

Taasi waa wax ku saabsan VPN NSX Edge. Weydii haddii ay wax aan caddayn. Sidoo kale waa qaybta ugu dambeysa ee maqaallo taxane ah oo ku saabsan la shaqeynta NSX Edge. Waxaan rajeyneynaa inay ahaayeen kuwo waxtar leh 🙂

Source: www.habr.com