How to connect to Beeline IPVPN via IPSec. Part 1

Hello! In the previous post I described how our MultiSIM service works for redundancy and channel balancing. As mentioned there, we connect clients to the network via VPN, and today I will tell you a bit more about VPN and about our capabilities in this area.

It is worth starting with the fact that we, as a telecom operator, have our own large MPLS network, which for our network clients is divided into two large segments: one used directly for Internet access, and one used for building isolated networks. It is through this second MPLS segment that the IPVPN (L3 OSI) and VPLAN (L2 OSI) traffic of our corporate clients flows.

Typically, a client is connected as follows.

An access line is laid to the client's office from the nearest point of presence of the network (MEN node, RRL, BSSS, FTTB, etc.), and from there the channel is registered across the transport network up to the corresponding PE-MPLS router, where we terminate it into a VRF dedicated to that client, taking into account the traffic profile the client needs (profile labels are selected for each access port based on IP precedence values 0, 1, 3, 5).

If for some reason we cannot fully organize the last mile for the client, for example because the client's office is in a business center where another provider is primary, or because we simply have no point of presence nearby, then previously the client had to either build several IPVPN networks with different providers (not the most cost-effective construction) or solve the problem independently by organizing access to their VRF over the Internet.

Many did this by installing an IPVPN Internet gateway: they set up a border router (hardware or a Linux-based solution), connected the IPVPN channel to one of its ports and the Internet channel to another, brought up their own VPN server on it and connected users through their own VPN. Naturally, such a scheme also creates overhead: such an infrastructure has to be built and, most unpleasantly, operated and developed.

To make life easier for our clients, we installed a centralized VPN hub and organized support for connections over the Internet using IPSec. That is, clients now only need to configure their router to work with our VPN hub through an IPSec tunnel over any public Internet connection, and we release the client's traffic into its VRF.

Who needs it

  • Those who already have a large IPVPN network and need new connections in a short time.
  • Anyone who, for whatever reason, wants to move part of their traffic from the public Internet to IPVPN but has previously run into technical limitations related to having several service providers.
  • Those who currently have several disparate VPN networks across different telecom operators. There are clients who have successfully organized IPVPN from Beeline, Megafon, Rostelecom, etc. To simplify things, you can stay on our single VPN, switch all the sites served by other operators to the Internet, and then connect to Beeline IPVPN via IPSec over those operators' Internet access.
  • Those who already have an IPVPN network overlaid on the Internet.

If you run everything with us, clients get full VPN support, a significant reduction in infrastructure costs, and standard settings that will work on any router they are used to (whether Cisco or even Mikrotik; the main thing is that it properly supports IPSec/IKEv2 with standard authentication methods). By the way, about IPSec: right now we support only it, but we plan to launch full support for OpenVPN and Wireguard so that clients do not depend on the protocol and it is even easier to move everything to us, and we also want to start connecting clients from computers and mobile devices (solutions built into the OS, Cisco AnyConnect, strongSwan and the like). With this approach the de facto building of the infrastructure can be safely handed over to the operator, leaving only the configuration of the CPE or host.

How the connection scheme works for the IPSec method:

  1. The client submits a request to their manager, indicating the required connection speed, the traffic profile, the IP addressing parameters for the tunnel (by default a subnet with a /30 mask) and the routing type (static or BGP). To deliver routes to the local networks of the connected office, either the IKEv2 phase mechanisms of the IPSec protocol are used to apply the corresponding settings on the client's router, or the routes are announced via BGP into MPLS from the BGP AS specified in the client's request. Thus, the information about the routes to the client's networks is fully controlled by the provider through the settings of the client's router.
  2. In response, the client receives from their manager the accounting data to be included in their VRF, in the form:
    • VPN-HUB IP address
    • Login
    • Authentication password
  3. Configures the CPE; below, as an example, are two basic configuration options:

    Option for Cisco:
    crypto ikev2 keyring BeelineIPsec_keyring
     peer Beeline_VPNHub
      ! Beeline VPN hub
      address 62.141.99.183
      pre-shared-key <authentication password>
    !
    For the static routing option, the network routes reachable through the VPN hub can be described in the IKEv2 configuration and will automatically appear as static routes in the CE routing table. These settings can also be made using the more familiar method of defining static routes (see below).

    crypto ikev2 authorization policy FlexClient-author

    The route to the networks behind the CE router is a mandatory parameter for static routing between CE and PE. The route data is passed to the PE automatically when the tunnel is brought up during the IKEv2 exchange.

     ! office local network
     route set remote ipv4 10.1.1.0 255.255.255.0
    !
    crypto ikev2 profile BeelineIPSec_profile
     ! key-id as the local identity type is an assumption; the original only gives the login
     identity local key-id <login>
     authentication local pre-share
     authentication remote pre-share
     keyring local BeelineIPsec_keyring
     aaa authorization group psk list group-author-list FlexClient-author
    !
    crypto ikev2 client flexvpn BeelineIPsec_flex
     peer 1 Beeline_VPNHub
     client connect Tunnel1
    !
    crypto ipsec transform-set TRANSFORM1 esp-aes 256 esp-sha256-hmac
     mode tunnel
    !
    crypto ipsec profile default
     set transform-set TRANSFORM1
     set ikev2-profile BeelineIPSec_profile
    !
    interface Tunnel1
     ! tunnel address
     ip address 10.20.1.2 255.255.255.252
     ! Internet access interface
     tunnel source GigabitEthernet0/2
     tunnel mode ipsec ipv4
     tunnel destination dynamic
     tunnel protection ipsec profile default
    !
    Routes to the client's private networks reachable through the Beeline VPN concentrator can be configured statically.

    ip route 172.16.0.0 255.255.0.0 Tunnel1
    ip route 192.168.0.0 255.255.255.0 Tunnel1

    Option for Huawei (AR160/120):
    ike local-name <login>
    #
    acl name ipsec 3999
     # office local network
     rule 1 permit ip source 10.1.1.0 0.0.0.255
    #
    aaa
     service-scheme IPSEC
      route set acl 3999
    #
    ipsec proposal ipsec
     esp authentication-algorithm sha2-256
     esp encryption-algorithm aes-256
    #
    ike proposal default
     encryption-algorithm aes-256
     dh group2
     authentication-algorithm sha2-256
     authentication-method pre-share
     integrity-algorithm hmac-sha2-256
     prf hmac-sha2-256
    #
    ike peer ipsec
     pre-shared-key simple <authentication password>
     local-id-type fqdn
     remote-id-type ip
     # Beeline VPN hub
     remote-address 62.141.99.183
     service-scheme IPSEC
     config-exchange request
     config-exchange set accept
     config-exchange set send
    #
    ipsec profile ipsecprof
     ike-peer ipsec
     proposal ipsec
    #
    interface Tunnel0/0/0
     # tunnel address
     ip address 10.20.1.2 255.255.255.252
     tunnel-protocol ipsec
     # Internet access interface
     source GigabitEthernet0/0/1
     ipsec profile ipsecprof
    #
    Routes to the client's private networks reachable through the Beeline VPN concentrator can be configured statically.

    ip route-static 192.168.0.0 255.255.255.0 Tunnel0/0/0
    ip route-static 172.16.0.0 255.255.0.0 Tunnel0/0/0
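As an added example (not Beeline's tooling and not code from the original article), the script below renders the client-specific parts of the Cisco template from the step 1 request data and the step 2 accounting data, and validates the addressing before emitting anything, so that a bad /30 or an office network that is not private or overlaps the tunnel is rejected rather than pushed to the CE. The parameter names, the convention that the hub takes the first usable tunnel address, and the key-id identity type are assumptions.

```python
import ipaddress


def validate_request(tunnel_subnet: str, local_networks: list[str]) -> dict[str, str]:
    """Check the tunnel addressing (a /30 by default) and the office networks
    that will be pushed to the CE as static routes over IKEv2."""
    tun = ipaddress.ip_network(tunnel_subnet, strict=True)
    if tun.prefixlen != 30:
        raise ValueError(f"tunnel subnet must be a /30, got /{tun.prefixlen}")
    hub_ip, ce_ip = list(tun.hosts())  # assumed: hub takes .1, CE takes .2 (as in the sample above)
    for net in local_networks:
        n = ipaddress.ip_network(net, strict=True)
        if not n.is_private:
            raise ValueError(f"{net} is not an RFC 1918 range")
        if n.overlaps(tun):
            raise ValueError(f"{net} overlaps the tunnel subnet {tunnel_subnet}")
    return {"hub_tunnel_ip": str(hub_ip), "ce_tunnel_ip": str(ce_ip), "ce_mask": str(tun.netmask)}


def render_cisco(hub_address: str, login: str, psk: str, tunnel_subnet: str,
                 local_networks: list[str], wan_if: str = "GigabitEthernet0/2") -> str:
    """Emit the client-specific sections of the Cisco template (keyring, pushed
    routes, IKEv2 profile, tunnel interface); the fixed crypto sections are omitted."""
    addr = validate_request(tunnel_subnet, local_networks)
    lines = ["crypto ikev2 keyring BeelineIPsec_keyring",
             " peer Beeline_VPNHub",
             f"  address {hub_address}",
             f"  pre-shared-key {psk}",
             "!",
             "crypto ikev2 authorization policy FlexClient-author"]
    for net in local_networks:  # every office network becomes a route pushed at tunnel setup
        n = ipaddress.ip_network(net)
        lines.append(f" route set remote ipv4 {n.network_address} {n.netmask}")
    lines += ["!",
              "crypto ikev2 profile BeelineIPSec_profile",
              f" identity local key-id {login}",  # key-id identity type is an assumption
              " authentication local pre-share",
              " authentication remote pre-share",
              " keyring local BeelineIPsec_keyring",
              " aaa authorization group psk list group-author-list FlexClient-author",
              "!",
              "interface Tunnel1",
              f" ip address {addr['ce_tunnel_ip']} {addr['ce_mask']}",
              f" tunnel source {wan_if}",
              " tunnel mode ipsec ipv4",
              " tunnel destination dynamic",
              " tunnel protection ipsec profile default",
              "!"]
    return "\n".join(lines)
```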

The resulting interaction diagram looks like this:


If the client has no basic configuration templates, we usually help to put them together and make them publicly available.

All that remains is to connect the CPE to the Internet, ping the far end of the VPN tunnel and any host inside the VPN, and that's it: the connection can be considered established.

In the next article we will tell how we combined this IPSec scheme with MultiSIM Redundancy on Huawei CPE: we install our Huawei CPE at the client, which can use not only the wired Internet channel but also 2 different SIM cards, and the CPE rebuilds the IPSec tunnel either over the wired WAN or over radio (LTE#1/LTE#2), ensuring high fault tolerance of the resulting service.

Special thanks to our RnD colleagues for preparing this article (and, in fact, to the authors of these technical solutions)!

Source: www.habr.com
