VMware NSX bakeng sa bana ba banyenyane. Karolo ea 6: Setupo sa VPN

Karolo ea pele. selelekela
Karolo ea bobeli. Ho lokisa Firewall le Melao ea NAT
Karolo ea boraro. Ho lokisa DHCP
Karolo ea bone. Tlhophiso ea litsela
Karolo ea bohlano. Ho theha sekala sa mojaro

Kajeno re tlo sheba likhetho tsa tlhophiso ea VPN tseo NSX Edge e re fang tsona.

Ka kakaretso, re ka arola mahlale a VPN ka mefuta e 'meli ea bohlokoa:

• VPN ea sebaka sa marang-rang. Tšebeliso e tloaelehileng ea IPSec ke ho etsa kotopo e sireletsehileng, mohlala, pakeng tsa marang-rang a maholo a ofisi le marang-rang sebakeng se hōle kapa marung.
• Remote Access VPN. E sebelisoa ho hokahanya basebelisi ka bomong ho marang-rang a ikemetseng a sebelisa software ea bareki ba VPN.

NSX Edge e re lumella ho sebelisa likhetho ka bobeli.
Re tla lokisa ho sebelisa benche ea liteko ka NSX Edge tse peli, seva sa Linux se nang le daemon e kentsoeng sebapali le laptop ea Windows ho leka Remote Access VPN.

IPsec

1. Ka vCloud Director segokanyimmediamentsi sa sebolokigolo, ho ea ho Tsamaiso karolo le khetha vDC. Ho tab ea Edge Gateways, khetha Edge eo re e hlokang, tobetsa ka ho le letona ebe u khetha Edge Gateway Services.
   
2. Ka sebopeho sa NSX Edge, e-ea tabeng ea VPN-IPsec VPN, ebe u ea karolong ea IPsec VPN Sites ebe u tobetsa + ho eketsa sebaka se secha.

   

3. Tlatsa likarolo tse hlokahalang:
   • E nolofalitsoe – e kenya tshebetsong sebaka se hole.
   • PFS - e netefatsa hore senotlolo se seng le se seng se secha sa cryptographic ha se amane le senotlolo leha e le sefe se fetileng.
   • ID ea sebakeng sa heno le sebaka sa ho qetela sa lehaet ke aterese ea kantle ea NSX Edge.
   • subnet ea lehaes - marang-rang a lehae a tla sebelisa IPsec VPN.
   • Peer ID le Peer Endpoint – aterese ea sebaka se hole.
   • Lithaka tsa lithaka - marang-rang a tla sebelisa IPsec VPN ka lehlakoreng le ka thōko.
   • Algorithm ea encryption - algorithm ea encryption ea kotopo.

   
   

   • netefatso - ka moo re tla netefatsa thaka. U ka sebelisa Senotlolo sa Pre-Shared kapa setifikeiti.
   • Senotlolo se Arolelitsoeng Pele - hlakisa senotlolo se tla sebelisoa bakeng sa netefatso mme e tlameha ho bapisa mahlakore ka bobeli.
   • Sehlopha sa Diffie Hellman - algorithm ea phapanyetsano ea senotlolo.

   Kamora ho tlatsa likarolo tse hlokahalang, tobetsa Boloka.

   

4. E entsoe.

   

5. Ka mor'a ho eketsa sebaka sa marang-rang, e-ea ho "Active Status" tab 'me u kenye tšebeletso ea IPsec.

   

6. Ka mor'a hore litlhophiso li sebelisoe, e-ea ho Lipalo-palo -> IPsec VPN tab 'me u hlahlobe boemo ba kotopo. Rea bona hore kotopo e tsohile.

   

7. Sheba boemo ba kotopo ho tloha ho Edge gateway console:
   • bontša tšebeletso ipsec - hlahloba boemo ba tšebeletso.

     

   • bonts'a sebaka sa ts'ebeletso sa ipsec - Tlhahisoleseding ka boemo ba sebaka sa marang-rang le liparamente tseo ho buisanoeng ka tsona.

     

   • bontša tšebeletso ipsec sa - hlahloba boemo ba Mokhatlo oa Tšireletso (SA).

     

8. Ho hlahloba khokahanyo le saete e hole:

   root@racoon:~# ifconfig eth0:1 | grep inet
           inet 10.255.255.1  netmask 255.255.255.0  broadcast 0.0.0.0
   
   root@racoon:~# ping -c1 -I 10.255.255.1 192.168.0.10 
   PING 192.168.0.10 (192.168.0.10) from 10.255.255.1 : 56(84) bytes of data.
   64 bytes from 192.168.0.10: icmp_seq=1 ttl=63 time=59.9 ms
   
   --- 192.168.0.10 ping statistics ---
   1 packets transmitted, 1 received, 0% packet loss, time 0ms
   rtt min/avg/max/mdev = 59.941/59.941/59.941/0.000 ms
   

   Lifaele tsa tlhophiso le litaelo tse ling tsa tlhahlobo ho tsoa ho seva sa Linux se hole:

   root@racoon:~# cat /etc/racoon/racoon.conf 
   
   log debug;
   path pre_shared_key "/etc/racoon/psk.txt";
   path certificate "/etc/racoon/certs";
   
   listen {
     isakmp 80.211.43.73 [500];
      strict_address;
   }
   
   remote 185.148.83.16 {
           exchange_mode main,aggressive;
           proposal {
                    encryption_algorithm aes256;
                    hash_algorithm sha1;
                    authentication_method pre_shared_key;
                    dh_group modp1536;
            }
            generate_policy on;
   }
    
   sainfo address 10.255.255.0/24 any address 192.168.0.0/24 any {
            encryption_algorithm aes256;
            authentication_algorithm hmac_sha1;
            compression_algorithm deflate;
   }
   
   ===
   
   root@racoon:~# cat /etc/racoon/psk.txt
   185.148.83.16 testkey
   
   ===
   
   root@racoon:~# cat /etc/ipsec-tools.conf 
   #!/usr/sbin/setkey -f
   
   flush;
   spdflush;
   
   spdadd 192.168.0.0/24 10.255.255.0/24 any -P in ipsec
         esp/tunnel/185.148.83.16-80.211.43.73/require;
   
   spdadd 10.255.255.0/24 192.168.0.0/24 any -P out ipsec
         esp/tunnel/80.211.43.73-185.148.83.16/require;
   
   ===
   
   
   root@racoon:~# racoonctl show-sa isakmp
   Destination            Cookies                           Created
   185.148.83.16.500      2088977aceb1b512:a4c470cb8f9d57e9 2019-05-22 13:46:13 
   
   ===
   
   root@racoon:~# racoonctl show-sa esp
   80.211.43.73 185.148.83.16 
           esp mode=tunnel spi=1646662778(0x6226147a) reqid=0(0x00000000)
           E: aes-cbc  00064df4 454d14bc 9444b428 00e2296e c7bb1e03 06937597 1e522ce0 641e704d
           A: hmac-sha1  aa9e7cd7 51653621 67b3b2e9 64818de5 df848792
           seq=0x00000000 replay=4 flags=0x00000000 state=mature 
           created: May 22 13:46:13 2019   current: May 22 14:07:43 2019
           diff: 1290(s)   hard: 3600(s)   soft: 2880(s)
           last: May 22 13:46:13 2019      hard: 0(s)      soft: 0(s)
           current: 72240(bytes)   hard: 0(bytes)  soft: 0(bytes)
           allocated: 860  hard: 0 soft: 0
           sadb_seq=1 pid=7739 refcnt=0
   185.148.83.16 80.211.43.73 
           esp mode=tunnel spi=88535449(0x0546f199) reqid=0(0x00000000)
           E: aes-cbc  c812505a 9c30515e 9edc8c4a b3393125 ade4c320 9bde04f0 94e7ba9d 28e61044
           A: hmac-sha1  cd9d6f6e 06dbcd6d da4d14f8 6d1a6239 38589878
           seq=0x00000000 replay=4 flags=0x00000000 state=mature 
           created: May 22 13:46:13 2019   current: May 22 14:07:43 2019
           diff: 1290(s)   hard: 3600(s)   soft: 2880(s)
           last: May 22 13:46:13 2019      hard: 0(s)      soft: 0(s)
           current: 72240(bytes)   hard: 0(bytes)  soft: 0(bytes)
           allocated: 860  hard: 0 soft: 0
           sadb_seq=0 pid=7739 refcnt=0

9. Tsohle li lokile, IPsec VPN ea sebaka sa marang-rang e ntse e sebetsa.

   Mohlaleng ona, re sebelisitse PSK bakeng sa netefatso ea lithaka, empa netefatso ea setifikeiti le eona ea khonahala. Ho etsa sena, eya ho tab ya Global Configuration, etsa bonnete ba setifikeiti ebe o kgetha setifikeiti ka bosona.

   Ho phaella moo, litlhophisong tsa sebaka sa marang-rang, u tla hloka ho fetola mokhoa oa ho netefatsa.

   
   
   
   
   Kea hlokomela hore palo ea lithanele tsa IPsec e ipapisitse le boholo ba Edge Gateway e kentsoeng (bala ka sena ho rona. sehlooho sa pele).

   

SSL VPN

SSL VPN-Plus ke e 'ngoe ea likhetho tsa Remote Access VPN. E lumella basebelisi ba hole ka bomong ho hokela ka mokhoa o sireletsehileng marang-rang a ikemetseng ka morao ho NSX Edge Gateway. kotopo e kentsoeng molemong oa SSL VPN-plus e thehiloe lipakeng tsa moreki (Windows, Linux, Mac) le NSX Edge.

1. Ha re qaleng ho theha. Ka har'a karolo ea taolo ea ts'ebeletso ea Edge Gateway, e ea ho SSL VPN-Plus tab, ebe u ea ho Litlhophiso tsa Seva. Re khetha aterese le boema-kepe moo seva se tla mamela likhokahano tse tlang, re lumelle ho rema lifate ebe re khetha li-algorithms tse hlokahalang tsa encryption.

   
   
   Mona o ka boela oa fetola setifikeiti seo seva se tla se sebelisa.

   

2. Ka mor'a hore ntho e 'ngoe le e' ngoe e lokisoe, bulela seva 'me u se ke ua lebala ho boloka litlhophiso.

   

3. Ka mor'a moo, re hloka ho theha letamo la liaterese tseo re tla li fa bareki ha re hokahanya. Marang-rang ana a arohane le subnet efe kapa efe e teng tikolohong ea hau ea NSX 'me ha e hloke ho hlophisoa lisebelisoa tse ling ho marang-rang a sebele, ntle le litsela tse e supang.

   Eya ho IP Pools tab ebe o tobetsa +.

   

4. Khetha liaterese, subnet mask le heke. Mona o ka boela oa fetola litlhophiso tsa li-server tsa DNS le WINS.

   

5. Letamo la sephetho.

   

6. Joale ha re kenyeng marang-rang ao basebelisi ba hokelang VPN ba tla khona ho fihlella ho ona. Eya ho "Private Networks tab" ebe o tobetsa +.

   

7. Re tlatsa:
   • Marang-rang - marang-rang a lehae ao basebelisi ba hole ba tla ba le phihlello ho ona.
   • Romella sephethephethe, se na le likhetho tse peli:
     - ka holim'a kotopo - romella sephethe-phethe ho marang-rang ka kotopo,
     - kotopo ea bypass - romela sephethephethe ho marang-rang ho feta kotopo ka kotloloho.
   • Numella TCP Optimization - hlahloba hore na u khethile khetho e fetang kotopo. Ha optimization e nolofalitsoe, o ka hlakisa linomoro tsa boema-kepe tseo u batlang ho ntlafatsa sephethephethe ho tsona. Sephethephethe bakeng sa likou tse setseng ho netweke eo e ke ke ea ntlafatsoa. Haeba ho se na linomoro tsa boema-kepe tse boletsoeng, sephethephethe bakeng sa likou tsohle se tla ntlafatsoa. Bala haholoanyane ka tšobotsi ena mona.

   

8. E latelang, e ea ho "Athentication tab" ebe u tobetsa +. Bakeng sa netefatso, re tla sebelisa seva ea lehae ho NSX Edge ka boeona.

   

9. Mona re ka khetha maano a ho hlahisa li-password tse ncha le ho hlophisa likhetho tsa ho thibela li-account tsa mosebelisi (mohlala, palo ea ho leka hape haeba password e kentsoe ka phoso).

   
   
   

10. Kaha re sebelisa netefatso ea lehae, re hloka ho theha basebelisi.

    

11. Ntle le lintho tsa mantlha tse kang lebitso le phasewete, mona u ka etsa mohlala, ho thibela mosebelisi ho fetola phasewete kapa, ka lehlakoreng le leng, u mo qobelle ho fetola phasewete nakong e tlang ha a kena.

    

12. Ka mor'a hore basebelisi bohle ba hlokehang ba kenyelelitsoe, e-ea tabeng ea "Instalation Packages", tobetsa + 'me u thehe mochine ka boeona, o tla kopitsoa ke mosebeletsi ea hole bakeng sa ho kenya.

    

13. Tobetsa +. Khetha aterese le koung ea seva eo moreki a tla hokela ho eona, le liforomo tseo u batlang ho li hlahisa sephutheloana sa ho kenya.

    
    
    Ka tlase fensetereng ena, o ka hlakisa litlhophiso tsa bareki bakeng sa Windows. Khetha:

    • qala moreki ho logon - moreki oa VPN o tla eketsoa ho qala mochini o hole;
    • theha lets'oao la komporo - e tla theha lets'oao la moreki oa VPN komporong;
    • netefatso ya setifikeiti sa tshireletso ya seva - e tla netefatsa setifikeiti sa seva ha o hokela.
      Ho seta seva ho felile.

    

14. Joale ha re khoasolle sephutheloana sa ho kenya seo re se entseng mohatong oa ho qetela ho PC e hole. Ha re theha seva, re boletse aterese ea eona ea kantle (185.148.83.16) le port (445). Ke atereseng ena moo re hlokang ho kena ka har'a sebatli sa marang-rang. Tabeng ea ka ho joalo 185.148.83.16: 445.

    Ka fensetere ea tumello, o tlameha ho kenya lintlha tsa mosebelisi eo re mo entseng pejana.

    

15. Kamora tumello, re bona lethathamo la liphutheloana tse entsoeng tse fumanehang bakeng sa ho jarolleloa. Re thehile e le 'ngoe feela - re tla e jarolla.

    

16. Re tobetsa sehokelo, download ea moreki e qala.

    

17. Hlakola polokelo e jarollotsoeng 'me u tsamaise sesebelisoa.

    

18. Kamora ho kenya, qala moreki, ka fensetere ea tumello, tobetsa Kena.

    

19. Fesetereng ya netefatso ya setifikeiti, kgetha Ee.

    

20. Re kenya lintlha tsa mosebelisi ea entsoeng pele 'me re bona hore khokahano e phethetsoe ka katleho.

    
    
    

21. Re hlahloba lipalo-palo tsa mofani oa VPN khomphuteng ea lehae.

    
    
    

22. Moleng oa taelo oa Windows (ipconfig / all), re bona hore adaptara e eketsehileng e hlahile mme ho na le khokahano ho marang-rang a hole, tsohle lia sebetsa:

    
    
    

23. 'Me qetellong, hlahloba ho tsoa ho khomphutha ea Edge Gateway.

    

L2 VPN

L2VPN e tla hlokahala ha o hloka ho kopanya libaka tse 'maloa
abela marang-rang sebakeng se le seng sa khaso.

Sena se ka ba molemo, ka mohlala, ha u falla mochine oa sebele: ha VM e fallela sebakeng se seng sa libaka, mochine o tla boloka litlhophiso tsa aterese ea IP 'me o ke ke oa lahleheloa ke khokahanyo le mechine e meng e sebakeng se le seng sa L2 le eona.

Sebakeng sa rona sa liteko, re tla hokahanya libaka tse peli ho tse ling, re tla li bitsa A le B, ka ho latellana. Re na le li-NSX tse peli le marang-rang a mabeli a bōpiloeng ka tsela e tšoanang a khomaretsoeng ka mahlakoreng a fapaneng. Mochini oa A o na le aterese 10.10.10.250/24, Mochini oa B o na le aterese 10.10.10.2/24.

1. Ho vCloud Director, e-ea tabeng ea Tsamaiso, e-ea VDC eo re e hlokang, e-ea ho Org VDC Networks tab 'me u kenye marang-rang a mabeli a macha.

   

2. Khetha mofuta oa marang-rang o tsamaisoang 'me u tlamelle marang-rang ena ho NSX ea rona. Re beha lebokose la "Checkbox" e le subinterface.

   

3. Ka lebaka leo, re lokela ho fumana marang-rang a mabeli. Mohlala oa rona, li bitsoa network-a le network-b e nang le litlhophiso tse tšoanang tsa heke le mask a tšoanang.

   
   
   

4. Joale ha re ee ho litlhophiso tsa NSX ea pele. Ena e tla ba NSX eo Network A e khomaretsoeng ho eona. E tla sebetsa joalo ka seva.

   Re khutlela ho NSx Edge interface / Eya ho tab ya VPN -> L2VPN. Re bulela L2VPN, khetha mokhoa oa ts'ebetso ea Seva, ho litlhophiso tsa Server Global re hlakisa aterese ea kantle ea NSX IP eo kou ea kotopo e tla mamela. Ka ho sa feleng, sokete e tla buloa ho port 443, empa sena se ka fetoloa. Se ke oa lebala ho khetha litlhophiso tsa encryption bakeng sa kotopo e tlang.

   

5. Eya ho "Server Sites" tab 'me u kenye thaka.

   

6. Re bulela lithaka, re beha lebitso, tlhaloso, haeba ho hlokahala, beha lebitso la mosebelisi le password. Re tla hloka data ena hamorao ha re theha sebaka sa bareki.

   Atereseng ea Egress Optimization Gateway re beha aterese ea heke. Sena sea hlokahala e le hore ho se be le likhohlano tsa liaterese tsa IP, hobane monyako oa marang-rang a rona o na le aterese e tšoanang. Ebe o tobetsa konopo ea KHETHA SUB-INTERFACES.

   

7. Mona re khetha subinterface e lakatsehang. Re boloka li-setting.

   

8. Rea bona hore sebaka sa bareki se sa tsoa thehoa se hlahile litlhophisong.

   

9. Joale ha re tsoeleng pele ho lokisa NSX ho tloha lehlakoreng la bareki.

   Re ea lehlakoreng la NSX B, ea ho VPN -> L2VPN, nolofalletsa L2VPN, beha mokhoa oa L2VPN ho mokhoa oa bareki. Ho Client Global tab, beha aterese le koung ea NSX A, eo re e boletseng pejana e le Ho mamela IP le Port ka lehlakoreng la seva. Ho boetse hoa hlokahala ho beha litlhophiso tse tšoanang tsa encryption e le hore li lumellane ha kotopo e phahamisoa.

   
   
   Re phenya ka tlase, khetha subinterface eo ka eona kotopo ea L2VPN e tla hahuoa.
   Atereseng ea Egress Optimization Gateway re beha aterese ea heke. Seta ID ea mosebelisi le password. Re khetha subinterface mme u se ke ua lebala ho boloka litlhophiso.

   

10. Haele hantle, ke phetho. Litlhophiso tsa lehlakore la bareki le seva li batla li tšoana, ntle le li-nuances tse 'maloa.
11. Joale re ka bona hore kotopo ea rona e sebelitse ka ho ea ho Lipalopalo -> L2VPN ho NSX efe kapa efe.

    

12. Haeba joale re ea ho console ea Edge Gateway efe kapa efe, re tla bona ho e 'ngoe le e' ngoe ea tsona tafoleng ea arp liaterese tsa li-VM ka bobeli.

    

Ke tsohle tse mabapi le VPN ho NSX Edge. Botsa hore na ho na le ntho e sa hlakang. Hape ke karolo ea ho qetela ea letoto la lingoloa tse mabapi le ho sebetsa le NSX Edge. Re tšepa hore li bile le thuso 🙂

Source: www.habr.com