Hello!
It is worth starting with the fact that we, as a telecom operator, have our own large MPLS network, in which fixed-line clients are divided into two main segments: one used directly for Internet access, and a separate one used to build isolated networks. It is through this MPLS segment that IPVPN (OSI L3) and VPLAN (OSI L2) traffic is carried for our corporate clients.
Usually, a client connection is set up as follows.
An access line is laid to the client's office from the nearest point of presence of the network (MEN node, RRL, BSSS, FTTB, etc.) to the router, where we terminate it in a VRF created specifically for that client, taking into account the traffic profile the client requires (profile labels are selected per access port, based on IP precedence values 0, 1, 3, 5).
If for some reason we cannot fully organize the last mile to the client (for example, the client's office is in a business centre where another provider is primary, or we simply have no point of presence nearby), then previously the client had to either build several IPVPN networks with different providers (not the cheapest architecture) or solve the problem independently by organizing access to their VRF over the Internet.
Many do this by installing an IPVPN Internet gateway: they install a border router (hardware or a Linux-based solution), connect the IPVPN channel to it on one port and the Internet channel on another, run their own VPN server on it and connect users through their own VPN gateway. Naturally, such a scheme also creates burdens: such infrastructure has to be built and, most unpleasantly, operated and developed.
To make life easier for our clients, we installed a centralized VPN hub and organized support for connections over the Internet using IPSec. That is, clients now only need to configure their router to work with our VPN hub over an IPSec tunnel across any public Internet connection, and we release that client's traffic into its VRF.
Who will find this useful?
- Those who already have a large IPVPN network and need new connections in a short time.
- Anyone who, for whatever reason, wants to move part of their traffic from the public Internet into the IPVPN, but previously ran into technical limitations tied to working with several service providers.
- Those who currently have several separate VPN networks with different telecom operators. There are clients who have successfully organized IPVPN from Beeline, Megafon, Rostelecom, etc. For simplicity, you can stay on just one of our VPNs, switch all the other operators' channels to plain Internet, and then connect to the Beeline IPVPN over IPSec through the Internet from those operators.
- Those who already have an IPVPN network overlaid on the Internet.
If you move everything to us, clients get full VPN support, core infrastructure redundancy, and standard configurations that will work on any router they use (whether Cisco or Mikrotik, the main thing is that it properly supports IPSec/IKEv2 with standard authentication methods). By the way, about IPSec: at the moment we support only it, but we plan to launch full support for OpenVPN and WireGuard, so that clients do not depend on the protocol and it is even easier to move everything to us, and we also want to start connecting clients from computers and mobile devices (solutions built into the OS, Cisco AnyConnect, strongSwan and the like). With this approach, building the infrastructure can de facto be safely handed over to the operator, leaving only the configuration of the CPE or host.
How the connection process works in IPSec mode:
- The client submits a request to their account manager, indicating the required connection speed, traffic profile, tunnel IP addressing parameters (by default, a subnet with a /30 mask) and routing type (static or BGP). To pass routes to the client's local networks in the connected office, either the IKEv2 mechanisms of the IPSec protocol are used through the appropriate settings on the client router, or the routes are announced via BGP into MPLS from the private BGP AS specified in the client's request. Thus, information about the client's network routes is fully controlled by the client through the client router's settings.
- In response, the client receives from the manager the account data for connecting to their VRF, in the form:
- VPN-HUB IP address
- Login
- Password for authentication
- Configure the CPE; below, as an example, are two basic configuration options:
Cisco option:
crypto ikev2 keyring BeelineIPsec_keyring
 peer Beeline_VPNHub
  ! Beeline VPN hub
  address 62.141.99.183
  pre-shared-key <authentication password>
!
For the static routing option, routes to the networks reachable via the VPN hub can be specified in the IKEv2 configuration, and they will automatically appear as static routes in the CE routing table. These settings can also be made with the standard method of configuring static routes (see below).
The route to the network behind the CE router is a mandatory setting of a static route between CE and PE. The route data is transferred to the PE automatically when the tunnel comes up, via the IKEv2 exchange.
crypto ikev2 authorization policy FlexClient-author
 ! office local network
 route set remote ipv4 10.1.1.0 255.255.255.0
!
crypto ikev2 profile BeelineIPSec_profile
 identity local <login>
 authentication local pre-share
 authentication remote pre-share
 keyring local BeelineIPsec_keyring
 aaa authorization group psk list group-author-list FlexClient-author
!
crypto ikev2 client flexvpn BeelineIPsec_flex
 peer 1 Beeline_VPNHub
 client connect Tunnel1
!
crypto ipsec transform-set TRANSFORM1 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile default
 set transform-set TRANSFORM1
 set ikev2-profile BeelineIPSec_profile
!
interface Tunnel1
 ! tunnel address
 ip address 10.20.1.2 255.255.255.252
 ! Internet access
 tunnel source GigabitEthernet0/2
 tunnel mode ipsec ipv4
 tunnel destination dynamic
 tunnel protection ipsec profile default
!
Routes to the client's private networks reachable via the Beeline VPN concentrator can be set statically:
ip route 172.16.0.0 255.255.0.0 Tunnel1
ip route 192.168.0.0 255.255.255.0 Tunnel1
Huawei option (AR160/AR120):
ike local-name <login>
#
acl name ipsec 3999
 # office local network
 rule 1 permit ip source 10.1.1.0 0.0.0.255
#
aaa
 service-scheme IPSEC
  route set acl 3999
#
ipsec proposal ipsec
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
#
ike proposal default
 encryption-algorithm aes-256
 dh group2
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
ike peer ipsec
 pre-shared-key <authentication password>
 local-id-type fqdn
 remote-id-type ip
 # Beeline VPN hub
 remote-address 62.141.99.183
 service-scheme IPSEC
 config-exchange request
 config-exchange set accept
 config-exchange set send
#
ipsec profile ipsecprof
 ike-peer ipsec
 proposal ipsec
#
interface Tunnel0/0/0
 # tunnel address
 ip address 10.20.1.2 255.255.255.252
 tunnel-protocol ipsec
 # Internet access
 source GigabitEthernet0/0/1
 ipsec profile ipsecprof
#
Routes to the client's private networks reachable via the Beeline VPN concentrator can be set statically:
ip route-static 192.168.0.0 255.255.255.0 Tunnel0/0/0
ip route-static 172.16.0.0 255.255.0.0 Tunnel0/0/0
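For a host that connects with strongSwan (one of the clients the article says will be supported later), here is an added swanctl.conf that mirrors the same IKEv2/PSK, AES-256/SHA-256, DH group 2 parameters as the two router configurations above. This is an example written for this edit, not a configuration template from Beeline, and it assumes the hub accepts a host peer that declares its private prefixes as traffic selectors instead of the IKEv2 route exchange used by the Cisco and Huawei CPE.

```ini
# /etc/swanctl/swanctl.conf (strongSwan 5.x) - constructed example, not an official Beeline template
connections {
    beeline-ipvpn {
        version = 2                      # IKEv2 only, matching the hub
        remote_addrs = 62.141.99.183     # Beeline VPN hub (address from the article)
        local_addrs  = %any              # any public Internet address the host has
        # IKE SA proposal: AES-256, SHA-256 integrity/PRF, DH group 2 (as in the Huawei example)
        proposals = aes256-sha256-modp1024
        local {
            auth = psk
            id = <login>                 # login issued by the account manager
        }
        remote {
            auth = psk
            id = 62.141.99.183           # the hub identifies itself by its IP address
        }
        children {
            office {
                # local office network and the private networks behind the hub
                # (assumption: the hub narrows to these selectors for a host peer)
                local_ts  = 10.1.1.0/24
                remote_ts = 172.16.0.0/16, 192.168.0.0/24
                # ESP: AES-256 with HMAC-SHA-256, tunnel mode is the default
                esp_proposals = aes256-sha256
                start_action = start     # bring the tunnel up when the daemon loads the config
                dpd_action = restart     # re-establish the SA if the hub stops answering DPD
            }
        }
        dpd_delay = 30s
    }
}

secrets {
    ike-beeline {
        id = <login>
        secret = "<authentication password>"
    }
}
```

Load it with `swanctl --load-all` and bring the tunnel up with `swanctl --initiate --child office`, then ping the far side of the tunnel as the article describes.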
The resulting connection diagram looks like this:
If the client does not have basic configuration examples, we usually help to draw them up and make them available to everyone.
All that remains is to connect the CPE to the Internet, ping the far side of the VPN tunnel and any host inside the VPN, and that is it: the connection can be considered established.
In the next article we will describe how we combined this scheme with IPSec and MultiSIM redundancy using Huawei CPE: we install our Huawei CPE at the client, which uses not only a wired Internet channel but also two different SIM cards, and the CPE automatically builds the IPSec tunnel either over the wired WAN or over radio (LTE#1/LTE#2), achieving high fault tolerance for the resulting service.
Special thanks to our R&D colleagues for preparing this article (and, in fact, for authoring these technical solutions)!
Source: www.habr.com