How to connect to Beeline IPVPN via IPSec. Part 1

Hello! In a previous post I described how our MultiSIM service works for channel backup and balancing. As mentioned there, we connect customers to the network via VPN, and today I will tell you a bit more about VPN and our capabilities in this area.

It is worth starting with the fact that we, as a telecom operator, have our own large MPLS network, in which fixed-line customers are divided into two main segments: one used for direct Internet access, and a separate one used to build isolated networks. It is through this MPLS segment that IPVPN (OSI L3) and VPLAN (OSI L2) traffic flows for our corporate customers.

Typically, a customer connection looks like this.

An access line is laid to the customer's office from the nearest point of presence in the network (a MEN node, RRL, BSSS, FTTB, etc.) to a router, where we terminate it into a VRF dedicated to that customer, taking into account the traffic profile the customer requires (profile labels are selected per access port, based on ip precedence values 0, 1, 3, 5).

If for some reason we cannot fully organize the last mile to the customer, for example because the customer's office is in a business center where another provider is primary, or because we have no point of presence nearby, then previously customers either had to build several IPVPN networks with different providers (not the cheapest architecture) or solve access to their VRF from the Internet on their own.

Many did this by installing an IPVPN Internet gateway: they set up a border router (hardware or a Linux-based solution), connected the IPVPN channel to it on one port and the Internet channel on another, ran their own VPN server on it and connected users through their own VPN gateway. Naturally, such a scheme also creates burdens: that infrastructure has to be built and, less pleasantly, operated and developed.

To make life easier for our customers, we installed a centralized VPN hub and organized support for connections over the Internet using IPSec. That is, customers now only need to configure their router to work with our VPN hub through an IPSec tunnel over any public Internet connection, and we release that customer's traffic into its VRF.

Who will find this useful?

  • Those who already have a large IPVPN network and need new connections quickly.
  • Anyone who, for some reason, wants to move part of their traffic from the public Internet into IPVPN, but previously ran into the technical limitations that come with multiple service providers.
  • Those who currently have several disparate VPN networks across different telecom operators. There are customers who have successfully built IPVPN from Beeline, Megafon, Rostelecom, etc. To simplify, you can stay on our single VPN, switch all the other operators' channels to Internet, and then connect to Beeline IPVPN via IPSec over the Internet from those operators.
  • Those who already have an IPVPN network overlaid on the Internet.

If you move everything to us, customers get full VPN support, redundancy of the core infrastructure, and standard settings that will work on any router they use (whether Cisco or Mikrotik, the main thing is that it properly supports IPSec/IKEv2 with standard authentication methods). By the way, about IPSec: at the moment we support only it, but we plan to launch full support for OpenVPN and Wireguard so that customers do not depend on the protocol and can move everything to us even more easily, and we also want to start connecting customers from computers and mobile devices (solutions built into the OS, Cisco AnyConnect, strongSwan and the like). With this approach, building the infrastructure can in practice be safely handed over to the operator, leaving only the configuration of the CPE or host.

How the connection process works in IPSec mode:

  1. The customer submits a request to their manager, indicating the required connection speed, the traffic profile, the tunnel IP addressing parameters (by default, a subnet with a /30 mask) and the routing type (static or BGP). To transfer routes to the customer's local networks at the connected office, either the mechanisms of the IKEv2 phase of the IPSec protocol are used, through the corresponding settings on the customer's router, or the routes are announced via BGP into MPLS from the customer's private BGP AS specified in the request. Thus, information about the customer's network routes is fully controlled by the customer through the settings of the customer's router.
  2. In response, the customer receives from their manager the account data for entering their VRF, in the form:
    • VPN-HUB IP address
    • Login
    • Authentication password
  3. Configure the CPE; below, as an example, are two basic configuration options:

    Cisco option:
    crypto ikev2 keyring BeelineIPsec_keyring
     peer Beeline_VPNHub
      address 62.141.99.183 - Beeline VPN hub
      pre-shared-key <Authentication password>
    !
    For the static routing option, routes to the networks reachable via the VPN hub can be specified in the IKEv2 configuration; they will then automatically appear as static routes in the CE routing table. This can also be done with the standard method of configuring static routes (see below).

    crypto ikev2 authorization policy FlexClient-author

    Route to the networks behind the CE router: a mandatory static route setting between the CE and the PE. The route data is passed to the PE automatically when the tunnel is brought up, through the IKEv2 exchange.

     route set remote ipv4 10.1.1.0 255.255.255.0 - Office local network
    !
    crypto ikev2 profile BeelineIPSec_profile
     identity local <login>
     authentication local pre-share
     authentication remote pre-share
     keyring local BeelineIPsec_keyring
     aaa authorization group psk list group-author-list FlexClient-author
    !
    crypto ikev2 client flexvpn BeelineIPsec_flex
     peer 1 Beeline_VPNHub
     client connect Tunnel1
    !
    crypto ipsec transform-set TRANSFORM1 esp-aes 256 esp-sha256-hmac
     mode tunnel
    !
    crypto ipsec profile default
     set transform-set TRANSFORM1
     set ikev2-profile BeelineIPSec_profile
    !
    interface Tunnel1
     ip address 10.20.1.2 255.255.255.252 - Tunnel address
     tunnel source GigabitEthernet0/2 - Internet access
     tunnel mode ipsec ipv4
     tunnel destination dynamic
     tunnel protection ipsec profile default
    !
    Routes to the customer's private networks reachable via the Beeline VPN concentrator can be set statically.

    ip route 172.16.0.0 255.255.0.0 Tunnel1
    ip route 192.168.0.0 255.255.255.0 Tunnel1

    Huawei option (AR160/120):
    ike local-name <login>
    #
    acl name ipsec 3999
     rule 1 permit ip source 10.1.1.0 0.0.0.255 - Office local network
    #
    aaa
     service-scheme IPSEC
      route set acl 3999
    #
    ipsec proposal ipsec
     esp authentication-algorithm sha2-256
     esp encryption-algorithm aes-256
    #
    ike proposal default
     encryption-algorithm aes-256
     dh group2
     authentication-algorithm sha2-256
     authentication-method pre-share
     integrity-algorithm hmac-sha2-256
     prf hmac-sha2-256
    #
    ike peer ipsec
     pre-shared-key <Authentication password>
     local-id-type fqdn
     remote-id-type ip
     remote-address 62.141.99.183 - Beeline VPN hub
     service-scheme IPSEC
     config-exchange request
     config-exchange set accept
     config-exchange set send
    #
    ipsec profile ipsecprof
     ike-peer ipsec
     proposal ipsec
    #
    interface Tunnel0/0/0
     ip address 10.20.1.2 255.255.255.252 - Tunnel address
     tunnel-protocol ipsec
     source GigabitEthernet0/0/1 - Internet access
     ipsec profile ipsecprof
    #
    Routes to the customer's private networks reachable via the Beeline VPN concentrator can be set statically.

    ip route-static 192.168.0.0 255.255.255.0 Tunnel0/0/0
    ip route-static 172.16.0.0 255.255.0.0 Tunnel0/0/0
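As an added example that is not part of the article or of Beeline's tooling, a small Python lint that parses the Cisco stanzas above and flags what a reviewer checks before the tunnel is brought up: that the transform set is AES-256/SHA-256 in tunnel mode, that the pre-shared key has been replaced from its placeholder, and that tunnel protection chains through an existing IPsec profile to an IKEv2 profile with pre-share authentication. The stanza names are the article's; the embedded config is its Cisco variant, trimmed, with a constructed placeholder key.

```python
# Added example, not from the article: a lint for the Cisco IKEv2/FlexVPN CPE config
# above. SAMPLE_CFG is the article's Cisco stanzas, trimmed, with a constructed placeholder PSK.
SAMPLE_CFG = """\
crypto ikev2 keyring BeelineIPsec_keyring
 peer Beeline_VPNHub
  address 62.141.99.183
  pre-shared-key <Authentication password>
crypto ikev2 profile BeelineIPSec_profile
 authentication remote pre-share
 keyring local BeelineIPsec_keyring
crypto ipsec transform-set TRANSFORM1 esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile default
 set transform-set TRANSFORM1
 set ikev2-profile BeelineIPSec_profile
interface Tunnel1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile default
"""

def parse_blocks(cfg):
    """Map each unindented stanza header to its stripped child lines."""
    blocks, cur = {}, None
    for line in filter(str.strip, cfg.splitlines()):
        if line[0] != " ":
            cur = blocks.setdefault(line.strip(), [])
        else:
            cur.append(line.strip())
    return blocks

def lint(cfg):
    """Return findings; an empty list means the config passes review."""
    b, out = parse_blocks(cfg), []
    for h, lines in b.items():
        # ESP must be AES-256 with SHA-256 HMAC in tunnel mode, as the hub expects.
        if h.startswith("crypto ipsec transform-set") and not (
                "esp-aes 256" in h and "esp-sha256-hmac" in h and "mode tunnel" in lines):
            out.append("weak or transport-mode transform set: " + h)
        # A key still in template form means the keyring was never customised.
        if any(l.startswith("pre-shared-key <") for l in lines):
            out.append("placeholder pre-shared-key in: " + h)
        # Tunnel protection must chain: ipsec profile -> IKEv2 profile with pre-share auth.
        if h.startswith("interface Tunnel"):
            prof = next((l.split()[-1] for l in lines if l.startswith("tunnel protection")), "")
            ike = next((l.split()[-1] for l in b.get("crypto ipsec profile " + prof, [])
                        if l.startswith("set ikev2-profile")), "")
            if "authentication remote pre-share" not in b.get("crypto ikev2 profile " + ike, []):
                out.append(h + ": tunnel protection does not reach an IKEv2 pre-share profile")
    return out
```

Run `lint(SAMPLE_CFG)` on the untouched sample and the only finding is the placeholder key; once it is replaced, the config passes.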

The resulting connection diagram looks like this:

[Connection diagram]

If a customer does not have basic configuration examples, we always help write them and make them available to everyone.

All that remains is to connect the CPE to the Internet, ping the far side of the VPN tunnel and any host inside the VPN, and that's it: the connection can be considered established.

In the next article we will describe how we combined this IPSec scheme with MultiSIM Redundancy using a Huawei CPE: we install our Huawei CPE at the customer's site, and it uses not only a wired Internet channel but also two different SIM cards, building the IPSec tunnel automatically either over the wired WAN or over radio (LTE#1/LTE#2), which gives the resulting service high fault tolerance.

Special thanks to our R&D colleagues for preparing this article (and, in fact, for being the authors of these technical solutions)!

Source: www.habr.com
