Configuring an IPSec Site-to-Site VPN on Palo Alto Networks devices

This article continues the earlier material devoted to the details of configuring Palo Alto Networks devices. Here we want to talk about configuring an IPSec Site-to-Site VPN on Palo Alto Networks devices and about possible configuration options for connecting several Internet providers.

This demonstration uses a typical scheme for connecting a head office and a branch. To provide fault-tolerant Internet connectivity, the head office uses simultaneous connections from two providers, ISP-1 and ISP-2. The branch has a connection to only one provider, ISP-3. Two tunnels are built between the firewalls PA-1 and PA-2. The tunnels operate in Active-Standby mode: Tunnel-1 is active, and Tunnel-2 starts forwarding traffic when Tunnel-1 fails. Tunnel-1 uses the connection to ISP-1, Tunnel-2 uses the connection to ISP-2. All IP addresses were generated randomly for demonstration purposes and have nothing to do with reality.

IPsec, a set of protocols that protects data transmitted over IP, will be used to build the Site-to-Site VPN. IPsec will run with the ESP (Encapsulating Security Payload) security protocol, which provides encryption of the transmitted data.

IPsec includes IKE (Internet Key Exchange), the protocol responsible for negotiating SAs (security associations), that is, the security parameters used to protect the transmitted data. PAN firewalls support IKEv1 and IKEv2.

In IKEv1 the VPN connection is built in two stages: IKEv1 Phase 1 (the IKE tunnel) and IKEv1 Phase 2 (the IPSec tunnel). Two tunnels are therefore created: one is used to exchange service information between the firewalls, the second to carry traffic. IKEv1 Phase 1 has two modes of operation, main mode and aggressive mode. Aggressive mode uses fewer messages and is faster, but it does not support Peer Identity Protection.

IKEv2 replaced IKEv1, and compared with IKEv1 its main advantages are lower bandwidth requirements and faster SA negotiation. IKEv2 uses fewer service messages (4 in total), supports the EAP and MOBIKE protocols, and adds a mechanism for checking the availability of the peer with which the tunnel is built, Liveness Check, instead of Dead Peer Detection in IKEv1. If the check fails, IKEv2 can tear down the tunnel and then automatically re-establish it at the first opportunity. You can read more about the differences here.

If the tunnel is built between firewalls from different vendors, there may be bugs in the IKEv2 implementation, and for compatibility with such devices IKEv1 can be used. In other cases it is better to use IKEv2.

Setup steps:

• Configuring two Internet providers in Active-Standby mode

There are several ways to accomplish this task. One of them is the Path Monitoring mechanism, available since PAN-OS 8.0.0. This example uses version 8.0.16. The feature is similar to IP SLA on Cisco routers. In the parameters of the static default route, sending ping packets to a specific IP address from a specific source address is configured. In this example, the ethernet1/1 interface pings the default gateway once per second. If there is no response to three pings in a row, the route is considered broken and is removed from the routing table. The same route is configured towards the second Internet provider, but with a higher metric (it is the backup). As soon as the first route is removed from the table, the firewall starts sending traffic via the second route: Failover. When the first provider starts responding to pings again, its route returns to the table and replaces the second one because of the better metric: Fail-Back. The Failover process takes a few seconds depending on the configured intervals, but in any case it is not instantaneous, and during this time traffic is lost. Fail-Back takes place without traffic loss. Failover can be made faster with BFD, if the Internet provider offers that option. BFD is supported starting from the PA-3000 Series and VM-100 models. As the ping address it is better to specify not the provider's gateway but a public address that is always reachable on the Internet.
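The Failover and Fail-Back behaviour described above, modelled as an added Python example (this is not code from the article or from Palo Alto Networks; PAN-OS implements Path Monitoring internally). It assumes one probe per interval, the article's count of three lost pings before a route is withdrawn, and metrics 10 and 20 for the ISP-1 and ISP-2 default routes; the route names and the outage sequence are constructed here:

```python
from dataclasses import dataclass


@dataclass
class MonitoredRoute:
    """A static default route whose next hop is probed by Path Monitoring."""
    name: str
    metric: int              # lower metric wins when both routes are installed
    fail_count: int = 3      # consecutive lost probes before the route is withdrawn
    failures: int = 0
    installed: bool = True   # present in the routing table

    def probe(self, answered: bool) -> None:
        """Apply one probe result (the article sends one ping per second)."""
        if answered:
            self.failures = 0
            self.installed = True        # Fail-Back: route reinstated as soon as pings answer again
        else:
            self.failures += 1
            if self.failures >= self.fail_count:
                self.installed = False   # Failover: route withdrawn from the routing table


def best_route(routes):
    """Routing-table lookup: lowest metric among the routes currently installed."""
    installed = [r for r in routes if r.installed]
    return min(installed, key=lambda r: r.metric) if installed else None


def simulate(routes, probe_results):
    """probe_results: one dict per interval mapping route name -> probe answered.
    Returns, per interval, the route that carried traffic, or 'LOST' when the
    selected next hop was actually unreachable (the detection window)."""
    carried = []
    for interval in probe_results:
        chosen = best_route(routes)
        if chosen is None or not interval[chosen.name]:
            carried.append("LOST")
        else:
            carried.append(chosen.name)
        for route in routes:             # the monitor reacts after this interval's probe
            route.probe(interval[route.name])
    return carried


def run_scenario():
    """Constructed scenario: ISP-1 goes down for five intervals, ISP-2 stays up."""
    routes = [MonitoredRoute("ISP-1", metric=10), MonitoredRoute("ISP-2", metric=20)]
    isp1_up = [True, True, False, False, False, False, False, True, True, True]
    probes = [{"ISP-1": up, "ISP-2": True} for up in isp1_up]
    return simulate(routes, probes)


if __name__ == "__main__":
    path = run_scenario()
    print(" ".join(path))
    print(f"intervals with lost traffic during Failover: {path.count('LOST')}")
```

Running it prints the path used in each of the ten intervals. The three LOST intervals are the detection window the article warns about (three probes at a one-second interval), while Fail-Back at the end switches without loss because the ISP-1 route is reinstated by the first successful probe and ISP-2 was still forwarding until then.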

• Creating tunnel interfaces

Traffic inside the tunnel is carried by special virtual interfaces. Each of them must be configured with an IP address from a transit network. In this example, subnet 172.16.1.0/30 is used for Tunnel-1 and subnet 172.16.2.0/30 for Tunnel-2.
Tunnel interfaces are created in the Network -> Interfaces -> Tunnel section. You need to specify the virtual router and the security zone, as well as an IP address from the corresponding transit network. The interface number can be anything.

In the Advanced section you can specify a Management Profile that permits ping on this interface; this can be useful for testing.

• Configuring the IKE Profile

The IKE profile is responsible for the first stage of creating the VPN connection; the IKE Phase 1 tunnel parameters are specified here. The profile is created in the Network -> Network Profiles -> IKE Crypto section. You must specify the encryption algorithm, the hashing algorithm, the Diffie-Hellman group and the key lifetime. In general, the more complex the algorithms, the worse the performance; they should be chosen according to specific security requirements. However, using a Diffie-Hellman group lower than 14 to protect sensitive information is strictly not recommended. This is due to a vulnerability in the protocol that can be mitigated only by using a modulus size of 2048 bits or more, or elliptic-curve cryptography algorithms, which are used in groups 19, 20, 21 and 24. These algorithms have higher performance than traditional cryptography. More details here and here.

• Configuring the IPSec Profile

The second stage of creating the VPN connection is the IPSec tunnel. Its SA parameters are configured in Network -> Network Profiles -> IPSec Crypto Profile. Here you need to specify the IPSec protocol, AH or ESP, and the SA parameters: hashing algorithms, encryption, Diffie-Hellman groups and the key lifetime. The SA parameters in the IKE Crypto Profile and the IPSec Crypto Profile may differ.
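An added check (not from the article or from PAN-OS) that applies the Diffie-Hellman baseline from the IKE Profile section to an IKE Crypto / IPSec Crypto profile pair like the two just described. Profile names, algorithm strings and lifetimes are constructed; the weak-hash list and the lifetime comparison are assumptions added here beyond what the article states. Group sizes are taken from the IETF RFCs that define the groups, and the table records that group 24 is a 2048-bit MODP group rather than an elliptic-curve group.

```python
from dataclasses import dataclass

# Diffie-Hellman group -> (kind, size in bits). Sizes per RFC 3526 (MODP 14-16),
# RFC 5114 (group 24) and RFC 5903 (ECP 19-21). Groups 1, 2 and 5 are the legacy MODP groups.
DH_GROUPS = {
    1: ("MODP", 768), 2: ("MODP", 1024), 5: ("MODP", 1536),
    14: ("MODP", 2048), 15: ("MODP", 3072), 16: ("MODP", 4096),
    19: ("ECP", 256), 20: ("ECP", 384), 21: ("ECP", 521),
    # group 24 is a 2048-bit MODP group with a 256-bit prime-order subgroup, not an elliptic-curve group
    24: ("MODP", 2048),
}

# Hash choices treated as weak by this check (an assumption added here, not from the article).
WEAK_HASHES = {"md5", "sha1"}


@dataclass
class CryptoProfile:
    name: str
    encryption: str
    hash: str
    dh_group: int
    lifetime_seconds: int


def dh_group_acceptable(group: int) -> bool:
    """Article's baseline: a MODP modulus of at least 2048 bits, or an elliptic-curve group."""
    kind, bits = DH_GROUPS.get(group, (None, 0))
    if kind == "MODP":
        return bits >= 2048
    return kind == "ECP"


def check_profiles(ike: CryptoProfile, ipsec: CryptoProfile) -> list:
    """Return human-readable findings for an IKE Crypto / IPSec Crypto profile pair."""
    findings = []
    for profile in (ike, ipsec):
        if not dh_group_acceptable(profile.dh_group):
            kind, bits = DH_GROUPS.get(profile.dh_group, ("unknown", 0))
            findings.append(f"{profile.name}: DH group {profile.dh_group} ({kind} {bits}-bit) "
                            f"is below the 2048-bit MODP / ECP baseline")
        if profile.hash in WEAK_HASHES:
            findings.append(f"{profile.name}: hash {profile.hash} is considered weak")
    # Assumption added here: the Phase 2 (IPSec) SA should not outlive the Phase 1 (IKE) SA
    # that protects its rekeying.
    if ipsec.lifetime_seconds > ike.lifetime_seconds:
        findings.append(f"{ipsec.name}: IPSec SA lifetime {ipsec.lifetime_seconds}s exceeds "
                        f"IKE SA lifetime {ike.lifetime_seconds}s")
    return findings


# Constructed profiles. The IKE and IPSec profiles deliberately differ (group 14 vs 19,
# 8 h vs 1 h lifetime), which the article notes is allowed.
GOOD_IKE = CryptoProfile("IKE-HQ", "aes-256-cbc", "sha256", 14, 8 * 3600)
GOOD_IPSEC = CryptoProfile("IPSEC-HQ", "aes-256-cbc", "sha256", 19, 1 * 3600)
WEAK_IKE = CryptoProfile("IKE-legacy", "aes-128-cbc", "sha1", 2, 3600)
WEAK_IPSEC = CryptoProfile("IPSEC-legacy", "3des", "md5", 5, 8 * 3600)

if __name__ == "__main__":
    for pair in ((GOOD_IKE, GOOD_IPSEC), (WEAK_IKE, WEAK_IPSEC)):
        print(f"{pair[0].name} / {pair[1].name}:", check_profiles(*pair) or ["ok"])
```

The legacy pair produces five findings: two DH groups below the baseline, two weak hashes and an IPSec lifetime longer than the IKE lifetime. Both profiles must be fixed, because the article's rule applies to the Phase 1 and the Phase 2 group independently.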

• Configuring the IKE Gateway

IKE Gateway is the object that describes the router or firewall with which the VPN tunnel is built. A separate IKE Gateway must be created for each tunnel. In this case two tunnels are created, one for each Internet provider. The corresponding outgoing interface and its IP address, the peer IP address and the pre-shared key are specified. Certificates can be used as an alternative to the pre-shared key.

The previously created IKE Crypto Profile is specified here. The parameters of the second IKE Gateway object are the same except for the IP addresses. If the Palo Alto Networks firewall is located behind a NAT router, NAT Traversal must be enabled.

• Configuring the IPSec Tunnel

IPSec Tunnel is the object that defines the IPSec tunnel parameters, as the name suggests. Here you need to specify the tunnel interface and the previously created IKE Gateway and IPSec Crypto Profile objects. To ensure that routing switches automatically to the backup tunnel, Tunnel Monitor must be enabled. This mechanism checks whether the peer is alive using ICMP traffic. As the destination address, specify the IP address of the peer's tunnel interface with which the tunnel is built. The profile defines the timers and the action to take if the connection is lost: Wait Recover waits until the connection is restored, Fail Over sends traffic along a different route, if one exists. Configuring the second tunnel is exactly the same; the second tunnel interface and IKE Gateway are specified.

• Configuring routing

This example uses static routing. On the PA-1 firewall, in addition to the two default routes, you need to define two routes to the branch subnet 10.10.10.0/24. One route uses Tunnel-1, the other Tunnel-2. The route via Tunnel-1 is the primary one because it has the lower metric. The Path Monitor mechanism is not used for these routes; Tunnel Monitor is responsible for the switchover.
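The Tunnel Monitor actions from the IPSec Tunnel section, applied to the two tunnel routes just described, as an added Python model (not code from the article or from PAN-OS). It assumes that three unanswered ICMP probes declare the tunnel down, metrics 10 and 20 for the Tunnel-1 and Tunnel-2 routes, and an eight-interval outage constructed here; it models only the routing effect of the two actions.

```python
from dataclasses import dataclass


@dataclass
class TunnelRoute:
    """Static route to the branch subnet through one tunnel interface."""
    tunnel: str
    metric: int
    installed: bool = True


@dataclass
class TunnelMonitor:
    """ICMP probes to the peer's tunnel-interface address; 'action' is the
    Wait Recover or Fail Over setting of the Tunnel Monitor profile."""
    action: str                # "wait-recover" or "fail-over"
    threshold: int = 3         # consecutive unanswered probes before the tunnel is declared down
    missed: int = 0
    up: bool = True

    def probe(self, answered: bool, route: TunnelRoute) -> None:
        if answered:
            self.missed = 0
            if not self.up:
                self.up = True
                route.installed = True       # tunnel recovered: its route returns under both actions
            return
        self.missed += 1
        if self.up and self.missed >= self.threshold:
            self.up = False
            if self.action == "fail-over":
                route.installed = False      # Fail Over: withdraw the route so the backup tunnel's route wins
            # Wait Recover: the route stays installed and the firewall keeps forwarding into the dead tunnel


def forwarding_tunnel(routes):
    """Lowest-metric installed route decides which tunnel carries branch-bound traffic."""
    candidates = [r for r in routes if r.installed]
    return min(candidates, key=lambda r: r.metric).tunnel if candidates else None


def simulate(action: str, tunnel1_peer_answers):
    """Per interval: the tunnel that carried traffic to 10.10.10.0/24, or 'LOST' when
    that tunnel's peer was down. The Tunnel-2 peer is assumed reachable throughout."""
    primary = TunnelRoute("Tunnel-1", metric=10)
    backup = TunnelRoute("Tunnel-2", metric=20)
    monitor = TunnelMonitor(action)
    carried = []
    for answered in tunnel1_peer_answers:
        chosen = forwarding_tunnel([primary, backup])
        carried.append("LOST" if chosen == "Tunnel-1" and not answered else chosen)
        monitor.probe(answered, primary)
    return carried


# Constructed outage: the Tunnel-1 peer stops answering for five intervals, then recovers.
OUTAGE = [True, False, False, False, False, False, True, True]

if __name__ == "__main__":
    for action in ("fail-over", "wait-recover"):
        print(f"{action:13s}", " ".join(simulate(action, OUTAGE)))
```

With Fail Over, traffic is lost only for the three probe intervals it takes to declare Tunnel-1 down, after which the Tunnel-2 route carries it until Tunnel-1 recovers. With Wait Recover, the Tunnel-1 route stays in the table for the whole outage, so the backup tunnel is never used and traffic is lost until the peer answers again. This is why the article enables Tunnel Monitor with a fail-over action rather than Path Monitor on these routes.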

Similar routes for the subnet 192.168.30.0/24 must be configured on PA-2.

• Configuring security rules

For the tunnel to work, three rules are required:

  1. For Path Monitor to work, allow ICMP on the external interface.
  2. For IPsec, allow the ike and ipsec applications on the external interface.
  3. Allow traffic between the internal subnets and the tunnel interface.
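The three rules as an added Python rule matcher (not code from the article or from PAN-OS), evaluated over constructed flows. The zone names (untrust, trust, vpn), the firewall's external address 198.51.100.2 and the branch peer address 203.0.113.5 are assumptions; the subnets 10.10.10.0/24 and 192.168.30.0/24 are the article's. The matcher reproduces PAN-OS's predefined intrazone-default allow and interzone-default deny, and adds one explicit deny for the external zone as hardening that the article does not mention.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str
    to_zone: str
    sources: tuple          # CIDR strings, or ("any",)
    destinations: tuple
    applications: tuple     # App-ID names, or ("any",)
    action: str = "allow"


@dataclass(frozen=True)
class Flow:
    from_zone: str
    to_zone: str
    src: str
    dst: str
    application: str


def _addr_matches(addr: str, cidrs: tuple) -> bool:
    return "any" in cidrs or any(ip_address(addr) in ip_network(c) for c in cidrs)


def match(rules, flow: Flow):
    """First-match evaluation, then the PAN-OS predefined rules:
    intrazone-default allows, interzone-default denies."""
    for rule in rules:
        if (rule.from_zone == flow.from_zone and rule.to_zone == flow.to_zone
                and _addr_matches(flow.src, rule.sources)
                and _addr_matches(flow.dst, rule.destinations)
                and ("any" in rule.applications or flow.application in rule.applications)):
            return rule.name, rule.action
    if flow.from_zone == flow.to_zone:
        return "intrazone-default", "allow"
    return "interzone-default", "deny"


# Constructed zones and addresses: untrust = the ISP-facing interfaces (198.51.100.2 on
# ethernet1/1), trust = the HQ LAN 192.168.30.0/24, vpn = the tunnel interfaces;
# 203.0.113.5 is the branch peer and 10.10.10.0/24 the branch LAN from the article.
RULES = (
    # 1. Path Monitor probes leave and return on the external interface
    Rule("path-monitor-ping", "untrust", "untrust", ("198.51.100.2/32",), ("any",), ("ping",)),
    # 2. IKE negotiation and ESP from the peer to the firewall's external address
    Rule("ipsec-peer", "untrust", "untrust", ("203.0.113.5/32",), ("198.51.100.2/32",), ("ike", "ipsec")),
    # 3. traffic between the internal subnet and the tunnel interfaces, in both directions
    Rule("hq-to-branch", "trust", "vpn", ("192.168.30.0/24",), ("10.10.10.0/24",), ("any",)),
    Rule("branch-to-hq", "vpn", "trust", ("10.10.10.0/24",), ("192.168.30.0/24",), ("any",)),
    # added hardening (assumption, not from the article): anything else aimed at the
    # external interface is denied instead of falling through to intrazone-default
    Rule("untrust-cleanup", "untrust", "untrust", ("any",), ("any",), ("any",), action="deny"),
)

# Constructed sample flows; 192.0.2.10 stands in for the public ping target.
SAMPLE_FLOWS = {
    "monitor ping to public address": Flow("untrust", "untrust", "198.51.100.2", "192.0.2.10", "ping"),
    "peer IKE to firewall": Flow("untrust", "untrust", "203.0.113.5", "198.51.100.2", "ike"),
    "peer SSH to firewall": Flow("untrust", "untrust", "203.0.113.5", "198.51.100.2", "ssh"),
    "HQ host to branch host": Flow("trust", "vpn", "192.168.30.15", "10.10.10.7", "web-browsing"),
    "branch host to HQ host": Flow("vpn", "trust", "10.10.10.7", "192.168.30.15", "web-browsing"),
    "spoofed source inside tunnel": Flow("vpn", "trust", "172.16.1.2", "192.168.30.15", "ssh"),
    "internet host to HQ LAN": Flow("untrust", "trust", "203.0.113.5", "192.168.30.15", "ssh"),
}


def evaluate_samples():
    """Map each sample flow label to the (rule name, action) that decided it."""
    return {label: match(RULES, flow) for label, flow in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for label, (rule, action) in evaluate_samples().items():
        print(f"{label:32s} -> {action:5s} by {rule}")
```

The two untrust-to-untrust rules matter because traffic to the firewall's own external interface is intrazone: without them, only the intrazone-default rule decides, and once that default is overridden (the cleanup rule here does the same job), IKE, ESP and the monitor pings stop unless they are explicitly allowed. The last two flows show that the tunnel rules are scoped to the real subnets, so a packet arriving through the tunnel with an unexpected source, or an Internet host aiming at the LAN, falls to interzone-default and is dropped.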

Conclusion

This article discussed one option for organizing fault-tolerant Internet connectivity together with a Site-to-Site VPN. We hope the information was useful and that the reader gained an idea of the technologies used in Palo Alto Networks devices. If you have questions about the configuration or suggestions for the topics of future articles, write them in the comments; we will be happy to answer.

Source: www.habr.com
