VMware NSX for the little ones. Part 6: Setting up VPN

Part one. Introduction
Part two. Configuring Firewall and NAT rules
Part three. Configuring DHCP
Part four. Setting up routing
Part five. Setting up the load balancer

Today we will look at the VPN configuration options offered by NSX Edge.

Broadly, VPN technology can be divided into two main types:

  • Site-to-site VPN. The most common use of IPsec is to build a secure tunnel, for example between the network of a main office and the network of a remote site or a cloud.
  • Remote access VPN. Used to connect individual users to an organisation's private networks by means of VPN client software.

NSX Edge lets us use both options.
We will do the configuration on a test bench with two NSX Edges, a Linux server with the racoon daemon installed, and a Windows laptop to test the Remote Access VPN.

IPsec

  1. In the vCloud Director interface, go to the Administration section and select the vDC. On the Edge Gateways tab, select the Edge we need, right-click it and choose Edge Gateway Services.
  2. In the NSX Edge interface, go to the VPN -> IPsec VPN tab, then to the IPsec VPN Sites section, and click + to add a new site.

  3. Fill in the required fields:
    • Enabled - enables the remote site.
    • PFS - ensures that each new cryptographic key is not derived from any previous key.
    • Local ID and Local Endpoint - the external address of the NSX Edge.
    • Local Subnets - the local networks that will use the IPsec VPN.
    • Peer ID and Peer Endpoint - the address of the remote site.
    • Peer Subnets - the networks on the remote side that will use the IPsec VPN.
    • Encryption Algorithm - the encryption algorithm for the tunnel.
    • Authentication - how we will authenticate the peer. You can use a Pre-Shared Key or a certificate.
    • Pre-Shared Key - specify the key that will be used for authentication; it must match on both sides.
    • Diffie-Hellman Group - the key exchange algorithm.

    After filling in the required fields, click Save.

  4. Done.

  5. After adding the site, go to the Activation Status tab and enable the IPsec Service.

  6. Once the settings have been applied, go to the Statistics -> IPsec VPN tab and check the tunnel state. We see that the tunnel is up.

  7. Check the tunnel state in the Edge gateway console:
    • show service ipsec - check the service status.
    • show service ipsec site - information about the site state and the negotiated parameters.
    • show service ipsec sa - check the Security Association (SA) status.

  8. Check connectivity on the remote site:
    root@racoon:~# ifconfig eth0:1 | grep inet
            inet 10.255.255.1  netmask 255.255.255.0  broadcast 0.0.0.0
    
    root@racoon:~# ping -c1 -I 10.255.255.1 192.168.0.10 
    PING 192.168.0.10 (192.168.0.10) from 10.255.255.1 : 56(84) bytes of data.
    64 bytes from 192.168.0.10: icmp_seq=1 ttl=63 time=59.9 ms
    
    --- 192.168.0.10 ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 0ms
    rtt min/avg/max/mdev = 59.941/59.941/59.941/0.000 ms
    

    Configuration files and additional diagnostic commands from the remote Linux server:

    root@racoon:~# cat /etc/racoon/racoon.conf 
    
    log debug;
    path pre_shared_key "/etc/racoon/psk.txt";
    path certificate "/etc/racoon/certs";
    
    listen {
      isakmp 80.211.43.73 [500];
       strict_address;
    }
    
    remote 185.148.83.16 {
            exchange_mode main,aggressive;
            proposal {
                     encryption_algorithm aes256;
                     hash_algorithm sha1;
                     authentication_method pre_shared_key;
                     dh_group modp1536;
             }
             generate_policy on;
    }
     
    sainfo address 10.255.255.0/24 any address 192.168.0.0/24 any {
             encryption_algorithm aes256;
             authentication_algorithm hmac_sha1;
             compression_algorithm deflate;
    }
    
    ===
    
    root@racoon:~# cat /etc/racoon/psk.txt
    185.148.83.16 testkey
    
    ===
    
    root@racoon:~# cat /etc/ipsec-tools.conf 
    #!/usr/sbin/setkey -f
    
    flush;
    spdflush;
    
    spdadd 192.168.0.0/24 10.255.255.0/24 any -P in ipsec
          esp/tunnel/185.148.83.16-80.211.43.73/require;
    
    spdadd 10.255.255.0/24 192.168.0.0/24 any -P out ipsec
          esp/tunnel/80.211.43.73-185.148.83.16/require;
    
    ===
    
    
    root@racoon:~# racoonctl show-sa isakmp
    Destination            Cookies                           Created
    185.148.83.16.500      2088977aceb1b512:a4c470cb8f9d57e9 2019-05-22 13:46:13 
    
    ===
    
    root@racoon:~# racoonctl show-sa esp
    80.211.43.73 185.148.83.16 
            esp mode=tunnel spi=1646662778(0x6226147a) reqid=0(0x00000000)
            E: aes-cbc  00064df4 454d14bc 9444b428 00e2296e c7bb1e03 06937597 1e522ce0 641e704d
            A: hmac-sha1  aa9e7cd7 51653621 67b3b2e9 64818de5 df848792
            seq=0x00000000 replay=4 flags=0x00000000 state=mature 
            created: May 22 13:46:13 2019   current: May 22 14:07:43 2019
            diff: 1290(s)   hard: 3600(s)   soft: 2880(s)
            last: May 22 13:46:13 2019      hard: 0(s)      soft: 0(s)
            current: 72240(bytes)   hard: 0(bytes)  soft: 0(bytes)
            allocated: 860  hard: 0 soft: 0
            sadb_seq=1 pid=7739 refcnt=0
    185.148.83.16 80.211.43.73 
            esp mode=tunnel spi=88535449(0x0546f199) reqid=0(0x00000000)
            E: aes-cbc  c812505a 9c30515e 9edc8c4a b3393125 ade4c320 9bde04f0 94e7ba9d 28e61044
            A: hmac-sha1  cd9d6f6e 06dbcd6d da4d14f8 6d1a6239 38589878
            seq=0x00000000 replay=4 flags=0x00000000 state=mature 
            created: May 22 13:46:13 2019   current: May 22 14:07:43 2019
            diff: 1290(s)   hard: 3600(s)   soft: 2880(s)
            last: May 22 13:46:13 2019      hard: 0(s)      soft: 0(s)
            current: 72240(bytes)   hard: 0(bytes)  soft: 0(bytes)
            allocated: 860  hard: 0 soft: 0
            sadb_seq=0 pid=7739 refcnt=0

  9. Everything is fine, the site-to-site IPsec VPN is up and working.

    In this example we used PSK peer authentication, but certificate authentication is also possible. To use it, go to the Global Configuration section, enable certificate authentication and select the certificate itself.

    In addition, you will need to change the authentication method in the site settings.

    Note that the number of IPsec tunnels depends on the size of the Edge Gateway deployed (read about this in our first article).
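A small consistency check for the remote side of the site-to-site tunnel, added here as an example (it is not part of the article or of the NSX product). It assumes the Edge site in step 3 was filled in with Local Endpoint 185.148.83.16 / Local Subnet 192.168.0.0/24 and Peer Endpoint 80.211.43.73 / Peer Subnet 10.255.255.0/24, which is what the racoon and setkey files in step 8 imply, and verifies that the remote host's SPD entries, `remote` block and PSK entry mirror those fields before you go looking at SA state.

```python
import re
# NSX Edge site fields as filled in for the article's lab (the Edge is
# 185.148.83.16, the remote racoon host is 80.211.43.73).
NSX_SITE = {
    "local_endpoint": "185.148.83.16", "local_subnet": "192.168.0.0/24",
    "peer_endpoint": "80.211.43.73", "peer_subnet": "10.255.255.0/24",
}
# Constructed excerpts of the remote host's files, using the article's values.
SETKEY_CONF = """
spdadd 192.168.0.0/24 10.255.255.0/24 any -P in ipsec
      esp/tunnel/185.148.83.16-80.211.43.73/require;
spdadd 10.255.255.0/24 192.168.0.0/24 any -P out ipsec
      esp/tunnel/80.211.43.73-185.148.83.16/require;
"""
RACOON_CONF = "remote 185.148.83.16 {\n    exchange_mode main,aggressive;\n}\n"
PSK_TXT = "185.148.83.16 testkey\n"

SPD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+\S+\s+-P\s+(in|out)\s+ipsec\s+"
    r"esp/tunnel/([\d.]+)-([\d.]+)/require;"
)

def parse_spd(text):
    """Map each spdadd direction to (src_net, dst_net, tunnel_src, tunnel_dst)."""
    return {m.group(3): (m.group(1), m.group(2), m.group(4), m.group(5))
            for m in SPD_RE.finditer(text)}

def check_remote_side(nsx, setkey_text, racoon_text, psk_text):
    """Return the mismatches between the NSX site fields and the remote config."""
    problems = []
    spd = parse_spd(setkey_text)
    # Seen from the remote host, inbound traffic is NSX subnet -> remote subnet
    # inside a tunnel NSX endpoint -> remote endpoint; outbound is the exact mirror.
    expected = {
        "in": (nsx["local_subnet"], nsx["peer_subnet"],
               nsx["local_endpoint"], nsx["peer_endpoint"]),
        "out": (nsx["peer_subnet"], nsx["local_subnet"],
                nsx["peer_endpoint"], nsx["local_endpoint"]),
    }
    for direction, want in expected.items():
        got = spd.get(direction)
        if got is None:
            problems.append(f"missing -P {direction} policy")
        elif got != want:
            problems.append(f"-P {direction} policy {got} != expected {want}")
    # racoon needs a 'remote' block for the NSX endpoint and psk.txt a key for it.
    remotes = set(re.findall(r"^\s*remote\s+([\d.]+)\s*\{", racoon_text, re.M))
    if nsx["local_endpoint"] not in remotes:
        problems.append(f"no 'remote {nsx['local_endpoint']}' block in racoon.conf")
    psk_peers = {ln.split()[0] for ln in psk_text.splitlines() if ln.strip()}
    if nsx["local_endpoint"] not in psk_peers:
        problems.append(f"no pre-shared key for {nsx['local_endpoint']} in psk.txt")
    return problems
```

An empty list means the remote policies and key entry mirror the Edge site; a swapped tunnel endpoint in one SPD entry, the most common copy-paste slip, is reported with the offending direction.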


SSL VPN

SSL VPN-Plus is one of the Remote Access VPN options. It allows remote users to connect securely to the private networks behind the NSX Edge Gateway. In the case of SSL VPN-Plus, the encrypted tunnel is established between the client (Windows, Linux, Mac) and the NSX Edge.

  1. Let's start the setup. In the Edge Gateway services panel, go to the SSL VPN-Plus tab, then to Server Settings. Select the address and port on which the server will listen for incoming connections, enable logging and select the required encryption algorithms.

    Here you can also change the certificate that the server will use.

  2. Once everything is ready, enable the server and don't forget to save the settings.

  3. Next, we need to set up the pool of addresses that will be handed out to clients when they connect. This network is separate from any subnet that exists in your NSX environment and does not need to be configured on other devices in the physical network, apart from the routes pointing to it.

    Go to the IP Pools tab and click +.

  4. Select the address range, subnet mask and gateway. Here you can also change the DNS and WINS server settings.

  5. The resulting pool.

  6. Now let's add the networks that users connecting to the VPN will have access to. Go to the Private Networks section and click +.

  7. Fill in:
    • Network - the local network that remote users will have access to.
    • Send traffic, with two options:
      - over tunnel - send traffic to the network through the tunnel,
      - bypass tunnel - send traffic to the network directly, bypassing the tunnel.
    • Enable TCP Optimization - tick this if you chose the over-tunnel option. When optimization is enabled, you can specify the port numbers whose traffic you want optimized. Traffic on the remaining ports of that network will not be optimized. If no port numbers are specified, traffic on all ports is optimized. Read more about this feature here.

  8. Next, go to the Authentication section and click +. For authentication we will use the local server on the NSX Edge itself.

  9. Here we can choose the policy for generating new passwords and configure the options for locking user accounts (for example, the number of retries when the password is entered incorrectly).

  10. Since we are using local authentication, we need to create users.

  11. In addition to the basics such as name and password, here you can, for example, forbid the user from changing the password or, conversely, force them to change the password at their next login.

  12. Once all the required users have been added, go to the Installation Packages tab, click + and create the installer itself, which the remote employee will download and install.

  13. Press +. Select the server address and port that the client will connect to, and the platforms for which you want to generate the installation package.

    Lower in this window you can specify the Windows client settings. Select:

    • start client on logon - the VPN client will be added to startup on the remote machine;
    • create desktop icon - creates a VPN client icon on the desktop;
    • server security certificate validation - the server certificate will be validated on connection.

    The server setup is complete.

  14. Now let's download the installation package we created in the previous step to the remote PC. When setting up the server, we specified its external address (185.148.83.16) and port (445). This is the address we need to open in a web browser. In my case it is 185.148.83.16:445.

    In the authorization window, enter the credentials of the user we created earlier.

  15. After authorization, we see the list of created installation packages available for download. We created only one, so we will download it.

  16. Click the link and the client download starts.

  17. Extract the downloaded archive and run the installer.

  18. After installation, launch the client and, in the authorization window, click Login.

  19. In the certificate validation window, select Yes.

  20. Enter the credentials of the previously created user and see that the connection was established successfully.

  21. Check the VPN client statistics on the local computer.

  22. On the Windows command line (ipconfig /all), we see that an additional adapter has appeared and there is connectivity to the remote network; everything works:

  23. And finally, check in the Edge Gateway console.

L2 VPN

L2VPN is needed when you want to join several geographically distributed networks into a single broadcast domain.

This can be useful, for example, when migrating a virtual machine: when a VM moves to another site, it keeps its IP address settings and does not lose connectivity with the other machines in the same L2 domain.

In our test scenario we will connect two sites to each other; we will call them A and B respectively. Machine A has the address 10.10.10.250/24, Machine B has the address 10.10.10.2/24.

  1. In vCloud Director, go to the Administration tab, open the required VDC, go to the Org VDC Networks tab and add two new networks.

  2. Select the routed network type and bind this network to our NSX. Tick the Create as subinterface checkbox.

  3. As a result, we should get two networks. In our example they are called network-a and network-b, with the same gateway settings and the same mask.

  4. Now let's go to the settings of the first NSX. This will be the NSX that Network A is connected to. It will act as the server.

    Return to the NSX Edge interface and go to the VPN -> L2VPN tab. Enable L2VPN, select the Server operating mode, and in the Server Global settings specify the external IP address of the NSX on which the tunnel port will listen. By default the socket opens on port 443, but this can be changed. Don't forget to choose the encryption settings for the future tunnel.

  5. Go to Server Sites and add a peer.

  6. Enable the peer, set a name and, if necessary, a description, and set a username and password. We will need this data later when setting up the client site.

    In Egress Optimization Gateway Address we set the gateway address. This is needed so that there is no IP address conflict, because the gateways of our networks have the same address. Then click the SELECT SUB-INTERFACES button.

  7. Here we select the required subinterface. Save the settings.

  8. We see that the newly created client site appears in the settings.

  9. Now let's move on to configuring the NSX on the client side.

    Go to NSX B, open VPN -> L2VPN, enable L2VPN and set the L2VPN mode to Client. On the Client Global tab, set the address and port of NSX A, which we specified earlier as the Listening IP and Port on the server side. The encryption settings must also be the same so that they match when the tunnel comes up.

    Scroll down and select the subinterface over which the L2VPN tunnel will be built. In Egress Optimization Gateway Address we set the gateway address. Set the user id and password. Select the subinterface and don't forget to save the settings.

  10. That is actually all. The client-side and server-side settings are almost identical, apart from a few nuances.
  11. Now we can see that our tunnel is working by going to Statistics -> L2VPN on either NSX.

  12. If we now open the console of either Edge Gateway, we will see the addresses of both VMs in the arp table on each of them.

That's all about VPN on NSX Edge. Ask if anything is unclear. This is also the final part of the series of articles on working with NSX Edge. We hope they were useful 🙂

Source: www.habr.com
