How to reach Beeline IPVPN via IPSec. Part 1

Hello! In a previous post I described how our MultiSIM service works in terms of channel redundancy and balancing. As mentioned there, we connect clients to the network via VPN, and today I will tell you a little about VPN and our capabilities in this area.

It is worth starting with the fact that we, as a telecom operator, have our own huge MPLS network, which for fixed-line clients is divided into two main segments: one used directly for Internet access, and one used to build private networks. It is in this second MPLS segment that IPVPN (OSI L3) and VPLAN (OSI L2) flow to our corporate clients.

In general, a client connection is made like this.

An access line is laid to the client's office from the nearest point of presence of the network (an MEN node, RRL, BSSS, FTTB, etc.), and from there the channel is carried over the transport network to the corresponding PE-MPLS router, where we land it in a VRF dedicated to the client, taking into account the traffic profile the client needs (profile labels are selected per access port, based on the ip precedence values 0, 1, 3, 5).

If for some reason we cannot fully organize the last mile for the client (for example, the client's office is in a business center where another provider has priority, or we simply have no point of presence nearby), then previously clients had to either build several IPVPN networks with different providers (not the cheapest arrangement) or solve the problem on their own by organizing access to their VRF over the Internet.

Many did this by installing an IPVPN Internet gateway: they put up a border router (hardware or a Linux-based solution), connected the IPVPN channel to it on one port and the Internet channel on another, launched their own VPN server on it, and connected users through their own VPN gateway. Naturally, such a scheme also creates burdens: such an infrastructure has to be built and, what is most inconvenient, operated and developed.

To make life easier for our clients, we installed a centralized VPN hub and organized support for connections over the Internet using IPSec. That is, clients now only need to configure their router to work with our VPN hub through an IPSec tunnel over any public Internet connection, and we release that client's traffic into its VRF.

Who will need this

  • Those who already have a large IPVPN network and need new connections in a short time.
  • Anyone who, for whatever reason, wants to move part of their traffic from the public Internet to IPVPN but previously ran into technical limitations tied to having several service providers.
  • Those who currently have several disparate VPN networks from different telecom operators. There are clients who have successfully organized IPVPN from Beeline, Megafon, Rostelecom, etc. For simplicity, you can stay on our single VPN only, switch all the other channels from other operators to the Internet, and then connect to Beeline IPVPN via IPSec over the Internet from those operators.
  • Those who already have an IPVPN network overlaid on the Internet.

If you move everything to us, clients get full VPN support, redundant infrastructure, and standard settings that will work on any router they are used to (be it Cisco or even Mikrotik; the main thing is that it properly supports IPSec/IKEv2 with standard authentication methods). By the way, about IPSec: at the moment we support only it, but we plan to launch full-fledged operation of both OpenVPN and Wireguard, so that clients do not depend on the protocol and it is even easier to take and move everything to us, and we also want to start connecting clients from computers and mobile devices (solutions built into the OS, Cisco AnyConnect, strongSwan and the like). With this approach, building the infrastructure can safely be handed over to the operator, leaving only the configuration of the CPE or host on the client side.

How the connection procedure works in IPSec mode:

  1. The client leaves a request with their manager, specifying the required connection speed, the traffic profile, the IP addressing parameters of the tunnel (by default, a subnet with a /30 mask) and the routing type (static or BGP). To pass routes to the local networks in the client's connected office, either the IKEv2 mechanisms of the IPSec protocol family are used, with the appropriate settings on the client router, or the routes are advertised via BGP into MPLS from the private BGP AS specified in the client's request. Thus, information about routes to client networks is fully controlled by the client through the settings of the client router.
  2. In response from their manager, the client receives the access data for inclusion in their VRF, of the form:
    • VPN-HUB IP address
    • Login
    • Authentication password
  3. The client configures the CPE; below, as an example, are two basic configuration options:

    Cisco option:
    crypto ikev2 keyring BeelineIPsec_keyring
     peer Beeline_VPNHub
      address 62.141.99.183     – Beeline VPN hub
      pre-shared-key <authentication password>
    !
    With the static routing option, routes to the networks reachable through the VPN hub can be specified in the IKEv2 configuration and will automatically appear as static routes in the CE routing table. These settings can also be made using the usual method of placing static routes (see below).

    crypto ikev2 authorization policy FlexClient-author

    The route to the networks behind the CE router is the static-route binding setting between CE and PE. The route data is passed to the PE automatically when the tunnel comes up, through the IKEv2 exchange.

     route set remote ipv4 10.1.1.0 255.255.255.0     – office local network
    !
    aaa new-model
    aaa authorization network group-author-list local     – not in the original listing; the list name referenced by the profile below must resolve to a local authorization method
    !
    crypto ikev2 profile BeelineIPSec_profile
     identity local fqdn <login>
     authentication local pre-share
     authentication remote pre-share
     keyring local BeelineIPsec_keyring
     aaa authorization group psk list group-author-list FlexClient-author
    !
    crypto ikev2 client flexvpn BeelineIPsec_flex
     peer 1 Beeline_VPNHub
     client connect Tunnel1
    !
    crypto ipsec transform-set TRANSFORM1 esp-aes 256 esp-sha256-hmac
     mode tunnel
    !
    crypto ipsec profile default
     set transform-set TRANSFORM1
     set ikev2-profile BeelineIPSec_profile
    !
    interface Tunnel1
     ip address 10.20.1.2 255.255.255.252     – tunnel address
     tunnel source GigabitEthernet0/2     – Internet access interface
     tunnel mode ipsec ipv4
     tunnel destination dynamic
     tunnel protection ipsec profile default
    !
    Routes to the client's private networks reachable through the Beeline VPN concentrator can be set statically.

    ip route 172.16.0.0 255.255.0.0 Tunnel1
    ip route 192.168.0.0 255.255.255.0 Tunnel1

    Huawei option (AR160/120):
    ike local-name <login>
    #
    acl name ipsec 3999
     rule 1 permit ip source 10.1.1.0 0.0.0.255     – office local network
    #
    aaa
     service-scheme IPSEC
      route set acl 3999
    #
    ipsec proposal ipsec
     esp authentication-algorithm sha2-256
     esp encryption-algorithm aes-256
    #
    ike proposal default
     encryption-algorithm aes-256
     dh group2
     authentication-algorithm sha2-256
     authentication-method pre-share
     integrity-algorithm hmac-sha2-256
     prf hmac-sha2-256
    #
    ike peer ipsec
     pre-shared-key simple <authentication password>
     local-id-type fqdn
     remote-id-type ip
     remote-address 62.141.99.183     – Beeline VPN hub
     service-scheme IPSEC
     config-exchange request
     config-exchange set accept
     config-exchange set send
    #
    ipsec profile ipsecprof
     ike-peer ipsec
     proposal ipsec
    #
    interface Tunnel0/0/0
     ip address 10.20.1.2 255.255.255.252     – tunnel address
     tunnel-protocol ipsec
     source GigabitEthernet0/0/1     – Internet access interface
     ipsec profile ipsecprof
    #
    Routes to the client's private networks reachable through the Beeline VPN concentrator can be set statically.

    ip route-static 192.168.0.0 255.255.255.0 Tunnel0/0/0
    ip route-static 172.16.0.0 255.255.0.0 Tunnel0/0/0
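As an added example that is not part of the original article or of Beeline's tooling, the following Python script audits CPE configuration text in the shape of the two snippets above and flags the points a reviewer would query before sign-off: a Diffie-Hellman group at or below 1536-bit MODP (the Huawei snippet's dh group2 is 1024-bit MODP, so both ends should agree on group 14 or an ECP group where the hub allows it), DES/3DES/MD5/SHA-1 keywords in IKE or ESP algorithm lines, and a pre-shared key stored with Huawei's simple keyword rather than cipher. The embedded sample configurations are constructed for the example and the secrets in them are placeholders; the function names and regular expressions are the example's own.

```python
import re

# Constructed sample in the shape of the page's Huawei snippet; the PSK is a placeholder.
SAMPLE_HUAWEI = """\
ike proposal default
 encryption-algorithm aes-256
 dh group2
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
ike peer ipsec
 pre-shared-key simple PSK_PLACEHOLDER
 local-id-type fqdn
 remote-id-type ip
#
ipsec proposal ipsec
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
"""

# Constructed sample in the shape of the page's Cisco IOS snippet; the PSK is a placeholder.
SAMPLE_CISCO = """\
crypto ikev2 keyring BeelineIPsec_keyring
 peer Beeline_VPNHub
  pre-shared-key PSK_PLACEHOLDER
!
crypto ipsec transform-set TRANSFORM1 esp-aes 256 esp-sha256-hmac
 mode tunnel
"""

# MODP groups 1/2/5 are 768/1024/1536-bit; current guidance is group 14 or the ECP groups.
WEAK_DH_GROUPS = {1, 2, 5}
# Vendor keywords that denote DES, 3DES, MD5 and SHA-1 once a line is split on spaces and '-'
# (IOS "esp-sha-hmac" is SHA-1 and yields "sha"; "esp-sha256-hmac" yields "sha256" and passes).
WEAK_TOKENS = {"des", "3des", "md5", "sha1", "sha"}
# Lines whose tokens carry algorithm choices on either vendor (Huawei "...-algorithm",
# IOS "transform-set", and IOS ikev2 proposal lines "encryption"/"integrity"/"prf").
ALGO_LINE = re.compile(r"algorithm|transform-set|^(?:encryption|integrity|prf)\b")
# Huawei "dh group2" and IOS "group 2 14" forms.
DH_LINE = re.compile(r"^(?:dh\s+group|group)\s*([\d ]+)$")


def audit(config: str) -> list[str]:
    """Return human-readable findings for weak crypto choices or plaintext PSK storage."""
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line in {"#", "!"}:
            continue
        low = line.lower()

        m = DH_LINE.match(low)
        if m:
            for g in m.group(1).split():
                if int(g) in WEAK_DH_GROUPS:
                    findings.append(f"weak DH group {g} (MODP <= 1536-bit): {line}")
            continue

        # Huawei 'simple' keeps the key readable in the running config; 'cipher' stores it
        # encrypted. The key itself is deliberately not echoed into the finding.
        if low.startswith("pre-shared-key simple "):
            findings.append("PSK stored in plaintext ('pre-shared-key simple'); use 'cipher'")
            continue

        if ALGO_LINE.search(low):
            bad = set(re.split(r"[\s-]+", low)) & WEAK_TOKENS
            if bad:
                findings.append(f"weak algorithm {sorted(bad)}: {line}")
    return findings


if __name__ == "__main__":
    for name, text in (("Huawei", SAMPLE_HUAWEI), ("Cisco", SAMPLE_CISCO)):
        print(name, audit(text) or "no findings")
```

Run against the page's own parameter set, the Cisco sample produces no findings, while the Huawei sample is flagged twice: for dh group2 and for the simple keyword. The check is intentionally line-based and vendor-agnostic rather than a full config parser, so it can be pointed at a show running-config dump as easily as at a snippet.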

The resulting connection diagram looks like this:

[figure: resulting connection diagram, Beeline IPVPN via IPSec]

If a client does not find a suitable basic configuration example here, we usually help draw one up and then make it available to everyone.

All that remains is to connect the CPE to the Internet, ping the responding side of the VPN tunnel and any host inside the VPN, and that's it: the connection can be considered made.

In the next article we will describe how we combined this scheme with IPSec and MultiSIM Redundancy using a Huawei CPE: we install our Huawei CPE at the client, which can use not only a wired Internet channel but also two different SIM cards, and the CPE automatically rebuilds the IPSec tunnel over the wired WAN or over radio (LTE#1/LTE#2), achieving high fault tolerance of the resulting service.

Special thanks to our RnD colleagues for preparing this article (and, in fact, to the authors of these technical solutions)!

Source: www.habr.com
