Uma inkampani yakho idlulisela noma ithola idatha yomuntu siqu kanye nolunye ulwazi oluyimfihlo ngenethiwekhi engaphansi kokuvikelwa ngokuvumelana nomthetho, kuyadingeka ukusebenzisa ukubethela kwe-GOST. Namuhla sizokutshela ukuthi sikusebenzise kanjani ukubethela okunjalo okusekelwe ku-S-Terra crypto gateway (CS) kwelinye lamakhasimende. Le ndaba izothakazelisa ochwepheshe bezokuphepha kolwazi, kanye nonjiniyela, abaklami nabadwebi bezakhiwo. Ngeke singene sijule kumanuances wokucushwa kobuchwepheshe kulokhu okuthunyelwe; sizogxila kumaphuzu abalulekile wokusetha okuyisisekelo. Inqwaba yemibhalo ekusetheni amadaemoni e-Linux OS, okusekelwe kuwo i-S-Terra CS, itholakala mahhala ku-inthanethi. Amadokhumenti okusetha isofthiwe ye-S-Terra yobunikazi nawo ayatholakala esidlangalaleni umkhiqizi.
Amagama ambalwa mayelana nephrojekthi
I-topology yenethiwekhi yekhasimende yayijwayelekile - inezikhala ezigcwele phakathi kwesikhungo namagatsha. Bekudingekile ukwethula ukubethela kweziteshi zokushintshana ngolwazi phakathi kwawo wonke amasayithi, okwakukhona angu-8.
Ngokuvamile kumaphrojekthi anjalo yonke into imile: imizila emile eya kunethiwekhi yendawo yesayithi isethwe ku-crypto gateways (CGs), izinhlu zamakheli e-IP (ACLs) zokubethela zibhalisiwe. Kodwa-ke, kulesi simo, amasayithi awanakho ukulawula okumaphakathi, futhi noma yini ingenzeka ngaphakathi kwamanethiwekhi awo endawo: amanethiwekhi angengezwa, asuswe, futhi alungiswe ngayo yonke indlela. Ukuze kugwenywe ukulungisa kabusha umzila kanye ne-ACL ku-KS lapho kushintsha ukusingathwa kwamanethiwekhi endawo kumasayithi, kwanqunywa ukuthi kusetshenziswe i-GRE tunneling kanye nomzila oguquguqukayo we-OSPF, ohlanganisa yonke i-KS namarutha amaningi ezingeni eliyinhloko lenethiwekhi kumasayithi ( kwamanye amasayithi, abalawuli bengqalasizinda bancamela ukusebenzisa i-SNAT ngase-KS kuma-kernel routers).
I-GRE tunneling isivumele ukuthi sixazulule izinkinga ezimbili:
1. Sebenzisa ikheli le-IP le-interface yangaphandle ye-CS ukuze ubhale ngemfihlo ku-ACL, ehlanganisa yonke ithrafikhi ethunyelwa kwamanye amasayithi.
2. Hlela imigudu ye-ptp phakathi kwe-CSs, ekuvumela ukuthi ulungiselele umzila oguquguqukayo (kithi, i-MPLS L3VPN yomhlinzeki ihlelwe phakathi kwamasayithi).
Iklayenti liyalele ukuqaliswa kokubethela njengesevisi. Uma kungenjalo, kwakuzodingeka angagcini nje ngokugcina amasango e-crypto noma akhiphele inhlangano ethile, kodwa futhi aqaphe ngokuzimela umjikelezo wokuphila wezitifiketi zokubethela, azivuselele ngesikhathi futhi afake ezintsha.
Futhi manje imemo yangempela - kanjani futhi yini esiyilungiselele
Qaphela esihlokweni se-CII: ukusetha isango le-crypto
Ukusethwa kwenethiwekhi okuyisisekelo
Okokuqala, sethula i-CS entsha futhi singena kukhonsoli yokuphatha. Kufanele uqale ngokushintsha iphasiwedi yomlawuli eyakhelwe ngaphakathi - umyalo shintsha umlawuli wephasiwedi yomsebenzisi. Ngemuva kwalokho udinga ukwenza inqubo yokuqalisa (i-command qalisa) lapho kufakwa idatha yelayisense futhi inzwa yenombolo engahleliwe (RNS) iqaliswa.
Nakani! Uma i-S-Terra CC iqaliswa, inqubomgomo yokuphepha iyasungulwa lapho izixhumanisi zesango lokuvikeleka zingavumeli amaphakethe ukuthi adlule. Kufanele uzenzele eyakho inqubomgomo noma usebenzise umyalo sebenzisa i-csconf_mgr yenza kusebenze sebenzisa inqubomgomo yokuvumela echazwe ngaphambilini.
Okulandelayo, udinga ukulungisa ikheli le-interfaces yangaphandle nengaphakathi, kanye nomzila ozenzakalelayo. Kungcono ukusebenza ngokucushwa kwenethiwekhi ye-CS futhi ulungiselele ukubethela usebenzisa ikhonsoli efana ne-Cisco. Le khonsoli yakhelwe ukufaka imiyalo efana nemiyalo ye-Cisco IOS. Ukulungiselelwa okukhiqizwa kusetshenziswa ikhonsoli efana ne-Cisco, yona, iguqulelwa kumafayela ahambisanayo okucupha asebenza ngawo amadaemoni e-OS. Ungaya kukhonsoli efana ne-Cisco ukusuka kukhonsoli yokuphatha ngomyalo lungisa.
Shintsha amagama ayimfihlo kuma-cscons owakhelwe ngaphakathi bese unika amandla:
>vumela
Iphasiwedi: csp(kufakwe ngaphambili)
#Lungisa itheminali
#igama lomsebenzisi cscons ilungelo 15 imfihlo 0 #vula imfihlo 0 Isetha ukucushwa kwenethiwekhi okuyisisekelo:
#interface GigabitEthernet0/0
#ikheli le-IP 10.111.21.3 255.255.255.0
#akukho ukuvala shaqa
#interface GigabitEthernet0/1
#ikheli le-IP 192.168.2.5 255.255.255.252
#akukho ukuvala shaqa
#ip umzila 0.0.0.0 0.0.0.0 10.111.21.254
GRE
Phuma kukhonsoli efana ne-Cisco bese uya kugobolondo le-debian ngomyalo uhlelo. Setha iphasiwedi yakho yomsebenzisi izimpande iqembu i-passwd.
Egunjini ngalinye lokulawula, umhubhe ohlukile ulungiselelwe isayithi ngalinye. Ukusebenzelana komhubhe kulungiselelwe kufayela / njll / inethiwekhi / ukuxhumana. Isisetshenziswa somhubhe we-IP, ofakwe kusethi ye-iproute2 efakwe ngaphambili, inesibopho sokudala isixhumi esibonakalayo ngokwaso. Umyalo wokudala isikhombimsebenzisi ubhalwe kunketho yangaphambilini.
Isibonelo sokucushwa kwesixhumi esibonakalayo somhubhe ojwayelekile:
indawo yezimoto1
i-iface site1 inet static
ikheli le-192.168.1.4
I-255.255.255.254 ye-netmask
umhubhe we-ip wangaphambili engeza i-site1 imodi gre yendawo 10.111.21.3 isilawuli kude 10.111.22.3 ukhiye hfLYEg^vCh6p
Nakani! Kufanele kuqashelwe ukuthi izilungiselelo zokusebenzelana komhubhe kufanele zibekwe ngaphandle kwesigaba
###netifcfg-qala###
*****
###netifcfg-end###
Uma kungenjalo, lezi zilungiselelo zizobhalwa ngaphezulu lapho kushintsha izilungiselelo zenethiwekhi yezokuxhumana ezingokoqobo kusetshenziswa ikhonsoli efana ne-Cisco.
Umzila onamandla
Ku-S-Terra, umzila oguquguqukayo usetshenziswa kusetshenziswa iphakheji yesofthiwe ye-Quagga. Ukumisa i-OSPF sidinga ukunika amandla futhi silungiselele ama-daemon i-zebra ΠΈ ospfd. I-zebra daemon inesibopho sokuxhumana phakathi kwama-daemon aqondisayo kanye ne-OS. I-ospfd daemon, njengoba igama liphakamisa, inesibopho sokusebenzisa umthetho olandelwayo we-OSPF.
I-OSPF ilungiswa ngekhonsoli ye-daemon noma ngokuqondile ngefayela lokucushwa /etc/quagga/ospfd.conf. Zonke izixhumi ezibonakalayo nezingumhubhe ezibamba iqhaza emzileni oguquguqukayo zengezwa kufayela, futhi amanethiwekhi azokhangiswa futhi amukele izimemezelo nawo ayamenyezelwa.
Isibonelo sokucushwa okudingeka kwengezwe kukho ospfd.conf:
isikhombimsebenzisi eth0
!
isikhombimsebenzisi eth1
!
I-interface yesayithi1
!
I-interface yesayithi2
i-router ospf
ospf router-id 192.168.2.21
inethiwekhi 192.168.1.4/31 indawo 0.0.0.0
inethiwekhi 192.168.1.16/31 indawo 0.0.0.0
inethiwekhi 192.168.2.4/30 indawo 0.0.0.0
Kulesi simo, amakheli 192.168.1.x/31 abekelwe amanethiwekhi e-ptp yomhubhe phakathi kwamasayithi, amakheli 192.168.2.x/30 abelwe amanethiwekhi ezokuthutha phakathi kwe-CS namarutha e-kernel.
Nakani! Ukuze unciphise ithebula lomzila ekufakweni okukhulu, ungakwazi ukuhlunga isimemezelo samanethiwekhi ezokuthutha ngokwawo usebenzisa izakhiwo. akukho ukusabalaliswa kabusha okuxhunyiwe noma ukusabalalisa kabusha imephu yomzila exhunyiwe.
Ngemva kokumisa ama-daemon, udinga ukushintsha isimo sokuqalisa samademoni ku /etc/quagga/daemons. Kokukhethwa kukho i-zebra ΠΈ ospfd alukho ushintsho ku-yebo. Qala i-quagga daemon bese uyimisa ukuze i-autorun lapho uqala umyalo we-KS vumela i-update-rc.d quagga.
Uma ukucushwa kwemigudu ye-GRE ne-OSPF kwenziwa ngendlela efanele, khona-ke imizila kunethiwekhi yamanye amasayithi kufanele ivele ku-KSh namarutha ayinhloko futhi, ngaleyo ndlela, ukuxhumana kwenethiwekhi phakathi kwamanethiwekhi endawo kuyavela.
Sibhala ngemfihlo ithrafikhi ethunyelwayo
Njengoba sekuvele kubhaliwe, ngokuvamile uma sibhala ngekhodi phakathi kwamasayithi, sicacisa ububanzi bamakheli e-IP (ACLs) lapho ithrafikhi ibethelwa phakathi kwayo: uma umthombo nekheli lendawo liwela phakathi kwalobu bubanzi, khona-ke ithrafikhi phakathi kwawo iyabethelwa. Nokho, kule phrojekthi isakhiwo sinamandla futhi amakheli angashintsha. Njengoba sesivele sikumisile umhubhe we-GRE, singacacisa amakheli e-KS angaphandle njengomthombo namakheli okuyiwa kuwo wokubhala ngemfihlo ithrafikhi - phela ithrafikhi eseyivele ihlanganiswe yiphrothokholi ye-GRE ifika ukuze ibethelwe. Ngamanye amazwi, yonke into engena ku-CS kusukela kunethiwekhi yendawo yesayithi eyodwa kuya kumanethiwekhi amenyezelwe ngamanye amasayithi ibethelwe. Futhi ngaphakathi kwesizinda ngasinye noma yikuphi ukuqondisa kabusha kungenziwa. Ngakho, uma kukhona noma yiluphi ushintsho kumanethiwekhi endawo, umlawuli udinga kuphela ukuguqula izimemezelo ezivela kunethiwekhi yakhe ziye kunethiwekhi, futhi izotholakala kwamanye amasayithi.
Ukubethela ku-S-Terra CS kwenziwa kusetshenziswa iphrothokholi ye-IPSec. Sisebenzisa i-algorithm ethi "Grasshopper" ngokuhambisana ne-GOST R 34.12-2015, futhi ngokuhambisana nezinguqulo ezindala ungasebenzisa i-GOST 28147-89. Ukufakazela ubuqiniso kungenziwa ngokobuchwepheshe kukho kokubili okhiye abachazwe ngaphambilini (ama-PSK) nezitifiketi. Kodwa-ke, ekusebenzeni kwezimboni kuyadingeka ukusebenzisa izitifiketi ezikhishwe ngokuhambisana ne-GOST R 34.10-2012.
Ukusebenza ngezitifiketi, iziqukathi nama-CRL kwenziwa kusetshenziswa insiza cert_mgr. Okokuqala, sebenzisa umyalo cert_mgr dala kuyadingeka ukukhiqiza isiqukathi sikakhiye wangasese kanye nesicelo sesitifiketi, esizothunyelwa Esikhungweni Sokuphathwa Kwesitifiketi. Ngemva kokuthola isitifiketi, kufanele singeniswe kanye nesitifiketi se-CA esiyimpande kanye ne-CRL (uma sisetshenziswa) nomyalo cert_mgr ukungenisa. Ungenza isiqiniseko sokuthi zonke izitifiketi nama-CRL afakiwe ngomyalo cert_mgr umbukiso.
Ngemva kokufaka izitifiketi ngempumelelo, hamba kukhonsoli efana ne-Cisco ukuze ulungiselele i-IPSec.
Sakha inqubomgomo ye-IKE ecacisa ama-algorithms nemingcele efiselekayo yesiteshi esivikelekile esidalwayo, esizonikezwa uzakwethu ukuze asigunyaze.
#crypto isakmp policy 1000
#encr gost341215k
#hash gost341112-512-tc26
#ubufakazi bokuqinisekisa
#group vko2
#impilo yonke 3600
Le nqubomgomo isetshenziswa uma kwakhiwa isigaba sokuqala se-IPSec. Umphumela wokuphothulwa ngempumelelo kwesigaba sokuqala wukusungulwa kwe-SA (Security Association).
Okulandelayo, sidinga ukuchaza uhlu lwamakheli e-IP kanye nendawo okuyiwa kuyo (ACL) yokubethela, sikhiqize isethi yokuguqula, sidale imephu ye-cryptographic (crypto map) futhi siyibophe ekuxhumaneni kwangaphandle kwe-CS.
Setha i-ACL:
#ip ukufinyelela-uhlu lwesayithi enwetshiwe1
#permit gre host 10.111.21.3 umsingathi 10.111.22.3
Isethi yokuguqulwa (okufanayo nesigaba sokuqala, sisebenzisa i-algorithm yokubethela ethi "Intethe" sisebenzisa imodi yokukhiqiza yokufaka yokulingisa):
#crypto ipsec transform-set GOST esp-gost341215k-mac
Sakha imephu ye-crypto, sicacisa i-ACL, siguqule isethi kanye nekheli lontanga:
#imephu ye-crypto MAIN 100 ipsec-isakmp
#match ikheli site1
#set guqula-setha i-GOST
#setha untanga 10.111.22.3
Sibophezela ikhadi le-crypto ku-interface yangaphandle yerejista yemali:
#interface GigabitEthernet0/0
#ikheli le-IP 10.111.21.3 255.255.255.0
#imephu ye-crypto MAIN
Ukubethela iziteshi namanye amasayithi, kufanele uphinde inqubo yokwakha i-ACL nekhadi le-crypto, uguqule igama le-ACL, amakheli e-IP kanye nenombolo yekhadi le-crypto.
Nakani! Uma ukuqinisekiswa kwesitifiketi nge-CRL kungasetshenziswa, lokhu kufanele kucaciswe ngokucacile:
#crypto pki trustpoint s-terra_technological_trustpoint
#ukuhoxiswa-ungahloli lutho
Kuleli qophelo, ukusetha kungabhekwa njengokuphelele. Ngokukhishwa komyalo we-Cisco-like console bonisa i-crypto isakmp sa ΠΈ bonisa i-crypto ipsec sa Isigaba sokuqala nesesibili esakhiwe se-IPSec kufanele sibonakale. Ulwazi olufanayo lungatholakala ngokusebenzisa umyalo sa_mgr umbukiso, ikhishwe kugobolondo le-debian. Ekuphumeni komyalo cert_mgr umbukiso Izitifiketi zesayithi elikude kufanele zivele. Isimo sezitifiketi ezinjalo sizoba kude. Uma imigudu ingakhiwa, udinga ukubheka ilogi yesevisi ye-VPN, egcinwe efayeleni /var/log/cspvpngate.log. Uhlu oluphelele lwamafayela elogi anencazelo yokuqukethwe kwawo luyatholakala kumadokhumenti.
Ukuqapha "impilo" yohlelo
I-S-Terra CC isebenzisa i-daemon ye-snmpd ejwayelekile ukuze iqaphe. Ngokungeziwe kumapharamitha ajwayelekile e-Linux, ngaphandle kwebhokisi i-S-Terra isekela ukukhishwa kwedatha mayelana namahubhu e-IPSec ngokuvumelana ne-CISCO-IPSEC-FLOW-MONITOR-MIB, okuyiyona nto esiyisebenzisayo uma siqapha isimo semigudu ye-IPSec. Ukusebenza kwama-OID angokwezifiso akhipha imiphumela yokwenziwa kombhalo njengamavelu nakho kuyasekelwa. Lesi sici sisivumela ukuthi silandelele amadethi okuphelelwa yisikhathi kwesitifiketi. Umbhalo obhaliwe udlulisa okukhiphayo komyalo cert_mgr umbukiso futhi ngenxa yalokho inikeza inani lezinsuku kuze kube yilapho izitifiketi zendawo nezempande ziphelelwa yisikhathi. Le nqubo ibalulekile uma unikeza inani elikhulu lama-CABG.
Iyini inzuzo yokubethela okunjalo?
Konke ukusebenza okuchazwe ngenhla kusekelwa ngaphandle kwebhokisi yi-S-Terra KSh. Okusho ukuthi, asikho isidingo sokufaka noma yimaphi amamojula engeziwe angathinta ukuqinisekiswa kwamasango e-crypto kanye nesitifiketi salo lonke uhlelo lolwazi. Kungaba khona noma yiziphi iziteshi phakathi kwamasayithi, ngisho nange-inthanethi.
Ngenxa yokuthi lapho ingqalasizinda yangaphakathi ishintsha, asikho isidingo sokulungisa amasango e-crypto, isistimu isebenza njengesevisi, okuyinto elula kakhulu kukhasimende: angabeka izinsizakalo zakhe (iklayenti kanye neseva) kunoma yimaphi amakheli, futhi zonke izinguquko zizodluliswa ngamandla phakathi kwemishini yokubethela.
Yiqiniso, ukubethela ngenxa yezindleko eziphezulu (i-overhead) kuthinta isivinini sokudlulisa idatha, kodwa kancane kuphela - ukuphuma kwesiteshi kungancipha ngo-5-10%. Ngesikhathi esifanayo, ubuchwepheshe buye bahlolwa futhi baboniswa imiphumela emihle ngisho naseziteshini zesathelayithi, ezingazinzile futhi ezinomkhawulokudonsa ophansi.
U-Igor Vinokhodov, unjiniyela womugqa wesibili wokuphatha we-Rostelecom-Solar
Source: www.habr.com