I-VMware NSX yabancane. Ingxenye 6. Ukusetha i-VPN

Ingxenye yokuqala. isingeniso
Ingxenye yesibili. Ilungiselela i-Firewall kanye nemithetho ye-NAT
Ingxenye yesithathu. Ukusethwa kwe-DHCP
Ingxenye yesine. Isetha umzila
Ingxenye yesihlanu. Layisha Ukusethwa Kwebhalansi

Namuhla sizobheka izinketho zokucushwa kwe-VPN esinikezwa yi-NSX Edge.

Ngokuvamile, singahlukanisa ubuchwepheshe be-VPN zibe izinhlobo ezimbili ezibalulekile:

• I-VPN yesayithi kuya kusayithi. Ukusetshenziswa okuvamile kwe-IPSec ukwakha umhubhe ovikelekile, isibonelo, phakathi kwenethiwekhi yehhovisi elikhulu nenethiwekhi endaweni ekude noma emafini.
• I-VPN yokufinyelela kude. Isetshenziselwa ukuxhuma abasebenzisi ngabanye kumanethiwekhi ayimfihlo enhlangano kusetshenziswa isofthiwe yeklayenti le-VPN.

I-NSX Edge isivumela ukuthi sikwenze kokubili.
Sizokwenza ukusetha sisebenzisa ibhentshi lokuhlola elinama-NSX Edges amabili, iseva ye-Linux efakwe i-daemon. i-racoon kanye nekhompuyutha ephathekayo ye-Windows ukuhlola i-VPN yokufinyelela kude.

I-IPsec

1. Ku-interface ye-vCloud Director, iya esigabeni Sokuphatha bese ukhetha i-vDC. Kuthebhu ye-Edge Gateways, khetha i-Edge esiyidingayo, chofoza kwesokudla bese ukhetha i-Edge Gateway Services.
   
2. Ku-interface ye-NSX Edge, iya kuthebhu ye-VPN-IPsec VPN, bese uye esigabeni se-IPsec VPN Amasayithi bese uchofoza + ukuze wengeze isayithi elisha.

   

3. Gcwalisa izinkambu ezidingekayo:
   • Inikwe amandla – yenza kusebenze isayithi ekude.
   • I-PFS - iqinisekisa ukuthi ukhiye omusha ngamunye we-cryptographic awuhlotshaniswa nanoma yimuphi ukhiye wangaphambilini.
   • I-ID yendawo kanye nendawo yokugcinat – Ikheli langaphandle le-NSX Edge.
   • i-subnet yendawos – amanethiwekhi endawo azosebenzisa i-IPsec VPN.
   • I-ID yontanga kanye nephoyinti lokugcina lontanga – ikheli lesayithi elikude.
   • I-Peer Subnets - amanethiwekhi azosebenzisa i-IPsec VPN ohlangothini olukude.
   • I-algorithm yokubethela - I-algorithm yokubethela komhubhe.

   
   

   • Ukufakazela ubuqiniso – sizoqinisekisa kanjani untanga. Ungasebenzisa ukhiye owabiwe ngaphambilini noma isitifiketi.
   • Ukhiye owabiwe ngaphambilini – khombisa ukhiye ozosetshenziselwa ukufakazela ubuqiniso futhi kumele uhambisane nhlangothi zombili.
   • Iqembu le-Diffie Hellman – key exchange algorithm.

   Ngemva kokugcwalisa izinkambu ezidingekayo, chofoza Gcina.

   

4. Kwenziwe.

   

5. Ngemva kokwengeza isayithi, hamba kuthebhu Yesimo Sokuqalisa futhi wenze kusebenze Isevisi ye-IPsec.

   

6. Ngemuva kokuthi izilungiselelo zisetshenziswe, hamba ku-Statistics -> IPsec VPN ithebhu bese uhlola isimo somhubhe. Siyabona ukuthi umhubhe uvukile.

   

7. Ake sihlole isimo somhubhe kukhonsoli yesango le-Edge:
   • khombisa isevisi ipsec – hlola isimo sesevisi.

     

   • bonisa isayithi le-ipsec yesevisi - ulwazi mayelana nesimo sesayithi kanye nemingcele okuvunyelwene ngayo.

     

   • bonisa isevisi ipsec sa - hlola isimo se-Security Association (SA).

     

8. Ihlola ukuxhumeka nesayithi elikude:

   root@racoon:~# ifconfig eth0:1 | grep inet
           inet 10.255.255.1  netmask 255.255.255.0  broadcast 0.0.0.0
   
   root@racoon:~# ping -c1 -I 10.255.255.1 192.168.0.10 
   PING 192.168.0.10 (192.168.0.10) from 10.255.255.1 : 56(84) bytes of data.
   64 bytes from 192.168.0.10: icmp_seq=1 ttl=63 time=59.9 ms
   
   --- 192.168.0.10 ping statistics ---
   1 packets transmitted, 1 received, 0% packet loss, time 0ms
   rtt min/avg/max/mdev = 59.941/59.941/59.941/0.000 ms
   

   Amafayela okulungiselela kanye nemiyalo eyengeziwe yokuxilongwa kusuka kuseva ye-Linux ekude:

   root@racoon:~# cat /etc/racoon/racoon.conf 
   
   log debug;
   path pre_shared_key "/etc/racoon/psk.txt";
   path certificate "/etc/racoon/certs";
   
   listen {
     isakmp 80.211.43.73 [500];
      strict_address;
   }
   
   remote 185.148.83.16 {
           exchange_mode main,aggressive;
           proposal {
                    encryption_algorithm aes256;
                    hash_algorithm sha1;
                    authentication_method pre_shared_key;
                    dh_group modp1536;
            }
            generate_policy on;
   }
    
   sainfo address 10.255.255.0/24 any address 192.168.0.0/24 any {
            encryption_algorithm aes256;
            authentication_algorithm hmac_sha1;
            compression_algorithm deflate;
   }
   
   ===
   
   root@racoon:~# cat /etc/racoon/psk.txt
   185.148.83.16 testkey
   
   ===
   
   root@racoon:~# cat /etc/ipsec-tools.conf 
   #!/usr/sbin/setkey -f
   
   flush;
   spdflush;
   
   spdadd 192.168.0.0/24 10.255.255.0/24 any -P in ipsec
         esp/tunnel/185.148.83.16-80.211.43.73/require;
   
   spdadd 10.255.255.0/24 192.168.0.0/24 any -P out ipsec
         esp/tunnel/80.211.43.73-185.148.83.16/require;
   
   ===
   
   
   root@racoon:~# racoonctl show-sa isakmp
   Destination            Cookies                           Created
   185.148.83.16.500      2088977aceb1b512:a4c470cb8f9d57e9 2019-05-22 13:46:13 
   
   ===
   
   root@racoon:~# racoonctl show-sa esp
   80.211.43.73 185.148.83.16 
           esp mode=tunnel spi=1646662778(0x6226147a) reqid=0(0x00000000)
           E: aes-cbc  00064df4 454d14bc 9444b428 00e2296e c7bb1e03 06937597 1e522ce0 641e704d
           A: hmac-sha1  aa9e7cd7 51653621 67b3b2e9 64818de5 df848792
           seq=0x00000000 replay=4 flags=0x00000000 state=mature 
           created: May 22 13:46:13 2019   current: May 22 14:07:43 2019
           diff: 1290(s)   hard: 3600(s)   soft: 2880(s)
           last: May 22 13:46:13 2019      hard: 0(s)      soft: 0(s)
           current: 72240(bytes)   hard: 0(bytes)  soft: 0(bytes)
           allocated: 860  hard: 0 soft: 0
           sadb_seq=1 pid=7739 refcnt=0
   185.148.83.16 80.211.43.73 
           esp mode=tunnel spi=88535449(0x0546f199) reqid=0(0x00000000)
           E: aes-cbc  c812505a 9c30515e 9edc8c4a b3393125 ade4c320 9bde04f0 94e7ba9d 28e61044
           A: hmac-sha1  cd9d6f6e 06dbcd6d da4d14f8 6d1a6239 38589878
           seq=0x00000000 replay=4 flags=0x00000000 state=mature 
           created: May 22 13:46:13 2019   current: May 22 14:07:43 2019
           diff: 1290(s)   hard: 3600(s)   soft: 2880(s)
           last: May 22 13:46:13 2019      hard: 0(s)      soft: 0(s)
           current: 72240(bytes)   hard: 0(bytes)  soft: 0(bytes)
           allocated: 860  hard: 0 soft: 0
           sadb_seq=0 pid=7739 refcnt=0

9. Konke sekumi ngomumo, i-IPsec VPN yendawo kuya kusayithi imisiwe futhi iyasebenza.

   Kulesi sibonelo, sisebenzise i-PSK ukuze sigunyaze intanga, kodwa ukuqinisekiswa kwesitifiketi nakho kuyinketho. Ukwenza lokhu, iya kuthebhu yokucushwa komhlaba wonke, vumela ukuqinisekiswa kwesitifiketi bese ukhetha isitifiketi ngokwaso.

   Ngaphezu kwalokho, uzodinga ukushintsha indlela yokuqinisekisa kuzilungiselelo zesayithi.

   
   
   
   
   Ngiyaqaphela ukuthi inani lemigudu ye-IPsec lincike kusayizi we-Edge Gateway esetshenzisiwe (funda ngalokhu kweyethu isihloko sokuqala).

   

I-SSL VPN

I-SSL VPN-Plus ingenye yezinketho ze-VPN zokufinyelela kude. Ivumela abasebenzisi abakude ukuba baxhume ngokuphephile kumanethiwekhi angasese ngemuva kwesango le-NSX Edge. Umhubhe obethelwe esimweni se-SSL VPN-plus uyasungulwa phakathi kweklayenti (iWindows, Linux, Mac) ne-NSX Edge.

1. Masiqale ukumisa. Kuphaneli yokulawula yezinsizakalo ze-Edge Gateway, iya kuthebhu ye-SSL VPN-Plus, bese uye kokuthi Izilungiselelo Zeseva. Sikhetha ikheli kanye nembobo lapho iseva izolalela khona ukuxhumana okungenayo, sivumele ukungena futhi sikhethe ama-algorithms wokubethela adingekayo.

   
   
   Lapha ungashintsha isitifiketi esizosetshenziswa iseva.

   

2. Ngemuva kokuthi konke sekulungile, vula iseva futhi ungakhohlwa ukulondoloza izilungiselelo.

   

3. Okulandelayo, sidinga ukumisa inqwaba yamakheli esizowakhiphela amaklayenti lapho sixhuma. Le nethiwekhi ihlukile kunoma iyiphi i-subnet ekhona endaweni yakho ye-NSX futhi ayidingi ukulungiswa kwamanye amadivayisi kumanethiwekhi aphathekayo ngaphandle kwemizila ekhomba kuyo.

   Iya kuthebhu ye-IP Pools bese uchofoza +.

   

4. Khetha amakheli, imaski ye-subnet kanye nesango. Lapha ungakwazi futhi ukushintsha izilungiselelo zeseva ye-DNS ne-WINS.

   

5. Ichibi eliphumela.

   

6. Manje ake sengeze amanethiwekhi abasebenzisi abaxhuma ku-VPN abazokwazi ukuwafinyelela. Asiye kuthebhu ethi Amanethiwekhi Ayimfihlo bese uchofoza +.

   

7. Gcwalisa:
   • Inethiwekhi - inethiwekhi yendawo lapho abasebenzisi abakude bazokwazi ukufinyelela kuyo.
   • Thumela ithrafikhi, inezinketho ezimbili:
     - phezu komhubhe-thumela ithrafikhi kunethiwekhi ngomhubhe,
     — umhubhe wokudlula—thumela ithrafikhi kunethiwekhi udlula umhubhe ngokuqondile.
   • Nika amandla i-TCP Optimization - hlola leli bhokisi uma ukhethe inketho yomhubhe ngaphezulu. Uma ukulungiselelwa kunikwe amandla, ungacacisa izinombolo zembobo ofuna ukuzilungiselela ithrafikhi. Ithrafikhi yezimbobo ezisele kuleyo nethiwekhi ngeke ithuthukiswe. Uma izinombolo zembobo zingacacisiwe, ithrafikhi yazo zonke izimbobo iyathuthukiswa. Funda kabanzi ngalesi sici lapha.

   

8. Okulandelayo, iya kuthebhu yokuqinisekisa bese uchofoza +. Ukufakazela ubuqiniso sizosebenzisa iseva yendawo ku-NSX Edge ngokwayo.

   

9. Lapha singakhetha izinqubomgomo zokukhiqiza amagama ayimfihlo amasha futhi silungiselele izinketho zokuvimbela ama-akhawunti omsebenzisi (isibonelo, inombolo yokuzama futhi uma iphasiwedi ifakwe ngokungalungile).

   
   
   

10. Njengoba sisebenzisa ukufakazela ubuqiniso kwasendaweni, sidinga ukudala abasebenzisi.

    

11. Ngaphezu kwezinto eziyisisekelo njengegama nephasiwedi, lapha ungakwazi, isibonelo, ukuvimbela umsebenzisi ukuthi ashintshe iphasiwedi noma, ngokuphambene, umphoqelele ukuthi ashintshe iphasiwedi ngesikhathi esilandelayo lapho engena khona.

    

12. Ngemuva kokuthi bonke abasebenzisi abadingekayo sebengeziwe, hamba kuthebhu yamaphakheji wokufaka, chofoza + bese udala isifaki ngokwaso, okuzolandelwa isisebenzi esikude ukuze sifakwe.

    

13. Chofoza +. Sikhetha ikheli kanye nechweba leseva lapho iklayenti lizoxhumeka khona, kanye nezinkundla okudingeka sikhiqize kuzo iphakheji yokufaka.

    
    
    Ngezansi kuleli windi ungacacisa izilungiselelo zeklayenti zeWindows. Khetha:

    • qala iklayenti ku-logon - iklayenti le-VPN lizongezwa ukuqalisa emshinini oqhelile;
    • dala isithonjana sedeskithophu - izodala isithonjana seklayenti le-VPN kudeskithophu;
    • ukuqinisekiswa kwesitifiketi sokuvikeleka kweseva - kuzoqinisekisa isitifiketi seseva ekuxhumekeni.
      Ukusethwa kweseva kuqedile.

    

14. Manje ake silande iphakheji yokufaka esiyidalile esinyathelweni sokugcina ku-PC ekude. Lapho sisetha iseva, sicacise ikheli layo langaphandle (185.148.83.16) kanye nembobo (445). Kuleli kheli okudingeka siye kulo esipheqululini sewebhu. Endabeni yami kunjalo 185.148.83.16: 445.

    Ewindini lokugunyazwa, kufanele ufake imininingwane yomsebenzisi esimdale ngaphambilini.

    

15. Ngemva kokugunyazwa, sibona uhlu lwamaphakheji okufaka adaliwe atholakalayo ukuze alandwe. Sidale eyodwa kuphela - sizoyilanda.

    

16. Chofoza isixhumanisi bese ukulanda kweklayenti kuqala.

    

17. Khipha ingobo yomlando elandiwe bese usebenzisa isifaki.

    

18. Ngemva kokufaka, vula iklayenti bese uchofoza Ngena efasiteleni lokugunyazwa.

    

19. Ewindini lokuqinisekisa isitifiketi, khetha Yebo.

    

20. Sifaka imininingwane yomsebenzisi odalwe ngaphambilini futhi sibona ukuthi uxhumano luqedwa ngempumelelo.

    
    
    

21. Ihlola izibalo zeklayenti le-VPN kukhompuyutha yendawo.

    
    
    

22. Emgqeni womyalo weWindows (ipconfig /all) sibona ukuthi i-adaptha eyengeziwe ebonakalayo ivele futhi kukhona ukuxhumana nenethiwekhi ekude, konke kuyasebenza:

    
    
    

23. Futhi ekugcineni, hlola kukhonsoli ye-Edge Gateway.

    

I-L2 VPN

I-L2VPN izodingeka uma udinga ukuhlanganisa ezimbalwa ngokwendawo
amanethiwekhi asabalalise esizindeni esisodwa sokusakaza.

Lokhu kungaba usizo, ngokwesibonelo, lapho uthutha umshini obonakalayo: lapho i-VM ithuthela kwenye indawo yendawo, umshini uzogcina izilungiselelo zawo zamakheli e-IP futhi ngeke ulahlekelwe ukuxhumana neminye imishini etholakala esizindeni esifanayo se-L2 nayo.

Endaweni yethu yokuhlola, sizoxhumanisa amasayithi amabili komunye nomunye, masiwabize ngo-A no-B, ngokulandelana. Umshini A unekheli 10.10.10.250/24, umshini B unekheli 10.10.10.2/24.

1. Kumqondisi we-vCloud, iya kuthebhu Yokuphatha, hamba ku-VDC esiyidingayo, hamba kuthebhu ye-Org VDC Networks bese wengeza amanethiwekhi amasha amabili.

   

2. Sikhetha uhlobo lwenethiwekhi ewumzila bese sibopha le nethiwekhi ku-NSX yethu. Hlola ibhokisi elithi Dala njengesixhumi esingaphansi.

   

3. Ngenxa yalokho, kufanele sibe namanethiwekhi amabili. Esibonelweni sethu, abizwa nge-network-a kanye nenethiwekhi-b enezilungiselelo ezifanayo zesango kanye nemaski efanayo.

   
   
   

4. Manje ake siqhubekele kuzilungiselelo ze-NSX yokuqala. Lena kuzoba yi-NSX leyo Inethiwekhi A enamathiselwe kuyo. Izosebenza njengeseva.

   Buyela kusixhumi esibonakalayo se-NSx Edge/ Iya kuthebhu ye-VPN -> L2VPN. Sivumela i-L2VPN, khetha imodi yokusebenza Yeseva, futhi kuzilungiselelo ze-Server Global ucacise ikheli le-IP langaphandle le-NSX lapho imbobo yomhubhe izolalela khona. Ngokuzenzakalelayo, isokhethi izovuleka ku-port 443, kodwa lokhu kungashintshwa. Ungakhohlwa ukukhetha izilungiselelo zokubethela zomhubhe wesikhathi esizayo.

   

5. Iya kuthebhu Yamasayithi Eseva bese wengeza untanga.

   

6. Sivula untanga, setha igama, incazelo, uma kunesidingo, setha igama lomsebenzisi nephasiwedi. Sizodinga le datha kamuva lapho sisetha isayithi leklayenti.

   Ekhelini le-Egress Optimization Gateway sibeka ikheli lesango. Lokhu kuyadingeka ukuze ugweme ukungqubuzana kwamakheli e-IP, ngoba isango lamanethiwekhi wethu linekheli elifanayo. Bese ucindezela inkinobho ethi KHETHA SUB-INTERFACES.

   

7. Lapha sikhetha i-subinterface esiyifunayo. Londoloza izilungiselelo.

   

8. Siyabona ukuthi isayithi leklayenti elisha livele kuzilungiselelo.

   

9. Manje ake siqhubekele ekulungiseleleni i-NSX ohlangothini lweklayenti.

   Siya ohlangothini lwe-NSX B, iya ku-VPN -> L2VPN, vumela i-L2VPN, setha imodi ye-L2VPN kumodi yokusebenza yeklayenti. Kuthebhu ye-Client Global, setha ikheli kanye nembobo ye-NSX A, esiyichaze ngaphambilini njenge-Lalela IP kanye Nembobo ohlangothini lweseva. Kuyadingeka futhi ukusetha izilungiselelo ezifanayo zokubethela ukuze zihambisane lapho umhubhe uphakanyiswa.

   
   
   Skrolela phansi bese ukhetha i-subinterface okuzokwakhiwa ngayo umhubhe we-L2VPN.
   Ekhelini le-Egress Optimization Gateway sibeka ikheli lesango. Setha i-id yomsebenzisi nephasiwedi. Khetha i-subinterface futhi ungakhohlwa ukulondoloza izilungiselelo.

   

10. Empeleni, yilokho kuphela. Izilungiselelo zohlangothi lweklayenti neseva zicishe zifane, ngaphandle kwama-nuances ambalwa.
11. Manje siyabona ukuthi umhubhe wethu uyasebenza ngokuya kokuthi Izibalo -> L2VPN kunoma iyiphi i-NSX.

    

12. Uma manje siya kukhonsoli yanoma iyiphi i-Edge Gateway, sizobona amakheli awo womabili ama-VM etafuleni le-arp ngalinye lawo.

    

Lokho konke kimi nge-VPN ku-NSX Edge. Buza ukuthi kukhona yini okuhlala kungacacile. Lokhu kuphinde kube yingxenye yokugcina ochungechungeni lwezihloko mayelana nokusebenza ne-NSX Edge. Sithemba ukuthi abewusizo :)

Source: www.habr.com