Network Equipment Hardcore Technology Insider: Firewalls and Security Gateways (11): The Secret of Zero-Contact Office
2022-07-28 00:40:00 【User 8289326】
Everything has to start with that wretched bat / pangolin / civet …… (that is going round in circles, strike it out.)
The concept of remote work sprang up more than a decade ago, but it was only recently that the public-health crisis sweeping half the globe made it genuinely widespread.
The Huashan sect expects its inner disciples to be able to reach the internal network while practicing at home. But the sect's internal network and a disciple's home network are separated by the Internet, so two problems must be solved before remote work is possible:
- How can a disciple use the company's intranet addresses across the Internet and the corporate network boundary?
- How is the traffic in between kept secure and free from eavesdropping?
When Yue Buqun put these two questions to Linghu Chong, Lin Pingzhi, standing to one side, cut in at once: "Master, I'll take care of it!"
Yue Buqun did not trust Lin Pingzhi, but Lin Pingzhi was forever praising Shiniang's beauty, so Shiniang spoke up: "Let little Lin have a try this time!"
Entrusted with the task, Lin Pingzhi began laying out his plan:
Because the Huashan sect has opened many branches around the world, the egress firewall at Huashan headquarters has long had IPSec enabled, and it communicates with the branches over encrypted tunnels.
Lin Pingzhi reasoned: if we treat each disciple's home as a branch and connect it to headquarters over IPSec, wouldn't that do?
Lao Denuo, who was on good terms with Lin Pingzhi, was the first to laugh at him:
"You should know that the routers in disciples' homes are usually TP-Link boxes costing a hundred yuan. How are they supposed to support IPSec?"
Lin Pingzhi rolled his eyes and said:
"The Huashan sect can lend IPSec-capable equipment to disciples for remote use ……"
Lao Denuo stopped interrupting and waited to watch Lin Pingzhi make a fool of himself.
Sure enough, Lin Pingzhi's plan worked normally in some disciples' homes, but other disciples were completely unable to establish an IPSec connection ……
The reason is that operators provide enterprise customers with valid global unicast IP addresses (Global Unicast Address), but they are under no obligation to do so for home broadband users. In practice, the operator deploys CGN (Carrier-Grade NAT): subscribers are given addresses from 100.64.0.0-100.127.255.255 (the 100.64.0.0/10 shared address space of RFC 6598), and their traffic is NAT-translated before it reaches the public Internet.
Good. Having come this far, we know why:
IPSec itself runs neither over UDP nor over TCP. ESP (IP protocol 50) and AH (IP protocol 51) ride directly on IP and require end-to-end IP connectivity. ESP carries no port numbers for a NAT to rewrite, and AH authenticates the outer IP header, so any address rewrite invalidates it. Any NAT on the path therefore either makes IPSec unusable or demands very special configuration on the NAT device. (IKE NAT traversal, RFC 3947/3948, works around this by wrapping ESP in UDP port 4500, but it must be supported by both the gateway and the client, and the home end still has no fixed, reachable public address for headquarters to peer with as it does with a branch.) Clearly, a CGN device will not pass native IPSec, so the IPSec scheme is not feasible for remote work.
If we sort out the above logic, we find that the fundamental reason IPSec cannot be used for remote work is that individual users cannot be guaranteed a global unicast IP address on the public network. So, what kind of communication mode satisfies these requirements:
- One end need not have a global unicast IP address;
- Communication is secure, with authentication, authorization and encryption.
The answer is out: use SSL/HTTPS.
This is the SSL VPN.
Earlier we mentioned that LB devices have SSL connection-termination capability, that is, they can perform the encryption/decryption, authentication and authorization of SSL/HTTPS. So only some modification of the LB device is needed to build a VPN device that supports SSL/HTTPS!
Before long, Linghu Chong had the modified SSL VPN device under test. The test topology is as follows:
As shown in the figure, the data-center server address is 10.100.100.10; after an SSL VPN user connects to the company network, the address assigned to the user is 10.100.200.100.
The flow from the user to the intranet VM is 10.100.200.100:31233 -> 10.100.100.10:443.
It is encapsulated in the VPN tunnel between the user and the VPN gateway and carried across the Internet.
The tunnel from the user to the VPN gateway passes through two NATs, and the tunnel's source IP and source port are translated twice (192.168.1.101:13763 becomes 100.64.123.213:12580; 100.64.123.213:12580 becomes 123.118.108.217:51167). But because the tunnel is HTTPS, which is TCP, each NAT simply records the translated 5-tuple in its mapping table and maps the return traffic back, so the tunnel works normally.
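The following is an added example, not code from the original article: a toy model of the two port-translating NATs described above (the home router and the operator's CGN), run against the article's addresses. It shows both halves of the argument in one place: a TCP/HTTPS tunnel is rewritten twice on the way out and mapped back on the way in, while a native ESP packet (IP protocol 50) has no port for a NAPT to rewrite and is rejected. The VPN gateway's public address 203.0.113.10 and the fixed port choices of each NAT are assumptions made so the run is deterministic.

```python
"""Toy model of home NAPT + carrier-grade NAPT (constructed example).

Addresses come from the article's test topology; the gateway address
203.0.113.10 and the ports each NAT allocates are assumed here.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

PROTO_TCP, PROTO_UDP, PROTO_ESP = 6, 17, 50
SHARED_SPACE = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598, used by CGN


def is_cgn_address(addr: str) -> bool:
    """True if addr lies in the shared address space operators hand out behind CGN."""
    return ipaddress.ip_address(addr) in SHARED_SPACE


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int]  # None for ESP: IP protocol 50 has no transport header
    dport: Optional[int]


class Napt:
    """Port-translating NAT with a single outside address."""

    def __init__(self, outside_ip: str, first_port: int):
        self.outside_ip = outside_ip
        self.next_port = first_port  # assumed allocation: sequential from first_port
        self.out_map: Dict[Tuple[int, str, int], int] = {}          # (proto, in_ip, in_port) -> out_port
        self.in_map: Dict[Tuple[int, int], Tuple[str, int]] = {}    # (proto, out_port) -> (in_ip, in_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite source IP/port of an inside->outside packet, creating a mapping."""
        if pkt.sport is None:
            # ESP carries no ports, so there is nothing to multiplex on. A NAPT can at
            # best pin all protocol-50 traffic to one inside host; a CGN serving
            # thousands of subscribers cannot do that, so the packet is rejected.
            raise ValueError(f"protocol {pkt.proto} has no port to translate")
        key = (pkt.proto, pkt.src, pkt.sport)
        port = self.out_map.get(key)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.out_map[key] = port
            self.in_map[(pkt.proto, port)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.outside_ip, sport=port)

    def inbound(self, pkt: Packet) -> Packet:
        """Reverse translation for a reply; only flows the inside host opened get through."""
        inside = self.in_map.get((pkt.proto, pkt.dport))
        if inside is None or pkt.dst != self.outside_ip:
            raise KeyError("no mapping: unsolicited inbound packet dropped")
        return replace(pkt, dst=inside[0], dport=inside[1])


def trace_double_nat(pkt: Packet) -> Tuple[Packet, Packet, Packet]:
    """Send pkt through the home router, then the CGN, and route the gateway's reply back."""
    home = Napt("100.64.123.213", first_port=12580)   # WAN side of the home router
    cgn = Napt("123.118.108.217", first_port=51167)   # operator's CGN public address
    hop1 = home.outbound(pkt)
    hop2 = cgn.outbound(hop1)
    # The VPN gateway answers whatever source it saw: swap src/dst of the CGN-side packet.
    reply = Packet(pkt.proto, hop2.dst, hop2.src, hop2.dport, hop2.sport)
    back = home.inbound(cgn.inbound(reply))
    return hop1, hop2, back


def traverses_double_nat(pkt: Packet) -> bool:
    """True if the reply lands back on the original inside socket after both NATs."""
    try:
        _, _, back = trace_double_nat(pkt)
    except ValueError:
        return False
    return (back.dst, back.dport) == (pkt.src, pkt.sport)


if __name__ == "__main__":
    tunnel = Packet(PROTO_TCP, "192.168.1.101", "203.0.113.10", 13763, 443)  # HTTPS tunnel
    for hop in trace_double_nat(tunnel):
        print(hop)
    esp = Packet(PROTO_ESP, "192.168.1.101", "203.0.113.10", None, None)     # native IPSec
    print("HTTPS tunnel traverses:", traverses_double_nat(tunnel))
    print("native ESP traverses:  ", traverses_double_nat(esp))
```

The model deliberately leaves out NAT timeouts and hairpinning; the point is the mapping key. Anything with a TCP or UDP port (HTTPS, and equally ESP once NAT-T wraps it in UDP/4500) gets a table entry and a return path, while bare protocol 50 does not, which is why the operator's CGN, which the sect does not control, decides the outcome.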
In this way, wherever the user connects from, the SSL VPN ensures secure remote access!
But Linghu Chong did not expect that more challenges lay ahead ……