Network Security-- ipsec

2025-02-23 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--


Internet Protocol Security (IPsec) is an open-standard framework that uses cryptographic security services to provide secure communication over Internet Protocol (IP) networks. It protects traffic end to end, actively defending private networks and their communication across the Internet against attacks.

IPsec is a collection of protocols: symmetric encryption algorithms such as DES, 3DES and AES, plus the security protocols AH and ESP, among others.

An IPsec tunnel is a layer-3 tunnel: it encapsulates network-layer packets directly in the tunnel protocol, and the resulting packets are carried by the layer-3 (IP) protocol.

Let's see what ipsec can offer us.

Security Services:

The security services IPsec can provide are authentication, integrity, anti-replay and confidentiality:

Authentication: the following methods are available

Pre-shared keys

Digital certificates (more trouble to set up, but more secure)

Kerberos v5

Integrity: IPsec computes a digest with MD5 or SHA so the receiver can confirm that the data has not been modified.

Anti-replay: each packet sent carries a sequence number, so a replayed packet is rejected.

Confidentiality: packets are encrypted with the symmetric algorithms DES, 3DES or AES.
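The anti-replay service, as an added example that is not part of the original post: a Python model of the sliding window an IPsec receiver keeps for each security association, checking the 32-bit sequence number that AH and ESP carry. The window size of 64 and the sequence stream in `replay_demo` are constructed for the illustration; the code also shows how the window advances when a packet arrives ahead of everything seen so far.

```python
# Added example (not from the original post): the anti-replay service modelled
# as the per-SA sliding window an IPsec receiver keeps. Every AH/ESP packet
# carries a 32-bit sequence number; the receiver accepts each number at most
# once and rejects numbers that have fallen behind the window.

WINDOW_SIZE = 64  # assumption: a 64-packet window, the usual minimum


class ReplayWindow:
    """Sliding window over 32-bit sequence numbers (one instance per SA)."""

    def __init__(self, size=WINDOW_SIZE):
        self.size = size
        self.highest = 0   # highest sequence number accepted so far (0 = none yet)
        self.bitmap = 0    # bit i set => sequence number (highest - i) was seen
        self.mask = (1 << size) - 1

    def check_and_update(self, seq):
        """Return True and record seq if it is new and inside the window."""
        if seq == 0:
            return False  # sequence number 0 is never valid on the wire
        if seq > self.highest:
            # Packet is ahead of the window: slide it forward and mark seq seen.
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1                 # whole history falls out of the window
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & self.mask
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False  # too old: behind the window, cannot tell if replayed
        if self.bitmap & (1 << offset):
            return False  # already seen inside the window: a replay
        self.bitmap |= 1 << offset              # late but new: accept and record
        return True


def replay_demo(sequence):
    """Feed a constructed stream of sequence numbers; return accept/reject per packet."""
    window = ReplayWindow()
    return [window.check_and_update(seq) for seq in sequence]


if __name__ == "__main__":
    # Constructed stream: in-order packets, a replay of 3, a late 4, a jump to 100,
    # a packet that is now too old (30), a late new one (50) and two replays.
    stream = [1, 2, 3, 5, 3, 4, 100, 30, 50, 50, 100]
    for seq, accepted in zip(stream, replay_demo(stream)):
        print(f"seq {seq:3d}: {'accept' if accepted else 'reject'}")
```

The receiver only ever needs the highest accepted number and one bit per window slot, which is why anti-replay costs almost nothing per packet; the price is that a packet delayed by more than the window size is dropped even though it is genuine.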

Security protocols:

Security protocols provided by IPsec:

AH (Authentication Header; cannot traverse NAT) provides three security services: authentication, integrity and anti-replay. Its IP protocol number is 51.

ESP (Encapsulating Security Payload) provides all four: authentication, integrity, anti-replay and confidentiality. Its IP protocol number is 50.

Let's talk about how they work:

AH:

AH works in either tunnel mode or transport mode.

Transport mode

There is no * * server in between: this mode is used inside a local area network, and no new IP header is generated during transmission.

Processing:

The AH header contains the digest, a 32-bit sequence counter and the SPI, the index that identifies the security association (SA).

Tunnel mode

There are one or two * servers in between, and a new IP header is generated when the packet is transmitted.

Processing:

Because AH's digest covers the IP header, including the newly generated one, a NAT rewrite of the addresses breaks verification, so AH cannot be used through NAT.

ESP:

Transport mode

The ESP header contains a 32-bit sequence counter and the SPI.

The ESP authentication data carries the integrity check information.

The ESP trailer is padding: when the data does not fill the last cipher block, the trailer fills it out.

In transport mode, encryption covers only the data and the ESP trailer; authentication covers the ESP header, the data and the ESP trailer.

Tunnel mode

A new IP header is generated during transmission.

In tunnel mode, encryption covers the original IP header, the data and the ESP trailer; authentication covers the ESP header, the original IP header, the data and the ESP trailer.
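The AH and ESP encapsulations just described, as an added example that is not from the original post: a byte-level Python model of both protocols in transport and tunnel mode that shows which fields are encrypted and which are authenticated, then passes each packet through a NAT rewrite to show why AH fails verification after NAT while ESP does not. The HMAC-SHA1 digest is real; the cipher is a toy XOR keystream standing in for DES/3DES/AES, which the standard library does not provide; the 12-byte IP header stand-in, the addresses, keys and SPIs are all constructed for the example.

```python
# Added example (not from the original post): AH and ESP encapsulation scopes,
# plus the NAT check. Keys, addresses, SPIs and the IP header layout are
# constructed sample values; the cipher is a toy stand-in, not real IPsec crypto.
import hashlib
import hmac
import struct

AUTH_KEY = b"constructed-auth-key"   # constructed SA authentication key
ENC_KEY = b"constructed-enc-key"     # constructed SA encryption key
BLOCK = 8                            # assumption: 8-byte cipher block, as for DES/3DES


def ip_header(src, dst, proto):
    """12-byte stand-in for an IP header: source, destination, protocol number."""
    def addr(a):
        return bytes(int(x) for x in a.split("."))
    return struct.pack("!4s4sI", addr(src), addr(dst), proto)


def icv(data):
    """Integrity check value: HMAC-SHA1 truncated to 96 bits, as AH/ESP do."""
    return hmac.new(AUTH_KEY, data, hashlib.sha1).digest()[:12]


def toy_cipher(data):
    """Stand-in for DES/3DES/AES: XOR with a SHA-256 keystream (NOT real IPsec
    crypto). XOR is its own inverse, so one function encrypts and decrypts."""
    stream = b"".join(hashlib.sha256(ENC_KEY + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


def build_ah(inner_hdr, payload, spi, seq, outer_hdr=None):
    """AH: SPI + 32-bit counter + digest. Tunnel mode prepends an outer IP header.
    The digest covers every IP header present, so a NAT rewrite invalidates it."""
    headers = (outer_hdr or b"") + inner_hdr
    ah_fixed = struct.pack("!II", spi, seq)
    return {"ip": headers, "ah": ah_fixed,
            "auth": icv(headers + ah_fixed + payload), "payload": payload}


def verify_ah(pkt):
    return hmac.compare_digest(pkt["auth"], icv(pkt["ip"] + pkt["ah"] + pkt["payload"]))


def build_esp(inner_hdr, payload, spi, seq, outer_hdr=None):
    """ESP: header (SPI + counter), encrypted body with trailer, authentication data.
    Transport mode encrypts payload + trailer; tunnel mode also encrypts the
    original IP header and sends a new outer header in the clear."""
    tunnel = outer_hdr is not None
    plaintext = (inner_hdr if tunnel else b"") + payload
    pad = (-(len(plaintext) + 1)) % BLOCK              # fill the last cipher block
    trailer = bytes(range(1, pad + 1)) + bytes([pad])  # padding + pad-length byte
    esp_hdr = struct.pack("!II", spi, seq)
    body = toy_cipher(plaintext + trailer)
    # Authentication covers ESP header, data and trailer; never the outer IP header.
    return {"ip": outer_hdr if tunnel else inner_hdr, "esp": esp_hdr,
            "body": body, "auth": icv(esp_hdr + body)}


def verify_esp(pkt):
    return hmac.compare_digest(pkt["auth"], icv(pkt["esp"] + pkt["body"]))


def esp_plaintext(pkt):
    """Decrypt the body and strip the trailer (original IP header + payload in tunnel mode)."""
    pt = toy_cipher(pkt["body"])
    pad = pt[-1]
    return pt[:len(pt) - 1 - pad]


def nat_rewrite(pkt, new_src):
    """Model a NAT device rewriting the source address of the outermost IP header."""
    rewritten = dict(pkt)
    rewritten["ip"] = bytes(int(x) for x in new_src.split(".")) + pkt["ip"][4:]
    return rewritten


def demo():
    """Build AH and ESP tunnel-mode packets, verify them, then push them through NAT."""
    inner = ip_header("10.1.1.10", "10.2.2.20", 6)        # constructed private hosts
    outer = ip_header("203.0.113.1", "198.51.100.1", 50)  # constructed gateway addresses
    data = b"constructed application payload"
    ah = build_ah(inner, data, spi=0x100, seq=1, outer_hdr=outer)
    esp = build_esp(inner, data, spi=0x200, seq=1, outer_hdr=outer)
    return {
        "ah_ok": verify_ah(ah),
        "esp_ok": verify_esp(esp),
        "esp_tunnel_plaintext": esp_plaintext(esp) == inner + data,
        "esp_transport_plaintext": esp_plaintext(build_esp(inner, data, 0x300, 1)) == data,
        "ah_after_nat": verify_ah(nat_rewrite(ah, "192.0.2.99")),    # digest no longer matches
        "esp_after_nat": verify_esp(nat_rewrite(esp, "192.0.2.99")),  # outer header not covered
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running the file prints six checks; `ah_after_nat` is the NAT incompatibility the post mentions, and it holds in transport mode as well, since AH covers whichever IP header it has. ESP survives the rewrite because its authentication data starts at the ESP header, which is also why ESP is the protocol used whenever a tunnel has to cross NAT.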

Implementation of Ipsec:

IPsec can be implemented on routers or firewalls; we still prefer firewalls, which are superior to routers in stability and security.

When traffic passes through the interface, the access control list applied to that interface filters it: flows that match the security policy enter the tunnel, and everything else, such as Internet-bound traffic, bypasses the IPsec tunnel.

What is required to implement an IPsec tunnel:

1. Flow: a series of packets sharing the same five elements (source address, destination address, protocol, source port, destination port). The flow that enters the tunnel is the one that matches the security policy.

Flows are filtered by matching them against an access control list.

2. Security proposal:

Whether IPsec works in tunnel mode or transport mode; if the security protocol is AH, the AH digest algorithm (MD5 or SHA); if ESP, both the digest and the encryption algorithm, which can be DES, 3DES or AES. All of these must be configured by us.

3. Security policy: selects the data to which IPsec applies by combining the configured ACL with the security proposal.

4. Apply the policy to an interface.
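The four requirements above, as an added example that is not part of the original post: a Python model of how a flow's five-tuple is matched against the encrypted ACL, how the first matching rule decides whether the flow is protected, and how the lowest-sequence matching policy supplies the tunnel endpoints and the proposal. The rule fields, policy names, subnets and gateway addresses are constructed for the example and are not the firewall's own syntax; the setup loosely mirrors the lab later on the page, with one firewall holding a policy for each remote site.

```python
# Added example (not from the original post): flow -> ACL -> security policy ->
# proposal selection, the decision a firewall makes for each flow leaving an
# interface that has an IPsec policy group applied. All names, subnets and
# addresses are constructed sample values.
import ipaddress
from dataclasses import dataclass
from typing import Optional

# A flow is the "five elements": (src_ip, dst_ip, protocol, src_port, dst_port).


@dataclass(frozen=True)
class Rule:
    """One line of the encrypted ACL: permit = protect with IPsec, deny = send in the clear."""
    action: str
    protocol: str = "ip"           # "ip" matches any protocol
    source: str = "0.0.0.0/0"
    destination: str = "0.0.0.0/0"
    dst_port: Optional[int] = None

    def matches(self, flow):
        src, dst, proto, _sport, dport = flow
        return ((self.protocol == "ip" or self.protocol == proto)
                and ipaddress.ip_address(src) in ipaddress.ip_network(self.source)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.destination)
                and (self.dst_port is None or self.dst_port == dport))


@dataclass(frozen=True)
class Proposal:
    """Security proposal: mode, protocol and algorithms the SA will use."""
    name: str
    mode: str                           # "tunnel" or "transport"
    transform: str                      # "ah", "esp" or "ah-esp"
    encryption: Optional[str] = None    # des / 3des / aes (ESP only)
    authentication: str = "sha1"        # md5 / sha1


@dataclass(frozen=True)
class Policy:
    """Security policy: ACL + proposal + tunnel endpoints, ordered by sequence number."""
    name: str
    sequence: int
    acl: tuple
    local: str
    remote: str
    proposal: Proposal


def acl_permits(acl, flow):
    """First-match evaluation (like match-order config); no match means not protected."""
    for rule in acl:
        if rule.matches(flow):
            return rule.action == "permit"
    return False


def select_policy(policies, flow):
    """Lowest-sequence policy whose ACL permits the flow, or None if the flow
    (e.g. Internet-bound traffic) should bypass the tunnel."""
    for policy in sorted(policies, key=lambda p: p.sequence):
        if acl_permits(policy.acl, flow):
            return policy
    return None


# Constructed setup: one firewall with a tunnel to each of two remote sites,
# plus an explicit deny that keeps SSH to site 1 out of the tunnel.
PROP = Proposal("prop1", "tunnel", "esp", encryption="aes", authentication="sha1")
TO_SITE1 = Policy("site1", 10,
                  (Rule("deny", "tcp", "10.3.0.0/24", "10.1.0.0/24", dst_port=22),
                   Rule("permit", "ip", "10.3.0.0/24", "10.1.0.0/24")),
                  local="203.0.113.3", remote="203.0.113.1", proposal=PROP)
TO_SITE2 = Policy("site2", 20,
                  (Rule("permit", "ip", "10.3.0.0/24", "10.2.0.0/24"),),
                  local="203.0.113.3", remote="203.0.113.2", proposal=PROP)
FW3_POLICIES = (TO_SITE1, TO_SITE2)


def route(flow):
    """Describe what happens to a flow leaving the interface the policy group is applied to."""
    policy = select_policy(FW3_POLICIES, flow)
    if policy is None:
        return "clear"
    p = policy.proposal
    return f"ipsec:{policy.name}:{p.transform}/{p.mode}:{policy.local}->{policy.remote}"


if __name__ == "__main__":
    for flow in [("10.3.0.5", "10.1.0.7", "tcp", 40000, 80),
                 ("10.3.0.5", "10.1.0.7", "tcp", 40000, 22),
                 ("10.3.0.5", "10.2.0.9", "udp", 5353, 53),
                 ("10.3.0.5", "198.51.100.80", "tcp", 1234, 443)]:
        print(flow, "->", route(flow))
```

The order of the ACL rules matters: the deny for port 22 must precede the broad permit, or it never fires. The same applies to policy sequence numbers, which is why a narrow policy gets the lower number when two policies' ACLs overlap.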

Here is one of our cases:

Configuration commands:

Create an encrypted access control list

acl acl-number [match-order config | auto]

rule {normal | special} {permit | deny} pro-number

[source source-addr source-wildcard | any] [source-port operator port1 [port2]]

[destination dest-addr dest-wildcard | any]

[destination-port operator port1 [port2]]

[icmp-type icmp-type icmp-code]

[logging]

Define a security proposal

ipsec proposal proposal-name

Set the packet encapsulation mode of the security protocol

encapsulation-mode {transport | tunnel}

Set the security protocol used by the security proposal

transform {ah | ah-esp | esp}

Set the encryption algorithm used by the ESP protocol

esp-new encryption-algorithm {3des | des | aes}

Set the authentication algorithm used by the ESP protocol

esp-new authentication-algorithm {md5 | sha1}

Create a security policy manually

ipsec policy policy-name sequence-number {manual | isakmp}

Set the encrypted access control list referenced by the security policy

security acl access-list-number

Specify the local address of the secure tunnel

tunnel local ip-address

Specify the peer address of the secure tunnel

tunnel remote ip-address

Specify the security proposal referenced by the security policy

proposal proposal-name

When configured manually:

Configure the SPI of the inbound AH/ESP security association

sa inbound {ah | esp} spi spi-number

Configure the SPI of the outbound AH/ESP security association

sa outbound {ah | esp} spi spi-number

Configure the authentication key for the AH protocol (in hexadecimal)

sa {inbound | outbound} ah hex-key-string hex-key

Configure the authentication key for the AH protocol (as a string)

sa {inbound | outbound} ah string-key string-key

Configure the authentication key for the ESP protocol (in hexadecimal)

sa {inbound | outbound} esp authentication-hex hex-key

Configure the encryption key for the ESP protocol (in hexadecimal)

sa {inbound | outbound} esp encryption-hex hex-key

Create a security policy whose security associations are negotiated by IKE, and enter the security policy view

ipsec policy policy-name sequence-number isakmp

Set the encrypted access control list referenced by the security policy

security acl access-list-number

Specify the local address of the secure tunnel

tunnel local ip-address

Specify the peer address of the secure tunnel

tunnel remote ip-address

Specify the security proposal referenced by the security policy

proposal proposal-name

Apply a security policy group to an interface

ipsec policy policy-name

Lab Topology:

Lab equipment (Huawei):

Three firewalls, three PCs and one layer-3 switch

Purpose of the lab:

Packets from PC3 should match the security policies on the firewalls and reach PC1 and PC2 through the IPsec tunnels formed between them.

Reference configuration:

FW1

FW2

FW3

SW1

Verification:

PC1 pings PC3

PC2 pings PC3
