2025-03-28 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)05/31 Report--
This article explains IPsec and walks through a tunnel configuration case. The content is concise and easy to follow; I hope you get something out of the detailed introduction.
1. Introduction to IPsec
IPsec consists of the security protocols (AH and ESP) and the key exchange protocol IKE. It was developed by the IETF (Internet Engineering Task Force) and provides both communicating parties with access control, connectionless integrity, data origin authentication, anti-replay protection, encryption and limited traffic-flow confidentiality. The security protocols are AH (Authentication Header) and ESP (Encapsulating Security Payload). IKE is a hybrid protocol that runs over the TCP/IP stack within the ISAKMP (Internet Security Association and Key Management Protocol) framework and combines parts of Oakley (a key exchange protocol) and SKEME (a key exchange technique).
2. Security features of IPsec
(1) Non-repudiation: non-repudiation confirms that the sender of a message is the only party that could have sent it, so the sender cannot later deny having sent it. Non-repudiation is a property of public-key technology: the sender generates a digital signature with its private key and sends it with the message, and the receiver verifies the signature with the sender's public key. In theory only the sender holds the private key, so only the sender can produce the signature, and once the signature verifies the sender cannot deny having sent the message. Non-repudiation is not a property of authentication based on shared keys, because there the sender and the receiver hold the same key.
(2) Anti-replay: the IPsec receiver uses the 32-bit sequence number carried in the AH or ESP header to check the uniqueness of each IP packet and discards stale or duplicate packets, so that a packet captured in transit cannot later be resent to obtain unauthorized access (even if the replay is attempted months later).
(3) Data integrity: the IPsec receiver authenticates each packet sent by the sender with a hash algorithm such as MD5 or SHA-1, preventing tampering in transit and ensuring that the data received is identical to the data sent.
(4) Data confidentiality: the IPsec sender encrypts packets with a symmetric algorithm such as DES, 3DES or AES before transmission, so that the contents cannot be read even if the packets are captured in transit. This feature is optional in IPsec and depends on the settings of the IPsec policy.
(5) Data origin authentication: IPsec verifies that the sender of an IPsec packet is legitimate by means of a pre-shared key, a certificate, Kerberos v5 and so on.
3. Working modes of IPsec
(1) Tunnel mode: the entire user IP packet is used to compute the AH or ESP header, and the AH or ESP header together with the (ESP-encrypted) user data is encapsulated in a new IP packet. Tunnel mode is typically used for communication between two security gateways.
(2) Transport mode: only the transport-layer data is used to compute the AH or ESP header, and the AH or ESP header together with the (ESP-encrypted) user data is placed after the original IP header. Transport mode is typically used between two hosts, or between a host and a security gateway.
4. Comparison of the two IPsec security protocols
The AH protocol (IP protocol number 51) provides data origin authentication, data integrity checking and anti-replay protection. It protects traffic against tampering but not against eavesdropping, so it is suited to data that is not confidential. AH works by inserting an authentication header after the standard IP header of every packet to protect the integrity of the packet. The IP header contains several fields that change in transit, such as type of service (TOS), flags, fragment offset, TTL and the header checksum; all of these are zeroed before the authentication value is computed, otherwise the hash would not match and the packet would be dropped. The source and destination addresses are not among those mutable fields, so when a NAT rewrites an address the hash no longer matches at the receiver. For this reason AH cannot pass through NAT.
The ESP protocol (IP protocol number 50) provides encryption, data origin authentication, data integrity checking and anti-replay protection. ESP works by adding an ESP header after the standard IP header of each packet and appending an ESP trailer to the packet. Unlike AH, ESP encrypts the user data to be protected before encapsulating it in the IP packet, which provides confidentiality of the data.
The following figure illustrates how AH and ESP encrypt and authenticate packets in each of the two IPsec modes.
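The NAT point above can be checked byte by byte. The Python below is an added example, not code from the article: it builds a minimal IPv4 header with struct, computes an AH integrity check value (HMAC-SHA1-96, as RFC 4302 specifies) over the header with the mutable fields zeroed, and then applies the two in-transit changes a practitioner cares about, a TTL decrement by a router and a source-address rewrite by a NAT. The ESP half of the demo shows that the outer header is simply not an input to the ESP ICV. The key, addresses, SPIs and payload are all constructed values, and the checksum is left at zero because AH zeroes it anyway.

```python
# Added example (not from the original article): why AH cannot cross a NAT
# while ESP can. AH's ICV covers the IP header with the mutable fields
# (TOS, flags/fragment offset, TTL, checksum) zeroed, but the addresses are
# immutable and stay in the hash; ESP's ICV covers only the ESP header,
# payload and trailer, never the outer IP header. Key, addresses and payload
# are constructed; the ICV is HMAC-SHA1-96 as in RFC 4302/4303.
import hashlib
import hmac
import struct

IPV4_FMT = "!BBHHHBBH4s4s"   # ver/ihl, tos, total_len, id, flags/frag, ttl, proto, csum, src, dst
AH_LEN = 24                  # 12-byte fixed AH header + 96-bit ICV

KEY = b"constructed-demo-key"          # constructed; a real SA key comes from IKE
SRC = bytes([192, 168, 1, 1])          # constructed private address behind the NAT
NAT_SRC = bytes([1, 1, 1, 1])          # constructed public address the NAT substitutes
DST = bytes([192, 168, 2, 1])          # constructed destination
PAYLOAD = b"constructed upper-layer data"


def build_ipv4(src, dst, payload_len, proto, ttl=64, tos=0, flags=0x4000):
    """Minimal IPv4 header; the checksum is left 0 since AH zeroes it anyway."""
    return struct.pack(IPV4_FMT, 0x45, tos, 20 + payload_len, 0x1234, flags, ttl, proto, 0, src, dst)


def ah_icv(ip_header, spi, seq, payload, key=KEY, next_header=6):
    """AH ICV over (IP header, mutable fields zeroed) + AH header (ICV zeroed) + payload."""
    ver_ihl, _tos, total_len, ident, _flags, _ttl, proto, _csum, src, dst = struct.unpack(IPV4_FMT, ip_header)
    predictable = struct.pack(IPV4_FMT, ver_ihl, 0, total_len, ident, 0, 0, proto, 0, src, dst)
    ah_header = struct.pack("!BBHII", next_header, (AH_LEN // 4) - 2, 0, spi, seq) + b"\x00" * 12
    return hmac.new(key, predictable + ah_header + payload, hashlib.sha1).digest()[:12]


def esp_icv(spi, seq, encrypted_payload_and_trailer, key=KEY):
    """ESP ICV over the ESP header plus the (encrypted) payload and trailer only."""
    esp_header = struct.pack("!II", spi, seq)
    return hmac.new(key, esp_header + encrypted_payload_and_trailer, hashlib.sha1).digest()[:12]


def decrement_ttl(hdr):
    """What every router on the path does."""
    f = list(struct.unpack(IPV4_FMT, hdr))
    f[5] -= 1
    return struct.pack(IPV4_FMT, *f)


def nat_source(hdr):
    """What a source NAT does: rewrite the source address and the checksum."""
    f = list(struct.unpack(IPV4_FMT, hdr))
    f[8] = NAT_SRC
    f[7] = 0xBEEF
    return struct.pack(IPV4_FMT, *f)


def ah_verifies_after(rewrite):
    """Sender computes the AH ICV, the path applies a header change, receiver re-checks."""
    sent = build_ipv4(SRC, DST, AH_LEN + len(PAYLOAD), proto=51)
    icv = ah_icv(sent, spi=0x100, seq=1, payload=PAYLOAD)
    received = rewrite(sent)
    return hmac.compare_digest(icv, ah_icv(received, spi=0x100, seq=1, payload=PAYLOAD))


def ah_survives_ttl_change():
    return ah_verifies_after(decrement_ttl)        # True: TTL is a zeroed mutable field


def ah_survives_nat():
    return ah_verifies_after(nat_source)           # False: the source address is in the hash


def esp_survives_nat():
    """ESP packet = outer IP header + ESP header + encrypted body + ICV.
    The receiver verifies the ICV over everything after the outer header."""
    body = b"\x00" * 32   # stands in for the encrypted payload + trailer (constructed)
    esp_part = struct.pack("!II", 0x200, 1) + body
    packet = build_ipv4(SRC, DST, len(esp_part) + 12, proto=50) + esp_part + esp_icv(0x200, 1, body)
    natted = nat_source(packet[:20]) + packet[20:]
    spi, seq = struct.unpack("!II", natted[20:28])
    return hmac.compare_digest(natted[-12:], esp_icv(spi, seq, natted[28:-12]))


if __name__ == "__main__":
    print(ah_survives_ttl_change(), ah_survives_nat(), esp_survives_nat())  # True False True
```

The demo only covers the integrity check; a real NAT also has to see UDP/TCP ports to map a flow, which is why ESP behind NAT is normally carried with UDP encapsulation (NAT traversal) rather than as bare protocol 50.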
5. Basic concepts of IPsec (based on H3C)
1. Data flow: in IPsec, a set of packets with the same source address/mask/port, destination address/mask/port and upper-layer protocol is called a data flow. A data flow is usually defined by an access control list (ACL): all packets permitted by the ACL logically form one data flow.
2. Security policy: configured manually by the user, it specifies which security measures are applied to which data flow. The data flow is defined by the rules of an access control list, and the security policy references that list to determine the flow to be protected. A security policy is uniquely identified by the pair of "name" and "sequence number".
3. Security policy group: the set of all security policies with the same name. A security policy group can be applied to or removed from an interface, which applies all of its security policies to that interface at once, so that different data flows receive different protection. Within a security policy group, the lower the sequence number, the higher the priority of the policy.
4. Security association (SA): the security services IPsec provides for a data flow are realised through security associations. An SA includes the protocol, the algorithms, the keys and so on, and specifies exactly how an IP packet is processed. An SA is a one-way logical connection between two IPsec systems; inbound and outbound data flows are handled by the inbound and outbound SAs respectively. An SA is uniquely identified by the triple (security parameter index (SPI), IP destination address, security protocol number (AH or ESP)).
Security associations can be established by manual configuration or by automatic negotiation.
With manual establishment the user sets all the SA parameters at both ends and then applies the security policy on the interface. Its drawback is complex configuration and the lack of some advanced features (such as periodic re-keying); it suits small deployments.
With automatic negotiation the SA is generated and maintained by IKE: the two peers match and negotiate against their respective security policy databases and establish the SA without user intervention. The configuration is simple and suits large enterprises. Automatic negotiation uses either main mode or aggressive mode. The main difference between the two exchanges is that aggressive mode does not provide identity protection. Where identity protection matters little, aggressive mode, with fewer exchanged messages, speeds up negotiation; where identity protection matters, main mode should be used.
5. Security parameter index (SPI): a 32-bit value carried in every IPsec packet. Together with the IP destination address and the security protocol number it forms the triple that uniquely identifies an SA. When an SA is configured manually the SPI must be specified by hand, and each SA needs a different SPI so that it stays unique; when the SA is negotiated by IKE, the SPI is generated randomly.
6. Security proposal: specifies the security protocol, the algorithms the protocol uses and the encapsulation the protocol applies to packets, that is, how an ordinary IP packet is converted into an IPsec packet. A security policy selects its protocol, algorithms and so on by referencing a security proposal.
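The three selection rules in this section (an ACL defines the data flow, the lowest sequence number in a policy group wins, and an inbound SA is found by the SPI/destination/protocol triple) fit in a small model. The following Python is an added example, not H3C code or code from the article; the policy names, networks, SPIs and key material in it are constructed, and the ACL evaluation is first-match with an implicit deny, which is how the case study's ACLs are written.

```python
# Added example (not from the original article): a small model of the H3C
# concepts above. A data flow is classified by an ACL, the security policy
# group is searched in ascending sequence-number order, and inbound SAs are
# looked up by the triple (SPI, destination address, security protocol).
# All policy names, networks, SPIs and algorithm sets below are constructed.
import ipaddress
from dataclasses import dataclass


@dataclass
class AclRule:
    action: str          # "permit" or "deny"
    src: str             # CIDR network, or "any"
    dst: str


def _in(net, addr):
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def acl_permits(rules, src, dst):
    """First-match ACL evaluation; an implicit deny follows the last rule."""
    for r in rules:
        if _in(r.src, src) and _in(r.dst, dst):
            return r.action == "permit"
    return False


@dataclass
class SecurityPolicy:
    name: str
    seq: int
    acl: list          # the data flow this policy protects
    proposal: str      # name of the security proposal to apply


def select_policy(group, src, dst):
    """Return the protecting policy for a packet, or None if it is sent in clear.
    Within a group (same name) the lowest sequence number has priority."""
    for policy in sorted(group, key=lambda p: p.seq):
        if acl_permits(policy.acl, src, dst):
            return policy
    return None


@dataclass(frozen=True)
class SaKey:
    spi: int
    dst: str
    protocol: int      # 51 = AH, 50 = ESP


def lookup_sa(sadb, spi, dst, protocol):
    """Inbound SA selection: the whole triple must match."""
    return sadb.get(SaKey(spi, dst, protocol))


# Constructed policy group "policy1": seq 10 protects the 192.168.2.0/24 flow,
# seq 20 catches everything else leaving 192.168.1.0/24. The list is deliberately
# out of order to show that the sequence number, not list position, decides.
POLICY_GROUP = [
    SecurityPolicy("policy1", 20, [AclRule("permit", "192.168.1.0/24", "any"),
                                   AclRule("deny", "any", "any")], "tran-any"),
    SecurityPolicy("policy1", 10, [AclRule("permit", "192.168.1.0/24", "192.168.2.0/24"),
                                   AclRule("deny", "any", "any")], "tran1"),
]

# Constructed inbound SA database: same SPI and destination but different
# protocol numbers are still two distinct SAs.
SADB = {
    SaKey(0x1234, "1.1.1.1", 50): {"proposal": "tran1", "algs": ("des", "md5")},
    SaKey(0x1234, "1.1.1.1", 51): {"proposal": "ah-only", "algs": (None, "sha1")},
}


def classify(src, dst):
    """Sequence number of the policy protecting the flow, or None for cleartext."""
    policy = select_policy(POLICY_GROUP, src, dst)
    return policy.seq if policy else None


if __name__ == "__main__":
    print(classify("192.168.1.10", "192.168.2.5"))   # 10: both match, lower seq wins
    print(classify("192.168.1.10", "192.168.3.5"))   # 20
    print(classify("10.0.0.1", "192.168.2.5"))        # None: forwarded in clear
    print(lookup_sa(SADB, 0x1234, "1.1.1.1", 50)["proposal"])  # tran1
```

The ordering rule is the practical one to remember when adding a broad catch-all policy to an existing group: give it the highest sequence number, otherwise it shadows the specific policies that follow it.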
6. IPsec configuration steps
Create an encryption access control list
Whether a packet matches the encryption access control list decides which IP packets are encrypted and which are forwarded in the clear. The data flows to be protected are defined with an extended IP access control list.
acl acl-number
rule {normal | special} {permit | deny} pro-number [source source-addr source-wildcard | any] [source-port operator port1 [port2]] [destination dest-addr dest-wildcard | any] [destination-port operator port1 [port2]] [icmp-type icmp-type icmp-code] [logging]
Define a security proposal
Create a security proposal: ipsec proposal proposal-name
Set the encapsulation mode the security protocol applies to IP packets: encapsulation-mode {transport | tunnel}
Select the security protocol: transform {ah-new | ah-esp-new | esp-new}
Select the encryption and authentication algorithms:
for ESP: esp encryption-algorithm {des | 3des | aes} and esp authentication-algorithm {md5 | sha1}
for AH: ah authentication-algorithm {md5 | sha1}
Create a security policy
The configuration for a manually created security policy includes:
Create the security policy manually: ipsec policy policy-name sequence-number manual
Configure the access control list referenced by the security policy: security acl access-list-number
Specify the start and end points of the secure tunnel: tunnel local ip-address
tunnel remote ip-address
Configure the security proposal referenced by the security policy: proposal proposal-name
Configure the SPI and the keys of the security policy's SAs
SPI configuration: sa inbound {ah | esp} spi spi-number
sa outbound {ah | esp} spi spi-number
Key configuration
AH hexadecimal key: sa {inbound | outbound} ah hex-key-string hex-key
AH string key: sa {inbound | outbound} ah string-key string-key
ESP hexadecimal key: sa {inbound | outbound} esp encryption-hex hex-key
ESP string key: sa {inbound | outbound} esp string-key string-key
Apply a security policy group on an interface
ipsec policy policy-name
The configuration for a security policy whose SAs are negotiated by IKE includes:
Create the security policy for IKE negotiation
ipsec policy policy-name sequence-number isakmp
Configure the access control list referenced by the security policy
security acl access-list-number
Specify the end point of the secure tunnel
tunnel remote ip-address
Configure the security proposals referenced by the security policy
proposal proposal-name1 [proposal-name2 ... proposal-name6]
Configure the lifetime of the security association (optional)
Global lifetime
ipsec sa global-duration time-based seconds
ipsec sa global-duration traffic-based kilobytes
Per-policy lifetime
sa duration {time-based seconds | traffic-based kilobytes}
IPsec configuration case: using the IPsec tunnel protocol to secure enterprise communication
Lab equipment: three Huawei AR1220 routers and one Huawei S5700 switch
Topology diagram:
Configuration process:
Switch (ports added to a VLAN this way must be in access mode):
vlan 10
port GigabitEthernet 0/0/10
vlan 20
port GigabitEthernet 0/0/20
vlan 24
port GigabitEthernet 0/0/24
interface Vlanif 10
ip address 1.1.1.2 255.255.255.0
interface Vlanif 20
ip address 1.1.2.2 255.255.255.0
interface Vlanif 24
ip address 1.1.3.2 255.255.255.0
R1 (its WAN interface sits in VLAN 10, so the default route points at the switch's 1.1.1.2)
system-view
sysname R1
interface Ethernet 0/0/0
ip address 192.168.1.1 24
loopback
interface Ethernet 0/0/1
ip address 1.1.1.1 24
quit
ip route-static 0.0.0.0 0 1.1.1.2
ping 1.1.2.1
R2
system-view
sysname R2
interface Ethernet 0/0/0
ip address 192.168.2.1 24
loopback
interface Ethernet 0/0/1
ip address 1.1.2.1 24
quit
ip route-static 0.0.0.0 0 1.1.2.2
ping 1.1.1.1
R3
system-view
sysname R3
interface Ethernet 0/0/0
ip address 192.168.3.1 24
loopback
interface Ethernet 0/0/1
ip address 1.1.3.1 24
quit
ip route-static 0.0.0.0 0 1.1.3.2
ping 1.1.1.1
Tunnel from R1 to R2 and R3
acl number 3000 match-order auto
rule 10 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
rule 20 deny ip source any destination any
acl number 3001 match-order auto
rule 10 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
rule 20 deny ip source any destination any
quit
Security proposals
ipsec proposal tran1
encapsulation-mode tunnel
transform esp
esp authentication-algorithm md5 (authentication algorithm)
esp encryption-algorithm des (encryption algorithm)
ipsec proposal tran2
encapsulation-mode tunnel
transform esp
esp authentication-algorithm md5
esp encryption-algorithm des
quit
Configure the IKE peers (the keyword simple stores the pre-shared key in cleartext in the configuration; cipher stores it encrypted)
ike peer R2
remote-address 1.1.2.1
pre-shared-key simple abcdef
ike peer R3
remote-address 1.1.3.1
pre-shared-key simple 123456
quit
Add the policies (policy 20 references acl 3001, the flow towards R3)
ipsec policy policy1 10 isakmp
ike-peer R2
security acl 3000
proposal tran1
ipsec policy policy1 20 isakmp
ike-peer R3
security acl 3001
proposal tran2
quit
Apply the policy group on the outbound interface
interface Ethernet 0/0/1
ipsec policy policy1
R2 to R1
acl number 3000 match-order auto
rule 10 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 20 deny ip source any destination any
quit
ipsec proposal tran1
encapsulation-mode tunnel
transform esp
esp authentication-algorithm md5
esp encryption-algorithm des
quit
ike peer R1
remote-address 1.1.1.1
pre-shared-key simple abcdef
quit
ipsec policy policy1 10 isakmp
ike-peer R1
security acl 3000
proposal tran1
quit
Apply the policy on the outbound interface
interface Ethernet 0/0/1
ipsec policy policy1
R3 to R1
acl number 3000 match-order auto
rule 10 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 20 deny ip source any destination any
quit
ipsec proposal tran1
encapsulation-mode tunnel
transform esp
esp authentication-algorithm md5
esp encryption-algorithm des
quit
ike peer R1
remote-address 1.1.1.1
pre-shared-key simple 123456
quit
ipsec policy policy1 10 isakmp
ike-peer R1
security acl 3000
proposal tran1
quit
Apply the policy on the outbound interface
interface Ethernet 0/0/1
ipsec policy policy1
That's it!
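Every tunnel in the case is configured twice, once per end, and most "the SA never comes up" problems are asymmetries between the two ends: a pre-shared key typed differently, a proposal with a different algorithm or mode, or a security ACL that is not the mirror image of the peer's. The following Python is an added example, not part of the case study and not a parser for the Huawei CLI: it transcribes the three routers' settings into dicts (the field names are constructed here) and checks each policy against the peer's reverse policy. The second function reproduces an easy slip, R1's second policy pointing at acl 3000 instead of 3001, and shows the check flagging it from both ends.

```python
# Added example (not part of the case study): a consistency check over the
# three routers' IPsec settings. The dicts transcribe the case-study
# configuration; the check, its field names and its messages are constructed.
import copy

ROUTERS = {
    "R1": {
        "wan_ip": "1.1.1.1",
        "acls": {3000: [("192.168.1.0/24", "192.168.2.0/24")],
                 3001: [("192.168.1.0/24", "192.168.3.0/24")]},
        "proposals": {"tran1": ("esp", "tunnel", "des", "md5"),
                      "tran2": ("esp", "tunnel", "des", "md5")},
        "ike_peers": {"R2": ("1.1.2.1", "abcdef"), "R3": ("1.1.3.1", "123456")},
        # (policy name, sequence number, ike peer, security acl, proposal)
        "policies": [("policy1", 10, "R2", 3000, "tran1"),
                     ("policy1", 20, "R3", 3001, "tran2")],
    },
    "R2": {
        "wan_ip": "1.1.2.1",
        "acls": {3000: [("192.168.2.0/24", "192.168.1.0/24")]},
        "proposals": {"tran1": ("esp", "tunnel", "des", "md5")},
        "ike_peers": {"R1": ("1.1.1.1", "abcdef")},
        "policies": [("policy1", 10, "R1", 3000, "tran1")],
    },
    "R3": {
        "wan_ip": "1.1.3.1",
        "acls": {3000: [("192.168.3.0/24", "192.168.1.0/24")]},
        "proposals": {"tran1": ("esp", "tunnel", "des", "md5")},
        "ike_peers": {"R1": ("1.1.1.1", "123456")},
        "policies": [("policy1", 10, "R1", 3000, "tran1")],
    },
}


def _by_wan_ip(routers, ip):
    """Name of the router whose tunnel endpoint address is ip, or None."""
    return next((n for n, r in routers.items() if r["wan_ip"] == ip), None)


def check(routers):
    """Return a list of human-readable problems; an empty list means consistent."""
    problems = []
    for name, cfg in routers.items():
        for pol_name, seq, peer, acl_id, prop in cfg["policies"]:
            where = f"{name} {pol_name} {seq}"
            remote_ip, key = cfg["ike_peers"][peer]
            other = _by_wan_ip(routers, remote_ip)
            if other is None:
                problems.append(f"{where}: remote-address {remote_ip} is not any router's WAN address")
                continue
            ocfg = routers[other]
            # the peer's policy that points back at this router
            reverse = [p for p in ocfg["policies"] if ocfg["ike_peers"][p[2]][0] == cfg["wan_ip"]]
            if not reverse:
                problems.append(f"{where}: {other} has no policy with remote-address {cfg['wan_ip']}")
                continue
            _, _oseq, opeer, oacl_id, oprop = reverse[0]
            if ocfg["ike_peers"][opeer][1] != key:
                problems.append(f"{where}: pre-shared key differs from {other}'s")
            if ocfg["proposals"][oprop] != cfg["proposals"][prop]:
                problems.append(f"{where}: proposal {prop} does not match {other}'s {oprop}")
            mirrored = {(d, s) for s, d in ocfg["acls"][oacl_id]}
            if set(cfg["acls"][acl_id]) != mirrored:
                problems.append(f"{where}: security acl {acl_id} is not the mirror of {other}'s acl {oacl_id}")
    return problems


def check_with_wrong_acl():
    """Constructed slip: R1's second policy references acl 3000 (the R2 flow)
    instead of 3001 (the R3 flow). Returns the problems the check reports."""
    bad = copy.deepcopy(ROUTERS)
    bad["R1"]["policies"][1] = ("policy1", 20, "R3", 3000, "tran2")
    return check(bad)


if __name__ == "__main__":
    print(check(ROUTERS))            # []
    for p in check_with_wrong_acl():
        print(p)                      # two acl-mismatch lines, one per end
```

The same transcription is worth keeping next to a lab, because the mismatch categories it checks (key, proposal, ACL mirror, endpoint address) are exactly what the debug output of a failed IKE negotiation makes you guess at.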
That covers the IPsec explanation and the tunnel case study. Have you learned the knowledge or skills? If you want to learn more skills or enrich your knowledge, you are welcome to follow the industry information channel.