2025-03-04 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
1. Experimental purpose
Master how a site-to-site VPN using IKE-negotiated IPSec is implemented on Huawei devices (HCNP exclusive supplementary course).
IPSec provides confidentiality, data-origin authentication, integrity and anti-replay protection for packets transmitted over the network, by encrypting and authenticating them at the IP layer.
The keys used by the IPSec encryption and authentication algorithms can be configured manually or negotiated dynamically through the Internet Key Exchange (IKE) protocol. IKE is built on the framework of the Internet Security Association and Key Management Protocol (ISAKMP). It uses the Diffie-Hellman (DH) algorithm to establish keys securely and to authenticate identities over an insecure network, thereby protecting the transmitted data. IKE improves the security of the keys and reduces the complexity of managing IPSec.
Purpose
Most data on the Internet is transmitted in clear text, which creates many risks: passwords and bank account information can be stolen or tampered with, user identities can be impersonated, and networks can be attacked maliciously. Once IPSec is deployed in the network, the transmitted data is protected, reducing the risk of information leakage.
Benefit
Through encryption and authentication, IPSec secures the transmission of user business data over the Internet in the following ways:
Data origin authentication: the receiver verifies that the sender's identity is legitimate.
Data encryption: the sender encrypts the data and transmits it over the Internet as ciphertext; the receiver decrypts it, or forwards it directly.
Data integrity: the receiver verifies the received data to determine whether it was tampered with in transit.
Anti-replay: the receiver rejects old or duplicate packets, preventing a malicious user from resending captured packets.
2. Implementation topology diagram
3. Lab steps
3.1 Routing
ip route-static 0.0.0.0 0.0.0.0 12.1.1.2    // this default route gives reachability to both the peer gateway (the encryption/decryption point) and the remote network behind it (the communication point)
3.2 Defining the ACL that matches the traffic of interest
This traffic will be protected by IPSec.
acl number 3000
 rule 5 permit ip source 10.1.10.0 0.0.0.255 destination 10.1.20.0 0.0.0.255
3.3 Configuring the IPSec proposal
ipsec proposal 10
 esp authentication-algorithm sha2-384
 esp encryption-algorithm aes-128
3.4 Configuring the IKE proposal
ike proposal 10
 encryption-algorithm aes-cbc-128
 dh group2
3.5 Configuring the IKE peer (the negotiating partner)
ike peer R2 v1
 pre-shared-key simple qytang
 ike-proposal 10
 remote-address 12.1.1.2
3.6 Configuring the IPSec policy (ties the ACL, peer and proposal together)
ipsec policy P1 10 isakmp
 security acl 3000
 ike-peer R2
 proposal 10
4. Applying the policy on the interface
interface GigabitEthernet0/0/0
 ip address 12.1.1.1 255.255.255.0
 ipsec policy P1
The configuration of AR2 is almost the same as that of AR1: most items are identical, and in the ACL the source and destination of the traffic are swapped. Refer to the following configuration.
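A single value that does not agree between the two gateways (an ACL that is not a true mirror, a different proposal or pre-shared key, a remote-address that is not the peer's interface) leaves the tunnel stuck in negotiation. The following Python script is an added example, not part of the lab or of Huawei's tooling: it parses both gateway configurations and checks that they are consistent with each other. The configuration text is constructed from the values in this lab; the regular expressions are the example's own.

```python
import re

# Constructed input: AR1's IPSec-relevant configuration from the lab above.
AR1_CONF = """\
acl number 3000
 rule 5 permit ip source 10.1.10.0 0.0.0.255 destination 10.1.20.0 0.0.0.255
ipsec proposal 10
 esp authentication-algorithm sha2-384
 esp encryption-algorithm aes-128
ike proposal 10
 encryption-algorithm aes-cbc-128
 dh group2
ike peer R2 v1
 pre-shared-key simple qytang
 remote-address 12.1.1.2
interface GigabitEthernet0/0/0
 ip address 12.1.1.1 255.255.255.0
"""
# AR2 is AR1 with the flow, peer name and addresses mirrored (constructed).
AR2_CONF = (AR1_CONF.replace("10.1.10.0 0.0.0.255 destination 10.1.20.0", "10.1.20.0 0.0.0.255 destination 10.1.10.0")
            .replace("remote-address 12.1.1.2", "remote-address 12.1.1.1")
            .replace("ip address 12.1.1.1", "ip address 12.1.1.2").replace("peer R2", "peer R1"))
# Line-anchored patterns so 'esp encryption-algorithm' is not confused with the IKE one.
PATTERNS = {
    "acl": r"^\s*rule \d+ permit ip source (\S+ \S+) destination (\S+ \S+)$",
    "esp_auth": r"^\s*esp authentication-algorithm (\S+)$",
    "esp_enc": r"^\s*esp encryption-algorithm (\S+)$",
    "ike_enc": r"^\s*encryption-algorithm (\S+)$",
    "dh": r"^\s*dh (\S+)$",
    "psk": r"^\s*pre-shared-key simple (\S+)$",
    "remote": r"^\s*remote-address (\S+)$",
    "local": r"^\s*ip address (\S+) \S+$",  # assumes the tunnel interface is listed first
}

def parse(conf):
    """Extract the values that must agree between two peers; a missing item becomes None."""
    found = {k: re.search(p, conf, re.M) for k, p in PATTERNS.items()}
    return {k: (m.groups() if m else None) for k, m in found.items()}

def check_peers(conf_a, conf_b):
    """Return the mismatches between two site-to-site gateways (empty list = consistent)."""
    a, b = parse(conf_a), parse(conf_b)
    findings = [f"{k} differs: {a[k]} vs {b[k]}"
                for k in ("esp_auth", "esp_enc", "ike_enc", "dh", "psk") if a[k] != b[k]]
    if a["remote"] != b["local"] or b["remote"] != a["local"]:
        findings.append("remote-address does not match the peer's interface address")
    if not (a["acl"] and b["acl"]) or a["acl"] != (b["acl"][1], b["acl"][0]):
        findings.append("ACL flows are not mirror images (check source/destination and wildcards)")
    return findings
```

Running check_peers on the two constructed configurations returns an empty list; a wildcard typo such as 0.0.255 on one side, or a different pre-shared key, is reported as a finding.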
acl number 3000
 rule 5 permit ip source 10.1.20.0 0.0.0.255 destination 10.1.10.0 0.0.0.255
#
ipsec proposal 10
 esp authentication-algorithm sha2-384
 esp encryption-algorithm aes-128
#
ike proposal 10
 encryption-algorithm aes-cbc-128
 dh group2
#
ike peer R1 v1
 pre-shared-key simple qytang
 ike-proposal 10
 remote-address 12.1.1.1
#
ipsec policy P1 10 isakmp
 security acl 3000
 ike-peer R1
 proposal 10
#
interface GigabitEthernet0/0/0
 ip address 12.1.1.2 255.255.255.0
 ipsec policy P1
#
interface GigabitEthernet0/0/2
 ip address 10.1.20.254 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 12.1.1.1
5. Verifying the IPSec state for troubleshooting
Verify:
[Gateway1] display ike sa
Conn-ID  Peer            VPN  Flag(s)  Phase
---------------------------------------------
2        12.1.1.2        0    RD|ST    2
1        12.1.1.2        0    RD|ST    1
Flag Description:
RD--READY  ST--STAYALIVE  RL--REPLACED  FD--FADING  TO--TIMEOUT
HRT--HEARTBEAT  LKG--LAST KNOWN GOOD SEQ NO.  BCK--BACKED UP

[Gateway1] dis ike peer
Number of IKE peers: 1
Peer name    Exchange mode    Remote name    NAT traversal
-----------------------------------------------------------
R2           Main                            Disable

[Gateway1] dis ike statistics v1
--- IKE V1 statistics information ---
Number of total peers: 18
Number of policy peers: 1
Number of profile peers: 17
Number of proposals: 2
Number of established V1 phase 1 SAs: 1
Number of established V1 phase 2 SAs: 1
Number of total V1 phase 1 SAs: 1
Number of total V1 phase 2 SAs: 1
Number of total SAs: 2
Keep alive time: 0
Keep alive interval: 0
keepalive spi list: Disable
---

[Gateway1] dis ipsec sa    // view the IPSec SAs; used to confirm that both gateways are encrypting and decrypting the data
===============================
Interface: GigabitEthernet0/0/0
Path MTU: 1500
===============================
-----------------------------
IPSec policy name: "P1"
Sequence number: 10
Acl Group: 3000
Acl rule: 5
Mode: ISAKMP
-----------------------------
Connection ID: 2
Encapsulation mode: Tunnel
Tunnel local: 12.1.1.1
Tunnel remote: 12.1.1.2
Flow source: 10.1.10.0 255.255.255.0
Qos pre-classify: Disable
[Outbound ESP SAs]
SPI: 1214314935 (0x4860f9b7)
Proposal: ESP-ENCRYPT-AES-128 SHA2-384-192
SA remaining key duration (bytes/sec): 1887283200/3079
Max sent sequence-number: 10
UDP encapsulation used for NAT traversal: N
[Inbound ESP SAs]
SPI: 2003986867 (0x777269b3)
Proposal: ESP-ENCRYPT-AES-128 SHA2-384-192
SA remaining key duration (bytes/sec): 1887436260/3079
Max received sequence-number: 9
Anti-replay window size: 32
UDP encapsulation used for NAT traversal: N

[Gateway1] dis ipsec policy
===============================
IPSec policy group: "P1"
Using interface: GigabitEthernet0/0/0
===============================
Sequence number: 10
Security data flow: 3000
Peer name: R2
Perfect forward secrecy: None
Proposal name: 10
IPSec SA local duration (time based): 3600 seconds
IPSec SA local duration (traffic based): 1843200 kilobytes
Anti-replay window size: 32
SA trigger mode: Automatic
Route inject: None
Qos pre-classify: Disable

[Gateway1] dis ipsec statistics esp
Inpacket count: 9
Inpacket auth count: 0
Inpacket decap count: 0
Outpacket count: 10
Outpacket auth count: 0
Outpacket encap count: 0
Inpacket drop count: 0
Outpacket drop count: 0
BadAuthLen count: 0
AuthFail count: 0
InSAAclCheckFail count: 0
PktDuplicateDrop count: 0
PktSeqNoTooSmallDrop count: 0
PktInSAMissDrop count: 0
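To make the ESP counters above actionable during troubleshooting, here is an added Python example (not from the lab or from Huawei's tooling) that parses the display ipsec statistics esp output and maps non-zero drop counters to a likely class of problem, including the anti-replay drops that correspond to the protection described in the Benefit section. The first sample is constructed from the counters shown above; the second is a constructed degraded capture; the cause mapping is this example's own heuristic.

```python
import re

# Constructed sample: the 'display ipsec statistics esp' counters from the lab,
# plus a second capture with authentication and anti-replay drops for contrast.
HEALTHY = """\
Inpacket count: 9
Inpacket auth count: 0
Inpacket decap count: 0
Outpacket count: 10
Outpacket auth count: 0
Outpacket encap count: 0
Inpacket drop count: 0
Outpacket drop count: 0
BadAuthLen count: 0
AuthFail count: 0
InSAAclCheckFail count: 0
PktDuplicateDrop count: 0
PktSeqNoTooSmallDrop count: 0
PktInSAMissDrop count: 0
"""
DEGRADED = HEALTHY.replace("AuthFail count: 0", "AuthFail count: 4").replace(
    "PktDuplicateDrop count: 0", "PktDuplicateDrop count: 7")

def parse_esp_stats(text):
    """Turn 'Name count: N' lines into a dict of integers keyed by counter name."""
    return {name.strip(): int(val)
            for name, val in re.findall(r"^(.+?) count:\s*(\d+)$", text, re.M)}

# Heuristics (this example's own, not Huawei documentation): which non-zero drop
# counter points at which class of problem on a site-to-site tunnel.
RULES = [
    ("AuthFail", "ESP authentication failures: proposal/key mismatch or tampered packets"),
    ("BadAuthLen", "ICV length mismatch: authentication algorithm differs between peers"),
    ("PktDuplicateDrop", "anti-replay drops: duplicate sequence numbers (replayed or looped packets)"),
    ("PktSeqNoTooSmallDrop", "anti-replay drops: packets older than the 32-packet window (reordering)"),
    ("InSAAclCheckFail", "decrypted traffic outside the ACL: peer's flow definition is not a mirror"),
    ("PktInSAMissDrop", "ESP for an unknown SPI: stale or rekeyed SA on one side"),
]

def diagnose(text):
    """Return a list of findings for one statistics capture; an empty list means healthy."""
    s = parse_esp_stats(text)
    findings = [f"{name}={s[name]}: {why}" for name, why in RULES if s.get(name, 0) > 0]
    if s.get("Outpacket", 0) > 0 and s.get("Inpacket", 0) == 0:
        findings.append("one-way traffic: we encrypt but receive no ESP (check the peer's ACL and route)")
    return findings
```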
Note that on eNSP the ACL does not necessarily show matches, as shown below:
dis acl all
Total quantity of nonempty ACL number is 1
Advanced ACL 3000, 1 rule
ACL's step is 5
 rule 5 permit ip source 10.1.10.0 0.0.0.255 destination 10.1.20.0 0.0.0.255
6. Viewing the protected packets
The following capture shows the ESP packets. The ICMP packets can no longer be seen because the data is encrypted.