Shulou(Shulou.com)05/31 Report--

The content of this article mainly focuses on how to configure IPsec. The content of the article is clear and clear. It is very suitable for beginners to learn and is worth reading. Interested friends can follow the editor to read together. I hope you can get something through this article!

Lab configuration steps:

The first phase: iaskmp SA (the object to be protected by IKE SA is related to the key)

IKE does not directly care about users' data, and IKE SA negotiates IPSec SA services for security.

1. Shared key or digital certificate

IKE uses the Diffie-Hellman algorithm, and the key calculates its own key through the peer.

Group1 key length is 768bit

Group2 key length is 1024bit

Group5 key length is 1536bit

The value of the key used for data encryption is calculated by the algorithm and cannot be defined and modified by the administrator

2. Verify neighbors (establish neighbors)

The second phase: IPsec SA (the user's data traffic is really delivered on the IPSec SA)

IPSec SA serves the user data flow directly, and all the security policies in IPSec SA are for the security of the user data flow.

1. Data encapsulation protocol (ESP\ AH is a security protocol)

2. Working mode (transmission\ transparent)

3. Encryption algorithm (DES\ 3DES\ AES)

4. Authentication method (MD5\ SHA)

Phase 3: define the stream of interest (communication segment, based on extended ACL)

Phase IV: security Association (SA)

1. Verify neighbors

2. Data encryption method

3. Stream of interest

Phase 5: interface call

R1

Router > enable

Router#configure terminal

Router (config) # hostname R1

R1 (config) # no ip domain-lookup

R1 (config) # service timestamps debug datetime localtime

R1 (config) # service timestamps log datetime localtime

R1 (config) # interface f0bin1

R1 (config-if) # ip address 10.1.1.1 255.255.255.0

R1 (config-if) # no shutdown

R1 (config-if) # exit

R1 (config) # interface f0bin0

R1 (config-if) # ip address 12.1.1.1 255.255.255.0

R1 (config-if) # no shutdown

R1 (config-if) # exit

R1 (config) # interface loop0

R1 (config-if) # ip address 1.1.1.1 255.255.255.0

R1 (config-if) # no shutdown

R1 (config-if) # exit

R1 (config) # ip route 0.0.0.0 0.0.0.0 12.1.1.2

R1 (config) # interface tunnel10

R1 (config-if) # tunnel source 12.1.1.1

R1 (config-if) # tunnel destination 23.1.1.3

R1 (config-if) # ip address 172.16.1.1 255.255.255.0

R1 (config-if) # tunnel mode gre ip

R1 (config-if) # no shutdown

R1 (config) # ip route 192.168.1.0 255.255.255.0 tunnel10

R1 (config) # crypto isakmp policy 10 IKE first phase authentication policy (to ensure key security)

R1 (config-isakmp) # authentication pre-share authentication method

R1 (config-isakmp) # encryption des IKE stage 1.5 encryption (data encryption, encryption method, default to DES)

R1 (config-isakmp) # group 2 key algorithm (Diffie-Hellman)

Group1 (768bit), group2 (1024bit), group5 (1536bit). Default is group1.

R1 (config-isakmp) # hash md5 authentication method

R1 (config-isakmp) # exit

R1 (config) # crypto isakmp key 6 cisco address 23.1.1.3 255.255.255.0 Authentication

R1 (config) # crypto isakmp keepalive 103 sends DPD detection × × × establishment every 10s, and does not reply within 3 seconds and sends it again 3 times.

R1 (config) # crypto ipsec transform-set cisco esp-des esp-md5-hmac isakmp policy, data encapsulation mode

R1 (cfg-crypto-trans) # mode tunnel mode, default is tunnel mode mode

R1 (cfg-crypto-trans) # exit

R1 (config) # ip access-list extended interested defines the stream of interest

R1 (config-ext-nacl) # permit gre host 12.1.1.1 host 23.1.1.3 hosts for local communication and hosts for peer communication

R1 (config-ext-nacl) # permit ip 10.1.1.0 0.0.255 192.168.1.0 0.0.255 tunnel mode defines the stream of interest

R1 (config-ext-nacl) # exit

R1 (config) # crypto map IPSec*** 10 ipsec-isakmp Security Association (associate the above data encapsulation methods, streams of interest)

R1 (config-crypto-map) # set peer 23.1.1.3

R1 (config-crypto-map) # set transform-set cisco

R1 (config-crypto-map) # match address interested

R1 (config-crypto-map) # exit

R1 (config) # interface f0bin0

R1 (config-if) # crypto map IPSec***

R1 (config) # ip access-list extended nat

R1 (config-ext-nacl) # 10 permit ip 1.1.1.0 0.0.255 any

R1 (config-ext-nacl) # exit

R1 (config) # int loop0

R1 (config-if) # ip nat inside

R1 (config-if) # int s0swap 0

R1 (config-if) # ip nat outside

R1 (config-if) # exit

R1 (config) # ip nat inside source list nat int f0bin0 overload

R1 (config) # ip nat inside source static udp 192.168.2.2 4500 interface f0UP 0 4500

R1 (config) # ip nat inside source static udp 192.168.2.2 500 interface f0UP 0 500

R3

Router > enable

Router#configure terminal

Router (config) # hostname R3

R3 (config) # no ip domain-lookup

R3 (config) # service timestamps debug datetime localtime

R3 (config) # service timestamps log datetime localtime

R3 (config) # interface f0Let0

R3 (config-if) # ip address 192.168.1.3 255.255.255.0

R3 (config-if) # no shutdown

R3 (config-if) # exit

R3 (config) # interface f0swap 1

R3 (config-if) # ip address 23.1.1.3 255.255.255.0

R3 (config-if) # no shutdown

R3 (config-if) # exit

R3 (config) # ip route 0.0.0.0 0.0.0.0 23.1.1.2

R3 (config) # interface tunnel11

R3 (config-if) # tunnel source 23.1.1.3

R3 (config-if) # tunnel destination 12.1.1.1

R3 (config-if) # ip address 172.16.1.3 255.255.255.0

R3 (config-if) # tunnel mode gre ip

R3 (config-if) # no shutdown

R3 (config-if) # exit

R3 (config) # ip route 10.1.1.0 255.255.255.0 tunnel11

R3 (config) # crypto isakmp policy 10

R3 (config-isakmp) # authentication pre-share

R3 (config-isakmp) # encryption des

R3 (config-isakmp) # group 2

R3 (config-isakmp) # hash md5

R3 (config-isakmp) # exit

R3 (config) # crypto isakmp key 6 cisco address 12.1.1.1 255.255.255.0

R3 (config) # crypto ipsec transform-set cisco esp-des esp-md5-hmac

R3 (cfg-crypto-trans) # mode tunnel

R3 (cfg-crypto-trans) # exit

R3 (config) # ip access-list extended interested

R3 (config-ext-nacl) # permit gre host 23.1.1.3 host 12.1.1.1

R3 (config-ext-nacl) # exit

R3 (config) # crypto map IPSec*** 10 ipsec-isakmp

R3 (config-crypto-map) # set peer 12.1.1.1

R3 (config-crypto-map) # set transform-set cisco

R3 (config-crypto-map) # match address interested

R3 (config-crypto-map) # exit

R3 (config) # interface serial 0Universe 1

R3 (config-if) # crypto map IPSec***

IPSec also has some disadvantages, such as complex configuration, consuming more computing resources, increasing latency, not supporting multicast and so on.

View policies:

Show crypto isakmp policy definition domain shared key establishment * connection

Show crypto engine connections active to view the number of encrypted and decrypted packets

Clear crypto isakmp clears IKE Phase 1

Clear crypto sa clears IKE Phase II

Traffic optimization:

Access-list 101 permit esp host 12.1.1.1 host 23.1.1.3

Access-list 101 permit udp host 12.1.1.1 host 23.1.1.3 eq isakmp

Access-list 101 permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255

First of all, there are MM (main mode) and savage mode in the first stage, and QM (fast mode) in the second stage.

Second, the last two messages in the main mode are encrypted to provide identity protection

The savage mode message integration is too high, so there is no identity protection function.

Savage mode (in this case, the responder cannot select the corresponding pre-shared key based on the IP address, that is, it does not rely on the IP address to identify the identity, which makes the savage mode more flexible)

View the results through display ike sa

1. The first phase of ike sa has been successfully established.

3. Ike uses version v1.

Peer status of this security alliance

Flag displays the status of this security alliance

RD (ready) indicates that the SA has been established successfully

ST (stayalive) indicates that this end is the initiator of channel negotiation.

RL (Replaced) indicates that this channel has been replaced by a new channel and will be deleted after a period of time

FD (Fading) indicates that this channel has experienced a soft timeout and is still in use. It will be deleted when the hard timeout occurs.

TO (timeout) indicates that the SA has not received the keepalive message since the last keepalive timeout. If the keepalive message is not received the next time the keepalive timeout occurs, the SA will be deleted.

TD (deleting) indicates that the SA is about to be deleted

NEG (negotiating) indicates that IKE SA is under negotiation, which is caused by some inconsistent parameters set at both ends of the tunnel.

D (DPD) indicates that DPD detection function is enabled and DPD detection is being done.

M (active) indicates that the IKE SA status is dominant

S (standby) indicates that the IKE SA status is standby

A (alone) indicates that the IKE SA status is not backed up between Alone,IPSec tunnels

The phase to which this SA belongs: Phase1: the stage in which a secure channel is established for communication, and the stage in which the ISAKMP SA Phase2 is established: the stage in which security services are negotiated. Establish IPSec SA at this stage

The security alliance is uniquely identified by three elements (security protocol number (AH or ESP), destination IP address, security parameter index (SPI,Security Parameter Index))

The security parameter index is a 32bite value generated to uniquely identify the SA, which is transmitted in the IPsec header.

IPSec-IKE barbaric mode

1. The problem of slow negotiation at both ends of the tunnel

2. the source address of the initiator is uncertain.

(when the initiator's IP address is dynamically assigned, the initiator's IP address cannot be known in advance by the responder, and both parties intend to use the pre-shared key verification method.)

ESP message can realize the confidentiality of the original IP header data in tunnel mode.

To configure a pre-shared key, it must be configured on both sides, and the keys on both sides must be the same

In tunnel mode in IPSEC, ESP does not validate the header field of the new IP message (tunnel mode encapsulates the new header and does not verify it)

IKE uses DH group2 default groups by default

Features that can be realized by AH (AH protocol, AH is a header verification protocol, which mainly provides functions such as data source verification, data integrity check and anti-message playback)

AH does not encrypt the protected data, so confidentiality cannot be achieved.

IKE Internet password Exchange Protocol: the IKE protocol is used to automatically negotiate the cryptographic algorithm used by AH and ESP

Thank you for your reading. I believe you have some understanding of "how to configure IPsec". Go to practice quickly. If you want to know more about it, you can follow the website! The editor will continue to bring you better articles!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.