2025-03-30 Update From: SLTechnology News&Howtos shulou (Network Security)
Shulou(Shulou.com)05/31 Report--
This article explains how to configure IPsec, using a lab in which two Cisco routers protect a GRE tunnel with IPsec and authenticate each other with a pre-shared key. The steps are laid out clearly and are well suited to beginners; follow along and try them in a lab.
Lab configuration steps:
Phase 1: ISAKMP SA (the IKE SA; what it protects is the key material)
IKE does not handle the user's data directly; the IKE SA exists so that the IPsec SA can be negotiated securely.
1. Pre-shared key or digital certificate
IKE uses the Diffie-Hellman algorithm: each peer computes the shared key from its own private value and the public value received from the other side.
Group1 key length is 768 bit
Group2 key length is 1024 bit
Group5 key length is 1536 bit
The key used for data encryption is derived by the algorithm; it cannot be defined or modified by the administrator.
2. Authenticate the neighbor (establish the neighbor relationship)
Phase 2: IPsec SA (the user's data traffic is actually carried in the IPsec SA)
The IPsec SA serves the user data flow directly; every security policy in the IPsec SA is there to protect the user data flow.
1. Encapsulation protocol (ESP or AH, the two security protocols)
2. Working mode (transport or tunnel)
3. Encryption algorithm (DES, 3DES, AES)
4. Authentication method (MD5, SHA)
Phase 3: define the interesting traffic (the communication segments to protect, based on an extended ACL)
Phase 4: security association (SA, the crypto map), which binds together:
1. the authenticated neighbor (peer)
2. the data encryption method (transform set)
3. the interesting traffic
Phase 5: apply the crypto map to the interface
R1
Router > enable
Router#configure terminal
Router (config) # hostname R1
R1 (config) # no ip domain-lookup
R1 (config) # service timestamps debug datetime localtime
R1 (config) # service timestamps log datetime localtime
R1 (config) # interface f0/1
R1 (config-if) # ip address 10.1.1.1 255.255.255.0
R1 (config-if) # no shutdown
R1 (config-if) # exit
R1 (config) # interface f0/0
R1 (config-if) # ip address 12.1.1.1 255.255.255.0
R1 (config-if) # no shutdown
R1 (config-if) # exit
R1 (config) # interface loop0
R1 (config-if) # ip address 1.1.1.1 255.255.255.0
R1 (config-if) # no shutdown
R1 (config-if) # exit
R1 (config) # ip route 0.0.0.0 0.0.0.0 12.1.1.2
R1 (config) # interface tunnel10
R1 (config-if) # tunnel source 12.1.1.1
R1 (config-if) # tunnel destination 23.1.1.3
R1 (config-if) # ip address 172.16.1.1 255.255.255.0
R1 (config-if) # tunnel mode gre ip
R1 (config-if) # no shutdown
R1 (config) # ip route 192.168.1.0 255.255.255.0 tunnel10
R1 (config) # crypto isakmp policy 10    (IKE Phase 1 policy: protects the key exchange)
R1 (config-isakmp) # authentication pre-share    (authentication method)
R1 (config-isakmp) # encryption des    (IKE Phase 1 encryption algorithm; the default is DES)
R1 (config-isakmp) # group 2    (Diffie-Hellman group: group1 = 768 bit, group2 = 1024 bit, group5 = 1536 bit; the default is group1)
R1 (config-isakmp) # hash md5    (hash algorithm)
R1 (config-isakmp) # exit
R1 (config) # crypto isakmp key 6 cisco address 23.1.1.3 255.255.255.0    (pre-shared key for the peer)
R1 (config) # crypto isakmp keepalive 10 3    (DPD: send a keepalive every 10 s; if no reply arrives within 3 s, resend, up to 3 times)
R1 (config) # crypto ipsec transform-set cisco esp-des esp-md5-hmac    (IPsec SA proposal: encapsulation protocol, encryption and authentication)
R1 (cfg-crypto-trans) # mode tunnel    (working mode; tunnel mode is the default)
R1 (cfg-crypto-trans) # exit
R1 (config) # ip access-list extended interested    (defines the interesting traffic)
R1 (config-ext-nacl) # permit gre host 12.1.1.1 host 23.1.1.3    (GRE between the local tunnel endpoint and the peer's tunnel endpoint)
R1 (config-ext-nacl) # permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255    (LAN-to-LAN interesting traffic in tunnel mode)
R1 (config-ext-nacl) # exit
R1 (config) # crypto map IPSec*** 10 ipsec-isakmp    (security association: binds the peer, the transform set above and the interesting traffic)
R1 (config-crypto-map) # set peer 23.1.1.3
R1 (config-crypto-map) # set transform-set cisco
R1 (config-crypto-map) # match address interested
R1 (config-crypto-map) # exit
R1 (config) # interface f0/0
R1 (config-if) # crypto map IPSec***
R1 (config-if) # exit
R1 (config) # ip access-list extended nat
R1 (config-ext-nacl) # 10 permit ip 1.1.1.0 0.0.0.255 any
R1 (config-ext-nacl) # exit
R1 (config) # interface loop0
R1 (config-if) # ip nat inside
R1 (config-if) # interface f0/0
R1 (config-if) # ip nat outside
R1 (config-if) # exit
R1 (config) # ip nat inside source list nat interface f0/0 overload
R1 (config) # ip nat inside source static udp 192.168.2.2 4500 interface f0/0 4500
R1 (config) # ip nat inside source static udp 192.168.2.2 500 interface f0/0 500
R3
Router > enable
Router#configure terminal
Router (config) # hostname R3
R3 (config) # no ip domain-lookup
R3 (config) # service timestamps debug datetime localtime
R3 (config) # service timestamps log datetime localtime
R3 (config) # interface f0/0
R3 (config-if) # ip address 192.168.1.3 255.255.255.0
R3 (config-if) # no shutdown
R3 (config-if) # exit
R3 (config) # interface f0/1
R3 (config-if) # ip address 23.1.1.3 255.255.255.0
R3 (config-if) # no shutdown
R3 (config-if) # exit
R3 (config) # ip route 0.0.0.0 0.0.0.0 23.1.1.2
R3 (config) # interface tunnel11
R3 (config-if) # tunnel source 23.1.1.3
R3 (config-if) # tunnel destination 12.1.1.1
R3 (config-if) # ip address 172.16.1.3 255.255.255.0
R3 (config-if) # tunnel mode gre ip
R3 (config-if) # no shutdown
R3 (config-if) # exit
R3 (config) # ip route 10.1.1.0 255.255.255.0 tunnel11
R3 (config) # crypto isakmp policy 10
R3 (config-isakmp) # authentication pre-share
R3 (config-isakmp) # encryption des
R3 (config-isakmp) # group 2
R3 (config-isakmp) # hash md5
R3 (config-isakmp) # exit
R3 (config) # crypto isakmp key 6 cisco address 12.1.1.1 255.255.255.0
R3 (config) # crypto ipsec transform-set cisco esp-des esp-md5-hmac
R3 (cfg-crypto-trans) # mode tunnel
R3 (cfg-crypto-trans) # exit
R3 (config) # ip access-list extended interested
R3 (config-ext-nacl) # permit gre host 23.1.1.3 host 12.1.1.1
R3 (config-ext-nacl) # exit
R3 (config) # crypto map IPSec*** 10 ipsec-isakmp
R3 (config-crypto-map) # set peer 12.1.1.1
R3 (config-crypto-map) # set transform-set cisco
R3 (config-crypto-map) # match address interested
R3 (config-crypto-map) # exit
R3 (config) # interface f0/1
R3 (config-if) # crypto map IPSec***
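An added example (not part of the original article): a small Python checker that compares the two ends of the lab above on the parameters that must match, namely the IKE Phase 1 policy, the pre-shared key, the transform set, the peer addresses and a mirrored interesting-traffic ACL. The config excerpts are constructed from the lab, with one deliberate mismatch (R3 uses hash sha) so that the checker has something to report; a NEG flag in the SA output is typically the symptom of exactly this kind of inconsistency.

```python
import re

# Constructed excerpts (not the page's complete configs) of the R1/R3 lines that must agree.
# R3 deliberately carries one mismatch (hash sha) so the checker has something to report.
R1_CFG = """crypto isakmp policy 10
 authentication pre-share
 encryption des
 group 2
 hash md5
crypto isakmp key 6 cisco address 23.1.1.3 255.255.255.0
crypto ipsec transform-set cisco esp-des esp-md5-hmac
 permit gre host 12.1.1.1 host 23.1.1.3
 set peer 23.1.1.3"""

R3_CFG = """crypto isakmp policy 10
 authentication pre-share
 encryption des
 group 2
 hash sha
crypto isakmp key 6 cisco address 12.1.1.1 255.255.255.0
crypto ipsec transform-set cisco esp-des esp-md5-hmac
 permit gre host 23.1.1.3 host 12.1.1.1
 set peer 12.1.1.1"""

def parse_ike_params(cfg):
    """Pull the parameters both peers must agree on out of an IOS config excerpt."""
    p = dict(re.findall(r"^\s*(authentication|encryption|group|hash) (\S+)$", cfg, re.M))
    m = re.search(r"^crypto isakmp key \d+ (\S+) address", cfg, re.M)
    p["psk"] = m.group(1) if m else None
    m = re.search(r"^crypto ipsec transform-set \S+ (.+)$", cfg, re.M)
    p["transform"] = m.group(1).strip() if m else None
    m = re.search(r"^\s*set peer (\S+)", cfg, re.M)
    p["peer"] = m.group(1) if m else None
    m = re.search(r"^\s*permit gre host (\S+) host (\S+)", cfg, re.M)
    p["gre"] = m.groups() if m else (None, None)   # (local endpoint, remote endpoint)
    return p

def check_peers(cfg_a, cfg_b):
    """Return the mismatches that would leave the IKE SA in NEG or the tunnel idle."""
    a, b = parse_ike_params(cfg_a), parse_ike_params(cfg_b)
    problems = [f"{k}: {a.get(k)} vs {b.get(k)}"
                for k in ("authentication", "encryption", "group", "hash", "psk", "transform")
                if a.get(k) != b.get(k)]
    # 'set peer' on each side must name the address the other side sources GRE/IKE from.
    if a["peer"] != b["gre"][0] or b["peer"] != a["gre"][0]:
        problems.append("set peer does not match the other side's tunnel source")
    # The interesting-traffic ACL must be the mirror image of the peer's.
    if a["gre"] != tuple(reversed(b["gre"])):
        problems.append("interesting-traffic ACL is not mirrored")
    return problems
```

Running check_peers(R1_CFG, R3_CFG) reports only the hash mismatch; paste in the real running-config excerpts from both routers to catch the same class of error before looking at the SA flags.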
IPsec also has some disadvantages: the configuration is complex, it consumes more computing resources, it adds latency, and it does not support multicast.
View the policies:
show crypto isakmp policy    (shows the defined IKE Phase 1 policies used to establish the connection)
show crypto engine connections active    (shows the number of packets encrypted and decrypted)
clear crypto isakmp    (clears the IKE Phase 1 SA)
clear crypto sa    (clears the Phase 2 IPsec SA)
Traffic optimization:
access-list 101 permit esp host 12.1.1.1 host 23.1.1.3
access-list 101 permit udp host 12.1.1.1 host 23.1.1.3 eq isakmp
access-list 101 permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
First, Phase 1 has two modes, main mode (MM) and aggressive mode; Phase 2 uses quick mode (QM).
Second, in main mode the last two messages are encrypted, which provides identity protection.
Aggressive mode packs too much into too few messages, so it has no identity protection.
Aggressive mode (here the responder cannot select the pre-shared key by the initiator's IP address; that is, identity is not tied to the IP address, which makes aggressive mode more flexible)
View the result with display ike sa:
1. The Phase 1 IKE SA has been established successfully.
3. IKE is using version v1.
Peer: the peer of this security association
Flag: the state of this security association
RD (ready): the SA has been established successfully
ST (stayalive): this end is the initiator of the tunnel negotiation
RL (replaced): this tunnel has been replaced by a new one and will be deleted after a period of time
FD (fading): this tunnel has passed its soft timeout but is still in use; it will be deleted when the hard timeout occurs
TO (timeout): the SA has not received a keepalive since the last keepalive timeout; if none arrives by the next keepalive timeout, the SA is deleted
TD (deleting): the SA is about to be deleted
NEG (negotiating): the IKE SA is still negotiating, which is caused by parameters set inconsistently at the two ends of the tunnel
D (DPD): DPD detection is enabled and is being performed
M (active): the IKE SA is the active (master) one
S (standby): the IKE SA is the standby one
A (alone): the IKE SA is not backed up between IPsec tunnels
Phase: the phase this SA belongs to. Phase 1 establishes the secure channel for communication (the ISAKMP SA); Phase 2 negotiates the security services (the IPsec SA).
A security association is uniquely identified by three elements: the security protocol number (AH or ESP), the destination IP address and the security parameter index (SPI).
The SPI is a 32-bit value generated to uniquely identify the SA; it is carried in the IPsec header.
IPsec IKE aggressive mode addresses:
1. the problem of slow negotiation between the two ends of the tunnel
2. an initiator whose source address is not fixed
(when the initiator's IP address is dynamically assigned, the responder cannot know it in advance, and both sides still want to use pre-shared-key authentication)
ESP in tunnel mode provides confidentiality for the original IP header.
A pre-shared key must be configured on both sides, and the keys on both sides must be identical.
In IPsec tunnel mode, ESP does not authenticate the header of the new (outer) IP packet (tunnel mode adds the new header but does not protect it).
IKE uses DH group 2 by default.
What AH can provide (AH, the Authentication Header protocol, mainly provides data origin authentication, data integrity checking and anti-replay).
AH does not encrypt the protected data, so it provides no confidentiality.
IKE (Internet Key Exchange): the IKE protocol automatically negotiates the cryptographic algorithms used by AH and ESP.