
Principle and configuration of IPSec Virtual Private Network implemented by CIsco Router

2025-02-02 Update From: SLTechnology News&Howtos (Network Security)


Shulou(Shulou.com)06/01 Report--

Blog outline:

I. Overview of Virtual Private Network

1. Definition of Virtual Private Network

2. Models and types of Virtual Private Network

(1) Connection modes of virtual private networks

(2) Types of virtual private networks

II. Virtual private network technology

1. Encryption technology

(1) Symmetric encryption algorithms

(2) Asymmetric encryption algorithms

(3) Key exchange

2. Data message verification

(1) HMAC function to implement verification

(2) MD5 and SHA

III. IPSec Virtual Private Network

1. IPsec connection

2. ISAKMP/IKE stage 1

3. ISAKMP/IKE stage 2

IV. Configuration to implement an IPSec virtual private network

Commands commonly used for troubleshooting

There is a lot of theoretical knowledge about virtual private networks, and reading it once or twice may not be enough to fully grasp it, so it is recommended that you come back to it whenever you have time!

I. Overview of Virtual Private Network

Virtual private network technology was originally developed to address the security risks of transmitting plaintext data over a network. Many protocols in the TCP/IP family, for example Telnet, FTP and TFTP, transmit in clear text. Unauthorized users may intercept this plaintext data by a variety of illegal means in order to profit from it, causing losses to enterprises and individuals.

Virtual private network technology can solve this problem to some extent. It encrypts the data transmitted over the public network, so that even if unauthorized users obtain the data by some means, they cannot understand its real meaning; it can also verify the identity of both parties to the data transmission, preventing unauthorized users from disguising themselves as legitimate users on the network.

1. Definition of Virtual Private Network

A virtual private network (VPN) is a protected connection established between two network entities. They may be directly connected by a point-to-point link, but usually they are far apart.

The word "protected" can be understood in the following ways:

Encryption technology is used to prevent data eavesdropping;
data integrity verification prevents data from being destroyed or tampered with;
an authentication mechanism confirms the identity of the communicating parties and prevents communication data from being intercepted and replayed.

In addition, the virtual private network defines the following functions:

What kind of traffic needs to be protected;
the mechanism by which the data is protected;
the process of data encapsulation.

A virtual private network in a real working environment does not necessarily include all of the functions mentioned above; this depends on the actual situation, and many enterprises may adopt more than one virtual private network solution.

2. Models and types of virtual private network

(1) Connection modes of virtual private networks

There are two basic connection modes for a virtual private network: transport mode and tunnel mode.

1) Transport mode

As shown in the figure:

The most prominent feature of transport mode is that the IP header is not re-encapsulated when the packet passes through the virtual private network, which means that the data travels from source to destination using the original IP addresses throughout. Only the actual data payload is encapsulated in the virtual private network message; for most virtual private network implementations this encapsulation is the encryption process, so an unauthorized user who intercepts the data cannot immediately read its content, but can clearly see the address information of both communicating parties.

Because the transport mode encapsulation is relatively simple (each packet is 20 bytes shorter than in tunnel mode), its transmission efficiency is higher, and it is mostly used when both communicating parties are in the same local area network.

2) Tunnel mode

As shown in the figure:

The difference between tunnel mode and transport mode is obvious. The virtual private network device encapsulates the entire layer 3 packet inside the virtual private network data and then adds a new IP header to the encapsulated packet. Because the new IP header carries the IP addresses of the virtual private network devices, an unauthorized user who intercepts the data can neither read the content of the actual payload nor learn the addresses of the real communicating parties.

Because tunnel mode has great advantages in security and flexibility, it is widely used in enterprise environments: communication between the head office and branches across the wide area network, mobile users accessing the company's internal resources from the public network, and many other cases use tunnel mode virtual private networks to encrypt data transmission.

(2) types of virtual private networks

Classified by the communication scenario, virtual private networks are divided into site-to-site virtual private networks and remote access virtual private networks.

1) Site-to-site virtual private network

A site-to-site virtual private network protects the traffic between two or more sites through tunnel mode between the virtual private network gateways. The traffic between sites is usually LAN-to-LAN (L2L) traffic. L2L virtual private networks are mostly used to transfer important business data over the public network between the head office and its branches, or between branches.

As shown in the figure:

For the end users of the two LANs, the network between the virtual private network gateways is transparent, just as if the two LANs were connected through a router. Terminal devices at the head office access the branch's network resources through the virtual private network, and the IP addresses in the packets they send are all intranet addresses (usually private addresses); the client knows nothing about the re-encapsulation of the packets performed by the virtual private network gateway.

2) Remote access virtual private network

A remote access virtual private network is usually used for the connection between a single user device and a virtual private network gateway; the single user device is generally a PC or a small office network. Because one end of the connection is a PC, many people assume that remote access virtual private networks use transport mode, but this kind of virtual private network often carries key data across the public network, and a single user is more likely to become the target of unauthorized users, so remote access virtual private networks require higher security and are better suited to tunnel mode.

In order to communicate in tunnel mode, the remote client must be assigned two IP addresses: its own NIC address and an intranet address. That is to say, while the virtual private network is being established, the remote client acts both as a virtual private network gateway (using the NIC address) and as an end user (using the intranet address).

As shown in the figure:

When a remote mobile user accesses the head office network in this way, it behaves like an ordinary user in the head office's local area network: not only does it use an address from the head office's network segment to access company resources, but because tunnel mode is used its real IP address is hidden, and the actual link used for the corporate communication appears transparent to the remote mobile user.

II. Virtual private network technology

1. Encryption technology

Encryption is the process of converting data into another form; without knowing the algorithm used for encryption, decryption is almost impossible.

The algorithms used by real virtual private network equipment are quite complex and generally involve sophisticated mathematics. These algorithms realize the basic functions of a virtual private network, such as data encryption, data integrity verification and identity authentication. Generally speaking, encryption algorithms fall into two categories: symmetric encryption and asymmetric encryption.

(1) Symmetric encryption algorithms

A symmetric encryption algorithm uses a single shared key to protect information. The encryption and decryption process of a symmetric algorithm is shown in the figure:

At present the most commonly used symmetric algorithms are DES, 3DES and AES.

1) DES algorithm

The DES algorithm, a product developed by IBM, has been widely used in the virtual private network field. Its key length is 64 bits, of which 8 bits are used for parity, so the effective key length is 56 bits. Although no better way of breaking the algorithm itself has been found, certain technical means can already crack DES in a short time, so it is not recommended for use in real project implementations.

2) 3DES algorithm

Theoretically, the 3DES algorithm is an enhanced version of DES: 3DES runs three stages of DES, that is, it uses three different 56-bit keys at the same time, which produces an effective key length of 168 bits. At present nobody has the ability to crack a key of this level in a short time, and although its execution is slow in software, the slowdown is not obvious in hardware.

3) AES algorithm

Although 3DES is secure so far, it will one day become insecure as computer hardware improves. The AES algorithm is more secure than 3DES: it supports key lengths of 128, 192 and 256 bits, and its effective key length can reach thousands of bits. More importantly, AES uses a more efficient implementation and consumes less CPU, so practical projects such as IPSec virtual private networks tend to use AES to provide better encryption.

(2) Asymmetric encryption algorithms

1) Algorithm principle

Asymmetric algorithms use two different keys, a public key and a private key, for encryption and decryption. Data encrypted with one key can only be decrypted with the other, and one key cannot be derived from the other. The encryption and decryption process of an asymmetric algorithm is shown in the figure:

2) Advantages and disadvantages of the algorithm

The biggest advantage of asymmetric encryption is its security: so far there is no way to break these algorithms within a reasonable amount of time.

Asymmetric encryption is not perfect, however. Because of its complex calculations, its computational efficiency is much lower than that of symmetric encryption.

3) DH algorithm

The commonly used asymmetric algorithms are RSA, DSA and DH. The first two are often used for authentication, while DH is generally used to implement the Internet Key Exchange (IKE) protocol in IPSec.

The principle of DH is a little different from a traditional asymmetric encryption algorithm: after exchanging public keys, each party uses its own private key and the other party's public key to calculate a shared key through the DH algorithm, and both parties then use that shared key to encrypt the transmitted data. In terms of principle, DH can be said to combine symmetric encryption with asymmetric encryption.

DH supports variable key lengths. Because the lengths of the public and private keys differ, the effective length of the shared key calculated by DH also differs; these lengths are defined by the DH key group. The longer the effective key length, the stronger the security and the higher the CPU usage on the device. Therefore the choice of DH group should consider two aspects: the security requirements of the network and the performance of the device itself.

(3) Key exchange

The solutions to key exchange are:

Out-of-band sharing: the two communicating parties share the key by means of a disk, a piece of paper or a phone call. The biggest disadvantage of this scheme is that the process takes a long time. If a large number of virtual private network devices are managed, or if the company has high security requirements for the key and it needs to be changed once an hour, this method is basically unusable.

In-band sharing: the key is transmitted over the network through Telnet, SSH or other connections. This method makes sharing the key more efficient, but it presupposes that the channel carrying the key is absolutely secure, while the purpose of transmitting the key is itself to establish a secure channel, which looks like a circular dependency.

In fact, this problem is solved by using an asymmetric encryption algorithm to encrypt the symmetric encryption key, and then using the symmetric encryption algorithm to encrypt the actual data to be transmitted.

2. Data message verification

Data message verification covers two aspects: data source authentication and message integrity verification.

(1) HMAC function to implement verification

In the virtual private network field, source and integrity verification of data is usually realized with hash algorithms. The HMAC (hash message authentication code) function is designed specifically for verification of data and data packets; it uses a shared symmetric key to produce a fixed-length output, the digital signature. HMAC belongs to the family of one-way hash algorithms, and hash algorithms are irreversible: the original data cannot be recovered from the hash.

A hash function in the traditional sense has a defect when it comes to securing data transmission: an eavesdropper on the Internet can intercept the transmitted data, tamper with its content, and recompute the fixed-length output with the hash algorithm, so the receiver has no way to know that someone tampered with the data. The HMAC function makes the key one of the inputs of the hash function, producing a fixed-length output, the digital signature; even if the eavesdropper intercepts and tampers with the data, he cannot produce the correct digital signature because he does not have the shared key, so HMAC prevents tampering (integrity verification). Likewise, because the shared key is only held by the real communicating parties, HMAC functions can also provide authentication.

As shown in the figure:

The HMAC algorithm works as follows:

(1) Both parties share the key used by the hash algorithm.

(2) Router A computes a digital signature over the user data and the shared key with the hash algorithm.

(3) Router A sends the digital signature together with the user data to Router B.

(4) Router B runs the same algorithm over the received data to obtain a digital signature.

(5) Router B checks whether its digital signature matches the one it received.

If the data is tampered with or damaged in transit, the digital signature calculated by the receiver with the hash algorithm will differ from the sender's, so it is known that the content was tampered with in transit. By the same token, if an eavesdropper impersonates one of the communicating parties, it may forge that party's identity information but can never forge the digital signature calculated over that identity information with the shared key.
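The five-step process above, as an added example that is not part of the original post: Router A signs the user data with the shared key, Router B recomputes and compares, and the same tampering attempt is run against a keyless hash to show why a plain hash is not enough. SHARED_KEY and the messages are constructed sample values.

```python
import hashlib
import hmac

# Shared key agreed out-of-band by Router A and Router B (constructed sample value).
SHARED_KEY = b"123456"


def sign(data: bytes, key: bytes, algo: str = "sha1") -> bytes:
    """Router A: hash the user data together with the shared key (the HMAC signature)."""
    return hmac.new(key, data, algo).digest()


def verify(data: bytes, signature: bytes, key: bytes, algo: str = "sha1") -> bool:
    """Router B: recompute the signature and compare it in constant time."""
    return hmac.compare_digest(sign(data, key, algo), signature)


def plain_hash_receiver_accepts(data: bytes, digest: bytes) -> bool:
    """A receiver protected only by a keyless hash, for comparison with HMAC."""
    return hashlib.sha1(data).digest() == digest


def demo() -> dict:
    original = b"transfer 100 to account 1001"
    tampered = b"transfer 900 to account 6666"   # what an eavesdropper rewrites in transit

    # Keyless hash: the eavesdropper recomputes the hash over the tampered data and the
    # receiver has no way to notice (exactly the defect described above).
    forged_plain = hashlib.sha1(tampered).digest()
    plain_fooled = plain_hash_receiver_accepts(tampered, forged_plain)

    # HMAC: the eavesdropper does not hold SHARED_KEY; the best it can do is reuse the
    # captured signature or sign with a guessed key, and Router B rejects both.
    sig = sign(original, SHARED_KEY)
    guessed = sign(tampered, b"guess")
    return {
        "plain_hash_fooled": plain_fooled,                                      # True
        "hmac_accepts_original": verify(original, sig, SHARED_KEY),             # True
        "hmac_rejects_tampered": not verify(tampered, sig, SHARED_KEY),         # True
        "hmac_rejects_guessed_key": not verify(tampered, guessed, SHARED_KEY),  # True
        "md5_len": len(sign(original, SHARED_KEY, "md5")),                      # 16 bytes
        "sha1_len": len(sig),                                                   # 20 bytes
    }
```

The two digest lengths match the 128-bit MD5 and 160-bit SHA-1 signatures discussed in the next section.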

(2) MD5 and SHA

MD5 (Message-Digest algorithm 5) is defined in RFC 1321. It produces a 128-bit digital signature and is the most widely used algorithm in HMAC functions.

SHA (Secure Hash Algorithm) was developed by NIST and adopted as a US national standard; the common variant is SHA-1, which produces a 160-bit (20-byte) signature.

It has now been demonstrated that different inputs can produce the same MD5 digital signature, which means an MD5 signature can be forged to some extent. SHA has a similar problem, and some claim that its digital signatures can be forged in theory. Because of this security risk, SHA-256 and SHA-512 were developed; they have longer signatures, and at the current level of computing power they eliminate the above risk.

III. IPSec Virtual Private Network

Implementing virtual private networks with IPSec technology is currently the most widely used approach.

1. IPsec connection

Establishing an IPSec virtual private network connection between peers takes three steps.

1) Traffic triggers IPSec

Generally speaking, the IPSec establishment process is triggered by traffic sent between the peers: once virtual private network traffic passes through the virtual private network gateway, the connection setup begins. Of course, it can also be started manually. Before configuring the device for this step, the network engineer needs to know which traffic must be "protected".

2) Establish a management connection

IPSec uses ISAKMP/IKE phase 1 to build a secure management connection. Note that this management connection is only preparatory work; it is not used to transfer actual data. Before configuring the device for this step, the network engineer needs to know how the device performs authentication, which encryption and authentication algorithms to use, which DH group to use, and so on.

3) Establish a data connection

On top of the secure management connection, IPSec negotiates a secure data connection; ISAKMP/IKE phase 2 is used to accomplish this task, and the data connection carries the real user data. Before configuring the device for this step, the network engineer needs to be clear about which security protocol to use, the encryption and authentication algorithms for that protocol, and the transmission mode of the data (tunnel mode or transport mode).

After these three steps, virtual private network traffic can be encrypted and decrypted according to the negotiated results. However, the virtual private network connection is not a one-time thing: both the management connection and the data connection have an associated lifetime, and the connection is terminated once it expires. If virtual private network data still needs to be transferred, the connection must be rebuilt; this design is mainly for security reasons.

2. ISAKMP/IKE stage 1

ISAKMP describes the framework of key management: it defines the message formats, the mechanism of the key exchange protocol and the negotiation process for building connections, while IKE (Internet Key Exchange) is a hybrid protocol that defines the generation, sharing and management of keys. IKE uses UDP port 500. In general the terms ISAKMP and IKE are used interchangeably.

The ISAKMP/IKE stage 1 exchange has two modes: main mode and aggressive mode. Aggressive mode is faster than main mode, and main mode is more secure than aggressive mode.

Regardless of whether the virtual private network is site-to-site or remote access, stage 1 must complete three tasks:

Negotiate how to establish the management connection;
share key material through the DH algorithm;
authenticate the peers to each other.

In main mode these three tasks are accomplished with six packets:

The first two packets negotiate which security policy the peers will use for the management connection (exchange of ISAKMP/IKE transform sets);
the middle two packets generate and exchange, through the DH algorithm, the keys required by the encryption algorithm and the HMAC function;
the last two packets use the pre-shared key to authenticate the peers to each other.

Note that the first four messages are transmitted in plaintext; transmission is encrypted from the fifth message onwards, and the key generated from the first four packets by the various algorithms is used to encrypt the fifth and sixth packets and all subsequent data.

(1) ISAKMP/IKE stage 1 establishment process

1) Exchange ISAKMP/IKE transform sets

An ISAKMP/IKE transform set is a set of security measures used to protect the management connection, covering the following aspects:

Encryption algorithm: DES, 3DES or AES;
HMAC algorithm: MD5 or SHA-1;
device authentication: pre-shared key;
DH key group: Cisco supports groups 1, 2, 5 and 7 (Cisco routers do not support key group 7);
lifetime of the management connection.

A device may have more than one transform set. When it initiates a connection it sends its list of transform sets (all of them) to the remote peer, which compares them against its own until a match is found. If no matching transform set is found after comparing all of them, the management connection cannot be established and the IPSec connection fails.

When the virtual private network is built with Cisco products, every item in the ISAKMP/IKE transform set except the lifetime must match for the connection to be established; if the lifetimes of the two peers differ, the smaller one is used. This is also the IPSec rule, but some vendors do not follow it, so when a Cisco device builds an IPSec connection with another vendor's device, take care that all parameters in the ISAKMP/IKE transform set match.
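The matching rule just described, written out as an added example (not code from the original post): both peers' policy lists are walked in priority order, the suite must match exactly except for the lifetime, and the smaller lifetime wins unless strict matching is requested for a third-party peer. R1's policy 1 mirrors the configuration shown later; the R2 policies and the 65535 priority used for the default suite are assumptions for the example.

```python
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int          # crypto isakmp policy <n>: lower value = higher priority
    encryption: str        # des | 3des | aes
    hash: str              # md5 | sha
    authentication: str    # pre-share | rsa-encr | rsa-sig
    group: int             # DH group: 1, 2, 5, 14, ...
    lifetime: int          # seconds


def same_suite(a: IsakmpPolicy, b: IsakmpPolicy) -> bool:
    """Everything except the lifetime must match exactly."""
    return (a.encryption, a.hash, a.authentication, a.group) == \
           (b.encryption, b.hash, b.authentication, b.group)


def negotiate(initiator: List[IsakmpPolicy], responder: List[IsakmpPolicy],
              strict_lifetime: bool = False) -> Optional[IsakmpPolicy]:
    """Pick the first compatible policy pair, walking both lists in priority order.

    strict_lifetime=False is the IPSec/Cisco rule: differing lifetimes are allowed and
    the smaller one is used. strict_lifetime=True models a vendor that also requires
    the lifetimes to be identical.
    """
    for ip in sorted(initiator, key=lambda p: p.priority):
        for rp in sorted(responder, key=lambda p: p.priority):
            if not same_suite(ip, rp):
                continue
            if strict_lifetime and ip.lifetime != rp.lifetime:
                continue
            return replace(rp, lifetime=min(ip.lifetime, rp.lifetime))
    return None   # no match in any transform set: the management connection fails


# Policy 1 as configured on R1 below, plus the Cisco default suite (rsa-sig) at the
# lowest priority (65535 assumed here).
R1_POLICIES = [
    IsakmpPolicy(1, "des", "sha", "pre-share", 1, 86400),
    IsakmpPolicy(65535, "des", "sha", "rsa-sig", 1, 86400),
]
# Constructed policies for the peer R2: a preferred AES policy and a DES fallback with
# a shorter lifetime.
R2_POLICIES = [
    IsakmpPolicy(10, "aes", "sha", "pre-share", 2, 3600),
    IsakmpPolicy(20, "des", "sha", "pre-share", 1, 3600),
]
```

With these lists the peers agree on R2's policy 20 with a 3600-second lifetime; with strict lifetime matching, or if R2 offered only its AES policy, the negotiation fails.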

2) Key exchange through the DH algorithm

DH is an asymmetric algorithm, so each peer generates a public/private key pair and shares its public key with the other. Each virtual private network peer then combines the other party's public key with its own private key in a mathematical operation to produce a secure shared key. Even if someone intercepts the exchange, the shared key cannot be derived from it without a private key.
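The exchange described here and in section II.(3) above, as an added example (not code from the original post). It uses the 1024-bit prime and generator of IKE DH group 2 as published in RFC 2409 (copied here, so verify against the RFC before relying on it), derives the shared key on both sides, and includes a brute-force routine that only works on a toy group to show why group size matters. Hashing the raw secret with SHA-1 is a simplification of IKE's real key derivation.

```python
import hashlib
import secrets

# IKE DH group 2: 1024-bit MODP prime and generator 2 (RFC 2409 section 6.2).
# Copied for this example; check against the RFC before relying on it.
DH_GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
DH_GROUP2_G = 2


class DhPeer:
    """One IKE peer's half of the exchange carried in main-mode messages 3 and 4."""

    def __init__(self, p: int = DH_GROUP2_P, g: int = DH_GROUP2_G):
        self.p, self.g = p, g
        self.private = secrets.randbelow(p - 2) + 1    # stays on the device, never sent
        self.public = pow(g, self.private, p)          # the value sent to the peer

    def shared_key(self, peer_public: int) -> bytes:
        # Reject 0, 1 and p-1: with those public values the shared secret is predictable.
        if not 1 < peer_public < self.p - 1:
            raise ValueError("invalid peer public value")
        secret = pow(peer_public, self.private, self.p)
        # Hashing the raw secret is a simplification of IKE's SKEYID derivation.
        nbytes = (self.p.bit_length() + 7) // 8
        return hashlib.sha1(secret.to_bytes(nbytes, "big")).digest()


def exchange(p: int = DH_GROUP2_P, g: int = DH_GROUP2_G):
    """Run the exchange between two peers and return the key each side derived."""
    r1, r2 = DhPeer(p, g), DhPeer(p, g)
    return r1.shared_key(r2.public), r2.shared_key(r1.public)


def brute_force_private(public: int, p: int, g: int) -> int:
    """What an eavesdropper holding only g, p and one public value would have to do:
    try every exponent. Feasible for a toy group such as p=23, hopeless at 1024 bits."""
    for x in range(1, p - 1):
        if pow(g, x, p) == public:
            return x
    raise ValueError("not found")
```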

3) Authentication between devices

The most common method of device authentication is the pre-shared key, that is, a key shared out-of-band between the peers and stored locally on each device. Device verification can be realized with an encryption algorithm or with an HMAC function; encryption algorithms are rarely used for authentication, and in most cases it is implemented with the HMAC function.

(2) ISAKMP/IKE Phase 1 related configuration commands

This blog post takes a Cisco router as the example!

1) Configure the security policy

An ISAKMP/IKE policy contains the following parameters: the policy sequence number, encryption algorithm, hash algorithm, authentication method, DH group, lifetime, and so on. The commands are as follows:

R1(config)# crypto isakmp policy 1            // create the ISAKMP/IKE policy for the management connection
                                              // each policy has a sequence number from 1 to 10000; the lower the value, the higher the priority
R1(config-isakmp)# encryption des             // specify the encryption algorithm (des, 3des, aes)
R1(config-isakmp)# hash sha                   // specify the hash algorithm for the last two (authentication) messages of the management connection (sha, md5)
R1(config-isakmp)# authentication pre-share   // specify the device authentication method {pre-share (pre-shared key) | rsa-encr | rsa-sig}
R1(config-isakmp)# group 1                    // specify the DH key group; DH group 1 is used by default
                                              // the larger the group number, the more secure the algorithm and the more device resources it uses; range (1, 2, 5, 14, 15, 16)
R1(config-isakmp)# lifetime 86400             // specify the lifetime of the management connection; the default is 86400 s (24 hours)

R1# show crypto isakmp policy                 // view the security policy configuration
Global IKE policy
Protection suite of priority 1                // the parameters specified in policy 1
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite                      // the default configuration parameters
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit

2) Configure the pre-shared key

R1(config)# crypto isakmp key 0 123456 address 192.168.1.1
                                              // 0 means the key is given in clear text, 6 means ciphertext
                                              // 123456 is the key itself
                                              // 192.168.1.1 is the peer device address with which the key is shared;
                                              // if no subnet mask follows the address, a 32-bit mask is used by default

R1# show crypto isakmp key                    // view the pre-shared key configuration; a plaintext key is shown,
                                              // a key stored as ciphertext is not displayed
Keyring      Hostname/Address      Preshared Key
default      192.168.1.1           123456

The key can also be seen in plaintext through "show run".

To improve security, IOS version 12.3(2)T added an option to encrypt the key, but the device's IOS image must support AES encryption. It is used as follows:

R1(config)# key config-key password-encrypt
New key:
Confirm key:                                  // the password must be at least 8 characters
R1(config)# password encryption aes
R1# show run
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key 6 GZF]iBT^d_eBMHQT^HIhZ`XFJhAAB address 192.168.1.1
!                                             // only the encrypted form of the key is visible
R1(config)# no key config-key password-encrypt   // this makes the shared key unusable
WARNING: All type 6 encrypted keys will become unusable
Continue with master key deletion? [yes/no]: yes

3. ISAKMP/IKE stage 2

ISAKMP/IKE phase 2 establishes the data connection between the two IPSec peers and accomplishes the following tasks:

Define what traffic needs to be protected between the peers;
define the security protocol used to protect the data;
define the transmission mode;
define the lifetime of the data connection and how the keys are refreshed.

IPSec peers generally use an ACL to match the virtual private network traffic that needs to be encrypted.

(1) ISAKMP/IKE phase 2 establishment process

1) Security association

IPSec needs to establish a logical connection between the peers, and it does so with a signalling construct called the security association (SA). This is necessary because the connectionless IP protocol has to be turned into a connection-oriented one before IPSec can run securely. An SA is a one-way connection from the source to the destination; two-way communication requires two SAs, one in each direction.

An SA is defined by three elements:

Security parameter index (SPI): uniquely identifies each SA;
type of security protocol: IPSec defines two security protocols, AH (Authentication Header) and ESP (Encapsulating Security Payload);
destination IP address.

A notable feature of ISAKMP/IKE phase 2 is that the data connection actually consists of two one-way connections; because both are encrypted and authenticated in the same way, this feature is hard to observe.

2) ISAKMP/IKE phase 2 transform set

The transform set of a data connection defines how the data connection is protected. As with the transform set of the management connection, a peer can hold one or more transform sets, but the details differ:

Security protocol: AH or ESP;
connection mode: tunnel mode or transport mode;
encryption method: for ESP, DES, 3DES, AES-128, AES-192, AES-256 or no encryption;
authentication method: MD5 or SHA-1.

3) ISAKMP/IKE phase 2 security protocols

An IPSec data connection can be protected by two security protocols, AH and ESP. One of them can be used alone to encrypt and verify data (for example ESP), or the two can be used together. AH uses IP protocol number 51 and ESP uses IP protocol number 50.

1. AH protocol

The AH protocol is defined in RFC 2402 and provides the following security features:

Data integrity;
data origin authentication;
protection against replay of data.

AH protects the entire packet except for mutable fields such as the TTL and TOS fields of the IP header. As shown in the figure:

Next header: this one-octet field gives the type of payload carried by the IP packet (TCP, UDP, ICMP, OSPF, etc.); it has the same function as the protocol field of the IP header before encapsulation.
Payload length: despite its name, this one-octet field does not give the length of the payload; it only gives the length of the AH header.
Security Parameter Index (SPI): this 32-bit field is a number assigned by the receiving device to uniquely identify a one-way connection, and it can provide more than 100 million identifiers.
Sequence number: this 32-bit field provides ordering information for datagrams to prevent replay; even if a datagram is retransmitted the sequence number is never repeated, and when it reaches 2^32 it does not wrap around but a new connection must be established.
Integrity check value (ICV): this field provides verification; it is the digital signature produced by an HMAC function such as MD5 or SHA. In AH the ICV is computed over the complete IP packet, that is, it verifies the integrity of the entire IP packet.

As the message structure shows, AH only implements authentication and provides no form of data encryption, and precisely because it authenticates the whole IP packet it cannot be used with NAT or PAT.
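The AH header fields just described, as an added example that is not code from the original post: it builds and parses the header, computes a truncated HMAC-SHA1 ICV, refuses a zero SPI and an exhausted sequence number, and implements the receiver's sliding anti-replay window. The key, SPI and fake TCP bytes are constructed sample values; the 96-bit ICV length and the 64-packet window size are the common AH defaults assumed here.

```python
import hashlib
import hmac
import struct

AH_PROTOCOL = 51                 # IP protocol number carried by the outer IP header
AH_FIXED_LEN = 12                # next header, payload len, reserved, SPI, sequence number
ICV_LEN = 12                     # HMAC-SHA1-96 / HMAC-MD5-96: 96-bit truncated signature
SEQ_MAX = 2 ** 32 - 1            # after this value the SA must be re-established


def ah_icv(key: bytes, packet: bytes) -> bytes:
    """ICV over the whole IP packet; the caller zeroes the mutable fields (TTL, TOS,
    checksum) and the ICV field itself before calling, as the AH rules require."""
    return hmac.new(key, packet, hashlib.sha1).digest()[:ICV_LEN]


def build_ah(next_header: int, spi: int, seq: int, icv: bytes) -> bytes:
    if not 0 < spi < 2 ** 32:
        raise ValueError("SPI must be a non-zero 32-bit value")
    if not 0 < seq <= SEQ_MAX:
        raise ValueError("sequence number exhausted: re-key the SA")
    # Payload length = length of the AH header in 32-bit words, minus 2 (RFC 2402).
    payload_len = (AH_FIXED_LEN + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv


def parse_ah(data: bytes):
    """Return (header fields, remaining payload) for an AH header at the start of data."""
    nh, plen, _reserved, spi, seq = struct.unpack("!BBHII", data[:AH_FIXED_LEN])
    total = (plen + 2) * 4
    fields = {"next_header": nh, "payload_len": plen, "spi": spi,
              "seq": seq, "icv": data[AH_FIXED_LEN:total], "header_len": total}
    return fields, data[total:]


class ReplayWindow:
    """Sliding anti-replay window (64 packets) kept per one-way SA by the receiver."""

    def __init__(self, size: int = 64):
        self.size, self.top, self.bitmap = size, 0, 0

    def accept(self, seq: int) -> bool:
        if seq == 0:
            return False
        if seq > self.top:                       # new highest number: slide the window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) if shift < self.size else 1
            self.bitmap &= (1 << self.size) - 1
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size or self.bitmap & (1 << diff):
            return False                         # too old, or already seen: a replay
        self.bitmap |= 1 << diff
        return True


def roundtrip_demo() -> dict:
    """Constructed sample: sign a fake TCP segment, wrap it in AH, parse and verify it."""
    key = b"constructed-ah-key"
    tcp_segment = b"\x00\x50\x1f\x90" + b"A" * 16     # fake TCP bytes, not a real packet
    icv = ah_icv(key, tcp_segment)
    packet = build_ah(6, 0x1000, 1, icv) + tcp_segment
    fields, payload = parse_ah(packet)
    return {"fields": fields,
            "payload_ok": payload == tcp_segment,
            "icv_ok": hmac.compare_digest(fields["icv"], ah_icv(key, payload))}
```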

2. ESP protocol

ESP is defined in RFC 2406 and differs from AH as follows:

ESP encrypts the user data;
ESP only authenticates the payload of the IP packet, not the outer IP header.

Therefore, if an unauthorized user tampers with the IP header, ESP cannot detect it. NAT also modifies the outer IP header, which is why ESP can be used together with NAT: AH cannot coexist with NAT in any form, but ESP can, and with NAT-T technology ESP can even coexist with PAT.

By default ESP cannot traverse a PAT device, because PAT modifies the port information in the transport layer header, and in ESP encapsulation that header is encrypted, so PAT cannot change the ports. NAT-T makes PAT work by adding an extra transport layer header.

As shown in the figure:

ESP header: the SPI field and sequence number have the same function as the corresponding fields in the AH message structure.

ESP trailer: the padding is used to reduce the chance that the payload can be eavesdropped and guessed; the padding length defines the number of bytes of padding; the next header field has the same function as the corresponding field in AH.

ICV: still provides verification, but here the ICV is the HMAC digest computed only over the payload of the IP data message, not over the outer IP header.

(2) ISAKMP/IKE Phase 2 related configuration commands

The configuration process for ISAKMP/IKE Phase 2 consists of three parts:

1) configure Crypto ACL

One way to define which traffic needs to be protected is to create a Crypto ACL, an ACL whose entries match the IPSec virtual private network traffic. The configuration commands are as follows:

access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
// define an extended ACL that allows the 192.168.10.0 network segment to access the 192.168.20.0 network segment
// normally the Crypto ACLs on the two peer devices are mirror images of each other

2) configure the phase 2 transform set

Multiple transform sets can be configured between IPSec peers for the data connections; at least one matching pair must exist at both ends so that the data SA of ISAKMP/IKE phase 2 can be negotiated successfully. The transform sets a device offers are determined by its capabilities. If all peer devices have similar capabilities, a common transform set can be used; if the devices differ noticeably, multiple transform sets are usually required. The configuration commands are as follows:

R1(config)# crypto ipsec transform-set accp-set esp-des ah-sha-hmac
// define the transform set name (the name must be unique) followed by its options: esp-des for encryption, ah-sha-hmac for AH authentication
R1(cfg-crypto-trans)# mode tunnel
// use tunnel mode
R1# show crypto ipsec transform-set
// view the transform sets on the router
Transform set accp-set: { ah-sha-hmac } will negotiate = { Tunnel, }, { esp-des } will negotiate = { Tunnel, },

Transform set options, as shown in the figure:

If the transform set configuration is changed after a data connection has been established, the existing SA is not affected: it is not renegotiated until its lifetime expires or it is cleared manually (with the "clear crypto sa" or "clear crypto ipsec sa" command).

3) configure Crypto Map

The function of a Crypto Map is to organize all of this information together to build an IPSec session. Usually only one Crypto Map is applied on a given router interface; since a router can protect traffic on multiple interfaces, multiple Crypto Maps may be required.

There are two types of Crypto Map: static Crypto Map and dynamic Crypto Map. A static Crypto Map is usually used when building an L2L (LAN-to-LAN) session. The configuration commands are as follows:

R1(config)# crypto map benet-map 1 ipsec-isakmp
// create a Map named benet-map with sequence number 1; the sequence number range is 1~65535, and the lower the value, the higher the priority
% NOTE: This new crypto map will remain disabled until a peer and a valid access list have been configured.
// this is a normal hint: the Map does not yet have a peer or ACL configured
R1(config-crypto-map)# match address 100
// call the ACL by name or number
R1(config-crypto-map)# set peer 192.168.2.1
// set the peer device
R1(config-crypto-map)# set transform-set accp-set
// transform set name; up to six can be specified
R1(config-crypto-map)# set pfs group1
// enable PFS and choose the DH key group; this is an optional command, and the DH group defined earlier is 1
R1(config-crypto-map)# set security-association lifetime seconds 1800
// specify the lifetime of the SA. By default a Cisco device sets the lifetime of the data connection to 3600s or 4608000KB, which is equivalent to the traffic transmitted at a 10MB/s rate within one hour
R1(config-crypto-map)# set security-association idle-time 60
// set the idle timeout timer, range 60~86400s; by default the idle timeout timer is off

IV. Configuration implementation of IPSec Virtual Private Network

(1) case Topology

(2) case requirements

PC1 accesses PC3 through virtual private network

PC1 accesses PC2

(3) case implementation

1) configure the IP addresses of the PCs and routers

Configuration of PC1:

PC1(config)# int f0/0
PC1(config-if)# ip add 192.168.1.100 255.255.255.0
PC1(config-if)# no sh
PC1(config-if)# ip route 0.0.0.0 0.0.0.0 192.168.1.1

Configuration of PC2:

PC2(config)# int f0/0
PC2(config-if)# ip add 50.0.0.100 255.255.255.0
PC2(config-if)# no sh
PC2(config-if)# ip route 0.0.0.0 0.0.0.0 50.0.0.1

Configuration of PC3:

PC3(config)# int f0/0
PC3(config-if)# ip add 192.168.2.100 255.255.255.0
PC3(config-if)# no sh
PC3(config-if)# ip route 0.0.0.0 0.0.0.0 192.168.2.1

Configuration of R1:

R1(config)# int f0/0
R1(config-if)# ip add 192.168.1.1 255.255.255.0
R1(config-if)# no sh
R1(config-if)# int f1/0
R1(config-if)# ip add 20.0.0.1 255.255.255.0
R1(config-if)# no sh
R1(config-if)# ip route 0.0.0.0 0.0.0.0 20.0.0.2

Configuration of R2:

R2(config)# int f1/0
R2(config-if)# ip add 20.0.0.2 255.255.255.0
R2(config-if)# no sh
R2(config-if)# int f0/0
R2(config-if)# ip add 50.0.0.1 255.255.255.0
R2(config-if)# no sh
R2(config-if)# int f2/0
R2(config-if)# ip add 30.0.0.1 255.255.255.0
R2(config-if)# no sh
// R2 only needs its IP addresses configured

Configuration of R3:

R3(config)# int f2/0
R3(config-if)# ip add 30.0.0.2 255.255.255.0
R3(config-if)# no sh
R3(config-if)# int f0/0
R3(config-if)# ip add 192.168.2.1 255.255.255.0
R3(config-if)# no sh
R3(config-if)# ip route 0.0.0.0 0.0.0.0 30.0.0.1

2) configure the ISAKMP policy

Configuration of R1:

R1(config)# crypto isakmp policy 1
// configure an ISAKMP/IKE policy with sequence number 1; the smaller the value, the higher the priority
R1(config-isakmp)# encryption 3des
// use the 3DES algorithm for encryption
R1(config-isakmp)# hash sha
// use the SHA hashing algorithm to verify data integrity
R1(config-isakmp)# authentication pre-share
// device authentication using a pre-shared key
R1(config-isakmp)# group 2
// specify the DH key group; the larger the group number, the more secure
R1(config-isakmp)# lifetime 10000
// the lifetime of the management connection is 10000s
R1(config)# crypto isakmp key 0 123456 address 30.0.0.2
// establish a peer relationship with 30.0.0.2 using the plaintext key 123456

Configuration of R3:

R3(config)# crypto isakmp policy 1
R3(config-isakmp)# encryption 3des
R3(config-isakmp)# hash sha
R3(config-isakmp)# authentication pre-share
R3(config-isakmp)# group 2
R3(config-isakmp)# lifetime 10000
R3(config)# crypto isakmp key 0 123456 address 20.0.0.1
// the peer configuration is almost the same

3) configure the Crypto ACL

Why configure an ACL? Note: when both NAT and virtual private network traffic exist on the router, NAT is applied to the traffic by default, so the ACLs must be used to separate the two!

Configuration of R1:

R1(config)# access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
// configure an ACL that allows the 192.168.1.0 segment to access the 192.168.2.0 segment

Configuration of R3:

R3(config)# access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
// configure an ACL that allows the 192.168.2.0 segment to access the 192.168.1.0 segment

4) configure the IPSec transform set

Configuration of R1:

R1(config)# crypto ipsec transform-set R1-set esp-des ah-sha-hmac
// create the transform set named R1-set: the esp-des algorithm for encryption and the ah-sha-hmac algorithm for authentication
R1(cfg-crypto-trans)# mode tunnel
// select tunnel mode; tunnel mode is the default
R1(cfg-crypto-trans)# exit
R1(config)# crypto ipsec security-association lifetime seconds 1800
// the SA lifetime can also be set in global configuration mode

Configuration of R3:

R3(config)# crypto ipsec transform-set R3-set esp-des ah-sha-hmac
R3(cfg-crypto-trans)# mode tunnel
R3(cfg-crypto-trans)# exit
R3(config)# crypto ipsec security-association lifetime seconds 1800

5) configure the Crypto Map

Configuration of R1:

R1(config)# crypto map R1-map 1 ipsec-isakmp
// create a Crypto Map named R1-map with sequence number 1; the smaller the number, the higher the priority
% NOTE: This new crypto map will remain disabled until a peer and a valid access list have been configured.
R1(config-crypto-map)# set peer 30.0.0.2
// set the peer to 30.0.0.2
R1(config-crypto-map)# set transform-set R1-set
// specify the transform set
R1(config-crypto-map)# match address 100
// call the ACL created above

Configuration of R3:

R3(config)# crypto map R3-map 1 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer and a valid access list have been configured.
R3(config-crypto-map)# set peer 20.0.0.1
R3(config-crypto-map)# set transform-set R3-set
R3(config-crypto-map)# match address 100

6) apply the Crypto Map to the interface

Configuration of R1:

R1(config)# int f1/0
R1(config-if)# crypto map R1-map
// apply the Crypto Map on the interface facing the public network

Configuration of R3:

R3(config)# int f2/0
R3(config-if)# crypto map R3-map

Now verify that PC1 can access PC3:

PC1#ping 192.168.2.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.100, timeout is 2 seconds:
!!!!!
// access succeeded (through the virtual private network)
Success rate is 100 percent (5/5), round-trip min/avg/max = 124/136/156 ms

7) configure PAT

Configuration of R1:

R1(config)# access-list 110 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
R1(config)# access-list 110 permit ip any any
// build the NAT ACL: deny the virtual private network traffic so that it is not translated, permit everything else
R1(config)# ip nat inside source list 110 interface f1/0 overload
// translate traffic matched by ACL 110 to the address of the outside interface
R1(config)# int f0/0
R1(config-if)# ip nat inside
R1(config-if)# int f1/0
R1(config-if)# ip nat outside
// set the inside and outside interfaces

PC1 test access PC2:

PC1#ping 50.0.0.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 50.0.0.100, timeout is 2 seconds:
!!!!!
// access succeeded (using the address of the router's outside interface)
Success rate is 100 percent (5/5), round-trip min/avg/max = 92/105/124 ms
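The reason the NAT ACL in step 7 needs the deny line: on Cisco IOS, inside-to-outside NAT is applied before the crypto map is evaluated, so traffic that has already been translated no longer matches the Crypto ACL and would leave in cleartext. The following added Python simulation (not from the original article; its mini ACL parser is hypothetical and assumes contiguous wildcard masks) reproduces that ordering with the ACLs from this case.

```python
from ipaddress import ip_address, ip_network

def wildcard_to_network(addr, wildcard):
    # Cisco wildcard mask to prefix length: 0.0.0.255 means "low 8 bits don't care" (contiguous masks only)
    host_bits = bin(int(ip_address(wildcard))).count("1")
    return ip_network(f"{addr}/{32 - host_bits}", strict=False)

def parse_acl_line(line):
    # Hypothetical mini-parser for "access-list N permit|deny ip SRC WC DST WC" / "any"; not IOS itself
    t = line.split()
    action, i, nets = t[2], 4, []
    for _ in range(2):
        if t[i] == "any":
            nets.append(ip_network("0.0.0.0/0")); i += 1
        else:
            nets.append(wildcard_to_network(t[i], t[i + 1])); i += 2
    return (action, nets[0], nets[1])

def acl_matches(acl, src, dst):
    # First matching entry wins; implicit deny at the end, as in IOS
    for action, s_net, d_net in acl:
        if ip_address(src) in s_net and ip_address(dst) in d_net:
            return action == "permit"
    return False

def forward_outbound(src, dst, nat_acl, crypto_acl, outside_addr="20.0.0.1"):
    # Inside-to-outside order of operations: NAT first, then the crypto map sees the translated packet
    if acl_matches(nat_acl, src, dst):
        src = outside_addr                          # PAT rewrites the source to the outside interface
    encrypted = acl_matches(crypto_acl, src, dst)   # Crypto ACL 100 evaluated on the post-NAT packet
    return src, encrypted                           # (source address on the wire, protected by IPSec?)

# ACLs exactly as configured on R1 in this case
CRYPTO_ACL = [parse_acl_line("access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255")]
NAT_ACL_GOOD = [parse_acl_line("access-list 110 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255"),
                parse_acl_line("access-list 110 permit ip any any")]
NAT_ACL_BAD = NAT_ACL_GOOD[1:]                      # same NAT ACL with the deny line forgotten

def demo():
    pc1, pc2, pc3 = "192.168.1.100", "50.0.0.100", "192.168.2.100"
    return {
        "pc1->pc3 with deny": forward_outbound(pc1, pc3, NAT_ACL_GOOD, CRYPTO_ACL),
        "pc1->pc3 without deny": forward_outbound(pc1, pc3, NAT_ACL_BAD, CRYPTO_ACL),
        "pc1->pc2": forward_outbound(pc1, pc2, NAT_ACL_GOOD, CRYPTO_ACL),
    }
```

With the deny line the PC1 to PC3 packet keeps its private source and is encrypted; without it the packet is translated to 20.0.0.1, misses ACL 100 and is sent unprotected.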

The experiment is complete!

5. Common troubleshooting commands

R1# show crypto isakmp policy
// view the configured ISAKMP negotiation policies
R1# show crypto isakmp sa
// view the state of the management connection SA
R1# show crypto ipsec transform-set
// view the IPSec transform sets
R1# show crypto ipsec security-association lifetime
// view the lifetime used when establishing data connections
R1# show crypto ipsec sa
// view the details of the data connection SAs
R1# show crypto map
// view the Crypto Map information: the name of the crypto map, its ACL, the IP address of the peer, the interface on which the Crypto Map is applied, and so on

Don't forget that the "show run" command is almost omnipotent on Cisco devices!

-this is the end of this article. Thank you for reading-
