Remote-access VPN: Easy VPN

2025-02-24 Update From: SLTechnology News&Howtos


Shulou (Shulou.com) 06/01 Report

1. Problems that Easy VPN has to solve

Phase 1: establish the management connection (the IKE SA)

The peers negotiate the parameters of the management connection (encryption algorithm, hash, authentication method, DH group and lifetime), derive fresh keying material with a Diffie-Hellman exchange, and authenticate each other with the configured method. DH on its own does not authenticate anyone; it is the pre-shared key (or certificate) that binds the exchange to a known peer.

Phase 2: establish the data connections (the IPsec SAs)

Define which traffic between the peers is protected (the crypto ACL), which security protocol protects it (AH or ESP, with the algorithms given in the transform set), and the transmission mode (tunnel or transport).
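To make the Phase 1 key agreement concrete, here is an added Python illustration (it is not code from this article or from any Cisco product) of what "group 2" and "authentication pre-share" mean on the wire: both peers run Diffie-Hellman in Oakley group 2 (the 1024-bit MODP group of RFC 2409) and then derive SKEYID from the pre-shared key and the exchanged nonces, followed by SKEYID_d, SKEYID_a and SKEYID_e as RFC 2409 section 5 specifies, using HMAC-SHA1 as the prf because the policy says "hash sha". The nonce length, the cookie values and the demo pre-shared key are constructed for the example. The point it shows: a peer with the wrong pre-shared key still computes the same DH secret, but ends up with different session keys, so its HASH_I/HASH_R check fails and authentication is refused.

```python
import hashlib
import hmac
import secrets

# RFC 2409 section 6.2, Second Oakley Group: the 1024-bit MODP prime that
# "group 2" selects in a crypto isakmp policy. The generator is 2.
GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
GROUP2_G = 2
P_BYTES = (GROUP2_P.bit_length() + 7) // 8   # 128 bytes for g^xy


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf for a policy with 'hash sha': HMAC-SHA1 (RFC 2409 section 3.2)."""
    return hmac.new(key, data, hashlib.sha1).digest()


class Peer:
    """One IKE peer. Cookie and nonce sizes are constructed demo values."""

    def __init__(self, psk: bytes):
        self.psk = psk
        self.cookie = secrets.token_bytes(8)            # ISAKMP header cookie (CKY)
        self.nonce = secrets.token_bytes(20)            # Ni_b or Nr_b
        self.x = secrets.randbelow(GROUP2_P - 3) + 2    # private exponent in [2, p-2]
        self.ke = pow(GROUP2_G, self.x, GROUP2_P)       # KE payload: g^x mod p

    def dh_secret(self, peer_ke: int) -> bytes:
        """g^xy mod p as a fixed-width big-endian string. Degenerate public
        values (0, 1, p-1) would force a known secret, so they are rejected."""
        if not 1 < peer_ke < GROUP2_P - 1:
            raise ValueError("invalid DH public value")
        return pow(peer_ke, self.x, GROUP2_P).to_bytes(P_BYTES, "big")


def derive_keys(psk: bytes, ni: bytes, nr: bytes, gxy: bytes, cky_i: bytes, cky_r: bytes):
    """RFC 2409 section 5, pre-shared key authentication:
    SKEYID   = prf(pre-shared-key, Ni_b | Nr_b)
    SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0)
    SKEYID_a = prf(SKEYID, SKEYID_d | g^xy | CKY-I | CKY-R | 1)
    SKEYID_e = prf(SKEYID, SKEYID_a | g^xy | CKY-I | CKY-R | 2)"""
    skeyid = prf(psk, ni + nr)
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")
    return skeyid, skeyid_d, skeyid_a, skeyid_e


def phase1(initiator: Peer, responder: Peer):
    """Main-mode messages 3 and 4 carry KE and the nonce in each direction;
    each side then derives the keys locally from its own pre-shared key.
    Returns (DH secrets agree, derived key sets agree)."""
    gxy_i = initiator.dh_secret(responder.ke)
    gxy_r = responder.dh_secret(initiator.ke)
    keys_i = derive_keys(initiator.psk, initiator.nonce, responder.nonce,
                         gxy_i, initiator.cookie, responder.cookie)
    keys_r = derive_keys(responder.psk, initiator.nonce, responder.nonce,
                         gxy_r, initiator.cookie, responder.cookie)
    return gxy_i == gxy_r, keys_i == keys_r


if __name__ == "__main__":
    client, gateway = Peer(b"123456"), Peer(b"123456")
    print("same PSK:", phase1(client, gateway))          # (True, True)
    print("wrong PSK:", phase1(Peer(b"wrong"), gateway))  # (True, False)
```

The 1024-bit group is used here only because that is what the page's policy configures; the modular arithmetic is identical for group 14 and above, which is what a current deployment should negotiate.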

2. Use XAUTH for user authentication

(1) XAUTH

The original IPsec design authenticates devices, not users, so the IETF introduced XAUTH (Extended Authentication) as an Internet-Draft. XAUTH is an extension to IKE that checks a user name and password after the Phase 1 management connection is established and before the Phase 2 data connection is negotiated, which is why it is referred to as "Phase 1.5". User authentication requires the user names and passwords to be stored somewhere: usually either in the local database of the VPN gateway or on an external AAA server.

(2) Definition of AAA

AAA stands for Authentication, Authorization and Accounting. It provides the basic framework for configuring access control on network devices.

Authentication: who is the user?

Verify that the user is who they claim to be, based on the user name, password and other credentials.

Authorization: what can the user do?

After the user is authenticated, specify the permissions, such as the services and resources the user may use.

Accounting: what has the user done?

After authentication and authorization succeed, record the user's operations and resource usage for auditing and billing.

AAA servers are implemented mainly with the RADIUS and TACACS+ protocols.

RADIUS (Remote Authentication Dial-In User Service) is an open standard protocol (RFC 2865), so vendors and users can extend it flexibly with vendor-specific attributes. It combines authentication and authorization in one exchange and encrypts only the password field of the packet.

TACACS+ (Terminal Access Controller Access-Control System Plus) is a proprietary protocol designed by Cisco. It separates authentication, authorization and accounting into distinct exchanges and encrypts the whole packet body, which is why it is usually preferred for device administration.

Enable AAA on the router:

Router(config)# aaa new-model

Note that aaa new-model takes effect immediately on all lines, including the console; create a local user (or define the authentication lists) in the same session so you do not lock yourself out.

3. Group policy

Address pool

A remote-access client is hard to pair with the VPN gateway in a static configuration because the client has no fixed IP address. In this "dynamic" case the best approach is for the VPN device to push an address to each authenticated client, just as a DHCP server would. Because the client's address is assigned by the VPN gateway, the gateway naturally knows which address it is establishing the tunnel with.

DNS and gateway

Like a DHCP server, besides the IP address the VPN gateway also pushes the default gateway and DNS server addresses, so that the client has the IP, gateway and DNS of the intranet and really becomes a member of it.

Shared key

In a remote-access VPN the gateway shares a key with multiple groups of clients, so a different pre-shared key is set for each group. The group key is not pushed by the VPN gateway; the user enters it in the client software on the host, and in practice the company's network administrator does this. The key is therefore stored locally on every client host in the group. Because it is known to every member of the group, it identifies the group rather than the individual user, which is exactly why the per-user check of "Phase 1.5" (XAUTH) exists.

Split tunnel

By default, once the client has established the tunnel with the VPN gateway, all of its traffic is sent through the tunnel to the company network, so the client can reach only what the company network lets it reach and has no direct Internet access of its own. To change this, configure an ACL for the remote-access VPN that defines the intranet destinations to be sent through the tunnel; traffic to everything else leaves the client directly. This is split tunnelling. Keep in mind that a split-tunnelled client is attached to the intranet and the Internet at the same time and its Internet traffic bypasses the company's perimeter controls, so enabling it is a security policy decision rather than just a convenience.

Split DNS

When the client host is connected to the company through the remote-access VPN, even with split tunnelling in place it still uses the company's intranet DNS server (pushed by the gateway) for every lookup, including Internet sites. Resolving Baidu through the intranet resolver on every visit is unnecessary and wastes resources. The reasonable behaviour is to resolve the company's own web servers through the intranet DNS and everything else through the client's normal DNS. Using different DNS servers for different domain names is split DNS: the gateway pushes the list of internal domain names, and the client sends only queries for those domains through the tunnel.
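Both behaviours above come down to two lookups made on the client, shown here as an added Python example (not code from the article or from any Cisco client): the split-tunnel decision matches a destination address against the networks pushed from the split ACL, and the split-DNS decision matches a host name against the pushed internal domains. The ACL syntax parsed is the IOS extended form used in the configuration case later on this page; the addresses used for the Internet host and the client's own resolver are constructed documentation addresses.

```python
import ipaddress


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """An IOS wildcard mask is an inverted netmask (0.0.0.255 -> 255.255.255.0).
    A non-contiguous wildcard cannot be expressed as a prefix, and IPv4Network
    raises on it, which is the right outcome for a split-tunnel list."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)


def parse_split_acl(acl_text: str) -> list:
    """Protected networks from an IOS extended ACL. The Easy VPN server lists the
    networks behind it in the *source* field ("permit ip 192.168.0.0 0.0.0.255 any").
    Deny lines and anything that is not 'permit ip' are ignored."""
    nets = []
    for line in acl_text.splitlines():
        tok = line.split()
        if tok and tok[0].isdigit():          # drop an ACL sequence number
            tok = tok[1:]
        if tok[:2] != ["permit", "ip"] or len(tok) < 4:
            continue
        src = tok[2]
        if src == "any":
            nets.append(ipaddress.IPv4Network("0.0.0.0/0"))
        elif src == "host":
            nets.append(ipaddress.IPv4Network(tok[3] + "/32"))
        else:
            nets.append(wildcard_to_network(src, tok[3]))
    return nets


def goes_through_tunnel(dst: str, protected=None) -> bool:
    """Split tunnel: only destinations inside a protected network are tunnelled.
    With no split ACL pushed (protected is None) the default applies: everything."""
    if protected is None:
        return True
    ip = ipaddress.IPv4Address(dst)
    return any(ip in net for net in protected)


def resolver_for(name: str, split_domains, internal_dns: str, local_dns: str) -> str:
    """Split DNS: a name equal to or under a pushed internal domain goes to the
    intranet resolver; everything else goes to the client's own resolver.
    Matching is on label boundaries, so "notbdqn.com" is not treated as internal."""
    host = name.rstrip(".").lower()
    for dom in split_domains:
        d = dom.rstrip(".").lower()
        if host == d or host.endswith("." + d):
            return internal_dns
    return local_dns


# Constructed sample policy mirroring the configuration case on this page.
SPLIT_ACL = "permit ip 192.168.0.0 0.0.0.255 any"
SPLIT_DOMAINS = ["bdqn.com"]
INTRANET_DNS = "192.168.0.10"   # what the gateway pushes ("dns 192.168.0.10")
LOCAL_DNS = "203.0.113.53"      # the client's normal resolver (assumed address)


def decide(dst_ip: str, name: str):
    """Where a packet to dst_ip goes, and which resolver looks up name."""
    nets = parse_split_acl(SPLIT_ACL)
    return goes_through_tunnel(dst_ip, nets), resolver_for(name, SPLIT_DOMAINS, INTRANET_DNS, LOCAL_DNS)


if __name__ == "__main__":
    print(decide("192.168.0.10", "www.bdqn.com"))    # (True, '192.168.0.10')
    print(decide("203.0.113.10", "www.baidu.com"))   # (False, '203.0.113.53')
```

The label-boundary check in resolver_for is the part most often got wrong in home-grown split-DNS logic; a plain suffix match would send lookups for an attacker-registered "notbdqn.com" to the intranet resolver, or, with the lists reversed, leak internal names to the public one.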

4. Dynamic crypto map

We cannot specify the client's address in a static crypto map on the VPN device, because the client's address is assigned from the gateway's pool and is not fixed. A dynamic crypto map leaves the peer address and the crypto ACL unspecified and has them filled in from the parameters the remote peer proposes during negotiation. A dynamic crypto map therefore requires ISAKMP/IKE negotiation, and the device holding it can only respond to a session, never initiate one. That is why a remote-access VPN gateway usually has both a static and a dynamic crypto map, and why dynamic crypto maps are rarely used for LAN-to-LAN (L2L) sessions, where only the side with the static configuration could bring the tunnel up.

When implementing a remote-access VPN the transform set is usually configured first, because it has nothing to do with the peer's IP address and can be applied directly to the dynamic crypto map. Only one crypto map can be applied to an interface, and the VPN gateway must have a static crypto map, so the dynamic crypto map is referenced from an entry of the static crypto map and the static crypto map is then applied to the interface.

5. Configuration case

1. Configure IP addresses and a default route on every device except R4.

The client is a host bridged to the lab network that runs the 64-bit VPN client program.

For example, the R3 configuration:

R3(config)# int f0/0
R3(config-if)# ip add 192.168.0.10 255.255.255.0
R3(config-if)# no shutdown
R3(config-if)# exit
R3(config)# ip route 0.0.0.0 0.0.0.0 192.168.0.1

R1 configuration:

The AAA configuration is as follows:

R1(config)# aaa new-model
R1(config)# aaa authentication login bdqn-authen local
R1(config)# aaa authorization network bdqn-author local
R1(config)# username bdqn secret cisco   // create the XAUTH user; secret stores the password as a hash

Phase 1 is configured as follows. 3DES, SHA-1 and DH group 2 are the legacy choices this lab uses; on current platforms prefer AES (encryption aes 256), SHA-2 (hash sha256) and a 2048-bit or larger DH group (group 14 or higher), after checking that the client you deploy can negotiate them.

R1(config)# crypto isakmp policy 10
R1(config-isakmp)# encryption 3des
R1(config-isakmp)# hash sha
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# group 2
R1(config-isakmp)# exit

Phase 1.5 is configured as follows:

R1(config)# ip local pool bdqn-pool 192.168.1.200 192.168.1.210   // create the address pool
R1(config)# ip access-list extended split-acl
R1(config-ext-nacl)# permit ip 192.168.0.0 0.0.0.255 any   // intranet networks that the client reaches through the tunnel
R1(config-ext-nacl)# exit

Create the group policy as follows:

R1(config)# crypto isakmp client configuration group test-group
R1(config-isakmp-group)# key 123456   // the group pre-shared key
R1(config-isakmp-group)# pool bdqn-pool
R1(config-isakmp-group)# dns 192.168.0.10
R1(config-isakmp-group)# acl split-acl   // split tunnel
R1(config-isakmp-group)# split-dns bdqn.com   // split DNS
R1(config-isakmp-group)# exit

Configure the dynamic map:

R1(config)# crypto ipsec transform-set bdqn-set esp-3des esp-sha-hmac
R1(cfg-crypto-trans)# exit
R1(config)# crypto dynamic-map bdqn-dymap 1
R1(config-crypto-map)# set transform-set bdqn-set
R1(config-crypto-map)# exit
R1(config)# crypto map bdqn-stamap 1000 ipsec-isakmp dynamic bdqn-dymap
R1(config)# crypto map bdqn-stamap client authentication list bdqn-authen
R1(config)# crypto map bdqn-stamap isakmp authorization list bdqn-author
R1(config)# crypto map bdqn-stamap client configuration address respond   // the gateway answers the client's address request, so the client must initiate
R1(config)# int f0/1
R1(config-if)# crypto map bdqn-stamap   // apply to the outside interface

Crypto map names are case-sensitive, so every line must use bdqn-stamap spelled the same way; a differently capitalised name silently creates a second, empty map.
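The policy and transform set above use 3DES, SHA-1 and DH group 2, which are legacy choices: 3DES has a 64-bit block (Sweet32), SHA-1 is deprecated for new use, and 1024-bit DH is below current minimums. As an added example that is not part of the article, the following Python script audits an IOS configuration excerpt for these settings and for the silent defaults a policy receives when an attribute is omitted (the classic IOS command reference documents DES, SHA-1 and group 1 as those defaults; confirm on your platform with show crypto isakmp policy). The sample text is the R1 configuration above with the prompts removed; the hardened variant is an assumption about what to move to, not something the article configures.

```python
import re

# Algorithms that still appear in old Easy VPN examples but are legacy today.
LEGACY = {
    "encryption": {"des": "56-bit DES", "3des": "3DES (64-bit block, Sweet32)"},
    "hash": {"md5": "MD5", "sha": "SHA-1"},
    "group": {"1": "768-bit DH group 1", "2": "1024-bit DH group 2", "5": "1536-bit DH group 5"},
}
LEGACY_TRANSFORMS = {"esp-null", "esp-des", "esp-3des", "esp-md5-hmac",
                     "esp-sha-hmac", "ah-md5-hmac", "ah-sha-hmac"}
# Values classic IOS applies when a policy block leaves an attribute out
# (assumed from the crypto isakmp policy documentation; verify on your platform).
ISAKMP_DEFAULTS = {"encryption": "des", "hash": "sha", "group": "1"}
RECOMMENDED = {"encryption": "aes 256", "hash": "sha256", "group": "14 or higher",
               "transform-set": "esp-aes 256 esp-sha256-hmac"}


def _close_policy(name, seen, findings):
    """A policy block has ended: fill in defaults, then report legacy values."""
    for attr, default in ISAKMP_DEFAULTS.items():
        seen.setdefault(attr, default)
    for attr, value in seen.items():
        if value in LEGACY[attr]:
            findings.append((name, f"{attr} {value}",
                             f"legacy {LEGACY[attr][value]}; use {RECOMMENDED[attr]}"))


def audit_config(config_text: str) -> list:
    """Return (where, setting, reason) findings for an IOS config excerpt."""
    findings, policy, seen = [], None, {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            if policy:
                _close_policy(policy, seen, findings)
            policy, seen = f"isakmp policy {m.group(1)}", {}
            continue
        if policy:
            m = re.match(r"(encryption|hash|group)\s+(\S+)", line)
            if m:
                seen[m.group(1)] = m.group(2)   # "aes 256" records "aes", which is fine
                continue
            if line == "exit" or not re.match(r"(authentication|lifetime)\b", line):
                _close_policy(policy, seen, findings)   # left ISAKMP policy mode
                policy, seen = None, {}
                if line == "exit":
                    continue
        m = re.match(r"crypto ipsec transform-set (\S+)\s+(.+)$", line)
        if m:
            for t in m.group(2).split():
                if t in LEGACY_TRANSFORMS:
                    findings.append((f"transform-set {m.group(1)}", t,
                                     f"legacy transform; use {RECOMMENDED['transform-set']}"))
    if policy:
        _close_policy(policy, seen, findings)
    return findings


# The R1 configuration from this page, prompts stripped.
R1_CONFIG = """
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
 exit
crypto ipsec transform-set bdqn-set esp-3des esp-sha-hmac
"""

# Assumed hardened equivalent (not from the article).
HARDENED_CONFIG = """
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 exit
crypto ipsec transform-set bdqn-set esp-aes 256 esp-sha256-hmac
"""

# The trap: a policy that sets only the authentication method inherits
# DES / SHA-1 / group 1 without anything appearing in the config.
DEFAULTS_TRAP = """
crypto isakmp policy 20
 authentication pre-share
 exit
"""

if __name__ == "__main__":
    for name, cfg in (("R1", R1_CONFIG), ("hardened", HARDENED_CONFIG), ("trap", DEFAULTS_TRAP)):
        print(name, audit_config(cfg))
```

The same checks apply to the ASA configuration later on this page, which negotiates the identical 3DES / SHA-1 / group 2 policy and transform set.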

Install the VPN client

Fill in the first two boxes (connection entry and description) with anything you like.

In the third box enter the IP address of R1's outside interface.

Under group authentication enter the group name and group key from the group policy (test-group and 123456), typing the key twice.

When the client prompts for XAUTH, enter the AAA user name and password (bdqn and cisco).

Ping from the virtual machine to verify. On R1, show crypto isakmp sa and show crypto ipsec sa confirm that the Phase 1 and Phase 2 SAs are up.

If R1 is replaced with a firewall (ASA)

All other configuration is the same.

Configure the firewall as follows:

On the external interface: nameif outside

On the internal interface: nameif inside

ciscoasa(config)# route outside 0 0 200.0.0.2   // default route on the firewall

ciscoasa(config)# username bdqn password 123456
ciscoasa(config)# crypto isakmp enable outside
ciscoasa(config)# crypto isakmp policy 10
ciscoasa(config-isakmp-policy)# encryption 3des
ciscoasa(config-isakmp-policy)# hash sha
ciscoasa(config-isakmp-policy)# authentication pre-share
ciscoasa(config-isakmp-policy)# group 2
ciscoasa(config-isakmp-policy)# exit
ciscoasa(config)# ip local pool bdqn-pool 192.168.1.200-192.168.1.210
ciscoasa(config)# access-list split-acl permit ip 192.168.0.0 255.255.255.0 any
ciscoasa(config)# group-policy test-group internal
ciscoasa(config)# group-policy test-group attributes
ciscoasa(config-group-policy)# split-tunnel-policy tunnelspecified
ciscoasa(config-group-policy)# split-tunnel-network-list value split-acl
ciscoasa(config-group-policy)# dns-server value 192.168.0.10   // same DNS push as on R1; missing from the original listing
ciscoasa(config-group-policy)# split-dns value bdqn.com   // same split DNS as on R1; missing from the original listing
ciscoasa(config-group-policy)# exit
ciscoasa(config)# tunnel-group bdqn-group type ipsec-ra
ciscoasa(config)# tunnel-group bdqn-group general-attributes
ciscoasa(config-tunnel-general)# default-group-policy test-group
ciscoasa(config-tunnel-general)# address-pool bdqn-pool   // binds the pool to the tunnel group; without it clients get no address
ciscoasa(config-tunnel-general)# exit
ciscoasa(config)# tunnel-group bdqn-group ipsec-attributes
ciscoasa(config-tunnel-ipsec)# pre-shared-key bdqn-key
ciscoasa(config-tunnel-ipsec)# exit
ciscoasa(config)# crypto ipsec transform-set bdqn-set esp-3des esp-sha-hmac
ciscoasa(config)# crypto dynamic-map bdqn-dymap 1 set transform-set bdqn-set
ciscoasa(config)# crypto map bdqn-stamap 1000 ipsec-isakmp dynamic bdqn-dymap
ciscoasa(config)# crypto map bdqn-stamap interface outside

On the ASA the group name the client enters is the tunnel-group name (bdqn-group) and the group key is bdqn-key; the XAUTH user is bdqn with password 123456 from the local database, which the ipsec-ra tunnel group uses by default.
