
2025-01-29 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

Security Protocol-IPSec (Auto-Negotiate Policy Content)

IPSec is the general term for a family of network security protocols developed by the IETF (Internet Engineering Task Force). It provides both communicating parties with access control, connectionless integrity, data-origin authentication, anti-replay protection, encryption (confidentiality) and limited traffic-flow confidentiality.

IPSec is a security mechanism at the network layer. Because it protects packets at the network layer, upper-layer applications benefit from that protection automatically, even if they implement no security of their own. This dispelled concerns about the security of VPNs (Virtual Private Networks) and made them widely usable.

I. IPSec processing of packets

(1) Adding the authentication header to a packet: the IP packet handed over by the IP module is read from the IPSec queue, the protocol mode (transport or tunnel) is selected according to the configuration, the AH header is added to the packet, and the packet is handed back to the IP layer for forwarding.

(2) Authenticating the packet and removing the authentication header: when the IP layer receives an IP packet, finds that it is addressed to a local address, and sees protocol number 51, it looks up the matching protocol switch table entry and calls the corresponding input processing function. That function compares the authentication value it computes over the packet with the authentication value carried in the packet. If they are equal, the AH header is removed, the original IP packet is restored and passed on to the IP input flow; otherwise the packet is discarded.
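The two AH steps above, as an added example that is not part of the original article: the outbound side prepends an AH header and computes an HMAC-MD5-96 authentication value; the inbound side recomputes it, strips the header on a match and discards the packet otherwise. The IP header itself is left out (the "packet" here is just the AH header plus payload), and the key and payload are constructed.

```python
import hashlib
import hmac
import struct

AH_PROTOCOL = 51          # IP protocol number that dispatches to the AH input function
ICV_LEN = 12              # HMAC-MD5-96: the 128-bit MAC is truncated to 96 bits
AH_LEN = 12 + ICV_LEN     # fixed fields (12 bytes) + ICV

def add_ah(payload: bytes, next_header: int, spi: int, seq: int, key: bytes) -> bytes:
    """Outbound side: prepend an AH header and compute the ICV over header + payload.
    A real implementation also covers the immutable IP header fields; this constructed
    example protects only the AH header and the payload that follows it."""
    # next_header(1) payload_len(1) reserved(2) SPI(4) sequence(4); payload_len is
    # the AH length in 32-bit words minus 2, i.e. 24 / 4 - 2 = 4.
    fixed = struct.pack("!BBHII", next_header, AH_LEN // 4 - 2, 0, spi, seq)
    # The ICV is computed with its own field zeroed.
    icv = hmac.new(key, fixed + b"\x00" * ICV_LEN + payload, hashlib.md5).digest()[:ICV_LEN]
    return fixed + icv + payload

def receive_ah(packet: bytes, key: bytes):
    """Inbound side, as the text describes: recompute the authentication value and compare
    it with the one carried in the packet. Equal -> strip AH and return (next_header,
    payload); otherwise -> discard, signalled here by returning None."""
    if len(packet) < AH_LEN:
        return None                                   # too short to carry an AH header
    fixed, icv, payload = packet[:12], packet[12:AH_LEN], packet[AH_LEN:]
    next_header, payload_len, _, _spi, _seq = struct.unpack("!BBHII", fixed)
    if payload_len != AH_LEN // 4 - 2:
        return None                                   # malformed header length
    expected = hmac.new(key, fixed + b"\x00" * ICV_LEN + payload, hashlib.md5).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):        # constant-time comparison
        return None
    return next_header, payload
```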

II. IPSec configuration consists of:

Create an encryption access control list: whether a packet matches the encryption access control list determines which IP packets are encrypted before being sent and which are forwarded as they are. The data flows that need protection are defined with extended IP access control lists.

Define security proposals: a security proposal records the security protocol and the encryption/authentication algorithms that IPSec is to use, and supplies the security parameters for negotiating an IPSec security association (SA). For the SA negotiation to succeed, both sides must use the same security proposal.

What needs to be configured in a security proposal:

·Choose the security protocol

·Set the encapsulation mode the security protocol applies to IP packets (transport or tunnel)

·Choose the encryption algorithm and authentication algorithm: AH provides no encryption, only packet authentication. ESP in VRP (the platform's main software) supports five encryption algorithms: 3des, des, blowfish, cast and skipjack.

AH and ESP both support two authentication algorithms: MD5 (Message Digest 5) and SHA (Secure Hash Algorithm). MD5 uses a 128-bit key and SHA-1 a 160-bit key; MD5 is faster than SHA-1, while SHA-1 offers higher security than MD5.

The encryption algorithm and authentication algorithm chosen at the two ends of the security tunnel must be the same.

Create security policies: a security policy specifies

·which data is to be protected by IPSec

·how long the security association protecting the data flow is to last

·which security proposal is to be used

·whether the security association is created manually or negotiated through IKE

Apply a security policy group to an interface: for the defined security associations to take effect, a security policy group must be applied on every interface (logical or physical) that sends outbound data to be encrypted or receives inbound data to be decrypted. The interface then encrypts and decrypts packets according to the configured security policy group, in cooperation with the encryption router at the other end. When a security policy group is removed from an interface, that interface no longer has IPSec protection. When a packet is sent out of an interface, the security policies in the group are searched in ascending order of sequence number: if the packet matches the access control list referenced by a security policy, it is processed with that policy; if it does not match, the next security policy is tried; if it matches none of the access control lists referenced by the policies in the group, the packet is sent directly and IPSec does not protect it. Only one security policy group can be applied to an interface, and one security policy group can be applied to only one interface.

Now that we have covered the basics, let us apply them to a small example.

First, note that this case uses multiple channels, that is, two channels.

One ACL corresponds to one security policy, one security protocol corresponds to one security policy, several security policies make up one security policy group, and one security policy group is bound to one port.

So the configuration needs the following records: two ACLs, two security protocols, two security policies, and one security policy group.
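The outbound policy lookup described above (first match by ascending sequence number, otherwise sent in the clear) applied to the two-channel layout of this example, as an added illustration that is not the article's configuration. Addresses, policy names and the interface name are constructed: PC1 sits in 10.1.1.0/24, PC2 in 10.1.2.0/24, PC3 in 10.1.3.0/24.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class AclRule:
    """One permit rule of an extended IP ACL: source/destination prefix, protocol ('ip' = any)."""
    src: str
    dst: str
    protocol: str = "ip"
    def matches(self, pkt: dict) -> bool:
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and self.protocol in ("ip", pkt["proto"]))

@dataclass
class SecurityPolicy:
    seq: int        # sequence number; the group is searched from small to large
    acl: list       # the one ACL this policy references
    proposal: str   # the one security proposal this policy references

class PolicyGroup:
    def __init__(self, name: str):
        self.name, self.policies, self.interface = name, [], None

    def add(self, policy: SecurityPolicy) -> None:
        self.policies.append(policy)
        self.policies.sort(key=lambda p: p.seq)

    def apply_to(self, interface: str) -> None:
        # One policy group per interface, and one interface per policy group.
        if self.interface not in (None, interface):
            raise ValueError(f"{self.name} is already applied to {self.interface}")
        self.interface = interface

    def outbound(self, pkt: dict) -> tuple:
        """First policy whose ACL permits the packet wins; no match means send in the clear."""
        for policy in self.policies:
            if any(rule.matches(pkt) for rule in policy.acl):
                return ("protect", policy.seq, policy.proposal)
        return ("forward-plain",)

def build_two_channel_group() -> PolicyGroup:
    """Two ACLs, two proposals, two policies, one group: the layout of the article's example.
    Addresses are constructed: PC1 in 10.1.1.0/24, PC2 in 10.1.2.0/24, PC3 in 10.1.3.0/24."""
    group = PolicyGroup("ipsec-group")
    group.add(SecurityPolicy(20, [AclRule("10.1.2.0/24", "10.1.3.0/24")], "esp-des-sha1"))
    group.add(SecurityPolicy(10, [AclRule("10.1.1.0/24", "10.1.3.0/24")], "esp-3des-md5"))
    group.apply_to("outbound-interface")  # hypothetical interface name
    return group
```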

Screenshots of the detailed configuration for F1, F2, F3 and Sw1 follow in the original, together with the test results for Pc1 ping pc3 and Pc2 ping pc3.
