
Cisco router IPSec virtual private network (including related knowledge points and

2025-01-28 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

Blog outline:

1. Related concepts of virtual private networks
2. Basic concepts of IPSec virtual private networks
3. The establishment process of ISAKMP/IKE phase 1 and phase 2
4. Configuration and implementation of an IPSec virtual private network
5. Summary

I. Related concepts of virtual private networks

1. Definition of virtual private network

A virtual private network is a protected connection between two network entities. To the two ends it behaves like a direct point-to-point link, although they are usually far apart and the traffic actually crosses a shared network.

The word "protected" in the definition covers three things:

Confidentiality: encryption prevents the data from being read by an eavesdropper.
Integrity: an integrity check detects data that has been corrupted or tampered with in transit.
Authentication and anti-replay: an authentication mechanism confirms the identity of the communicating peer, and sequence numbers prevent captured traffic from being replayed.

In addition, a VPN technology has to define: which traffic needs to be protected, the mechanism by which the data is protected, and how the data is encapsulated.

A VPN solution in a real production environment does not necessarily provide all of these functions; what is used depends on the requirements of the environment and on the implementation, and many enterprises run more than one VPN solution.

2. Encapsulation modes of a virtual private network

IPSec has two encapsulation modes: transport mode and tunnel mode.

(1) Transport mode:

In transport mode the original IP header is kept and is not encapsulated, so packets travel end to end with the original source and destination addresses. Only the payload behind the IP header (the transport-layer segment) is placed inside the IPSec message, and for most IPSec deployments that encapsulation is where the encryption happens. A third party therefore cannot read the payload, but can clearly see the addresses of both communicating hosts.

Because the encapsulation structure of transport mode is simple, its overhead is low. It is used when the two ends of the secured connection are the communicating hosts themselves (host-to-host protection) rather than gateways protecting traffic on behalf of other hosts.

(2) Tunnel mode:

In tunnel mode the VPN device encapsulates the entire layer-3 packet (original IP header and payload) inside the IPSec message and then prepends a new IP header. The new header carries the addresses of the VPN devices, so a third party that intercepts the data can neither read the actual payload nor learn the addresses of the real communicating hosts. The original diagram is not reproduced here; the encapsulated packet has this layout:

[ new IP header (gateway to gateway) ][ AH / ESP header ][ original IP header ][ original payload ]

Because tunnel mode has clear advantages in security and flexibility, it is the mode used in most enterprise environments: communication between a head office and its branches across a wide area network, mobile users on the public network reaching company-internal resources, and so on.

3. Types of virtual private networks

Virtual private networks are generally divided into two types: site-to-site and remote access.

(1) Site-to-site VPN:

A site-to-site VPN protects the traffic between two or more sites in tunnel mode between the VPN gateways. The traffic between sites is often called LAN-to-LAN (L2L) traffic. L2L VPNs are mostly used to carry business data between a head office and its branches, or between branches, over the public network, and they typically protect the traffic of specific network segments rather than individual hosts.

(2) Remote access VPN:

A remote access VPN is used for the connection between a single user device and a VPN gateway; the user device is typically a PC or a small office network. Remote access requires a higher level of protection and is therefore more suited to tunnel mode.

To communicate in tunnel mode, the remote access client needs two IP addresses: the address of its own network interface and an intranet address assigned by the gateway. During establishment the remote client therefore plays both roles: it is the VPN gateway (using its own interface address in the outer header) and the end user (using the intranet address in the inner header).

The theory that VPN technology relies on is summarised below; consult the relevant material if you want the details:

1. Encryption algorithms

Symmetric algorithms (DES, 3DES, AES, etc.) and asymmetric algorithms (RSA, DSA, DH, etc.). Of the asymmetric algorithms, the first two are commonly used for authentication (digital signatures), and DH is used by the Internet Key Exchange (IKE) protocol in IPSec to agree on keys.

2. Data message verification

Message verification covers two aspects: data origin authentication and message integrity. VPN technology usually provides both with an HMAC, a keyed hash.

The two hash algorithms commonly used in HMAC are MD5 and SHA.

II. Basic concepts of IPSec virtual private networks

IPSec is currently the most widely used technology for building VPNs, so understanding how an IPSec connection is established is particularly important for locating problems quickly at work.

1. IPSec connection process:

The connection process for IPSec has three steps:

1. Traffic triggers IPSec
2. Establish a management connection
3. Establish a data connection

(1) Traffic triggers IPSec

In short, an ACL identifies which traffic needs to be "protected". More specifically, the IPSec establishment process is triggered by traffic sent between the peers: once traffic that matches the VPN definition passes through the VPN gateway, connection setup begins (the connection can also be brought up manually). Before configuring the device for this step, you therefore need to know which traffic needs protecting.

(2) establish a management connection

IPSec uses ISAKMP/IKE phase 1 to build a secure management connection. Note that this management connection is only preparatory work and is not used to transfer actual data. Before configuring the device for this step, you need to decide how the devices authenticate each other, which encryption and hash algorithms to use, which DH group to use, and so on.

(3) establish a data connection

IPSec then negotiates the secure data connection over the management connection; ISAKMP/IKE phase 2 performs this task. The data connection carries the real user data. Before configuring the device for this step, you need to specify which security protocol to use (AH or ESP), the encryption and authentication algorithms for that protocol, and the encapsulation mode (tunnel or transport).

Once these three steps are complete, VPN traffic is encrypted and decrypted according to the negotiated results. The VPN is not a one-time affair, however: both the management connection and the data connection have a lifetime. When the lifetime expires the connection is torn down and, if VPN data still needs to be transferred, renegotiated with fresh keys. This design is a security measure: it limits how much traffic is ever protected by one key.

IPSec is a security feature and not all Cisco devices support it: the feature set in the IOS image name must include K8 or K9 (for example an image name containing "k9", such as the "adventerprisek9" feature set). The screenshot from the original is not reproduced here.

III. The establishment process of ISAKMP/IKE phase 1 and phase 2

1. ISAKMP/IKE phase 1

(1) Concepts of phase 1 (bidirectional):

Phase 1 has two exchange modes: main mode and aggressive mode. Aggressive mode is faster than main mode; main mode is more secure than aggressive mode, because it completes the DH exchange before the identities are sent and so can encrypt them. The configuration below uses main mode.

Regardless of whether the type of virtual private network is site-to-site or remote access, you need to complete three tasks:

Negotiate how to establish a management connection.

Share the key information through the DH algorithm.

Peers authenticate each other.

In main mode these three tasks are accomplished with six packets: the first two negotiate which security policy to use for the management connection between the peers (the ISAKMP/IKE transform set is exchanged); the middle two carry the DH public values and nonces from which the keys required by the encryption algorithm and the HMAC function are generated; and the last two authenticate the peers, here with pre-shared keys. Note that the first four messages are sent in plaintext and the last two are encrypted: the keys derived from the first four packets are used to encrypt the fifth and sixth packets and all subsequent traffic on the management connection.

(2) ISAKMP/IKE stage 1 establishment process:

1) Exchange the ISAKMP/IKE transform sets

The ISAKMP/IKE transform set is the set of security policies used to protect the management connection; it is also called the IKE policy or ISAKMP policy.

It mainly covers the following:

Encryption algorithm: DES, 3DES or AES (AES is generally used, being the strongest of the three).
HMAC function: MD5 or SHA-1 (SHA-1 is generally used, again for strength).
Device authentication type: pre-shared key or RSA signatures (pre-shared keys are used here because they are easier to configure).
DH key group: Cisco supports groups 1, 2, 5 and 7 (Cisco routers do not support group 7). Newer IOS versions also offer groups 14 and above, which should be preferred where available, since group 2 is only a 1024-bit group.
Lifetime of the management connection.

2) implement key exchange through DH algorithm

The previous step only negotiates the security policy for the management connection; the shared keying material itself is generated and exchanged with the DH algorithm, so that an eavesdropper who sees both public values still cannot compute the shared secret.

3) Authenticate the devices to each other

The most common device authentication method is the pre-shared key: the key is shared out-of-band between the peers and stored locally on each device. Authentication can in principle be done with an encryption algorithm or with an HMAC function; encryption is rarely used for this, and in most cases the proof is an HMAC over the exchanged values, keyed with material derived from the pre-shared key.
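The arithmetic behind the three phase-1 tasks above, as an added example that is not part of the original post. It implements the key derivation and pre-shared-key authentication of IKEv1 main mode from RFC 2409 in Python: DH group 2 for the middle two messages, SKEYID derived from the pre-shared key and both nonces, and HASH_I/HASH_R for messages 5 and 6. Cookies, nonces and the SA/ID payload bytes are constructed placeholders; the peer addresses 200.0.0.1 and 201.0.0.2 and the key 2019.com are taken from the configuration later in the article.

```python
"""IKEv1 (RFC 2409) main mode with a pre-shared key, reduced to the arithmetic.
Added example, not from the original post.  Messages 3/4 carry the DH public
values (group 2, the 1024-bit MODP prime of RFC 2409) and nonces; messages 5/6
carry HASH_I and HASH_R, HMACs keyed with SKEYID, which is derived from the
pre-shared key and both nonces.  A peer holding a different PSK derives a
different SKEYID, so its HASH fails verification.  Cookies, nonces and the
SA/ID payload bytes below are constructed placeholders."""
import hmac
import hashlib
import secrets

# RFC 2409 section 6.2, "Second Oakley Group" (DH group 2), generator 2.
GROUP2_PRIME = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
GROUP2_GENERATOR = 2

def prf(key: bytes, data: bytes) -> bytes:
    """The IKE prf for 'hash sha': HMAC-SHA1 (RFC 2409 section 4)."""
    return hmac.new(key, data, hashlib.sha1).digest()

def dh_keypair():
    """Private exponent x and public value g^x mod p for group 2."""
    x = secrets.randbits(320)
    return x, pow(GROUP2_GENERATOR, x, GROUP2_PRIME)

def to_bytes(n: int) -> bytes:
    return n.to_bytes(128, "big")  # group 2 values are 1024 bits

def derive_keys(psk, ni, nr, gxy, cky_i, cky_r):
    """SKEYID and its three derivatives (RFC 2409 section 5 and 5.4)."""
    skeyid = prf(psk, ni + nr)                              # pre-shared key variant
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")   # feeds phase-2 keys
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")  # ISAKMP integrity
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")  # ISAKMP encryption
    return skeyid, skeyid_d, skeyid_a, skeyid_e

def hash_i(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idii_b):
    return prf(skeyid, gxi + gxr + cky_i + cky_r + sai_b + idii_b)

def hash_r(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idir_b):
    return prf(skeyid, gxr + gxi + cky_r + cky_i + sai_b + idir_b)

def main_mode(psk_initiator: bytes, psk_responder: bytes) -> dict:
    """Run the phase-1 computation for both peers, each with its own copy of the
    PSK, and report whether they authenticate each other."""
    # Messages 1/2: cookies and the proposal (SAi_b), sent in clear.
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)
    sai_b = bytes.fromhex("0000000100000001")            # constructed SA payload body
    # Messages 3/4: DH public values and nonces, still in clear.
    xi, gxi = dh_keypair()
    xr, gxr = dh_keypair()
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    # Each side combines its private exponent with the peer's public value.
    gxy_i = to_bytes(pow(gxr, xi, GROUP2_PRIME))
    gxy_r = to_bytes(pow(gxi, xr, GROUP2_PRIME))
    keys_i = derive_keys(psk_initiator, ni, nr, gxy_i, cky_i, cky_r)
    keys_r = derive_keys(psk_responder, ni, nr, gxy_r, cky_i, cky_r)
    # Messages 5/6: identities plus HASH_I / HASH_R, encrypted under SKEYID_e.
    idii_b = b"\x01\x00\x00\x00" + bytes([200, 0, 0, 1])   # ID_IPV4_ADDR 200.0.0.1
    idir_b = b"\x01\x00\x00\x00" + bytes([201, 0, 0, 2])   # ID_IPV4_ADDR 201.0.0.2
    gi, gr = to_bytes(gxi), to_bytes(gxr)
    sent_hash_i = hash_i(keys_i[0], gi, gr, cky_i, cky_r, sai_b, idii_b)
    sent_hash_r = hash_r(keys_r[0], gi, gr, cky_i, cky_r, sai_b, idir_b)
    # The responder recomputes HASH_I with *its* SKEYID, the initiator HASH_R with its own.
    expected_i = hash_i(keys_r[0], gi, gr, cky_i, cky_r, sai_b, idii_b)
    expected_r = hash_r(keys_i[0], gi, gr, cky_i, cky_r, sai_b, idir_b)
    return {
        "dh_agrees": gxy_i == gxy_r,
        "responder_accepts_initiator": hmac.compare_digest(sent_hash_i, expected_i),
        "initiator_accepts_responder": hmac.compare_digest(sent_hash_r, expected_r),
        "same_skeyid_e": keys_i[3] == keys_r[3],
    }

if __name__ == "__main__":
    print("matching PSK:  ", main_mode(b"2019.com", b"2019.com"))
    print("mismatched PSK:", main_mode(b"2019.com", b"2O19.com"))
```

Note what the second run shows: the DH shared secret still agrees (DH does not involve the PSK at all), but every SKEYID-derived value differs, so both HASH checks fail and the peers would also be unable to decrypt each other's message 5/6. That is the "mismatched pre-shared key" failure seen in practice.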

2. ISAKMP/IKE phase 2

(1) Concepts of phase 2 (unidirectional):

ISAKMP/IKE phase 2 establishes the data connection between the two IPSec peers and accomplishes the following tasks:

Define which traffic between the peers needs to be protected (matched with an ACL).
Define the security protocol used to protect the data.
Define the encapsulation mode.
Define the lifetime of the data connection and how its keys are refreshed.

(2) ISAKMP/IKE phase 2 establishment process:

1) Security association

IPSec needs to establish a logical connection between the two peers; this connection is called a security association (SA). It exists because IPSec adds connection state on top of IP, which is itself connectionless, before traffic can be secured. An SA is a one-way relationship between a source and a destination; a bidirectional connection therefore needs two SAs, one in each direction.

An SA is identified by three elements:

Security Parameter Index (SPI): uniquely identifies the SA.
Security protocol type: IPSec defines two, AH (Authentication Header) and ESP (Encapsulating Security Payload).
Destination IP address.

Because of this, the data connection negotiated in ISAKMP/IKE phase 2 actually consists of two one-way SAs. Both are negotiated at the same time and protected in the same way (same algorithms and mode), so in practice the pair looks like a single bidirectional connection and its one-way nature is easy to overlook.

2) Transform set of ISAKMP/IKE phase 2:

The transform set of a data connection defines how the data connection is protected. As with the management connection, a peer can hold one or more transform sets, but their contents are completely different from those of the ISAKMP policy.

The transform set for a data connection consists of:

Security protocol: AH, ESP, or both.
Encapsulation mode: tunnel mode or transport mode.
Encryption (ESP only): DES, 3DES, AES-128, AES-192, AES-256, or no encryption (ESP-NULL).
Integrity/authentication: HMAC-MD5 or HMAC-SHA-1.

Details of the individual encryption and authentication algorithms are left to other material; the encapsulation modes are the two described at the beginning of the article.

3) ISAKMP/IKE phase 2 security protocols

The IPSec data connection is protected by one of two security protocols, AH or ESP. Encryption and authentication can be provided by one protocol alone (ESP), or both protocols can be applied together. AH uses IP protocol number 51; ESP uses IP protocol number 50.

AH provides the following security services:

Data integrity, data origin authentication, and anti-replay protection.

AH protects the entire packet, including the IP header, except for mutable fields such as the TTL that change legitimately in transit.

AH only authenticates; it provides no form of encryption. Because its integrity check covers the IP header, including the addresses, it cannot be used across NAT or PAT: rewriting an address invalidates the check.

ESP is defined in RFC 2406 (AH in RFC 2402; both were later revised as RFC 4303 and RFC 4302). ESP differs from AH as follows:

ESP encrypts the user data. ESP's integrity check covers only the ESP header and payload, not the outer IP header.

Therefore, if a third party changes the IP header, ESP cannot detect it. NAT, which also rewrites the outer IP header, is for the same reason compatible with ESP while AH never is. ESP does not traverse PAT by default, however: PAT needs to rewrite the transport-layer port, but in ESP the transport header is encrypted, so PAT has nothing it can modify. NAT traversal (NAT-T) solves this by wrapping the ESP packet in an additional UDP header (port 4500) whose ports the PAT device can rewrite freely.
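An added example (not code from the original post) that makes the AH/ESP difference concrete, and that also shows the (SPI, protocol, destination) SA lookup from the security association section above. It builds both encapsulations in Python with HMAC-SHA1-96 as the integrity algorithm, then applies a NAT rewrite and an ordinary TTL decrement to the outer header and checks which integrity values still verify. ESP is shown with NULL encryption so the example needs only the standard library; keys, SPIs, addresses and the TCP payload are constructed.

```python
"""AH versus ESP integrity coverage, and why NAT breaks one but not the other.
Added example, not from the original post.  Builds an IPv4 packet, protects it
once with AH (IP protocol 51) and once with ESP (IP protocol 50) using
HMAC-SHA1-96 as the integrity algorithm, then replays what a NAT device and an
ordinary router hop do to the outer header and checks which ICVs still verify.
ESP is shown with NULL encryption so only the standard library is needed; with
esp-aes the ICV coverage is identical, the payload is simply ciphertext.  Keys,
SPIs, addresses and the TCP payload are constructed placeholders."""
import hmac, hashlib, socket, struct

IPPROTO_ESP, IPPROTO_AH, IPPROTO_TCP = 50, 51, 6
ICV_LEN = 12  # HMAC-SHA1-96: the 20-byte tag truncated to 96 bits

def ip_checksum(hdr):
    s = sum(struct.unpack("!10H", hdr[:20]))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    h = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                    ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return h[:10] + struct.pack("!H", ip_checksum(h)) + h[12:]

def icv(key, data):
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]

# AH (RFC 4302): the ICV covers the IP header with its mutable fields zeroed.
def ah_immutable_view(ip_hdr):
    h = bytearray(ip_hdr)
    h[1] = 0; h[6:8] = b"\0\0"; h[8] = 0; h[10:12] = b"\0\0"   # TOS, flags/frag, TTL, checksum
    return bytes(h)

def ah_protect(key, src, dst, spi, seq, inner_proto, payload):
    ah_len = 12 + ICV_LEN
    ip_hdr = ipv4_header(src, dst, IPPROTO_AH, ah_len + len(payload))
    # next header, payload length in 32-bit words minus 2, reserved, SPI, sequence number
    fixed = struct.pack("!BBHII", inner_proto, ah_len // 4 - 2, 0, spi, seq)
    tag = icv(key, ah_immutable_view(ip_hdr) + fixed + bytes(ICV_LEN) + payload)
    return ip_hdr + fixed + tag + payload

def ah_verify(key, pkt):
    ip_hdr, fixed, tag, payload = pkt[:20], pkt[20:32], pkt[32:32 + ICV_LEN], pkt[32 + ICV_LEN:]
    expected = icv(key, ah_immutable_view(ip_hdr) + fixed + bytes(ICV_LEN) + payload)
    return hmac.compare_digest(tag, expected)

# ESP (RFC 4303): the ICV covers SPI, sequence number and the (encrypted) payload only.
def esp_protect(key, src, dst, spi, seq, inner_proto, payload):
    pad_len = -(len(payload) + 2) % 4                      # align the trailer to 4 bytes
    body = payload + bytes(range(1, pad_len + 1)) + bytes([pad_len, inner_proto])
    esp = struct.pack("!II", spi, seq) + body              # NULL encryption: body stays plaintext
    esp += icv(key, esp)
    return ipv4_header(src, dst, IPPROTO_ESP, len(esp)) + esp

def esp_verify(key, pkt):
    esp = pkt[20:]
    return hmac.compare_digest(esp[-ICV_LEN:], icv(key, esp[:-ICV_LEN]))

# What the network does to the outer header on the way.
def rewrite_src(pkt, new_src):
    """Source NAT/PAT on the outer header, as R2 would do to the gateways' packets."""
    return ipv4_header(new_src, socket.inet_ntoa(pkt[16:20]), pkt[9], len(pkt) - 20, pkt[8]) + pkt[20:]

def decrement_ttl(pkt):
    """An ordinary router hop: only TTL and checksum change."""
    return ipv4_header(socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]), pkt[9],
                       len(pkt) - 20, pkt[8] - 1) + pkt[20:]

def sa_lookup(sad, pkt):
    """Inbound SA selection by (SPI, protocol, destination address), the triple in the text."""
    proto, dst = pkt[9], socket.inet_ntoa(pkt[16:20])
    spi_off = 24 if proto == IPPROTO_AH else 20            # AH puts the SPI after next-hdr/len/reserved
    return sad.get((struct.unpack("!I", pkt[spi_off:spi_off + 4])[0], proto, dst))

def demo():
    key = b"\x11" * 20
    tcp = b"constructed TCP segment 192.168.1.1:40000 -> 192.168.2.1:80"
    ah = ah_protect(key, "200.0.0.1", "201.0.0.2", 0x1001, 1, IPPROTO_TCP, tcp)
    esp = esp_protect(key, "200.0.0.1", "201.0.0.2", 0x2002, 1, IPPROTO_TCP, tcp)
    sad = {(0x1001, IPPROTO_AH, "201.0.0.2"): key, (0x2002, IPPROTO_ESP, "201.0.0.2"): key}
    natted_ah, natted_esp = rewrite_src(ah, "203.0.113.7"), rewrite_src(esp, "203.0.113.7")
    return {
        "ah_ok": ah_verify(sa_lookup(sad, ah), ah),
        "ah_after_hop": ah_verify(sa_lookup(sad, ah), decrement_ttl(ah)),
        "ah_after_nat": ah_verify(sa_lookup(sad, natted_ah), natted_ah),
        "esp_ok": esp_verify(sa_lookup(sad, esp), esp),
        "esp_after_nat": esp_verify(sa_lookup(sad, natted_esp), natted_esp),
        "unknown_spi_has_no_sa": sa_lookup(sad, esp[:20] + struct.pack("!I", 0x9999) + esp[24:]) is None,
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The TTL decrement leaves AH intact because TTL and checksum are among the mutable fields AH zeroes before hashing; the NAT rewrite of the source address breaks AH and leaves ESP untouched, which is exactly the compatibility difference described above. With real ESP encryption the TCP ports inside the payload would be unreadable to a PAT device, which is why NAT-T's outer UDP header is needed in that case.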

IV. Configuration and implementation of an IPSec virtual private network

The theory above takes some patience; now for an actual configuration.

The network environment is as follows (the original diagram is not reproduced; the topology is reconstructed from the configuration below, and R3's inside address is an assumption because the text does not state it):

PC1 (192.168.1.1/24, gateway 192.168.1.254) -- f1/0 R1 f0/0 (200.0.0.1/24) -- (200.0.0.2) R2 (201.0.0.1) -- (201.0.0.2/24) f0/0 R3 f1/0 (192.168.2.254/24, assumed) -- PC2 (192.168.2.0/24)

Environment analysis:

1. The head office intranet uses 192.168.1.0/24 and the branch uses 192.168.2.0/24. R2 is a router on the public network. R1 and R3 are the gateway routers of the head office and the branch respectively, so each must have a default route pointing to the public network.

2. The VPN is established between the head office intranet and the branch intranet. If nothing else is configured, this would interfere with the intranet's access to the Internet. In general it should be possible both to run the VPN and to reach the Internet, so this has to be solved as well.

Requirements:

1. Provide connectivity between the head office segment 192.168.1.0/24 and the branch segment 192.168.2.0/24 through the VPN, without affecting either segment's access to the public network (represented by R2), which is provided by PAT (port multiplexing). No routes are configured on R2, so it knows nothing about 192.168.1.0/24 or 192.168.2.0/24.

Start the configuration:

1. Configure the interface addresses and enable the interfaces (not detailed here). The format is:

Router interface IP address

R1# conf t
R1(config)# int f0/0
R1(config-if)# ip add 200.0.0.1 255.255.255.0
R1(config-if)# no sh

PC IP address in the GNS3 simulator (VPCS)

PC1> ip 192.168.1.1 192.168.1.254

The two arguments are the PC's address and its default gateway; VPCS assumes a /24 mask when none is given.

2. Configure the R1 router:

! Default route toward the public network
R1(config)# ip route 0.0.0.0 0.0.0.0 200.0.0.2

! ISAKMP policy, i.e. the management connection. The policy number is its
! priority: range 1-10000, the lower the number the higher the priority.
R1(config)# crypto isakmp policy 1
R1(config-isakmp)# encryption aes
R1(config-isakmp)# hash sha
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# group 2
R1(config-isakmp)# lifetime 10000
R1(config-isakmp)# exit
! "encryption" is the encryption algorithm, "hash" the hash algorithm used by the
! HMAC, "authentication pre-share" declares pre-shared-key authentication,
! "group 2" the DH group, and "lifetime" (optional) the management connection
! lifetime in seconds; the default is 86400 s (24 hours).

! Pre-shared key, bound to the peer's public address. The digit after "key" is
! the key type: 0 means a plaintext key follows, 6 a type-6 (AES-encrypted) string.
R1(config)# crypto isakmp key 6 2019.com address 201.0.0.2

! Data connection: traffic to protect, transform set and crypto map.
! "test-set" and "test-map" are arbitrary names.
R1(config)# access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
R1(config)# crypto ipsec transform-set test-set ah-sha-hmac esp-aes
R1(cfg-crypto-trans)# mode tunnel
! optional; tunnel mode is the default
R1(cfg-crypto-trans)# exit
R1(config)# crypto map test-map 1 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R1(config-crypto-map)# set peer 201.0.0.2
R1(config-crypto-map)# set transform-set test-set
R1(config-crypto-map)# match address 101
R1(config-crypto-map)# exit

! Apply the crypto map to the outside interface
R1(config)# int f0/0
R1(config-if)# crypto map test-map
R1(config-if)# exit

! Internet access for the inside hosts: PAT for everything except the VPN traffic
R1(config)# access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
R1(config)# access-list 102 permit ip any any
R1(config)# ip nat inside source list 102 interface f0/0 overload
R1(config)# int f0/0
R1(config-if)# ip nat outside
R1(config-if)# int f1/0
R1(config-if)# ip nat inside

Note: when NAT and VPN traffic coexist on the same router, inside-to-outside packets are matched against NAT first and against the crypto map second. The PAT access list must therefore deny the VPN traffic, otherwise it is translated before the crypto map ever sees it.

3. Configure the R3 router:

The R3 configuration mirrors R1 (and several values must be identical, such as the pre-shared key and the algorithms, otherwise the VPN cannot be established), so it is given without comments.

R3(config)# ip route 0.0.0.0 0.0.0.0 201.0.0.1
R3(config)# crypto isakmp policy 1
R3(config-isakmp)# encryption aes
R3(config-isakmp)# hash sha
R3(config-isakmp)# authentication pre-share
R3(config-isakmp)# group 2
R3(config-isakmp)# lifetime 10000
R3(config-isakmp)# exit
R3(config)# crypto isakmp key 6 2019.com address 200.0.0.1
R3(config)# access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
R3(config)# crypto ipsec transform-set test-set ah-sha-hmac esp-aes
R3(cfg-crypto-trans)# mode tunnel
R3(cfg-crypto-trans)# exit
R3(config)# crypto map test-map 1 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R3(config-crypto-map)# set peer 200.0.0.1
R3(config-crypto-map)# set transform-set test-set
R3(config-crypto-map)# match address 101
R3(config-crypto-map)# int f0/0
R3(config-if)# crypto map test-map
*Mar  1 00:51:55.511: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R3(config-if)# exit
R3(config)# access-list 102 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
R3(config)# access-list 102 permit ip any any
R3(config)# ip nat inside source list 102 interface f0/0 overload
R3(config)# int f0/0
R3(config-if)# ip nat outside
R3(config-if)# int f1/0
R3(config-if)# ip nat inside

The %CRYPTO-6-ISAKMP_ON_OFF log message confirms that applying the crypto map to the interface turned ISAKMP on.

At this point PC1 and PC2 can reach each other (the VPN at work), and both PCs can also ping R2. Note that although R1 and R3 have default routes toward R2, R2 has no route back to 192.168.1.0/24 or 192.168.2.0/24; that is what PAT is for, since R2 only ever sees the translated public addresses. You can run the ping tests yourself.
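Since the two sides must agree on so many values, a consistency check is useful before turning to debug output. The following Python script is an added example, not part of the original post: it parses the IOS configuration text of both gateways and reports mismatches, including the NAT-before-crypto problem discussed above. gateway_config() is a constructed template built from the R1/R3 configuration in this article; the .254 inside address on each router and the FastEthernet interface names are assumptions (the original only shows f0/0 and f1/0).

```python
"""Consistency check for a pair of IOS site-to-site IPsec gateway configs.
Added example (not from the original post): parses both configs and reports
what would keep the tunnel down (ISAKMP policy, pre-shared key and the address
it is bound to, transform set, mirrored crypto ACL, default route) plus the
NAT-before-crypto trap: flows the crypto ACL protects must be denied in the NAT ACL."""
import re

def gateway_config(outside_ip, next_hop, inside_net, peer_ip, remote_net,
                   psk="2019.com", group=2, nat_exempt=True):
    # Constructed running-config for one gateway; inside .254 and interface names are assumed.
    inside_gw = inside_net.rsplit(".", 1)[0] + ".254"
    exempt = f"access-list 102 deny ip {inside_net} 0.0.0.255 {remote_net} 0.0.0.255\n" if nat_exempt else ""
    return f"""interface FastEthernet0/0
 ip address {outside_ip} 255.255.255.0
 ip nat outside
 crypto map test-map
interface FastEthernet1/0
 ip address {inside_gw} 255.255.255.0
 ip nat inside
ip route 0.0.0.0 0.0.0.0 {next_hop}
crypto isakmp policy 1
 encryption aes
 hash sha
 authentication pre-share
 group {group}
 lifetime 10000
crypto isakmp key {psk} address {peer_ip}
crypto ipsec transform-set test-set ah-sha-hmac esp-aes
 mode tunnel
crypto map test-map 1 ipsec-isakmp
 set peer {peer_ip}
 set transform-set test-set
 match address 101
access-list 101 permit ip {inside_net} 0.0.0.255 {remote_net} 0.0.0.255
{exempt}access-list 102 permit ip any any
ip nat inside source list 102 interface FastEthernet0/0 overload
"""

def parse(cfg):
    """Pull the IPsec-relevant pieces out of an IOS config."""
    d = dict(policy={}, transforms=None, mode="tunnel", peer=None, psk=None, psk_addr=None,
             default_route=False, crypto_acl=None, nat_acl=None, acls={}, ips={}, outside_if=None)
    section = ""
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" "):                               # global command
            section = line
            if m := re.match(r"crypto isakmp key (?:[06] )?(\S+) address (\S+)", line):
                d["psk"], d["psk_addr"] = m.groups()
            elif m := re.match(r"crypto ipsec transform-set \S+ (.+)", line):
                d["transforms"] = frozenset(m.group(1).split())
            elif m := re.match(r"access-list (\d+) (permit|deny) ip (\S+) (\S+) (\S+) (\S+)$", line):
                d["acls"].setdefault(m.group(1), []).append(m.groups()[1:])
            elif re.match(r"ip route 0\.0\.0\.0 0\.0\.0\.0 \S+", line):
                d["default_route"] = True
            elif m := re.match(r"ip nat inside source list (\d+)", line):
                d["nat_acl"] = m.group(1)
        elif section.startswith("crypto isakmp policy"):          # indented sub-commands
            k, _, v = line.partition(" ")
            d["policy"][k] = v
        elif section.startswith("crypto ipsec transform-set") and line.startswith("mode "):
            d["mode"] = line.split()[1]
        elif section.startswith("crypto map") and (m := re.match(r"(set peer|match address) (\S+)", line)):
            d["peer" if m.group(1) == "set peer" else "crypto_acl"] = m.group(2)
        elif section.startswith("interface"):
            if m := re.match(r"ip address (\S+)", line):
                d["ips"][section] = m.group(1)
            elif line.startswith("crypto map"):
                d["outside_if"] = section
    d["outside_ip"] = d["ips"].get(d["outside_if"])
    return d

def check(an, a, bn, b):
    """Return a list of findings; an empty list means the two sides agree."""
    f = []
    if a["policy"] != b["policy"]:
        f.append(f"ISAKMP policy differs: {a['policy']} vs {b['policy']}")
    if a["psk"] != b["psk"]:
        f.append("pre-shared keys differ")
    if (a["transforms"], a["mode"]) != (b["transforms"], b["mode"]):
        f.append("transform set or mode differs")
    for xn, x, yn, y in ((an, a, bn, b), (bn, b, an, a)):
        if x["peer"] != y["outside_ip"] or x["psk_addr"] != y["outside_ip"]:
            f.append(f"{xn}: set peer / PSK address is not {yn}'s outside address {y['outside_ip']}")
        if not x["default_route"]:
            f.append(f"{xn}: no default route toward the public network")
        protected = [e for e in x["acls"].get(x["crypto_acl"], []) if e[0] == "permit"]
        mirror = y["acls"].get(y["crypto_acl"], [])
        nat = x["acls"].get(x["nat_acl"], [])
        for _, s, sw, d, dw in protected:
            if ("permit", d, dw, s, sw) not in mirror:
                f.append(f"{xn}: {s} -> {d} has no mirrored entry in {yn}'s crypto ACL")
            # NAT runs before the crypto map on inside-to-outside traffic, so every
            # protected flow must be exempted or PAT rewrites it first.
            if ("deny", s, sw, d, dw) not in nat:
                f.append(f"{xn}: NAT ACL {x['nat_acl']} does not deny {s} -> {d}")
    return f

if __name__ == "__main__":
    r1 = parse(gateway_config("200.0.0.1", "200.0.0.2", "192.168.1.0", "201.0.0.2", "192.168.2.0"))
    r3 = parse(gateway_config("201.0.0.2", "201.0.0.1", "192.168.2.0", "200.0.0.1", "192.168.1.0"))
    print(check("R1", r1, "R3", r3) or "R1 and R3 are consistent")
    r3_bad = parse(gateway_config("201.0.0.2", "201.0.0.1", "192.168.2.0", "200.0.0.1", "192.168.1.0",
                                  group=5, nat_exempt=False))
    print("\n".join(check("R1", r1, "R3", r3_bad)))
```

Feed it the output of "show run" from both routers instead of the template and the same checks apply; the regular expressions only look at the crypto, access-list, interface and NAT lines.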

4. Commands for viewing the configuration:

R1# show crypto isakmp policy
! the configured ISAKMP negotiation policies
R1# show crypto isakmp sa
! the state of the management connection SA
R1# show crypto ipsec transform-set
! the IPSec transform sets
R1# show crypto ipsec security-association lifetime
! the lifetime used for data connections
R1# show crypto ipsec sa
! details of the data connection SAs, including packet counters
R1# show crypto map
! the crypto map: its name, the matched ACL, the peer address, and the interface it is applied to

V. Summary

1. Because so many technologies and algorithms are involved, troubleshooting is not always easy. Use "show run" to view the complete configuration on both routers, compare them for mismatches, and reconfigure whatever differs.

2. Remember that when NAT and VPN traffic coexist, NAT is matched first and the crypto map second. When configuring PAT, the VPN traffic toward the branch network must be denied in the extended ACL used by NAT. Otherwise it is translated and forwarded as ordinary Internet traffic, and the packets are eventually dropped because R2 has no route to 192.168.2.0/24.

This is the end of this article. Thank you for reading
