2025-02-24 Update From: SLTechnology News&Howtos, Network Security
Shulou(Shulou.com)06/01 Report--
Blog outline:
* the security features implemented in a virtual private network
* the negotiation and establishment process of the two ISAKMP/IKE phases
1. Overview of Virtual Private Network
Virtual private network technology was originally developed to solve the security risks caused by the transmission of plaintext data on the network.
2. Definition of Virtual Private Network
A virtual private network is a protected connection established between two entities. The two entities could be linked directly by a point-to-point link, but usually they are far apart.
3. Modes and types of Virtual Private Network
(1) connection mode of virtual private network
There are two basic connection modes: transport mode and tunnel mode.
Transport mode (applicable to public or private networks)
The most prominent feature of transport mode is that the original IP header is never encapsulated anywhere in the virtual private network, which means that the data is carried with the original IP addresses all the way from source to destination.
Tunnel mode (for a mixed environment of public and private addresses)
Tunnel mode differs clearly from transport mode: tunnel mode protects both the IP header and the data, while transport mode protects only the data.
4. Types of virtual private network
Site-to-site (L2L, LAN-to-LAN)
A site-to-site virtual private network protects the traffic between two or more sites by running tunnel mode between the virtual private network gateways. Site traffic usually means LAN-to-LAN (L2L) traffic.
As shown in the figure:
Remote access virtual private network (RA)
A remote access virtual private network is usually used for the connection between a single user device and the virtual private network gateway. The single user device is usually a PC or a small office network.
5. Encryption algorithm
DES, 3DES, AES
Encryption is the process of converting data into another form so that it cannot be decrypted without knowledge of the encryption algorithm.
Symmetric encryption algorithm (the same key is used to protect the information)
The data encryption process is as follows:
1. The sender and receiver share the key "k".
2. The sender's virtual private network gateway encrypts the plaintext data M into ciphertext through the encryption function E.
3. The receiver restores the plaintext data "M" through the decryption function D.
DES algorithm
The DES algorithm, developed by IBM, has been widely used in the field of virtual private networks. Its key length is 64 bits, of which 8 bits are used for parity, so the effective key length is 56 bits. Although no better way of attacking the algorithm itself has been found, DES can be cracked in a short time by other technical means, so it is not recommended for use in real projects.
3DES algorithm
The 3DES algorithm is an enhanced version of DES: 3DES runs three stages of DES with three different 56-bit keys, which gives an effective key length of 168 bits. At present a key of this strength cannot be cracked in a short time. Although 3DES executes slowly in software, the slowdown is not noticeable in a hardware implementation.
AES algorithm
Although 3DES is secure today, it will become insecure one day as computer hardware improves. The AES algorithm is more secure than 3DES: it supports key lengths of 128, 192 and 256 bits, and its effective key length can reach thousands of bits. More importantly, AES uses a more efficient implementation and occupies less CPU, so practical projects such as IPSec virtual private networks tend to use AES for stronger encryption.
Asymmetric encryption algorithm
1) Principle of the algorithm
Asymmetric algorithms use two different keys, a public key and a private key, for encryption and decryption. Data encrypted with one key can only be decrypted with the other, and neither key can be derived from the other. The encryption and decryption process of an asymmetric algorithm is shown in the figure:
2) Advantages and disadvantages of the algorithm
The biggest advantage of asymmetric encryption algorithm lies in its security. So far, there is no way to crack the algorithm within a reasonable time range.
Asymmetric encryption is not perfect, however: because its calculations are complex, its computational efficiency is far lower than that of symmetric encryption algorithms.
DH algorithm
The commonly used asymmetric algorithms are RSA, DSA and DH. The first two are often used for authentication, while DH is generally used to implement the Internet Key Exchange (IKE) protocol in IPSec.
6. Data message verification
Data message authentication covers two aspects: data source authentication (authentication) and message integrity verification.
MD5 and SHA
MD5 (Message-Digest Algorithm 5) is defined in RFC 1321. It produces a 128-bit digest and is currently the most widely used algorithm in HMAC.
7. IPSec virtual private network
1) Traffic triggers IPSec
Generally speaking, the IPSec establishment process is triggered by traffic sent between the peers: once virtual private network traffic passes through the virtual private network gateway, the connection starts to be established. The process can also be started by manual configuration. Before configuring the devices for this step, the network engineer needs to know which traffic must be "protected".
2) Establish a management connection (phase 1)
IPSec uses ISAKMP/IKE phase 1 to build a secure management connection. Note that this management connection is only preparatory work; it is not used to transfer the actual data. Before configuring the devices for this step, the network engineer needs to know how the devices authenticate each other, which encryption and authentication algorithms to use, which DH group to use, and so on.
3) Establish a data connection (phase 2)
IPSec negotiates the secure data connection on top of the secure management connection; ISAKMP/IKE phase 2 accomplishes this task, and the data connection carries the real user data. Before configuring the devices for this step, the network engineer needs to be clear about which security protocol to use, the encryption and authentication algorithms for that security protocol, and the transmission mode of the data (tunnel mode or transport mode).
After these three steps, the virtual private network traffic can be encrypted and decrypted according to the negotiated parameters. The virtual private network connection is not permanent, however: both the management connection and the data connection have a lifetime associated with them, and a connection is terminated once it expires. If virtual private network data still needs to be transferred, the connection has to be rebuilt; this design is mainly a security consideration.
ISAKMP/IKE stage 1
Three tasks:
* negotiate how the management connection is established
* share key information through the DH algorithm
* the peers authenticate each other
ISAKMP/IKE stage 1 establishment process
The ISAKMP/IKE transform set is the set of security measures used to protect the management connection. It mainly covers the following:
* encryption algorithms: DES, 3DES and AES
* HMAC algorithms: MD5 or SHA-1
* device authentication type: pre-shared keys
* DH key groups: Cisco supports 1, 2, 5 and 7 (Cisco routers do not support key group 7)
* the lifetime of the management connection
Configure security policy
The ISAKMP/IKE policy contains the following parameters: sequence number of the policy, encryption algorithm, hash algorithm, authentication method, DH group, lifetime, etc.
R1(config)# crypto isakmp policy 1        // creates the policy used to establish the ISAKMP/IKE management connection; each policy has a sequence number from 1 to 10000, and the lower the value, the higher the priority
R1(config-isakmp)# encryption des         // encryption algorithm (des, 3des, aes)
R1(config-isakmp)# hash sha               // hash algorithm for the last two (authentication) messages of the management connection (sha, md5)
R1(config-isakmp)# authentication pre-share   // device authentication method {pre-share (pre-shared key) | rsa-encr | rsa-sig}
R1(config-isakmp)# group 1                // DH key group; group 1 is used by default. The larger the group number, the more secure the algorithm and the more device resources it consumes. Range: 1, 2, 5, 14, 15, 16
R1(config-isakmp)# lifetime 86400         // lifetime of the management connection; the default is 86400s (24 hours)
R1# show crypto isakmp policy             // view the security policy configuration
Global IKE policy
Protection suite of priority 1            // the parameters specified in policy 1
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite                  // the default configuration parameters
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Configure a pre-shared key
R1(config)# crypto isakmp key 0 123456 address 192.168.1.1
// 0 means the key is entered in plaintext, 6 means it is entered encrypted
// 123456 is the key itself
// 192.168.1.1 is the address of the peer that shares this key; if no subnet mask is given, a 32-bit mask is used by default
R1# show crypto isakmp key                // view the pre-shared key configuration
Keyring      Hostname/Address      Preshared Key
default      192.168.1.1           123456
// the key is shown here because it is stored in plaintext; if it is stored encrypted, the key content is not displayed
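As an added example that is not part of the original article, the following Python models why the pre-shared key and the DH exchange play different roles in phase 1. It implements the key derivation from RFC 2409 section 5 for pre-shared-key authentication (prf = HMAC-SHA-1, matching `hash sha`) over a toy DH group: the DH shared secret agrees whatever the keys are, but SKEYID and everything derived from it only agree when both peers hold the same pre-shared key. The prime, nonces and cookies are constructed for the demo, not the real IKE group parameters.

```python
import hashlib
import hmac
import secrets

# Toy DH group constructed for the demo: 2^64 - 59 is prime, but this is NOT
# one of the RFC 2409 MODP groups (group 1 is 768-bit, group 2 is 1024-bit).
P = 0xFFFFFFFFFFFFFFC5
G = 2
P_BYTES = (P.bit_length() + 7) // 8

def dh_keypair():
    """Private exponent x and public value g^x mod p."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)

def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf for 'hash sha': HMAC-SHA-1 keyed with the first argument."""
    return hmac.new(key, data, hashlib.sha1).digest()

def derive_keys(psk: bytes, ni: bytes, nr: bytes, gxy: int, cky_i: bytes, cky_r: bytes):
    """RFC 2409 section 5 derivation for pre-shared-key authentication."""
    gxy_b = gxy.to_bytes(P_BYTES, "big")
    skeyid = prf(psk, ni + nr)                    # depends on the PSK and nonces only
    skeyid_d = prf(skeyid, gxy_b + cky_i + cky_r + b"\x00")             # phase 2 material
    skeyid_a = prf(skeyid, skeyid_d + gxy_b + cky_i + cky_r + b"\x01")  # integrity key
    skeyid_e = prf(skeyid, skeyid_a + gxy_b + cky_i + cky_r + b"\x02")  # encryption key
    return skeyid, skeyid_d, skeyid_a, skeyid_e

def phase1(psk_i: bytes, psk_r: bytes):
    """Model one phase 1 exchange; return (DH secrets agree, derived keys agree)."""
    xi, gxi = dh_keypair()                                        # initiator
    xr, gxr = dh_keypair()                                        # responder
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)     # nonces Ni_b, Nr_b
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8) # ISAKMP cookies
    gxy_i = pow(gxr, xi, P)      # each side computes g^xy from the peer's public value
    gxy_r = pow(gxi, xr, P)
    keys_i = derive_keys(psk_i, ni, nr, gxy_i, cky_i, cky_r)
    keys_r = derive_keys(psk_r, ni, nr, gxy_r, cky_i, cky_r)
    return gxy_i == gxy_r, keys_i == keys_r

if __name__ == "__main__":
    print(phase1(b"benet.123", b"benet.123"))   # (True, True)
    print(phase1(b"benet.123", b"wrong"))       # (True, False): DH agrees, the PSK does not
```

With mismatched keys the peers still complete DH but derive different SKEYID_a, so the HASH_I/HASH_R authentication messages fail to verify and phase 1 is torn down; on a Cisco router this shows up as a failed ISAKMP negotiation rather than an immediate key error.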
ISAKMP/IKE stage 2
ISAKMP/IKE phase 2 establishes the data connection between the two IPSec peers. It mainly accomplishes the following tasks:
* define which traffic between the peers needs to be protected
* define the security protocol used to protect the data
* define the transmission mode
* define the lifetime of the data connection and how the keys are refreshed
IPSec peers typically use ACL to match virtual private network traffic that needs to be encrypted.
ISAKMP/IKE stage 2 establishment process
An SA connection is defined by three elements:
* security parameter index (SPI): uniquely identifies each SA connection
* type of security protocol: IPSec defines two security protocols, AH (Authentication Header) and ESP (Encapsulating Security Payload)
* destination IP address
Transform sets for ISAKMP/IKE Phase 2
The transform set of a data connection defines how the data connection is protected. As with the transform sets of the management connection, a peer device can hold one or more transform sets, but the contents are different:
* security protocols: AH, ESP
* connection mode: tunnel mode, transport mode
* encryption method: for ESP, DES, 3DES, AES-128, AES-192, AES-256 or no encryption
* authentication method: MD5 or SHA-1
Security protocols for ISAKMP/IKE Phase 2
The IPSec data connection can be protected by two security protocols, AH and ESP. One of them can be used alone to encrypt and verify the data (for example ESP), or the two protocols can be used together. AH uses IP protocol number 51 and ESP uses IP protocol number 50.
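To make the SA triple concrete, here is an added Python example (not from the original article) that builds minimal constructed IPv4 packets carrying AH or ESP and extracts the three elements that identify the SA: destination address, protocol (51 or 50) and SPI. It also shows a header-layout detail the text glosses over: AH carries its SPI after a next-header field, so the mode (tunnel if the next header is IP-in-IP, 4) is visible on the wire, while ESP's SPI comes first and the next header sits in the encrypted trailer. Checksums and the ICV are left as zero bytes; everything here is constructed for the demo.

```python
import ipaddress
import struct

IP_PROTO_IPIP = 4   # next header value meaning an encapsulated IPv4 packet (tunnel mode)
IP_PROTO_ESP = 50
IP_PROTO_AH = 51

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal constructed 20-byte IPv4 header (checksum left zero for the demo)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def ah_packet(src, dst, spi, seq, next_header, icv=b"\x00" * 12) -> bytes:
    """AH (RFC 4302): next header, payload len, reserved, SPI, sequence, then ICV."""
    payload_len = (12 + len(icv)) // 4 - 2       # AH length in 32-bit words minus 2
    ah = struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv
    return ipv4_header(src, dst, IP_PROTO_AH, len(ah)) + ah

def esp_packet(src, dst, spi, seq, encrypted=b"\x00" * 16) -> bytes:
    """ESP (RFC 4303): SPI and sequence number first; everything after is encrypted,
    so the inner next header (and therefore the mode) is not visible on the wire."""
    esp = struct.pack("!II", spi, seq) + encrypted
    return ipv4_header(src, dst, IP_PROTO_ESP, len(esp)) + esp

def sa_selector(packet: bytes):
    """Return (dst_ip, protocol, spi, mode) identifying the SA, or None if not IPSec."""
    ihl = (packet[0] & 0x0F) * 4                 # IPv4 header length in bytes
    proto = packet[9]
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    hdr = packet[ihl:]
    if proto == IP_PROTO_AH:
        next_header = hdr[0]
        spi = struct.unpack("!I", hdr[4:8])[0]
        mode = "tunnel" if next_header == IP_PROTO_IPIP else "transport"
        return dst, "AH", spi, mode
    if proto == IP_PROTO_ESP:
        spi = struct.unpack("!I", hdr[0:4])[0]
        return dst, "ESP", spi, "unknown"        # mode hidden inside the encrypted part
    return None
```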
8. Configuration and implementation of IPSec Virtual Private Network
Requirements:
(1) Configure the addresses as shown in the figure above, using routers to act as PCs. Everything needs to be configured, except that the ISP does not need a default route.
(2) Configure IPSec VPN on R2 and R4 respectively; the related parameters must be consistent on both sides.
(3) Ping R5 from R1 to test whether they can communicate.
(4) Using NAT, the internal hosts can access the ISP.
First configure the IP addresses, then configure the default route (next hop) on R1, R2, R4 and R5, for example on R1:
ip route 0.0.0.0 0.0.0.0 192.168.1.1
Configure the management connection on R2
crypto isakmp policy 1
 encr aes                    // encryption algorithm
 hash sha                    // authentication (hash) algorithm
 authentication pre-share    // device authentication method: "pre-shared key"
 group 2                     // strength of the DH algorithm: group 2
 lifetime 10000              // management connection lifetime
crypto isakmp key benet.123 address 201.0.0.2   // configure the pre-shared key for the R4 peer
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255   // traffic protected by the virtual private network
crypto ipsec transform-set test-set ah-sha-hmac esp-aes   // data connection negotiation parameters
crypto map test-map 1 ipsec-isakmp   // put the data connection configuration into a crypto map
 set peer 201.0.0.2                  // virtual private network peer address
 set transform-set test-set          // transform set used for data transmission
 match address 101                   // matching ACL
Apply the map to the outside interface:
int f1/0
 crypto map test-map
Configure on R4
crypto isakmp policy 1
 encr aes                    // encryption algorithm
 hash sha                    // authentication (hash) algorithm
 authentication pre-share    // device authentication method: "pre-shared key"
 group 2                     // strength of the DH algorithm: group 2
 lifetime 10000              // management connection lifetime
crypto isakmp key benet.123 address 200.0.0.1   // configure the pre-shared key for the R2 peer (200.0.0.1)
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255   // traffic protected by the virtual private network
crypto ipsec transform-set test-set ah-sha-hmac esp-aes   // data connection negotiation parameters
crypto map test-map 1 ipsec-isakmp   // put the data connection configuration into a crypto map
 set peer 200.0.0.1                  // virtual private network peer address
 set transform-set test-set          // transform set used for data transmission
 match address 101                   // matching ACL
Apply the map to the outside interface:
int f0/0
 crypto map test-map
After the above is done, R1 and R5 can communicate through the virtual private network.
Resolve internal host access to internet
access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255   // exclude the virtual private network traffic
access-list 102 permit ip any any   // allow all other traffic
Note: when both NAT and the virtual private network are configured, NAT is matched first and the virtual private network second, so the virtual private network traffic must be excluded from NAT.
ip nat inside source list 102 interface FastEthernet1/0 overload   // enable NAT
Enable NAT on the interfaces:
int f0/0
 ip nat inside
int f1/0
 ip nat outside
At this point, R1 can access R3.
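The order-of-operations note above is the easiest thing to get wrong in this setup, so here is an added Python model (not from the original article) of R2's inside-to-outside path: NAT is evaluated first on ACL 102, then the crypto map's ACL 101 is checked against the translated packet. It uses the article's ACLs and addresses; the ISP host address 203.0.113.10 is a constructed placeholder, and Cisco wildcard-mask matching is reimplemented inline.

```python
import ipaddress

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard masks: a 1 bit means 'do not care', a 0 bit must match."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)

def acl_action(acl, src: str, dst: str) -> str:
    """First matching entry wins; an ACL ends with an implicit deny."""
    for action, s, sw, d, dw in acl:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action
    return "deny"

ANY = ("0.0.0.0", "255.255.255.255")
# R2's crypto ACL 101 and NAT ACL 102 as given in the article
CRYPTO_ACL_101 = [("permit", "192.168.1.0", "0.0.0.255", "192.168.2.0", "0.0.0.255")]
NAT_ACL_102 = [("deny", "192.168.1.0", "0.0.0.255", "192.168.2.0", "0.0.0.255"),
               ("permit", *ANY, *ANY)]
# The same NAT ACL without the deny line, i.e. the mistake the note warns about
NAT_ACL_NO_DENY = [("permit", *ANY, *ANY)]
R2_OUTSIDE = "200.0.0.1"   # R2's outside address (R4's 'set peer')

def egress(src: str, dst: str, nat_acl) -> tuple:
    """Inside-to-outside order of operations: NAT translation is applied first,
    then the crypto map's ACL is checked on the translated packet.
    Returns (source address the crypto map sees, 'ipsec' or 'clear')."""
    if acl_action(nat_acl, src, dst) == "permit":
        src = R2_OUTSIDE                        # PAT overload onto the outside address
    protected = acl_action(CRYPTO_ACL_101, src, dst) == "permit"
    return src, "ipsec" if protected else "clear"

if __name__ == "__main__":
    print(egress("192.168.1.10", "192.168.2.10", NAT_ACL_102))     # ('192.168.1.10', 'ipsec')
    print(egress("192.168.1.10", "192.168.2.10", NAT_ACL_NO_DENY)) # ('200.0.0.1', 'clear')
    print(egress("192.168.1.10", "203.0.113.10", NAT_ACL_102))     # ('200.0.0.1', 'clear')
```

Without the deny entry the LAN-to-LAN packet is translated to 200.0.0.1 before the crypto map sees it, no longer matches ACL 101, and leaves the router in clear text instead of through the tunnel.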
R5's access to R3 is configured in the same way on R4:
access-list 102 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255   // exclude the virtual private network traffic
access-list 102 permit ip any any   // allow all other traffic
ip nat inside source list 102 interface FastEthernet0/0 overload   // enable NAT
Enable NAT on the interfaces:
int f1/0
 ip nat inside
int f0/0
 ip nat outside
Done!