Review of IPSEC VPN

2025-03-31 Update. From: SLTechnology News&Howtos > Network Security


Shulou (Shulou.com) 06/01 Report

As shown in the topology diagram above, the three routers R1, R2 and R5 are enabled, and the goal is to provide access between the loopback of R1 and the loopback of R2 over an IPsec tunnel. The loopback of R1 is 192.168.1.0/24; the loopback of R2 is 192.168.2.0/24.

R1#show version

If the image name in the version banner carries the k9 flag, for example "Cisco IOS Software, 7200 Software (C7200-ADVSECURITYK9-M), Version 12.4(11)T, RELEASE SOFTWARE (fc2)", the router has the crypto feature set and can use RSA and DH to generate public and private keys.

Experimental results

R1#show crypto isakmp sa (view the Phase 1 database)

IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
25.1.1.1        15.1.1.1        QM_IDLE           1001    0 ACTIVE

IPv6 Crypto ISAKMP SA

When the state is QM_IDLE, the Phase 1 tunnel has been established.

R1#show crypto ipsec sa (view the Phase 2 database)

interface: Serial1/2
    Crypto map tag: openlab, local addr 15.1.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0)
   remote ident (addr/mask/prot/port): (192.168.2.0)
   current_peer 25.1.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
    #pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 15.1.1.1, remote crypto endpt.: 25.1.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb Serial1/2
     current outbound spi: 0xC39B730(205109040)

     inbound esp sas:
      spi: 0xC1A0D62B(3248543275)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: 1, crypto map: openlab
        sa timing: remaining key lifetime (k/sec): (4429687/1379)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xC39B730(205109040)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: 2, crypto map: openlab
        sa timing: remaining key lifetime (k/sec): (4429687/1377)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

The inbound and outbound SAs share the same transform set and mode; only the SPI and connection id differ. The "sa timing" field shows the remaining lifetime in kilobytes and seconds, and "replay detection support: Y" confirms that the anti-replay window is active for this SA.
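As an added example (it is not code from the original post), the following Python script parses output of the kind shown above and reports what a reviewer would check: the deprecated 3DES and HMAC-MD5 transforms, any SA whose status is not ACTIVE, disabled anti-replay, asymmetric encaps/decaps counters, and send errors. The sample text is constructed from the lab output above and abridged; the weak-transform list is this script's own choice.

```python
import re

# Sample text constructed from the lab's "show crypto ipsec sa" output (abridged; constructed here).
SAMPLE_OUTPUT = """\
interface: Serial1/2
    Crypto map tag: openlab, local addr 15.1.1.1
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0)
   remote ident (addr/mask/prot/port): (192.168.2.0)
   current_peer 25.1.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
    #pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
    #send errors 1, #recv errors 0
     local crypto endpt.: 15.1.1.1, remote crypto endpt.: 25.1.1.1
     current outbound spi: 0xC39B730(205109040)
     inbound esp sas:
      spi: 0xC1A0D62B(3248543275)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        replay detection support: Y
        Status: ACTIVE
     outbound esp sas:
      spi: 0xC39B730(205109040)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        replay detection support: Y
        Status: ACTIVE
"""

# Transforms a reviewer should flag: DES/3DES (64-bit block ciphers, deprecated) and HMAC-MD5.
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac"}


def parse_ipsec_sa(text):
    """Extract peer, packet counters and per-direction SA details from the command output."""
    sa = {"local_addr": None, "peer": None, "counters": {}, "sas": []}
    m = re.search(r"local addr (\S+)", text)
    if m:
        sa["local_addr"] = m.group(1)
    m = re.search(r"current_peer (\S+) port (\d+)", text)
    if m:
        sa["peer"] = m.group(1)
    for name, value in re.findall(r"#\s*pkts ([A-Za-z. ]+?):\s*(\d+)", text):
        sa["counters"][name.strip()] = int(value)
    for name, value in re.findall(r"#\s*(send|recv) errors\s+(\d+)", text):
        sa["counters"][name + " errors"] = int(value)
    direction = None
    for raw in text.splitlines():
        line = raw.strip()
        low = line.lower()
        if low.endswith("esp sas:"):
            direction = low.split()[0]                 # "inbound" or "outbound"
        elif low.startswith("spi:"):
            sa["sas"].append({"direction": direction,
                              "spi": line.split()[1].split("(")[0]})
        elif sa["sas"] and low.startswith("transform:"):
            sa["sas"][-1]["transform"] = low.split(":", 1)[1].replace(",", " ").split()
        elif sa["sas"] and low.startswith("replay detection support:"):
            sa["sas"][-1]["replay"] = low.endswith("y")
        elif sa["sas"] and low.startswith("status:"):
            sa["sas"][-1]["status"] = line.split(":", 1)[1].strip().upper()
    return sa


def assess(sa):
    """Return review findings; an empty list means a healthy tunnel with nothing to remark on."""
    findings = []
    for entry in sa["sas"]:
        label = f"{entry['direction']} SA {entry['spi']}"
        weak = sorted(WEAK_TRANSFORMS.intersection(entry.get("transform", [])))
        if weak:
            findings.append(f"{label}: deprecated transform(s) {' '.join(weak)}")
        if entry.get("status") != "ACTIVE":
            findings.append(f"{label}: status is {entry.get('status')}, not ACTIVE")
        if not entry.get("replay"):
            findings.append(f"{label}: anti-replay detection disabled")
    c = sa["counters"]
    if c.get("encaps") != c.get("decaps"):
        findings.append(f"asymmetric traffic: encaps {c.get('encaps')} vs decaps {c.get('decaps')}")
    if c.get("send errors", 0):
        findings.append(f"{c['send errors']} send error(s): expected once, for the packet that triggered IKE")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_ipsec_sa(SAMPLE_OUTPUT)):
        print(finding)
```

Run against the lab output it prints three findings: the deprecated transforms on each SA and the single send error from the first ping. Swap the transform set for esp-aes and esp-sha-hmac and the list shrinks to the send error alone.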

R1#ping 192.168.2.1 source 192.168.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!
Success rate is 80 percent (4/5), round-trip min/avg/max = 36/42/52 ms

(The tunnel is established on demand: the first packet has to trigger the IKE negotiation and is lost while it completes, hence 4 of 5.)

R1#ping 192.168.2.1 source 192.168.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:

Packet sent with a source address of 192.168.1.1

!

Key points of configuration

1. Phase 1 policy (the ISAKMP database). If the chosen authentication method is a pre-shared key, the key itself must also be configured.

2. Configure the crypto ACL that selects the traffic to protect.

3. Configure the Phase 2 transform set (the IPsec database).

4. Finally, combine the above in a crypto map and apply the map on the interface.

Configuration of R1

R1#show run
!
! Phase 1 database (ISAKMP policy); "authentication pre-share" selects pre-shared-key authentication
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
! pre-shared key; the address is the IP address of the peer
crypto isakmp key 6 cisco123 address 25.1.1.1
!
! Phase 2 database (transform set)
crypto ipsec transform-set xxx esp-3des esp-md5-hmac
!
! crypto map ties peer, transform set and crypto ACL together; the name applied on the interface must match
crypto map openlab 10 ipsec-isakmp
 set peer 25.1.1.1
 set transform-set xxx
 match address 100
!
interface Loopback0
 ip address 192.168.1.1 255.255.255.0
!
interface Serial1/2
 ip address 15.1.1.1 255.255.255.0
 serial restart-delay 0
 crypto map openlab
!
ip route 0.0.0.0 0.0.0.0 15.1.1.2
!
! crypto ACL: captures the VPN traffic (wildcard masks 0.0.0.255)
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

Configuration of R2 (mirror image of R1)

R2#show run
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp key 6 cisco123 address 15.1.1.1
!
crypto ipsec transform-set xxx esp-3des esp-md5-hmac
!
crypto map openlab 10 ipsec-isakmp
 set peer 15.1.1.1
 set transform-set xxx
 match address 100
!
interface Loopback0
 ip address 192.168.2.1 255.255.255.0
!
interface Serial1/2
 ip address 25.1.1.1 255.255.255.0
 serial restart-delay 0
 crypto map openlab
!
ip route 0.0.0.0 0.0.0.0 25.1.1.2
!
access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
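The four configuration steps above, and the R1/R2 configurations that implement them, have to agree on both ends: the peer address must be the other side's crypto-map interface, the pre-shared key must be present for that peer and identical, the ISAKMP policy and transform set must match, and the two crypto ACLs must be mirror images. As an added example (not the page's own tooling), this Python script parses IOS running-config excerpts in the lab's shape and cross-checks a pair of peers for exactly those mistakes. The configs are generated by a constructed template that mirrors R1 and R2 rather than copied verbatim from the page.

```python
def lab_config(lan, wan, peer, peer_lan, psk="cisco123"):
    """Running-config excerpt in the lab's shape (constructed template, not the page's verbatim output)."""
    return f"""\
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 6 {psk} address {peer}
crypto ipsec transform-set xxx esp-3des esp-md5-hmac
crypto map openlab 10 ipsec-isakmp
 set peer {peer}
 set transform-set xxx
 match address 100
interface Loopback0
 ip address {lan}.1 255.255.255.0
interface Serial1/2
 ip address {wan} 255.255.255.0
 crypto map openlab
access-list 100 permit ip {lan}.0 0.0.0.255 {peer_lan}.0 0.0.0.255
"""


R1_CONFIG = lab_config("192.168.1", "15.1.1.1", "25.1.1.1", "192.168.2")
R2_CONFIG = lab_config("192.168.2", "25.1.1.1", "15.1.1.1", "192.168.1")


def parse_config(text):
    """Parse the crypto-relevant parts of an IOS running-config into a dict."""
    cfg = {"policy": {}, "psk": {}, "transform": {}, "map": {}, "interfaces": {}, "acl": {}}
    section = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        w = raw.split()
        if not raw.startswith(" "):                       # top-level command
            section = None
            if w[:3] == ["crypto", "isakmp", "policy"]:
                section = ("policy", w[3])
                cfg["policy"][w[3]] = {}
            elif w[:3] == ["crypto", "isakmp", "key"]:    # crypto isakmp key [0|6] <key> address <peer>
                cfg["psk"][w[-1]] = w[-3]
            elif w[:3] == ["crypto", "ipsec", "transform-set"]:
                cfg["transform"][w[3]] = w[4:]
            elif w[:2] == ["crypto", "map"]:
                section = ("map", w[2])
                cfg["map"][w[2]] = {}
            elif w[0] == "interface":
                section = ("interfaces", w[1])
                cfg["interfaces"][w[1]] = {}
            elif w[0] == "access-list" and w[2] == "permit":
                cfg["acl"].setdefault(w[1], []).append(tuple(w[4:8]))   # src, src-wc, dst, dst-wc
            continue
        if section is None:
            continue
        kind, name = section
        entry = cfg[kind][name]
        if kind == "policy":
            entry[w[0]] = " ".join(w[1:])
        elif kind == "map":
            entry[" ".join(w[:2])] = " ".join(w[2:])     # "set peer", "set transform-set", "match address"
        elif kind == "interfaces" and w[:2] == ["ip", "address"]:
            entry["ip"] = w[2]
        elif kind == "interfaces" and w[:2] == ["crypto", "map"]:
            entry["crypto_map"] = w[2]
    return cfg


def tunnel_endpoint(cfg):
    """(interface ip, crypto map dict) for the single interface that carries a crypto map, else None."""
    ends = [i for i in cfg["interfaces"].values() if "crypto_map" in i]
    if len(ends) != 1 or ends[0]["crypto_map"] not in cfg["map"]:
        return None
    return ends[0]["ip"], cfg["map"][ends[0]["crypto_map"]]


def check_pair(a, b, names=("R1", "R2")):
    """Cross-check two peers for the mistakes that stop Phase 1 or Phase 2 from coming up."""
    problems, ends = [], {}
    for n, cfg in zip(names, (a, b)):
        ends[n] = tunnel_endpoint(cfg)
        if ends[n] is None:
            problems.append(f"{n}: crypto map must be applied on exactly one interface")
    if problems:
        return problems
    for n, rn, cfg in ((names[0], names[1], a), (names[1], names[0], b)):
        cmap, rip = ends[n][1], ends[rn][0]
        peer = cmap.get("set peer")
        if peer != rip:
            problems.append(f"{n}: set peer {peer} is not {rn}'s tunnel interface {rip}")
        if peer not in cfg["psk"]:
            problems.append(f"{n}: no pre-shared key for peer {peer}")
        if cmap.get("set transform-set") not in cfg["transform"]:
            problems.append(f"{n}: transform-set {cmap.get('set transform-set')} is not defined")
        if not cfg["acl"].get(cmap.get("match address")):
            problems.append(f"{n}: crypto ACL {cmap.get('match address')} has no permit entries")
    (a_ip, a_map), (b_ip, b_map) = ends[names[0]], ends[names[1]]
    if a["psk"].get(b_ip) != b["psk"].get(a_ip):
        problems.append("pre-shared keys differ")
    if list(a["policy"].values()) != list(b["policy"].values()):
        problems.append("ISAKMP policy parameters differ")
    if a["transform"].get(a_map.get("set transform-set")) != b["transform"].get(b_map.get("set transform-set")):
        problems.append("transform-sets differ")
    a_acl = set(a["acl"].get(a_map.get("match address"), []))
    b_mirror = {(d, dw, s, sw) for (s, sw, d, dw) in b["acl"].get(b_map.get("match address"), [])}
    if a_acl != b_mirror:
        problems.append("crypto ACLs are not mirror images of each other")
    return problems
```

With the lab's R1 and R2 the check returns no problems; a mistyped key on one side, a non-mirrored ACL, or forgetting to apply the crypto map on the serial interface each produce a specific finding before any packet is sent.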

Configuration of R5 (transit router, no crypto)

interface Loopback0
 ip address 5.5.5.5 255.255.255.0
!
interface Serial1/0
 ip address 15.1.1.2 255.255.255.0
 serial restart-delay 0
!
interface Serial1/1
 ip address 25.1.1.2 255.255.255.0
 serial restart-delay 0

Capturing the traffic on R1's S1/2:

Only the public addresses (15.1.1.1 and 25.1.1.1) are visible; at layer 3 the protocol is ESP, and all of the inner traffic is encrypted.

Review of IPSEC VPN, November 6, 2018

Classification of VPNs

LAN-to-LAN: the IP addresses at both ends are fixed.
Includes: GRE, ATM, MPLS VPN, Frame Relay.

Remote access: fixed at one end and not fixed at the other.
Includes: IPSec VPN, PPTP (Windows), L2TP+IPSec (Windows), SSL VPN (mainly used for web pages).

IPSec VPN

Security services: confidentiality, integrity, source authentication, non-repudiation.

IPSec framework

Encryption: DES, 3DES, AES
Integrity (check): MD5, SHA-1
Encapsulation protocol: ESP (encryption + verification), AH (verification only)
Mode: transport (transport mode, encapsulated after layer 3), tunnel (tunnel mode, encapsulated after layer 4)
Key lifetime: 3600 s or 1800 s

Cryptographic algorithms

Symmetric algorithms: DES, 3DES, AES (128, 192 or 256-bit keys)
Asymmetric algorithms: RSA, DH

Symmetric encryption: the same key is used for encryption and decryption, and the data does not grow after encryption.

Advantages: fast, secure and compact.

Disadvantages: a key sent in plaintext may be hijacked or eavesdropped; the number of keys grows with the square of the number of participants; that many keys are hard to manage and store; no support for digital signatures or non-repudiation.

Asymmetric encryption: encryption and decryption use different keys; used only for key exchange and digital signatures; the data becomes larger after encryption.

Advantages: the larger ciphertext makes it more secure; the key never has to be sent to the receiver, so there is no worry about it being intercepted in transit; the number of keys equals the number of participants; no relationship has to be established with participants in advance to exchange keys; supports digital signatures and non-repudiation.

Disadvantages: slow encryption; larger data after encryption.

November 8, 2018

Integrity check (hash)

A hash algorithm takes input of unequal length and produces output of fixed length. MD5 produces 128 bits; in IPsec only the first 96 bits are compared.

SHA: 160, 256, 384 or 512 bits

Characteristics of a hash function

Fixed output size, avalanche effect, one-way, collision avoidance (two different inputs should not produce the same value). It is recommended that MD5 carry only a 96-bit check when the traffic is actually transmitted.

Popular hash algorithms

MD5, SHA-1

ESP can encrypt and verify traffic.

AH can only verify traffic.

The process of establishing a VPN with IKE

CA (Certification Authority): verifies the authenticity of certificates.

November 14, 2018

IKE establishes the tunnel, ESP encrypts, and the shared key provides non-repudiation.

Easy VPN: IP address assignment takes place in "phase 1.5".

If the two databases (the Phase 1 and Phase 2 policies) are verified on both sides, a consistent SA is established between them.

The first phase (ISAKMP database) is negotiated in plaintext

(1)

a. The packet carries: encryption algorithm (default DES), hash algorithm (default SHA), authentication method (digital signature or pre-shared key), SA lifetime 86400 s (rekeyed once a day).

b. DH group number 1, 2 or 5 (group 2 = 1024 bits); the key exchange can only use the DH algorithm.

The Phase 1 database is used to encrypt the negotiation of the Phase 2 database.

In the Phase 1 ISAKMP SA (main mode), the first four messages are plaintext and the last two are ciphertext:

Messages 1 and 2: SA proposals; if they match, the VPN setup continues.

Messages 3 and 4: the DH public values are exchanged; the DH group defines the public value length.

Messages 5 and 6: encrypted with the key derived from DH; they carry a HASH, the peer IP address or host name, and authentication using a digital signature or the pre-shared key.

The second phase (IPsec SA)

All traffic is encrypted.

(1) ACL (selects the VPN traffic): capture the traffic, paying attention to source IP and destination IP.

(2) P2 SA (Phase 2 database):

mode
timeout (lifetime)
encapsulation protocol
encryption algorithm
hash algorithm
