2025-03-31 Update From: SLTechnology News&Howtos > Network Security
Shulou (Shulou.com) 06/01 Report
As shown in the topology diagram above, three routers are used: R1, R2 and R5. The goal is to protect the traffic between the loopback of R1 and the loopback of R2 with an IPsec tunnel. The loopback of R1 is 192.168.1.0/24; the loopback of R2 is 192.168.2.0/24.
R1#show version
If the image name in the version string carries the K9 designator, as in "Cisco IOS Software, 7200 Software (C7200-ADVSECURITYK9-M), Version 12.4(11)T, RELEASE SOFTWARE (fc2)", the router has the crypto feature set and can use RSA and DH to generate public and private keys.
Experimental results
R1#show crypto isakmp sa                 (view the phase 1 database)
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
25.1.1.1        15.1.1.1        QM_IDLE           1001    0 ACTIVE

IPv6 Crypto ISAKMP SA

When the state is QM_IDLE, the phase 1 (ISAKMP) tunnel has been established.
R1#show crypto ipsec sa                  (view the phase 2 database)
interface: Serial1/2
    Crypto map tag: openlab, local addr 15.1.1.1
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0)
   remote ident (addr/mask/prot/port): (192.168.2.0)
   current_peer 25.1.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
    #pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0
     local crypto endpt.: 15.1.1.1, remote crypto endpt.: 25.1.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb Serial1/2
     current outbound spi: 0xC39B730(205109040)
     inbound esp sas:
      spi: 0xC1A0D62B(3248543275)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: 1, crypto map: openlab
        sa timing: remaining key lifetime (k/sec): (4429687/1379)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0xC39B730(205109040)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: 2, crypto map: openlab
        sa timing: remaining key lifetime (k/sec): (4429687/1377)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     outbound ah sas:
     outbound pcp sas:

The inbound and outbound SAs use the same transform and settings; only the SPIs and the remaining lifetimes differ.
R1#ping 192.168.2.1 source 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
.!!!!
(The tunnel is built on demand: IKE negotiation is triggered by the first packet that matches the crypto ACL, so that first packet is lost while the tunnel comes up.)
Success rate is 80 percent (4/5), round-trip min/avg/max = 36/42/52 ms
R1#ping 192.168.2.1 source 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!
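The two show commands above are what an operator reads to confirm the tunnel is healthy. The following added Python example (not part of the original article) parses a sample built from the page's own `show crypto ipsec sa` values and turns it into a short list of findings: SA status, one-way traffic, send errors and legacy algorithms.

```python
import re
# Constructed sample modelled on the "show crypto ipsec sa" output above (SPIs,
# transform and counters copied from the page, indented as IOS prints them).
SAMPLE_IPSEC_SA = """\
interface: Serial1/2
    #pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
    #pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
    #send errors 1, #recv errors 0
     inbound esp sas:
      spi: 0xC1A0D62B(3248543275)
        transform: esp-3des esp-md5-hmac ,
        Status: ACTIVE
     outbound esp sas:
      spi: 0xC39B730(205109040)
        transform: esp-3des esp-md5-hmac ,
        Status: ACTIVE
"""
FIELDS = (("spi", r"spi: (0x[0-9A-Fa-f]+)"),
          ("transform", r"transform: (.+?)\s*,?$"),
          ("status", r"Status: (\w+)"))

def parse_ipsec_sa(text):
    """Pull the packet counters and the per-direction SA details out of the output."""
    counters = {k: int(v) for k, v in re.findall(r"#\s*(pkts \w+|send errors|recv errors):?\s*(\d+)", text)}
    sas, section = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        m = re.match(r"(inbound|outbound) (esp|ah|pcp) sas:", line)
        if m:
            section = " ".join(m.groups())  # e.g. "inbound esp"; following fields belong to it
            continue
        for field, pattern in FIELDS:
            m = re.match(pattern, line)
            if m and section:
                sas.setdefault(section, {})[field] = m.group(1)
    return {"counters": counters, "sas": sas}

def check_tunnel(parsed):
    """Return findings an operator should act on; an empty list means the tunnel looks healthy."""
    c, sas = parsed["counters"], parsed["sas"]
    findings = []
    for direction in ("inbound esp", "outbound esp"):
        if sas.get(direction, {}).get("status") != "ACTIVE":
            findings.append(f"{direction} SA is not ACTIVE")
    if c.get("pkts encaps", 0) > 0 and c.get("pkts decaps", 0) == 0:
        findings.append("packets go out but none come back: check the peer's crypto ACL and routing")
    if c.get("send errors", 0):
        findings.append(f"{c['send errors']} send error(s): one is expected for the packet that triggered IKE")
    if any(t in sas.get("inbound esp", {}).get("transform", "") for t in ("3des", "md5")):
        findings.append("3DES/MD5 transform in use: legacy algorithms, prefer AES and SHA-2")
    return findings
```

On the page's output this reports exactly two findings: the single send error from the first ping and the 3DES/MD5 transform.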
Key points of configuration
1. Phase 1 database (ISAKMP policy). If the chosen authentication method is a pre-shared key, the shared key must also be configured.
2. Configure the ACL that selects the traffic to protect.
3. Configure the phase 2 database (transform set).
4. Finally, combine the above in a crypto map and apply the map to the interface.
Configuration of R1
R1#show run
!
! phase 1 database (ISAKMP policy)
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
! the authentication method is a pre-shared key, so the key must be set;
! the address is the IP address of the peer
crypto isakmp key 6 cisco123 address 25.1.1.1
!
! phase 2 database (transform set)
crypto ipsec transform-set xxx esp-3des esp-md5-hmac
!
! the crypto map ties the pieces together; the same map name is applied on the interface
crypto map openlab 10 ipsec-isakmp
 set peer 25.1.1.1
 set transform-set xxx
 match address 100
!
interface Loopback0
 ip address 192.168.1.1 255.255.255.0
!
interface Serial1/2
 ip address 15.1.1.1 255.255.255.0
 serial restart-delay 0
 crypto map openlab
!
ip route 0.0.0.0 0.0.0.0 15.1.1.2
!
! select the VPN traffic: from R1's loopback network to R2's loopback network
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
Configuration of R2 (the mirror image of R1)
R2#show run
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 6 cisco123 address 15.1.1.1
!
crypto ipsec transform-set xxx esp-3des esp-md5-hmac
!
crypto map openlab 10 ipsec-isakmp
 set peer 15.1.1.1
 set transform-set xxx
 match address 100
!
interface Loopback0
 ip address 192.168.2.1 255.255.255.0
!
interface Serial1/2
 ip address 25.1.1.1 255.255.255.0
 serial restart-delay 0
 crypto map openlab
!
ip route 0.0.0.0 0.0.0.0 25.1.1.2
!
access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
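The crypto ACLs on the two peers must be exact mirror images (source and destination swapped), and a mistyped wildcard silently selects the wrong traffic. This added Python check (not from the original article) reads `access-list` lines from both configurations, converts the address/wildcard pairs to networks and reports entries the peer does not mirror; the R1/R2 ACL strings are constructed from the configurations above, including the `0.0.255` wildcard as the write-up originally printed it.

```python
import ipaddress
import re

# Constructed from the crypto ACLs of R1 and R2 above. R1_ACL_TYPO keeps the
# "0.0.255" wildcard exactly as the write-up printed it; R1_ACL_OK is the corrected line.
R1_ACL_TYPO = "access-list 100 permit ip 192.168.1.0 0.0.255 192.168.2.0 0.0.0.255"
R1_ACL_OK = "access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255"
R2_ACL = "access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255"

def to_network(addr, wildcard):
    """Convert IOS address/wildcard notation to an IPv4Network; raises ValueError when the
    wildcard is malformed or non-contiguous (both break the intended traffic selection)."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)

def crypto_acl_entries(cfg):
    """Set of (src_net, dst_net) pairs from every 'access-list N permit ip ...' line."""
    entries = set()
    for m in re.finditer(r"^\s*access-list \d+ permit ip (\S+) (\S+) (\S+) (\S+)", cfg, re.M):
        src, src_wc, dst, dst_wc = m.groups()
        entries.add((to_network(src, src_wc), to_network(dst, dst_wc)))
    return entries

def check_mirror(local_cfg, peer_cfg):
    """Every crypto ACL entry must appear on the peer with source and destination swapped;
    otherwise IKE quick mode fails or only one direction of traffic is protected."""
    try:
        local, peer = crypto_acl_entries(local_cfg), crypto_acl_entries(peer_cfg)
    except ValueError as exc:
        return [f"malformed ACL entry: {exc}"]
    findings = [f"peer does not mirror {s} -> {d}" for s, d in sorted(local, key=str) if (d, s) not in peer]
    findings += [f"local does not mirror {s} -> {d}" for s, d in sorted(peer, key=str) if (d, s) not in local]
    return findings
```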
Configuration of R5
interface Loopback0
 ip address 5.5.5.5 255.255.255.0
!
interface Serial1/0
 ip address 15.1.1.2 255.255.255.0
 serial restart-delay 0
!
interface Serial1/1
 ip address 25.1.1.2 255.255.255.0
 serial restart-delay 0
Capturing the traffic on R1's S1/2:
Only the public addresses (15.1.1.1 and 25.1.1.1) are visible. At layer 3 the protocol is ESP, and the whole payload is encrypted.
IPsec VPN review (November 6, 2018)
Classification of VPNs
LAN-to-LAN: the IP addresses at both ends are fixed.
Includes: GRE, ATM, MPLS VPN, Frame Relay.
Remote access: one end is fixed, the other is not.
Includes: IPsec VPN, PPTP (Windows), L2TP+IPsec (Windows), SSL VPN (mainly used for web pages).
IPsec VPN
Security services: confidentiality, integrity, source authentication, non-repudiation.
IPsec framework
Encryption: DES, 3DES, AES
Integrity check (hash): MD5, SHA-1
Encapsulation protocol: ESP (encryption + verification), AH (verification only)
Mode: transport (transport mode, encapsulation after layer 3) or tunnel (tunnel mode, encapsulation after layer 4)
Key lifetime: 3600 s or 1800 s
Cryptographic algorithms
Symmetric algorithms: DES, 3DES, AES (128, 192 or 256 bits)
Asymmetric algorithms: RSA, DH
Symmetric encryption: the same key is used for encryption and decryption, and the data does not grow after encryption.
Advantages: fast, secure and compact.
Disadvantages: the key has to be transmitted and may be hijacked or eavesdropped on the way; the number of keys grows with the square of the number of participants; managing and storing that many keys is a problem; no support for digital signatures or non-repudiation.
Asymmetric encryption: encryption and decryption use different keys; used only to protect keys and for digital signatures; the data becomes larger after encryption.
Advantages: more secure, because the encrypted data is larger; the secret key never has to be sent to the receiver, so there is no worry about it being hijacked in transit; the number of keys equals the number of participants; no relationship with a participant has to be established in advance to exchange keys; supports digital signatures and non-repudiation.
Disadvantages: slow; the encrypted data is long.
November 8, 2018
Integrity check
MD5: 128-bit output (only the first 96 bits are compared); inputs of unequal length produce outputs of equal length; the most commonly used check algorithm.
SHA: 160, 256, 384 or 512 bits
Characteristics of a hash function
Fixed output size, avalanche effect, one-way, collision resistance (two different inputs do not produce the same value). When the traffic is actually transmitted, it is recommended that MD5 carry only a 96-bit check.
Popular hashing algorithms
MD5, SHA-1
ESP can encrypt and verify traffic.
AH can only verify traffic.
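The esp-md5-hmac transform used in the lab and the note above that only 96 bits of the MD5 check are carried come together in this added Python example (not from the original article): it computes the ESP integrity check value as HMAC-MD5 truncated to 96 bits, verifies it in constant time, and shows that flipping a single bit of the payload or the sequence number invalidates it. The key, SPI, sequence number and payload are constructed; the SPI value is the inbound SPI from the page.

```python
import hashlib
import hmac

# Constructed ESP sample: the inbound SPI from the page (0xC1A0D62B), sequence
# number 1 and a placeholder standing in for the 3DES ciphertext. The key is made up.
KEY = b"constructed-key-"                              # 16 bytes: HMAC-MD5 in IPsec uses a 128-bit key
ESP_HEADER = (0xC1A0D62B).to_bytes(4, "big") + (1).to_bytes(4, "big")   # SPI + sequence number
CIPHERTEXT = bytes(range(32))                          # stand-in for encrypted payload and ESP trailer

def esp_icv_md5_96(key, header, ciphertext):
    """esp-md5-hmac integrity check value: HMAC-MD5 over SPI, sequence number and
    ciphertext, truncated to the first 96 bits (12 bytes). Only this truncated value is sent."""
    return hmac.new(key, header + ciphertext, hashlib.md5).digest()[:12]

def verify_icv(key, header, ciphertext, received_icv):
    """The receiver recomputes the 96-bit ICV and compares it in constant time."""
    return hmac.compare_digest(esp_icv_md5_96(key, header, ciphertext), received_icv)

def flip_bit(data, index=0):
    """Flip one bit of a byte string, like a single corrupted or altered bit on the wire."""
    return data[:index] + bytes([data[index] ^ 0x01]) + data[index + 1:]

def differing_bits(a, b):
    """Hamming distance between two equal-length byte strings (shows the avalanche effect)."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

if __name__ == "__main__":
    icv = esp_icv_md5_96(KEY, ESP_HEADER, CIPHERTEXT)
    print("ICV bytes:", len(icv), "valid:", verify_icv(KEY, ESP_HEADER, CIPHERTEXT, icv))
    print("after one flipped payload bit:", verify_icv(KEY, ESP_HEADER, flip_bit(CIPHERTEXT), icv))
    print("ICV bits changed by that flip:",
          differing_bits(icv, esp_icv_md5_96(KEY, ESP_HEADER, flip_bit(CIPHERTEXT))))
```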
The process of establishing a VPN with IKE
CA (Certification Authority): verifies the authenticity of certificates.
November 14, 2018
IKE establishes the tunnel, ESP encrypts, and the shared key guarantees non-repudiation.
Easy VPN: address assignment takes place in phase 1.5.
If the databases of the two phases match on both sides, the tunnel between them is established.
Phase 1 (ISAKMP database): the first messages are sent in plaintext.
(1)
a. The packet carries: encryption algorithm (default DES), hash algorithm (default SHA), authentication method (digital signature or shared key), SA lifetime 86400 s (rekeyed once a day).
b. DH group number 1, 2 or 5 (group 2 is 1024 bits); the key exchange can only use the DH algorithm.
The phase 1 database is used to encrypt the phase 2 database.
In the phase 1 ISAKMP SA, the first four packets are in plaintext and the last two are in ciphertext.
Packets 1 and 2: SA proposals; if they match, VPN setup continues.
Packets 3 and 4: the DH public keys are exchanged; the group defines the public key length.
Packets 5 and 6: the traffic is encrypted with the key derived from DH; they carry the hash, the peer IP address or host name, and the authentication (digital signature or shared key).
Phase 2 (IPsec SA)
All traffic is encrypted.
(1) ACL (selects the VPN traffic): pay attention to the source IP and destination IP.
(2) P2 SA (phase 2 database): mode, timeout, encapsulation protocol, encryption algorithm, hash algorithm.