Home > Operation and Maintenance > Safety > How to configure IPsec instructions

How to configure IPsec instructions

王林
Release: 2023-05-12 14:13:13
forward
3365 people have browsed it

How to configure IPsec instructions

Experimental configuration steps:

The first stage: iaskmp SA (the object to be protected by IKE SA is related to the key)

IKE does not directly care about user data, and IKE SA serves for secure negotiation of IPSec SA

1, shared key or digital certificate

IKE adopts Diffie-Hellman algorithm, the key is derived from the peer through the peer
group1 The key length is 768bit
group2 The key length is 1024bit
group5 The key length is 1536bit
is used for data The value of the encrypted key is calculated by the algorithm and cannot be defined or modified by the administrator

2. Verify neighbor (establish neighbor)

Second phase: IPsec SA (user The data traffic is actually transmitted on the IPSec SA)

IPSec SA directly serves user data flow. All security policies in IPSec SA are for the security of user data flow

1. Data encapsulation protocol (ESP\AH is a security protocol)

2. Working mode (transmission\transparent)

3. Encryption algorithm (DES\3DES\AES)

4 , Authentication method (MD5\SHA)

The third phase: Define the flow of interest (communication network segment, based on extended ACL)
The fourth phase: Security Association (SA)

1. Verify neighbor

2, Data encryption method

3, Interested flow
Phase 5: Interface call

R1
Router>enable                                                                                                                                                                                                                         because                  
R1(config)#service timestamps debug datetime localtime
R1(config)#service timestamps log datetime localtime
R1(config)#interface f0/1                                                        #no shutdown                                                                                                                               .1 255.255.255.0
R1(config -if)#no shutdown
R1(config-if)#exit
R1(config)#interface loop0 config-if)#no shutdown
R1(config-if)#exit
R1(config)#ip route 0.0.0.0 0.0.0.0 12.1.1.2

R1(config)#interface tunnel10
R1(config-if)#tunnel source 12.1.1.1
R1(config-if)#tunnel destination 23.1.1.3
R1(config-if)# ip address 172.16.1.1 255.255.255.0
R1(config-if)#tunnel mode gre ip
R1(config-if)#no shutdown

R1(config)#ip route 192.168.1.0 255.255.255.0 tunnel10

R1(config)#crypto isakmp policy 10 IKE first-stage authentication policy (ensure key security)

R1(config-isakmp)#authentication pre-share Authentication method

R1(config- isakmp)#encryption des IKE stage 1.5 encryption (data encryption, encryption method, default is DES)
R1(config-isakmp)#group 2 key algorithm (Diffie-Hellman)
group1(768bit), group2 (1024bit), group5 (1536bit), the default is group1

R1(config-isakmp)#hash md5 authentication method
R1(config-isakmp)#exit
R1(config)#crypto isakmp key 6 cisco address 23.1.1.3 255.255.255.0 Authentication

R1(config)#crypto isakmp keepalive 10 3 Send DPD every 10s to detect ××× establishment, if there is no reply within 3s, send it again 3 times

R1(config)#crypto ipsec transform-set cisco esp-des esp-md5-hmac isakmp policy, data encapsulation mode

R1(cfg-crypto-trans)#mode tunnel mode, The default is tunnel mode

R1(cfg-crypto-trans)#exit

R1(config)#ip access-list extended interested Define flow of interest

R1(config-ext-nacl )#permit gre host 12.1.1.1 host 23.1.1.3 The host for local communication and the host for peer communication
R1(config-ext-nacl)#permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255 tunnel mode defines the flow of interest

R1(config-ext-nacl)#exit

R1(config)#crypto map IPSec*** 10 ipsec-isakmp security association (above association Data encapsulation method, stream of interest)

R1(config-crypto-map)# set peer 23.1.1.3

R1(config-crypto-map)#set transform-set cisco
R1(config-crypto-map)#match address interested
R1(config-crypto-map)#exit
R1(config)#interface f0/0                                  -if)#crypto map IPSec***

R1(config)#ip access-list extended nat
R1(config-ext-nacl)#10 permit ip 1.1.1.0 0.0.0.255 any
R1(config-ext-nacl)#exit
R1(config)#int loop0
R1(config-if)#ip nat inside
R1(config-if)#int s0/0
R1(config-if)#ip nat outside
R1(config-if)#exit
R1(config)#ip nat inside source list nat int f0/0 overload
R1(config)# ip nat inside source static udp 192.168.2.2 4500 interface f0/0 4500
R1(config)#ip nat inside source static udp 192.168.2.2 500 interface f0/0 500


R3
Router>enable                                                                                                                                                                                                                                 because                 
R3(config)#service timestamps debug datetime localtime
R3(config)#service timestamps log datetime localtime
R3(config)#interface f0/0                                                                                           no shutdown                                                                                                                                      255.255.255.0
R3(config- if)#no shutdown
R3(config-if)#exit

R3(config)#ip route 0.0.0.0 0.0.0.0 23.1.1.2
R3(config)#interface tunnel11 #R3(config-if)#tunnel source 23.1.1.3
R3(config-if)#tunnel destination 12.1.1.1
R3(config-if)# ip address 172.16.1.3 255.255.255.0
R3 (config-if)#tunnel mode gre ip
R3(config-if)#no shutdown
R3(config-if)#exit
R3(config)#ip route 10.1.1.0 255.255.255.0 tunnel11

R3(config)#crypto isakmp policy 10
R3(config-isakmp)#authentication pre-share
R3(config-isakmp)#encryption des
R3(config-isakmp) #group 2
R3(config-isakmp)#hash md5
R3(config-isakmp)#exit
R3(config)#crypto isakmp key 6 cisco address 12.1.1.1 255.255.255.0

R3(config)#crypto ipsec transform-set cisco esp-des esp-md5-hmac
R3(cfg-crypto-trans)#mode tunnel
R3(cfg-crypto-trans)#exit

R3(config)#ip access-list extended interested
R3(config-ext-nacl)#permit gre host 23.1.1.3 host 12.1.1.1
R3(config-ext-nacl)#exit

R3(config)#crypto map IPSec*** 10 ipsec-isakmp
R3(config-crypto-map)#set peer 12.1.1.1
R3(config-crypto-map)# set transform-set cisco
R3(config-crypto-map)#match address interested
R3(config-crypto-map)#exit

R3(config)#interface serial 0/1
R3(config-if)#crypto map IPSec***

IPSec also has the disadvantages of complex configuration, consuming more computing resources, increased latency, and not supporting multicast

View strategy :
show crypto isakmp policy Define domain shared key to establish *** connection
show crypto engine connections active View the number of encrypted and decrypted packets

clear crypto isakmp Clear the first phase of IKE

clear crypto sa Clear the second phase of IKE

Traffic optimization:

access-list 101 permit esp host 12.1.1.1 host 23.1.1.3

access-list 101 permit udp host 12.1.1.1 host 23.1.1.3 eq isakmp

access-list 101 permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255

First of all, there are MM (main mode) and brutal mode in the first stage, and QM (quick mode) in the second stage.
Secondly, the last two messages in the main mode are encrypted, which can provide identity protection function
The message integration in aggressive mode is too high, so there is no identity protection function

In aggressive mode (in this case, the responder cannot select the corresponding pre-shared key based on the IP address, that is, it does not rely on the IP address to identify the identity, making the aggressive mode The mode has better flexibility)

View the results through display ike sa
1. The first phase of ike sa has been successfully established
3. ike is using version v1
peer The status of this security association
flag displays the status of this security association
RD (ready) indicates that the SA has been established successfully
ST (stayalive) indicates that this end is the initiator of channel negotiation
RL (Replaced) means that this channel has been replaced by a new channel and will be deleted after a period of time
FD (Fading) means that this channel has experienced a soft timeout and is still in use. This channel will be deleted when a hard timeout occurs
TO (timeout) means that this SA has not received a keepalive message after the last keepalive timeout occurred. If the keepalive message is not received when the next keepalive timeout occurs, this SA will be deleted
TD (deleting ) indicates that the SA is about to be deleted
NEG (negotiating) indicates that the IKE SA is being negotiated, which is caused by inconsistencies in certain parameters set at both ends of the tunnel
D (DPD) indicates that the DPD detection function is enabled and is being negotiated Do DPD detection
M (active) indicates that the IKE SA status is primary
S (standby) indicates that the IKE SA status is standby
A(alone) indicates that the IKE SA status is Alone, and there is no backup between IPSec tunnels
The phase this SA belongs to: Phase1: The phase of establishing a secure channel for communication. This phase establishes the ISAKMP SA Phase2: The phase of negotiating security services. IPSec SA is established at this stage

The security association is uniquely identified by three elements (security protocol number (AH or ESP), destination IP address, security parameter index (SPI, Security Parameter Index))
Security The parameter index is a 32-bit value generated to uniquely identify the SA. It is transmitted in the IPsec header

IPSec-IKE aggressive mode
1. The problem of slow negotiation at both ends of the tunnel
2. Uncertainty of the initiator’s source address
(When the initiator’s IP address is dynamically allocated, the initiator’s IP address cannot be known by the responder in advance, and both parties intend to use pre-shared key verification. Method)

In tunnel mode, ESP messages can maintain the confidentiality of the original IP header data
Configuring the pre-shared key must be configured on both ends, and the keys on both sides must be consistent
In tunnel mode in IPSEC, ESP does not verify new IP packet header fields (tunnel mode encapsulates new headers and does not verify them)
IKE uses DH group2 default group by default

AH Features that can be implemented (AH protocol, AH is a message header verification protocol, the main functions provided are data source verification, data integrity verification and message replay prevention functions)
AH does not encrypt the protected data. All cannot complete confidentiality
IKE Internet Password Exchange Protocol: The IKE protocol is used to automatically negotiate the cryptographic algorithms used by AH and ESP

The above is the detailed content of How to configure IPsec instructions. For more information, please follow other related articles on the PHP Chinese website!

Related labels:
source:yisu.com
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Popular Tutorials
More>
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template