IPSec VPN Principle and Configuration

1. VPN: Virtual Private Network
2. Function: provide secure communication between private networks across an insecure network.
3. Principle:
It is realized by four technologies: encryption, authentication, ACLs, and tunneling (encapsulation).

VPN connection modes:
Tunnel mode: suitable for a mixed environment of public and private addresses.
Transport mode: suitable for a purely public or purely private network.

Comparison of encryption and authentication:
Encryption: a two-way process (encryption and decryption), mainly used to achieve data confidentiality. Commonly used encryption algorithms: DES, 3DES, AES, RSA, GPG, DH.
Authentication: a one-way process, mainly used for message integrity verification and identity confirmation. Commonly used algorithms: MD5, SHA.

Asymmetric algorithms: high security, slow. Generally used to encrypt a small amount of sensitive information.
Symmetric algorithms: lower security, fast. Typically used for large data transfers; security is increased by changing the key frequently.

Application of the encryption algorithms:
The asymmetric algorithm is used to encrypt the key of the symmetric algorithm.
The actual data to be transmitted is then encrypted with the symmetric algorithm.

Configuration of IPsec VPN:
1. Management connection configuration:
crypto isakmp policy 1
 ! encryption algorithm
 encr aes
 ! authentication (hash) algorithm
 hash sha
 ! device authentication method: "pre-shared key"
 authentication pre-share
 ! strength of the DH algorithm: group 2
 group 2
 ! management connection lifetime (seconds)
 lifetime 10000

! configure the "pre-shared key" for the peer
crypto isakmp key benet.123 address 201.0.0.2
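The following is an added example, not code from the page or from any vendor, that walks through the pattern the page describes in the "Application of the encryption algorithms" section and in the management-connection policy above: a Diffie-Hellman exchange in the RFC 2409 group 2 modulus (the page's "group 2") agrees a secret, a keyed hash over the exchange proves knowledge of the pre-shared key (the page's "authentication pre-share"), the secret is hashed into a symmetric session key ("hash sha"), and that key then protects data with a cipher plus a message authentication code, the roles the page's esp-aes and ah-sha-hmac play. It uses only the Python standard library; since the stdlib has no AES, an HMAC-SHA256 counter-mode keystream is a constructed stand-in for the block cipher. The pre-shared key value, the message text and the tampering cases are constructed demo inputs.

```python
import hashlib
import hmac
import secrets

# RFC 2409 "Second Oakley Group" (DH group 2): 1024-bit MODP prime, generator 2.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2
PSK = b"benet.123"  # the page's pre-shared key, reused here as a constructed demo input


def is_probably_prime(n, bases=(2, 3, 5, 7, 11, 13, 17, 19)):
    """Miller-Rabin with fixed bases: checks that the group modulus really is a
    (safe) prime before it is trusted. Probabilistic, not a proof."""
    if n < 2:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def dh_keypair():
    """Private exponent and the public value g^x mod p that is sent to the peer."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def psk_tag(psk, pub_i, pub_r):
    """HMAC-SHA256 over both public values, keyed with the pre-shared key:
    proves knowledge of the PSK and binds that proof to this exchange."""
    msg = pub_i.to_bytes(128, "big") + pub_r.to_bytes(128, "big")
    return hmac.new(psk, msg, hashlib.sha256).digest()


def phase1(psk_initiator, psk_responder):
    """Management connection: DH agreement authenticated by the PSK. Returns the
    32-byte session key both sides derive, or None if PSK authentication fails."""
    i_priv, i_pub = dh_keypair()                   # initiator
    r_priv, r_pub = dh_keypair()                   # responder
    i_tag = psk_tag(psk_initiator, i_pub, r_pub)   # initiator -> responder
    r_tag = psk_tag(psk_responder, i_pub, r_pub)   # responder -> initiator
    # each side recomputes the peer's tag with its own PSK (constant-time compare)
    if not hmac.compare_digest(i_tag, psk_tag(psk_responder, i_pub, r_pub)):
        return None
    if not hmac.compare_digest(r_tag, psk_tag(psk_initiator, i_pub, r_pub)):
        return None
    shared_i = pow(r_pub, i_priv, P)
    shared_r = pow(i_pub, r_priv, P)
    assert shared_i == shared_r                    # both sides hold the same DH secret
    # "hash sha": the DH secret is hashed into a fixed-size symmetric key
    return hashlib.sha256(shared_i.to_bytes(128, "big")).digest()


def _keystream(key, nonce, length):
    """Counter-mode keystream from HMAC-SHA256: a constructed stand-in for AES,
    which the stdlib lacks; the key + nonce + counter structure is the same."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def protect(session_key, plaintext):
    """Data connection: encrypt (confidentiality, the esp-aes role) and then
    authenticate (integrity, the ah-sha-hmac role). Returns nonce||body||tag."""
    enc_key = hashlib.sha256(b"enc" + session_key).digest()
    mac_key = hashlib.sha256(b"mac" + session_key).digest()
    nonce = secrets.token_bytes(8)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def unprotect(session_key, packet):
    """Verify the tag before touching the ciphertext; None means the packet was
    tampered with (or came from a peer with a different key) and must be dropped."""
    enc_key = hashlib.sha256(b"enc" + session_key).digest()
    mac_key = hashlib.sha256(b"mac" + session_key).digest()
    if len(packet) < 8 + 32:
        return None
    nonce, body, tag = packet[:8], packet[8:-32], packet[-32:]
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(body, _keystream(enc_key, nonce, len(body))))
```

Two design points worth noticing: the authenticator is computed over both public values so that a captured tag cannot be replayed into a different exchange, and the receiver checks the integrity tag before decrypting, which is why a flipped bit anywhere in the packet is rejected rather than decrypted into garbage.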

2. Data connection configuration:
! the traffic the VPN protects
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

! data connection negotiation parameters (transform set)
crypto ipsec transform-set test-set ah-sha-hmac esp-aes

! bundle the data connection settings into a crypto map
crypto map test-map 1 ipsec-isakmp
 ! VPN peer address
 set peer 201.0.0.2
 ! transform set used for data transmission
 set transform-set test-set
 ! ACL that selects the protected traffic
 match address 101

3. Apply the MAP on the external interface:
int F1/0
 crypto map test-map

4. PAT (so that internal hosts can access the internet):

! deny VPN traffic so that it is not translated
access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
! allow all other traffic
access-list 102 permit ip any any

Note: when NAT and the VPN coexist, the router applies NAT before the crypto map. The VPN traffic must therefore be denied in the NAT ACL; otherwise its source address would be translated first and it would no longer match the crypto ACL.

ip nat inside source list 102 interface FastEthernet1/0 overload

Enable nat function on the interface:
int f0/0
ip nat inside

int f1/0
ip nat outside
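The order-of-operations note above is easiest to see by simulating it. The following is an added example, not part of the page, that models the router's outbound processing with the page's own ACL 101 and ACL 102: NAT is evaluated first, then the crypto map. Running the same packet through the NAT ACL with and without the deny line shows why the deny is required. The wildcard-mask matching mirrors how Cisco ACLs compare addresses. The packets and the outside interface address 201.0.0.1 are constructed for the demonstration; the page does not give the router's own address.

```python
import ipaddress

# Constructed: the address of F1/0, the "ip nat outside" interface (not given on the page).
OUTSIDE_IP = "201.0.0.1"


def matches(addr, network, wildcard):
    """Cisco wildcard-mask comparison: a set bit in the wildcard means 'don't
    care', so only the bits that are clear in the wildcard must be equal."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)


def acl_action(acl, src, dst):
    """Walk the ACL top-down; the first match wins and there is an implicit
    deny at the end, exactly as on the router."""
    for action, s_net, s_wc, d_net, d_wc in acl:
        if matches(src, s_net, s_wc) and matches(dst, d_net, d_wc):
            return action
    return "deny"


ANY = ("0.0.0.0", "255.255.255.255")   # what the keyword "any" expands to

# access-list 101: the traffic the crypto map protects
ACL_101 = [("permit", "192.168.1.0", "0.0.0.255", "192.168.2.0", "0.0.0.255")]
# access-list 102 as on the page: deny the VPN traffic, then permit everything
ACL_102 = [("deny", "192.168.1.0", "0.0.0.255", "192.168.2.0", "0.0.0.255"),
           ("permit", *ANY, *ANY)]
# the same NAT ACL without the deny line, to show what goes wrong
ACL_102_NO_DENY = [("permit", *ANY, *ANY)]


def forward(nat_acl, src, dst):
    """Outbound processing order on the router: NAT (list 102, overload) runs
    first, then the crypto map checks the possibly rewritten packet against
    ACL 101. Returns (source address on the wire, whether it was encrypted)."""
    if acl_action(nat_acl, src, dst) == "permit":
        src = OUTSIDE_IP          # PAT rewrites the source to the outside address
    encrypted = acl_action(ACL_101, src, dst) == "permit"
    return src, encrypted
```

With the page's ACL 102, a packet from 192.168.1.10 to 192.168.2.20 keeps its private source and is encrypted; with the deny line missing, the same packet is translated to 201.0.0.1, fails ACL 101, and leaves the router in the clear. Internet-bound traffic is translated in both cases and is never encrypted.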

Origin http://43.154.161.224:23101/article/api/json?id=324889577&siteId=291194637