VPN: Virtual Private Network
Role: secure communication between private networks across an insecure (public) network.
Principle: realized by four technologies: encryption, authentication, ACLs (to select the traffic to protect), and tunneling (encapsulation).
VPN (IPsec) connection modes:
Tunnel mode: the whole original IP packet is encapsulated behind a new outer IP header, so private inner addresses can be carried across a public network; this is the site-to-site (gateway-to-gateway) case, i.e. a mixed environment of public and private addresses.
Transport mode: only the payload above the IP header is protected and the original IP header is kept, so the two endpoints must be directly reachable from each other; used host-to-host within a pure public or pure private network.
Comparison of encryption and authentication:
Encryption: a two-way (reversible) process: encryption and decryption. Mainly used for confidentiality of data. Commonly used algorithms: DES, 3DES, AES (symmetric) and RSA (asymmetric). DH is a key-agreement algorithm used to establish the symmetric key, not a cipher, and GPG is a tool that combines such algorithms, not an algorithm itself. DES is broken and 3DES is deprecated; use AES.
Authentication: a one-way process (a hash cannot be reversed). Mainly used for packet integrity verification and identity confirmation. Commonly used hash algorithms: MD5, SHA. In IPsec they are used as keyed HMACs (e.g. sha-hmac); MD5 and SHA-1 are deprecated for new deployments, prefer SHA-256.
Asymmetric algorithm: strong security, slow; generally used to encrypt or exchange a small amount of sensitive information (a session key).
Symmetric algorithm: fast; its weakness is not the cipher strength but key distribution (both sides must hold the same secret). Used for bulk data transfer, with the key renewed regularly (the lifetime settings below) to limit the exposure of any one key.
Application of the encryption algorithms (hybrid encryption):
The key of the symmetric algorithm is exchanged or encrypted using the asymmetric algorithm (in IPsec, IKE phase 1 agrees on it with DH).
The actual data to be transmitted is then encrypted with the symmetric algorithm.
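The hybrid scheme above, worked through end to end as an added example (this is not code from the original notes or from any vendor). Two peers, named R2 and R4 after the routers in the notes, run a Diffie-Hellman exchange in the 1024-bit group that the ISAKMP policy below calls "group 2", derive a symmetric encryption key and a separate HMAC key from the shared secret, and then protect a packet encrypt-then-MAC style, as ESP with an HMAC does. It uses only the Python standard library, so the AES stand-in is an HMAC-SHA256 keystream in counter mode and the key derivation is a simplified sketch, not IKE's real PRF schedule; the packet text is constructed.

```python
# Added example, not from the original notes. Assumptions: the DH group is
# Oakley group 2 (RFC 2409), the "cipher" is an HMAC-SHA256 counter-mode
# keystream standing in for AES, and the key derivation is a simplified
# sketch of IKE's, not the real one.
import hashlib
import hmac
import secrets

# Oakley group 2 (RFC 2409): 1024-bit MODP prime, generator 2. Used here only
# because the notes' policy says "group 2"; it is too small for new
# deployments (prefer group 14 or larger).
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
G = 2


def is_probable_prime(n, rounds=16):
    """Miller-Rabin, used to sanity-check the group before trusting it."""
    if n in (2, 3):
        return True
    if n < 2 or n % 2 == 0:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def dh_keypair():
    """Private exponent and public value g^x mod p (the asymmetric step)."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh_shared(priv, peer_pub):
    # Reject degenerate public values that would force a predictable secret.
    if not 1 < peer_pub < P - 1:
        raise ValueError("invalid DH public value")
    return pow(peer_pub, priv, P)


def derive_keys(shared, nonce_i, nonce_r):
    """Separate encryption and authentication keys from the DH secret."""
    secret = shared.to_bytes(128, "big")
    skeyid = hmac.new(nonce_i + nonce_r, secret, hashlib.sha256).digest()
    enc_key = hmac.new(skeyid, b"enc", hashlib.sha256).digest()
    auth_key = hmac.new(skeyid, b"auth", hashlib.sha256).digest()
    return enc_key, auth_key


def keystream(key, iv, length):
    """Counter-mode PRF keystream; a stand-in for AES (stdlib has no AES)."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, iv + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def protect(enc_key, auth_key, plaintext):
    """Encrypt, then MAC the IV and ciphertext (ESP-with-HMAC style)."""
    iv = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(enc_key, iv, len(plaintext))))
    tag = hmac.new(auth_key, iv + ct, hashlib.sha256).digest()[:16]
    return iv + ct + tag


def unprotect(enc_key, auth_key, packet):
    """Verify the MAC first; only then decrypt. Returns None on failure."""
    iv, ct, tag = packet[:16], packet[16:-16], packet[-16:]
    expected = hmac.new(auth_key, iv + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, keystream(enc_key, iv, len(ct))))


def demo():
    assert is_probable_prime(P)
    r2_priv, r2_pub = dh_keypair()
    r4_priv, r4_pub = dh_keypair()
    n_i, n_r = secrets.token_bytes(16), secrets.token_bytes(16)  # exchanged in clear
    k_r2 = derive_keys(dh_shared(r2_priv, r4_pub), n_i, n_r)
    k_r4 = derive_keys(dh_shared(r4_priv, r2_pub), n_i, n_r)
    pkt = protect(*k_r2, b"192.168.1.10 -> 192.168.2.20: hello")  # constructed payload
    plain = unprotect(*k_r4, pkt)
    tampered = pkt[:20] + bytes([pkt[20] ^ 0x01]) + pkt[21:]       # flip one ciphertext bit
    return k_r2 == k_r4, plain, unprotect(*k_r4, tampered)


if __name__ == "__main__":
    print(demo())
```

The point to take from it: only public values and nonces cross the wire, both sides still end up with identical keys, and a single flipped bit in the ciphertext is rejected by the HMAC before any decryption happens, which is the "authentication" half of the comparison above.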
--------------------------------------------------------------
Configure IPsec VPN on R2 and R4 (the commands below are one side; the peer mirrors them, with the two LAN networks swapped in ACLs 101 and 102 and with the pre-shared key and set peer pointing at this router's outside address).
Internal hosts reach the ISP (internet) through NAT (PAT) on the same outside interface.
Configuration of the IPsec VPN:
1. Management connection (IKE phase 1, ISAKMP SA) configuration:
! ISAKMP policy 1; the peer must have a policy with matching parameters
crypto isakmp policy 1
 ! encryption algorithm for the management connection
 encr aes
 ! hash (authentication/integrity) algorithm
 hash sha
 ! device authentication method: pre-shared key
 authentication pre-share
 ! DH group 2 (1024-bit MODP); weak by today's standards, use group 14 or higher in production
 group 2
 ! management connection lifetime, in seconds (default 86400)
 lifetime 10000
! the pre-shared key for peer 201.0.0.2; must be identical on both routers
crypto isakmp key benet.123 address 201.0.0.2
2. Data connection (IKE phase 2, IPsec SA) configuration:
! traffic to be protected by the VPN ("interesting traffic"): the local LAN to the remote LAN
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
! transform set = the data connection negotiation parameters: AH with HMAC-SHA for integrity plus ESP with AES for confidentiality
! (AH also authenticates the outer IP header, so it cannot survive a NAT device on the path between the peers; esp-aes esp-sha-hmac is the usual choice)
crypto ipsec transform-set test-set ah-sha-hmac esp-aes
! the crypto map ties the data connection settings together; ipsec-isakmp = keys are negotiated by IKE
crypto map test-map 1 ipsec-isakmp
 ! VPN peer address
 set peer 201.0.0.2
 ! transform set used for the data transfer
 set transform-set test-set
 ! select the protected traffic with ACL 101
 match address 101
3. Apply the crypto map to the outside (public) interface:
interface FastEthernet1/0
 crypto map test-map
4. PAT (so that internal hosts can access the internet):
! NAT ACL: exempt the VPN traffic first, then translate everything else
access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 permit ip any any
Note: when NAT and VPN coexist, IOS processes inside-to-outside traffic through NAT first and only then checks the crypto map. If the VPN traffic were translated, its source would become the outside interface address, it would no longer match crypto ACL 101, and it would leave the router unencrypted. That is why ACL 102 denies (exempts) the VPN traffic: "deny" in a NAT ACL means "do not translate", not "drop".
! overload = PAT on the outside interface address
ip nat inside source list 102 interface FastEthernet1/0 overload
Enable NAT on the interfaces:
interface FastEthernet0/0
 ip nat inside
interface FastEthernet1/0
 ip nat outside
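To make the NAT-before-crypto ordering in step 4 concrete, here is an added example (not from the original notes) that models the two checks a packet from the inside LAN goes through: the NAT ACL, then the crypto ACL. It implements IOS wildcard-mask matching, first-match-wins and the implicit deny, and compares the notes' ACL 102 with a broken variant that forgets the VPN exemption. The packet-processing model is reduced to just those two steps, the outside address 201.0.0.1 is an assumption (the notes do not state this router's address), and the internet destination is a constructed documentation address.

```python
# Added example, not from the original notes. Models only the NAT-then-crypto
# order of IOS inside-to-outside processing; OUTSIDE_ADDR is assumed.
import ipaddress

OUTSIDE_ADDR = "201.0.0.1"   # assumed outside interface address of this router


def ip2int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def parse_acl(lines):
    """Parse 'access-list N permit|deny ip SRC WILD DST WILD' lines.

    Returns [(permit, (src_net, src_wild), (dst_net, dst_wild)), ...]."""
    acl = []
    for line in lines:
        parts = line.split()
        if parts[0] == "access-list":          # accept the full IOS line or just the ACE
            parts = parts[2:]
        permit, rest = parts[0] == "permit", parts[2:]   # parts[1] is the protocol ("ip")

        def take(tokens):
            if tokens[0] == "any":
                return (0, 0xFFFFFFFF), tokens[1:]
            return (ip2int(tokens[0]), ip2int(tokens[1])), tokens[2:]

        src, rest = take(rest)
        dst, rest = take(rest)
        acl.append((permit, src, dst))
    return acl


def in_range(addr, net_wild):
    """IOS wildcard mask: 0 bits must match, 1 bits are don't-care."""
    net, wild = net_wild
    return (addr & ~wild & 0xFFFFFFFF) == (net & ~wild & 0xFFFFFFFF)


def acl_permits(acl, src, dst):
    for permit, s, d in acl:                  # first matching entry decides
        if in_range(src, s) and in_range(dst, d):
            return permit
    return False                              # implicit deny at the end of every ACL


def forward(nat_acl, crypto_acl, src_ip, dst_ip):
    """Inside -> outside: NAT is evaluated first, then the crypto map.

    Returns (source address as seen on the wire, encrypted?)."""
    src, dst = ip2int(src_ip), ip2int(dst_ip)
    if acl_permits(nat_acl, src, dst):
        src = ip2int(OUTSIDE_ADDR)            # PAT overload rewrites the source
    encrypted = acl_permits(crypto_acl, src, dst)
    return str(ipaddress.IPv4Address(src)), encrypted


# The ACLs from the notes, pasted as written.
CRYPTO_ACL_101 = parse_acl([
    "access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255",
])
NAT_ACL_102 = parse_acl([
    "access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255",
    "access-list 102 permit ip any any",
])
# The mistake the note warns about: no VPN exemption in the NAT ACL.
NAT_ACL_BROKEN = parse_acl(["access-list 102 permit ip any any"])


if __name__ == "__main__":
    for name, nat in (("correct", NAT_ACL_102), ("broken", NAT_ACL_BROKEN)):
        print(name, forward(nat, CRYPTO_ACL_101, "192.168.1.10", "192.168.2.20"))
        print(name, forward(nat, CRYPTO_ACL_101, "192.168.1.10", "203.0.113.5"))
```

With the correct ACL 102 the LAN-to-LAN packet keeps its private source and matches ACL 101 (encrypted), while an internet-bound packet is translated and not encrypted. With the broken ACL the LAN-to-LAN packet is translated to the outside address first, so the crypto map never sees a match and it leaves in the clear; that silent failure is the reason the deny entry must come first.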