Security Defense --- IPSec Theory (02)

Enterprise 2023-07-21 04:36:50 views: null

Attached:

Protocol and Pattern Classification

Classification of esp and ah:

  1. Data security: ESP has confidentiality; AH has no confidentiality
  2. Scenarios: ESP is suitable for public network scenarios; AH is suitable for intranet/private network scenarios

(Data security mainly depends on the need for authentication between transmission terminals)

Classification of transport mode and tunnel mode:

  1. The reachability of the transmission end: the transmission mode has reachability; the tunnel mode has no reachability
  2. Scenario: transmission mode (private network data is transmitted through the public network; heterogeneous networks are transmitted through other networks); tunnel mode (dedicated line, tunnel has been built, and its own route is reachable)

ipsec configuration (router)

IPSec under static routing protocol

保证基础网络可达
[r1]int g0/0/0
[r1-GigabitEthernet0/0/0]ip add 100.1.1.1 24
[r1]ip route-static 0.0.0.0 0 100.1.1.2


[ISP]int g0/0/0
[ISP-GigabitEthernet0/0/0]ip add 100.1.1.2 24
[ISP]int g0/0/1
[ISP-GigabitEthernet0/0/1]ip ad 100.1.2.1 24

[r2]int g0/0/0
[r2-GigabitEthernet0/0/0]ip add 100.1.2.2 24
[r2]ip route-static 0.0.0.0 0 100.1.2.1

[r1]int LoopBack 0
[r1-LoopBack0]ip add 172.16.10.1 24
[r2]int LoopBack 0
[r2-LoopBack0]ip add 172.16.1.1 24

(1) Deployment IKE SA

<1> Security Proposal

[r1]ike proposal 1  // 安全提议编号
[r1-ike-proposal-1]encryption-algorithm 3des-cbc // 加密算法(3des)
[r1-ike-proposal-1]authentication-algorithm sha1 // 认证算法(sha1)
[r1-ike-proposal-1]authentication-method pre-share  // 认证模式(预共享:pre)
[r1-ike-proposal-1]dh group2 // 非对称加密算法强度

[r1]dis ike proposal --- 查看未显示以及默认配置

Number of IKE Proposals: 2

-------------------------------------------
 IKE Proposal: 1
   Authentication method      : pre-shared
   Authentication algorithm   : SHA1
   Encryption algorithm       : 3DES-CBC
   DH group                   : MODP-1024
   SA duration                : 3600
   PRF                        : PRF-HMAC-SHA
-------------------------------------------

-------------------------------------------
 IKE Proposal: Default
   Authentication method      : pre-shared
   Authentication algorithm   : SHA1
   Encryption algorithm       : DES-CBC
   DH group                   : MODP-768
   SA duration                : 86400
   PRF                        : PRF-HMAC-SHA
-------------------------------------------

[r2]ike proposal 1
[r2-ike-proposal-1]encryption-algorithm 3des-cbc
[r2-ike-proposal-1]dh group2
[r2-ike-proposal-1]sa duration 3600

PRF: Perfect Forward Method.

<2> Safety certification

[r1]ike peer 12 v1  // ike认证名称和版本
[r1-ike-peer-12]exchange-mode main // 模式选择(默认主模式)
[r1-ike-peer-12]pre-shared-key cipher 234  // 编译预共享密钥
[r1-ike-peer-12]ike-proposal 1 // 调用安全提议
[r1-ike-peer-12]remote-address 100.1.2.2 // 调用远端地址

[r2]ike peer 12 v1
[r2-ike-peer-12]ike-proposal 1
[r2-ike-peer-12]pre-shared-key cipher 234
[r2-ike-peer-12]remote-address 100.1.1.1
[r2-ike-peer-12]exchange-mode main

(2) Configure IPSec SA security proposal information

[r1]ipsec proposal 1 // ipsec提议
[r1-ipsec-proposal-1]transform esp  // 选择传输协议
[r1-ipsec-proposal-1]esp authentication-algorithm sha2-512 // 认证算法
[r1-ipsec-proposal-1]esp encryption-algorithm aes-128 // 加密算法
[r1-ipsec-proposal-1]encapsulation-mode tunnel // 封装模式(隧道模式)

[r1]dis ipsec proposal --- 查看

Number of proposals: 1

IPSec proposal name: 1                            
 Encapsulation mode: Tunnel                            
 Transform         : esp-new
 ESP protocol      : Authentication SHA2-HMAC-512                             
                     Encryption     AES-128

[r2]ipsec proposal 1
[r2-ipsec-proposal-1]transform esp 
[r2-ipsec-proposal-1]encapsulation-mode tunnel
[r2-ipsec-proposal-1]esp authentication-algorithm sha2-512
[r2-ipsec-proposal-1]esp encryption-algorithm aes-128

(3) Define encrypted traffic (flow of interest)

[r1]acl 3000
[r1-acl-adv-3000]rule 5 permit ip source 172.16.10.1 0.0.0.0 destination 172.16.1.1 0.0.0.0

[r2]acl 3000
[r2-acl-adv-3000]rule 5 permit ip source 172.16.1.1 0.0.0.0 destination 172.16.10.1 0.0.0.0

(4) Configure the security policy set

[r1]ipsec policy k 10 isakmp --- 定义名为k,序列号为10,运用isakmp(IKE)进行协商
[r1-ipsec-policy-isakmp-k-10]ike-peer 12 // 关联ike-peer
[r1-ipsec-policy-isakmp-k-10]security acl 3000 // 关联感兴趣流
[r1-ipsec-policy-isakmp-k-10]pfs dh-group2 // pfs:完美向前法

[r2]ipsec policy k 10 isakmp 
[r2-ipsec-policy-isakmp-k-10]ike-peer 12
[r2-ipsec-policy-isakmp-k-10]proposal 1
[r2-ipsec-policy-isakmp-k-10]security acl 3000
[r2-ipsec-policy-isakmp-k-10]pfs dh-group2

(5) Interface call security policy set

[r1]int g0/0/0
[r1-GigabitEthernet0/0/0]ipsec policy k
[r2]int g0/0/0
[r2-GigabitEthernet0/0/0]ipsec policy k

To trigger:

(6) View the establishment of the security alliance

<r1>dis ike sa
    Conn-ID  Peer            VPN   Flag(s)                Phase  
  ---------------------------------------------------------------
        2    100.1.2.2       0     RD|ST                  2     
        1    100.1.2.2       0     RD|ST                  1     

  Flag Description:
  RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
  HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP
<r1>dis ipsec sa
    [Outbound ESP SAs] 
      SPI: 1407390962 (0x53e314f2)
      Proposal: ESP-ENCRYPT-AES-128 SHA2-512-256
      SA remaining key duration (bytes/sec): 1887329280/2740
      Max sent sequence-number: 5
      UDP encapsulation used for NAT traversal: N

    [Inbound ESP SAs] 
      SPI: 3197321182 (0xbe933fde)
      Proposal: ESP-ENCRYPT-AES-128 SHA2-512-256
      SA remaining key duration (bytes/sec): 1887436380/2740
      Max received sequence-number: 5
      Anti-replay window size: 32
      UDP encapsulation used for NAT traversal: N

IPSec under Dynamic Routing Protocol

新建环回
[r1]int LoopBack 0
[r1-LoopBack1]ip ad 1.1.1.1 24
gre下的隧道配置
[r1]int  t0/0/0
[r1-Tunnel0/0/0]tunnel-protocol gre
[r1-Tunnel0/0/0]source g0/0/0
[r1-Tunnel0/0/0]destination 100.1.2.2
[r1-Tunnel0/0/0]ip add 10.1.1.1 24

[r2]int lo 1
[r2-LoopBack1]ip add 2.2.2.2 24
[r2]int t0/0/0
[r2-Tunnel0/0/0]tunnel-protocol gre 
[r2-Tunnel0/0/0]source g0/0/0
[r2-Tunnel0/0/0]destination 100.1.1.1
[r2-Tunnel0/0/0]ip add 10.1.1.2 24

ospf配置
[r1]ospf 1
[r1-ospf-1]a 0
[r1-ospf-1-area-0.0.0.0]network 1.1.1.1 0.0.0.0
[r1-ospf-1-area-0.0.0.0]network 10.1.1.1 0.0.0.0
[r2]ospf 1
[r2-ospf-1]a 0
[r2-ospf-1-area-0.0.0.0]network 2.2.2.2 0.0.0.0
[r2-ospf-1-area-0.0.0.0]network 10.1.1.2 0.0.0.0

查看邻居建立情况
[r1]dis ospf peer brief 
	 OSPF Process 1 with Router ID 100.1.1.1
		  Peer Statistic Information
 ----------------------------------------------------------------------------
 Area Id          Interface                        Neighbor id      State    
 0.0.0.0          Tunnel0/0/0                      100.1.2.2        Full        
 ----------------------------------------------------------------------------

(1) Deployment IKE SA 

<1> Security Proposal

[r1]ike proposal 10
[r1-ike-proposal-10]encryption-algorithm 3des-cbc 
[r1-ike-proposal-10]authentication-algorithm sha1
[r1-ike-proposal-10]authentication-method pre-share 
[r1-ike-proposal-10]dh group2

[r2]ike proposal 10
[r2-ike-proposal-10]encryption-algorithm 3des-cbc 
[r2-ike-proposal-10]authentication-algorithm sha1
[r2-ike-proposal-10]authentication-method pre-share
[r2-ike-proposal-10]dh group2

<2> Safety certification

[r1]ike peer gre v1
[r1-ike-peer-gre]pre-shared-key simple aaa  // 设置预共享密钥(simple:本地不加密)
[r1-ike-peer-gre]exchange-mode aggressive  // 采用野蛮模式
[r1-ike-peer-gre]local-id-type name  // 采用name定义
[r1-ike-peer-gre]remote-name a1  // 远端name为a1
[r1-ike-peer-gre]remote-address 100.1.2.2 // 远端IP
[r1-ike-peer-gre]ike-proposal 10  // 引用ike
[r1]ike local-name a1 // 全局定义本地name

[r2]ike peer gre v1
[r2-ike-peer-gre]ike-proposal 10 
[r2-ike-peer-gre]pre-shared-key simple aaa
[r2-ike-peer-gre]remote-address 100.1.1.1
[r2-ike-peer-gre]exchange-mode aggressive 
[r2-ike-peer-gre]local-id-type name
[r2-ike-peer-gre]remote-name a1

(2) Configure security proposal information for ipsec sa

[r1]ipsec proposal gre
[r1-ipsec-proposal-gre]encapsulation-mode transport 

[r2]ipsec proposal gre 
[r2-ipsec-proposal-gre]encapsulation-mode transport

(3) Define encrypted traffic (flow of interest)

[r1]acl 3001
[r1-acl-adv-3001]rule 10 permit gre source 100.1.1.1 0 destination 100.1.2.2 0

[r2]acl 3001
[r2-acl-adv-3001]rule 10 permit gre source 100.1.2.2 0 destination 100.1.1.1 0

(4) Configure the security policy set

[r1]ipsec policy gre 10 isakmp 
[r1-ipsec-policy-isakmp-gre-10]ike-peer gre 
[r1-ipsec-policy-isakmp-gre-10]proposal gre
[r1-ipsec-policy-isakmp-gre-10]security acl 3001

[r2]ipsec policy gre 10 isakmp
[r2-ipsec-policy-isakmp-gre-10]security acl 3001
[r2-ipsec-policy-isakmp-gre-10]proposal gre
[r2-ipsec-policy-isakmp-gre-10]ike-peer gre

(5) Interface call security policy set

[r1]int g0/0/0
[r1-GigabitEthernet0/0/0]ipsec policy gre

[r2]int g0/0/0
[r2-GigabitEthernet0/0/0]ipsec policy gre

ping to trigger:


Traffic is encrypted

(6) Analysis

Guess you like

Origin blog.csdn.net/weixin_62443409/article/details/131084245
Recommended
Ranking
Linux关机和重启详解(shutdown、halt、poweroff、reboot、init)
Netty work notes 0007---NIO's three core component relationships
Knife4j tutorial
2021.10.29,内容:什么时候用接口和抽象类
How to solve the problem that changing the memory frequency causes the computer to become unusable?
SpringMVC Tutorial - Controller
linux learning skills -Linux 25 transport Vega paid special privileges and facl extension
Financial quarterly report evaluation report data automatic generation 1.0
Agile Development Series - The Values of Agile Development
scrapy achieve browsercookie Middleware
Daily
More
2024-05-19(0)
2024-05-18(31)
2024-05-17(6)
2024-05-16(23)
2024-05-15(5)
2024-05-14(9)
2024-05-13(8)
2024-05-12(28)
2024-05-11(32)
2024-05-10(34)

Code World

© 2018 codetd.com