Cisco router IPSec virtual private network (related knowledge and configuration examples)

Post outline:

  • I. Virtual private network concepts
  • II. Basic concepts of IPSec virtual private networks
  • III. The establishment process of ISAKMP/IKE Phase 1 and Phase 2
  • IV. Configuration and implementation of an IPSec virtual private network
  • V. Summary

Preface: Because "VPN" (look at the initials, you know what I mean, cough) is a sensitive word, its Chinese name "virtual private network" is used throughout this post instead.

I. Virtual private network concepts

1. Definition of a virtual private network

A virtual private network is a protected connection established between two network entities. The two entities may be directly connected by a point-to-point link, but usually they are far apart.

The word "protected" in the definition can be understood from the following aspects:

  • Eavesdropping is prevented by encrypting the data.
  • Data integrity verification prevents the data from being destroyed or altered.
  • An authentication mechanism confirms the identity of the communicating parties, preventing the communication from being intercepted and replayed.

In addition, virtual private network technology also defines the following:

  • What kind of traffic needs to be protected.
  • The data protection mechanism.
  • The data encapsulation process.

A virtual private network solution in an actual production environment does not necessarily include all of the features above; that is determined by the specific needs of the environment and the implementation, and many companies adopt more than one virtual private network solution.

2. Virtual private network connection modes

There are two virtual private network connection modes: transport mode and tunnel mode.

(1) Transport mode:

In transport mode, the IP header is not encapsulated during transmission across the virtual private network, which means the original IP addresses of the communicating parties are always used. Only the actual payload is encapsulated in the virtual private network packet; for most virtual private network transmissions the encapsulation process is an encryption process, so a third party cannot decipher the data content, but can clearly see the address information of both communicating parties.

(Figure: packet layout in transport mode)

Because the encapsulation in transport mode is relatively simple and transmission efficiency is higher, it is mostly used for communication within the same local area network.

(2) Tunnel mode:

In tunnel mode, the entire network-layer packet is encapsulated inside a virtual private network packet, and a new IP header is then added in front of the encapsulated packet. Because the new IP header carries the IP addresses of the virtual private network devices, a third party who intercepts the data can neither understand the actual payload content nor learn the address information of the actual communicating parties. The encapsulated packet looks as follows:

(Figure: packet layout in tunnel mode)

Because tunnel mode has great advantages in security and flexibility, it is widely used in enterprise environments, for example for communication between a head office and branch offices across the WAN, and for mobile users accessing internal resources over the public network.

3. Types of virtual private network

Typically, virtual private networks are divided into site-to-site virtual private networks and remote-access virtual private networks.

(1) Site-to-site virtual private network:

A site-to-site virtual private network uses tunnel mode to protect traffic between two or more sites via the virtual private network gateways of those sites; the traffic between sites usually means traffic between local area networks (LAN-to-LAN, L2L). L2L virtual private networks are used to carry critical business data between a head office and branch offices across the public network, mainly for the traffic of whole network segments.

(2) Remote-access virtual private network:

A remote-access virtual private network is commonly used for a communication connection between a single user device and a virtual private network gateway; the user device is typically a single PC or a small office network. Remote-access virtual private networks have higher security requirements and are better suited to tunnel mode.

To achieve tunnel-mode communication, the remote-access client needs to be assigned two IP addresses: one is its own LAN IP address and the other is an internal network address. That is, while the virtual private network is being established, the remote client acts both as a virtual private network gateway (using its own IP address) and as an end user (using the internal IP address).

(Figure: remote-access client addressing)

Virtual private network technology involves too many concepts and algorithms to go through here.

The theoretical knowledge related to virtual private networks includes the following; those interested can look up the relevant material themselves:

1. Encryption algorithms

  • Symmetric encryption algorithms (DES, 3DES, AES, etc.)
  • Asymmetric encryption algorithms (RSA, DSA, DH, etc.; the first two are commonly used for authentication, while DH is used by IPSec to implement the Internet Key Exchange (IKE) protocol)

2. Data packet authentication

  • Data packet verification covers two aspects: data origin verification (authentication) and message integrity verification.
  • Virtual private network technology usually verifies the origin of data with the help of the hash-based algorithm HMAC.
  • The two algorithms commonly used with HMAC are MD5 and SHA.

II. Basic concepts of IPSec virtual private networks

Implementing virtual private networks with IPSec is currently the most widespread application, and to be able to quickly locate problems at work, understanding the IPSec establishment process is especially important.

1. The IPSec connection process:

The IPSec connection process is as follows:
1. Traffic triggers IPSec;
2. The management connection is established;
3. The data connection is established.

(1) Traffic triggers IPSec

In short, an ACL is used to specify which traffic needs to be "protected". In more detail, the IPSec establishment process is triggered by traffic sent between the peers. Once virtual private network traffic passes through the virtual private network gateway, the connection process begins; of course, it can also be started by manual configuration. Before configuring the device for this step, you need to determine which traffic needs to be "protected".

(2) Establishing the management connection

IPSec uses ISAKMP/IKE Phase 1 to build a secure management connection. Note that this management connection is only preparatory work; it is not used to transmit the actual data. Before configuring the device for this step, you need to determine how the devices authenticate each other, which encryption and authentication algorithms are used, which DH group is used, and so on.

(3) Establishing the data connection

On top of the secure management connection, IPSec negotiates and establishes a secure data connection; ISAKMP/IKE Phase 2 performs this task, and the data connection is what carries the real user data. Before configuring the device for this step, you need to determine which security protocol to use, which encryption or authentication algorithms to use with that protocol, the data transmission mode (tunnel mode or transport mode), and so on.

After these three steps of IPSec establishment, virtual private network traffic can be encrypted/decrypted according to the negotiated result. But a virtual private network is not a one-off: both the management connection and the data connection have a lifetime associated with them, and once it expires the connection is terminated; if virtual private network data still needs to be transmitted, the connection has to be rebuilt. This design is mainly for security reasons.

IPSec virtual private networking is a security feature and not every Cisco device supports it; the feature set in the IOS image name must include K8 or K9, as shown below:

(Figure: IOS image name showing the K8/K9 feature set)

III. The establishment process of ISAKMP/IKE Phase 1 and Phase 2

1. ISAKMP/IKE Phase 1

(1) Concepts related to Phase 1 (which is bidirectional):

The Phase 1 exchange has two modes: main mode and aggressive mode. Aggressive mode is faster than main mode, and main mode is more secure than aggressive mode; my configuration below is based on main mode.

Whether the virtual private network is site-to-site or remote-access, three tasks must be completed:

  • Negotiate how the management connection will be established.
  • Share key material through the DH algorithm.
  • Authenticate the peers to each other.

In main mode these three tasks are completed with six packets: the first two negotiate which security policy the management connection between the peers will use (the ISAKMP/IKE transform set is exchanged); the middle two generate and exchange, via the DH algorithm, the keys needed by the encryption algorithm and the HMAC function; the last two perform authentication between the peers using a pre-shared key or similar. Note that the first four packets are transmitted in plaintext and only the last two are transmitted encrypted: the keys that the first four packets ultimately produce through the various algorithms are used to encrypt packets 5 and 6 and all subsequent data.

(2) The ISAKMP/IKE Phase 1 establishment process:

1) Exchanging the ISAKMP/IKE transform set

The ISAKMP/IKE transform set is a set of security policies used to protect the management connection; some people call it the IKE policy or ISAKMP policy.

The ISAKMP/IKE transform set mainly covers the following:

  • Encryption algorithm: DES, 3DES or AES (AES is generally used, as it is more secure).
  • HMAC function: MD5 or SHA-1 (SHA-1 is generally used, again because it is more secure).
  • Device authentication type: pre-shared key or RSA signatures (I use a pre-shared key here, which is simpler to configure).
  • DH key group: Cisco supports groups 1, 2, 5 and 7 (Cisco routers do not support group 7).
  • Lifetime of the management connection.

2) Key exchange through the DH algorithm

The previous step only negotiates the security policy of the management connection; generating and exchanging the shared key is done through the DH algorithm.

3) Authentication between devices

The most common device authentication method is the pre-shared key, that is, a key shared between the peers out of band and stored locally on each device. The device authentication process can be implemented in two ways, through the encryption algorithm or through the HMAC function; encryption algorithms are rarely used for authentication, and in most cases it is done through the HMAC function.
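The six-message main-mode exchange and the DH/pre-shared-key steps above, worked through as an added Python example (this is not code from the post or from Cisco): a small constructed prime stands in for DH group 2, SKEYID and the HASH_I/HASH_R values follow the RFC 2409 pre-shared-key formulas with HMAC-SHA1, and the peer identities are the 200.0.0.1 / 201.0.0.2 addresses used in the configuration later in the post. The derivation of SKEYID_d/a/e from g^xy is omitted, so the "encrypted" packets 5 and 6 are only modelled by their authentication hashes. The second call in the usage section shows what the summary warns about: if the two routers' pre-shared keys differ, DH still agrees on a secret but authentication in packets 5 and 6 fails.

```python
import hashlib
import hmac
import secrets

# Constructed toy DH parameters, NOT a real IKE group: "group 2" in the post is the
# 1024-bit MODP group of RFC 2409. A small prime keeps the walkthrough readable.
P = 2**127 - 1   # Mersenne prime
G = 3


def dh_keypair():
    """Private exponent x and public value g^x mod p (the IKE KE payload)."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def prf(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA1, matching the 'hash sha' line in the post's ISAKMP policy."""
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """RFC 2409: with pre-shared-key authentication, SKEYID = prf(psk, Ni_b | Nr_b)."""
    return prf(psk, ni + nr)


def auth_hash(skeyid, g_self, g_peer, cky_i, cky_r, sa_body, ident):
    """HASH_I / HASH_R = prf(SKEYID, g^x_self | g^x_peer | CKY-I | CKY-R | SAi_b | ID_b)."""
    data = (g_self.to_bytes(16, "big") + g_peer.to_bytes(16, "big")
            + cky_i + cky_r + sa_body + ident)
    return prf(skeyid, data)


def main_mode(psk_initiator: bytes, psk_responder: bytes,
              policy: bytes = b"aes/sha/pre-share/group2/10000"):
    """Walk the six main-mode messages. Returns (authenticated, dh_agreed, log)."""
    log = []
    # Messages 1-2 (plaintext): initiator proposes the ISAKMP transform set, responder accepts.
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)
    log += [("1 I->R", "SA proposal", policy), ("2 R->I", "SA accepted", policy)]
    # Messages 3-4 (plaintext): DH public values and nonces.
    xi, gi = dh_keypair()
    xr, gr = dh_keypair()
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    log += [("3 I->R", "KE + Ni", gi), ("4 R->I", "KE + Nr", gr)]
    shared_i, shared_r = pow(gr, xi, P), pow(gi, xr, P)
    dh_agreed = shared_i == shared_r
    # Each side derives SKEYID from ITS OWN stored PSK and the exchanged nonces.
    skeyid_i = skeyid_psk(psk_initiator, ni, nr)
    skeyid_r = skeyid_psk(psk_responder, ni, nr)
    # Messages 5-6 (encrypted under the derived keys): identities plus HASH_I / HASH_R.
    id_i, id_r = b"200.0.0.1", b"201.0.0.2"   # the peer addresses from the post
    hash_i = auth_hash(skeyid_i, gi, gr, cky_i, cky_r, policy, id_i)
    hash_r = auth_hash(skeyid_r, gr, gi, cky_i, cky_r, policy, id_r)
    log += [("5 I->R", "ID_I + HASH_I", hash_i.hex()), ("6 R->I", "ID_R + HASH_R", hash_r.hex())]
    # Responder recomputes HASH_I with its own SKEYID; initiator does the same for HASH_R.
    ok_r = hmac.compare_digest(hash_i, auth_hash(skeyid_r, gi, gr, cky_i, cky_r, policy, id_i))
    ok_i = hmac.compare_digest(hash_r, auth_hash(skeyid_i, gr, gi, cky_i, cky_r, policy, id_r))
    return ok_i and ok_r, dh_agreed, log


if __name__ == "__main__":
    ok, agreed, log = main_mode(b"2019.com", b"2019.com")
    for step in log:
        print(*step)
    print("authenticated:", ok, "| dh agreed:", agreed)
    # Mismatched PSKs: DH still agrees, but packets 5/6 fail verification.
    print("mismatched PSK authenticated:", main_mode(b"2019.com", b"2019.con")[0])
```

Note how the pre-shared key is never sent: it only enters the exchange through SKEYID, so a wrong key on one router shows up as a failed HASH_I/HASH_R check at packet 5 or 6, which is exactly where a Phase 1 negotiation with mismatched keys stalls.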

2. ISAKMP/IKE Phase 2

(1) Concepts related to Phase 2 (which is unidirectional):

ISAKMP/IKE Phase 2 mainly establishes the data connection between two IPSec peers and completes the following tasks:

  • Define which traffic between the peers needs to be protected (matched with an ACL).
  • Define the security protocol used to protect the data.
  • Define the transmission mode.
  • Define the lifetime of the data connection and the key refresh method.

(2) The ISAKMP/IKE Phase 2 establishment process:

1) Security associations

IPSec needs to establish a logical connection between the two peers, and this requires a signalling protocol called the security association (SA), because IPSec needs the connectionless IP protocol to become connection-oriented before it can operate securely. An SA is a unidirectional connection between a source and a destination; if a bidirectional connection is needed, two SAs are required, one in each direction.

An SA is defined by three elements:

  • Security Parameter Index (SPI): uniquely identifies each SA.
  • Security protocol type: IPSec defines two security protocols, AH (Authentication Header) and ESP (Encapsulating Security Payload).
  • Destination IP address.

ISAKMP/IKE Phase 2 has the property described above, that is, the ISAKMP/IKE data connection is actually built from two unidirectional connections. Because both connections use the same encryption or authentication method, this characteristic of ISAKMP/IKE Phase 2 is not easily noticed.

2) The ISAKMP/IKE Phase 2 transform set:

The data connection's transform set defines how the data connection is protected. As with the management connection's transform set, a peer device can store one or more transform sets, but their contents are completely different.

The contents of the data connection's transform set are as follows:

  • Security protocol: AH, ESP.
  • Connection mode: tunnel mode, transport mode.
  • Encryption: for ESP, DES, 3DES, AES-128, AES-192, AES-256, or no encryption.
  • Authentication: MD5 or SHA-1.

Look up the encryption/authentication methods above in other material yourself; there is too much to go into. The connection modes are the two described at the beginning of this article.

3) The ISAKMP/IKE Phase 2 security protocols

IPSec's data connection is protected by its security protocols, AH and ESP. One of the protocols alone can provide encryption and authentication of the data, for example ESP; the two protocols can also be used together. AH uses IP protocol number 51 and ESP uses IP protocol number 50.

The AH protocol provides the following security functions:

  • Data integrity;
  • Data authentication;
  • Anti-replay protection.

AH protects the entire datagram, except for mutable fields such as the TTL value in the IP header.

AH only provides authentication and no form of data encryption at all; and precisely because it authenticates the entire IP datagram, it cannot be used together with NAT or PAT.

ESP is explicitly defined in RFC 2402; its differences from AH are as follows:

  • ESP encrypts the user data.
  • ESP only authenticates the payload of the IP packet, not the outer IP header.

Therefore, if a third party changes the contents of the IP header, ESP cannot detect it. Since NAT also modifies the outer IP information, ESP can be used together with NAT. So AH can never work with NAT, whereas ESP can, and with NAT-T configured ESP can even work with PAT (by default ESP cannot traverse a PAT device, because PAT modifies the port information in the transport-layer header, and in the ESP encapsulation the transport-layer header is encrypted, so PAT cannot rewrite the port information; NAT-T works by adding an extra transport-layer header so that PAT can operate).
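An added Python example (not code from the post) that makes the AH/ESP difference above concrete: it computes an AH-style ICV over a constructed IPv4 header with the mutable fields zeroed, and an ESP-style ICV over only the SPI, sequence number and ciphertext, then replays what a transit router (TTL decrement) and a NAT router (source address rewrite) do to the packet. The HMAC keys, the packet contents and the HMAC-counter keystream standing in for AES are all constructed for illustration; a real SA would carry the keys negotiated in Phase 2.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed keys for the example only.
KEY_AUTH = b"constructed-hmac-key"
KEY_ENC = b"constructed-cipher-key"
ICV_LEN = 12   # HMAC-SHA1-96: the truncated ICV size of ah-sha-hmac / esp-sha-hmac


def ipv4_header(src, dst, ttl=64, proto=6, total_len=60):
    """Minimal 20-byte IPv4 header (constructed; header checksum left at 0 for brevity)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def ah_icv(ip_hdr: bytes, payload: bytes) -> bytes:
    """AH ICV: HMAC over the whole datagram with the mutable IP fields zeroed
    (ToS, flags/fragment offset, TTL, header checksum). The addresses ARE covered."""
    h = bytearray(ip_hdr)
    h[1] = 0                    # ToS / DSCP+ECN
    h[6:8] = b"\x00\x00"        # flags + fragment offset
    h[8] = 0                    # TTL
    h[10:12] = b"\x00\x00"      # header checksum
    return hmac.new(KEY_AUTH, bytes(h) + payload, hashlib.sha1).digest()[:ICV_LEN]


def _keystream(n: int, spi: int, seq: int) -> bytes:
    """Stand-in stream cipher: HMAC-SHA256 in counter mode (NOT AES; illustration only)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(KEY_ENC, struct.pack("!IIQ", spi, seq, ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def esp_encapsulate(payload: bytes, spi: int = 0x1000, seq: int = 1) -> bytes:
    """ESP: header (SPI, seq) | encrypted payload | ICV over header + ciphertext only."""
    esp_hdr = struct.pack("!II", spi, seq)
    ct = bytes(a ^ b for a, b in zip(payload, _keystream(len(payload), spi, seq)))
    icv = hmac.new(KEY_AUTH, esp_hdr + ct, hashlib.sha1).digest()[:ICV_LEN]
    return esp_hdr + ct + icv


def esp_verify(esp_pkt: bytes):
    """Check the ESP ICV and decrypt; the outer IP header is deliberately not part of the check."""
    esp_hdr, ct, icv = esp_pkt[:8], esp_pkt[8:-ICV_LEN], esp_pkt[-ICV_LEN:]
    expected = hmac.new(KEY_AUTH, esp_hdr + ct, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return False, b""
    spi, seq = struct.unpack("!II", esp_hdr)
    return True, bytes(a ^ b for a, b in zip(ct, _keystream(len(ct), spi, seq)))


def nat_rewrite_src(ip_hdr: bytes, new_src: str) -> bytes:
    """What a NAT router does on the way out: replace the source address (checksum ignored here)."""
    return ip_hdr[:12] + ipaddress.IPv4Address(new_src).packed + ip_hdr[16:]


def decrement_ttl(ip_hdr: bytes) -> bytes:
    """What every router does: TTL is mutable and therefore excluded from the AH ICV."""
    return ip_hdr[:8] + bytes([ip_hdr[8] - 1]) + ip_hdr[9:]


def nat_effects() -> dict:
    """Send one constructed packet through a hop and through NAT; report which ICVs still verify."""
    tcp_hdr = struct.pack("!HH", 40000, 443)          # constructed transport header (ports only)
    payload = tcp_hdr + b"GET / HTTP/1.1"
    hdr = ipv4_header("192.168.1.1", "192.168.2.1")
    icv = ah_icv(hdr, payload)
    esp_pkt = esp_encapsulate(payload)
    after_hop = decrement_ttl(hdr)
    after_nat = nat_rewrite_src(hdr, "200.0.0.1")     # R1's outside address from the post
    esp_ok, esp_plain = esp_verify(esp_pkt)           # ESP never looked at the outer header
    return {
        "ah_after_ttl_decrement": hmac.compare_digest(icv, ah_icv(after_hop, payload)),
        "ah_after_nat": hmac.compare_digest(icv, ah_icv(after_nat, payload)),
        "esp_after_nat": esp_ok,
        "esp_hides_ports": esp_pkt[8:12] != tcp_hdr,  # PAT cannot see, let alone rewrite, the port
        "esp_roundtrip": esp_plain == payload,
    }


if __name__ == "__main__":
    for name, result in nat_effects().items():
        print(f"{name:24} {result}")
```

The dictionary returned by nat_effects() is the whole argument of the paragraph above in one place: a TTL decrement leaves the AH check intact, a NAT source rewrite breaks it, the ESP check survives the rewrite because it never covered the outer header, and the port numbers PAT would need are inside the ESP ciphertext.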

IV. Configuration and implementation of an IPSec virtual private network

After that long-winded pile of theory, which really tests one's patience, let's get to an actual configuration!

The network environment is as follows:
(Figure: network topology)

Environment analysis:

1. The head office's internal network uses the 192.168.1.0/24 segment and the branch office uses the 192.168.2.0/24 segment. Router R2 is the router on the public network. R1 and R3 are the gateways of the head office and the branch office respectively, so each will certainly have a default route pointing to the public-network router.
2. A virtual private network is to be established between the head office's internal network and the branch's internal network, but without additional configuration this would affect the internal networks' access to the Internet. Normally both the virtual private network and Internet access should work, so this problem also has to be solved.

Requirements:

1. The head office's 192.168.1.0/24 segment and the branch's 192.168.2.0/24 segment must communicate with each other through the virtual private network, without affecting these two segments' access to the public network, i.e. router R2 (public-network access is implemented with PAT port multiplexing; no routing at all is configured on router R2).

Start the configuration:

1. Configure the relevant interface addresses and enable the interfaces. This is not written out in detail; the format for configuring an interface IP address is as follows:

Router interface IP address configuration

R1#conf t
R1(config)#in f0/0
R1(config-if)#ip add 200.0.0.1 255.255.255.0
R1(config-if)#no sh

Configuring the IP address of a PC in the GNS3 simulator

PC1> ip 192.168.1.1 192.168.1.254     #configure the IP address and gateway

2. R1 router configuration:

R1(config)#ip route 0.0.0.0 0.0.0.0 200.0.0.2     #configure the default route
#'The following configures the ISAKMP policy (i.e. the management connection)'
R1(config)#crypto isakmp policy 1    #policy sequence number "1"; the range is 1~10000, and the lower the number, the higher the priority
R1(config-isakmp)#encryption aes   #configure the encryption algorithm
R1(config-isakmp)#hash  sha    #the hash command specifies the hash algorithm used during authentication
R1(config-isakmp)#authentication pre-share   #declare the device authentication method as "pre-shared key"
R1(config-isakmp)#group 2   #use DH group 2
R1(config-isakmp)#lifetime 10000   #optional, management connection lifetime; the default is 86400s (24 hours)
R1(config-isakmp)#exit
R1(config)#crypto isakmp key 6 2019.com address 201.0.0.2  #configure the "pre-shared key"
#'The following is the data connection configuration'
R1(config)#access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255    #define the traffic protected by the virtual private network
R1(config)#crypto ipsec transform-set test-set ah-sha-hmac esp-aes #data connection negotiation parameters; "test-set" is a user-defined name
R1(cfg-crypto-trans)#mode tunnel   #optional, configure tunnel mode; tunnel mode is the default
R1(cfg-crypto-trans)#exit
R1(config)#crypto map test-map 1 ipsec-isakmp    #bundle the data connection configuration into a crypto map; "test-map" is a user-defined name
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R1(config-crypto-map)#set peer 201.0.0.2    #virtual private network peer address
R1(config-crypto-map)#set transform-set test-set    #associate the transform set just created with the data connection
R1(config-crypto-map)#match address 101   #the ACL to match
R1(config-crypto-map)#int f0/0     #enter the outside interface
R1(config-if)#crypto map test-map      #apply it on the outside interface
#'The following solves the problem of internal hosts accessing the Internet'
R1(config-if)#access-list 102 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255   #deny the virtual private network traffic
R1(config)#access-list 102 permit ip any any    #permit all other traffic
R1(config)#ip nat inside source list 102 int f0/0 overload    #use PAT (port overloading) so the internal network can access the Internet
#'The following enters the relevant interfaces and enables NAT'
R1(config)#int f0/0
R1(config-if)#ip nat outside 
R1(config-if)#in f1/0
R1(config-if)#ip nat inside 

Note: When both NAT and virtual private network traffic exist, NAT is matched first and the virtual private network afterwards, so the PAT ACL above denies the virtual private network traffic.
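The NAT-before-crypto order in the note above, as an added Python model (not the post's own code or any Cisco code): it evaluates R1's ACL 101 and ACL 102 with Cisco wildcard masks and first-match/implicit-deny semantics, then applies them in the order the router does for inside-to-outside traffic, the "ip nat inside source" translation first and the crypto map on f0/0 second. The "weak" ACL set leaves out the deny line so the effect of forgetting it is visible; the destination 203.0.113.10 is a constructed Internet address.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class AclEntry:
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _address(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD' (Cisco wildcard)."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    # ipaddress accepts a hostmask such as 0.0.0.255 in place of a prefix length
    return ipaddress.IPv4Network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_acls(lines):
    """Parse extended 'access-list N permit|deny ip SRC DST' lines into {N: [AclEntry, ...]}."""
    acls = {}
    for line in lines:
        parts = line.split()
        if len(parts) < 5 or parts[0] != "access-list" or parts[3] != "ip":
            continue   # only the extended 'ip' form used in the post is handled
        src, rest = _address(parts[4:])
        dst, _ = _address(rest)
        acls.setdefault(parts[1], []).append(AclEntry(parts[2], src, dst))
    return acls


def acl_permits(entries, src: str, dst: str) -> bool:
    """IOS semantics: the first matching entry decides; implicit deny at the end."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for e in entries:
        if s in e.src and d in e.dst:
            return e.action == "permit"
    return False


def egress(src: str, dst: str, acls: dict, nat_list="102", crypto_list="101",
           outside_ip="200.0.0.1") -> str:
    """Model R1's inside-to-outside path: NAT inside-source runs before the crypto map
    is consulted, so the crypto ACL sees the post-translation source address."""
    translated = acl_permits(acls.get(nat_list, []), src, dst)
    if translated:
        src = outside_ip                      # PAT rewrote the source to the f0/0 address
    if acl_permits(acls.get(crypto_list, []), src, dst):
        return "ipsec"                        # matched ACL 101: encrypted towards the peer
    return "pat-plaintext" if translated else "plaintext"


# ACLs exactly as configured on R1 in the post, and a 'weak' variant missing the deny line.
FIXED = [
    "access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255",
    "access-list 102 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255",
    "access-list 102 permit ip any any",
]
WEAK = [FIXED[0], FIXED[2]]


def compare() -> dict:
    """Outcome for a VPN-bound and an Internet-bound packet under both ACL sets."""
    fixed, weak = parse_acls(FIXED), parse_acls(WEAK)
    return {
        "fixed_vpn": egress("192.168.1.1", "192.168.2.1", fixed),
        "fixed_internet": egress("192.168.1.1", "203.0.113.10", fixed),   # constructed address
        "weak_vpn": egress("192.168.1.1", "192.168.2.1", weak),
        "weak_internet": egress("192.168.1.1", "203.0.113.10", weak),
    }


if __name__ == "__main__":
    for name, outcome in compare().items():
        print(f"{name:15} -> {outcome}")
```

With the deny line present, a packet for 192.168.2.1 is skipped by NAT, still carries its 192.168.1.x source when the crypto map looks at it, and matches ACL 101. Without it, the same packet is translated to 200.0.0.1 first, no longer matches ACL 101, and leaves R1 as plaintext PAT traffic; as the post notes, R2 has no route for 192.168.2.0/24 and the packet is dropped there.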

3. R3 router configuration:

Because the R3 configuration is more or less the same as R1's (in fact much of it must be identical, such as the shared key and the algorithms used, otherwise the virtual private network cannot be established), it is not commented below.

R3(config)#ip route 0.0.0.0 0.0.0.0 201.0.0.1
R3(config)#crypto isakmp policy 1
R3(config-isakmp)#encryption aes
R3(config-isakmp)#hash  sha
R3(config-isakmp)#authentication pre-share
R3(config-isakmp)#group 2
R3(config-isakmp)#lifetime 10000
R3(config-isakmp)#exit
R3(config)#crypto isakmp key 6 2019.com address 200.0.0.1
R3(config)#access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255       
R3(config)#crypto ipsec transform-set test-set ah-sha-hmac esp-aes
R3(cfg-crypto-trans)#mode tunnel
R3(cfg-crypto-trans)#exit
R3(config)#crypto map test-map 1 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R3(config-crypto-map)#set peer 200.0.0.1
R3(config-crypto-map)#set transform-set test-set
R3(config-crypto-map)#match address 101
R3(config-crypto-map)#int f0/0
R3(config-if)#crypto map test-map
R3(config-if)#
*Mar  1 00:51:55.511: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R3(config-if)#$ 102 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255    
R3(config)#access-list 102 permit ip any any
R3(config)#ip nat inside source list 102 int f0/0 overload
R3(config)#int f0/0
R3(config-if)#ip nat outside
R3(config-if)#in f1/0
R3(config-if)#ip nat inside 

At this point the configuration is complete: PC1 and PC2 can reach each other (the virtual private network effect), and both PCs can ping router R2. Note that although R1 and R3 have default routes towards R2, R2 has no routes to the 192.168.1.0 and 192.168.2.0 segments; that is what PAT is for. You can test with ping yourself.

4. Commands to view the configuration:

R1#show crypto isakmp policy     #view the configured ISAKMP negotiation policy
R1#show crypto isakmp sa            #view the state of the management connection SA
R1#show crypto ipsec transform-set        #view the IPSec transform sets
R1#show crypto ipsec security-association lifetime    #view the lifetime of the data connection
R1#show crypto ipsec sa    #view the details of the data connection SA
R1#show crypto map    #view crypto map information: the crypto map name, ACL, peer IP address, the interface the crypto map is applied to, etc.

V. Summary

  1. Because so many technologies, algorithms and related techniques are involved, troubleshooting a fault may not be simple; you can use the "show run" command to view the whole configuration, compare what is configured on the two routers for mismatches, and then reconfigure.
  2. Be aware that when both NAT and virtual private network traffic exist, NAT is matched first and the virtual private network afterwards, so when doing the PAT mapping, the extended ACL must deny the traffic inside the virtual private network that is destined for the branch network; otherwise it will be PAT-translated directly and forwarded, and the packets will ultimately be discarded because router R2 has no route to 192.168.2.0/24.
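For point 1, an added Python example (not code from the post) that extracts the parts of the two configurations that must agree or mirror each other (ISAKMP policy attributes, pre-shared key, transform set, peer address and crypto ACL) and reports mismatches, so the "show run" comparison can be automated rather than done by eye. The two config strings are transcribed from the R1 and R3 configurations in the post; the mutated copies in the usage section are constructed to show a detected mismatch.

```python
import re

# Transcribed from the post's R1 and R3 configurations (VPN-relevant lines only).
R1_CONFIG = """
crypto isakmp policy 1
 encryption aes
 hash sha
 authentication pre-share
 group 2
 lifetime 10000
crypto isakmp key 6 2019.com address 201.0.0.2
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
crypto ipsec transform-set test-set ah-sha-hmac esp-aes
crypto map test-map 1 ipsec-isakmp
 set peer 201.0.0.2
 set transform-set test-set
 match address 101
"""

R3_CONFIG = """
crypto isakmp policy 1
 encryption aes
 hash sha
 authentication pre-share
 group 2
 lifetime 10000
crypto isakmp key 6 2019.com address 200.0.0.1
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto ipsec transform-set test-set ah-sha-hmac esp-aes
crypto map test-map 1 ipsec-isakmp
 set peer 200.0.0.1
 set transform-set test-set
 match address 101
"""


def parse_vpn_config(cfg: str) -> dict:
    """Pull the ISAKMP policy, PSK, transform set, peer and crypto ACL out of running-config text."""
    f = {"policy": {}, "acl": []}
    in_policy = False
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("crypto isakmp policy"):
            in_policy = True
            continue
        if in_policy and raw.startswith(" "):       # indented sub-lines of the policy
            key, value = line.split(None, 1)
            f["policy"][key] = value
            continue
        in_policy = False
        if m := re.match(r"crypto isakmp key \S+ (\S+) address (\S+)", line):
            f["psk"], f["psk_peer"] = m.group(1), m.group(2)
        elif m := re.match(r"crypto ipsec transform-set \S+ (.+)", line):
            f["transform"] = sorted(m.group(1).split())
        elif m := re.match(r"set peer (\S+)", line):
            f["peer"] = m.group(1)
        elif m := re.match(r"access-list \d+ permit ip (\S+ \S+) (\S+ \S+)", line):
            f["acl"].append((m.group(1), m.group(2)))
    return f


def mismatches(local: dict, remote: dict, local_outside: str, remote_outside: str) -> list:
    """Everything that must agree or mirror between the two routers; empty list means consistent."""
    problems = []
    for k, v in local["policy"].items():
        if remote["policy"].get(k) != v:
            problems.append(f"isakmp {k}: {v} vs {remote['policy'].get(k)}")
    if local.get("psk") != remote.get("psk"):
        problems.append("pre-shared key differs")
    if local.get("psk_peer") != remote_outside or remote.get("psk_peer") != local_outside:
        problems.append("isakmp key address is not the other side's outside address")
    if local.get("peer") != remote_outside or remote.get("peer") != local_outside:
        problems.append("crypto map 'set peer' is not the other side's outside address")
    if local.get("transform") != remote.get("transform"):
        problems.append("transform-set contents differ")
    # The crypto ACLs must be mirror images: R1's (src, dst) pairs are R3's (dst, src) pairs.
    if sorted((d, s) for s, d in local["acl"]) != sorted(remote["acl"]):
        problems.append("crypto ACLs are not mirror images")
    return problems


if __name__ == "__main__":
    r1, r3 = parse_vpn_config(R1_CONFIG), parse_vpn_config(R3_CONFIG)
    print("as configured in the post:", mismatches(r1, r3, "200.0.0.1", "201.0.0.2"))
    # Constructed mistakes: a different hash on R3, and a peer address typo.
    bad_hash = parse_vpn_config(R3_CONFIG.replace(" hash sha", " hash md5"))
    bad_peer = parse_vpn_config(R3_CONFIG.replace("set peer 200.0.0.1", "set peer 200.0.0.2"))
    print("hash changed on R3:", mismatches(r1, bad_hash, "200.0.0.1", "201.0.0.2"))
    print("peer typo on R3:", mismatches(r1, bad_peer, "200.0.0.1", "201.0.0.2"))
```

The check only covers the fields the post itself says must match; a policy attribute that R1 sets but R3 omits is reported as "vs None", which is the same symptom as a mismatched value once the routers negotiate.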

-------- end of this article so far, thanks for reading --------


Origin blog.51cto.com/14154700/2429736