
Security Defense --- IPSec Theory (02): ESP protocol

ESP protocol

Appendix:

Classification of protocols and modes

ESP vs. AH:

  1. Data security: ESP provides confidentiality (the payload is encrypted); AH provides none (integrity and origin authentication only).
  2. Scenario: ESP suits public-network scenarios; AH suits intranet / private-network scenarios.

(For both protocols, data security depends on the two endpoints authenticating each other; the difference is in what the integrity check covers. AH's ICV also covers the outer IP header, so any NAT on the path rewrites a covered field and the check fails, which is one more reason AH stays inside private networks. ESP's ICV covers only the ESP header and payload, so ESP survives NAT.)

Transport mode vs. tunnel mode:

  1. Reachability of the endpoints: transport mode keeps the original IP header, so the two communicating endpoints must already be routable across the path; tunnel mode adds a new outer IP header, so the inner (protected) addresses need not be reachable on the transit network.
  2. Scenario: transport mode (a leased line or an existing tunnel such as GRE already provides reachability, and IPSec only has to protect that traffic); tunnel mode (private-network data carried across the public network; heterogeneous networks interconnected across another network).
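To make both classifications concrete, here is an added Python example (not from the original page) that builds simplified ESP and AH packets for the addresses used in the labs below: ESP in transport mode carrying GRE (the GRE-over-IPSec case later on this page, next header 47), ESP in tunnel mode carrying a whole inner 172.16.x packet (next header 4, IP-in-IP), and AH, to show why NAT breaks AH but not ESP. The keys, the reused SPI, the payloads and the HMAC-SHA256 counter-mode keystream standing in for AES are all constructed for illustration; the header layouts follow RFC 4302/4303 but omit IVs, options and checksums.

```python
import hashlib
import hmac
import ipaddress
import struct

# IPv4 protocol numbers: IP-in-IP (tunnel-mode inner packet), GRE, ESP, AH.
IPPROTO_IPIP, IPPROTO_GRE, IPPROTO_ESP, IPPROTO_AH = 4, 47, 50, 51
ICV_LEN = 16  # truncated ICV, as with the SHA2-512-256 shown by "display ipsec sa"
# Constructed keys and SPI (real ones are derived by IKE; 0x53e314f2 is the outbound SPI on the page).
ENC_KEY, AUTH_KEY, SPI = b"enc-key-from-ike", b"auth-key-from-ike", 0x53E314F2


def ipv4_header(src, dst, proto, payload_len):
    """Minimal IPv4 header, no options; the checksum is left zero because nothing here needs it."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def keystream(key, spi, seq, n):
    """HMAC-SHA256 in counter mode: a stand-in for AES so the example needs no third-party library."""
    blocks = (hmac.new(key, struct.pack("!IIQ", spi, seq, i), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def xor(data, ks):
    return bytes(a ^ b for a, b in zip(data, ks))


def esp_encapsulate(enc_key, auth_key, spi, seq, payload, next_header):
    """ESP: [SPI][Seq][encrypted: payload | pad | pad_len | next_header][ICV]; the ICV covers SPI..ciphertext only."""
    pad_len = (-(len(payload) + 2)) % 4  # pad_len and next_header must end on a 4-byte boundary
    plain = payload + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    body = struct.pack("!II", spi, seq) + xor(plain, keystream(enc_key, spi, seq, len(plain)))
    return body + hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]


def esp_decapsulate(enc_key, auth_key, esp):
    """Verify the ICV first (a tampered packet is never decrypted), then strip padding and trailer."""
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    if not hmac.compare_digest(hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN], icv):
        raise ValueError("ESP ICV mismatch")
    spi, seq = struct.unpack("!II", body[:8])
    plain = xor(body[8:], keystream(enc_key, spi, seq, len(body) - 8))
    pad_len, next_header = plain[-2], plain[-1]
    return spi, seq, next_header, plain[:len(plain) - pad_len - 2]


def ah_icv(auth_key, ip_hdr, ah_fixed, payload):
    """AH's ICV also covers the outer IP header, with the mutable fields (TTL, checksum) zeroed."""
    hdr = bytearray(ip_hdr)
    hdr[8], hdr[10:12] = 0, b"\x00\x00"
    return hmac.new(auth_key, bytes(hdr) + ah_fixed + bytes(ICV_LEN) + payload, hashlib.sha256).digest()[:ICV_LEN]


def ah_packet(auth_key, src, dst, spi, seq, payload, next_header):
    ah_fixed = struct.pack("!BBHII", next_header, (12 + ICV_LEN) // 4 - 2, 0, spi, seq)  # length in 32-bit words minus 2
    ip_hdr = ipv4_header(src, dst, IPPROTO_AH, 12 + ICV_LEN + len(payload))
    return ip_hdr + ah_fixed + ah_icv(auth_key, ip_hdr, ah_fixed, payload) + payload


def ah_verify(auth_key, pkt):
    ip_hdr, ah_fixed, icv, payload = pkt[:20], pkt[20:32], pkt[32:32 + ICV_LEN], pkt[32 + ICV_LEN:]
    return hmac.compare_digest(ah_icv(auth_key, ip_hdr, ah_fixed, payload), icv)


def esp_transport_gre():
    """Transport mode, as in the GRE-over-IPSec section: outer header is the real endpoints', next header = 47."""
    gre = b"\x00\x00\x08\x00" + b"OSPF hello carried inside GRE"  # constructed GRE header (proto 0x0800) + payload
    esp = esp_encapsulate(ENC_KEY, AUTH_KEY, SPI, 1, gre, IPPROTO_GRE)
    return ipv4_header("100.1.1.1", "100.1.2.2", IPPROTO_ESP, len(esp)) + esp


def esp_tunnel_private():
    """Tunnel mode, as in the static-routing section: the whole inner 172.16.10.1 -> 172.16.1.1 packet is encrypted."""
    inner = ipv4_header("172.16.10.1", "172.16.1.1", 1, 8) + b"\x08\x00\x00\x00\x00\x01\x00\x01"  # constructed ICMP echo
    esp = esp_encapsulate(ENC_KEY, AUTH_KEY, SPI, 2, inner, IPPROTO_IPIP)
    return ipv4_header("100.1.1.1", "100.1.2.2", IPPROTO_ESP, len(esp)) + esp


def receive_esp(pkt):
    """Return (next_header, src, dst) as the receiving gateway sees them after decapsulation."""
    _, _, nh, payload = esp_decapsulate(ENC_KEY, AUTH_KEY, pkt[20:])
    hdr = payload if nh == IPPROTO_IPIP else pkt  # tunnel mode: the real addresses were inside the ciphertext
    return nh, str(ipaddress.IPv4Address(hdr[12:16])), str(ipaddress.IPv4Address(hdr[16:20]))


def nat_rewrite_source(pkt, new_src):
    return pkt[:12] + ipaddress.IPv4Address(new_src).packed + pkt[16:]


def survives_nat():
    """(ESP still verifies after NAT, AH verifies untouched, AH verifies after NAT)."""
    esp_ok = receive_esp(nat_rewrite_source(esp_tunnel_private(), "203.0.113.5"))[0] == IPPROTO_IPIP
    ah = ah_packet(AUTH_KEY, "100.1.1.1", "100.1.2.2", SPI, 1, b"payload", IPPROTO_GRE)
    return esp_ok, ah_verify(AUTH_KEY, ah), ah_verify(AUTH_KEY, nat_rewrite_source(ah, "203.0.113.5"))


def tampering_is_detected():
    pkt = bytearray(esp_transport_gre())
    pkt[30] ^= 0xFF  # flip one ciphertext byte; the ICV no longer matches
    try:
        receive_esp(bytes(pkt))
    except ValueError:
        return True
    return False
```

Run `receive_esp(esp_tunnel_private())` and the inner 172.16.x addresses come back although they never appear on the wire; `survives_nat()` returns `(True, True, False)`, which is the whole ESP-versus-AH story under NAT in one tuple.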

IPSec configuration (router)

IPSec over static routing

  Ensure basic network reachability first (r1 -- ISP -- r2; the loopbacks stand in for the two private LANs):
  [r1]int g0/0/0
  [r1-GigabitEthernet0/0/0]ip add 100.1.1.1 24
  [r1]ip route-static 0.0.0.0 0 100.1.1.2
  [ISP]int g0/0/0
  [ISP-GigabitEthernet0/0/0]ip add 100.1.1.2 24
  [ISP]int g0/0/1
  [ISP-GigabitEthernet0/0/1]ip ad 100.1.2.1 24
  [r2]int g0/0/0
  [r2-GigabitEthernet0/0/0]ip add 100.1.2.2 24
  [r2]ip route-static 0.0.0.0 0 100.1.2.1
  [r1]int LoopBack 0
  [r1-LoopBack0]ip add 172.16.10.1 24
  [r2]int LoopBack 0
  [r2-LoopBack0]ip add 172.16.1.1 24

(1) Configure the IKE SA

<1> IKE proposal

  [r1]ike proposal 1 // proposal number
  [r1-ike-proposal-1]encryption-algorithm 3des-cbc // encryption algorithm (3DES)
  [r1-ike-proposal-1]authentication-algorithm sha1 // integrity algorithm (SHA1)
  [r1-ike-proposal-1]authentication-method pre-share // authentication method (pre-shared key)
  [r1-ike-proposal-1]dh group2 // Diffie-Hellman group for the IKE key exchange (group2 = 1024-bit MODP); it sets the strength of the key agreement, it is not an encryption algorithm
  [r1]dis ike proposal --- shows the proposal with the parameters that were not typed (filled from defaults), plus the built-in Default proposal
  Number of IKE Proposals: 2
  -------------------------------------------
  IKE Proposal: 1
  Authentication method : pre-shared
  Authentication algorithm : SHA1
  Encryption algorithm : 3DES-CBC
  DH group : MODP-1024
  SA duration : 3600
  PRF : PRF-HMAC-SHA
  -------------------------------------------
  -------------------------------------------
  IKE Proposal: Default
  Authentication method : pre-shared
  Authentication algorithm : SHA1
  Encryption algorithm : DES-CBC
  DH group : MODP-768
  SA duration : 86400
  PRF : PRF-HMAC-SHA
  -------------------------------------------
  [r2]ike proposal 1
  [r2-ike-proposal-1]encryption-algorithm 3des-cbc
  [r2-ike-proposal-1]dh group2
  [r2-ike-proposal-1]sa duration 3600

r2 leaves authentication-algorithm and authentication-method at their defaults (SHA1 and pre-shared, the same values the Default proposal shows), which happen to match r1. The two sides must agree on encryption algorithm, integrity algorithm, authentication method and DH group or phase 1 fails; the SA duration may differ, in which case the shorter lifetime is used. Note that 3DES, SHA1 and DH group2 (1024-bit), and even more so the DES-CBC and MODP-768 of the Default proposal, are weak by current standards; on a production device choose AES, SHA2 and DH group 14 (2048-bit) or stronger on both peers.

PRF: pseudo-random function, the keyed hash (here HMAC-SHA1) from which IKE derives its keying material. It is not perfect forward secrecy; PFS is a separate option enabled in the IPSec policy below.
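As an added example (not part of the original page), the following Python parses `display ike proposal` output of the form shown above, flags algorithms that are weak by current standards, and checks which proposals the two peers could actually agree on. R1_OUTPUT is the page's own output; R2_OUTPUT and HARDENED_OUTPUT are constructed, and the display strings assumed for AES, SHA2 and MODP-2048 in the hardened proposal are assumptions, not verified device output.

```python
import re

# Output of "display ike proposal" on r1, as shown on this page.
R1_OUTPUT = """
Number of IKE Proposals: 2
-------------------------------------------
IKE Proposal: 1
Authentication method : pre-shared
Authentication algorithm : SHA1
Encryption algorithm : 3DES-CBC
DH group : MODP-1024
SA duration : 3600
PRF : PRF-HMAC-SHA
-------------------------------------------
IKE Proposal: Default
Authentication method : pre-shared
Authentication algorithm : SHA1
Encryption algorithm : DES-CBC
DH group : MODP-768
SA duration : 86400
PRF : PRF-HMAC-SHA
"""
# Constructed: r2 sets 3des-cbc, group2 and 3600 explicitly and takes the rest from defaults,
# so its display output renders identically to r1's.
R2_OUTPUT = R1_OUTPUT
# Constructed: a hardened proposal changed on one side only (display strings assumed).
HARDENED_OUTPUT = """
IKE Proposal: 20
Authentication method : pre-shared
Authentication algorithm : SHA2-256
Encryption algorithm : AES-CBC-256
DH group : MODP-2048
SA duration : 3600
PRF : PRF-HMAC-SHA2-256
"""

WEAK = {  # keyed by the value exactly as "display ike proposal" prints it
    "DES-CBC": "DES (56-bit key) is brute-forceable",
    "3DES-CBC": "3DES has 64-bit blocks (Sweet32) and ~112-bit strength; prefer AES",
    "MD5": "MD5 integrity is deprecated",
    "SHA1": "SHA1 integrity is deprecated for IKE; prefer SHA2",
    "MODP-768": "DH group1 (768-bit) is far below the 2048-bit floor",
    "MODP-1024": "DH group2 (1024-bit) is below the 2048-bit floor; prefer group14 or stronger",
}
MATCH_KEYS = ("Authentication method", "Authentication algorithm", "Encryption algorithm", "DH group")


def parse_ike_proposals(text):
    """Turn the display output into a list of {'id': ..., '<attribute>': '<value>'} dicts."""
    proposals, cur = [], None
    for line in text.splitlines():
        m = re.match(r"\s*IKE Proposal:\s*(\S+)", line)
        if m:
            cur = {"id": m.group(1)}
            proposals.append(cur)
        elif cur is not None and " : " in line:
            key, value = (part.strip() for part in line.split(":", 1))
            cur[key] = value
    return proposals


def weak_settings(proposal):
    """Findings for one proposal; an empty list means nothing on the WEAK list was found."""
    return [f"proposal {proposal['id']}: {WEAK[v]}"
            for k, v in proposal.items() if k != "id" and v in WEAK]


def compatible_pairs(local, remote):
    """IKEv1 phase 1 succeeds only if some local/remote pair agrees on every MATCH_KEYS attribute.
    SA duration is deliberately not compared: it need not match, the shorter lifetime is used."""
    return [(a["id"], b["id"]) for a in local for b in remote
            if all(a.get(k) == b.get(k) for k in MATCH_KEYS)]


def audit(local_text, remote_text):
    """What the two peers can negotiate, and which of those choices are weak."""
    local, remote = parse_ike_proposals(local_text), parse_ike_proposals(remote_text)
    pairs = compatible_pairs(local, remote)
    by_id = {p["id"]: p for p in local}
    return {"negotiable": pairs,
            "findings": [f for a, _ in pairs for f in weak_settings(by_id[a])]}
```

`audit(R1_OUTPUT, R2_OUTPUT)` reports that both the configured proposal and the Default one are negotiable and lists six weak choices between them; `audit(HARDENED_OUTPUT, R2_OUTPUT)` has no findings but also no negotiable pair, which is the practical lesson: hardening one peer alone does not tighten the tunnel, it breaks it, so change both ends together.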

<2> IKE peer (authentication)

  [r1]ike peer 12 v1 // IKE peer name and IKE version (v1)
  [r1-ike-peer-12]exchange-mode main // exchange mode (main mode is the default)
  [r1-ike-peer-12]pre-shared-key cipher 234 // pre-shared key (cipher: stored in encrypted form in the configuration)
  [r1-ike-peer-12]ike-proposal 1 // reference the IKE proposal
  [r1-ike-peer-12]remote-address 100.1.2.2 // the peer's public address
  [r2]ike peer 12 v1
  [r2-ike-peer-12]ike-proposal 1
  [r2-ike-peer-12]pre-shared-key cipher 234
  [r2-ike-peer-12]remote-address 100.1.1.1
  [r2-ike-peer-12]exchange-mode main

The key "234" is a lab value only: with pre-shared-key authentication the whole tunnel is only as strong as the key, so use a long random secret. Main mode is the right choice when both peers have fixed addresses, because it encrypts the identity and authentication payloads before they are sent.

(2) Configure the IPSec proposal (IPSec SA parameters)

  [r1]ipsec proposal 1 // IPSec proposal
  [r1-ipsec-proposal-1]transform esp // security protocol: ESP (as opposed to AH or AH+ESP)
  [r1-ipsec-proposal-1]esp authentication-algorithm sha2-512 // ESP integrity algorithm
  [r1-ipsec-proposal-1]esp encryption-algorithm aes-128 // ESP encryption algorithm
  [r1-ipsec-proposal-1]encapsulation-mode tunnel // encapsulation mode (tunnel mode)
  [r1]dis ipsec proposal --- verify
  Number of proposals: 1
  IPSec proposal name: 1
  Encapsulation mode: Tunnel
  Transform : esp-new
  ESP protocol : Authentication SHA2-HMAC-512
  Encryption AES-128
  [r2]ipsec proposal 1
  [r2-ipsec-proposal-1]transform esp
  [r2-ipsec-proposal-1]encapsulation-mode tunnel
  [r2-ipsec-proposal-1]esp authentication-algorithm sha2-512
  [r2-ipsec-proposal-1]esp encryption-algorithm aes-128

Tunnel mode is the right choice here because the protected addresses (172.16.10.0/24 and 172.16.1.0/24) are private and not routable across the ISP; ESP adds a new outer header between 100.1.1.1 and 100.1.2.2 and the inner packet travels encrypted inside it.

(3) Define the traffic to be encrypted (interesting traffic)

  [r1]acl 3000
  [r1-acl-adv-3000]rule 5 permit ip source 172.16.10.1 0.0.0.0 destination 172.16.1.1 0.0.0.0
  [r2]acl 3000
  [r2-acl-adv-3000]rule 5 permit ip source 172.16.1.1 0.0.0.0 destination 172.16.10.1 0.0.0.0

The 0.0.0.0 wildcard matches exactly one host. The two ACLs must mirror each other (r2's source is r1's destination and vice versa); otherwise the phase-2 negotiation fails or traffic is protected in one direction only.

(4) Configure the IPSec policy

  [r1]ipsec policy k 10 isakmp --- policy named k, sequence number 10, negotiated via ISAKMP (IKE)
  [r1-ipsec-policy-isakmp-k-10]ike-peer 12 // bind the IKE peer
  [r1-ipsec-policy-isakmp-k-10]proposal 1 // bind the IPSec proposal (required; both ends must reference one)
  [r1-ipsec-policy-isakmp-k-10]security acl 3000 // bind the interesting traffic
  [r1-ipsec-policy-isakmp-k-10]pfs dh-group2 // PFS (perfect forward secrecy): a fresh DH exchange in phase 2, so a later compromise of the phase-1 keys does not expose the IPSec keys; both peers must set the same group
  [r2]ipsec policy k 10 isakmp
  [r2-ipsec-policy-isakmp-k-10]ike-peer 12
  [r2-ipsec-policy-isakmp-k-10]proposal 1
  [r2-ipsec-policy-isakmp-k-10]security acl 3000
  [r2-ipsec-policy-isakmp-k-10]pfs dh-group2

(5) Apply the policy on the interface

  [r1]int g0/0/0
  [r1-GigabitEthernet0/0/0]ipsec policy k
  [r2]int g0/0/0
  [r2-GigabitEthernet0/0/0]ipsec policy k

Trigger negotiation by sending traffic that matches ACL 3000 (for example a ping sourced from r1's LoopBack0 to r2's LoopBack0). With an ISAKMP policy the SAs are built on demand, so the displays below stay empty until interesting traffic has flowed:

(6) Check that the security associations were established

  <r1>dis ike sa
  Conn-ID Peer VPN Flag(s) Phase
  ---------------------------------------------------------------
  2 100.1.2.2 0 RD|ST 2
  1 100.1.2.2 0 RD|ST 1
  Flag Description:
  RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
  HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP
  <r1>dis ipsec sa
  [Outbound ESP SAs]
  SPI: 1407390962 (0x53e314f2)
  Proposal: ESP-ENCRYPT-AES-128 SHA2-512-256
  SA remaining key duration (bytes/sec): 1887329280/2740
  Max sent sequence-number: 5
  UDP encapsulation used for NAT traversal: N
  [Inbound ESP SAs]
  SPI: 3197321182 (0xbe933fde)
  Proposal: ESP-ENCRYPT-AES-128 SHA2-512-256
  SA remaining key duration (bytes/sec): 1887436380/2740
  Max received sequence-number: 5
  Anti-replay window size: 32
  UDP encapsulation used for NAT traversal: N

Reading the output: Conn-ID 1 is the phase-1 (IKE) SA and Conn-ID 2 the phase-2 (IPSec) SA, both in state RD (ready) with keepalives (ST). ESP SAs are unidirectional, so dis ipsec sa shows one outbound and one inbound SA, each with its own SPI. The negotiated proposal (AES-128 with HMAC-SHA2-512 truncated to 256 bits) matches the configured ipsec proposal; the lifetime counts down in both bytes and seconds and the SA is rekeyed when either limit is reached; the N for NAT traversal means no NAT was detected between the peers; and the anti-replay window of 32 packets is what makes a replayed or badly reordered ESP packet get dropped.
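The anti-replay window and the sequence counters in the output above are what the receiver uses to drop replayed ESP packets. The following is an added example (not from the page) that reads those fields out of the displayed text and implements the sliding-window check of RFC 4303 Appendix A; the sequence of received packet numbers is constructed, and the router's internal implementation may differ in detail from this reference version.

```python
import re

# Part of "display ipsec sa" as shown on this page (inbound SA).
IPSEC_SA_OUTPUT = """
[Inbound ESP SAs]
SPI: 3197321182 (0xbe933fde)
Proposal: ESP-ENCRYPT-AES-128 SHA2-512-256
SA remaining key duration (bytes/sec): 1887436380/2740
Max received sequence-number: 5
Anti-replay window size: 32
UDP encapsulation used for NAT traversal: N
"""


def field(text, label, default=None):
    """Integer value of one 'Label: number' line in the display output."""
    m = re.search(rf"{re.escape(label)}:\s*(\d+)", text)
    return int(m.group(1)) if m else default


class AntiReplayWindow:
    """Receiver-side ESP anti-replay check (RFC 4303 Appendix A, 32-bit sequence numbers).
    The window covers the `size` highest sequence numbers seen; the bitmap marks those already accepted."""

    def __init__(self, size=32, highest=0):
        self.size, self.top, self.bitmap = size, highest, (1 if highest else 0)

    def check(self, seq):
        """Return (accepted, reason). Run this only after the ICV verified, or a forged packet could advance the window."""
        if seq == 0:
            return False, "seq 0 is never sent (senders start at 1)"
        if seq > self.top:  # new highest number: slide the window up
            shift = seq - self.top
            self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1) if shift < self.size else 0
            self.bitmap |= 1
            self.top = seq
            return True, "accepted, window advanced"
        if seq <= self.top - self.size:
            return False, f"too old: below window [{self.top - self.size + 1}, {self.top}]"
        bit = 1 << (self.top - seq)
        if self.bitmap & bit:
            return False, "replay: already received"
        self.bitmap |= bit
        return True, "accepted, late but inside window"


def window_from_display(text):
    """Seed a window from the counters the router displays; the bitmap below the highest number is unknown, so left clear."""
    return AntiReplayWindow(field(text, "Anti-replay window size", 32),
                            field(text, "Max received sequence-number", 0))


def replay_trace(seqs, size=32, highest=0):
    """Run a constructed sequence of received ESP sequence numbers through one fresh window."""
    win = AntiReplayWindow(size, highest)
    return [(seq, *win.check(seq)) for seq in seqs]


def accepted(seqs, size=32, highest=0):
    return [ok for _, ok, _ in replay_trace(seqs, size, highest)]
```

`replay_trace([1, 2, 3, 5, 4, 3, 40, 7, 9, 0])` accepts the out-of-order 4, rejects the replayed 3, slides the window to [9, 40] when 40 arrives and then rejects 7 as too old while still accepting 9. That last case is the operational caveat: on a link where QoS or load balancing reorders packets by more than the window, legitimate traffic is dropped as "too old", and the fix is a larger window, not disabling anti-replay. With 32-bit sequence numbers and no extended sequence numbers the SA must also be rekeyed before the counter wraps.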

IPSec over dynamic routing (GRE over IPSec)

  Create a new loopback on each router (these are the networks OSPF will advertise through the tunnel):
  [r1]int LoopBack 1
  [r1-LoopBack1]ip ad 1.1.1.1 24
  GRE tunnel configuration (the tunnel rides on the public addresses from the previous scenario):
  [r1]int t0/0/0
  [r1-Tunnel0/0/0]tunnel-protocol gre
  [r1-Tunnel0/0/0]source g0/0/0
  [r1-Tunnel0/0/0]destination 100.1.2.2
  [r1-Tunnel0/0/0]ip add 10.1.1.1 24
  [r2]int lo 1
  [r2-LoopBack1]ip add 2.2.2.2 24
  [r2]int t0/0/0
  [r2-Tunnel0/0/0]tunnel-protocol gre
  [r2-Tunnel0/0/0]source g0/0/0
  [r2-Tunnel0/0/0]destination 100.1.1.1
  [r2-Tunnel0/0/0]ip add 10.1.1.2 24
  OSPF configuration:
  [r1]ospf 1
  [r1-ospf-1]a 0
  [r1-ospf-1-area-0.0.0.0]network 1.1.1.1 0.0.0.0
  [r1-ospf-1-area-0.0.0.0]network 10.1.1.1 0.0.0.0
  [r2]ospf 1
  [r2-ospf-1]a 0
  [r2-ospf-1-area-0.0.0.0]network 2.2.2.2 0.0.0.0
  [r2-ospf-1-area-0.0.0.0]network 10.1.1.2 0.0.0.0
  Check neighbor establishment:
  [r1]dis ospf peer brief
  OSPF Process 1 with Router ID 100.1.1.1
  Peer Statistic Information
  ----------------------------------------------------------------------------
  Area Id Interface Neighbor id State
  0.0.0.0 Tunnel0/0/0 100.1.2.2 Full
  ----------------------------------------------------------------------------

An ACL-based IPSec policy cannot carry OSPF on its own, because OSPF hellos are multicast. The GRE tunnel turns them into unicast GRE packets between 100.1.1.1 and 100.1.2.2, and it is that GRE stream that IPSec protects in the steps below.

(1) Configure the IKE SA

<1> IKE proposal

  [r1]ike proposal 10
  [r1-ike-proposal-10]encryption-algorithm 3des-cbc
  [r1-ike-proposal-10]authentication-algorithm sha1
  [r1-ike-proposal-10]authentication-method pre-share
  [r1-ike-proposal-10]dh group2
  [r2]ike proposal 10
  [r2-ike-proposal-10]encryption-algorithm 3des-cbc
  [r2-ike-proposal-10]authentication-algorithm sha1
  [r2-ike-proposal-10]authentication-method pre-share
  [r2-ike-proposal-10]dh group2

<2> IKE peer (authentication)

  [r1]ike peer gre v1
  [r1-ike-peer-gre]pre-shared-key simple aaa // pre-shared key (simple: stored in plaintext in the configuration)
  [r1-ike-peer-gre]exchange-mode aggressive // aggressive mode
  [r1-ike-peer-gre]local-id-type name // identify this peer by name instead of by IP address
  [r1-ike-peer-gre]remote-name a1 // the peer's name; must equal the peer's ike local-name
  [r1-ike-peer-gre]remote-address 100.1.2.2 // the peer's address
  [r1-ike-peer-gre]ike-proposal 10 // reference the IKE proposal
  [r1]ike local-name a1 // this router's name, set globally (r2's own ike local-name is not shown in this listing; it must equal r1's remote-name)
  [r2]ike peer gre v1
  [r2-ike-peer-gre]ike-proposal 10
  [r2-ike-peer-gre]pre-shared-key simple aaa
  [r2-ike-peer-gre]remote-address 100.1.1.1
  [r2-ike-peer-gre]exchange-mode aggressive
  [r2-ike-peer-gre]local-id-type name
  [r2-ike-peer-gre]remote-name a1

Aggressive mode finishes phase 1 in three messages instead of six, but it sends the identities and the PSK-derived authentication hash before anything is encrypted, so an observer on the ISP link can capture that hash and crack a weak pre-shared key offline. It is justified when a peer has a dynamic address and has to be identified by name; here both addresses are fixed, so main mode with pre-shared-key cipher (encrypted in the configuration rather than simple plaintext) would be the safer choice.

(2) Configure the IPSec proposal (IPSec SA parameters)

  [r1]ipsec proposal gre
  [r1-ipsec-proposal-gre]encapsulation-mode transport // transport mode: GRE already supplies the outer header
  [r2]ipsec proposal gre
  [r2-ipsec-proposal-gre]encapsulation-mode transport

Only the encapsulation mode is set here; the security protocol and the ESP algorithms are left at the device defaults (check them with dis ipsec proposal) and should be set explicitly, as in the first scenario with sha2-512 and aes-128. Transport mode suffices because the packets to protect are GRE packets whose own IP header already carries the routable public addresses 100.1.1.1 and 100.1.2.2.

(3) Define the traffic to be encrypted (interesting traffic)

  [r1]acl 3001
  [r1-acl-adv-3001]rule 10 permit gre source 100.1.1.1 0 destination 100.1.2.2 0
  [r2]acl 3001
  [r2-acl-adv-3001]rule 10 permit gre source 100.1.2.2 0 destination 100.1.1.1 0

The ACL matches protocol GRE (IP protocol 47) between the tunnel endpoints rather than the inner networks: whatever OSPF learns and routes into Tunnel0/0/0 (1.1.1.0/24, 2.2.2.0/24 and the OSPF packets themselves) ends up inside this single GRE flow, so the ACL needs no change when routes change.

(4) Configure the IPSec policy

  [r1]ipsec policy gre 10 isakmp
  [r1-ipsec-policy-isakmp-gre-10]ike-peer gre
  [r1-ipsec-policy-isakmp-gre-10]proposal gre
  [r1-ipsec-policy-isakmp-gre-10]security acl 3001
  [r2]ipsec policy gre 10 isakmp
  [r2-ipsec-policy-isakmp-gre-10]security acl 3001
  [r2-ipsec-policy-isakmp-gre-10]proposal gre
  [r2-ipsec-policy-isakmp-gre-10]ike-peer gre

(5) Apply the policy on the interface

  [r1]int g0/0/0
  [r1-GigabitEthernet0/0/0]ipsec policy gre
  [r2]int g0/0/0
  [r2-GigabitEthernet0/0/0]ipsec policy gre

An interface can have only one IPSec policy group applied, so policy k from the first scenario and policy gre cannot both be active on g0/0/0; the two scenarios are separate labs.

Trigger with a ping (anything routed into Tunnel0/0/0, the OSPF hellos included, becomes GRE between 100.1.1.1 and 100.1.2.2 and matches ACL 3001):

Traffic is now encrypted: on the ISP link the GRE packets appear as ESP (IP protocol 50) between the public addresses.

(6) Analysis
