How to perform ipsec instructions and tunnel case analysis

1. Introduction to IPSEC

IPSec includes security protocol (Security Protocol) and key exchange protocol (IKE). It was developed by IETF (Internet Engineering Task Force, Internet Engineering Task Force) and can provide communication for both parties. A general term for a series of network security protocols that provide services such as access control, connectionless integrity, data source authentication, anti-replay, encryption, and data flow classification and encryption. The security protocols include AH (Header Authentication Protocol) and ESP ( Security encapsulation payload); and IKE is a TCP/IP framework based on ISAKMP (Internet Security Association and Key Management Protocol, Internet Security Association and Key Management Protocol), which merges part of Oakley (Key Exchange Protocol) and SKEME ( Key technology protocol) hybrid protocol.

2. IPSEC security features

(1) Non-repudiation: "Non-repudiation" can prove that the sender of a message is the only possible sender, and the sender cannot deny sending the message. "Non-repudiation" is a feature of using public key technology. When using public key technology, the sender uses the private key to generate a digital signature and sends it with the message, and the receiver uses the sender's public key to verify the digital signature. Since in theory only the sender has the private key, and only the sender can generate the digital signature, as long as the digital signature passes verification, the sender cannot deny that the message was sent. But "non-repudiation" is not a feature of authentication-based shared key technology, because in authentication-based shared key technology, the sender and receiver have the same key.

(2) Anti-Replay: The IPsec receiver can detect the uniqueness of each IP packet based on the 32-bit sequence number added before the data segment of the data packet and refuse to receive outdated or duplicate packets. message to prevent attackers from intercepting and deciphering the information and then using the same information package to obtain illegal access rights (even if this fraudulent behavior occurs months later).

(3) Data Integrity: The IPsec receiver uses hash algorithms such as md5 and sha-1 to authenticate the packets sent by the sender to prevent data from being tampered with during the transmission process and ensure that the data is sent out. Consistency of data and received data.

(4) Data reliability (Confidentiality): The IPsec sender encrypts the packet before transmitting it over the network through symmetric encryption algorithms such as des, 3des, aes, etc. to ensure that during the transmission process, even if the data packet is Intercepted, the information cannot be read. Relevant to the specific settings of the IPSec policy, this feature can be enabled or disabled in IPSec.

(5) Data source authentication (Data Authentication): IPsec can authenticate whether the sending end of IPsec messages is legitimate through preshared key (domain shared key), certificate, kerberos v5, etc. at the receiving end.

3. IPSEC working mode

(1) Tunnel mode: The user’s entire IP data packet is used to calculate the AH or ESP header, AH or ESP header and ESP encryption User data is encapsulated in a new IP packet. Typically, tunnel mode is used for communication between two security gateways.

(2) Transport mode: Only the transport layer data is used to calculate the AH or ESP header, and the AH or ESP header and ESP-encrypted user data are placed behind the original IP header. Commonly, transport mode is used for communication between two hosts or between a host and a security gateway.

4. Comparison of two protocols in IPSEC security mechanism

AH protocol (IP protocol number is 51) provides data source authentication, data integrity verification and packet replay prevention functions. It protects communications from tampering, but not eavesdropping, and is suitable for transmitting non-confidential data. The working principle of AH is to add an authentication header to each data packet. This header is inserted behind the standard IP header to provide integrity protection for the data. , but because the IP header contains many variables, such as type of service (TOS), flags, fragment offset, TTL and header checksum. Therefore, these values ​​must be cleared before authentication. Otherwise, the hash will mismatch and cause packet loss. Therefore AH does not support NAT translation.

ESP protocol, numbered 50 in the IP protocol, can provide functions of data encryption, data source verification, data integrity check and prevention of repeated transmission. The working principle of ESP is to add an ESP header after the standard IP header of each data packet, and append an ESP trailer after the data packet. The difference of the ESP protocol is that it encrypts the user data that needs to be protected and then encapsulates it into IP packets to ensure the confidentiality of the data.

The following figure better explains the encryption and authentication of data packets by AH and ESP in the two working modes of IPSEC

5. Basic concepts of IPsec (Based on H3C)

1. Data flow: In IPSec, a set of data with the same source address/mask/port, destination address/mask/port and upper layer protocol is called a data flow. Usually, a data flow is defined by an access control list (ACL), and all packets allowed to pass by the ACL are logically regarded as one data flow.

The security policy specifies the security measures manually configured by the user, which is used to specify which security operations are used for which data flows. The definition of data flows is achieved by configuring multiple rules in an access control list. This access control list is referenced in the security policy to determine the data flows that need to be protected. A security policy is uniquely determined by "name" and "sequence number".

3. Security policy group: a collection of all security policies with the same name. On an interface, you can apply or cancel a security policy group, so that multiple security policies in the security policy group can be applied to the interface at the same time, thereby implementing different security protections for different data flows. In the same security policy group, the security policy with the smaller sequence number has a higher priority.

4. Security Association (SA): The security services provided by IPSec for data flows are implemented through the security association SA. It includes protocols, algorithms, keys, etc., and specifically determines how to protect IP The message is processed. An SA is a one-way logical connection between two IPSec systems. The input data flow and the output data flow are processed by the input security association and the output security association respectively. A security association is uniquely identified by a triplet (security parameter index (SPI), IP destination address, security protocol number (AH or ESP)).
Security associations can be established through manual configuration and automatic negotiation.
Manually establishing a security association means that users manually set all SA information on both ends, and then apply security policies on the interface to establish a security alliance. The disadvantage is that the configuration is complex and does not support some advanced features (such as regularly updating passwords). key), suitable for small businesses.
The automatic negotiation method is generated and maintained by IKE. The communicating parties match and negotiate based on their respective security policy libraries, and finally establish a security alliance without user intervention. The configuration is simple and suitable for large enterprises. Auto-negotiation is divided into main mode and aggressive mode. The main difference between aggressive mode exchange and main mode exchange is that aggressive mode does not provide identity protection. In situations where identity protection requirements are not high, the aggressive mode, which exchanges fewer packets, can increase the speed of negotiation; in situations where identity protection requirements are high, main mode should be used.

Each IPSec message carries a 32-bit security parameter index (SPI). The triplet consists of SPI, destination IP address and security protocol number, and is used to uniquely identify a specific security association. When manually configuring a security association, you need to manually specify the SPI value. To ensure the uniqueness of the security association, each security association needs to specify a different SPI value; when using IKE negotiation to generate a security association, the SPI will be randomly generated.

6. Security proposal: including the security protocol, the algorithm used by the security protocol, and the encapsulation form of the packet by the security protocol. It stipulates the way to convert ordinary IP packets into IPSec packets. Security policies can specify the protocols, algorithms, etc. used by citing security recommendations.

6.IPsec IPSEC configuration steps

Create an encrypted access control list

According to whether it matches the encrypted access control list, you can determine which IP packets are sent after being encrypted, and which IP packets are sent directly.

Receive and forward. The secure traffic that needs to be protected is defined using extended IP access control lists.

acl acl-number

rule { normal | special }{ permit | deny } pro-number[source source-addr source-wildcard | any ][source-port operator port1 [ port2 ] ] [ destination dest-addr dest- wildcard | any ][destination-port operator port1 [ port2 ] ] [icmp-type icmp-type icmp-code][logging]

Define security proposal

Define security proposal ipsec proposal proposal-name

Set the encapsulation mode of IP packets by the security protocol encapsulation-mode { transport | tunnel }

Select the security protocol transform { ah-new | ah- esp-new | esp-new }

Select encryption algorithm and authentication algorithm

In the ESP protocol, the conversion option can be {ah-new | ah-esp-new | esp-new }

Transform { ah-new | ah-esp-new | esp-new }

Create security policy under AH protocol

The configuration of manually creating security policy includes:

Manually create a security policy ipsec policy policy-name sequence-number manual

Configure the access control list referenced by the security policy security acl access-list-number

Specify the starting point and Endpoint tunnel local ip-address

tunnel remote ip-address

Configure the security proposal referenced in the security policy proposal proposal-name

Configure the SPI of the security policy alliance and use it Key

SPI configuration sa inbound { ah | esp } spi spi-number

sa outbound { ah | esp } spi spi-number

Key configuration

AH16 hexadecimal key sa { inbound | outbound } ah hex-key-string hex-key

AH character key sa { inbound | outbound } ah string-key string-key

ESP16 hexadecimal key sa { inbound | outbound } esp encryption-hex hex-key

ESP character key sa { inbound | outbound } esp string-key string-key

Apply the security policy group on the interface

ipsec policy policy-name

IKE configuration to create a security policy alliance includes:

Use IKE to create a security policy alliance

ipsec policy policy-name sequence-number isakmp

Configure the access control list referenced by the security policy

security acl access-list- number

Specify the end point of the security tunnel

tunnel remote ip-address

Configure the security proposal referenced in the security policy

proposal proposal-name1 [proposal- name2...proposal-name6 ]

Configure the survival time of the security association (optional)

Configure the global time

ipsec sa global-duration time-based seconds

ipsec sa global-duration traffic-based kilobytes

Configure independent time

sa duration { time-based seconds |traffic-based kilobytes }

IPsec configuration case :Use ipsec tunnel protocol to complete enterprise secure communication

Experimental equipment: three Huawei AR1220 routers, one Huawei s5700 switch

Topology diagram:

Configuration process:

Switch: (To add a port on this switch, you need to enable the port mode to access)

vlan 10

port GE0/0/10

vlan 20

port GE0/0/20

vlan 24

port GE0/0/24

int vlan 10

ip add 1.1.1.2 255.255.255.0

int vlan 20

ip add 1.1.2.2 255.255.255.0

int vlan 24

ip add 1.1 .3.2 255.255.255.0

R1

system-view

sysname R1

int eth0/0/0

ip add 192.168 .1.1 24

loopback

int eth0/0/1

ip add 1.1.1.1 24

quit

ip route 0.0 .0.0 0 1.1.2.2

ping 1.1.1.1

R2

system-view

sysname R2

int eth0/0 /0

ip add 192.168.2.1 24

loopback

int eth0/0/1

ip add 1.1.2.1 24

quit

ip route 0.0.0.0 0 1.1.2.2

ping 1.1.1.1

R3

system-view

sysname R3

int eth0/0/0

ip add 192.168.3.1 24

loopback

int eth0/0/1

ip add 1.1.3.1 24

quit

ip route 0.0.0.0 0 1.1.3.2

ping 1.1.1.1

R1 to R2, R3 Tunnel

acl number 3000 match-order auto

rule 10 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255

rule 20 deny ip source any destination any

acl number 3001 match-order auto

rule 10 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255

rule 20 deny ip source any destination any

quit

Security proposal

ipsec proposal tran1

encapsulation-mode tunnel

transform esp

esp authentication-algorithm md5 (verification algorithm)

esp encryption-algorithm des (encryption algorithm)

ipsec proposal tran2

encapsulation-mode tunnel

transform esp

esp authentication-algorithm md5

esp encryption-algorithm des

quit

Configure the corresponding IKE

ike peer R2

remote-address 1.1.2.1

pre-shared-key simple abcdef

ike peer R3

remote-address 1.1.3.1

pre-shared-key simple 123456

Add policy

ipsec policy policy1 10 isakmp

ike peer R2

security acl 3000

proposal tran1

ipsec policy policy1 20 isakmp

ike peer R3

security acl 3000

proposal tran2

out Apply policy on the interface

int e0/0/1

ipsec policy policy1

R2 to R1

acl number 3000 match-order auto

rule 10 permitip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255

rule 20 deny ip source any destination any

quit

ipsec proposal tran1

encapsulation-mode tunnel

transform esp

esp authentication-algorithm md5

esp encryption-algorithm des

quit

ike peer R1

remote-address 1.1.1.1

pre-shared-key simple abcdef

quit

ipsec policy policy1 10 isakmp

ike peer R1

security acl 3000

proposal tran1

Apply policy on outbound interface

int e0/0/1

ipsec policy policy1

R3 to R1

acl number 3000 match-order auto

rule 10 permitip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255

rule 20 deny ip source any destination any

quit

ipsec proposal tran1

encapsulation-mode tunnel

transform esp

esp authentication-algorithm md5

esp encryption-algorithm des

quit

ike peer R1

remote-address 1.1. 1.1

pre-shared-key simple 123456

quit

ipsec policy policy1 10 isakmp

ike peer R1

security acl 3000

proposal tran1

Apply policy on outbound interface

int e0/0/1

ipsec policy policy1

That’s it Got it!

The above is the detailed content of How to perform ipsec instructions and tunnel case analysis. For more information, please follow other related articles on the PHP Chinese website!