Home > Article > Operation and Maintenance > How to perform ipsec instructions and tunnel case analysis
1. Introduction to IPSEC
IPSec includes security protocol (Security Protocol) and key exchange protocol (IKE). It was developed by IETF (Internet Engineering Task Force, Internet Engineering Task Force) and can provide communication for both parties. A general term for a series of network security protocols that provide services such as access control, connectionless integrity, data source authentication, anti-replay, encryption, and data flow classification and encryption. The security protocols include AH (Header Authentication Protocol) and ESP ( Security encapsulation payload); and IKE is a TCP/IP framework based on ISAKMP (Internet Security Association and Key Management Protocol, Internet Security Association and Key Management Protocol), which merges part of Oakley (Key Exchange Protocol) and SKEME ( Key technology protocol) hybrid protocol.
2. IPSEC security features
(1) Non-repudiation: "Non-repudiation" can prove that the sender of a message is the only possible sender, and the sender cannot deny sending the message. "Non-repudiation" is a feature of using public key technology. When using public key technology, the sender uses the private key to generate a digital signature and sends it with the message, and the receiver uses the sender's public key to verify the digital signature. Since in theory only the sender has the private key, and only the sender can generate the digital signature, as long as the digital signature passes verification, the sender cannot deny that the message was sent. But "non-repudiation" is not a feature of authentication-based shared key technology, because in authentication-based shared key technology, the sender and receiver have the same key.
(2) Anti-Replay: The IPsec receiver can detect the uniqueness of each IP packet based on the 32-bit sequence number added before the data segment of the data packet and refuse to receive outdated or duplicate packets. message to prevent attackers from intercepting and deciphering the information and then using the same information package to obtain illegal access rights (even if this fraudulent behavior occurs months later).
(3) Data Integrity: The IPsec receiver uses hash algorithms such as md5 and sha-1 to authenticate the packets sent by the sender to prevent data from being tampered with during the transmission process and ensure that the data is sent out. Consistency of data and received data.
(4) Data reliability (Confidentiality): The IPsec sender encrypts the packet before transmitting it over the network through symmetric encryption algorithms such as des, 3des, aes, etc. to ensure that during the transmission process, even if the data packet is Intercepted, the information cannot be read. Relevant to the specific settings of the IPSec policy, this feature can be enabled or disabled in IPSec.
(5) Data source authentication (Data Authentication): IPsec can authenticate whether the sending end of IPsec messages is legitimate through preshared key (domain shared key), certificate, kerberos v5, etc. at the receiving end.
3. IPSEC working mode
(1) Tunnel mode: The user’s entire IP data packet is used to calculate the AH or ESP header, AH or ESP header and ESP encryption User data is encapsulated in a new IP packet. Typically, tunnel mode is used for communication between two security gateways.
(2) Transport mode: Only the transport layer data is used to calculate the AH or ESP header, and the AH or ESP header and ESP-encrypted user data are placed behind the original IP header. Commonly, transport mode is used for communication between two hosts or between a host and a security gateway.
4. Comparison of two protocols in IPSEC security mechanism
AH protocol (IP protocol number is 51) provides data source authentication, data integrity verification and packet replay prevention functions. It protects communications from tampering, but not eavesdropping, and is suitable for transmitting non-confidential data. The working principle of AH is to add an authentication header to each data packet. This header is inserted behind the standard IP header to provide integrity protection for the data. , but because the IP header contains many variables, such as type of service (TOS), flags, fragment offset, TTL and header checksum. Therefore, these values must be cleared before authentication. Otherwise, the hash will mismatch and cause packet loss. Therefore AH does not support NAT translation.
ESP protocol, numbered 50 in the IP protocol, can provide functions of data encryption, data source verification, data integrity check and prevention of repeated transmission. The working principle of ESP is to add an ESP header after the standard IP header of each data packet, and append an ESP trailer after the data packet. The difference of the ESP protocol is that it encrypts the user data that needs to be protected and then encapsulates it into IP packets to ensure the confidentiality of the data.
The following figure better explains the encryption and authentication of data packets by AH and ESP in the two working modes of IPSEC
5. Basic concepts of IPsec (Based on H3C)
1. Data flow: In IPSec, a set of data with the same source address/mask/port, destination address/mask/port and upper layer protocol is called a data flow. Usually, a data flow is defined by an access control list (ACL), and all packets allowed to pass by the ACL are logically regarded as one data flow.
The security policy specifies the security measures manually configured by the user, which is used to specify which security operations are used for which data flows. The definition of data flows is achieved by configuring multiple rules in an access control list. This access control list is referenced in the security policy to determine the data flows that need to be protected. A security policy is uniquely determined by "name" and "sequence number".
3. Security policy group: a collection of all security policies with the same name. On an interface, you can apply or cancel a security policy group, so that multiple security policies in the security policy group can be applied to the interface at the same time, thereby implementing different security protections for different data flows. In the same security policy group, the security policy with the smaller sequence number has a higher priority.
4. Security Association (SA): The security services provided by IPSec for data flows are implemented through the security association SA. It includes protocols, algorithms, keys, etc., and specifically determines how to protect IP The message is processed. An SA is a one-way logical connection between two IPSec systems. The input data flow and the output data flow are processed by the input security association and the output security association respectively. A security association is uniquely identified by a triplet (security parameter index (SPI), IP destination address, security protocol number (AH or ESP)).
Security associations can be established through manual configuration and automatic negotiation.
Manually establishing a security association means that users manually set all SA information on both ends, and then apply security policies on the interface to establish a security alliance. The disadvantage is that the configuration is complex and does not support some advanced features (such as regularly updating passwords). key), suitable for small businesses.
The automatic negotiation method is generated and maintained by IKE. The communicating parties match and negotiate based on their respective security policy libraries, and finally establish a security alliance without user intervention. The configuration is simple and suitable for large enterprises. Auto-negotiation is divided into main mode and aggressive mode. The main difference between aggressive mode exchange and main mode exchange is that aggressive mode does not provide identity protection. In situations where identity protection requirements are not high, the aggressive mode, which exchanges fewer packets, can increase the speed of negotiation; in situations where identity protection requirements are high, main mode should be used.
Each IPSec message carries a 32-bit security parameter index (SPI). The triplet consists of SPI, destination IP address and security protocol number, and is used to uniquely identify a specific security association. When manually configuring a security association, you need to manually specify the SPI value. To ensure the uniqueness of the security association, each security association needs to specify a different SPI value; when using IKE negotiation to generate a security association, the SPI will be randomly generated.
6. Security proposal: including the security protocol, the algorithm used by the security protocol, and the encapsulation form of the packet by the security protocol. It stipulates the way to convert ordinary IP packets into IPSec packets. Security policies can specify the protocols, algorithms, etc. used by citing security recommendations.
6.IPsec IPSEC configuration steps
Create an encrypted access control list
According to whether it matches the encrypted access control list, you can determine which IP packets are sent after being encrypted, and which IP packets are sent directly.
Receive and forward. The secure traffic that needs to be protected is defined using extended IP access control lists.
acl acl-number
rule { normal | special }{ permit | deny } pro-number[source source-addr source-wildcard | any ][source-port operator port1 [ port2 ] ] [ destination dest-addr dest- wildcard | any ][destination-port operator port1 [ port2 ] ] [icmp-type icmp-type icmp-code][logging]
Define security proposal
Define security proposal ipsec proposal proposal-name
Set the encapsulation mode of IP packets by the security protocol encapsulation-mode { transport | tunnel }
Select the security protocol transform { ah-new | ah- esp-new | esp-new }
Select encryption algorithm and authentication algorithm
In the ESP protocol, the conversion option can be {ah-new | ah-esp-new | esp-new }
Transform { ah-new | ah-esp-new | esp-new }
Create security policy under AH protocol
The configuration of manually creating security policy includes:
Manually create a security policy ipsec policy policy-name sequence-number manual
Configure the access control list referenced by the security policy security acl access-list-number
Specify the starting point and Endpoint tunnel local ip-address
tunnel remote ip-address
Configure the security proposal referenced in the security policy proposal proposal-name
Configure the SPI of the security policy alliance and use it Key
SPI configuration sa inbound { ah | esp } spi spi-number
sa outbound { ah | esp } spi spi-number
Key configuration
AH16 hexadecimal key sa { inbound | outbound } ah hex-key-string hex-key
AH character key sa { inbound | outbound } ah string-key string-key
ESP16 hexadecimal key sa { inbound | outbound } esp encryption-hex hex-key
ESP character key sa { inbound | outbound } esp string-key string-key
Apply the security policy group on the interface
ipsec policy policy-name
IKE configuration to create a security policy alliance includes:
Use IKE to create a security policy alliance
ipsec policy policy-name sequence-number isakmp
Configure the access control list referenced by the security policy
security acl access-list- number
Specify the end point of the security tunnel
tunnel remote ip-address
Configure the security proposal referenced in the security policy
proposal proposal-name1 [proposal- name2...proposal-name6 ]
Configure the survival time of the security association (optional)
Configure the global time
ipsec sa global-duration time-based seconds
ipsec sa global-duration traffic-based kilobytes
Configure independent time
sa duration { time-based seconds |traffic-based kilobytes }
IPsec configuration case :Use ipsec tunnel protocol to complete enterprise secure communication
Experimental equipment: three Huawei AR1220 routers, one Huawei s5700 switch
Topology diagram:
Configuration process:
Switch: (To add a port on this switch, you need to enable the port mode to access)
vlan 10
port GE0/0/10
vlan 20
port GE0/0/20
vlan 24
port GE0/0/24
int vlan 10
ip add 1.1.1.2 255.255.255.0
int vlan 20
ip add 1.1.2.2 255.255.255.0
int vlan 24
ip add 1.1 .3.2 255.255.255.0
R1
system-view
sysname R1
int eth0/0/0
ip add 192.168 .1.1 24
loopback
int eth0/0/1
ip add 1.1.1.1 24
quit
ip route 0.0 .0.0 0 1.1.2.2
ping 1.1.1.1
R2
system-view
sysname R2
int eth0/0 /0
ip add 192.168.2.1 24
loopback
int eth0/0/1
ip add 1.1.2.1 24
quit
ip route 0.0.0.0 0 1.1.2.2
ping 1.1.1.1
R3
system-view
sysname R3
int eth0/0/0
ip add 192.168.3.1 24
loopback
int eth0/0/1
ip add 1.1.3.1 24
quit
ip route 0.0.0.0 0 1.1.3.2
ping 1.1.1.1
R1 to R2, R3 Tunnel
acl number 3000 match-order auto
rule 10 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
rule 20 deny ip source any destination any
acl number 3001 match-order auto
rule 10 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
rule 20 deny ip source any destination any
quit
Security proposal
ipsec proposal tran1
encapsulation-mode tunnel
transform esp
esp authentication-algorithm md5 (verification algorithm)
esp encryption-algorithm des (encryption algorithm)
ipsec proposal tran2
encapsulation-mode tunnel
transform esp
esp authentication-algorithm md5
esp encryption-algorithm des
quit
Configure the corresponding IKE
ike peer R2
remote-address 1.1.2.1
pre-shared-key simple abcdef
ike peer R3
remote-address 1.1.3.1
pre-shared-key simple 123456
Add policy
ipsec policy policy1 10 isakmp
ike peer R2
security acl 3000
proposal tran1
ipsec policy policy1 20 isakmp
ike peer R3
security acl 3000
proposal tran2
out Apply policy on the interface
int e0/0/1
ipsec policy policy1
R2 to R1
acl number 3000 match-order auto
rule 10 permitip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 20 deny ip source any destination any
quit
ipsec proposal tran1
encapsulation-mode tunnel
transform esp
esp authentication-algorithm md5
esp encryption-algorithm des
quit
ike peer R1
remote-address 1.1.1.1
pre-shared-key simple abcdef
quit
ipsec policy policy1 10 isakmp
ike peer R1
security acl 3000
proposal tran1
Apply policy on outbound interface
int e0/0/1
ipsec policy policy1
R3 to R1
acl number 3000 match-order auto
rule 10 permitip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 20 deny ip source any destination any
quit
ipsec proposal tran1
encapsulation-mode tunnel
transform esp
esp authentication-algorithm md5
esp encryption-algorithm des
quit
ike peer R1
remote-address 1.1. 1.1
pre-shared-key simple 123456
quit
ipsec policy policy1 10 isakmp
ike peer R1
security acl 3000
proposal tran1
Apply policy on outbound interface
int e0/0/1
ipsec policy policy1
That’s it Got it!
The above is the detailed content of How to perform ipsec instructions and tunnel case analysis. For more information, please follow other related articles on the PHP Chinese website!