××× Notes (continuously updated)
History of encryption
In the past, security rested on keeping the algorithm secret; in modern systems it rests on keeping the key secret.
Breaking a system: the best opportunities lie in key management and key distribution, not in the algorithm itself.
Therefore the success of a cryptosystem hinges on key generation, key distribution and key management.
Encryption security
There is no absolute security; the strength of an encryption method is determined by its computational complexity.
The security of a modern cryptosystem is measured in terms of "computational security".
Two encryption modes: stream ciphers and block ciphers.
Symmetric algorithms
  Advantages: fast, secure, compact ciphertext.
  Disadvantages: key transport and management; the number of keys grows exponentially; no support for digital signatures or non-repudiation.
Asymmetric algorithms
  Advantages: secure; key management is secure and convenient; supports digital signatures and non-repudiation.
  Disadvantages: slow; the ciphertext is long.
HMAC (keyed hash): sender computes Key + Data -> Hash; receiver computes Key + Data -> Hash; the two hashes must match.
Digital signature: |data + key| + Hash. A digital signature alone cannot complete identity authentication; it must be combined with a certificate.
Certificate: guarantees that a public key belongs to an identity. It is a formatted public key containing name, address, organization, public key, validity period and the CA's digital signature.
Complete solution: SSL, A <---> B
1. A --> B: A's certificate + A's public key.
2. B --> A: the shared key encrypted with A's public key (ciphertext); the plaintext hash signed with B's private key (digital signature); B's public key + B's certificate.
3. A verifies B's certificate, checks the signature with B's public key, recomputes the hash and recovers the shared key.
4. B --> A: data encrypted with the shared key (ciphertext); A decrypts with the shared key to obtain the plaintext.
---------------------------------------------------------
Comparison of ××× technologies
The ××× technologies in practical use today are IPSec ×××, SSL ××× and MPLS ×××. Each has its own characteristics and strengths. Major foreign vendors currently put more emphasis on SSL ××× and MPLS ×××, which are developing quickly, but the most widely deployed and most mature technology is still IPSec ×××.
IPSec is a network-layer protocol: a family of protocols for securing IP communication. SSL is a socket-layer protocol that secures Web-based communication over the Internet. MPLS ××× (MultiProtocol Label Switching) uses label switching as its underlying forwarding mechanism.
1. IPSec addresses data integrity, confidentiality and legitimacy while data crosses a public network with a complete set of tunnelling, encryption and authentication mechanisms. IPSec gives IPv4/IPv6 networks an interoperable, high-quality, cryptography-based security mechanism, providing access control, connectionless integrity, data-origin authentication, anti-replay, cryptography-based confidentiality and limited traffic-flow confidentiality.
2. SSL works by encrypting the data sent over the SSL connection with public-key cryptography. SSL is a high-level security protocol built on the application layer. SSL ××× uses the SSL protocol and proxies to give end users authenticated, secure access to HTTP, client/server and shared file resources. SSL ××× performs user-level authentication, ensuring that only users authenticated by the security policy can access the specified resources.
3. MPLS is a network technology that performs label switching over many kinds of layer-2 media. Whatever the data format, layer-3 routing is done at the edge of the network while the MPLS core uses layer-2 switching, so MPLS can be summarized in one phrase: "route at the edge, switch in the core".
IPsec basics: originated in IPv6; network-layer encryption.
IPsec framework
  Encryption: DES, 3DES, AES, RSA
  Hash: SHA-1, MD5
  Encapsulation: ESP, AH
  Authentication: pre-shared key, digital certificate
| IP | IPSEC Header | TCP | FTP | Data |
                    |<---- encrypted ---->|
Two deployment models: L2L (LAN-to-LAN) and Remote Access.
Two modes: tunnel and transport.
  Tunnel: communication point != encryption point   | NIP | ESP/AH | IP | DATA |
  Transport: communication point = encryption point  | IP | ESP/AH | DATA |
L2L and Remote Access use tunnel mode; PC-to-PC and GRE over IPsec use transport mode.
SA (Security Association) is the foundation of IPsec. An SA is an agreement negotiated between two communicating entities; it determines the IPsec protocol used to protect the packets (ESP/AH), the transforms (encryption/hash), the keys and the key lifetime.
SADB (SA database): SAs are unidirectional and protocol-specific.
SPD (Security Policy Database): discard, bypass, or apply (protect).
IPsec components: ESP (Encapsulating Security Payload), AH (Authentication Header), IKE (Internet Key Exchange).
ESP, protocol number 50: confidentiality, data integrity, source authentication, anti-replay.
| IP | ESP header | TCP | Data | ESP auth |
Encryption covers everything after the ESP header through the ESP trailer; authentication covers the ESP header through the trailer.
ESP packet structure (tunnel mode):
  IP header (outer)
  SPI                               --+
  sequence number                     |
  IV                                  | authenticated
  IP header (inner)        --+        |
  TCP header                 | encrypted
  Data                       |        |
  Pad + pad length + next header     --+
  Authentication data
Cleartext part = SPI (locates the matching policy in the SADB) + sequence number (anti-replay). ESP auth = HMAC truncated to 96 bits.
ESP outbound processing (transport mode):
1. Insert the ESP header and fill in its fields
2. Select the SA and encrypt
3. Hash, and insert the result in the ESP trailer
4. Recompute the IP header checksum
Inbound:
1. Check that the SA exists
2. Check that the sequence number is valid
3. Verify packet integrity and source
4. Decrypt
5. Validity check (does the mode match?)
6. Forward (route lookup and forwarding)
Fragmentation: by default, fragment first, then encrypt.
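As an added illustration of the ESP fields and the inbound order above (SA lookup, sequence check, integrity, then decapsulation), here is a small Python model of tunnel-mode ESP using ESP-NULL (RFC 2410, so there is no cipher step) with HMAC-SHA1-96 as the ESP auth. This is example code written for these notes, not IOS code; the SPI, key and inner packet are constructed.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

ESP_ICV_LEN = 12        # HMAC-SHA1-96: the ICV is the first 96 bits of the HMAC
IPPROTO_IPIP = 4        # next header in tunnel mode: the payload is a whole IP packet
REPLAY_WINDOW = 64      # size of the anti-replay sliding window (RFC 4303 minimum is 32)


@dataclass
class SA:
    """One unidirectional SA as it would sit in the SADB (constructed, not an IOS structure)."""
    spi: int
    auth_key: bytes
    seq: int = 0              # outbound: last sequence number sent
    highest_seen: int = 0     # inbound: right edge of the replay window
    window: int = 0           # inbound: bitmap, bit k = (highest_seen - k) was received


def esp_encapsulate(sa: SA, inner_packet: bytes) -> bytes:
    """Outbound: ESP header | inner packet | pad | pad length | next header | ICV."""
    sa.seq += 1
    header = struct.pack("!II", sa.spi, sa.seq)
    # pad so that payload + pad + pad length + next header is a multiple of 4 bytes
    pad_len = (-(len(inner_packet) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))              # RFC 4303 default padding bytes
    trailer = padding + bytes([pad_len, IPPROTO_IPIP])
    authenticated = header + inner_packet + trailer     # ESP-NULL: "encryption" is identity
    icv = hmac.new(sa.auth_key, authenticated, hashlib.sha1).digest()[:ESP_ICV_LEN]
    return authenticated + icv


def replay_check(sa: SA, seq: int) -> bool:
    """Sliding-window anti-replay test (RFC 4303 appendix A). True if seq is acceptable."""
    if seq == 0:
        return False
    if seq > sa.highest_seen:
        return True
    if sa.highest_seen - seq >= REPLAY_WINDOW:
        return False                                    # too old for the window
    return not (sa.window >> (sa.highest_seen - seq)) & 1


def replay_update(sa: SA, seq: int) -> None:
    """Mark seq as received; only called after the ICV has verified."""
    if seq > sa.highest_seen:
        shift = seq - sa.highest_seen
        sa.window = ((sa.window << shift) | 1) & ((1 << REPLAY_WINDOW) - 1)
        sa.highest_seen = seq
    else:
        sa.window |= 1 << (sa.highest_seen - seq)


def esp_decapsulate(sadb: dict, packet: bytes) -> bytes:
    """Inbound, in the order of the notes: SA lookup, sequence check, ICV, unpad, mode check."""
    if len(packet) < 8 + 2 + ESP_ICV_LEN:
        raise ValueError("packet too short to be ESP")
    spi, seq = struct.unpack("!II", packet[:8])
    sa = sadb.get(spi)
    if sa is None:
        raise ValueError(f"no SA for SPI {spi:#x}")
    if not replay_check(sa, seq):
        raise ValueError(f"replayed or stale sequence number {seq}")
    body, icv = packet[:-ESP_ICV_LEN], packet[-ESP_ICV_LEN:]
    expected = hmac.new(sa.auth_key, body, hashlib.sha1).digest()[:ESP_ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV mismatch: integrity/source authentication failed")
    replay_update(sa, seq)      # a forged packet never moves the window: ICV is checked first
    pad_len, next_header = body[-2], body[-1]
    if next_header != IPPROTO_IPIP:
        raise ValueError("next header does not match tunnel mode")
    return body[8:len(body) - 2 - pad_len]


if __name__ == "__main__":
    # constructed demo: one SA pair sharing a key, a 25-byte fake inner IP packet
    out_sa = SA(spi=0x1001, auth_key=b"constructed-auth-key")
    sadb = {0x1001: SA(spi=0x1001, auth_key=b"constructed-auth-key")}
    inner = bytes.fromhex("45000019") + bytes(16) + b"hello"
    pkt = esp_encapsulate(out_sa, inner)
    print(len(pkt), esp_decapsulate(sadb, pkt) == inner)
```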
AH (Authentication Header), protocol number 51: no encryption; does not support NAT.
IKE is the protocol that negotiates an IPsec tunnel between two IPsec peers: it negotiates the protocol parameters, exchanges public values, authenticates both parties and manages the keys after the exchange.
IKE has three components (it is a hybrid protocol):
  SKEME: defines a key-exchange method.
  Oakley: support for multiple modes, for example new encryption techniques; does not define the exchanged messages in detail.
  ISAKMP: defines the message-exchange architecture, including the packet formats and states between two IPsec peers (encapsulation format and the way negotiation packets are exchanged).
Three modes: main mode, aggressive mode, quick mode.
  Aggressive mode: remote dial-up ××× with pre-shared keys (reduces the PC's resource consumption).
  Main mode: everything else.
---------------------------------------------------------
Phase 1 SA (ISAKMP SA, bidirectional): used for authentication (analogy: the dinner)
  Main mode: 6 packets              Aggressive mode: 3 packets
  |                                 |
  | new IPsec tunnel or rekey       |
Phase 2 SA (IPSEC SA, unidirectional): quick mode, 3 packets (analogy: signing the contract)
  A <--- protected data ---> B      c <--- protected data ---> d
---------------------------------------------------------
Phase 1: authentication. Phase 2: negotiate how the specific traffic is handled.
IKE phase 1, main mode, packets 1-2 (cleartext): exchange IP addresses (the configured peer) and policy (authentication method, hash, encryption, DH group, key lifetime).
The initiator sends all of its policies to the responder; the responder matches them against its own by sequence number and returns the matching policy.
IKE phase 1, main mode, packets 3-4 (cleartext): exchange DH public values.
IKE phase 1, main mode, packets 5-6 (encrypted): the two devices authenticate each other.
IKE phase 1, aggressive mode, packets 1-2 (cleartext): equivalent to main-mode packets 1-6, but the authentication information is shown in cleartext as a hash.
IKE phase 1, aggressive mode, packet 3: confirmation.
IKE phase 2, quick mode, 3 packets, triggered by interesting traffic:
1. The initiator proposes its policy for handling the actual traffic
2. The responder matches it and returns the policy
3. Confirmation
Standard IPsec ××× configuration
Topology: R1-----R2-----R3
  R1--R2: 12.1.1.1/2
  R2--R3: 23.1.1.2/3
  R1 lo0: 1.1.1.1
  R3 lo0: 3.3.3.3
1. Enable crypto isakmp
  crypto isakmp enable
2. Define the phase 1 policy
  crypto isakmp policy 10
The default policy is:
  R1#show crypto isakmp policy
  Default protection suite
          encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
          hash algorithm:         Secure Hash Standard
          authentication method:  Rivest-Shamir-Adleman Signature
          Diffie-Hellman group:   #1 (768 bit)
          lifetime:               86400 seconds, no volume limit
A configured policy is only displayed when it differs from the default.
3. Define the pre-shared key and peer
  crypto isakmp key 0 cisco address 23.1.1.3
(This key is used only for authentication; encryption uses the random values produced by DH.)
4. Define the interesting traffic
  ip access-list extended ×××
   permit ip host 1.1.1.1 host 3.3.3.3
5. Define the transform set (phase 2 policy)
  crypto ipsec transform-set trans esp-3des esp-sha-hmac
   mode tunnel/transport
(The mode need not be set here: transport mode is only used when the condition encryption point = communication point is met.)
6. Tie everything together in a crypto map
  crypto map ×××-1 10 ipsec-isakmp
   match address ***
   set transform-set trans
   set peer 23.1.1.3
7. Apply it on the interface
  interface f0/0
   crypto map ***-1
8. Verify
  show crypto engine connections active
  Crypto Engine Connections
     ID Interface  Type  Algorithm           Encrypt  Decrypt IP-Address
      1 Fa0/1      IPsec 3DES+SHA                  0        4 23.1.1.3
      2 Fa0/1      IPsec 3DES+SHA                  4        0 23.1.1.
  show crypto isakmp sa
  show crypto ipsec sa
9. Clear (must be done on both sides)
  clear crypto isakmp     default lifetime 1 day
  clear crypto sa         default lifetime 1 hour
Debug of the IPsec ××× establishment process
---------------------------------------------------------------------------------------------------
Apr 14 10:27:00.923: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 12.1.1.1, remote= 23.1.1.3,
    local_proxy= 1.1.1.1/255.255.255.255/0/0 (type=1),
    remote_proxy= 3.3.3.3/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Apr 14 10:27:00.931: ISAKMP:(0): SA request profile is (NULL)
Apr 14 10:27:00.935: ISAKMP: Created a peer struct for 23.1.1.3, peer port 500
Apr 14 10:27:00.935: ISAKMP: New peer created peer = 0x63F335E8 peer_handle = 0x80000003
Apr 14 10:27:00.935: ISAKMP: Locking peer struct 0x63F335E8, refcount 1 for isakmp_initiator
Apr 14 10:27:00.935: ISAKMP: local port 500, remote port 500
Apr 14 10:27:00.939: ISAKMP: set new node 0 to QM_IDLE
Apr 14 10:27:00.939: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 63F38D24
Apr 14 10:27:00.939: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Apr 14 10:27:00.939: ISAKMP:(0):found peer pre-shared key matching 23.1.1.3
Apr 14 10:27:00.943: ISAKMP:(0): constructed NAT-T vendor-07 ID
Apr 14 10:27:00.943: ISAKMP:(0): constructed NAT-T vendor-03 ID
Apr 14 10:27:00.947: ISAKMP:(0): constructed NAT-T vendor-02 ID
Apr 14 10:27:00.947: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Apr 14 10:27:00.947: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

Apr 14 10:27:00.947: ISAKMP:(0): beginning Main Mode exchange
Apr 14 10:27:00.951: ISAKMP:(0): sending packet to 23.1.1.3 my_port 500 peer_port 500 (I) MM_NO_STATE           // packet 1
Apr 14 10:27:00.951: ISAKMP:(0):Sending an IKE IPv4 Packet.
Apr 14 10:27:01.487: ISAKMP (0:0): received packet from 23.1.1.3 dport 500 sport 500 Global (I) MM_NO_STATE     // packet 2
Apr 14 10:27:01.491: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Apr 14 10:27:01.491: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2

Apr 14 10:27:01.495: ISAKMP:(0): processing SA payload. message ID = 0
Apr 14 10:27:01.495: ISAKMP:(0): processing vendor id payload
Apr 14 10:27:01.495: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
Apr 14 10:27:01.499: ISAKMP (0:0): vendor ID is NAT-T v7
Apr 14 10:27:01.499: ISAKMP:(0):found peer pre-shared key matching 23.1.1.3
Apr 14 10:27:01.499: ISAKMP:(0): local preshared key found
Apr 14 10:27:01.499: ISAKMP : Scanning profiles for xauth ...
Apr 14 10:27:01.503: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
Apr 14 10:27:01.503: ISAKMP:      encryption AES-CBC
Apr 14 10:27:01.503: ISAKMP:      keylength of 128
Apr 14 10:27:01.503: ISAKMP:      hash SHA
Apr 14 10:27:01.503: ISAKMP:      default group 2
Apr 14 10:27:01.503: ISAKMP:      auth pre-share
Apr 14 10:27:01.507: ISAKMP:      life type in seconds
Apr 14 10:27:01.507: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
Apr 14 10:27:01.507: ISAKMP:(0):atts are acceptable. Next payload is 0                             // packets 1-2 succeeded
Apr 14 10:27:01.511: ISAKMP:(0): processing vendor id payload
Apr 14 10:27:01.511: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
Apr 14 10:27:01.511: ISAKMP (0:0): vendor ID is NAT-T v7
Apr 14 10:27:01.515: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Apr 14 10:27:01.515: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2

Apr 14 10:27:01.523: ISAKMP:(0): sending packet to 23.1.1.3 my_port 500 peer_port 500 (I) MM_SA_SETUP       // packet 3
Apr 14 10:27:01.523: ISAKMP:(0):Sending an IKE IPv4 Packet.
Apr 14 10:27:01.527: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Apr 14 10:27:01.527: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3

Apr 14 10:27:02.119: ISAKMP (0:0): received packet from 23.1.1.3 dport 500 sport 500 Global (I) MM_SA_SETUP  // packet 4
Apr 14 10:27:02.123: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Apr 14 10:27:02.123: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4

Apr 14 10:27:02.131: ISAKMP:(0): processing KE payload. message ID = 0
Apr 14 10:27:02.239: ISAKMP:(0): processing NONCE payload. message ID = 0
Apr 14 10:27:02.243: ISAKMP:(0):found peer pre-shared key matching 23.1.1.3
Apr 14 10:27:02.247: ISAKMP:(1002): processing vendor id payload
Apr 14 10:27:02.247: ISAKMP:(1002): vendor ID is Unity
Apr 14 10:27:02.251: ISAKMP:(1002): processing vendor id payload
Apr 14 10:27:02.251: ISAKMP:(1002): vendor ID is DPD
Apr 14 10:27:02.251: ISAKMP:(1002): processing vendor id payload
Apr 14 10:27:02.255: ISAKMP:(1002): speaking to another IOS box!
Apr 14 10:27:02.255: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Apr 14 10:27:02.255: ISAKMP:(1002):Old State = IKE_I_MM4  New State = IKE_I_MM4

Apr 14 10:27:02.263: ISAKMP:(1002):Send initial contact
Apr 14 10:27:02.263: ISAKMP:(1002):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Apr 14 10:27:02.263: ISAKMP (0:1002): ID payload
        next-payload : 8
        type         : 1
        address      : 12.1.1.1
        protocol     : 17
        port         : 500
        length       : 12
Apr 14 10:27:02.267: ISAKMP:(1002):Total payload length: 12
Apr 14 10:27:02.271: ISAKMP:(1002): sending packet to 23.1.1.3 my_port 500 peer_port 500 (I) MM_KEY_EXCH          // packet 5
Apr 14 10:27:02.271: ISAKMP:(1002):Sending an IKE IPv4 Packet.
Apr 14 10:27:02.275: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Apr 14 10:27:02.275: ISAKMP:(1002):Old State = IKE_I_MM4  New State = IKE_I_MM5

Apr 14 10:27:02.883: ISAKMP (0:1002): received packet from 23.1.1.3 dport 500 sport 500 Global (I) MM_KEY_EXCH   // packet 6
Apr 14 10:27:02.887: ISAKMP:(1002): processing ID payload. message ID = 0
Apr 14 10:27:02.887: ISAKMP (0:1002): ID payload
        next-payload : 8
        type         : 1
        address      : 23.1.1.3
        protocol     : 17
        port         : 500
        length       : 12
Apr 14 10:27:02.887: ISAKMP:(0):: peer matches *none* of the profiles
Apr 14 10:27:02.891: ISAKMP:(1002): processing HASH payload. message ID = 0
Apr 14 10:27:02.891: ISAKMP:(1002):SA authentication status:
        authenticated
Apr 14 10:27:02.895: ISAKMP:(1002):SA has been authenticated with 23.1.1.3                                     // phase 1 complete
Apr 14 10:27:02.895: ISAKMP: Trying to insert a peer 12.1.1.1/23.1.1.3/500/,  and inserted successfully 63F335E8.
Apr 14 10:27:02.895: ISAKMP:(1002):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Apr 14 10:27:02.899: ISAKMP:(1002):Old State = IKE_I_MM5  New State = IKE_I_MM6

Apr 14 10:27:02.903: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Apr 14 10:27:02.903: ISAKMP:(1002):Old State = IKE_I_MM6  New State = IKE_I_MM6

Apr 14 10:27:02.911: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Apr 14 10:27:02.911: ISAKMP:(1002):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE

Apr 14 10:27:02.915: ISAKMP:(1002):beginning Quick Mode exchange, M-ID of 2121302861
Apr 14 10:27:02.919: ISAKMP:(1002):QM Initiator gets spi
Apr 14 10:27:02.923: ISAKMP:(1002): sending packet to 23.1.1.3 my_port 500 peer_port 500 (I) QM_IDLE           // packet 7
Apr 14 10:27:02.923: ISAKMP:(1002):Sending an IKE IPv4 Packet.
Apr 14 10:27:02.927: ISAKMP:(1002):Node 2121302861, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Apr 14 10:27:02.927: ISAKMP:(1002):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
Apr 14 10:27:02.927: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Apr 14 10:27:02.931: ISAKMP:(1002):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Apr 14 10:27:03.331: ISAKMP (0:1002): received packet from 23.1.1.3 dport 500 sport 500 Global (I) QM_IDLE     // packet 8
Apr 14 10:27:03.335: ISAKMP:(1002): processing HASH payload. message ID = 2121302861
Apr 14 10:27:03.335: ISAKMP:(1002): processing SA payload. message ID = 2121302861
Apr 14 10:27:03.335: ISAKMP:(1002):Checking IPSec proposal 1
Apr 14 10:27:03.339: ISAKMP: transform 1, ESP_3DES
Apr 14 10:27:03.339: ISAKMP:   attributes in transform:
Apr 14 10:27:03.339: ISAKMP:      encaps is 1 (Tunnel)
Apr 14 10:27:03.339: ISAKMP:      SA life type in seconds
Apr 14 10:27:03.339: ISAKMP:      SA life duration (basic) of 3600
Apr 14 10:27:03.339: ISAKMP:      SA life type in kilobytes
Apr 14 10:27:03.343: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
Apr 14 10:27:03.343: ISAKMP:      authenticator is HMAC-SHA
Apr 14 10:27:03.343: ISAKMP:(1002):atts are acceptable.                                                      // packets 7-8 negotiated
Apr 14 10:27:03.347: IPSEC(validate_proposal_request): proposal part #1
Apr 14 10:27:03.347: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 12.1.1.1, remote= 23.1.1.3,
    local_proxy= 1.1.1.1/255.255.255.255/0/0 (type=1),
    remote_proxy= 3.3.3.3/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Apr 14 10:27:03.351: Crypto mapdb : proxy_match
        src addr     : 1.1.1.1
        dst addr     : 3.3.3.3
        protocol     : 0
        src port     : 0
        dst port     : 0
Apr 14 10:27:03.351: ISAKMP:(1002): processing NONCE payload. message ID = 2121302861
Apr 14 10:27:03.355: ISAKMP:(1002): processing ID payload. message ID = 2121302861
Apr 14 10:27:03.355: ISAKMP:(1002): processing ID payload. message ID = 2121302861
Apr 14 10:27:03.367: ISAKMP:(1002): Creating IPSec SAs
Apr 14 10:27:03.367:         inbound SA from 23.1.1.3 to 12.1.1.1 (f/i)  0/ 0
        (proxy 3.3.3.3 to 1.1.1.1)
Apr 14 10:27:03.367:         has spi 0x699EB1D4 and conn_id 0
Apr 14 10:27:03.367:         lifetime of 3600 seconds
Apr 14 10:27:03.371:         lifetime of 4608000 kilobytes
Apr 14 10:27:03.371:         outbound SA from 12.1.1.1 to 23.1.1.3 (f/i) 0/0
        (proxy 1.1.1.1 to 3.3.3.3)
Apr 14 10:27:03.371:         has spi  0x720F5EE8 and conn_id 0
Apr 14 10:27:03.371:         lifetime of 3600 seconds
Apr 14 10:27:03.371:         lifetime of 4608000 kilobytes
Apr 14 10:27:03.375: ISAKMP:(1002): sending packet to 23.1.1.3 my_port 500 peer_port 500 (I) QM_IDLE       // packet 9
Apr 14 10:27:03.375: ISAKMP:(1002):Sending an IKE IPv4 Packet.
Apr 14 10:27:03.379: ISAKMP:(1002):deleting node 2121302861 error FALSE reason "No Error"
Apr 14 10:27:03.379: ISAKMP:(1002):Node 2121302861, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Apr 14 10:27:03.379: ISAKMP:(1002):Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE
Apr 14 10:27:03.383: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Apr 14 10:27:03.387: Crypto mapdb : proxy_match
        src addr     : 1.1.1.1
        dst addr     : 3.3.3.3
        protocol     : 0
        src port     : 0
        dst port     : 0
Apr 14 10:27:03.387: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 23.1.1.3
Apr 14 10:27:03.391: IPSEC(policy_db_add_ident): src 1.1.1.1, dest 3.3.3.3, dest_port 0
Apr 14 10:27:03.391: IPSEC(create_sa): sa created,                                                            // SA created
  (sa) sa_dest= 12.1.1.1, sa_proto= 50,
    sa_spi= 0x699EB1D4(1772007892),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 3
Apr 14 10:27:03.395: IPSEC(create_sa): sa created,
  (sa) sa_dest= 23.1.1.3, sa_proto= 50,
    sa_spi= 0x720F5EE8(1913609960),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 4
Apr 14 10:27:03.395: IPSEC(update_current_outbound_sa): updated peer 23.1.1.3 current outbound sa to SPI 720F5EE8
Apr 14 10:27:03.935: ISAKMP:(1001):purging node -224027478
Apr 14 10:27:03.935: ISAKMP:(1001):purging node -1975374832
Apr 14 10:27:13.939: ISAKMP:(1001):purging SA., sa=63F32D14, delme=63F32D14
---------------------------------------------------------------------------------------------------
Drawbacks of traditional IPsec ×××: IPsec ××× cannot encrypt layer-2 multicast traffic, which means dynamic routing protocols cannot run across the IPsec ×××; interesting traffic is awkward to define; and there is no interface to apply features on, so firewall and QoS are not supported. This limitation was removed after IOS 12.4, which introduced SVTI (Static Virtual Tunnel Interface).
GRE (Generic Routing Encapsulation)
Protocol number: 47
It encapsulates multicast and layer-2 protocols well and can give our IPsec ××× dynamic routing protocol support,
but it provides no security features itself.
Dynamic routing protocols save us from writing static routes by hand and can dynamically detect whether the remote segment is reachable.
GRE packet format: | NIP | GRE | IP | Data |
GRE configuration
Topology: R1---cloud---R3
  R1--cloud: 12.1.1.1/2
  cloud--R3: 23.1.1.2/3
  R1 lo0: 1.1.1.1
  R3 lo0: 3.3.3.3
R1:
  interface Tunnel0
   ip address 10.1.1.1 255.255.255.0
   tunnel source 12.1.1.1
   tunnel destination 23.1.1.3
R3:
  interface Tunnel0
   ip address 10.1.1.2 255.255.255.0
   tunnel source 23.1.1.3
   tunnel destination 12.1.1.1
Then point a default route towards the outside network on R1 and R3 and the tunnel works.
GRE tunnel flapping
We can also run OSPF on R1 and R3, but one thing needs care: do not advertise the physical interface into the OSPF process, otherwise recursive routing occurs and the GRE tunnel flaps:
  Apr 15 10:52:01.963: %TUN-5-RECURDOWN: Tunnel0 temporarily disabled due to recursive routing
Cause of the recursive routing. Environment: R1 advertises normally, while R3 advertises the physical interface facing the outside network into OSPF. Through its OSPF updates R3 tells R1 that the 23.1.1.0 segment is reachable via Tunnel0. When R1 (1.1.1.1) has a packet for R3 (3.3.3.3) it consults the routing table, finds that the destination is reachable via the tunnel interface, and adds the GRE header:
  | src: 12.1.1.1 |  GRE  | src: 1.1.1.1 | ICMP |
  | dst: 23.1.1.3 |       | dst: 3.3.3.3 |      |
Normally R1 would look up the routing table again, find no specific route to 23.1.1.3 and forward via the default route. But because R3 has advertised the 23.1.1.0 segment into OSPF, R1 learns a route to 23.1.1.3 through the tunnel, and that route is preferred over the default route, so the packet goes through the tunnel and is GRE-encapsulated a second time:
  | src: 12.1.1.1 |  GRE  | src: 12.1.1.1 |  GRE  | src: 1.1.1.1 | data |
  | dst: 23.1.1.3 |       | dst: 23.1.1.3 |       | dst: 3.3.3.3 |      |
The same steps then repeat: the packet keeps being encapsulated and can never be forwarded. The tunnel can only stay up while packets can reach 23.1.1.3, so the tunnel can no longer be maintained and goes from UP to DOWN. Without the tunnel OSPF can no longer exchange routing information, and the routing table falls back to the connected routes plus the single default route. With no OSPF route to beat it, the default route is "reborn", GRE builds the tunnel over it again, OSPF learns routes across the tunnel again, those routes replace the default route once more, and the tunnel goes from UP to DOWN again. Repeated over and over, this is the GRE tunnel flapping.
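The recursion above can be reproduced with a small model of R1's route lookup. This is an added example written for these notes, not IOS code: it assumes the addresses from the GRE configuration (Tunnel0 to 23.1.1.3, default route out FastEthernet0/0) and applies IOS's longest-prefix-then-administrative-distance selection.

```python
import ipaddress
from dataclasses import dataclass

# Administrative distances as IOS assigns them: lower wins when prefix lengths tie.
AD_STATIC = 1
AD_OSPF = 110


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    via: str          # egress interface, e.g. "Tunnel0" or "FastEthernet0/0"
    distance: int


@dataclass(frozen=True)
class Tunnel:
    name: str
    destination: ipaddress.IPv4Address   # the "tunnel destination" of the GRE config


def lookup(rib, dst):
    """Longest-prefix match; ties broken by administrative distance."""
    matches = [r for r in rib if dst in r.prefix]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r.prefix.prefixlen, r.distance))


def resolve_egress(rib, tunnels, dst):
    """Follow tunnel destinations until a physical interface is reached and return the
    chain of interfaces. Raises RecursionError when a tunnel's destination resolves back
    through the same tunnel, the condition behind IOS's %TUN-5-RECURDOWN message."""
    dst = ipaddress.IPv4Address(dst)
    chain = []
    while True:
        route = lookup(rib, dst)
        if route is None:
            raise LookupError(f"no route to {dst}")
        chain.append(route.via)
        if route.via not in tunnels:
            return chain
        if chain.count(route.via) > 1:
            raise RecursionError(f"{route.via} temporarily disabled due to recursive routing")
        dst = tunnels[route.via].destination


TUNNELS = {"Tunnel0": Tunnel("Tunnel0", ipaddress.IPv4Address("23.1.1.3"))}


def r1_rib(r3_advertised_physical_segment: bool):
    """R1's routing table from the notes: a static default route out Fa0/0 plus what OSPF
    learned over Tunnel0. If R3 advertised 23.1.1.0/24, R1 also learns it via the tunnel."""
    net = ipaddress.IPv4Network
    rib = [
        Route(net("0.0.0.0/0"), "FastEthernet0/0", AD_STATIC),
        Route(net("3.3.3.3/32"), "Tunnel0", AD_OSPF),
    ]
    if r3_advertised_physical_segment:
        rib.append(Route(net("23.1.1.0/24"), "Tunnel0", AD_OSPF))
    return rib


def tunnel_state(rib, tunnels, probe_dst="3.3.3.3"):
    """'up' if traffic to probe_dst leaves on a physical interface, 'down' on recursion."""
    try:
        resolve_egress(rib, tunnels, probe_dst)
        return "up"
    except RecursionError:
        return "down"


def flap_sequence(cycles=4):
    """Replays the oscillation described above: while the tunnel is up, OSPF installs the
    23.1.1.0/24 route, which makes resolution recursive and takes the tunnel down; with the
    tunnel down the OSPF route is withdrawn, so the default route resolves it again."""
    states = []
    ospf_route_installed = False
    for _ in range(cycles):
        state = tunnel_state(r1_rib(ospf_route_installed), TUNNELS)
        states.append(state)
        ospf_route_installed = state == "up"   # OSPF only converges while the tunnel is up
    return states


if __name__ == "__main__":
    print(resolve_egress(r1_rib(False), TUNNELS, "3.3.3.3"))   # ['Tunnel0', 'FastEthernet0/0']
    print(flap_sequence())                                      # ['up', 'down', 'up', 'down']
```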
GRE over IPsec packet format
  | IP | ESP/AH | IP | GRE | IP | Data |     tunnel mode
  | IP | ESP/AH | GRE | IP | Data |          transport mode
Configuration (old style)
ip route 0.0.0.0 0.0.0.0 12.1.1.2
router ospf 100
 log-adjacency-changes
 network 1.1.1.1 0.0.0.0 area 0
 network 10.1.1.1 0.0.0.0 area 0
interface Tunnel0
 ip address 10.1.1.1 255.255.255.0
 tunnel source 12.1.1.1
 tunnel destination 23.1.1.3
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 23.1.1.3
crypto ipsec transform-set trans esp-des esp-md5-hmac
 mode transport
ip access-list extended ***
 permit ip host 12.1.1.1 host 23.1.1.3
crypto map cry-map 10 ipsec-isakmp
 set peer 23.1.1.3
 set transform-set trans
 match address ***
interface FastEthernet0/0
 ip address 12.1.1.1 255.255.255.0
 crypto map cry-map
Configuration (new style)
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key 0 cisco address 23.1.1.3
crypto ipsec transform-set cisco esp-des esp-md5-hmac
 mode transport
crypto ipsec profile ipsecprof
 set transform-set cisco
interface Tunnel0
 ip address 10.1.1.1 255.255.255.0
 tunnel source 12.1.1.1
 tunnel destination 23.1.1.3
 tunnel protection ipsec profile ipsecprof
IPsec over GRE
Of no practical use; studied only for the principle. Encapsulation order: the packet is first ESP/AH-encapsulated, then GRE-encapsulated.
R1:
  interface Loopback10
   ip address 11.1.1.1 255.255.255.0
  router ospf 100
   network 11.1.1.1 0.0.0.0 area 0
R2:
  interface Loopback0
   ip address 33.1.1.1 255.255.255.0
  router ospf 100
   network 33.1.1.1 0.0.0.0 area 0
ISAKMP policy
R1:
  crypto isakmp policy 10
   authentication pre-share
  crypto isakmp key 0 cisco address 33.1.1.1
R2:
  crypto isakmp policy 10
   authentication pre-share
  crypto isakmp key 0 cisco address 11.1.1.1
IPsec policy
R1:
  crypto ipsec transform-set trans esp-des esp-md5-hmac
R2:
  crypto ipsec transform-set trans esp-des esp-md5-hmac
Interesting traffic
R1:
  ip access-list extended ***
   permit ip host 1.1.1.1 host 4.4.4.4
   ..... (1-5, 1-6, 2-4, 2-5 ...)
R2:
  ip access-list extended ***
   permit ip host 4.4.4.4 host 1.1.1.1
   .....
Crypto map
R1:
  crypto map cry-map local-address Loopback10      (changes the update source)
  crypto map cry-map 10 ipsec-isakmp
   match address ***
   set transform-set trans
   set peer 33.1.1.1
R2:
  crypto map cry-map local-address Loopback10      (changes the update source)
  crypto map cry-map 10 ipsec-isakmp
   match address ***
   set transform-set trans
   set peer 11.1.1.1
Apply on the interfaces
R1:
  interface Tunnel0
   crypto map cry-map
  interface FastEthernet0/0
   crypto map cry-map      <recommended: it stops unencrypted interesting traffic from getting through>
  ---->R1---->F0/0
       |
       |_____T0
Packet processing:
1. A packet with source 1.1.1.1 and destination 4.4.4.4 arrives at R1
2. The route lookup sends it to the Tunnel interface
3. It hits the crypto map on the Tunnel interface and matches the interesting traffic
4. Encryption is triggered
  | SIP: 11.1.1.1 |     | SIP: 1.1.1.1 |      |
  | DIP: 33.1.1.3 | ESP | DIP: 4.4.4.4 | Data |
5. The new packet is looked up again and sent to the Tunnel interface; because the IP header has changed it no longer matches the interesting traffic, so it passes straight out of the tunnel and is GRE-encapsulated
  | SIP: 12.1.1.1 |     | SIP: 11.1.1.1 |     | SIP: 1.1.1.1 |      |
  | DIP: 23.1.1.3 | GRE | DIP: 33.1.1.3 | ESP | DIP: 4.4.4.4 | Data |
6. Another route lookup sends it to f0/0, where it is forwarded
Comparison of GRE over IPsec and IPsec over GRE
                 | GRE over IPsec                                | IPsec over GRE
-----------------+-----------------------------------------------+-------------------------------------------
Understanding    | GRE data is encrypted while crossing the      | Encrypted data crosses the public network
                 | public network                                | inside the GRE tunnel
Encapsulation    | IPsec encapsulates GRE; overall an IPsec      | GRE encapsulates IPsec; overall a GRE
                 | tunnel                                        | tunnel
ACL definition   | GRE traffic (public network)                  | Internal (private) traffic
set peer         | Peer's public address                         | Peer's GRE tunnel address
Applied on       | Public-network egress interface               | GRE tunnel interface
Configuring GRE over IPsec ××× on an ASA
Topology: site1---cloud---ASA---site2
  Site1 lo0: 172.16.1.1
  site1-cloud: 12.1.1.1/2
  cloud-ASA: 23.1.1.2/3
  ASA-site2: 192.168.1.254/1
ASA
1. Initialize the interfaces
  interface e0/0
   nameif outside
   ip address 23.1.1.3 255.255.255.0
  interface e0/1
   nameif inside
   ip address 192.168.1.254
2. Enable crypto isakmp
  crypto isakmp enable outside
3. Configure the ISAKMP policy
  crypto isakmp policy 10
show run then shows:
  crypto isakmp policy 10
   authentication pre-share
   encryption 3des
   hash sha
   group 2
   lifetime 86400
  crypto isakmp policy 65535
   authentication pre-share
   encryption 3des
   hash sha
   group 2
   lifetime 86400
The ASA has a default policy numbered 65535; as on the router, anything not configured in a policy is filled in from the default. Cisco's recommendation is that the ASA is mainly used for remote-access ××× while L2L ××× is done on routers.
4. Configure the key and peer
  crypto isakmp key cisco address 12.1.1.1
On the ASA this command is converted into:
  tunnel-group 12.1.1.1 type ipsec-l2l
  tunnel-group 12.1.1.1 ipsec-attributes
   pre-shared-key *
5. Configure the interesting traffic
  access-list *** extended permit ip host 192.168.1.1 host 172.16.1.1
6. Configure the transform set
  crypto ipsec transform-set trans esp-3des esp-sha-hmac
7. Tie everything together
  crypto map cry-map 10 ipsec-isakmp
  crypto map cry-map 10 set peer 12.1.1.1
  crypto map cry-map 10 set transform-set trans
  crypto map cry-map 10 match address ***
8. Apply
  crypto map cry-map interface outside
If site1 now pings site2 with debug enabled, the output says:
  ISAKMP:(0):Notify has no hash. Rejected.
  %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 23.1.1.3
i.e. the policies differ, although the policies on both sides really are the same.
Solution: modify the policy on both ends and trigger the tunnel again; it then comes up. No permit rule is needed here because show run sysopt shows
  sysopt connection permit-***
whose effect is that traffic decrypted by the ××× is allowed through automatically.
It can also be turned off with no, after which the traffic can be filtered:
  access-list out permit tcp 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0 eq telnet
  access-group out in interface outside
NAT-T (PAT traversal)
AH does not support NAT; ESP supports only one-to-one NAT, not NAT overload (PAT). To let packets that have been IPsec-encapsulated and encrypted traverse NAT, a UDP header is inserted into the original packet.
IPsec ××× PAT-traversal techniques: IPsec over TCP, IPsec over UDP and NAT-T (the ESP packet is encapsulated in UDP 4500). The ASA enables none of them by default but supports all three; routers support only NAT-T, and it is enabled by default.
Encapsulation format:
  | IP | UDP | ESP/AH | GRE | IP | Data |      UDP = 4500
Cisco routers enable NAT-T by default; the ASA does not:
  cry ipsec Nat-t udp-en
How the router decides whether to enable UDP encapsulation: during phase 1, ISAKMP packets 1 and 2 carry whether NAT-T is supported; packets 3 and 4 then exchange a hash of the source/destination IP plus source/destination port. If the hashes are equal, NAT-T is not enabled; if the hashes differ and both sides support NAT-T, it is enabled.
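The hash comparison just described is the NAT-D payload of RFC 3947 (HASH over the ISAKMP cookies, the IP address and the port). The following is an added example written for these notes, not Cisco code, modelling both the sender's payloads and the receiver's comparison; the cookies and the RFC 5737 documentation addresses are constructed.

```python
import hashlib
import socket
import struct

# Constructed ISAKMP cookie pair (8 bytes each, as in the ISAKMP header).
COOKIE_I = bytes.fromhex("0011223344556677")
COOKIE_R = bytes.fromhex("8899aabbccddeeff")


def nat_d_hash(cookie_i, cookie_r, ip, port, hash_name="sha1"):
    """NAT-D payload body: HASH(CKY-I | CKY-R | IP | Port), RFC 3947 section 4,
    using the hash negotiated in packets 1-2 (SHA here, matching the debug above)."""
    data = cookie_i + cookie_r + socket.inet_aton(ip) + struct.pack("!H", port)
    return hashlib.new(hash_name, data).digest()


def build_nat_d_payloads(cookie_i, cookie_r, local, remote):
    """Sender side (packets 3-4): the first payload hashes the peer's address as the
    sender believes it to be; the following payload(s) hash the sender's own address."""
    return [nat_d_hash(cookie_i, cookie_r, *remote), nat_d_hash(cookie_i, cookie_r, *local)]


def detect_nat(cookie_i, cookie_r, payloads, observed_src, observed_dst):
    """Receiver side: recompute the hashes over the addresses actually seen in the
    IP/UDP headers of the received packet. Returns (peer_behind_nat, self_behind_nat)."""
    remote_hash, *local_hashes = payloads
    # If the peer's idea of our address differs from what we see, our address was translated.
    self_behind_nat = remote_hash != nat_d_hash(cookie_i, cookie_r, *observed_dst)
    # If none of the peer's own-address hashes match the packet's source, the peer was translated.
    peer_behind_nat = nat_d_hash(cookie_i, cookie_r, *observed_src) not in local_hashes
    return peer_behind_nat, self_behind_nat


def choose_encapsulation(both_support_nat_t, peer_behind_nat, self_behind_nat):
    """The rule from the notes: hashes equal -> plain ESP; hashes differ and both sides
    support NAT-T -> UDP-encapsulated ESP on port 4500."""
    if not (peer_behind_nat or self_behind_nat):
        return "esp"
    if both_support_nat_t:
        return "udp-encapsulated-esp/4500"
    return "fail: NAT detected but NAT-T not supported by both peers"


def scenario_initiator_behind_nat():
    """Constructed: initiator 192.168.1.10:500 behind a NAT whose public side is
    203.0.113.7; responder 198.51.100.9:500 with no NAT in front of it."""
    initiator_view = ("192.168.1.10", 500)
    responder = ("198.51.100.9", 500)
    payloads = build_nat_d_payloads(COOKIE_I, COOKIE_R, local=initiator_view, remote=responder)
    # The responder sees the packet arrive from the NAT's public address.
    peer_nat, self_nat = detect_nat(COOKIE_I, COOKIE_R, payloads,
                                    observed_src=("203.0.113.7", 500), observed_dst=responder)
    return peer_nat, self_nat, choose_encapsulation(True, peer_nat, self_nat)


def scenario_no_nat():
    """Constructed: both peers on public addresses, nothing translated in between."""
    initiator = ("203.0.113.7", 500)
    responder = ("198.51.100.9", 500)
    payloads = build_nat_d_payloads(COOKIE_I, COOKIE_R, local=initiator, remote=responder)
    peer_nat, self_nat = detect_nat(COOKIE_I, COOKIE_R, payloads,
                                    observed_src=initiator, observed_dst=responder)
    return peer_nat, self_nat, choose_encapsulation(True, peer_nat, self_nat)


if __name__ == "__main__":
    print(scenario_initiator_behind_nat())   # (True, False, 'udp-encapsulated-esp/4500')
    print(scenario_no_nat())                 # (False, False, 'esp')
```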
ISAKMP Profile (IOS 12.3)
If a router runs several kinds of ×××, the ISAKMP profile configuration style is recommended.
Drawbacks of the standard configuration: crypto isakmp key cisco address 23.1.1.3 is a global command; when the router runs several kinds of ××× (for example a remote dial-up ×××), the wrong key may be picked during authentication.
The crypto map ties together phase 2 only and has nothing to do with phase 1; there is no single command spanning phase 1 and phase 2.
crypto isakmp policy 10
 authentication pre-share
!
crypto keyring isakay
 pre-shared-key address 12.1.1.1 key cisco
!
crypto isakmp profile isapro
 keyring isakay
 match identity address 12.1.1.1 255.255.255.255
!
crypto ipsec transform-set trans esp-des esp-md5-hmac
!
crypto map cisco 10 ipsec-isakmp
 set peer 12.1.1.1
 set transform-set trans
 set isakmp-profile isapro
 match address ***
On the interface:
 crypto map cisco
IPsec Profile (SVTI / routed ×××), IOS 12.4; not compatible with the earlier configuration style
Drawbacks of the standard IPsec ×××: the interesting-traffic definition is complex and grows exponentially;
there is no interface to apply features on, multicast is not supported, and dynamic routing protocols cannot run.
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 23.1.1.3
crypto ipsec transform-set trans esp-des esp-md5-hmac
crypto ipsec profile ipsecpro
 set transform-set trans
interface Tunnel0
 ip address 10.1.1.1 255.255.255.0
 tunnel source 12.1.1.1
 tunnel destination 23.1.1.3
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ipsecpro
router ospf 100
 log-adjacency-changes
 network 1.1.1.1 0.0.0.0 area 0
 network 10.1.1.1 0.0.0.0 area 0
!
ip route 0.0.0.0 0.0.0.0 12.1.1.2
Combining this with the advantages of the ISAKMP profile, R3 can be configured as follows:
crypto keyring key
 pre-shared-key address 12.1.1.1 key cisco
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp profile isapro
 keyring key
 match identity address 12.1.1.1 255.255.255.255
!
crypto ipsec transform-set trans esp-des esp-md5-hmac
!
crypto ipsec profile ipsecpro
 set transform-set trans
 set isakmp-profile isapro
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.0
!
interface Tunnel0
 ip address 10.1.1.2 255.255.255.0
 tunnel source 23.1.1.3
 tunnel destination 12.1.1.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ipsecpro
!
router ospf 100
 log-adjacency-changes
 network 3.3.3.3 0.0.0.0 area 0
 network 10.1.1.2 0.0.0.0 area 0
!
ip route 0.0.0.0 0.0.0.0 23.1.1.2
Crypto map handling of encrypted and cleartext traffic (receiving side)
Matches interesting traffic? | Encrypted? | Crypto map on interface? | Action
N/A                          | yes        | yes                      | decrypt  (normal traffic)
yes                          | no         | yes                      | drop
yes                          | no         | no                       | forward  (normal routing)
N/A                          | yes        | no                       | decrypt  (asymmetric routing)
   __M_________
  |            |
  R1          R2
  |_______M____|
(M = interface carrying the crypto map)
Dynamic vs static crypto map
The hub has a fixed IP address but the branches do not. Only feasible when the hub is a Cisco device, and not recommended; with other vendors' equipment only EZ××× can be used.
R1 (center):
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set trans esp-des esp-md5-hmac
!
crypto dynamic-map dymap 10
 set transform-set trans
!
crypto map crymap 1000 ipsec-isakmp dynamic dymap
interface FastEthernet0/0
 ip address 12.1.1.1 255.255.255.0
 duplex auto
 speed auto
 crypto map crymap
ip route 0.0.0.0 0.0.0.0 12.1.1.2
RRI (Reverse Route Injection)
  DM ×××                                                            high scalability
  EZ ×××                                                            ease of use
  RRI / Keepalive / HA (link backup) / Redundancy (device backup)   high availability
Topology:
                   ------R3---
  PC1--R1---cloud--|          |---R5--PC2
                   ------R4---
Where RRI is used: R1 builds IPsec ××× tunnels with R3 or R4 for link redundancy. So that R5 can dynamically sense the state of the links from the cloud to R3 and R4, R3 and R4 must not use a default route to reach PC1; a dynamic routing protocol is needed, so that after R1 and R3 (or R4) establish the ×××, a static route to PC1's segment is generated dynamically and then redistributed into the dynamic routing process.
How RRI works: once R1 and R3 or R4 have established the IPsec ××× and produced an SA, a static route to PC1's segment is generated dynamically.
Format of the static route:
  Destination: the destination of the interesting traffic (PC1's segment)
  Next hop: the SA peer (encryption point / R1's outside interface)   // the next hop must be reachable
Conditions for RRI to generate a route:
1. The peer's encryption point is known (peer)
2. The peer's communication point is known (the destination of the access-list)
reverse-route configuration. Topology: R1---R2(cloud)---R3---R4
//R1
crypto keyring key
 pre-shared-key address 23.1.1.3 key cisco
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp profile isapro
 keyring key
 match identity address 23.1.1.3 255.255.255.255
!
crypto ipsec transform-set trans esp-des esp-md5-hmac
!
crypto map crymap 10 ipsec-isakmp
 set peer 23.1.1.3
 set transform-set trans
 set isakmp-profile isapro
 match address ***
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 12.1.1.1 255.255.255.0
 duplex auto
 speed auto
 crypto map crymap
!
ip route 0.0.0.0 0.0.0.0 12.1.1.2
!
ip access-list extended ***
 permit ip host 1.1.1.1 3.3.3.0 0.0.0.255
-------------------------------------------------------
//R3
crypto keyring key
 pre-shared-key address 12.1.1.1 key cisco
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp profile isapro
 keyring key
 match identity address 12.1.1.1 255.255.255.255
!
crypto ipsec transform-set trans esp-des esp-md5-hmac
!
crypto map crymap 10 ipsec-isakmp
 set peer 12.1.1.1
 set transform-set trans
 set isakmp-profile isapro
 match address ***
 reverse-route
!
interface FastEthernet0/0
 ip address 3.3.3.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 23.1.1.3 255.255.255.0
 duplex auto
 speed auto
 crypto map crymap
!
router ospf 100
 log-adjacency-changes
 redistribute static subnets
 network 3.3.3.1 0.0.0.0 area 0
-----------------------------------------------
reverse-route parameters
reverse-route [ remote-peer | static | tag ]   (some versions require set reverse-route tag N)
  remote-peer: sets the next-hop address of the dynamically generated static route
  static: generates a static route from the configured peer and interesting-traffic destination (the route stays whether or not an SA exists)
  tag: marks the routes so that a route-map can filter them during redistribution, distributing only the dynamically generated routes
1. reverse-route tag 10
2. route-map cisco
    match tag 10
3. router ospf 100
    redistribute static route-map cisco subnets
Traffic the ××× ACL must permit: ISAKMP (UDP 500), ESP/AH, and with NAT-T also UDP 4500.
Before 12.3(8)T, ACL matching of ××× traffic:
1. First check whether it is cleartext interesting traffic (reverse crypto map ACL; see "Crypto map handling of encrypted and cleartext traffic" above)
2. Check the inbound ACL on the physical interface (ISAKMP and ESP/AH)
3. After decryption the traffic is checked again against the inbound ACL of the physical interface (matched again after decryption)
Example:
  interface f0/0
   ip access-group a in
  Extended IP access list a
   10 permit udp host 21.1.1.2 host 12.1.1.1 eq isakmp
   20 permit esp host 21.1.1.2 host 12.1.1.1
   30 permit icmp host 2.2.2.2 host 1.1.1.1
  Extended IP access list ***
   10 permit ip host 2.2.2.2 host 1.1.1.1
After 12.3(8)T, ACL matching of ××× traffic:
1. First check whether it is cleartext interesting traffic
2. Check the inbound ACL on the physical interface (ISAKMP and ESP/AH)
3. After decryption, match the ACL configured under the crypto map (applied only to decrypted traffic); if none is configured, everything is permitted
Example:
  R2(config-crypto-map)#set ip access-group acl in
  interface f0/0
   ip access-group a in
  Extended IP access list a
   10 permit esp host 12.1.1.1 host 21.1.1.2
   20 permit udp host 12.1.1.1 host 21.1.1.2 eq isakmp
  Extended IP access list acl
   10 permit icmp host 1.1.1.1 host 2.2.2.2
  Extended IP access list ***
   10 permit ip host 2.2.2.2 host 1.1.1.1
ISAKMP keepalive
Probes whether the current IPsec SA is still usable. Keepalive sends DPD (Dead Peer Detection) packets; if a DPD packet gets no reply, the IPsec SA is considered unusable. The keepalive mechanism is the foundation of high-availability ×××. Keepalive is negotiated by both sides, so it must be configured on both.
  crypto isakmp keepalive 10 periodic
Keepalive packets are sent periodically, once every 10 s.
  crypto isakmp keepalive 10   (on-demand, the default)
To save resources there is a newer sending mechanism (on-demand). How do we know an IPsec SA is good? It both encrypts and decrypts. If we find that our encrypted packets go out but no decrypted packets come back, a DPD packet is sent. Some protocols are one-way with no reply packets, but we have the 10 s waiting time.
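The two keepalive behaviours above, modelled in Python as an added example for these notes (not IOS code): periodic sends a DPD every interval, while on-demand sends one only when we have encrypted traffic since the last packet that came back and nothing has returned for a full interval. Event timelines are constructed.

```python
class DpdMonitor:
    """Decides when an ISAKMP keepalive (DPD) should be sent over one IPsec SA.
    interval: the 10 s of 'crypto isakmp keepalive 10'."""

    def __init__(self, interval=10.0, mode="on-demand"):
        if mode not in ("periodic", "on-demand"):
            raise ValueError(f"unknown mode {mode}")
        self.interval = interval
        self.mode = mode
        self.last_sent = None       # time of the last DPD we sent
        self.first_encrypt = None   # first outbound packet over this SA
        self.last_encrypt = None    # most recent outbound (encrypted) packet
        self.last_decrypt = None    # most recent inbound (decrypted) packet
        self.sent = []              # times at which a DPD was sent

    def record_encrypt(self, now):
        if self.first_encrypt is None:
            self.first_encrypt = now
        self.last_encrypt = now

    def record_decrypt(self, now):
        self.last_decrypt = now

    def _due(self, now):
        return self.last_sent is None or now - self.last_sent >= self.interval

    def poll(self, now):
        """Return True when a DPD should be sent at time `now` (and record it)."""
        if self.mode == "periodic":
            send = self._due(now)
        elif self.last_encrypt is None:
            send = False                         # nothing sent, nothing to verify
        else:
            # Reference point: the last packet that came back, or the first one we sent.
            since = self.last_decrypt if self.last_decrypt is not None else self.first_encrypt
            # An SA that both encrypts and decrypts needs no probe: only ask when our
            # outbound traffic is newer than anything that came back for a whole interval.
            unanswered = self.last_decrypt is None or self.last_encrypt > self.last_decrypt
            send = unanswered and now - since >= self.interval and self._due(now)
        if send:
            self.last_sent = now
            self.sent.append(now)
        return send


def simulate(mode, events, horizon=30, interval=10.0):
    """Run one SA through a constructed timeline. events: list of (second, 'encrypt'|'decrypt');
    the monitor is polled once per second. Returns the seconds at which a DPD was sent."""
    monitor = DpdMonitor(interval, mode)
    by_time = dict(events)
    for t in range(horizon + 1):
        kind = by_time.get(t)
        if kind == "encrypt":
            monitor.record_encrypt(t)
        elif kind == "decrypt":
            monitor.record_decrypt(t)
        monitor.poll(t)
    return monitor.sent


if __name__ == "__main__":
    print(simulate("periodic", []))                                  # [0, 10, 20, 30]
    print(simulate("on-demand", [(0, "encrypt"), (1, "decrypt")]))   # []
    print(simulate("on-demand", [(t, "encrypt") for t in (0, 3, 6, 9)]))  # [10, 20, 30]
```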
HA (high availability) link-backup combined lab
Topology:
                        ------R3---
  PC1--R1---(R2)cloud--|          |---R5--PC2
  1.1.1.1               |          |       5.5.5.5
                        ------R4---
R1 configuration
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 23.1.1.3
crypto isakmp key cisco address 24.1.1.4
crypto isakmp keepalive 10 periodic
!
crypto ipsec transform-set trans esp-des esp-md5-hmac
!
crypto map cry-map 10 ipsec-isakmp
 set peer 23.1.1.3 default
 set peer 24.1.1.4
 set transform-set trans
 match address ***
!
interface FastEthernet0/0
 ip address 12.1.1.1 255.255.255.0
 duplex auto
 speed auto
 crypto map cry-map
!
ip route 0.0.0.0 0.0.0.0 12.1.1.2
!
ip access-list extended ***
 permit ip host 1.1.1.1 host 5.5.5.5
R3 configuration
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 12.1.1.1
crypto isakmp keepalive 10 periodic
!
crypto ipsec transform-set trans esp-des esp-md5-hmac
!
crypto map cry-map 10 ipsec-isakmp
 set peer 12.1.1.1
 set transform-set trans
 match address ***
 reverse-route tag 10
!
interface FastEthernet0/0
 ip address 23.1.1.3 255.255.255.0
 duplex auto
 speed auto
 crypto map cry-map
!
interface FastEthernet0/1
 ip address 35.1.1.3 255.255.255.0
 duplex auto
 speed auto
!
router ospf 100
 router-id 3.3.3.3
 log-adjacency-changes
 redistribute static subnets route-map map
 network 35.1.1.0 0.0.0.255 area 0
!
ip route 0.0.0.0 0.0.0.0 23.1.1.2
!
ip access-list extended ***
 permit ip host 5.5.5.5 host 1.1.1.1
!
route-map map permit 10
 match tag 10
R4 (same configuration as R3)
Reposted from: https://blog.51cto.com/netpro/299585