IPSec introduction:
IPSec (Internet Protocol Security) is the long-term direction of secure networking. It provides active protection through end-to-end security to prevent attacks on private networks and the Internet. In a communication, the sender and the receiver are the only computers that must understand IPSec protection. "Internet Protocol Security" is an open standard framework. By using cryptographic security services, it ensures private and secure communication over Internet Protocol (IP) networks.
IPSec security features include:
Non-Repudiation
Non-repudiation proves that the message sender is the only possible sender, so the sender cannot deny having sent the message. Non-repudiation is a property of public key technology: the sender uses its private key to generate a digital signature that is sent along with the message, and the receiver uses the sender's public key to verify the signature. In theory only the sender holds the private key, so only the sender can generate that signature, and as long as the signature verifies, the sender cannot deny having sent the message. Non-repudiation is not a property of authentication based on a shared key, because with a shared key the sender and the receiver hold the same key and either side could have produced the authentication value.
Anti-Replay
Anti-replay ensures the uniqueness of each IP packet: a packet that has been intercepted and copied cannot be reused or re-transmitted to the destination later. This prevents an attacker who captures traffic from resubmitting the same packets to obtain illegitimate access.
Data Integrity
Prevents data tampering during transmission and ensures that the data received is the data that was sent. IPSec uses a hash function to generate a cryptographic checksum for each data packet. The receiver recalculates the checksum before opening the packet; if the packet has been tampered with, the two checksums do not match and the packet is discarded.
Data Confidentiality (encryption)
Data is encrypted before transmission, so the information cannot be read even if the packets are intercepted in transit. This feature is optional in IPSec and depends on the specific settings of the IPSec policy.
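As an added illustration of the anti-replay feature described above (example code written for this page, not taken from the original article or from any vendor implementation), the following Python models the sliding receive window that AH and ESP receivers use: every packet carries a sequence number, the receiver accepts each number once, rejects duplicates, and rejects anything that falls behind the window. The window size of 64 and the packet sequence numbers are constructed values.

```python
"""Sliding anti-replay window as used by IPsec AH/ESP receivers.

Added example, not code from the page; the window size and the packet
sequence numbers below are constructed values.
"""


class ReplayWindow:
    """Track the highest accepted sequence number and a bitmap of the last `size`."""

    def __init__(self, size=64):
        self.size = size
        self.top = 0        # highest sequence number accepted so far (0 = nothing yet)
        self.bitmap = 0     # bit i set => sequence number (top - i) already accepted

    def check_and_update(self, seq):
        """Return True and record `seq` if it is new and inside the window, else False."""
        if seq <= 0:
            return False                        # sequence numbers start at 1
        if seq > self.top:                      # newer than anything seen: slide the window
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1                 # everything previously seen falls out
            else:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.top = seq
            return True
        offset = self.top - seq                 # older than top: is it inside the window?
        if offset >= self.size:
            return False                        # too old; cannot tell a replay from a delay
        if self.bitmap & (1 << offset):
            return False                        # already accepted: this is a replay
        self.bitmap |= 1 << offset              # late but genuine: accept it once
        return True


def replay_check_trace(seqs, size=64):
    """Feed a sequence of packet numbers through one window; return (seq, accepted) pairs."""
    window = ReplayWindow(size)
    return [(s, window.check_and_update(s)) for s in seqs]


if __name__ == "__main__":
    # Constructed capture: in-order packets, a replayed 3, a late 4, a jump to 100,
    # a late-but-valid 40, a too-old 36 and a replayed 40.
    for seq, ok in replay_check_trace([1, 2, 3, 3, 5, 4, 100, 40, 36, 40]):
        print(f"seq {seq:>3}: {'accept' if ok else 'REJECT'}")
```

The sequence number is only trustworthy because AH and ESP include it in the packet's integrity check; without authentication anyone on the path could rewrite it, which is why anti-replay protection is never used without data integrity.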
IPSec working modes:
Tunnel mode: the entire user IP packet is used to compute the AH or ESP header; the AH or ESP header and the user data (encrypted in the case of ESP) are then encapsulated in a new IP packet. Tunnel mode is generally used for communication between two security gateways.
Transport mode: only the transport-layer data is used to compute the AH or ESP header; the AH or ESP header and the user data (encrypted in the case of ESP) are placed after the original IP header. Transport mode generally applies to communication between two hosts, or between a host and a security gateway.
Comparison of two IPSEC security protocols:
The AH protocol (IP protocol number 51) provides data origin authentication, data integrity verification and anti-replay protection. It protects communication against tampering but cannot prevent eavesdropping, so it is suitable for transmitting non-confidential data. AH works by adding an authentication header to each packet; this header is inserted after the standard IP header and provides integrity protection for the data. However, the IP header contains many fields that change in transit, such as type of service (TOS), flags, fragment offset, TTL and header checksum, so these values must be zeroed before the hash is computed; otherwise the hash would mismatch and the packet would be dropped. The source and destination addresses are covered by the hash, so any device that rewrites them breaks verification: AH does not support NAT translation.
The ESP protocol (IP protocol number 50) provides encryption, data origin authentication, data integrity verification and anti-replay protection. ESP works by adding an ESP header after the standard IP header of each packet and appending an ESP trailer at the end. Unlike AH, ESP encrypts the user data to be protected before encapsulating it into the IP packet, which ensures data confidentiality.
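Added example for the data integrity and AH paragraphs above (written for this page, not vendor code): a toy model of what the AH integrity check covers. The sender computes HMAC-SHA1-96 (the sha1-hmac-96 algorithm named later on the page) over the IP header with the mutable fields zeroed plus the payload; the receiver recomputes it the same way, so a TTL decrement and checksum update in transit still verify, while a NAT rewrite of the source address or a change to the payload does not. The real AH ICV also covers the AH header itself with its ICV field zeroed, which this simplification omits; addresses, key and payload are constructed.

```python
"""AH-style integrity check over an IPv4 header with mutable fields zeroed.

Added example (not from the page): a toy model of what AH's ICV covers, using
HMAC-SHA1-96 as named on the page. Addresses, key and payload are constructed.
"""
import hashlib
import hmac
import ipaddress
import struct

IP_PROTO_AH = 51  # IP protocol number of AH, as stated on the page


def build_ipv4_header(src, dst, ttl, tos=0, checksum=0, flags_frag=0x4000,
                      total_length=64, ident=0x1234, proto=IP_PROTO_AH):
    """Minimal 20-byte IPv4 header (no options)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_length, ident, flags_frag,
                       ttl, proto, checksum,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def zero_mutable_fields(header):
    """Zero the fields the page lists as changing in transit: TOS, flags/fragment
    offset, TTL and header checksum. Addresses, length, ID and protocol stay."""
    h = bytearray(header)
    h[1] = 0                 # TOS (DSCP + ECN)
    h[6:8] = b"\x00\x00"     # flags + fragment offset
    h[8] = 0                 # TTL
    h[10:12] = b"\x00\x00"   # header checksum
    return bytes(h)


def ah_icv(key, header, payload):
    """HMAC-SHA1-96: HMAC-SHA1 truncated to 96 bits (12 bytes), as in sha1-hmac-96."""
    covered = zero_mutable_fields(header) + payload
    return hmac.new(key, covered, hashlib.sha1).digest()[:12]


def ah_verify(key, header, payload, icv):
    """Receiver side: recompute over the same immutable view and compare in constant time."""
    return hmac.compare_digest(ah_icv(key, header, payload), icv)


def transit_scenarios(key=b"constructed-demo-key-not-for-use"):
    """Sender signs once; the packet is then seen after three different in-transit changes.
    Returns (survives_ttl_decrement, survives_nat_rewrite, survives_payload_tamper)."""
    payload = b"constructed payload"
    sent = build_ipv4_header("10.0.0.1", "10.0.1.1", ttl=64, checksum=0x1A2B)
    icv = ah_icv(key, sent, payload)

    # 1. Normal routing: TTL decremented and checksum recomputed by each router.
    routed = build_ipv4_header("10.0.0.1", "10.0.1.1", ttl=60, checksum=0x1A2F)
    # 2. NAT: source address rewritten; the address is covered by the ICV.
    natted = build_ipv4_header("203.0.113.5", "10.0.1.1", ttl=60, checksum=0x9C3D)
    # 3. Payload modified on the path.
    return (
        ah_verify(key, routed, payload, icv),
        ah_verify(key, natted, payload, icv),
        ah_verify(key, routed, payload + b"!", icv),
    )


if __name__ == "__main__":
    print(transit_scenarios())  # (True, False, False)
```

The second scenario is the whole NAT problem in one line: a NAT gateway does exactly what the check is designed to detect, so AH through NAT fails by design, whereas ESP leaves the outer IP header outside its integrity check.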
IPSec configurations include:
Create an encryption access control list (the ACL selects the traffic to protect):
acl acl-number [match-order {config | auto}]
rule {normal | special} {permit | deny} pro-number [source source-addr source-wildcard | any] [source-port operator port1 [port2]] [destination dest-addr dest-wildcard | any] [destination-port operator port1 [port2]] [icmp-type icmp-type icmp-code] [logging]
Define a security proposal:
ipsec proposal proposal-name
Set the encapsulation mode for packets protected by the security protocol:
encapsulation-mode {transport | tunnel}
Set the security protocol used by the Security Association:
transform {ah-new | ah-esp-new | esp-new}
Select the encryption algorithm and the authentication algorithm:
Set the encryption algorithm used by the ESP protocol (VRP main software IPSec):
esp-new encryption-algorithm {3des | des | blowfish | cast | skipjack}
Set the authentication algorithm used by the ESP protocol:
esp-new authentication-algorithm {md5-hmac-96 | sha1-hmac-96}
Create a security policy
Create a security policy manually (keys and SPIs are configured by hand on both peers):
ipsec policy policy-name sequence-number manual
Set the encryption access control list referenced by the security policy:
security acl access-list-number
Specify the local address of the security tunnel:
tunnel local ip-address
Specify the remote (peer) address of the security tunnel:
tunnel remote ip-address
Configure the security proposal referenced by the security policy:
proposal proposal-name
Configure the AH/ESP protocol and the SPI of the inbound Security Association:
sa inbound {ah | esp} spi spi-number
Configure the AH/ESP protocol and the SPI of the outbound Security Association:
sa outbound {ah | esp} spi spi-number
Configure the authentication key for the ESP protocol (hexadecimal):
sa {inbound | outbound} esp authentication-hex hex-key
Configure the encryption key for the ESP protocol (hexadecimal):
sa {inbound | outbound} esp encryption-hex hex-key
Configure the encryption and authentication keys for the ESP protocol at the same time (string form):
sa {inbound | outbound} esp string-key string-key
Create a security policy whose Security Associations are negotiated with IKE:
ipsec policy policy-name sequence-number isakmp
Set the encryption access control list referenced by the security policy:
security acl access-list-number
Specify the peer address of the security tunnel:
tunnel remote ip-address
Configure the security proposals used by the security policy:
proposal proposal-name1 [proposal-name2 ... proposal-name6]
Apply the security policy group on an interface:
ipsec policy policy-name
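The manual-keying procedure above, worked through as one complete example: a Python script added here (it is neither the article's configuration nor a Huawei tool) that renders both peers' configuration from a single description using the command templates listed on this page, validates key lengths and the SPI range, and checks that each side's inbound SA is the other side's outbound SA, which is the most common mistake when keying by hand. Hostnames, WAN addresses, ACL number 101, interface Serial0, the SPIs and the assumed key sizes per algorithm are all constructed or assumed for this lab (only the 192.168.2.x network appears on the page), and the exact command syntax should be checked against the VRP release in use.

```python
"""Render matching manual-keying IPSec configs for two VRP-style peers.

Added example (not from the page): the command lines follow the templates listed
above; ACL numbers, interface names, addresses and SPIs are constructed lab values.
"""
import secrets
from dataclasses import dataclass

# Assumed key sizes in bytes for the algorithms named on the page (keys are given as hex).
ENC_KEY_BYTES = {"des": 8, "3des": 24}
AUTH_KEY_BYTES = {"md5-hmac-96": 16, "sha1-hmac-96": 20}


@dataclass
class Peer:
    name: str        # hostname, only used in the banner line
    wan_ip: str      # tunnel endpoint address
    lan: str         # protected subnet as "addr wildcard", ACL style
    acl: int         # advanced ACL number (assumed range for this VRP release)
    interface: str   # interface the policy is applied on


@dataclass
class ManualSA:
    """One direction of traffic: SPI plus the two hex keys for esp-new."""
    spi: int
    auth_key_hex: str
    enc_key_hex: str


def check_sa(sa, enc_alg, auth_alg):
    """Reject values the device would refuse, or that would silently mismatch the peer."""
    if not 256 <= sa.spi <= 4294967295:
        raise ValueError(f"SPI {sa.spi} outside 256..2^32-1")
    if len(sa.enc_key_hex) != 2 * ENC_KEY_BYTES[enc_alg]:
        raise ValueError(f"{enc_alg} key must be {ENC_KEY_BYTES[enc_alg]} bytes of hex")
    if len(sa.auth_key_hex) != 2 * AUTH_KEY_BYTES[auth_alg]:
        raise ValueError(f"{auth_alg} key must be {AUTH_KEY_BYTES[auth_alg]} bytes of hex")


def render_peer(local, remote, outbound, inbound, enc_alg="3des", auth_alg="sha1-hmac-96",
                proposal="prop1", policy="pol1", seq=10):
    """Config for `local`; `outbound` is the SA local->remote, `inbound` is remote->local."""
    for sa in (outbound, inbound):
        check_sa(sa, enc_alg, auth_alg)
    lines = [
        f"# {local.name}: manual IPSec SA to {remote.wan_ip}",
        f"acl {local.acl} match-order config",
        f" rule normal permit ip source {local.lan} destination {remote.lan}",
        " rule normal deny ip source any destination any",
        f"ipsec proposal {proposal}",
        " encapsulation-mode tunnel",
        " transform esp-new",
        f" esp-new encryption-algorithm {enc_alg}",
        f" esp-new authentication-algorithm {auth_alg}",
        f"ipsec policy {policy} {seq} manual",
        f" security acl {local.acl}",
        f" proposal {proposal}",
        f" tunnel local {local.wan_ip}",
        f" tunnel remote {remote.wan_ip}",
        f" sa inbound esp spi {inbound.spi}",
        f" sa outbound esp spi {outbound.spi}",
        f" sa inbound esp authentication-hex {inbound.auth_key_hex}",
        f" sa outbound esp authentication-hex {outbound.auth_key_hex}",
        f" sa inbound esp encryption-hex {inbound.enc_key_hex}",
        f" sa outbound esp encryption-hex {outbound.enc_key_hex}",
        f"interface {local.interface}",
        f" ipsec policy {policy}",
    ]
    return "\n".join(lines)


def render_pair(r1, r2, sa_1to2, sa_2to1, **kw):
    """Both sides from one description, so SPIs and keys cannot be mis-paired by hand."""
    return render_peer(r1, r2, sa_1to2, sa_2to1, **kw), render_peer(r2, r1, sa_2to1, sa_1to2, **kw)


def sa_spis(config):
    """Parse the 'sa inbound|outbound esp spi N' lines back out of a rendered config."""
    found = {}
    for line in config.splitlines():
        p = line.split()
        if len(p) == 5 and p[0] == "sa" and p[2] == "esp" and p[3] == "spi":
            found[p[1]] = int(p[4])
    return found


def peers_match(cfg_a, cfg_b):
    """The check done by eye on the console: A's inbound is B's outbound and vice versa."""
    a, b = sa_spis(cfg_a), sa_spis(cfg_b)
    return a.get("inbound") == b.get("outbound") and a.get("outbound") == b.get("inbound")


def lab_example():
    """Constructed lab with fresh random keys; addresses are assumptions, not the page's."""
    r1 = Peer("Router1", "10.0.0.1", "192.168.1.0 0.0.0.255", 101, "Serial0")
    r2 = Peer("Router2", "10.0.0.2", "192.168.2.0 0.0.0.255", 101, "Serial0")
    sa_1to2 = ManualSA(12345, secrets.token_hex(20), secrets.token_hex(24))
    sa_2to1 = ManualSA(54321, secrets.token_hex(20), secrets.token_hex(24))
    return render_pair(r1, r2, sa_1to2, sa_2to1)


if __name__ == "__main__":
    for cfg in lab_example():
        print(cfg, end="\n\n")
```

Running the script prints both configurations; the keys come from secrets.token_hex and are meant to be pasted once and then discarded. With the isakmp policy form the SPIs and keys are negotiated by IKE instead, and only the tunnel remote address and the proposals need to be configured.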
Ipsec configurations for Huawei and Cisco lab environments:
Huawei environment:
The topology is as follows:
[Screenshot: topology diagram, http://img1.51cto.com/attachment/201308/170253633.png]
Switch configuration:
[Screenshot: switch configuration (1), http://img1.51cto.com/attachment/201308/170420821.png]
[Screenshot: switch configuration (2), http://img1.51cto.com/attachment/201308/170433671.png]
Basic configuration of Router 1:
[Screenshot: http://www.bkjia.com/uploads/allimg/131227/05441II8-3.png]
Basic configuration of Router 2:
[Screenshot: http://www.bkjia.com/uploads/allimg/131227/05441LE5-4.png]
Basic test:
Router 1:
[Screenshot: ping test, http://www.bkjia.com/uploads/allimg/131227/05441G517-5.png]
Router 2:
[Screenshot: ping test, http://www.bkjia.com/uploads/allimg/131227/05441G405-6.png]
IPSec configuration
Router 1:
[Screenshot: http://www.bkjia.com/uploads/allimg/131227/05441H296-7.png]
[Screenshot: http://www.bkjia.com/uploads/allimg/131227/05441G649-8.png]
[Screenshot: http://www.bkjia.com/uploads/allimg/131227/05441K342-9.png]
[Screenshot: http://www.bkjia.com/uploads/allimg/131227/05441H364-10.png]
[Screenshot: http://www.bkjia.com/uploads/allimg/131227/05441M5O-11.png]
[Screenshot: http://www.bkjia.com/uploads/allimg/131227/05441H300-12.png]
[Screenshot: http://www.bkjia.com/uploads/allimg/131227/05441H558-13.png]
[Screenshot: http://www.bkjia.com/uploads/allimg/131227/05441M161-14.png]
Router 2:
[Screenshot: http://www.bkjia.com/uploads/allimg/131227/05441K211-15.png]
[Screenshot: http://www.bkjia.com/uploads/allimg/131227/05441L631-16.png]
[Screenshot: http://www.bkjia.com/uploads/allimg/131227/05441H529-17.png]
[Screenshot: http://www.bkjia.com/uploads/allimg/131227/05441M919-18.png]
[Screenshot: http://www.bkjia.com/uploads/allimg/131227/05441I308-19.png]
[Screenshot: http://www.bkjia.com/uploads/allimg/131227/05441H0T-20.png]
[Screenshot: http://www.bkjia.com/uploads/allimg/131227/05441K4R-21.png]
Final test:
Ping 192.168.2.1 on Router 1
[Screenshot: ping result, http://www.bkjia.com/uploads/allimg/131227/05441K035-22.png]