IPsec VPN basics: Understanding IPsec VPN

IPsec VPN basics: Understanding IPsec VPN
1. IPSEC provides the following services: Data Confidentiality ---------- encryption is used to prevent data from eavesdropping attacks. Data Integrity and verification -------- the HMAC function is used to verify that the data packet is not damaged and received by an effective peer. Anti-replay detection -------- this ensures that anti-replay attacks from man-in-the-middle attack devices cannot occur by including encrypted serial numbers in data packets. Peer verification -------- this is to be passed between two peers. The other party is the device that "he said it was. Device verification supports symmetric access key sharing, asymmetric access key sharing, and digital certificates. Remote access connections also support XAUTH user authentication. 2. Basic ipsec vpn process: ISAKMP/IKE stage 11> a VPN gateway peer initiates a session to another remote VPN gateway peer. 2> at the beginning of ISAKMP/IKE phase 1, the two peers negotiate on how to protect the management connection. 3> DH is used to securely share keys with encryption algorithms and HMAC functions on Management connections. 4> perform device authentication on secure management connections. ISAKMP/IKE phase 25> peer-to-peer negotiation parameters and key messages are used to protect data connections (implemented through secure management connections, or re-use DH with optionality) 6> establish data connections, VPN gateway can now protect user traffic through data connections. Phase 2 ends. 3. Basic Process of remote access to ipsec vpn isakmp/IKE stage 11> remote access the connection from the client to the remote VPN gateway. 2> when you negotiate with the VPN gateway about how to protect the management connection, IKE Phase 1 starts. 3> DH is a shared key used to secure encryption algorithms and HMAC functions on Management connections. 4> implement device authentication on secure management connections. ISAKMP/IKE stage 1.55> (optional) performs user authentication. This is implemented through the XAUTH standard. The VPN gateway requires the user to enter the user name and password. 6> (optional) the IPSEC gateway pushes the policy to the customer. The vendor may have private properties during implementation. For example, A non-cisco customer may not understand the policy pushed by a cisco VPN gateway. In cisco implementation, the customer can push an internal IP address, a domain name, a DNS address and a WINS server address, a tunneling policy, a firewall policy, and other connection policies. 7> (optional) reverse route injection. This is why the customer can inject route selection information to the VPN gateway through the IPSEC management connection, and the VPN gateway can inject the route selection information to the internal network. ISAKMP/IKE phase 28> Phase 2 start: the customer negotiates parameters and key information with the VPN gateway to protect data connections. 9> data connection establishment, phase 2 is over: VPN gateway can now protect user data through data connection. 10> the final lifecycle related to management and data connections will expire and these connections will be re-built. 4. encryption algorithms include symmetric encryption and asymmetric encryption. The advantage of symmetric encryption is that the encryption speed is fast and there is little data after encryption, but the disadvantage is that the key exchange is insecure. Key Exchange security is an advantage of asymmetric encryption such as DES, 3DES, and AES. It can be used for both encryption and authentication. The disadvantage is that encryption is slow and the data after encryption is long. There are mainly RSA and so on. 5. packet Authentication (HMAC Function + DH calculated key) VPN mainly enables HMAC) data Packet Authentication and device authentication (data packet integrity authentication and Source Authentication ). Generally, a hash function has a disadvantage: If a Eavesdropper can intercept the sent data, it can easily generate a signature for the data. HMAC uses a shared key to generate a digital signature to overcome this problem. Only the other party that knows the key can establish and verify the signature of the sent data. Here, we can only confirm that the data is complete, but the source is not determined or the target is the one who wants to establish the connection, because although their keys are the same, the key is exchanged through the DH method, DH cannot determine whether the other party is the party where the key should be exchanged. That is to say, the source or target here may be an attacker. Another problem with HMAC is that when your data is sent between two devices, your signature may be damaged by an intermediate device. For example, an address translation device. Or you need to change the QOS information. Solution: do not include certain fields in the data packet when using the HMAC function to calculate the digital signature. These fields include the following fields in the IP packet: IP address field, survival time field, service type, TCP or UDP port number field, and other fields. 6. Key Exchange (DH) DH algorithms can be divided into 1, 2, 3, 4, 5, 7, 14, 15 and other types. Cisco routers only support three types: 1, 2, and 5. DH algorithms can be linear algorithms or elliptic curves. The DH algorithm can refresh keys dynamically, securely, and in-band. Reduce the actual time for managing them to a very small amount of time. The DH algorithm provides key DH key exchange for data encryption and data integrity authentication (HMAC) on an insecure network, the public key cannot be sent to the Peer to be sent. That is to say, man-in-the-middle attacks exist. Therefore, you also need to perform peer-to-peer authentication, that is, device authentication. 7. device authentication and user authentication (this part is source authentication) device authentication usually uses the following three methods: to share a symmetric key (HMAC Function + configuration to share a key) to share an asymmetric key digital certificate, remote access to VPN adds an additional feature: the ability to put users into a group. In this case, the key to be shared is the key to be shared by the Group, authenticate the group. users in the same group authenticate that VPN gateway uses the same key to share. VPN gateway uses the same key to authenticate a group. However, if the VPN gateway needs to authenticate a user, user authentication is required, that is, the user needs to provide a user name and password. This is done in XAUTH of VPN1.5. ========================================================== ================================================================ 1, some basic commands. R1 (config) # crypto? Dynamic-map Specify a dynamic crypto map template // create or modify a dynamic encryption ing table ipsec Configure IPSEC policy // create an IPSec Security policy isakmp Configure ISAKMP policy // create an IKE policy key Long term key operations // generates an encryption key for the SSH encrypted session of the vro. Followed by the value key modulus size, in the unit of bit map Enter a crypto map // create or modify a common encryption ing table Router (config) # cryptodynamic-map? WORD Dynamic crypto map template tag // WORD is the name of the Dynamic encryption ing table Router (config) # cryptoipsec? Security-association Securityassociation parameters // The ipsec security association is not configured, specify transform-set Define transform and settings in map // Define an ipsec transformation set (a feasible combination of security protocols and algorithms) Router (config) # cryptoisakmp? Client Set client configuration policy // create an address pool enable Enable ISAKMP // start the IKE policy, the key Set pre-shared key for remote peer is started by default. // Set the key policy Set policy for an ISAKMP protection suite // Set the priority of the IKE policy Router (config) # cryptokey? Generate Generate new keys // generate a new key zeroize Remove keys // Remove the key Router (config) # cryptomap? WORD Crypto map tag // WORD is the name of map Table 2 and some important commands. Router (config) # cryptoisakmp policy? <1-10000> Priority of protection suite // sets the IKE policy, followed by numbers 1-. These numbers represent the Priority of the policy. Router (config) # cryptoisakmp policy 100 // enter the IKE policy configuration mode for the following configuration Router (config-isakmp) # encryption? // Set the Encryption method. There are Three 3des Three key triple DES aes-Advanced Encryption Standard des-Data Encryption Standard (56 bitkeys ). router (config-isakmp) # hash? // Uses the hash algorithm. MD5 is 160 bits and sha is 128 bits. Md5 Message Digest 5 sha Secure Hash StandardRouter (config-isakmp) # authenticationpre-share // use the pre-shared key authentication method Router (config-isakmp) # group? // Specify the number of digits of the key. The higher the security, but the encryption speed is slower. 1 Diffie-Hellman group 1 2 Diffie-Hellman group 2 5 Diffie-Hellman group 5 Router (config-isakmp) # lifetime? // Specify the lifetime of the Security Association, which is 60-86400 seconds <60-> lifetime insecondsRouter (config) # cryptoisakmp key *** address XXX. XXX. XXX. XXX // set the IKE exchange key. *** indicates the key composition, XXX. XXX. XXX. XXX indicates the IP address of the other party, Router (config) # cryptoipsec transform-set zx? // Set the IPsec exchange set, and set the encryption and authentication methods. zx is the name of the exchange set, which can be set by yourself. The names at both ends can also be different, but other parameters must be consistent. Ah-md5-hmac AH-HMAC-MD5 transform ah-sha-hmac AH-HMAC-SHA transform esp-3des ESP transform using 3DES (EDE) cipher (168 bits) esp-aes ESP transform using AES cipher esp-des ESP transform using DES cipher (56 bits) esp-md5-hmac ESP transform using HMAC-MD5 auth esp-sha-hmac ESP transform using HMAC-SHA auth example: router (config) # cryptoipsec transform-set zx esp-des esp-md5-hmacRouter (config) # cryptomap _ Zx 100 ipsec-isakmp // create an encrypted ing table. zx is the table name and can be customized. 100 is the priority (range: 1-65535). If multiple tables exist, the smaller the number, the higher the priority. Router (config-crypto-map) # matchaddress? // Use ACL to define encrypted communication <100-199> IP access-list number WORD Access-list nameRouter (config-crypto-map) # set? Peer Allowed Encryption/Decryptionpeer. // identify the IP address of the Peer router pfs Specify pfs settings // Specify the key length defined above, group security-association Securityassociation parameters // Specify the lifetime of the security association transform-set Specify list of transform sets inpriority order // Specify the IPSEC exchange set router (config-if) used by the encryption Graph) # crypto map zx // enter the specified interface of the router, apply the encryption graph to the interface, and zx is the encrypted graph name. 3. Configure an experiment. 1. configuration on R1. Router> enableRouter # config terminalEnter configuration commands, one per line. end with CNTL/Z. router (config) # hostname R1 // configure IKE policy R1 (config) # crypto isakmp enableR1 (config) # crypto isakmp policy 100R1 (config-isakmp) # encryption desR1 (config-isakmp) # hash md5R1 (config-isakmp) # authentication pre-shareR1 (config-isakmp) # group 1R1 (config-isakmp) # lifetime 86400R1 (config-isakmp) # exit // configure IKE key R1 (config) # crypto Isakmp key 123456 address 10.1.1.2 // create an IPSec exchange set R1 (config) # crypto ipsec transform-set zx esp-desesp-md5-hmac // create a R1 ing encryption diagram R1 (config) # crypto map zx_map 100 ipsec-isakmpR1 (config-crypto-map) # match address 111R1 (config-crypto-map) # set peer 10.1.1.2R1 (config-crypto-map) # set transform-set zxR1 (config-crypto-map) # set security-association lifetimeseconds 86400R1 (config-crypto-map) # set pfs group1R1 (config-crypt O-map) # exit // configure ACLR1 (config) # access-list 111 permit ip 192.168.1.10 0.0.0.255192.168.2.10 0.0.0.255 // apply the encryption graph to interface R1 (config) # interface s1/0R1 (config-if) # crypto map zx_map 2. the configuration on R2. The configuration is basically the same as that of R1. You only need to change the following commands: R1 (config) # crypto isakmp key 123456 address 10.1.1.1R1 (config-crypto-map) # set peer 10.1.1.1R1 (config) # access-list 111 permit ip 192.168.2.10 0.0.255192.168.1.10 0.0.0.255 3. experiment debugging. Run the following command on R1 and R2 to view the configuration information. R1 # show crypto ipsec? Sa ipsec sa table transform-set Crypto transform sets R1 # show crypto isakmp? Policy Show ISAKMP protection suite policy sa Show ISAKMP Security Associations 4. Related Knowledge points. Symmetric encryption or private key encryption: encryption and decryption use the same private key DES-data encryption Standard data encryption standard3DES-3x data encryption Standard triple data encryptionstandardAES-advanced encryption Standard advanced encryptionstandard some technologies provide verification: MAC -- message Verification Code messageauthentication codeHMAC -- hash-basedmessage authentication codeMD5 and SHA are hash functions provided for verification. symmetric encryption is used for large data volumes, because asymmetric encryption sites use a large number of cpu resources for asymmetric or public key encryption: RSA rivest-shamir-adelman uses public key encryption to decrypt the private key. The Public Key is public, but only the owner of the private key can decrypt two common hashing algorithms: The HMAC-MD5 uses a 128-bit shared private key HMAC-SHA-I using a 160-bit private key ESP protocol: this service is used to provide confidentiality, data source verification, non-connection integrity, and anti-replay services. It also restricts the confidentiality of traffic by preventing traffic analysis. These services have been established and implemented by SA since then. Encryption is completed by the DES or 3DES algorithm. Optional verification and data integrity provided by the HMAC, keyed SHA-I or MD5 IKE -- internet Key Exchange: He provides IPSEC peer verification, components 1: des and 3des used to encrypt IKE through negotiation of IPSEC key and IPSEC Security Association: diffie-Hellman's public key-based encryption protocol allows the other party to establish a public key on an insecure channel and is used to establish a session key in IKE. Group 1 indicates 768 bits, group 2 indicates 1024 bits, 3: MD5, SHA -- verifies the hash algorithm of data packets. RAS signature-based public key encryption system