The application of IPSec in Enterprise network

Source: Internet
Author: User
Tags: md5, sha1


IPSec principle description:

IPSec is short for IP Security. It is designed to provide strong security features for IP traffic, and IPSec VPNs are solutions built on the way these security features are implemented.

IPSec is a framework that consists of two types of protocols:

1. AH protocol (Authentication Header, less used): provides data integrity verification, data origin authentication, anti-replay protection and other security features; AH commonly uses the digest algorithms (one-way hash functions) MD5 and SHA1 to implement these features.

2. ESP protocol (Encapsulating Security Payload, more widely used): provides data integrity verification, data encryption, anti-replay protection and other security features; ESP usually uses DES, 3DES, AES and other encryption algorithms for data encryption, and MD5 or SHA1 for data integrity.
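To make the integrity and anti-replay features of ESP concrete, the following added example (not code from the original page) shows the receiver side of an ESP security association: it verifies the 96-bit ICV computed with HMAC-SHA1 (the "sha1-hmac-96" named in Case 1 below) and applies the sliding anti-replay window. Encryption is left out so that only the two features discussed here are visible; the key, SPI value and packet contents are constructed for the example.

```python
import hmac
import hashlib
import struct

# Constructed sample key (not a real secret): a 20-byte HMAC-SHA1 key that
# both tunnel ends would be given manually, as in the manual negotiation
# method of Case 1. The SPI value is a hypothetical one for the example SA.
AUTH_KEY = bytes(range(20))
SPI = 0x1000
ICV_LEN = 12  # "sha1-hmac-96": the 160-bit HMAC-SHA1 output truncated to 96 bits


def esp_wrap(spi, seq, payload, key=AUTH_KEY):
    """Sender side: ESP header (SPI, sequence number) + payload + 96-bit ICV.
    The ICV is HMAC-SHA1 over header and payload, truncated to 12 bytes.
    Encryption is omitted so only the integrity and anti-replay fields show."""
    header = struct.pack("!II", spi, seq)
    icv = hmac.new(key, header + payload, hashlib.sha1).digest()[:ICV_LEN]
    return header + payload + icv


class InboundSA:
    """Receiver-side state of one inbound ESP security association."""

    def __init__(self, spi, key, window=64):
        self.spi = spi
        self.key = key
        self.window = window
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence (highest - i) already seen

    def _window_check(self, seq):
        """Preliminary anti-replay check (RFC 4303 sliding window); None if OK."""
        if seq == 0:
            return "sequence number 0 is never valid"
        if seq > self.highest:
            return None                       # new high-water mark
        diff = self.highest - seq
        if diff >= self.window:
            return "sequence number too old (outside window)"
        if self.bitmap & (1 << diff):
            return "replayed packet"
        return None

    def _window_update(self, seq):
        """Advance or fill in the window after a packet passed the ICV check."""
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)

    def receive(self, packet):
        """Return (accepted, reason, payload). The window is only advanced
        after the ICV verifies, so a forged sequence number cannot disturb it."""
        if len(packet) < 8 + ICV_LEN:
            return False, "packet too short", None
        spi, seq = struct.unpack("!II", packet[:8])
        if spi != self.spi:
            return False, "unknown SPI", None
        reason = self._window_check(seq)
        if reason:
            return False, reason, None
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha1).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):   # constant-time compare
            return False, "integrity check (ICV) failed", None
        self._window_update(seq)
        return True, "ok", body[8:]
```

The order of checks follows RFC 4303: the cheap window check runs first so that obviously replayed packets cost no HMAC computation, but the window is updated only after the ICV verifies. The example keeps SHA1 because that is what the page configures; in current deployments HMAC-SHA2 or AES-GCM is preferred, and DES and MD5 are deprecated.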

IPSec VPN application scenarios fall into three types:

1. Site-to-site (site to site or gateway to gateway): for example, three sites of one organization distributed in three different places on the Internet, each using a commercial gateway to establish VPN tunnels with the others; the data between the enterprise intranets (several PCs each) is securely interconnected through the IPSec tunnels established by these gateways.

2. End-to-end (or PC to PC): communication between two PCs is protected by an IPSec session between the two PCs themselves, not by gateways.

3. End-to-site (or PC to gateway): communication between two PCs is protected by IPSec between a gateway and the remote PC.

VPN Protocol classification:

Layer 2 tunneling protocols: PPTP, L2TP, L2F; used for user (remote-access) VPNs, "host to network".

Layer 3 tunneling protocols: GRE, IPSec; used for enterprise VPNs, "network to network".

Advantages of VPN:

1. Low cost: can save 30% to 70% of the cost;

2. High security: encrypted communication can be achieved;

3. Simplified network design;

4. Easy to expand;

5. Support for emerging applications.

Disadvantages of VPN:

1. Forwarding delay is relatively large;

2. Hardware VPN devices are expensive.

Configuring the access control list (ACL):

1. Selects the data flows that meet particular characteristics;

2. Determines which IP users' traffic passes through the tunnel;

3. Requires an extended ACL.

What are the packet encapsulation modes?

1. Transport mode: no tunnel server, host to host;

2. Tunnel mode: at least one tunnel server (gateway) is involved.
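The two preceding sections (the extended ACL that selects traffic for the tunnel, and the transport versus tunnel encapsulation modes) can be shown together in one added example, which is not code from the original page. It models what a site-to-site gateway does with an outbound packet: an extended ACL written for the Case 1 subnets decides whether a packet is "interesting traffic", and permitted packets are wrapped in ESP in tunnel mode so that only the gateway addresses are visible on the wire. The gateway addresses (203.0.113.1 and 203.0.113.2), the SPI and the packet contents are constructed; the ESP trailer, encryption and ICV are omitted to keep the header layout in focus.

```python
import ipaddress
import struct

ESP_PROTOCOL = 50  # IP protocol number carried in the outer header for ESP

# Constructed extended ACL for the two-branch case: (action, protocol name,
# source network, destination network). First match wins; anything that
# matches no rule is implicitly denied, i.e. not sent through the tunnel.
INTERESTING_TRAFFIC = [
    ("permit", "ip", "192.168.1.0/24", "192.168.2.0/24"),
    ("permit", "ip", "192.168.1.0/24", "192.168.3.0/24"),
]
PROTOCOL_NUMBERS = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17}  # None = any


def acl_permits(acl, src, dst, proto):
    """First-match evaluation of an extended ACL (source, destination, protocol)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, name, snet, dnet in acl:
        wanted = PROTOCOL_NUMBERS[name]
        if wanted is not None and wanted != proto:
            continue
        if s in ipaddress.ip_network(snet) and d in ipaddress.ip_network(dnet):
            return action == "permit"
    return False  # implicit deny at the end of the list


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header; checksum left zero (illustrative only)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed)


def parse_ipv4(packet):
    """Return (src, dst, protocol) from the outermost IPv4 header."""
    src = str(ipaddress.ip_address(packet[12:16]))
    dst = str(ipaddress.ip_address(packet[16:20]))
    return src, dst, packet[9]


def esp_encapsulate(packet, mode, gw_local, gw_remote, spi, seq):
    """Transport mode keeps the original IP header outermost and inserts the
    ESP header in front of the payload, so the end hosts stay visible.
    Tunnel mode wraps the entire original packet and adds a new outer header
    that carries the gateway addresses, hiding the inner addresses."""
    esp_header = struct.pack("!II", spi, seq)
    if mode == "transport":
        src, dst, _ = parse_ipv4(packet)
        payload = packet[20:]
        return (ipv4_header(src, dst, ESP_PROTOCOL, len(esp_header) + len(payload))
                + esp_header + payload)
    if mode == "tunnel":
        return (ipv4_header(gw_local, gw_remote, ESP_PROTOCOL, len(esp_header) + len(packet))
                + esp_header + packet)
    raise ValueError("mode must be 'transport' or 'tunnel'")


def gateway_forward(packet, acl, gw_local, gw_remote, spi, seq):
    """Outbound handling on a site-to-site gateway: packets the ACL permits
    are protected in tunnel mode; in this model everything else is forwarded
    unchanged (a real policy may also drop such traffic)."""
    src, dst, proto = parse_ipv4(packet)
    if acl_permits(acl, src, dst, proto):
        return esp_encapsulate(packet, "tunnel", gw_local, gw_remote, spi, seq)
    return packet
```

Running `gateway_forward` on a packet from 192.168.1.10 to 192.168.2.20 yields an outer header with source 203.0.113.1, destination 203.0.113.2 and protocol 50, with the original packet intact after the 8-byte ESP header; a packet to a subnet outside the ACL is returned untouched, which is exactly the selection role the ACL section describes.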

What are the local end and the remote end?

A secure tunnel is built between the local gateway and the remote (peer) gateway, so both the local address and the remote address must be configured before the tunnel can be established. A manually created security policy can hold only one pair of local/remote addresses; if a pair has already been specified, the original addresses must be deleted before new ones can be specified. Both parties can create the secure tunnel only after each has correctly specified both its local and its remote address.

Case 1:

Case Description:

A security tunnel is established between headquarters router R1 and branch 1 router R2, and between headquarters router R1 and branch 2 router R3;

Implementing VPN communication between the subnet (192.168.1.x) represented by PC1 and the subnet (192.168.2.x) represented by PC2;

Implementing VPN communication between the subnet (192.168.1.x) represented by PC1 and the subnet (192.168.3.x) represented by PC3;

The security protocol is ESP, the encryption algorithm is DES, the authentication algorithm is sha1-hmac-96, and the negotiation method is manual.
