IPSec是一個IETF的標準(公開的標準),他有以下三個特點:
1. 可驗證每一個IP封包 --> 確認真的是某一使用者所傳過來的
2. 可確認每一個封包在傳遞的過程是否有被修改過 -->
3. 可確保資料的隱密性 --> Hash: MD5 or SHA
在Microsoft用PPTP或是L2TP
IPSec用三種Protocols來做security的架構:
IKE (Internet Key Exchange): 用於協商安全性的參數和建立authentication key
ESP (Encapsulatint Security Paypload): 一種header(檔頭),提供一個encrypting, authenticating, and securing of data 的架構。
AH (Authentication Header): 提供一個authenticating and securing of data 的架構
當Internet的兩端要互相溝通的時候會有兩個Phases:
<-------------------------------------IKE Phase 1 (ISAKMP Phase)----------------------------------------->
Authentication: PSK (Pre-Shared Key)(是由兩方事先先決定好的一個KEY, RSA Signature
Key Exchange: DH(Diffie-Hellman) Group 1,2, or 5
--> Diffie–Hellman密鑰交換(Diffie–Hellman key exchange,簡稱「D–H」)是一種安全協定。它可以讓雙方在完全沒有對方任何預先資訊的條件下透過 不安全信道建立起一個密鑰。這個密鑰可以在後續的通訊中作為對稱密鑰來加密通訊內容。
Security Negociation: Encryption (加密) --> DES, 3DES, or AES
Hash --> MD5 or SHA
*當兩方完成協商後會有兩份SA (Service Agreement),這份SA中包含兩方協商過那一些資訊;
這份資料會由我們來設定是由Time Life or 多少Data Size被傳輸後這份SA就會過期。
<-------------------------------------IKE Phase 2 (IPSec Phase)-------------------------------------------->
Encryption (加密):DES, 3DES, or AES
Hash:MD5 or SHA
Headers: ESP or AH
Modes: Tunnel or Transport Mode
由以上的圖,我們可以看到Transfer Mode 和 Tunnel Mode封包的差別:
1. Transport Mode:在舊IP (灰色IP格)後會加上一個ESP/AH的Header,但是這不能在Internet上流動,因為Router會看不懂Private IP(灰色IP格),所以,如果公司內要用Transport Mode一定要內部的設備也是用Public IP才可以通。
2. Tunnel Mode:在ESP/AH Header前面我們會加一個New IP,所以當一個設備收到這個封包,會知道這往那送,因為New IP是個Public IP,當在把NEW IP拿掉後,Gateway Router就可以知道Private IP是屬於其內部的那一台設備。
**還有一點要注意的是如果是Tunnel Mode,從公司內部出去的話會要轉PAT的話會Fail(NAT不會,因為不用看port number),因為ESP header裡的Layer 4的port info被加密了。所以我們要在ESP Header前加一個UDP Header (UDP 4500),這也就是要在Router上啟用NAT Traversal的功能。
當然,ESP和AH用的Port號也要注意,不要被Firewall擋掉了:ESP IP protocol = 50; AH IP Protocol = 51
話不多說,來點實作吧:
1. ISAKMP policy
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
Authentication: pre-share or RA Signature
Pre-Share Key: crypto isakmp key PASSWORD address 100.140.4.2
DH group --> group #
Lifetime --> crypto ipsec security-association lifetime kilo 1048576 (1024 x 1024 k)
2. IPSec transform-set
crypto ipsec transform-set ESP_AES ah-sha-hmac esp-aes 256
3. Access-List
access-list 100 permit ip 192.168.103.0 0.0.0.255 192.168.104.0 0.0.0.255
4. MAP
crypto map S0/0_VPN_MAP 10 ipsec-isakmp
set peer 100.140.4.2
set transform-set ESP_AES
match address (ACL) 100
5. Apply to the interface
int s 0/0
crypto map S0/0_VPN_MAP
---------------------------------------------------------------------
sh runn....
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 20
encr aes
authentication pre-share
group 5
lifetime 3600
!
crypto isakmp policy 30
encr aes 256
hash md5
authentication pre-share
group 2
crypto isakmp key MYCISCO address 100.140.4.2
crypto isakmp key Cisco address 100.140.1.2
crypto isakmp key CCNP address 100.140.2.2
!
crypto ipsec security-association lifetime kilobytes 1048576
!
crypto ipsec transform-set ESP_SHA ah-sha-hmac esp-aes 256
crypto ipsec transform-set ESP_AES_AH ah-sha-hmac esp-aes 256
crypto ipsec transform-set ESP_AH esp-aes 256 esp-sha-hmac
!
crypto map S0/0_VPN_MAP 10 ipsec-isakmp
set peer 100.140.4.2
set transform-set ESP_SHA
match address 100
crypto map S0/0_VPN_MAP 20 ipsec-isakmp
set peer 100.140.1.2
set transform-set ESP_AES_AH
match address 110
crypto map S0/0_VPN_MAP 30 ipsec-isakmp
set peer 100.140.2.2
set transform-set ESP_AH
match address 130
!
crypto map TU10_VPN_MAP 10 ipsec-isakmp
set peer 100.140.2.2
set transform-set ESP_AH
match address 130
!
!
!
!
interface Loopback100
ip address 3.3.3.3 255.255.255.0
!
interface Tunnel10
ip address 100.23.23.2 255.255.255.0
tunnel source Serial0/0
tunnel destination 100.140.2.2
crypto map TU10_VPN_MAP
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0
ip address 100.140.3.2 255.255.255.0
crypto map S0/0_VPN_MAP
!
interface FastEthernet0/1
ip address 192.168.103.254 255.255.255.0
duplex auto
speed auto
!
interface Serial0/1
no ip address
shutdown
!
router ospf 1
log-adjacency-changes
network 3.3.3.3 0.0.0.0 area 0
network 100.23.23.2 0.0.0.0 area 0
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Serial0/0
ip route 192.168.102.0 255.255.255.0 Tunnel10
!
!
no ip http server
no ip http secure-server
!
access-list 100 permit ip 192.168.103.0 0.0.0.255 192.168.104.0 0.0.0.255
access-list 110 permit ip 192.168.103.0 0.0.0.255 192.168.101.0 0.0.0.255
access-list 130 permit gre host 100.140.3.2 host 100.140.2.2
!
留言列表
