加密历史
以前:安全的算法
现代:安全的密钥
解密:最好的方法从密钥管理和密钥分发中寻找机会,
而不是从算法本身入手
因此,一个密码系统的成功与否的关键是密钥的生成,分发,管理
加密安全
不存在绝对的安全一样有
加密方法的健壮度是由其复杂度在决定的
用“计算安全”来量度一个现代加密系统的安全程度
两种加密模式:流加密和块加密
对称加密算法的特点
优点 速度快
安全
密文紧凑
缺点 密钥的传输和管理
密钥数目指数整张
不支持数字签名和不可否认性
非对称加密算法的缺点
优点 安全
密钥管理安全,方便
支持数字签名和不可否认性
缺点 速度慢
密文便很长
Hmac(密钥化散列)
KEY+Date+Hash=Key+data+hash
数字签名
|data+公钥|+Hash
单纯的数字签名不能完成身份验证,必须结合证书
证书
保证公钥对应个身份
=格式化个公钥
包含姓名、地址、组织、公钥、有效期、认证机构数字签名
完整解决方案SSL
A--->B
A--证书+A公钥-->B
--共享密钥+A公钥--密文-----\ -明文+Hash-
| \ | |--验证
B-|--明文+hash+B私钥---数字签名------>A----Hash---
| / | |
---------------B公钥+证书--/ ----B公钥
B--->共享密钥+data-->密文-----A---->共享密钥---->明文
---------------------------------------------------------
各种×××技术的比较
目前已经投入实际当中使用的×××技术包括IPSec ×××、SSL ×××、MPLS ×××。
这三种×××技术各有特色、各有所长。目前国外主要厂商对SSL ×××技术、MPLS ×××技术发展相对比较重视发展较快,
但是目前应用最为广泛,技术最为成熟的仍然是IPSec ×××技术。
IPSec协议是网络层协议, 是为保障IP通信而提供的一系列协议族。
SSL是套接层协议,它是保障在Internet上基于Web的通信的安全而提供的协议。
以标签交换是作为底层转发机制的MPLS(MultiProtocol Label Switching,多协议标记交换)×××。
1.IPSec针对数据在通过公共网络时的数据完整性、安全性和合法性等问题设计了一整套隧道、
加密和认证方案。IPSec能为IPv4/IPv6网络提供能共同操作/使用的、高品质的、基于加密的安全机制。
提供包括存取控制、无连接数据的完整性、数据源认证、防止重发***、基于加密的数据机密性和受限数据流的机密性服务。
2.SSL用公钥加密通过SSL连接传输的数据来工作。SSL是一种高层安全协议,建立在应用层上。
SSL ×××使用SSL协议和代理为终端用户提供HrrP、客户机/服务器和共享的文件资源的访问认证和访问安全SSL ×××传递用户层的认证。确保只有通过安全策略认证的用户可以访问指定的资源。
3.MPLS是一个可以在多种第二层媒质上进行标记交换的网络技术。
不论什么格式的数据均可以第三层的路由在网络的边缘实施,而在MPLS的网络核心采用第二层交换,
因此可以用一句话概括MPLS的特点:“边缘路由,核心交换”
IPsec基本概念
源于IPv6
网络层加密
IPsec框架
加密 :DES、3DES、AES、RSA
HASH :SHA-1、md5
封装方式:ESP、AH
认证方式:Pre-key,数字证书
| IP | IPSEC Header | TCP | FTP | Date |
-----------------
|
加密
两种模型
L2L/Remote Access
两种模式
tunnel/Transport
Tunnel :通信点不等于加密点
| NIP | ESP/AH | IP | DATA |
Transport :通信点=加密点
| IP | ESP/AH | DATA |
L2L/Remote Access用Tunnel封装模式
Pc--Pc和GRE over IPsec用Transport封装模式
SA(安全关联)
构成IPsec的基础
SA是两个通信实体经协商建立起来的一种协定。
它决定了用来保护数据包的IPsec
协议(ESP/AH)、转码方式(加密/Hash)、密钥、密钥有效时间
SADB(SA数据库)
SA是单向的与协议相关的
SPD(安全策略数据库)
丢弃,绕过,应用
IPsec的组成部分
ESP(封装安全负载)
AH(认证头部)
IKE(网络密钥交换)
ESP
协议号:50
私密性,数据完整性,源认证,抵御重放***
| IP | ESP header | TCP | Data | ESP auth |
------------加密----
---------验证-------------
ESP包结构(tunnel mode)
IP header
SPI---------------------------
sequence number |
--IV |
加 | IP header | 认证
密 | TCP header |
| Date |
--Pad+pad length+next header----
Authentication data
明文=SPI(在SADB中找到相应策略)+序列号(防重放)
ESP auth=Hmac(96bit)
ESP处理流程
出方向(传输模式)
1.插入ESP头部并填充相应字段
2.选择SA进行加密
3.Hash 插入ESP尾部
4.重算IP头部校验和
入方向
1.检查SA是否存在
2.序列号是否有效
3.数据包完整性和源验证
4.解密
5.有效性验证(模式是否匹配)
6.传送模式(查询路由表 转发)
对分片的处理:默认 先分片再加密
AH(Authentication Header)
AH 协议号:51
不支持加密
不支持NAT
IKE
负责在两个IPSec对等体间协商一条IPsec隧道的协议
协商协议参数
交换公共密钥
对双方进行认证
在交换后对密钥进行管理
IKE三个组成部分(混合协议)
SKEME:(定义一种密钥交换方式)
Oakley:(对多模式的支持,例如对新加密技术,并没有具体定义交换信息)
ISAKMP:定义了消息交换的体系结构,包括两个IPsec对等体间分组形式和状态
(定义封装格式和协商包交换个方式)
三个模式
主模式,主动模式,快速模式
主动模式:预共享密钥的远程拨号×××(降低PC的资源消耗)
主IKE 1阶段1-2个数据包模式:其余所有
---------------------------------------------------------
Phase 1 SA(ISAKMP SA/双向):用于认证(吃饭)
主模式(6个包) 主动模式(3个包)
| |
| |
----------------------------
| 新的IPsec隧道或者rekey
----------------------------
Phase 2 SA (IPSEC SA) Phase 2 SA (IPSEC SA/单向) (签合同)
快速模式(3个包) 快速模式
| |
A<---受保护的数据--->B c<---受保护的数据--->d
----------------------------------------------------------
第一阶段:认证
第二阶段:协商具体流量的处理办法
IKE 1阶段主模式第1-2个数据包(明文)
交换IP地址(设置对端)和策略(认证方式、HASH认证、加密5-9个包,DH组,Key life)
发送方将自己的策略全部交给接收方,接收方根据序号匹配自己的策略,然后将相同的策略交给发送方
IKE 1阶段主模式第3-4个数据包(明文)
交换DH公共值
IKE 1阶段主模式第5-6个数据包(密文)
双方认证初始化设备
IKE 1阶段主动模式第1-2个数据包(明文)
=主模式1-6个包,但认证的信息是通过hash明文显示
IKE 1阶段主动模式第3个数据包
确认
IKE 2阶段快速模式3个数据包
基于感兴趣流
1.提交发送方对实际流量处理策略
2.接受方匹配并返回策略
3.确认
IPsec ××× 标准配置
R1-----R2-----R3
R1--R2:12.1.1.1/2
R2--R3:23.1.1.2/3
R1 lo 0:1.1.1.1
R3 lo 0:3.3.3.3
1.开启crypto isakmp
crypto isakmp enable
2.定义第一阶段策略
cry isakmp po 10
默认策略为
R1#show crypto isakmp policy
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
只有当配置和默认策略不相同是才会显示出啦
3.定义预共享密钥和peer
cry isa key 0 cisco add 23.1.1.3
(这里的key仅用于认证,加密使用的是DH产生的随机数)
4.定义感兴趣流
ip access-l EX ×××
per ip ho 1.1.1.1 ho 3.3.3.3
5.定义转换集(第二阶段策略)
cry ipsec transform-set trans esp-3des esp-sha-hmac
mode tunnel/transport
(这里的模式可以不用设置,因为只有条件(加密点=通信点)达到是才会使用传输模式)
6.汇总
cry map ×××-1 10 ipsec-isakmp
match add ***
set transform-set trans
set peer 23.1.1.3
7.在接口上调用
int f0/0
cry map ***-1
8.检查
show cry engine connections acticve
Crypto Engine Connections
ID Interface Type Algorithm Encrypt Decrypt IP-Address
1 Fa0/1 IPsec 3DES+SHA 0 4 23.1.1.3
2 Fa0/1 IPsec 3DES+SHA 4 0 23.1.1.
show cry isakmp sa
show cry ipsec sa
9.清除(两边都要清除)
clear cry isa 默认1天
clear cry sa 默认1小时
Debug IPsec ×××建立过程
---------------------------------------------------------------------------------------------------
Apr 14 10:27:00.923: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 12.1.1.1, remote= 23.1.1.3,
local_proxy= 1.1.1.1/255.255.255.255/0/0 (type=1),
remote_proxy= 3.3.3.3/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= NONE (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Apr 14 10:27:00.931: ISAKMP:(0): SA request profile is (NULL)
Apr 14 10:27:00.935: ISAKMP: Created a peer struct for 23.1.1.3, peer port 500
Apr 14 10:27:00.935: ISAKMP: New peer created peer = 0x63F335E8 peer_handle = 0x80000003
Apr 14 10:27:00.935: ISAKMP: Locking peer struct 0x63F335E8, refcount 1 for isakmp_initiator
Apr 14 10:27:00.935: ISAKMP: local port 500, remote port 500
Apr 14 10:27:00.939: ISAKMP: set new node 0 to QM_IDLE
Apr 14 10:27:00.939: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 63F38D24
Apr 14 10:27:00.939: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Apr 14 10:27:00.939: ISAKMP:(0):found peer pre-shared key matching 23.1.1.3
Apr 14 10:27:00.943: ISAKMP:(0): constructed NAT-T vendor-07 ID
Apr 14 10:27:00.943: ISAKMP:(0): constructed NAT-T vendor-03 ID
Apr 14 10:27:00.947: ISAKMP:(0): constructed NAT-T vendor-02 ID
Apr 14 10:27:00.947: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Apr 14 10:27:00.947: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
Apr 14 10:27:00.947: ISAKMP:(0): beginning Main Mode exchange
Apr 14 10:27:00.951: ISAKMP:(0): sending packet to 23.1.1.3 my_port 500 peer_port 500 (I) MM_NO_STATE //第1个包
Apr 14 10:27:00.951: ISAKMP:(0):Sending an IKE IPv4 Packet.
Apr 14 10:27:01.487: ISAKMP (0:0): received packet from 23.1.1.3 dport 500 sport 500 Global (I) MM_NO_STATE //第2个包
Apr 14 10:27:01.491: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Apr 14 10:27:01.491: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
Apr 14 10:27:01.495: ISAKMP:(0): processing SA payload. message ID = 0
Apr 14 10:27.:01.495: ISAKMP:(0): processing vendor id payload
Apr 14 10:27:01.495: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
Apr 14 10:27:01.499: ISAKMP (0:0): vendor ID is NAT-T v7
Apr 14 10:27:01.499: ISAKMP:(0):found peer pre-shared key matching 23.1.1.3
Apr 14 10:27:01.499: ISAKMP:(0): local preshared key found
Apr 14 10:27:01.499: ISAKMP : Scanning profiles for xauth ...
Apr 14 10:27:01.503: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
Apr 14 10:27:01.503: ISAKMP: encryption AES-CBC
Apr 14 10:27:01.503: ISAKMP: keylength of 128
Apr 14 10:27:01.503: ISAKMP: hash SHA
Apr 14 10:27:01.503: ISAKMP: default group 2
Apr 14 10:27:01.503: ISAKMP: auth pre-share
Apr 14 10:27:01.507: ISAKMP: life type in seconds
Apr 14 10:27:01.507: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Apr 14 10:27:01.507: ISAKMP:(0):atts are acceptable. Next payload is 0 //1-2个包成功
Apr 14 10:27:01.511: ISAKMP:(0): processing vendor id payload
Apr 14 10:27:01.511: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
Apr 14 10:27:01.511: ISAKMP (0:0): vendor ID is NAT-T v7
Apr 14 10:27:01.515: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Apr 14 10:27:01.515: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
Apr 14 10:27:01.523: ISAKMP:(0): sending packet to 23.1.1.3 my_port 500 peer_port 500 (I) MM_SA_SETUP //第3个包
Apr 14 10:27:01.523: ISAKMP:(0):Sending an IKE IPv4 Packet.
Apr 14 10:27:01.527: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Apr 14 10:27:01.527: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
Apr 14 10:27:02.119: ISAKMP (0:0): received packet from 23.1.1.3 dport 500 sport 500 Global (I) MM_SA_SETUP //第4个包
Apr 14 10:27:02.123: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Apr 14 10:27:02.123: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
Apr 14 10:27:02.131: ISAKMP:(0): processing KE payload. message ID = 0
Apr 14 10:27:02.239: ISAKMP:(0): processing NONCE payload. message ID = 0
Apr 14 10:27:02.243: ISAKMP:(0):found peer pre-shared key matching 23.1.1.3
Apr 14 10:27:02.247: ISAKMP:(1002): processing vendor id payload
Apr 14 10:27:02.247: ISAKMP:(1002): vendor ID is Unity
Apr 14 10:27:02.251: ISAKMP:(1002): processing vendor id payload
Apr 14 10:27:02.251: ISAKMP:(1002): vendor ID is DPD
Apr 14 10:27:02.251: ISAKMP:(1002): processing vendor id payload
Apr 14 10:27:02.255: ISAKMP:(1002): speaking to another IOS box!
Apr 14 10:27:02.255: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Apr 14 10:27:02.255: ISAKMP:(1002):Old State = IKE_I_MM4 New State = IKE_I_MM4
Apr 14 10:27:02.263: ISAKMP:(1002):Send initial contact
Apr 14 10:27:02.263: ISAKMP:(1002):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Apr 14 10:27:02.263: ISAKMP (0:1002): ID payload
next-payload : 8
type : 1
address : 12.1.1.1
protocol : 17
port : 500
length :12
Apr 14 10:27:02.267: ISAKMP:(1002):Total payload length: 12
Apr 14 10:27:02.271: ISAKMP:(1002): sending packet to 23.1.1.3 my_port 500 peer_port 500 (I) MM_KEY_EXCH //第5个包
Apr 14 10:27:02.271: ISAKMP:(1002):Sending an IKE IPv4 Packet.
Apr 14 10:27:02.275: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Apr 14 10:27:02.275: ISAKMP:(1002):Old State = IKE_I_MM4 New State = IKE_I_MM5
Apr 14 10:27:02.883: ISAKMP (0:1002): received packet from 23.1.1.3 dport 500 sport 500 Global (I) MM_KEY_EXCH //第6个包
Apr 14 10:27:02.887: ISAKMP:(1002): processing ID payload. message ID = 0
Apr 14 10:27:02.887: ISAKMP (0:1002): ID payload
next-payload : 8
type : 1
address : 23.1.1.3
protocol : 17
port : 500
length : 12
Apr 14 10:27:02.887: ISAKMP:(0):: peer matches *none* of the profiles
Apr 14 10:27:02.891: ISAKMP:(1002): processing HASH payload. message ID = 0
Apr 14 10:27:02.891: ISAKMP:(1002):SA authentication status:
authenticated
Apr 14 10:27:02.895: ISAKMP:(1002):SA has been authenticated with 23.1.1.3 //第一阶段完成
Apr 14 10:27:02.895: ISAKMP: Trying to insert a peer 12.1.1.1/23.1.1.3/500/, and inserted successfully 63F335E8.
Apr 14 10:27:02.895: ISAKMP:(1002):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Apr 14 10:27:02.899: ISAKMP:(1002):Old State = IKE_I_MM5 New State = IKE_I_MM6
Apr 14 10:27:02.903: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Apr 14 10:27:02.903: ISAKMP:(1002):Old State = IKE_I_MM6 New State = IKE_I_MM6
Apr 14 10:27:02.911: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Apr 14 10:27:02.911: ISAKMP:(1002):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
Apr 14 10:27:02.915: ISAKMP:(1002):beginning Quick Mode exchange, M-ID of 2121302861
Apr 14 10:27:02.919: ISAKMP:(1002):QM Initiator gets spi
Apr 14 10:27:02.923: ISAKMP:(1002): sending packet to 23.1.1.3 my_port 500 peer_port 500 (I) QM_IDLE //第7个包
Apr 14 10:27:02.923: ISAKMP:(1002):Sending an IKE IPv4
R1#Packet.
Apr 14 10:27:02.927: ISAKMP:(1002):Node 2121302861, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Apr 14 10:27:02.927: ISAKMP:(1002):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
Apr 14 10:27:02.927: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Apr 14 10:27:02.931: ISAKMP:(1002):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Apr 14 10:27:03.331: ISAKMP (0:1002): received packet from 23.1.1.3 dport 500 sport 500 Global (I) QM_IDLE //第8个包
Apr 14 10:27:03.335: ISAKMP:(1002): processing HASH payload. message ID = 2121302861
Apr 14 10:27:03.335: ISAKMP:(1002): processing SA payload. message ID = 2121302861
Apr 14 10:27:03.335: ISAKMP:(1002):Checking IPSec proposal 1
Apr 14 10:27:03.339: ISAKMP: transform 1, ESP_3DES
Apr 14 10:27:03.339: ISAKMP: attributes in transform:
Apr 14 10:27:03.339: ISAKMP: encaps is 1 (Tunnel)
Apr 14 10:27:03.339: ISAKMP: SA life type in seconds
Apr 14 10:27:03.339: ISAKMP: SA life duration (basic) of
R1#3600
Apr 14 10:27:03.339: ISAKMP: SA life type in kilobytes
Apr 14 10:27:03.343: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
Apr 14 10:27:03.343: ISAKMP: authenticator is HMAC-SHA
Apr 14 10:27:03.343: ISAKMP:(1002):atts are acceptable. //7-8协商完成
Apr 14 10:27:03.347: IPSEC(validate_proposal_request): proposal part #1
Apr 14 10:27:03.347: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 12.1.1.1, remote= 23.1.1.3,
local_proxy= 1.1.1.1/255.255.255.255/0/0 (type=1),
remote_proxy= 3.3.3.3/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Apr 14 10:27:03.351: Crypto mapdb : proxy_match
src addr : 1.1.1.1
dst addr : 3.3.3.3
protocol : 0
src port : 0
dst port : 0
Apr 14 10:27:03.351: ISAKMP:(1002): processing NONCE payload. message ID = 2121302861
Apr 14 10:27:03.355:
R1#ISAKMP:(1002): processing ID payload. message ID = 2121302861
Apr 14 10:27:03.355: ISAKMP:(1002): processing ID payload. message ID = 2121302861
Apr 14 10:27:03.367: ISAKMP:(1002): Creating IPSec SAs
Apr 14 10:27:03.367: inbound SA from 23.1.1.3 to 12.1.1.1 (f/i) 0/ 0
(proxy 3.3.3.3 to 1.1.1.1)
Apr 14 10:27:03.367: has spi 0x699EB1D4 and conn_id 0
Apr 14 10:27:03.367: lifetime of 3600 seconds
Apr 14 10:27:03.371: lifetime of 4608000 kilobytes
Apr 14 10:27:03.371: outbound SA from 12.1.1.1 to 23.1.1.3 (f/i) 0/0
(proxy 1.1.1.1 to 3.3.3.3)
Apr 14 10:27:03.371: has spi 0x720F5EE8 and conn_id 0
Apr 14 10:27:03.371: lifetime of 3600 seconds
Apr 14 10:27:03.371: lifetime of 4608000 kilobytes
Apr 14 10:27:03.375: ISAKMP:(1002): sending packet to 23.1.1.3 my_port 500 peer_port 500 (I) QM_IDLE //第9个包
Apr 14 10:27:03.375: ISAKMP:(1002):Sending an IKE IPv4 Packet.
Apr 14 10:27:03.379: ISAKMP:(1002):del
R1#eting node 2121302861 error FALSE reason "No Error"
Apr 14 10:27:03.379: ISAKMP:(1002):Node 2121302861, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Apr 14 10:27:03.379: ISAKMP:(1002):Old State = IKE_QM_I_QM1 New State = IKE_QM_PHASE2_COMPLETE
Apr 14 10:27:03.383: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Apr 14 10:27:03.387: Crypto mapdb : proxy_match
src addr : 1.1.1.1
dst addr : 3.3.3.3
protocol : 0
src port : 0
dst port : 0
Apr 14 10:27:03.387: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 23.1.1.3
Apr 14 10:27:03.391: IPSEC(policy_db_add_ident): src 1.1.1.1, dest 3.3.3.3, dest_port 0
Apr 14 10:27:03.391: IPSEC(create_sa): sa created, //SA创建
(sa) sa_dest= 12.1.1.1, sa_proto= 50,
sa_spi= 0x699EB1D4(1772007892),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 3
Apr 14 10:27:03.395: IPSEC(create_sa): sa created,
(sa) sa_dest= 23.1.1.3, sa_proto= 50,
sa_spi= 0x720F5EE8(1913609960)
R1#,
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 4
Apr 14 10:27:03.395: IPSEC(update_current_outbound_sa): updated peer 23.1.1.3 current outbound sa to SPI 720F5EE8
Apr 14 10:27:03.935: ISAKMP:(1001):purging node -224027478
Apr 14 10:27:03.935: ISAKMP:(1001):purging node -1975374832
R1#
Apr 14 10:27:13.939: ISAKMP:(1001):purging SA., sa=63F32D14, delme=63F32D14
---------------------------------------------------------------------------------------------------
传统IPsec×××的缺点
IPsec ×××不能够支持加密二层的组播流量,这就意味着不能够通过IPsec ×××允许动态路由协议
而且不好定义感兴趣流
且没有接口可以调用所以不支持FW和QOS
但是这个限制在12.4之后就消除了。cisco 12.4版本IOS中引入了SVTI(静态虚拟隧道接口)的技术
GRE(通用路由封装)
协议号:47
它能很好的封装组播和二层协议,能够为我们的ipsec ×××提供动态路由协议的服务,
但他不提供安全功能
动态路由协议为我们消除了手动写静态路由的烦恼,并且可以动态的探测对方网段是否可达
GRE包格式
| NIP | GRE | IP | Date |
GRE的配置
R1---could---R3
R1--could:12.1.1.1/2
could--R3:23.1.1.2/3
R1 lo 0 :1.1.1.1
R3 lo 0 :3.3.3.3
R1
interface Tunnel0
ip address 10.1.1.1 255.255.255.0
tunnel source 12.1.1.1
tunnel destination 23.1.1.3
R2
interface Tunnel0
ip address 10.1.1.2 255.255.255.0
tunnel source 23.1.1.3
tunnel destination 12.1.1.1
然后我们在R1和R3上指一条默认路由出外网就行了
GRE隧道的抖动
这时我们还可以在R1和R3上运行OSPF
但这里有一点要注意
不能将物理口宣告到OSPF进程中去,否则会形成递归路由,造成GRE隧道的抖动
Apr 15 10:52:01.963: %TUN-5-RECURDOWN: Tunnel0 temporarily disabled due to recursive routing
造成递归路由的原因
环境:R1正常宣告,R2将连接外网的物理口宣告到OSPF中去
R2通过Hello包告诉R1,通过tunnel 0可以到达23.1.1.0网段
R1 1.1.1.1有数据包去往R2 3.3.3.3时,首先查看路由表,发现通过tunnel口可以到达
于是封装GRE报头
| sou:12.1.1.1 | GRE | sou :1.1.1.1 | ICMP
| des:23.1.1.3 | | des :3.3.3.3 |
如果在正常情况下,R1再次查询路由表发现没有到达23.1.1.3的路由于是通过默认路由转发出去
但此时由于R3将23.1.1.0网段宣告进了OSPF进程,所以R1 从tunnel学到去往23.1.1.3的路由,而起他的优先级高于默认路由
所以会再次经过tunnel进行GRE的封装
| sou:12.1.1.1 | GRE | sou:12.1.1.1 | GRE | sou :1.1.1.1 | data
| des:23.1.1.3 | | des:23.1.1.3 | | des :3.3.3.3 |
此时再次循环之前的步骤,就在数据包不断的进行封装,无法正常转发
隧道的建立的条件是能到达数据包能到达23.1.1.3,此时隧道无法在继续建立因而由UP变为DOWN。
既然没有隧道OSPF也无法在传递路由信息,路由表回到了只有直连跟一条默认路由的状态。
由于没有比它优先的OSPF路由存在,那条默认路由在这里“从获新生”,GRE又可以通过它来建立隧道,
隧道建立好以后OSPF继续通过它来学习路由,把学习到的路由放在路由表里再一次替代那条默认路由导致隧道又由UP变为DOWN。
如此反复而出现GRE隧道的抖动。
GER over IPsec
包格式
| IP | ESP/AH | ip | GRE | ip | data | 隧道模式
| IP | ESP/AH | GRE | IP | Data | 传输模式
配置(old)
ip route 0.0.0.0 0.0.0.0 12.1.1.2
router ospf 100
log-adjacency-changes
network 1.1.1.1 0.0.0.0 area 0
network 10.1.1.1 0.0.0.0 area 0
interface Tunnel0
ip address 10.1.1.1 255.255.255.0
tunnel source 12.1.1.1
tunnel destination 23.1.1.3
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco address 23.1.1.3
crypto ipsec transform-set trans esp-des esp-md5-hmac
mode transport
ip access-list extended ***
permit ip host 12.1.1.1 host 23.1.1.3
crypto map cry-map 10 ipsec-isakmp
set peer 23.1.1.3
set transform-set trans
match address ***
interface FastEthernet0/0
ip address 12.1.1.1 255.255.255.0
cry map cry-map
配置(new)
crypto isakmp policy 10
authentication pre-shara
crypro isakmp key 0 cisco address 23.1.1.3
cryto ipsec trnasfrom-set cisco esp-des esp-md5-hmac
mode transport
crypto ipsec profile ipsecprof
set transfrom-set cisco
int tunnel 0
ip add 10.1.1.1 255.255.255.0
tunnel source 12.1.1.1
tunnel destination 23.1.1.3
tunnel protection ipsec profile ipsecprof
IPsec over GRE
没有实际意义,仅作为原理研究,数据包被封装的过程
数据包先进行ESP/AH封装,在进行GRE封装
R1
int lo 10
ip add 11.1.1.1 255.255.255.0
router os 100
net 11.1.1.1 0.0.0.0 a 0
R2
int lo 0
ip add 33.1.1.1 255.255.255.0
router os 100
network 33.1.1.1 0.0.0.0 a 0
ISAKMP策略
R1:
cryto isa po 10
auth pre
cry isa key 0 cisco add 33.1.1.1
R2
cryto isa po 10
auth pre
cry isa key 0 cisco add 11.1.1.1
ipsec 策略
R1:
cry ipsec tran trans cisco esp-des esp-md5-hmac
R2
cry ipsec tran trans cisco esp-des esp-md5-hmac
感兴趣流
R1:
IP access-list ***
per ip ho 1.1.1.1 ho 4.4.4.4
.....(1-5,1-6,2-4,2-5...)
R1
ip access-list ***
per ip ho 4.4.4.4 ho 1.1.1.1
.....
Crypto MAP
R1:
crypto map cry-map local-add lo 10(改变更新源)
crypto map cry-map 10 ipsec-isa
match address ***
set trnas trans
set peer 33.1.1.1
R1:
crypto map cry-map local-add lo 10(改变更新源)
crypto map cry-map 10 ipsec-isa
match address ***
set trnas trans
set peer 11.1.1.1
在接口上销售
R1
int t 0
cry map cry-map
int F0/0
cry map cry-map<建议运用,能够阻止未加密的感兴趣流进入>
---->R1---->F0/0
|
|_____T0
包处理过程
1.source 1.1.1.1 des 4.4.4.4 到达R1
2.查询路由表 送到Tunnel口
3.撞上Tunnel口的map 匹配上感兴趣流量
4.触发加密
| SIP:11.1.1.1 | | SIP:1.1.1.1 | |
| DIP:33.1.1.3 | ESP | DIP:4.4.4.4 | Data |
5.新包再次查询路由表 送到Tunnel口,由于ip头的修改
没有匹配感兴趣流量,所以直接传出tunnel,进行GRE封装
|SIP 12.1.1.1 | | SIP:11.1.1.1 | | SIP:1.1.1.1 | |
|DIP 23.1.1.3 | GRE | DIP:33.1.1.3 | ESP | DIP:4.4.4.4 | Data |
6.再次查询路由表 送到f0/0接口,转发
GRE over IPsec 与 IPsec over GRE 的比较
GRE over IPsec IPsec over GRE
-------------------------------------------------------------------
| GRE数据在公网传输 | 加密了的数据通过GRE tunnel
理解 | 时是加密的 | 在公网上传输
-------------------------------------------------------------------
封装 | IPsec封装 GRE | GRE封装IPsec
| 整体是IPsec隧道 | 整体是GRE隧道
-------------------------------------------------------------------
ACL定义 | GRE数据量(公网) | 内网数据流
-------------------------------------------------------------------
SetPeer | 对方公网地址 | 对方GRE tunnel地址
-------------------------------------------------------------------
应用端口 | 共网出口 | GRE tunnel
-------------------------------------------------------------------
在ASA上配置GRE over Ipsec ×××
site1---could---ASA--site2
Site1 lo 0 : 172.16.1.1
site1-could: 12.1.1.1/2
could-ASA : 23.1.1.2/3
ASA-site2 : 192.168.1.254/1
ASA
1.初始化接口
int e0/0
nameif outside
ip add 23.1.1.3 255.255.255.0
int e0/1
nameif inside
ip add 192.168.1.254
2.开启crypto isakmp
crypto isakmp enable outside
3.配置ISAKMP策略
crypto isakmp policy 10
此时show run可以看到
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
ASA有一个默认策略编号是65535,和路由器一样如策略没有配置则自动配置为默认策略
因为cisco建议是ASA主要用来做远程访问××× 而在路由器上做L2L ×××
4.配置Key和peer
crypto isakmp key cisco add 12.1.1.1
这条命令在ASA里被转换为
tunnel-group 12.1.1.1 type ipsec-l2l
tunnel-group 12.1.1.1 ipsec-attributes
pre-shared-key *
5.配置感兴趣流量
access-list *** extended permit ip ho 192.168.1.1 ho 172.16.1.1
6.配置转换集
crypto ipsec transform-set trans esp-3des esp-sha-hmac
7.汇总
crypto map cry-map 10 ipsec-isakmp
crypto map cry-map 10 set peer 12.1.1.1
crypto map cry-map 10 set transform-set trans
crypto map cry-map 10 match address ***
8.调用
crypto map cry-map int ouside
此时若是site1 ping site2 开启debug 则会提示
ISAKMP:(0):Notify has no hash. Rejected.
%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 23.1.1.3
策略不相同,但此时两边的策略确实是相同的
解决办法:修改两端的策略 然后再次触发就会建立成功
之所以这里不必写放行策略是因为show run sysopt可以看到
sysopt connection permit-***
这个选项的作用就是×××解密后流量自动放过
也可以no掉之后对流量进行过滤
access-list out per tcp 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0 eq telnet
access-group out in int outside
NAT-T
PAT穿越
AH不支持NAT,ESP只支持一对一的NAT(NAT overload)
为了让经过IPsec封装加密的包经穿越NAT 所以在原始数据包中插入了一个UDP字段
ipsec ***的pat穿越技术有IPsec over TCP,ipsec over UDP ,NAT-T(把esp包封装在udp4500里)
ASA默认没有开启任何穿越技术,但提供对3种技术的支持
路由器只支持NAT-t 并且默认是开启的
封装格式
| IP | UDP |ESP/AH | GRE | IP | Data |
UDP=4500
cisco路由路由默认是开启NAT-T的,而ASA默认没有打开
Cry ipsec Nat-t udp-en
路由器判断是否开启UDP-encapsulation的方法
第一阶段 ISAKMP 交换一、二个包时会附带是否支持NAT-T
然后地三、四个包交换源目ip+源目端口进行哈希
如果hash相等则不开启NAT-T
如果Hash不相等且都支持NAT-T则开启
ISAKMP Profile
IOS 12.3
如果在一台路由器上运行了多种××× 建议使用ISAKMP Profile配置方式
标准配置的缺点
cry isakmp key cisco add 23.1.1.3
是一个全局命令,如果路由器上运行的多种×××,如远程拨号×××做认证时候有可能会拿错
cry map
是对第二阶段进行汇总,与第一阶段没有关系 没有一个贯穿第一个第二阶段的命令
crypto isakmp policy 10
authentication pre-share
!
crypto keyring isakay
pre-shared-key address 12.1.1.1 key cisco
!
crypto isakmp profile isapro
keyring isakay
match identity address 12.1.1.1 255.255.255.255
!
crypto ipsec transform-set trans esp-des esp-md5-hmac
!
crypto map cisco 10 ipsec-isakmp
set peer 12.1.1.1
set transform-set trans
set isakmp-profile isapro
match address ***
Cry map cisco
IPsec Profile(SVTI/Route ×××)
IOS 12.4 与之前的配置不兼容
标准IPsec ×××的缺点
感兴趣流定义复杂,成指数增长
没有接口调用,不支持组播,不能跑动态路由协议
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco address 23.1.1.3
crypto ipsec transform-set trans esp-des esp-md5-hmac
crypto ipsec profile ipsecpro
set transform-set trans
interface Tunnel0
ip address 10.1.1.1 255.255.255.0
tunnel source 12.1.1.1
tunnel destination 23.1.1.3
tunnel mode ipsec ipv4
tunnel protection ipsec profile ipsecpro
router ospf 100
log-adjacency-changes
network 1.1.1.1 0.0.0.0 area 0
network 10.1.1.1 0.0.0.0 area 0
!
ip route 0.0.0.0 0.0.0.0 12.1.1.2
结合ISAKMP Pofile的优点 可以对R3进行配置
crypto keyring key
pre-shared-key address 12.1.1.1 key cisco
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp profile isapro
keyring key
match identity address 12.1.1.1 255.255.255.255
!
!
crypto ipsec transform-set trans esp-des esp-md5-hmac
!
crypto ipsec profile ipsecpro
set transform-set trans
set isakmp-profile isapro
!
interface Loopback0
ip address 3.3.3.3 255.255.255.0
!
interface Tunnel0
ip address 10.1.1.2 255.255.255.0
tunnel source 23.1.1.3
tunnel destination 12.1.1.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile ipsecpro
!
router ospf 100
log-adjacency-changes
network 3.3.3.3 0.0.0.0 area 0
network 10.1.1.2 0.0.0.0 area 0
!
ip route 0.0.0.0 0.0.0.0 23.1.1.2
Crypto Map 对密文或明文流量的处理(接收方)
是否有感兴趣流 是否加密 有无MAP Acticon
N/A 是 有 解密 (正常流量)
是 不 有 Drop
是 不 没有 Forward (正常路由)
N/A 是 没有 解密 (异步路由)
__M_________
| |
R1 R2
|_______M___|
动态 Vs 静态 Crypro MAP
中心有固定IP但分支没有
只有中心机构是cisco设备是才可行,但不建议使用
如果是其他厂商设备只能使用EZ×××
R1 (center)
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set trans esp-des esp-md5-hmac
!
crypto dynamic-map dymap 10
set transform-set trans
!
!
crypto map crymap 1000 ipsec-isakmp dynamic dymap
interface FastEthernet0/0
ip address 12.1.1.1 255.255.255.0
duplex auto
speed auto
crypto map crymap
ip route 0.0.0.0 0.0.0.0 12.1.1.2
RRI(反向路由注入)
DM ××× 高扩展性
EZ ××× 易用性
RRI/Keepalive/HA(链路备份)/Redundancy(设备备份) 高可用性
TOP
------R3---
PC1--R1---cloud-| |---R5--PC2
| |
------R4---
RRI使用场所
R1与R3或R4建立IPsec ×××隧道,实现线路冗余
为了让R5能动态的感知去cloud到R3、R4的链路状况,
这里就不能在R3和R4上使用默认路由来告知PC1的路由
需要使用动态路由协议,使R1或R3建立×××之后会动态的产生一条到达PC1网段的静态路由,
然后将其发布到动态路由进程中
RRI的实现
当R1与R3或R4建立起IPsec ×××,并产生了SA后,就会动态的产生一条到达PC1网段的静态路由
静态路由的格式
目的 感兴趣流的目的 (PC1网段)
下一条 SA的peer (加密点/R1的外网接口)
//下一条必须可达
RRI产生的条件
1.知道对方的加密点 (peer)
2.知道对方的通信点 (access-list的目的)
reverse-route配置
top R1---R2(cloud)---R3---R4
//R1
crypto keyring key
pre-shared-key address 23.1.1.3 key cisco
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp profile isapro
keyring key
match identity address 23.1.1.3 255.255.255.255
!
!
crypto ipsec transform-set trans esp-des esp-md5-hmac
!
!
crypto map crymap 10 ipsec-isakmp
set peer 23.1.1.3
set transform-set trans
set isakmp-profile isapro
match address ***
!
interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
interface FastEthernet0/0
ip address 12.1.1.1 255.255.255.0
duplex auto
speed auto
crypto map crymap
!
ip route 0.0.0.0 0.0.0.0 12.1.1.2
!
ip access-list extended ***
permit ip host 1.1.1.1 3.3.3.0 0.0.0.255
-------------------------------------------------------
//R3
crypto keyring key
pre-shared-key address 12.1.1.1 key cisco
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp profile isapro
keyring key
match identity address 12.1.1.1 255.255.255.255
!
!
crypto ipsec transform-set trans esp-des esp-md5-hmac
!
crypto map crymap 10 ipsec-isakmp
set peer 12.1.1.1
set transform-set trans
set isakmp-profile isapro
match address ***
reverse-route
!
!
!
!
interface FastEthernet0/0
ip address 3.3.3.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 23.1.1.3 255.255.255.0
duplex auto
speed auto
crypto map crymap
!
router ospf 100
log-adjacency-changes
redistribute static subnets
network 3.3.3.1 0.0.0.0 area 0
-----------------------------------------------
reverse-route 参数
reverse-route [ remote-peer | Static | tag (有些版本要使用Set reverse-route tag N)]
remote-peer:设置动态产生的 静态路由下一条地址
Static :根据配置中peer和感兴趣流目的静态产生一条静态路由(路由会一直存在不管有没SA)
Tag :标记,可以使用Route-map 在重分布时对路由进行过滤,仅仅分布动态产生的路由
1.reverse-route tag 10
2.route-map cicso
match tag 10
3.router os 100
redistribute static route-map cisco subnets
×××的ACL
必须放行的流量ISAKMP(UDP:500),ESP/AH,如果有NAT-T还需要放行(UDP:4500)
12.3(8)T之前ACL对×××流量的匹配流程
1.首先检测是否是明文的感兴趣流量(Reverse crypto map ACL/参考之前的“Crypto Map 对密文或明文流量的处理”)
2.检测物理接口进方向的ACL(ISAKMP和ESP/AH)
3.解密后流量继续查询物理接口In方向上的ACL(解密后再匹配)
例:
int f0/0
ip access-group a in
Extended IP access list a
10 permit udp ho 21.1.1.2 h 12.1.1.1 eq isakmp
20 permit esp ho 21.1.1.2 h 12.1.1.1
30 per icmp ho 2.2.2.2 ho 1.1.1.1
Extended IP access list ***
10 permit ip host 2.2.2.2 host 1.1.1.1
12.3(8)T之后ACL对×××流量的匹配流程
1.首先检测是否是明文的感兴趣流量
2.检测物理接口进方向的ACL(ISAKMP和ESP/AH)
3.解密后再匹配Crypto map下的ACL(只对解密后流量进行匹配)
如果没有配置则表示放行所有
例:
R2(config-crypto-map)#set ip access-group acl in
int f0/0
ip access-group a in
Extended IP access list a
10 permit esp host 12.1.1.1 host 21.1.1.2
20 permit udp host 12.1.1.1 host 21.1.1.2 eq isakmp
Extended IP access list acl
10 permit icmp host 1.1.1.1 host 2.2.2.2
Extended IP access list ***
10 permit ip host 2.2.2.2 host 1.1.1.1
ISAKMP Keeplive
探测当前IPSEC SA是否可用
Keeplive会发送DPD(Dead Peer Detetion),如果发生的DPD包没有回应就意味ipsec SA不可用
Keeplive机制是高可用×××的基础
keeplive需要双方进行协商,需要两边都配置
Crypto isakmp keeplive 10 periodic
keeplive包会周期性的每10s发送一次
Crypto isakmp keeplive 10 (/on-demand 默认)
为了更加节约资源,这里就有一种新的发送机制(on-demand/按需)
怎么样才能确定一个ipsec sa是好的?既有加密也有解密
如果发现我的加密包却没有回来的解密包,这个时候就发生DPD包
虽然有些协议是单向的没有回应包,但我们有10s的等待时间
HA(高可用性)链路备份综合实验
TOP
------R3---
PC1--R1---(R2)cloud-| |---R5--PC2
1.1.1.1 | | 5.5.5.5
------R4---
R1配置
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco address 23.1.1.3
crypto isakmp key cisco address 24.1.1.4
crypto isakmp keepalive 10 periodic
!
!
crypto ipsec transform-set trans esp-des esp-md5-hmac
!
crypto map cry-map 10 ipsec-isakmp
set peer 23.1.1.3 default
set peer 24.1.1.4
set transform-set trans
match address ***
!
!
interface FastEthernet0/0
ip address 12.1.1.1 255.255.255.0
duplex auto
speed auto
crypto map cry-map
!
ip route 0.0.0.0 0.0.0.0 12.1.1.2
!
ip access-list extended ***
permit ip host 1.1.1.1 host 5.5.5.5
R3配置
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco address 12.1.1.1
crypto isakmp keepalive 10 periodic
!
!
crypto ipsec transform-set trans esp-des esp-md5-hmac
!
crypto map cry-map 10 ipsec-isakmp
set peer 12.1.1.1
set transform-set trans
match address ***
reverse-route tag 10
!
!
!
!
interface FastEthernet0/0
ip address 23.1.1.3 255.255.255.0
duplex auto
speed auto
crypto map cry-map
!
interface FastEthernet0/1
ip address 35.1.1.3 255.255.255.0
duplex auto
speed auto
!
router ospf 100
router-id 3.3.3.3
log-adjacency-changes
redistribute static subnets route-map map
network 35.1.1.0 0.0.0.255 area 0
!
ip route 0.0.0.0 0.0.0.0 23.1.1.2
!
!
ip access-list extended ***
permit ip host 5.5.5.5 host 1.1.1.1
!
route-map map permit 10
match tag 10
R4(配置与R3相同)
转载于:https://blog.51cto.com/netpro/299585
4830
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
