××× 筆記(持續更新中。。)
加密歷史
以前:安全的算法
現代:安全的密鑰
解密:最好的方法從密鑰管理和密鑰分發中尋找機會,
而不是從算法本身入手
因此,一個密碼系統的成功與否的關鍵是密鑰的生成,分發,管理
加密安全
不存在絕對的安全一樣有
加密方法的健壯度是由其複雜度在決定的
用“計算安全”來量度一個現代加密系統的安全程度
兩種加密模式:流加密和塊加密
對稱加密算法的特點
優點 速度快
安全
密文緊湊
缺點 密鑰的傳輸和管理
密鑰數目指數整張
不支持數字簽名和不可否認性
非對稱加密算法的缺點
優點 安全
密鑰管理安全,方便
支持數字簽名和不可否認性
缺點 速度慢
密文便很長
Hmac(密鑰化散列)
KEY+Date+Hash=Key+data+hash
數字簽名
|data+公鑰|+Hash
單純的數字簽名不能完成身份驗證,必須結合證書
證書
保證公鑰對應個身份
=格式化個公鑰
包含姓名、地址、組織、公鑰、有效期、認證機構數字簽名
完整解決方案SSL
A--->B
A--證書+A公鑰-->B
--共享密鑰+A公鑰--密文-----\ -明文+Hash-
| \ | |--驗證
B-|--明文+hash+B私鑰---數字簽名------>A----Hash---
| / | |
---------------B公鑰+證書--/ ----B公鑰
B--->共享密鑰+data-->密文-----A---->共享密鑰---->明文
---------------------------------------------------------
各種×××技術的比較
目前已經投入實際當中使用的×××技術包括IPSec ×××、SSL ×××、MPLS ×××。
這三種×××技術各有特色、各有所長。目前國外主要廠商對SSL ×××技術、MPLS ×××技術發展相對比較重視發展較快,
但是目前應用最爲廣泛,技術最爲成熟的仍然是IPSec ×××技術。
IPSec協議是網絡層協議, 是爲保障IP通信而提供的一系列協議族。
SSL是套接層協議,它是保障在Internet上基於Web的通信的安全而提供的協議。
以標籤交換是作爲底層轉發機制的MPLS(MultiProtocol Label Switching,多協議標記交換)×××。
1.IPSec針對數據在通過公共網絡時的數據完整性、安全性和合法性等問題設計了一整套隧道、
加密和認證方案。IPSec能爲IPv4/IPv6網絡提供能共同操作/使用的、高品質的、基於加密的安全機制。
提供包括存取控制、無連接數據的完整性、數據源認證、防止重發***、基於加密的數據機密性和受限數據流的機密性服務。
2.SSL用公鑰加密通過SSL連接傳輸的數據來工作。SSL是一種高層安全協議,建立在應用層上。
SSL ×××使用SSL協議和代理爲終端用戶提供HrrP、客戶機/服務器和共享的文件資源的訪問認證和訪問安全SSL ×××傳遞用戶層的認證。確保只有通過安全策略認證的用戶可以訪問指定的資源。
3.MPLS是一個可以在多種第二層媒質上進行標記交換的網絡技術。
不論什麼格式的數據均可以第三層的路由在網絡的邊緣實施,而在MPLS的網絡核心採用第二層交換,
因此可以用一句話概括MPLS的特點:“邊緣路由,核心交換”
IPsec基本概念
源於IPv6
網絡層加密
IPsec框架
加密 :DES、3DES、AES、RSA
HASH :SHA-1、md5
封裝方式:ESP、AH
認證方式:Pre-key,數字證書
| IP | IPSEC Header | TCP | FTP | Date |
-----------------
|
加密
兩種模型
L2L/Remote Access
兩種模式
tunnel/Transport
Tunnel :通信點不等於加密點
| NIP | ESP/AH | IP | DATA |
Transport :通信點=加密點
| IP | ESP/AH | DATA |
L2L/Remote Access用Tunnel封裝模式
Pc--Pc和GRE over IPsec用Transport封裝模式
SA(安全關聯)
構成IPsec的基礎
SA是兩個通信實體經協商建立起來的一種協定。
它決定了用來保護數據包的IPsec
協議(ESP/AH)、轉碼方式(加密/Hash)、密鑰、密鑰有效時間
SADB(SA數據庫)
SA是單向的與協議相關的
SPD(安全策略數據庫)
丟棄,繞過,應用
IPsec的組成部分
ESP(封裝安全負載)
AH(認證頭部)
IKE(網絡密鑰交換)
ESP
協議號:50
私密性,數據完整性,源認證,抵禦重放***
| IP | ESP header | TCP | Data | ESP auth |
------------加密----
---------驗證-------------
ESP包結構(tunnel mode)
IP header
SPI---------------------------
sequence number |
--IV |
加 | IP header | 認證
密 | TCP header |
| Date |
--Pad+pad length+next header----
Authentication data
明文=SPI(在SADB中找到相應策略)+序列號(防重放)
ESP auth=Hmac(96bit)
ESP處理流程
出方向(傳輸模式)
1.插入ESP頭部並填充相應字段
2.選擇SA進行加密
3.Hash 插入ESP尾部
4.重算IP頭部校驗和
入方向
1.檢查SA是否存在
2.序列號是否有效
3.數據包完整性和源驗證
4.解密
5.有效性驗證(模式是否匹配)
6.傳送模式(查詢路由表 轉發)
對分片的處理:默認 先分片再加密
AH(Authentication Header)
AH 協議號:51
不支持加密
不支持NAT
IKE
負責在兩個IPSec對等體間協商一條IPsec隧道的協議
協商協議參數
交換公共密鑰
對雙方進行認證
在交換後對密鑰進行管理
IKE三個組成部分(混合協議)
SKEME:(定義一種密鑰交換方式)
Oakley:(對多模式的支持,例如對新加密技術,並沒有具體定義交換信息)
ISAKMP:定義了消息交換的體系結構,包括兩個IPsec對等體間分組形式和狀態
(定義封裝格式和協商包交換個方式)
三個模式
主模式,主動模式,快速模式
主動模式:預共享密鑰的遠程撥號×××(降低PC的資源消耗)
主IKE 1階段1-2個數據包模式:其餘所有
---------------------------------------------------------
Phase 1 SA(ISAKMP SA/雙向):用於認證(吃飯)
主模式(6個包) 主動模式(3個包)
| |
| |
----------------------------
| 新的IPsec隧道或者rekey
----------------------------
Phase 2 SA (IPSEC SA) Phase 2 SA (IPSEC SA/單向) (籤合同)
快速模式(3個包) 快速模式
| |
A<---受保護的數據--->B c<---受保護的數據--->d
----------------------------------------------------------
第一階段:認證
第二階段:協商具體流量的處理辦法
IKE 1階段主模式第1-2個數據包(明文)
交換IP地址(設置對端)和策略(認證方式、HASH認證、加密5-9個包,DH組,Key life)
發送方將自己的策略全部交給接收方,接收方根據序號匹配自己的策略,然後將相同的策略交給發送方
IKE 1階段主模式第3-4個數據包(明文)
交換DH公共值
IKE 1階段主模式第5-6個數據包(密文)
雙方認證初始化設備
IKE 1階段主動模式第1-2個數據包(明文)
=主模式1-6個包,但認證的信息是通過hash明文顯示
IKE 1階段主動模式第3個數據包
確認
IKE 2階段快速模式3個數據包
基於感興趣流
1.提交發送方對實際流量處理策略
2.接受方匹配並返回策略
3.確認
IPsec ××× 標準配置
R1-----R2-----R3
R1--R2:12.1.1.1/2
R2--R3:23.1.1.2/3
R1 lo 0:1.1.1.1
R3 lo 0:3.3.3.3
1.開啓crypto isakmp
crypto isakmp enable
2.定義第一階段策略
cry isakmp po 10
默認策略爲
R1#show crypto isakmp policy
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
只有當配置和默認策略不相同是纔會顯示出啦
3.定義預共享密鑰和peer
cry isa key 0 cisco add 23.1.1.3
(這裏的key僅用於認證,加密使用的是DH產生的隨機數)
4.定義感興趣流
ip access-l EX ×××
per ip ho 1.1.1.1 ho 3.3.3.3
5.定義轉換集(第二階段策略)
cry ipsec transform-set trans esp-3des esp-sha-hmac
mode tunnel/transport
(這裏的模式可以不用設置,因爲只有條件(加密點=通信點)達到是纔會使用傳輸模式)
6.彙總
cry map ×××-1 10 ipsec-isakmp
match add ***
set transform-set trans
set peer 23.1.1.3
7.在接口上調用
int f0/0
cry map ***-1
8.檢查
show cry engine connections acticve
Crypto Engine Connections
ID Interface Type Algorithm Encrypt Decrypt IP-Address
1 Fa0/1 IPsec 3DES+SHA 0 4 23.1.1.3
2 Fa0/1 IPsec 3DES+SHA 4 0 23.1.1.
show cry isakmp sa
show cry ipsec sa
9.清除(兩邊都要清除)
clear cry isa 默認1天
clear cry sa 默認1小時
Debug IPsec ×××建立過程
---------------------------------------------------------------------------------------------------
Apr 14 10:27:00.923: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 12.1.1.1, remote= 23.1.1.3,
local_proxy= 1.1.1.1/255.255.255.255/0/0 (type=1),
remote_proxy= 3.3.3.3/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= NONE (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Apr 14 10:27:00.931: ISAKMP:(0): SA request profile is (NULL)
Apr 14 10:27:00.935: ISAKMP: Created a peer struct for 23.1.1.3, peer port 500
Apr 14 10:27:00.935: ISAKMP: New peer created peer = 0x63F335E8 peer_handle = 0x80000003
Apr 14 10:27:00.935: ISAKMP: Locking peer struct 0x63F335E8, refcount 1 for isakmp_initiator
Apr 14 10:27:00.935: ISAKMP: local port 500, remote port 500
Apr 14 10:27:00.939: ISAKMP: set new node 0 to QM_IDLE
Apr 14 10:27:00.939: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 63F38D24
Apr 14 10:27:00.939: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Apr 14 10:27:00.939: ISAKMP:(0):found peer pre-shared key matching 23.1.1.3
Apr 14 10:27:00.943: ISAKMP:(0): constructed NAT-T vendor-07 ID
Apr 14 10:27:00.943: ISAKMP:(0): constructed NAT-T vendor-03 ID
Apr 14 10:27:00.947: ISAKMP:(0): constructed NAT-T vendor-02 ID
Apr 14 10:27:00.947: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Apr 14 10:27:00.947: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
Apr 14 10:27:00.947: ISAKMP:(0): beginning Main Mode exchange
Apr 14 10:27:00.951: ISAKMP:(0): sending packet to 23.1.1.3 my_port 500 peer_port 500 (I) MM_NO_STATE //第1個包
Apr 14 10:27:00.951: ISAKMP:(0):Sending an IKE IPv4 Packet.
Apr 14 10:27:01.487: ISAKMP (0:0): received packet from 23.1.1.3 dport 500 sport 500 Global (I) MM_NO_STATE //第2個包
Apr 14 10:27:01.491: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Apr 14 10:27:01.491: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
Apr 14 10:27:01.495: ISAKMP:(0): processing SA payload. message ID = 0
Apr 14 10:27.:01.495: ISAKMP:(0): processing vendor id payload
Apr 14 10:27:01.495: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
Apr 14 10:27:01.499: ISAKMP (0:0): vendor ID is NAT-T v7
Apr 14 10:27:01.499: ISAKMP:(0):found peer pre-shared key matching 23.1.1.3
Apr 14 10:27:01.499: ISAKMP:(0): local preshared key found
Apr 14 10:27:01.499: ISAKMP : Scanning profiles for xauth ...
Apr 14 10:27:01.503: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
Apr 14 10:27:01.503: ISAKMP: encryption AES-CBC
Apr 14 10:27:01.503: ISAKMP: keylength of 128
Apr 14 10:27:01.503: ISAKMP: hash SHA
Apr 14 10:27:01.503: ISAKMP: default group 2
Apr 14 10:27:01.503: ISAKMP: auth pre-share
Apr 14 10:27:01.507: ISAKMP: life type in seconds
Apr 14 10:27:01.507: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Apr 14 10:27:01.507: ISAKMP:(0):atts are acceptable. Next payload is 0 //1-2個包成功
Apr 14 10:27:01.511: ISAKMP:(0): processing vendor id payload
Apr 14 10:27:01.511: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
Apr 14 10:27:01.511: ISAKMP (0:0): vendor ID is NAT-T v7
Apr 14 10:27:01.515: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Apr 14 10:27:01.515: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
Apr 14 10:27:01.523: ISAKMP:(0): sending packet to 23.1.1.3 my_port 500 peer_port 500 (I) MM_SA_SETUP //第3個包
Apr 14 10:27:01.523: ISAKMP:(0):Sending an IKE IPv4 Packet.
Apr 14 10:27:01.527: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Apr 14 10:27:01.527: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
Apr 14 10:27:02.119: ISAKMP (0:0): received packet from 23.1.1.3 dport 500 sport 500 Global (I) MM_SA_SETUP //第4個包
Apr 14 10:27:02.123: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Apr 14 10:27:02.123: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
Apr 14 10:27:02.131: ISAKMP:(0): processing KE payload. message ID = 0
Apr 14 10:27:02.239: ISAKMP:(0): processing NONCE payload. message ID = 0
Apr 14 10:27:02.243: ISAKMP:(0):found peer pre-shared key matching 23.1.1.3
Apr 14 10:27:02.247: ISAKMP:(1002): processing vendor id payload
Apr 14 10:27:02.247: ISAKMP:(1002): vendor ID is Unity
Apr 14 10:27:02.251: ISAKMP:(1002): processing vendor id payload
Apr 14 10:27:02.251: ISAKMP:(1002): vendor ID is DPD
Apr 14 10:27:02.251: ISAKMP:(1002): processing vendor id payload
Apr 14 10:27:02.255: ISAKMP:(1002): speaking to another IOS box!
Apr 14 10:27:02.255: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Apr 14 10:27:02.255: ISAKMP:(1002):Old State = IKE_I_MM4 New State = IKE_I_MM4
Apr 14 10:27:02.263: ISAKMP:(1002):Send initial contact
Apr 14 10:27:02.263: ISAKMP:(1002):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Apr 14 10:27:02.263: ISAKMP (0:1002): ID payload
next-payload : 8
type : 1
address : 12.1.1.1
protocol : 17
port : 500
length :12
Apr 14 10:27:02.267: ISAKMP:(1002):Total payload length: 12
Apr 14 10:27:02.271: ISAKMP:(1002): sending packet to 23.1.1.3 my_port 500 peer_port 500 (I) MM_KEY_EXCH //第5個包
Apr 14 10:27:02.271: ISAKMP:(1002):Sending an IKE IPv4 Packet.
Apr 14 10:27:02.275: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Apr 14 10:27:02.275: ISAKMP:(1002):Old State = IKE_I_MM4 New State = IKE_I_MM5
Apr 14 10:27:02.883: ISAKMP (0:1002): received packet from 23.1.1.3 dport 500 sport 500 Global (I) MM_KEY_EXCH //第6個包
Apr 14 10:27:02.887: ISAKMP:(1002): processing ID payload. message ID = 0
Apr 14 10:27:02.887: ISAKMP (0:1002): ID payload
next-payload : 8
type : 1
address : 23.1.1.3
protocol : 17
port : 500
length : 12
Apr 14 10:27:02.887: ISAKMP:(0):: peer matches *none* of the profiles
Apr 14 10:27:02.891: ISAKMP:(1002): processing HASH payload. message ID = 0
Apr 14 10:27:02.891: ISAKMP:(1002):SA authentication status:
authenticated
Apr 14 10:27:02.895: ISAKMP:(1002):SA has been authenticated with 23.1.1.3 //第一階段完成
Apr 14 10:27:02.895: ISAKMP: Trying to insert a peer 12.1.1.1/23.1.1.3/500/, and inserted successfully 63F335E8.
Apr 14 10:27:02.895: ISAKMP:(1002):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Apr 14 10:27:02.899: ISAKMP:(1002):Old State = IKE_I_MM5 New State = IKE_I_MM6
Apr 14 10:27:02.903: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Apr 14 10:27:02.903: ISAKMP:(1002):Old State = IKE_I_MM6 New State = IKE_I_MM6
Apr 14 10:27:02.911: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Apr 14 10:27:02.911: ISAKMP:(1002):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
Apr 14 10:27:02.915: ISAKMP:(1002):beginning Quick Mode exchange, M-ID of 2121302861
Apr 14 10:27:02.919: ISAKMP:(1002):QM Initiator gets spi
Apr 14 10:27:02.923: ISAKMP:(1002): sending packet to 23.1.1.3 my_port 500 peer_port 500 (I) QM_IDLE //第7個包
Apr 14 10:27:02.923: ISAKMP:(1002):Sending an IKE IPv4
R1#Packet.
Apr 14 10:27:02.927: ISAKMP:(1002):Node 2121302861, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Apr 14 10:27:02.927: ISAKMP:(1002):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
Apr 14 10:27:02.927: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Apr 14 10:27:02.931: ISAKMP:(1002):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Apr 14 10:27:03.331: ISAKMP (0:1002): received packet from 23.1.1.3 dport 500 sport 500 Global (I) QM_IDLE //第8個包
Apr 14 10:27:03.335: ISAKMP:(1002): processing HASH payload. message ID = 2121302861
Apr 14 10:27:03.335: ISAKMP:(1002): processing SA payload. message ID = 2121302861
Apr 14 10:27:03.335: ISAKMP:(1002):Checking IPSec proposal 1
Apr 14 10:27:03.339: ISAKMP: transform 1, ESP_3DES
Apr 14 10:27:03.339: ISAKMP: attributes in transform:
Apr 14 10:27:03.339: ISAKMP: encaps is 1 (Tunnel)
Apr 14 10:27:03.339: ISAKMP: SA life type in seconds
Apr 14 10:27:03.339: ISAKMP: SA life duration (basic) of
R1#3600
Apr 14 10:27:03.339: ISAKMP: SA life type in kilobytes
Apr 14 10:27:03.343: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
Apr 14 10:27:03.343: ISAKMP: authenticator is HMAC-SHA
Apr 14 10:27:03.343: ISAKMP:(1002):atts are acceptable. //7-8協商完成
Apr 14 10:27:03.347: IPSEC(validate_proposal_request): proposal part #1
Apr 14 10:27:03.347: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 12.1.1.1, remote= 23.1.1.3,
local_proxy= 1.1.1.1/255.255.255.255/0/0 (type=1),
remote_proxy= 3.3.3.3/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Apr 14 10:27:03.351: Crypto mapdb : proxy_match
src addr : 1.1.1.1
dst addr : 3.3.3.3
protocol : 0
src port : 0
dst port : 0
Apr 14 10:27:03.351: ISAKMP:(1002): processing NONCE payload. message ID = 2121302861
Apr 14 10:27:03.355:
R1#ISAKMP:(1002): processing ID payload. message ID = 2121302861
Apr 14 10:27:03.355: ISAKMP:(1002): processing ID payload. message ID = 2121302861
Apr 14 10:27:03.367: ISAKMP:(1002): Creating IPSec SAs
Apr 14 10:27:03.367: inbound SA from 23.1.1.3 to 12.1.1.1 (f/i) 0/ 0
(proxy 3.3.3.3 to 1.1.1.1)
Apr 14 10:27:03.367: has spi 0x699EB1D4 and conn_id 0
Apr 14 10:27:03.367: lifetime of 3600 seconds
Apr 14 10:27:03.371: lifetime of 4608000 kilobytes
Apr 14 10:27:03.371: outbound SA from 12.1.1.1 to 23.1.1.3 (f/i) 0/0
(proxy 1.1.1.1 to 3.3.3.3)
Apr 14 10:27:03.371: has spi 0x720F5EE8 and conn_id 0
Apr 14 10:27:03.371: lifetime of 3600 seconds
Apr 14 10:27:03.371: lifetime of 4608000 kilobytes
Apr 14 10:27:03.375: ISAKMP:(1002): sending packet to 23.1.1.3 my_port 500 peer_port 500 (I) QM_IDLE //第9個包
Apr 14 10:27:03.375: ISAKMP:(1002):Sending an IKE IPv4 Packet.
Apr 14 10:27:03.379: ISAKMP:(1002):del
R1#eting node 2121302861 error FALSE reason "No Error"
Apr 14 10:27:03.379: ISAKMP:(1002):Node 2121302861, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Apr 14 10:27:03.379: ISAKMP:(1002):Old State = IKE_QM_I_QM1 New State = IKE_QM_PHASE2_COMPLETE
Apr 14 10:27:03.383: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Apr 14 10:27:03.387: Crypto mapdb : proxy_match
src addr : 1.1.1.1
dst addr : 3.3.3.3
protocol : 0
src port : 0
dst port : 0
Apr 14 10:27:03.387: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 23.1.1.3
Apr 14 10:27:03.391: IPSEC(policy_db_add_ident): src 1.1.1.1, dest 3.3.3.3, dest_port 0
Apr 14 10:27:03.391: IPSEC(create_sa): sa created, //SA創建
(sa) sa_dest= 12.1.1.1, sa_proto= 50,
sa_spi= 0x699EB1D4(1772007892),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 3
Apr 14 10:27:03.395: IPSEC(create_sa): sa created,
(sa) sa_dest= 23.1.1.3, sa_proto= 50,
sa_spi= 0x720F5EE8(1913609960)
R1#,
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 4
Apr 14 10:27:03.395: IPSEC(update_current_outbound_sa): updated peer 23.1.1.3 current outbound sa to SPI 720F5EE8
Apr 14 10:27:03.935: ISAKMP:(1001):purging node -224027478
Apr 14 10:27:03.935: ISAKMP:(1001):purging node -1975374832
R1#
Apr 14 10:27:13.939: ISAKMP:(1001):purging SA., sa=63F32D14, delme=63F32D14
---------------------------------------------------------------------------------------------------
傳統IPsec×××的缺點
IPsec ×××不能夠支持加密二層的組播流量,這就意味着不能夠通過IPsec ×××允許動態路由協議
而且不好定義感興趣流
且沒有接口可以調用所以不支持FW和QOS
但是這個限制在12.4之後就消除了。cisco 12.4版本IOS中引入了SVTI(靜態虛擬隧道接口)的技術
GRE(通用路由封裝)
協議號:47
它能很好的封裝組播和二層協議,能夠爲我們的ipsec ×××提供動態路由協議的服務,
但他不提供安全功能
動態路由協議爲我們消除了手動寫靜態路由的煩惱,並且可以動態的探測對方網段是否可達
GRE包格式
| NIP | GRE | IP | Date |
GRE的配置
R1---could---R3
R1--could:12.1.1.1/2
could--R3:23.1.1.2/3
R1 lo 0 :1.1.1.1
R3 lo 0 :3.3.3.3
R1
interface Tunnel0
ip address 10.1.1.1 255.255.255.0
tunnel source 12.1.1.1
tunnel destination 23.1.1.3
R2
interface Tunnel0
ip address 10.1.1.2 255.255.255.0
tunnel source 23.1.1.3
tunnel destination 12.1.1.1
然後我們在R1和R3上指一條默認路由出外網就行了
GRE隧道的抖動
這時我們還可以在R1和R3上運行OSPF
但這裏有一點要注意
不能將物理口宣告到OSPF進程中去,否則會形成遞歸路由,造成GRE隧道的抖動
Apr 15 10:52:01.963: %TUN-5-RECURDOWN: Tunnel0 temporarily disabled due to recursive routing
造成遞歸路由的原因
環境:R1正常宣告,R2將連接外網的物理口宣告到OSPF中去
R2通過Hello包告訴R1,通過tunnel 0可以到達23.1.1.0網段
R1 1.1.1.1有數據包去往R2 3.3.3.3時,首先查看路由表,發現通過tunnel口可以到達
於是封裝GRE報頭
| sou:12.1.1.1 | GRE | sou :1.1.1.1 | ICMP
| des:23.1.1.3 | | des :3.3.3.3 |
如果在正常情況下,R1再次查詢路由表發現沒有到達23.1.1.3的路由於是通過默認路由轉發出去
但此時由於R3將23.1.1.0網段宣告進了OSPF進程,所以R1 從tunnel學到去往23.1.1.3的路由,而起他的優先級高於默認路由
所以會再次經過tunnel進行GRE的封裝
| sou:12.1.1.1 | GRE | sou:12.1.1.1 | GRE | sou :1.1.1.1 | data
| des:23.1.1.3 | | des:23.1.1.3 | | des :3.3.3.3 |
此時再次循環之前的步驟,就在數據包不斷的進行封裝,無法正常轉發
隧道的建立的條件是能到達數據包能到達23.1.1.3,此時隧道無法在繼續建立因而由UP變爲DOWN。
既然沒有隧道OSPF也無法在傳遞路由信息,路由表回到了只有直連跟一條默認路由的狀態。
由於沒有比它優先的OSPF路由存在,那條默認路由在這裏“從獲新生”,GRE又可以通過它來建立隧道,
隧道建立好以後OSPF繼續通過它來學習路由,把學習到的路由放在路由表裏再一次替代那條默認路由導致隧道又由UP變爲DOWN。
如此反覆而出現GRE隧道的抖動。
GER over IPsec
包格式
| IP | ESP/AH | ip | GRE | ip | data | 隧道模式
| IP | ESP/AH | GRE | IP | Data | 傳輸模式
配置(old)
ip route 0.0.0.0 0.0.0.0 12.1.1.2
router ospf 100
log-adjacency-changes
network 1.1.1.1 0.0.0.0 area 0
network 10.1.1.1 0.0.0.0 area 0
interface Tunnel0
ip address 10.1.1.1 255.255.255.0
tunnel source 12.1.1.1
tunnel destination 23.1.1.3
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco address 23.1.1.3
crypto ipsec transform-set trans esp-des esp-md5-hmac
mode transport
ip access-list extended ***
permit ip host 12.1.1.1 host 23.1.1.3
crypto map cry-map 10 ipsec-isakmp
set peer 23.1.1.3
set transform-set trans
match address ***
interface FastEthernet0/0
ip address 12.1.1.1 255.255.255.0
cry map cry-map
配置(new)
crypto isakmp policy 10
authentication pre-shara
crypro isakmp key 0 cisco address 23.1.1.3
cryto ipsec trnasfrom-set cisco esp-des esp-md5-hmac
mode transport
crypto ipsec profile ipsecprof
set transfrom-set cisco
int tunnel 0
ip add 10.1.1.1 255.255.255.0
tunnel source 12.1.1.1
tunnel destination 23.1.1.3
tunnel protection ipsec profile ipsecprof
IPsec over GRE
沒有實際意義,僅作爲原理研究,數據包被封裝的過程
數據包先進行ESP/AH封裝,在進行GRE封裝
R1
int lo 10
ip add 11.1.1.1 255.255.255.0
router os 100
net 11.1.1.1 0.0.0.0 a 0
R2
int lo 0
ip add 33.1.1.1 255.255.255.0
router os 100
network 33.1.1.1 0.0.0.0 a 0
ISAKMP策略
R1:
cryto isa po 10
auth pre
cry isa key 0 cisco add 33.1.1.1
R2
cryto isa po 10
auth pre
cry isa key 0 cisco add 11.1.1.1
ipsec 策略
R1:
cry ipsec tran trans cisco esp-des esp-md5-hmac
R2
cry ipsec tran trans cisco esp-des esp-md5-hmac
感興趣流
R1:
IP access-list ***
per ip ho 1.1.1.1 ho 4.4.4.4
.....(1-5,1-6,2-4,2-5...)
R1
ip access-list ***
per ip ho 4.4.4.4 ho 1.1.1.1
.....
Crypto MAP
R1:
crypto map cry-map local-add lo 10(改變更新源)
crypto map cry-map 10 ipsec-isa
match address ***
set trnas trans
set peer 33.1.1.1
R1:
crypto map cry-map local-add lo 10(改變更新源)
crypto map cry-map 10 ipsec-isa
match address ***
set trnas trans
set peer 11.1.1.1
在接口上銷售
R1
int t 0
cry map cry-map
int F0/0
cry map cry-map<建議運用,能夠阻止未加密的感興趣流進入>
---->R1---->F0/0
|
|_____T0
包處理過程
1.source 1.1.1.1 des 4.4.4.4 到達R1
2.查詢路由表 送到Tunnel口
3.撞上Tunnel口的map 匹配上感興趣流量
4.觸發加密
| SIP:11.1.1.1 | | SIP:1.1.1.1 | |
| DIP:33.1.1.3 | ESP | DIP:4.4.4.4 | Data |
5.新包再次查詢路由表 送到Tunnel口,由於ip頭的修改
沒有匹配感興趣流量,所以直接傳出tunnel,進行GRE封裝
|SIP 12.1.1.1 | | SIP:11.1.1.1 | | SIP:1.1.1.1 | |
|DIP 23.1.1.3 | GRE | DIP:33.1.1.3 | ESP | DIP:4.4.4.4 | Data |
6.再次查詢路由表 送到f0/0接口,轉發
GRE over IPsec 與 IPsec over GRE 的比較
GRE over IPsec IPsec over GRE
-------------------------------------------------------------------
| GRE數據在公網傳輸 | 加密了的數據通過GRE tunnel
理解 | 時是加密的 | 在公網上傳輸
-------------------------------------------------------------------
封裝 | IPsec封裝 GRE | GRE封裝IPsec
| 整體是IPsec隧道 | 整體是GRE隧道
-------------------------------------------------------------------
ACL定義 | GRE數據量(公網) | 內網數據流
-------------------------------------------------------------------
SetPeer | 對方公網地址 | 對方GRE tunnel地址
-------------------------------------------------------------------
應用端口 | 共網出口 | GRE tunnel
-------------------------------------------------------------------
在ASA上配置GRE over Ipsec ×××
site1---could---ASA--site2
Site1 lo 0 : 172.16.1.1
site1-could: 12.1.1.1/2
could-ASA : 23.1.1.2/3
ASA-site2 : 192.168.1.254/1
ASA
1.初始化接口
int e0/0
nameif outside
ip add 23.1.1.3 255.255.255.0
int e0/1
nameif inside
ip add 192.168.1.254
2.開啓crypto isakmp
crypto isakmp enable outside
3.配置ISAKMP策略
crypto isakmp policy 10
此時show run可以看到
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
ASA有一個默認策略編號是65535,和路由器一樣如策略沒有配置則自動配置爲默認策略
因爲cisco建議是ASA主要用來做遠程訪問××× 而在路由器上做L2L ×××
4.配置Key和peer
crypto isakmp key cisco add 12.1.1.1
這條命令在ASA裏被轉換爲
tunnel-group 12.1.1.1 type ipsec-l2l
tunnel-group 12.1.1.1 ipsec-attributes
pre-shared-key *
5.配置感興趣流量
access-list *** extended permit ip ho 192.168.1.1 ho 172.16.1.1
6.配置轉換集
crypto ipsec transform-set trans esp-3des esp-sha-hmac
7.彙總
crypto map cry-map 10 ipsec-isakmp
crypto map cry-map 10 set peer 12.1.1.1
crypto map cry-map 10 set transform-set trans
crypto map cry-map 10 match address ***
8.調用
crypto map cry-map int ouside
此時若是site1 ping site2 開啓debug 則會提示
ISAKMP:(0):Notify has no hash. Rejected.
%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 23.1.1.3
策略不相同,但此時兩邊的策略確實是相同的
解決辦法:修改兩端的策略 然後再次觸發就會建立成功
之所以這裏不必寫放行策略是因爲show run sysopt可以看到
sysopt connection permit-***
這個選項的作用就是×××解密後流量自動放過
也可以no掉之後對流量進行過濾
access-list out per tcp 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0 eq telnet
access-group out in int outside
NAT-T
PAT穿越
AH不支持NAT,ESP只支持一對一的NAT(NAT overload)
爲了讓經過IPsec封裝加密的包經穿越NAT 所以在原始數據包中插入了一個UDP字段
ipsec ***的pat穿越技術有IPsec over TCP,ipsec over UDP ,NAT-T(把esp包封裝在udp4500裏)
ASA默認沒有開啓任何穿越技術,但提供對3種技術的支持
路由器只支持NAT-t 並且默認是開啓的
封裝格式
| IP | UDP |ESP/AH | GRE | IP | Data |
UDP=4500
cisco路由路由默認是開啓NAT-T的,而ASA默認沒有打開
Cry ipsec Nat-t udp-en
路由器判斷是否開啓UDP-encapsulation的方法
第一階段 ISAKMP 交換一、二個包時會附帶是否支持NAT-T
然後地三、四個包交換源目ip+源目端口進行哈希
如果hash相等則不開啓NAT-T
如果Hash不相等且都支持NAT-T則開啓
ISAKMP Profile
IOS 12.3
如果在一臺路由器上運行了多種××× 建議使用ISAKMP Profile配置方式
標準配置的缺點
cry isakmp key cisco add 23.1.1.3
是一個全局命令,如果路由器上運行的多種×××,如遠程撥號×××做認證時候有可能會拿錯
cry map
是對第二階段進行彙總,與第一階段沒有關係 沒有一個貫穿第一個第二階段的命令
crypto isakmp policy 10
authentication pre-share
!
crypto keyring isakay
pre-shared-key address 12.1.1.1 key cisco
!
crypto isakmp profile isapro
keyring isakay
match identity address 12.1.1.1 255.255.255.255
!
crypto ipsec transform-set trans esp-des esp-md5-hmac
!
crypto map cisco 10 ipsec-isakmp
set peer 12.1.1.1
set transform-set trans
set isakmp-profile isapro
match address ***
Cry map cisco
IPsec Profile(SVTI/Route ×××)
IOS 12.4 與之前的配置不兼容
標準IPsec ×××的缺點
感興趣流定義複雜,成指數增長
沒有接口調用,不支持組播,不能跑動態路由協議
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco address 23.1.1.3
crypto ipsec transform-set trans esp-des esp-md5-hmac
crypto ipsec profile ipsecpro
set transform-set trans
interface Tunnel0
ip address 10.1.1.1 255.255.255.0
tunnel source 12.1.1.1
tunnel destination 23.1.1.3
tunnel mode ipsec ipv4
tunnel protection ipsec profile ipsecpro
router ospf 100
log-adjacency-changes
network 1.1.1.1 0.0.0.0 area 0
network 10.1.1.1 0.0.0.0 area 0
!
ip route 0.0.0.0 0.0.0.0 12.1.1.2
結合ISAKMP Pofile的優點 可以對R3進行配置
crypto keyring key
pre-shared-key address 12.1.1.1 key cisco
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp profile isapro
keyring key
match identity address 12.1.1.1 255.255.255.255
!
!
crypto ipsec transform-set trans esp-des esp-md5-hmac
!
crypto ipsec profile ipsecpro
set transform-set trans
set isakmp-profile isapro
!
interface Loopback0
ip address 3.3.3.3 255.255.255.0
!
interface Tunnel0
ip address 10.1.1.2 255.255.255.0
tunnel source 23.1.1.3
tunnel destination 12.1.1.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile ipsecpro
!
router ospf 100
log-adjacency-changes
network 3.3.3.3 0.0.0.0 area 0
network 10.1.1.2 0.0.0.0 area 0
!
ip route 0.0.0.0 0.0.0.0 23.1.1.2
Crypto Map 對密文或明文流量的處理(接收方)
是否有感興趣流 是否加密 有無MAP Acticon
N/A 是 有 解密 (正常流量)
是 不 有 Drop
是 不 沒有 Forward (正常路由)
N/A 是 沒有 解密 (異步路由)
__M_________
| |
R1 R2
|_______M___|
動態 Vs 靜態 Crypro MAP
中心有固定IP但分支沒有
只有中心機構是cisco設備是纔可行,但不建議使用
如果是其他廠商設備只能使用EZ×××
R1 (center)
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set trans esp-des esp-md5-hmac
!
crypto dynamic-map dymap 10
set transform-set trans
!
!
crypto map crymap 1000 ipsec-isakmp dynamic dymap
interface FastEthernet0/0
ip address 12.1.1.1 255.255.255.0
duplex auto
speed auto
crypto map crymap
ip route 0.0.0.0 0.0.0.0 12.1.1.2
RRI(反向路由注入)
DM ××× 高擴展性
EZ ××× 易用性
RRI/Keepalive/HA(鏈路備份)/Redundancy(設備備份) 高可用性
TOP
------R3---
PC1--R1---cloud-| |---R5--PC2
| |
------R4---
RRI使用場所
R1與R3或R4建立IPsec ×××隧道,實現線路冗餘
爲了讓R5能動態的感知去cloud到R3、R4的鏈路狀況,
這裏就不能在R3和R4上使用默認路由來告知PC1的路由
需要使用動態路由協議,使R1或R3建立×××之後會動態的產生一條到達PC1網段的靜態路由,
然後將其發佈到動態路由進程中
RRI的實現
當R1與R3或R4建立起IPsec ×××,併產生了SA後,就會動態的產生一條到達PC1網段的靜態路由
靜態路由的格式
目的 感興趣流的目的 (PC1網段)
下一條 SA的peer (加密點/R1的外網接口)
//下一條必須可達
RRI產生的條件
1.知道對方的加密點 (peer)
2.知道對方的通信點 (access-list的目的)
reverse-route配置
top R1---R2(cloud)---R3---R4
//R1
crypto keyring key
pre-shared-key address 23.1.1.3 key cisco
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp profile isapro
keyring key
match identity address 23.1.1.3 255.255.255.255
!
!
crypto ipsec transform-set trans esp-des esp-md5-hmac
!
!
crypto map crymap 10 ipsec-isakmp
set peer 23.1.1.3
set transform-set trans
set isakmp-profile isapro
match address ***
!
interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
interface FastEthernet0/0
ip address 12.1.1.1 255.255.255.0
duplex auto
speed auto
crypto map crymap
!
ip route 0.0.0.0 0.0.0.0 12.1.1.2
!
ip access-list extended ***
permit ip host 1.1.1.1 3.3.3.0 0.0.0.255
-------------------------------------------------------
//R3
crypto keyring key
pre-shared-key address 12.1.1.1 key cisco
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp profile isapro
keyring key
match identity address 12.1.1.1 255.255.255.255
!
!
crypto ipsec transform-set trans esp-des esp-md5-hmac
!
crypto map crymap 10 ipsec-isakmp
set peer 12.1.1.1
set transform-set trans
set isakmp-profile isapro
match address ***
reverse-route
!
!
!
!
interface FastEthernet0/0
ip address 3.3.3.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 23.1.1.3 255.255.255.0
duplex auto
speed auto
crypto map crymap
!
router ospf 100
log-adjacency-changes
redistribute static subnets
network 3.3.3.1 0.0.0.0 area 0
-----------------------------------------------
reverse-route 參數
reverse-route [ remote-peer | Static | tag (有些版本要使用Set reverse-route tag N)]
remote-peer:設置動態產生的 靜態路由下一條地址
Static :根據配置中peer和感興趣流目的靜態產生一條靜態路由(路由會一直存在不管有沒SA)
Tag :標記,可以使用Route-map 在重分佈時對路由進行過濾,僅僅分佈動態產生的路由
1.reverse-route tag 10
2.route-map cicso
match tag 10
3.router os 100
redistribute static route-map cisco subnets
×××的ACL
必須放行的流量ISAKMP(UDP:500),ESP/AH,如果有NAT-T還需要放行(UDP:4500)
12.3(8)T之前ACL對×××流量的匹配流程
1.首先檢測是否是明文的感興趣流量(Reverse crypto map ACL/參考之前的“Crypto Map 對密文或明文流量的處理”)
2.檢測物理接口進方向的ACL(ISAKMP和ESP/AH)
3.解密後流量繼續查詢物理接口In方向上的ACL(解密後再匹配)
例:
int f0/0
ip access-group a in
Extended IP access list a
10 permit udp ho 21.1.1.2 h 12.1.1.1 eq isakmp
20 permit esp ho 21.1.1.2 h 12.1.1.1
30 per icmp ho 2.2.2.2 ho 1.1.1.1
Extended IP access list ***
10 permit ip host 2.2.2.2 host 1.1.1.1
12.3(8)T之後ACL對×××流量的匹配流程
1.首先檢測是否是明文的感興趣流量
2.檢測物理接口進方向的ACL(ISAKMP和ESP/AH)
3.解密後再匹配Crypto map下的ACL(只對解密後流量進行匹配)
如果沒有配置則表示放行所有
例:
R2(config-crypto-map)#set ip access-group acl in
int f0/0
ip access-group a in
Extended IP access list a
10 permit esp host 12.1.1.1 host 21.1.1.2
20 permit udp host 12.1.1.1 host 21.1.1.2 eq isakmp
Extended IP access list acl
10 permit icmp host 1.1.1.1 host 2.2.2.2
Extended IP access list ***
10 permit ip host 2.2.2.2 host 1.1.1.1
ISAKMP Keeplive
探測當前IPSEC SA是否可用
Keeplive會發送DPD(Dead Peer Detetion),如果發生的DPD包沒有迴應就意味ipsec SA不可用
Keeplive機制是高可用×××的基礎
keeplive需要雙方進行協商,需要兩邊都配置
Crypto isakmp keeplive 10 periodic
keeplive包會週期性的每10s發送一次
Crypto isakmp keeplive 10 (/on-demand 默認)
爲了更加節約資源,這裏就有一種新的發送機制(on-demand/按需)
怎麼樣才能確定一個ipsec sa是好的?既有加密也有解密
如果發現我的加密包卻沒有回來的解密包,這個時候就發生DPD包
雖然有些協議是單向的沒有迴應包,但我們有10s的等待時間
HA(高可用性)鏈路備份綜合實驗
TOP
------R3---
PC1--R1---(R2)cloud-| |---R5--PC2
1.1.1.1 | | 5.5.5.5
------R4---
R1配置
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco address 23.1.1.3
crypto isakmp key cisco address 24.1.1.4
crypto isakmp keepalive 10 periodic
!
!
crypto ipsec transform-set trans esp-des esp-md5-hmac
!
crypto map cry-map 10 ipsec-isakmp
set peer 23.1.1.3 default
set peer 24.1.1.4
set transform-set trans
match address ***
!
!
interface FastEthernet0/0
ip address 12.1.1.1 255.255.255.0
duplex auto
speed auto
crypto map cry-map
!
ip route 0.0.0.0 0.0.0.0 12.1.1.2
!
ip access-list extended ***
permit ip host 1.1.1.1 host 5.5.5.5
R3配置
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco address 12.1.1.1
crypto isakmp keepalive 10 periodic
!
!
crypto ipsec transform-set trans esp-des esp-md5-hmac
!
crypto map cry-map 10 ipsec-isakmp
set peer 12.1.1.1
set transform-set trans
match address ***
reverse-route tag 10
!
!
!
!
interface FastEthernet0/0
ip address 23.1.1.3 255.255.255.0
duplex auto
speed auto
crypto map cry-map
!
interface FastEthernet0/1
ip address 35.1.1.3 255.255.255.0
duplex auto
speed auto
!
router ospf 100
router-id 3.3.3.3
log-adjacency-changes
redistribute static subnets route-map map
network 35.1.1.0 0.0.0.255 area 0
!
ip route 0.0.0.0 0.0.0.0 23.1.1.2
!
!
ip access-list extended ***
permit ip host 5.5.5.5 host 1.1.1.1
!
route-map map permit 10
match tag 10
R4(配置與R3相同)
發表評論
所有評論
還沒有人評論,想成為第一個評論的人麼? 請在上方評論欄輸入並且點擊發布.