Private Networks
VPN
Terminology
data transactions.
secret key?
The easiest method is Diffie-Hellman public key exchange.
negotiation.
The key must be pre-shared with another party before the
primary functions.
First, it selects data flows that need security processing.
Second, it defines the policy for these flows and the crypto peer that traffic needs to go to.
SA.
VPNs
VPN Topologies
Site-to-Site VPNs:
Intranet VPNs connect corporate headquarters, remote offices, and branch offices over a public infrastructure.
Extranet VPNs link customers, suppliers, partners, or communities of interest to a corporate Intranet over a public infrastructure.
[Decision flowchart, GRE tunnel vs. IPsec VPN: User traffic: IP only? No: use GRE tunnel. Yes: Unicast only? No: use GRE tunnel. Yes: use IPsec VPN.]
IPsec
[Figure: IPsec framework choices. IPsec protocol: AH, ESP, ESP + AH. Encryption: DES, 3DES, AES, SEAL. Hash: MD5, SHA. Authentication: PSK, RSA. Diffie-Hellman group: DH1 (768 bits), DH2 (1024 bits), DH5 (1536 bits), DH7 (annotated "Used by AES" in the figure).]
services.
It authenticates the sender of the data. AH operates on protocol number 51. AH supports the HMAC-MD5 and HMAC-SHA-1 algorithms.
Transport mode works well with GRE, because GRE hides the
packet.
The original IP packet is encrypted and then it is encapsulated in another IP packet (IP-in-IP encryption).
implementations.
Key Exchange
hosts, and describe how the peers will use IPsec security services to protect network traffic. SAs contain all the security parameters needed to securely transport packets between the peers or hosts, and practically define the security policy used in IPsec.
2012 Cisco and/or its affiliates. All rights reserved.
Step 1
Step 2: IKE Phase 1 authenticates IPsec peers and negotiates IKE SAs to create a secure communications channel for negotiating IPsec SAs in Phase 2.
Step 3: IKE Phase 2 negotiates IPsec SA parameters and creates matching IPsec SAs in the peers to protect data and messages exchanged between endpoints.
Step 4: Data transfer occurs between IPsec peers based on the IPsec parameters and keys stored in the SA database.
Step 5
DH Key Exchange
Peer Authentication
IPsec Negotiation
Security Associations
IPsec Session
Tunnel Termination
IPsec Tasks
AH-HMAC-MD5 transform
AH-HMAC-SHA transform
ESP transform using 3DES(EDE) cipher (168 bits)
ESP transform using DES cipher (56 bits)
ESP transform using HMAC-MD5 auth
ESP transform using HMAC-SHA auth
ESP transform w/o cipher
Note: esp-md5-hmac and esp-sha-hmac provide more data integrity. They are compatible with NAT/PAT and are used more frequently than ah-md5-hmac and ah-sha-hmac.
show
RouterA# show crypto isakmp policy
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys)
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman Group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
RouterA(config)# access-list 110 permit tcp 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
RouterB(config)# access-list 110 permit tcp 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
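As an added example (not from the original slides) of how the pieces on this page fit together on RouterA: the ISAKMP policy replaces the DES, group 1 defaults shown in the show crypto isakmp policy output with AES, SHA and DH group 5; the transform set uses ESP with HMAC-SHA rather than AH, in line with the NAT/PAT note; and the crypto map ties access-list 110 to the peer 172.30.2.2. The pre-shared key is a placeholder, and the names VPN-MAP and AES-SHA and the choice of Ethernet0/1 as the outside interface are assumptions.

```cisco
! IKE Phase 1 (ISAKMP) policy: overrides the default suite of DES / SHA / RSA signatures / DH group 1
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 5
 lifetime 86400
!
! Pre-shared key for the peer (placeholder value; never commit a real key to a document)
crypto isakmp key REPLACE_WITH_PSK address 172.30.2.2
!
! IKE Phase 2 transform set: ESP gives confidentiality (AES) and integrity (HMAC-SHA),
! and unlike AH it survives NAT/PAT on the path
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
 mode tunnel
!
! Crypto ACL from this page: the "interesting" traffic that must be protected
access-list 110 permit tcp 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
!
! Crypto map: selects the flows (match address), names the peer and the transform set
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 172.30.2.2
 set transform-set AES-SHA
 match address 110
!
! Apply the crypto map to the outside interface (interface assumed from the topology labels)
interface Ethernet0/1
 crypto map VPN-MAP
```

RouterB mirrors this configuration with 172.30.1.2 as the peer and the reversed access-list 110 shown above; once interesting traffic flows, show crypto isakmp sa should report the Phase 1 SA in state QM_IDLE.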
[Topology figure: RouterA E0/1 172.30.1.2 and RouterB E0/1 172.30.2.2]

dst             src             state          conn-id    slot
172.30.2.2      172.30.1.2      QM_IDLE        47         5