至顶网 (ZDNet China) Network Channel: Complete VPN Technology Collection, Volume 2, Chapter 3 (Site-to-Site IPsec VPN)

ESP and AH: IPsec traffic can be encapsulated with either of two protocols, AH and ESP. Comparing the differences between AH and ESP: the function of AH is to provide data origin authentication and integrity protection for IP packets carried between two systems. It is used to check whether a message has been altered in transit from router A to router B. In addition, ...

Author: compiled from forum posts. Source: zdnet network security, 19 January 2008

Keywords: security protection, firewall, VPN


Example:

TED-Initiator router configuration:

TED-Initiator#show running-config
Building configuration...

Current configuration:
version 12.0
service timestamps debug uptime
service timestamps log uptime
hostname TED-Initiator
enable secret 5 <removed>
enable password <removed>
ip subnet-zero
crypto isakmp policy 10
 authentication pre-share

One of the issues with using a preshared key with TED is the need to use a wildcard preshared key, because the peer's address is not known beforehand. A wildcard key is accepted from any peer address, so every router that holds the key can authenticate as any site, and compromise of one router's key exposes all of them. A resolution to this is to use digital-certificate-based digital signatures (RSA signatures) as the authentication method, so that each peer is identified by its certificate rather than by a secret shared with everyone.

crypto isakmp key abc123 address 0.0.0.0
crypto ipsec transform-set ted-transforms esp-des esp-md5-hmac

Note that no peer address has been configured in the dynamic crypto map below; TED will supply it at run time. The esp-des/esp-md5-hmac transform set is what this IOS 12.0 example used; DES and MD5 are obsolete, and a current deployment would use AES with a SHA-2 HMAC.

crypto dynamic-map ted-map 10
 set transform-set ted-transforms
 match address 101

The keyword discover in the crypto map below triggers the use of TED.

crypto map tedtag 10 ipsec-isakmp dynamic ted-map discover
interface Ethernet0/0
 ip address 13.13.13.13 255.255.255.0
 no ip directed-broadcast
 no mop enabled
interface Ethernet0/1
 ip address 11.11.11.1 255.255.255.0
 crypto map tedtag
ip classless
ip route 0.0.0.0 0.0.0.0 11.11.11.2
no ip http server
access-list 101 permit ip 13.13.13.0 0.0.0.255 12.12.12.0 0.0.0.255
access-list 101 permit icmp 13.13.13.0 0.0.0.255 12.12.12.0 0.0.0.255
line con 0
 transport input none
line aux 0
line vty 0 4
 password ww
 login
end

TED-Responder router configuration:

TED-Responder#show running-config
Building configuration...

Current configuration:
version 12.0
service timestamps debug uptime
service timestamps log uptime
hostname TED-Responder
enable secret 5 <removed>
enable password <removed>
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key abc123 address 0.0.0.0
crypto ipsec transform-set ted-transforms esp-des esp-md5-hmac
crypto dynamic-map ted-map 10
 set transform-set ted-transforms
 match address 101
crypto map tedtag 10 ipsec-isakmp dynamic ted-map discover
interface Ethernet0/0
 ip address 12.12.12.12 255.255.255.0
 no ip directed-broadcast
 no mop enabled
interface Ethernet0/1
 ip address 11.11.11.2 255.255.255.0
 crypto map tedtag
ip classless
ip route 0.0.0.0 0.0.0.0 11.11.11.1
no ip http server
access-list 101 permit ip 12.12.12.0 0.0.0.255 13.13.13.0 0.0.0.255
access-list 101 permit icmp 12.12.12.0 0.0.0.255 13.13.13.0 0.0.0.255
line con 0
 transport input none
line aux 0
line vty 0 4
 password ww
 login
no scheduler allocate
end
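As an added example, not part of the original article and not Cisco code, here is a small audit script that flags in the two configurations above the points a reviewer would raise: the wildcard pre-shared key, the esp-des/esp-md5-hmac transform set, the ISAKMP policy that silently defaults to DES-CBC and DH group 1 (the debug output later on the page confirms those defaults), the TED discover keyword, and the cleartext enable and VTY passwords. The finding codes, the regular expressions and the WEAK_TRANSFORMS table are this example's own; the embedded config is the TED-Initiator running-config from the page, trimmed to the lines the audit inspects.

```python
import re

# Constructed input: the TED-Initiator running-config from the page, trimmed
# to the lines this audit inspects.
SAMPLE_CONFIG = """\
version 12.0
hostname TED-Initiator
enable secret 5 <removed>
enable password <removed>
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key abc123 address 0.0.0.0
crypto ipsec transform-set ted-transforms esp-des esp-md5-hmac
crypto dynamic-map ted-map 10
 set transform-set ted-transforms
 match address 101
crypto map tedtag 10 ipsec-isakmp dynamic ted-map discover
interface Ethernet0/1
 ip address 11.11.11.1 255.255.255.0
 crypto map tedtag
access-list 101 permit ip 13.13.13.0 0.0.0.255 12.12.12.0 0.0.0.255
line vty 0 4
 password ww
 login
end
"""

# IPsec transforms a current deployment should no longer negotiate
# (this table is the example's own, not an IOS list).
WEAK_TRANSFORMS = {
    "esp-des": "single DES, 56-bit key",
    "esp-3des": "3DES, 64-bit block (Sweet32)",
    "esp-null": "no encryption",
    "esp-md5-hmac": "HMAC-MD5",
    "ah-md5-hmac": "HMAC-MD5",
}


def _sections(text):
    """Group a running-config into (line_no, command, [(line_no, subcommand)])
    using IOS's one-space indentation for sub-commands."""
    current = None
    for no, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:
                current[2].append((no, raw.strip()))
            continue
        if current is not None:
            yield current
        current = (no, raw.strip(), [])
    if current is not None:
        yield current


def audit_config(text):
    """Return [(line_no, finding_code, detail), ...] for the weaknesses a
    reviewer would flag in an IOS IKEv1/IPsec configuration."""
    findings = []
    for no, cmd, subs in _sections(text):
        # "address 0.0.0.0" (12.0 syntax) or "address 0.0.0.0 0.0.0.0" is a wildcard key.
        m = re.match(r"crypto isakmp key \S+ address (\S+)(?: (\S+))?$", cmd)
        if m and m.group(1) == "0.0.0.0" and m.group(2) in (None, "0.0.0.0"):
            findings.append((no, "wildcard-psk",
                             "one pre-shared key is accepted from any peer address; "
                             "any router holding it can authenticate as any site"))
        m = re.match(r"crypto ipsec transform-set \S+ (.+)$", cmd)
        if m:
            for t in m.group(1).split():
                if t in WEAK_TRANSFORMS:
                    findings.append((no, "weak-transform", f"{t}: {WEAK_TRANSFORMS[t]}"))
        if re.match(r"crypto isakmp policy \d+$", cmd):
            keywords = {s.split()[0] for _, s in subs}
            if "encryption" not in keywords:
                findings.append((no, "isakmp-default-encryption",
                                 "no 'encryption' in policy; IOS defaults to DES-CBC"))
            if "group" not in keywords:
                findings.append((no, "isakmp-default-group",
                                 "no 'group' in policy; IOS defaults to DH group 1 (768-bit MODP)"))
        if re.match(r"crypto map \S+ \d+ ipsec-isakmp dynamic \S+ discover$", cmd):
            findings.append((no, "ted-discover",
                             "TED: the peer is learned from an unauthenticated probe reply; "
                             "only IKE authentication (here the wildcard key) binds it"))
        if cmd.startswith("enable password "):
            findings.append((no, "cleartext-enable-password",
                             "'enable password' is reversible; keep only 'enable secret'"))
        if cmd.startswith("line vty"):
            for sno, s in subs:
                if re.match(r"password (?!7 )", s):  # type 0, not even type 7
                    findings.append((sno, "vty-cleartext-password",
                                     "VTY login password stored in the clear"))
    return findings


if __name__ == "__main__":
    for line_no, code, detail in audit_config(SAMPLE_CONFIG):
        print(f"line {line_no}: {code}: {detail}")
```

Run against the TED-Responder config the findings are identical, which is the point: with a wildcard key, both ends are interchangeable to anyone who has abc123.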

Debug output on the TED-Initiator router:

TED-Initiator#show debug
Cryptographic Subsystem:
  Crypto ISAKMP debugging is on
  Crypto Engine debugging is on
  Crypto IPSEC debugging is on
TED-Initiator#

The TED process has started. The proxy IDs are shown in the message below.

01:33:56: IPSEC(tunnel discover request): ,
  (key eng. msg.) src= 13.13.13.14, dest= 12.12.12.13,
    src_proxy= 13.13.13.0/255.255.255.0/0/0 (type=4),
    dest_proxy= 11.11.11.1/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-des esp-md5-hmac ,
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4044
01:33:56: GOT A PEER DISCOVERY MESSAGE FROM THE SA MANAGER!!!
01:33:56: src = 13.13.13.14 to 12.12.12.13, protocol 3, transform 2, hmac 1

The TED process below determines which address is the source address in the TED packet and which addresses are the proxy IDs.

01:33:56: proxy source is 13.13.13.0     /255.255.255.0   and my address (not used now) is 11.11.11.1
01:33:56: ISAKMP (1): ID payload
        next-payload : 5
        type         : 1
        protocol     : 17
        port         : 500
        length       : 8
01:33:56: ISAKMP (1): Total payload length: 12

The initiator determines below that the first ID payload will be its own IP address, 11.11.11.1, and that the second ID payload carries its source IPsec proxy, 13.13.13.0/24.

01:33:56: 1st ID is 11.11.11.1
01:33:56: 2nd ID is 13.13.13.0     /255.255.255.0
01:33:56: ISAKMP (0:1): beginning peer discovery exchange

The TED probe is being sent to the destination IP address found in the original packet that was received on the initiator and that matched the IPsec interesting traffic access list.

01:33:56: ISAKMP (1): sending packet to 12.12.12.13 (I) PEER_DISCOVERY

The probe is answered from 12.12.12.13: the responder router intercepts the probe on its way to that address and replies, so the reply's IP source is the original destination, while the responder's own address is carried inside the ID payload of the reply.

01:33:56: ISAKMP (1): received packet from 12.12.12.13 (I) PEER_DISCOVERY

Upon processing the vendor ID payload, the initiator ascertains that the responder does indeed understand what was sent to it.

01:33:56: ISAKMP (0:1): processing vendor id payload
01:33:56: ISAKMP (0:1): speaking to another IOS box!
01:33:56: ISAKMP (0:1): processing ID payload. message ID = 0

The responder's IP address is carried in the ID payload; it is 11.11.11.2.

01:33:56: ISAKMP (0:1): processing ID payload. message ID = 1168952014

Upon looking at the ID payload sent by the responder, the initiator finds that the responder's proxy ID indeed matches the proxy configured on itself.

01:33:56: ISAKMP (1): ID_IPV4_ADDR_SUBNET dst 12.12.12.0/255.255.255.0 prot 0 port 0
01:33:56: ISAKMP (1): received response to my peer discovery probe!

Normal IKE processing (main mode, then quick mode) now starts toward the IP address discovered through TED.

01:33:56: ISAKMP: initiating IKE to 11.11.11.2 in response to probe.
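The discovery exchange the debug above walks through, modeled in Python as an added example (not Cisco code and not part of the original article). The initiator matches the outbound packet against its interesting-traffic ACL, sends a probe to the packet's real destination carrying its own address and its source proxy, and a router on the path whose ACL mirrors that proxy answers with its own address and proxy; the initiator then starts IKE with the address from the reply. The two ACLs and the two router addresses are the page's; the "Transit" router at 11.11.11.3, which protects an unrelated subnet and must ignore the probe, is a hypothetical addition, as are the wildcard_to_network, parse_ace, TedRouter and discover names.

```python
from ipaddress import IPv4Address, IPv4Network


def wildcard_to_network(addr, wildcard):
    """Cisco address + wildcard mask -> IPv4Network.  Wildcard bits set to 0
    must match, so 13.13.13.0 0.0.0.255 is 13.13.13.0/24 and a wildcard of
    0.0.0.0 is a single host (/32)."""
    wild = int(IPv4Address(wildcard))
    if wild & (wild + 1):
        raise ValueError(f"non-contiguous wildcard mask {wildcard} not supported")
    return IPv4Network(f"{addr}/{32 - wild.bit_length()}", strict=False)


def parse_ace(line):
    """'access-list N permit ip SRC WILD DST WILD' -> (src_net, dst_net)."""
    p = line.split()
    if p[:1] != ["access-list"] or p[2] != "permit" or p[3] != "ip":
        raise ValueError(f"unsupported ACE: {line}")
    return wildcard_to_network(p[4], p[5]), wildcard_to_network(p[6], p[7])


class TedRouter:
    """A router with a crypto map that has 'discover' and no peer address."""

    def __init__(self, name, address, acl_lines):
        self.name = name
        self.address = IPv4Address(address)
        self.acl = [parse_ace(l) for l in acl_lines]

    def build_probe(self, pkt_src, pkt_dst):
        """Initiator side: the packet matched the crypto map.  The probe goes to
        the packet's real destination (debug: 'sending packet to 12.12.12.13
        (I) PEER_DISCOVERY') and carries two IDs: the router's own address and
        the source proxy, i.e. the ACL source network ('1st ID', '2nd ID')."""
        for src_net, dst_net in self.acl:
            if pkt_src in src_net and pkt_dst in dst_net:
                return {"to": pkt_dst, "ids": (self.address, src_net)}
        return None  # not interesting traffic: no TED, no tunnel

    def answer_probe(self, probe):
        """Responder side: a router forwarding the probe answers only if the
        probe's destination is a network it protects and the initiator's proxy
        lies inside the matching destination network of its own ACL.  The
        reply carries its address and its proxy (debug: ID_IPV4_ADDR_SUBNET
        dst 12.12.12.0/255.255.255.0)."""
        init_addr, init_proxy = probe["ids"]
        for src_net, dst_net in self.acl:
            if probe["to"] in src_net and init_proxy.subnet_of(dst_net):
                return {"to": init_addr, "ids": (self.address, src_net)}
        return None


def discover(initiator, path, pkt_src, pkt_dst):
    """Run one TED exchange along 'path' (routers in forwarding order) and
    return what IKE is started with: (peer, local_proxy, remote_proxy) as
    strings, or None if no router answered the probe."""
    probe = initiator.build_probe(IPv4Address(pkt_src), IPv4Address(pkt_dst))
    if probe is None:
        return None
    for router in path:
        reply = router.answer_probe(probe)
        if reply is not None:
            peer, remote_proxy = reply["ids"]
            return str(peer), str(probe["ids"][1]), str(remote_proxy)
    return None


# Constructed topology: the page's two routers and ACLs plus a hypothetical
# transit router that protects an unrelated subnet.
INITIATOR = TedRouter("TED-Initiator", "11.11.11.1",
    ["access-list 101 permit ip 13.13.13.0 0.0.0.255 12.12.12.0 0.0.0.255"])
RESPONDER = TedRouter("TED-Responder", "11.11.11.2",
    ["access-list 101 permit ip 12.12.12.0 0.0.0.255 13.13.13.0 0.0.0.255"])
TRANSIT = TedRouter("Transit", "11.11.11.3",
    ["access-list 101 permit ip 14.14.14.0 0.0.0.255 13.13.13.0 0.0.0.255"])


def run_example():
    """The packet from the debug: 13.13.13.14 -> 12.12.12.13."""
    return discover(INITIATOR, [TRANSIT, RESPONDER], "13.13.13.14", "12.12.12.13")


if __name__ == "__main__":
    print(run_example())  # ('11.11.11.2', '13.13.13.0/24', '12.12.12.0/24')
```

Nothing in the exchange authenticates the reply: whichever router on the path answers first becomes the candidate peer, and only the IKE main mode that follows binds it. With the wildcard pre-shared key of this example, that binding is possession of abc123, which is why the earlier note recommends certificates when TED is used.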

01:33:56: ISAKMP (2): sending packet to 11.11.11.2 (I) MM_NO_STATE
01:33:56: ISAKMP (0:1): deleting SA
01:33:56: ISAKMP (2): received packet from 11.11.11.2 (I) MM_NO_STATE
01:33:56: ISAKMP (0:2): processing SA payload. message ID = 0
01:33:56: ISAKMP (0:2): Checking ISAKMP transform 1 against priority 10 policy
01:33:56: ISAKMP:      encryption DES-CBC
01:33:56: ISAKMP:      hash SHA
01:33:56: ISAKMP:      default group 1
01:33:56: ISAKMP:      auth pre-share
01:33:56: ISAKMP (0:2): atts are acceptable. Next payload is 0
01:33:56: CryptoEngine0: generate alg parameter
01:33:56: CRYPTO_ENGINE: Dh phase 1 status: 0
01:33:56: CRYPTO_ENGINE: Dh phase 1 status: 0
01:33:56: ISAKMP (0:2): SA is doing pre-shared key authentication
01:33:56: ISAKMP (2): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
01:33:56: ISAKMP (2): sending packet to 11.11.11.2 (I) MM_SA_SETUP
01:33:56: ISAKMP (2): received packet from 11.11.11.2 (I) MM_SA_SETUP
01:33:56: ISAKMP (0:2): processing KE payload. message ID = 0
01:33:56: CryptoEngine0: generate alg parameter
01:33:57: ISAKMP (0:2): processing NONCE payload. message ID = 0
01:33:57: CryptoEngine0: create ISAKMP SKEYID for conn id 2
01:33:57: ISAKMP (0:2): SKEYID state generated
01:33:57: ISAKMP (0:2): processing vendor id payload
01:33:57: ISAKMP (0:2): speaking to another IOS box!
01:33:57: ISAKMP (2): ID payload
        next-payload : 8
        type         : 1
        protocol     : 17
        port         : 500
        length       : 8
01:33:57: ISAKMP (2): Total payload length: 12
01:33:57: CryptoEngine0: generate hmac context for conn id 2
01:33:57: ISAKMP (2): sending packet to 11.11.11.2 (I) MM_KEY_EXCH
01:33:57: ISAKMP (2): received packet from 11.11.11.2 (I) MM_KEY_EXCH
01:33:57: ISAKMP (0:2): processing ID payload. message ID = 0
01:33:57: ISAKMP (0:2): processing HASH payload. message ID = 0
01:33:57: CryptoEngine0: generate hmac context for conn id 2
01:33:57: ISAKMP (0:2): SA has been authenticated with 11.11.11.2
01:33:57: ISAKMP (0:2): beginning Quick Mode exchange, M-ID of 474637101
01:33:57: CryptoEngine0: clear dh number for conn id 1
01:33:57: IPSEC(key_engine): got a queue event...
01:33:57: IPSEC(spi_response): getting spi 348588451 for SA from 11.11.11.2      to 11.11.11.1      for prot 3
01:33:57: CryptoEngine0: generate hmac context for conn id 2
01:33:57: ISAKMP (2): sending packet to 11.11.11.2 (I) QM_IDLE
01:33:57: ISAKMP (2): received packet from 11.11.11.2 (I) QM_IDLE
01:33:57: CryptoEngine0: generate hmac context for conn id 2
01:33:57: ISAKMP (0:2): processing SA payload. message ID = 474637101
01:33:57: ISAKMP (0:2): Checking IPsec proposal 1
01:33:57: ISAKMP: transform 1, ESP_DES
01:33:57: ISAKMP:   attributes in transform:
01:33:57: ISAKMP:      encaps is 1
01:33:57: ISAKMP:      SA life type in seconds
01:33:57: ISAKMP:      SA life duration (basic) of 3600
01:33:57: ISAKMP:      SA life type in kilobytes
01:33:57: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
01:33:57: ISAKMP:      authenticator is HMAC-MD5
01:33:57: validate proposal 0
01:33:57: ISAKMP (0:2): atts are acceptable.
01:33:57: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= 11.11.11.2, src= 11.11.11.1,
    dest_proxy= 12.12.12.0/255.255.255.0/0/0 (type=4),
    src_proxy= 13.13.13.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-md5-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
01:33:57: validate proposal request 0
01:33:57: ISAKMP (0:2): processing NONCE payload. message ID = 474637101
01:33:57: ISAKMP (0:2): processing ID payload. message ID = 474637101
01:33:57: ISAKMP (0:2): processing ID payload. message ID = 474637101
01:33:57: CryptoEngine0: generate hmac context for conn id 2
01:33:57: ipsec allocate flow 0
01:33:57: ipsec allocate flow 0
01:33:57: ISAKMP (0:2): Creating IPsec SAs
01:33:57:         inbound SA from 11.11.11.2 to 11.11.11.1      (proxy 12.12.12.0 to 13.13.13.0)
01:33:57:         has spi 348588451 and conn_id 2000 and flags 4
01:33:57:         lifetime of 3600 seconds
01:33:57:         lifetime of 4608000 kilobytes
01:33:57:         outbound SA from 11.11.11.1 to 11.11.11.2      (proxy 13.13.13.0 to 12.12.12.0)
01:33:57:         has spi 132187477 and conn_id 2001 and flags 4
01:33:57:         lifetime of 3600 seconds
01:33:57:         lifetime of 4608000 kilobytes
01:33:57: ISAKMP (2): sending packet to 11.11.11.2 (I) QM_IDLE
01:33:57: ISAKMP (0:2): deleting node 474637101
01:33:57: IPSEC(key_engine): got a queue event...
01:33:57: IPSEC(initialize_sas): ,
  (key eng. msg.) dest= 11.11.11.1, src= 11.11.11.2,
    dest_proxy= 13.13.13.0/255.255.255.0/0/0 (type=4),
    src_proxy= 12.12.12.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-md5-hmac ,
    lifedur= 3600s and 4608000kb,
    spi= 0x14C709A3(348588451), conn_id= 2000, keysize= 0, flags= 0x4
01:33:57: IPSEC(initialize_sas): ,
  (key eng. msg.) src= 11.11.11.1, dest= 11.11.11.2,
    src_proxy= 13.13.13.0/255.255.255.0/0/0 (type=4),
    dest_proxy= 12.12.12.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-md5-hmac ,
    lifedur= 3600s and 4608000kb,
    spi= 0x7E10555(132187477), conn_id= 2001, keysize= 0, flags= 0x4
01:33:57: IPSEC(create_sa): sa created,
  (sa) sa_dest= 11.11.11.1, sa_prot= 50,
    sa_spi= 0x14C709A3(348588451),
    sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2000
01:33:57: IPSEC(create_sa): sa created,
  (sa) sa_dest= 11.11.11.2, sa_prot= 50,
    sa_spi= 0x7E10555(132187477),
    sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2001

show command output on the TED-Initiator router:

TED-Initiator#show crypto ipsec sa
interface: Ethernet0/1
    Crypto map tag: tedtag, local addr. 11.11.11.1

   local  ident (addr/mask/prot/port): (13.13.13.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (12.12.12.0/255.255.255.0/0/0)
   current_peer: 11.11.11.2
     PERMIT, flags={}
    #pkts encaps: 9, #pkts encrypt: 9, #pkts digest 9
    #pkts decaps: 9, #pkts decrypt: 9, #pkts verify 9
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 11.11.11.1, remote crypto endpt.: 11.11.11.2
     path mtu 1500, media mtu 1500
     current outbound spi: 7E10555

     inbound esp sas:
      spi: 0x14C709A3(348588451)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2000, flow_id: 1, crypto map: tedtag
        sa timing: remaining key lifetime (k/sec): (4607998/3557)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x7E10555(132187477)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2001, flow_id: 2, crypto map: tedtag
        sa timing: remaining key lifetime (k/sec): (4607998/3557)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:
