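IPsec principles:
1. Compatible with both IPv4 and IPv6.
2. Implements several security services at the IP layer: access control, connectionless integrity, data origin authentication, anti-replay, confidentiality, and limited traffic-flow confidentiality.
3. IPsec security architecture: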
                  Architecture
                   /        \
                  /          \
      +---- ESP protocol    AH protocol ----+
      |          |               |          |
      |     Encryption     Authentication   |
      |     algorithm        algorithm      |
      |          |               |          |
      +----------+------DOI------+----------+
                         |
                  Key management
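4. Protocols:
* AH (Authentication Header)
  Provides data integrity checking and identity authentication for IP packets. The authentication algorithm is specified by the SA, and the coverage is the entire packet.
* ESP (Encapsulating Security Payload)
  Provides confidentiality, data origin authentication, anti-replay and data integrity. The encryption and authentication algorithms are specified by the SA.
5. Key management:
* SA: security association
* ISAKMP defines the key management framework
IKE is the key exchange protocol currently formally adopted for IPsec.
6. There are two modes; they differ in the packet headers:
Tunnel mode: two IP headers
Transport mode: one IP header
7. SA (security association)
* An SA is unidirectional
* An SA is "protocol-specific"
* Each SA is identified by three parameters: the security parameter index (SPI), the peer IP address, and the security protocol identifier (AH or ESP)
* SAs relate to two databases implemented in an IPsec system: the security policy database (SPD) and the security association database (SAD)
8. Internet key exchange protocol: ISAKMP
9. IPsec VPN protocols and algorithms
* IP security protocols: AH, ESP
* Data encryption standards: DES, 3DES
* Public-key agreement protocol: Diffie-Hellman (D-H)
* Hash algorithms: MD5, SHA-1
* Public-key encryption algorithm: RSA
* Internet key exchange: IKE (ISAKMP)
* Certificate authority: CA
IPsec VPN case using CA certificates
Background:
Shougang Group Finance Co., Ltd. and the People's Bank of China (PBoC) clearing center set up an IPsec VPN. It differs from earlier IPsec VPNs: because financial business is involved, the required security level is relatively high, so the usual pre-shared key method was dropped and the IPsec VPN tunnel is established with CA certificates instead. The configuration process is briefly described below for my own future reference. Here I did not use the PBoC's required approach of NATing the front-end host before going through IPsec; I directly used the address that the PBoC assigned to us. The network topology is as follows:
I. Certificate configuration
Before configuring certificates, make sure the device (for example, the firewall) can already reach the Internet.
1. Before uploading the root certificate, check the device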
<H3C>dir
Directory of cfa0:/
0 -rw- 12142 Oct 11 2017 08:45:30 system.xml
1 -rw- 1228 May 15 2017 15:28:16 ca.cer
2 drw- - Apr 26 2000 12:00:06 logfile
3 drw- - May 11 2017 18:11:12 seclog
4 -rw- 21467216 May 11 2017 18:07:24 secbladeii-cmw520-r3181p07.bin
5 -rw- 1208 May 15 2017 15:29:48 dptext_ca.cer
6 -rw- 3246 Oct 11 2017 08:45:32 startup.cfg
7 -rw- 1196 May 15 2017 16:02:52 local.cer
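2. The PBoC sends a CA root certificate by e-mail or some other means; the root certificate needs to be uploaded to the device.
3. Upload the root certificate to the device via TFTP or FTP. I chose FTP: enable the FTP server on the device, then upload the root certificate from the local PC. Here the root certificate was renamed f1000.cer. After uploading, run dir again to check that the upload succeeded.
4. Create the PKI entity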
pki entity cwgs
common-name cwgs
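Huawei:
pki entity cwgs_1 // configure a PKI entity and enter the PKI entity view
organization cwgs
organization-unit cwgs
common-name cwgs // configure the common name of the PKI entity
5. Create the PKI domain and apply the PKI entity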
pki domain cwgs
ca identifier cwgs
certificate request from ca
certificate request entity cwgs
crl check disable
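Huawei:
pki realm cwgs // configure the PKI realm that the IKE peer belongs to
ca id sgcw_ca // configure the CA trusted by the PKI realm, specifying the name of the trusted CA
entity cwgs_1 // specify the PKI entity that requests the certificate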
undo ocsp nonce enable
certificate-check none
rsa local-key-pair rsakey
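Note: when importing certificates offline, be sure to disable the CRL check under the pki domain.
6. Check and adjust the firewall system time (certificate validity periods are evaluated against the device clock)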
<H3C>dis clock
09:30:26 UTC Wed 10/11/2017
7. Import the root certificate
[H3C]pki import domain cwgs pem ca filename f1000.cer
The trusted CA's finger print is:
MD5 fingerprint:90AD 60A5 DFEA 40D0 1F97 E9BD 6CA8 589F
SHA1 fingerprint:6848 FBC4 CF53 FA89 BE23 9913 5F70 5F2E 239A 3850
Is the finger print correct?(Y/N):y
Huawei:
[USG6300]pki import-certificate ca realm cwgs pem filename f1000.cer
The CA's Subject is /DC=com/DC=cncc/CN=CNCC
The CA's fingerprint is:
MD5 fingerprint:90AD 60A5 DFEA 40D0 1F97 E9BD 6CA8 589F
SHA1 fingerprint:6848 FBC4 CF53 FA89 BE23 9913 5F70 5F2E 239A 3850
Is the fingerprint correct?(Y/N):y
Info: Succeeded in importing the certificate.
8. View the imported root certificate
[H3C]dis pki certificate domain cwgs ca
Huawei:
[USG6300]display pki certificate ca realm cwgs
2017-10-14 13:58:00.180
The x509 object type is certificate:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
37:9e:70:4f:24:51:fb:91:4b:3c:18:50:ee:16:16:0c
Signature Algorithm: sha1WithRSAEncryption
Issuer: DC=com, DC=cncc, CN=CNCC
Validity
Not Before: Apr 20 01:51:11 2015 GMT
Not After : Apr 20 02:01:10 2025 GMT
Subject: DC=com, DC=cncc, CN=CNCC
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage:
Digital Signature, Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Key Identifier:
FE:CB:E5:95:AD:B0:F5:86:91:23:16:02:C3:E2:53:08:C4:4A:BA:11
1.3.6.1.4.1.311.21.1:
...
Signature Algorithm: sha1WithRSAEncryption
Pki realm name: cwgs
Certificate file name: f1000.cer
Certificate peer name: -
9. View the certificate and create the local device certificate
[H3C]pki request-certificate domain cwgs pkcs10
Then export the generated string; it is used to produce the local certificate.
*** Request for general certificate ***
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
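Note: copy the entire string above and send it to the PBoC administrator to request the local certificate; the PBoC administrator takes the string to the certificate server to request the certificate.
Huawei: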
[USG6300]pki enroll-certificate realm cwgs pkcs10
Error: Please specify a RSA key pair first.
[USG6300]pki rsa local-key-pair create rsakey exportable
Info: The name of the new key-pair will be: rsakey
Warning: RSA keys rsakey already exists.
Are you sure you want to overwrite it? [y/n]:y
The size of the public key ranges from 512 to 2048.
Input the bits in the modules:2048
Generating key-pairs...
.....................................................+++
...........+++
[USG6300]pki realm cwgs
Warning: Modification of the realm configuration may end the certificate request task and fail in obtaining certificate.
[USG6300-pki-realm-cwgs]dis th
#
pki realm cwgs
ca id sgcw_ca
entity cwgs_1
undo ocsp nonce enable
certificate-check none
#
return
[USG6300-pki-realm-cwgs]rsa local-key-pair rsakey
[USG6300]pki enroll-certificate realm cwgs pkcs10
Info: Creating certificate request file...
Info: Create certificate request file successfully.
Then run dir; a file named cwgs.req has been generated:
37 -rw- 924 Oct 14 2017 14:02:28 cwgs.req
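Then send this file to the PBoC.
10. The PBoC administrator sends back a certificate by e-mail; I renamed it vpn.cer and then uploaded it to the device.
11. Import the local certificate and view it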
[H3C]pki import-certificate local domain cwgs pem filename vpn.cer
[H3C]dis pki certificate local domain cwgs
Huawei:
[USG6300]pki import-certificate local realm cwgs pem filename vpn.cer
Info: Succeeded in importing the certificate.
[USG6300]display pki certificate local realm cwgs
2017-10-14 14:10:42.460
The x509 object type is certificate:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
14:55:23:74:00:00:00:00:03:71
Signature Algorithm: sha1WithRSAEncryption
Issuer: DC=com, DC=cncc, CN=CNCC
Validity
Not Before: Nov 14 05:09:51 2017 GMT
Not After : Nov 14 05:19:51 2018 GMT
Subject: O=cwgs, OU=cwgs, CN=cwgs
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
BB:6B:9F:FB:A0:55:6B:62:97:23:13:4C:B0:17:2B:F6:39:80:61:C7
X509v3 Authority Key Identifier:
keyid:FE:CB:E5:95:AD:B0:F5:86:91:23:16:02:C3:E2:53:08:C4:4A:BA:11
X509v3 CRL Distribution Points:
Full Name:
URI:file://VPNZSBF003/CertEnroll/CNCC.crl
Authority Information Access:
CA Issuers - URI:file://VPNZSBF003/CertEnroll/VPNZSBF003_CNCC.crt
Signature Algorithm: sha1WithRSAEncryption
Pki realm name: cwgs
Certificate file name: vpn.cer
Certificate peer name: -
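An added example (not from the original post): the checks that matter once the local certificate is imported, run over fields excerpted from the two certificate displays above. It confirms that the local certificate chains to the imported root (issuer and key identifier) and that the device clock from step 6 falls inside each validity window; treating the timestamp printed at the top of a display as the device time is an assumption.

```python
import re
from datetime import datetime

FMT = "%b %d %H:%M:%S %Y GMT"   # date format used in the certificate text

# Fields excerpted from the two certificate displays above.
CA_TEXT = """
Issuer: DC=com, DC=cncc, CN=CNCC
Not Before: Apr 20 01:51:11 2015 GMT
Not After : Apr 20 02:01:10 2025 GMT
Subject: DC=com, DC=cncc, CN=CNCC
X509v3 Subject Key Identifier:
FE:CB:E5:95:AD:B0:F5:86:91:23:16:02:C3:E2:53:08:C4:4A:BA:11
"""
LOCAL_TEXT = """
Issuer: DC=com, DC=cncc, CN=CNCC
Not Before: Nov 14 05:09:51 2017 GMT
Not After : Nov 14 05:19:51 2018 GMT
Subject: O=cwgs, OU=cwgs, CN=cwgs
X509v3 Authority Key Identifier:
keyid:FE:CB:E5:95:AD:B0:F5:86:91:23:16:02:C3:E2:53:08:C4:4A:BA:11
"""

def parse_cert_text(text):
    """Pull the fields we check out of OpenSSL-style certificate text."""
    def grab(pattern):
        m = re.search(pattern, text)
        return m.group(1).strip() if m else None
    return {
        "issuer": grab(r"Issuer:\s*(.+)"),
        "subject": grab(r"Subject:\s*(.+)"),
        "not_before": datetime.strptime(grab(r"Not Before\s*:\s*(.+)"), FMT),
        "not_after": datetime.strptime(grab(r"Not After\s*:\s*(.+)"), FMT),
        "ski": grab(r"Subject Key Identifier:\s*([0-9A-F:]+)"),
        "aki": grab(r"keyid:([0-9A-F:]+)"),
    }

def check_chain(ca_text, local_text, device_time):
    """Return a list of findings; an empty list means every check passed."""
    ca, local = parse_cert_text(ca_text), parse_cert_text(local_text)
    findings = []
    if local["issuer"] != ca["subject"]:
        findings.append("issuer does not match CA subject")
    if local["aki"] != ca["ski"]:
        findings.append("authority key id does not match CA key id")
    for name, cert in (("CA", ca), ("local", local)):
        if device_time < cert["not_before"]:
            findings.append(f"{name} certificate not yet valid at device time")
        elif device_time > cert["not_after"]:
            findings.append(f"{name} certificate expired at device time")
    return findings
```

With the Huawei display timestamp 2017-10-14 14:10:42 as device time, the check reports the local certificate as not yet valid, because its Not Before is Nov 14 2017.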
II. IPsec VPN configuration
12. Configure the IKE proposal and the phase 1 parameters
ike proposal 1
authentication-method rsa-signature
encryption-algorithm 3des-cbc
dh group2
authentication-algorithm md5
sa duration 7200
Huawei:
ike proposal 1
encryption-algorithm 3des
dh group2
authentication-algorithm md5
sa duration 7200
authentication-method rsa-signature
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
13. Configure the IKE peer
ike peer 1
proposal 1
remote-address 183.195.117.253
local-address 106.38.56.106
certificate domain cwgs
Huawei:
ike peer 1
undo version 2
ike-proposal 1
local-id-type dn
remote-id-type dn
remote-address 183.195.117.253
pki realm cwgs
ike negotiate compatible
14. Configure the IPsec transform-set and the phase 2 parameters
ipsec transform-set 1
encapsulation-mode tunnel
transform esp
esp authentication-algorithm sha1
esp encryption-algorithm 3des
Huawei:
ipsec proposal 1
esp authentication-algorithm sha1
esp encryption-algorithm 3des
15. Configure the interesting traffic
acl number 3000
rule 0 deny ip source 19.255.26.160 0.0.0.15 destination 19.194.208.0 0.0.1.255
rule 5 permit ip
acl number 3002
rule 0 permit ip source 19.255.26.160 0.0.0.15 destination 19.194.208.0 0.0.1.255
16. Configure the IPsec policy
ipsec policy renhang 10 isakmp
security acl 3002
ike-peer 1
transform-set 1
sa duration time-based 7200
Huawei:
ipsec policy renhang 10 isakmp
security acl 3002
ike-peer 1
proposal 1
tunnel local applied-interface
sa duration traffic-based 200000000
sa duration time-based 7200
17. Apply the IPsec policy on the outbound interface
interface GigabitEthernet0/1
port link-mode route
nat outbound 3000
ip address 106.38.56.106 255.255.255.248
ipsec policy renhang
Huawei NAT:
nat-policy
rule name NAT
source-zone trust
egress-interface GigabitEthernet1/0/3
source-address address-set ECDS
destination-address address-set è?DD_?°???ú
action no-nat
rule name NAT2
source-zone trust
egress-interface GigabitEthernet1/0/3
action nat easy-ip
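An added example, not part of the original post: a small audit of the phase 1 and phase 2 stanzas from steps 12 and 14 that reports every algorithm an example policy treats as legacy. The LEGACY table is an assumption of this sketch (not vendor or PBoC guidance), and the sample text is the H3C configuration above, re-indented the way the device displays it.

```python
# Example policy: values this sketch treats as legacy (assumption; adjust to your baseline).
LEGACY = {
    "encryption-algorithm": {"des", "des-cbc", "3des", "3des-cbc"},
    "authentication-algorithm": {"md5", "sha", "sha1"},
    "dh": {"group1", "group2"},
}
STANZA_HEADERS = ("ike proposal", "ipsec transform-set", "ipsec proposal")

# The H3C phase 1 / phase 2 stanzas from steps 12 and 14, re-indented.
SAMPLE = """\
ike proposal 1
 authentication-method rsa-signature
 encryption-algorithm 3des-cbc
 dh group2
 authentication-algorithm md5
 sa duration 7200
ipsec transform-set 1
 encapsulation-mode tunnel
 transform esp
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
"""

def audit(config):
    """Return (stanza, setting, value) for every legacy algorithm found."""
    findings, stanza = [], None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not raw[0].isspace():
            # Unindented line: a new top-level command; track it only if it is a proposal.
            stanza = line if line.startswith(STANZA_HEADERS) else None
            continue
        if stanza is None:
            continue
        tok = line.split()
        if tok[0] in ("esp", "ah"):        # phase 2 lines name the protocol first
            tok = tok[1:]
        if len(tok) >= 2 and tok[-1] in LEGACY.get(tok[0], ()):
            findings.append((stanza, tok[0], tok[-1]))
    return findings

if __name__ == "__main__":
    for stanza, setting, value in audit(SAMPLE):
        print(f"{stanza}: {setting} {value}")
```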
III. Test IPsec and check the status
1. Trigger IPsec traffic
On the front-end host 19.255.26.165, ping 19.194.209.9
2. Check the IPsec status
Run dis ike sa and dis ipsec sa
<H3C>dis ike sa
total phase-1 SAs: 1
connection-id peer flag phase doi
----------------------------------------------------------------
1 183.195.117.253 RD|ST 1 IPSEC
2 183.195.117.253 RD|ST 2 IPSEC
flag meaning
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
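An added example, not part of the original post: a first-match evaluation of ACL 3000 (used by nat outbound) and ACL 3002 (the IPsec security ACL) for a given flow, to confirm that the test ping is exempted from NAT and selected for the tunnel. It assumes outbound NAT is applied before IPsec on the interface, which is why ACL 3000 begins with a deny for the VPN flow.

```python
import ipaddress

# ACL rules copied from step 15 above.
ACL_3000 = ["rule 0 deny ip source 19.255.26.160 0.0.0.15 destination 19.194.208.0 0.0.1.255",
            "rule 5 permit ip"]
ACL_3002 = ["rule 0 permit ip source 19.255.26.160 0.0.0.15 destination 19.194.208.0 0.0.1.255"]

def wildcard_net(addr, wildcard):
    """Turn an address plus wildcard (inverse) mask into an ip_network."""
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):                    # only contiguous masks (2**k - 1) map to a prefix
        raise ValueError(f"non-contiguous wildcard mask: {wildcard}")
    base = int(ipaddress.IPv4Address(addr)) & ~w & 0xFFFFFFFF
    return ipaddress.ip_network((base, 32 - w.bit_length()))

def parse_rule(line):
    """Parse 'rule N permit|deny ip [source A W] [destination A W]'."""
    tok = line.split()
    def net(keyword):
        if keyword not in tok:         # omitted selector means "any"
            return ipaddress.ip_network("0.0.0.0/0")
        i = tok.index(keyword)
        return wildcard_net(tok[i + 1], tok[i + 2])
    return int(tok[1]), tok[2], net("source"), net("destination")

def first_match(acl, src, dst):
    """Action of the lowest-numbered matching rule; 'deny' when nothing matches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _, action, snet, dnet in sorted(map(parse_rule, acl), key=lambda r: r[0]):
        if s in snet and d in dnet:
            return action
    return "deny"

def classify(src, dst, nat_acl=ACL_3000, sec_acl=ACL_3002):
    """Say what happens to a flow leaving the outbound interface."""
    natted = first_match(nat_acl, src, dst) == "permit"
    protected = first_match(sec_acl, src, dst) == "permit"
    if protected and natted:
        # Assumption: NAT runs first, so the translated source no longer
        # matches the security ACL and the flow misses the tunnel.
        return "nat-before-ipsec conflict"
    if protected:
        return "ipsec"
    return "nat" if natted else "unmatched"

if __name__ == "__main__":
    print(classify("19.255.26.165", "19.194.209.9"))   # the test ping from section III
```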