MINISTRY OF EDUCATION AND TRAINING
HO CHI MINH CITY UNIVERSITY OF TECHNOLOGY
FACULTY: INFORMATION TECHNOLOGY
DEPARTMENT OF NETWORK ADMINISTRATION, CLASS 09DTHM
TOPIC: SITE-TO-SITE IPSEC VPN

Supervisor (GVHD): Nguyễn Đức Quang
Student (SVTH): Lê Văn Thức - 0951020265

Ho Chi Minh City, 6/2013



I. INTRODUCTION TO THE LAB

1. GNS3 topology


2. Description
- Connection technology: 3 routers and 1 HUB; the routers are named R1 (HUB), R2, R3 and R4.
- Router R3 connects to C1 (the client machine); R4 connects to C2 (the server machine).
- Routing protocols: static routing and EIGRP.

3. Tools used for the lab
- A PC with a strong CPU and plenty of RAM
- GNS3 and IOS images
- VMware
- Wireshark

4. Requirements:
1. Theory
2. Collect the configuration of all routers
3. Capture and analyze packets during IPsec VPN establishment



II. CARRYING OUT THE LAB REQUIREMENTS


1. Theory

1. Overview
IPsec works at the Network layer (layer 3) of the OSI model. Other Internet security protocols such as SSL, TLS and SSH operate from the transport layer upward (layers 4 to 7 of the OSI model). This gives IPsec its flexibility: it can protect layer 4 traffic carried by TCP, UDP and most other protocols used at that layer. IPsec therefore has an advantage over SSL and the other methods that operate at the upper OSI layers: an application that uses IPsec needs no change to its code, whereas an application that is required to use SSL or another upper-layer security protocol needs substantial code changes.

2. Security architecture
IPsec is deployed with (1) cryptographic protocols that protect packets in transit, (2) authentication methods and (3) negotiation of the encryption parameters. IPsec builds on the notion of security at the IP layer. A single security association is simple: a combination of algorithms and parameters (such as keys) that underpins encryption and authentication in one direction. In two-way communication, however, the security protocols work together to serve the exchange in both directions. In practice the choice of encryption and authentication algorithms is left to the IPsec administrator, because IPsec is a family of security protocols that provides encryption and authentication for every IP packet. When processing an outgoing packet, IPsec must decide what to protect and how; for this it uses the Security Parameter Index (SPI), an index (numbered and stored like the entries of a phone directory) into the Security Association Database (SADB), which together with the destination address in the packet header uniquely identifies the security association of each packet. A similar process is applied to incoming packets, where IPsec decrypts them and checks the keys held in the SADB. For multicast packets a security association is provided for the whole group and applies to every receiver in that group. A group may have more than one security association, distinguished by different SPIs, which allows several security levels within one group. Each sender can have several security associations, which permits authentication, while a receiver only knows the keys that were sent in the data. Note that the standards do not describe how these associations are negotiated and replicated from the group to its individual members.

3. Design by requirement
IPsec offers Transport mode (end-to-end), which secures traffic between hosts that communicate directly, and Tunnel mode (portal-to-portal) for communication between two networks, used mainly for VPN connections. IPsec is widely used in VPN communication, but the deployment of the two modes differs. Secure end-to-end communication across the Internet has developed slowly and has been a long time coming, partly because the Public Key Infrastructure (PKI) that this method relies on is neither widespread nor practical. IPsec is introduced to provide the following security services:
1. Encryption of the transmitted information
2. Data integrity
3. Mutual authentication between the communicating parties
4. Protection against replay within a security session.

5. Modes
There are two modes of IPsec operation: Transport mode and Tunnel mode.

Transport mode
In Transport mode only the payload of the packet is encrypted and/or authenticated. During routing the IP header is neither modified nor encrypted; when the Authentication Header is used, however, the IP addresses cannot be changed, because they are covered by the hash. The transport and application layers are always protected by the hash, so they cannot be modified (for example the port number). Transport mode is used for host-to-host communication. The encapsulation of IPsec messages for NAT traversal is defined by the NAT-T RFC documents.



Tunnel mode
In Tunnel mode the entire IP packet (data and header) is encrypted and authenticated. It must be encapsulated in a new IP packet so that routers can route it. Tunnel mode is used for network-to-network communication (between routers), or for host-to-network and host-to-host communication across the Internet.

4. Technical details
Two protocols were developed to secure packets of both IPv4 and IPv6: the IP Authentication Header, which ensures integrity and provides authentication, and the IP Encapsulating Security Payload, which provides confidentiality and, as an option you can choose, authentication and integrity. The algorithms used in IPsec include HMAC-SHA1 for integrity protection and TripleDES-CBC and AES-CBC for encryption and confidentiality of the packet. The full set of algorithms is given in RFC 4305.

a. Authentication Header (AH)
AH is used for connections that do not need confidentiality of the data. It is also an option for protecting against replay attacks, by using a sliding window and discarding older packets. AH protects data transmitted over IP. In IPv4 the IP header contains the mutable fields TOS, Flags, Fragment Offset, TTL and Header Checksum, which AH does not cover because they change in transit. AH is placed directly in front of the IP packet's payload. The AH header layout is shown below.

  0 - 7 bit      8 - 15 bit        16 - 23 bit   24 - 31 bit
  Next header    Payload length    RESERVED
  Security parameters index (SPI)
  Sequence number
  Authentication data (variable)


Meaning of each field:
Next header: identifies the protocol of the data being carried.
Payload length: the size of the AH packet.
RESERVED: reserved for future use (currently all zeros).
Security parameters index (SPI): identifies the security parameters which, combined with the IP address, identify the security association associated with the packet.
Sequence number: a number that increases with every packet, used to counter replay attacks.
Authentication data: contains the Integrity Check Value (ICV) needed to authenticate the packet.

b. Encapsulating Security Payload (ESP)
The ESP protocol provides authentication, integrity and confidentiality for packets. ESP also supports configurations for encryption only or authentication only, but using encryption without authentication does not provide security. Unlike AH, ESP does not protect the IP packet header, including its options. ESP runs directly on top of IP as IP protocol number 50, while AH uses number 51.

  0 - 7 bit   8 - 15 bit   16 - 23 bit   24 - 31 bit
  Security parameters index (SPI)
  Sequence number
  Payload data (variable)
  Padding (0-255 bytes)
                           Pad Length    Next Header
  Authentication Data (variable)

Meaning of the fields:
Security parameters index (SPI): identifies the security parameters combined with the IP address.
Sequence number: increases automatically and counters replay attacks.
Payload data: the data being transferred.
Padding: used with block ciphers.
Pad length: the size of the padding.
Next header: identifies the protocol used for the transmitted data.
Authentication data: contains the authentication data for the packet.

5. Implementations
IPsec is implemented in the kernel, with key management and the ISAKMP/IKE security negotiation handled from user space. There is, however, a standard interface for key management that can be driven by the IPsec kernel. Since it is provided to end users, IPsec can be deployed in the Linux kernel. The FreeS/WAN project was the first complete open-source implementation of IPsec, specifically for Linux. It comprises a kernel IPsec stack (KLIPS), a key management daemon and many shell scripts. The FreeS/WAN project was started in March 2004. Openswan and strongSwan continue the FreeS/WAN project. The KAME project also completed an IPsec implementation for NetBSD and FreeBSD; its key manager is called racoon. OpenBSD created its own ISAKMP/IKE, simply named isakmpd (it has also been ported to many systems, including Linux).
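Of the AH and ESP layouts above, only SPI and Sequence number are readable on the wire, and the Sequence number exists to feed the sliding-window replay check the AH section mentions. As an added example (not part of the report), a Python decoder for both headers in the layouts given above plus that replay window; the sample bytes are constructed, not captured traffic.

```python
import struct

# IP protocol numbers named in the report: ESP is 50, AH is 51.
PROTO_ESP, PROTO_AH = 50, 51

def parse_ah(data):
    """AH layout from the report: Next header(8) | Payload length(8) | RESERVED(16) | SPI(32) | Seq(32) | ICV."""
    next_hdr, payload_len, reserved, spi, seq = struct.unpack("!BBHII", data[:12])
    total = (payload_len + 2) * 4          # Payload length is in 32-bit words, minus 2
    if len(data) < total:
        raise ValueError("AH truncated")
    return {"next_header": next_hdr, "reserved": reserved, "spi": spi,
            "sequence": seq, "icv": data[12:total], "length": total}

def parse_esp(data):
    """Only SPI and Sequence number are readable; payload, padding, pad length and next header are encrypted."""
    spi, seq = struct.unpack("!II", data[:8])
    return {"spi": spi, "sequence": seq, "encrypted_len": len(data) - 8}

class ReplayWindow:
    """Sliding anti-replay window over the Sequence number (RFC 4303 style), default 64 wide."""
    def __init__(self, size=64):
        self.size, self.top, self.bitmap = size, 0, 0   # bit i set => seq (top - i) seen

    def accept(self, seq):
        if seq == 0:
            return False                    # sequence 0 is never valid
        if seq > self.top:                  # new high-water mark: slide the window right
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size or (self.bitmap >> diff) & 1:
            return False                    # too old, or already received (a replay)
        self.bitmap |= 1 << diff
        return True

def filter_esp(packets):
    """Run raw ESP payloads of one SA through a replay window; returns (spi, seq, accepted) per packet."""
    win, out = ReplayWindow(), []
    for p in packets:
        h = parse_esp(p)
        out.append((h["spi"], h["sequence"], win.accept(h["sequence"])))
    return out

# Constructed samples (not captured traffic): four ESP packets for SPI 0x1000 with
# sequence 2 replayed, and one AH with next header 4, payload length 4 (24 bytes), 12-byte ICV.
SAMPLE_ESP = [struct.pack("!II", 0x1000, s) + b"\xaa" * 16 for s in (1, 2, 2, 3)]
SAMPLE_AH = struct.pack("!BBHII", 4, 4, 0, 0x2000, 7) + b"\x11" * 12
```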

2. Configuration of all routers

R1 (HUB)
!* R1.lab.local.CiscoConfig
!* IP Address : 192.168.1.65
!* Community : vanthuc
!* Downloaded 5/14/2013 9:12:18 AM by SolarWinds Config Transfer Engine Version 5.5.0
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
ip cef
!
no ip domain lookup
ip domain name lab.local
!
multilink bundle-name authenticated
!
archive
 log config
  hidekeys
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set MINE esp-3des
!
crypto ipsec profile DMVPN
 set transform-set MINE
!
interface Tunnel0
 ip address 10.1.1.1 255.255.255.0
 no ip redirects
 ip mtu 1416
 ip hold-time eigrp 1 35
 no ip next-hop-self eigrp 1
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 no ip split-horizon eigrp 1
 tunnel source 192.168.1.65
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 192.168.1.65 255.255.255.0
 clock rate 2000000
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/1
 no ip address
 shutdown
 clock rate 2000000
!
router eigrp 1
 network 10.0.0.0
 network 172.16.0.0
 network 192.168.0.0
 no auto-summary
!
ip forward-protocol nd
ip route 192.168.2.0 255.255.255.0 192.168.1.66
ip route 192.168.3.0 255.255.255.0 192.168.1.66
!
no ip http server
no ip http secure-server
!
snmp-server community vanthuc RW
!
control-plane
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
end

Router R2
!* R2.lab.local.CiscoConfig
!* IP Address : 192.168.2.65
!* Community : vanthuc
!* Downloaded 5/14/2013 9:12:18 AM by SolarWinds Config Transfer Engine Version 5.5.0
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
ip cef
!
no ip domain lookup
ip domain name lab.local
!
multilink bundle-name authenticated
!
archive
 log config
  hidekeys
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 192.168.1.66 255.255.255.0
 clock rate 2000000
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/1
 ip address 192.168.2.65 255.255.255.0
 clock rate 2000000
!
interface Serial0/2
 ip address 192.168.3.65 255.255.255.0
 clock rate 2000000
!
interface Serial0/3
 no ip address
 shutdown
 clock rate 2000000
!
router eigrp 1
 network 192.168.0.0
 no auto-summary
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
snmp-server community vanthuc RW
!
control-plane
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
end

Router R3
!* R3.lab.local.CiscoConfig
!* IP Address : 192.168.3.66
!* Community : vanthuc
!* Downloaded 5/14/2013 10:12:23 AM by SolarWinds Config Transfer Engine Version 5.5.0
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
ip cef
!
no ip domain lookup
ip domain name lab.local
!
multilink bundle-name authenticated
!
archive
 log config
  hidekeys
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set MINE esp-3des
!
crypto ipsec profile DMVPN
 set transform-set MINE
!
interface Tunnel0
 ip address 10.1.1.2 255.255.255.0
 no ip redirects
 ip mtu 1416
 ip hold-time eigrp 1 35
 no ip next-hop-self eigrp 1
 ip nhrp map 10.1.1.1 192.168.1.65
 ip nhrp map multicast 192.168.1.65
 ip nhrp network-id 1
 ip nhrp nhs 10.1.1.1
 no ip split-horizon eigrp 1
 tunnel source 192.168.2.66
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN
!
interface FastEthernet0/0
 ip address 172.16.1.65 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 192.168.2.66 255.255.255.0
 clock rate 2000000
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/1
 no ip address
 shutdown
 clock rate 2000000
!
router eigrp 1
 network 10.0.0.0
 network 172.16.0.0
 network 192.168.0.0
 no auto-summary
!
ip forward-protocol nd
ip route 192.168.1.65 255.255.255.255 192.168.2.65
!
no ip http server
no ip http secure-server
!
snmp-server community vanthuc RW
!
control-plane
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
end

Router R4
!* R4.lab.local.CiscoConfig
!* IP Address : 192.168.3.66
!* Community : vanthuc
!* Downloaded 5/14/2013 10:12:23 AM by SolarWinds Config Transfer Engine Version 5.5.0
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R4
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
ip cef
!
no ip domain lookup
ip domain name lab.local
!
multilink bundle-name authenticated
!
archive
 log config
  hidekeys
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set MINE esp-3des
!
crypto ipsec profile DMVPN
 set transform-set MINE
!
interface Tunnel0
 ip address 10.1.1.3 255.255.255.0
 no ip redirects
 ip mtu 1416
 ip hold-time eigrp 1 35
 no ip next-hop-self eigrp 1
 ip nhrp map 10.1.1.1 192.168.1.65
 ip nhrp map multicast 192.168.1.65
 ip nhrp network-id 1
 ip nhrp nhs 10.1.1.1
 no ip split-horizon eigrp 1
 tunnel source 192.168.3.66
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN
!
interface FastEthernet0/0
 ip address 172.16.2.65 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 192.168.3.66 255.255.255.0
 clock rate 2000000
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/1
 no ip address
 shutdown
 clock rate 2000000
!
router eigrp 1
 network 10.0.0.0
 network 172.16.0.0
 network 192.168.0.0
 no auto-summary
!
ip forward-protocol nd
ip route 192.168.1.65 255.255.255.255 192.168.3.65
!
no ip http server
no ip http secure-server
!
snmp-server community vanthuc RW
!
control-plane
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
end
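R1, R3 and R4 above share one ISAKMP policy (3DES, MD5), a pre-shared key accepted from address 0.0.0.0 0.0.0.0, and the MINE transform set, which is esp-3des with no ESP authentication, exactly the encryption-without-authentication case the theory section calls insecure. As an added example that is not part of the report, a Python audit that flags those lines in an IOS running-config, run over a constructed excerpt of the report's settings and over a corrected excerpt; the hardened key and SNMP community are placeholders.

```python
import re

# Constructed excerpt modelled on the crypto settings of R1/R3/R4 above; not the report's full file.
WEAK_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto ipsec transform-set MINE esp-3des
crypto ipsec profile DMVPN
 set transform-set MINE
snmp-server community vanthuc RW
no service password-encryption
"""

# Same excerpt with each flagged line corrected (keywords valid on IOS 12.4; key/community are placeholders).
HARDENED_CONFIG = """\
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
crypto isakmp key <STRONG-PSK-PLACEHOLDER> address 192.168.2.66 255.255.255.255
crypto ipsec transform-set MINE esp-aes 256 esp-sha-hmac
crypto ipsec profile DMVPN
 set transform-set MINE
snmp-server community <RO-COMMUNITY-PLACEHOLDER> RO
service password-encryption
"""

def audit_ios_crypto(config):
    """Return (severity, message) findings for the ISAKMP/IPsec and management lines of an IOS config."""
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        if re.match(r"encr (3des|des)$", line) or line == "hash md5":
            findings.append(("medium", f"ISAKMP policy uses a legacy algorithm: {line}"))
        elif re.match(r"crypto isakmp key .* address 0\.0\.0\.0 0\.0\.0\.0$", line):
            findings.append(("medium", "wildcard pre-shared key: any host that knows the key can negotiate IKE"))
        m = re.match(r"crypto ipsec transform-set (\S+)(.*)$", line)
        if m and not any(t.endswith("-hmac") for t in m.group(2).split()):
            # The report itself notes that encryption without authentication is not secure.
            findings.append(("high", f"transform-set {m.group(1)}: ESP encryption without integrity (no esp-*-hmac)"))
        if re.match(r"snmp-server community \S+ RW$", line):
            findings.append(("high", "SNMP read-write community lets anyone holding the string rewrite the config"))
        if line == "no service password-encryption":
            findings.append(("low", "passwords are kept in clear text in the running config"))
    return findings
```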

3. Capturing and analyzing packets during IPsec VPN establishment

1. Show commands
show ip route on R1, R2, R3 and R4.

show crypto session (check the tunnels).

We can see that the tunnels have been created and all of them are UP-ACTIVE.

show crypto ipsec transform-set

show crypto map

show crypto isakmp sa

show crypto ipsec sa

2. Results
- We captured the ESP packets during the IPsec VPN establishment.