
Research and Deployment of VPN on Cisco Devices

Foreword

Today the world has entered the era of the information explosion. Alongside the growth of the mass media, the field of computer network communications keeps developing. With the Internet, the barriers between countries, between cultures and between people keep shrinking. Statistics today put the number of Internet users at around 2.4 billion, and the applications running on the Internet are extremely rich. However, as the Internet blurs the boundaries between companies, organisations and individuals, the risk of insecurity, and the chance that personal information and information resources are compromised, rises as well. So how can organisations and individuals who run local networks protect their important data when they join the Internet, guarantee that the data is highly available whenever it is needed, and still keep access convenient and fast? This question has become extremely important in today's information-technology boom. For these reasons I chose the topic "Research and deployment of VPN on Cisco devices" as the subject of my graduation internship. VPN is a widely used technology that provides a secure and efficient connection for reaching a company's internal resources from outside over the Internet. Although it runs on shared network infrastructure, the privacy of the data is preserved as if it were travelling over a dedicated private network.

Ho Chi Minh City, 10 May 2013


Acknowledgements

During the recent internship I received guidance, help and support from many sides. All of it became a great motivation that helped me complete the work assigned to me. With all my gratitude and respect, I would like to thank everyone. First, I thank the management of Công ty TNHH Thương mại và Kỹ thuật Tin học TTC (TTC Trading and Informatics Engineering Co., Ltd, 58 Mạc Đĩnh Chi, Đa Kao Ward, District 1, Ho Chi Minh City) for allowing me to intern at the company and for supporting me in every respect during the internship. Thanks to Mr Nguyễn Quang Lâm and the colleagues in the company who helped me wholeheartedly throughout my time there. I sincerely thank Mr Nguyễn Hữu Chấn Thành and the lecturers of the Communications and Computer Networks department for their dedicated guidance and help during the internship and in completing this report. Thank you!


Internship diary

Internship period: 25/02/2013 to 03/05/2013.
- Week 1 (25/02/2013 - 02/03/2013): learning about the company, its lines of business and its working practices.
- Week 2 (04/03/2013 - 09/03/2013): learning the basic work with the technical department and helping with some simple tasks.
- Weeks 3 to 8 (18/03/2013 - 20/04/2013): going out with the technical department to repair systems, maintain computers and deliver goods to the company's customers.
- Week 9 (22/04/2013 - 27/04/2013): collecting material and completing the graduation internship report.






CONTENTS

Chapter 1: OVERVIEW OF VPN (p. 3)
1.1 Definition of VPN (p. 3)
1.2 Benefits of VPN (p. 5)
1.3 Components needed to create a VPN connection (p. 5)
1.4 Components of Cisco's VPN system (p. 6)
1.5 Establishing a VPN connection (p. 6)
1.6 VPN technologies (p. 7)
1.6.1 Site-to-site VPN (p. 7)
1.6.1.1 Layer 2 VPN (p. 8)
1.6.1.2 Layer 3 VPN (p. 8)
1.6.1.3 GRE (p. 9)
1.6.1.4 MPLS VPN (p. 9)
1.6.2 Remote access VPN (p. 10)
1.6.2.1 L2TP (p. 11)
1.6.2.2 IPsec (p. 11)
Chapter 2: UNDERSTANDING IPSEC (p. 13)
2.1 IPsec transport mode (p. 13)
2.2 IPsec tunnel mode (p. 15)
2.3 Overview of ESP and AH (p. 16)
2.3.1 ESP (p. 16)
2.3.1.1 ESP modes (p. 16)
2.3.1.2 ESP packet fields (p. 17)
2.3.1.3 ESP operation and encryption (p. 18)
2.3.2 AH (Authentication Header) (p. 21)
2.3.2.1 AH modes (p. 21)
2.3.2.2 AH authentication and data integrity (p. 22)
2.3.2.3 AH header (p. 23)
2.3.2.4 Operation of the AH protocol (p. 24)
2.3.2.5 AH version 3 (p. 25)
2.3.2.6 AH summary (p. 26)
2.4 IKE (Internet Key Exchange) (p. 28)
2.4.1 IKE phases (p. 29)
2.4.1.1 IKE phase I (p. 29)
2.4.1.2 IKE phase II (p. 30)
2.4.1.3 IKE modes (p. 31)
Chapter 3: OVERVIEW OF THE CISCO IOS OPERATING SYSTEM (p. 35)
3.1 System architecture (p. 35)
3.2 Cisco IOS CLI (p. 37)
Chapter 4: CONFIGURING VPN ON CISCO DEVICES (p. 40)
4.1 Topology (p. 40)
4.2 Configuration (p. 41)
4.3 Results (p. 43)
References (p. 50)


Chapter 1: OVERVIEW OF VPN


In today's technological era the Internet has grown strongly, and so have the network infrastructure and the technologies that serve users' Internet needs. Users can connect and share resources and data quickly and accurately; to make this possible we use a device called a router to interconnect LANs and WANs. Computers that connect to the Internet through an Internet Service Provider (ISP) need a common protocol suite, TCP/IP. However, the Internet is global and no single organisation manages it, so securing data and managing services on it is hard. From this came a network model that satisfies those needs while still using the existing Internet infrastructure: the Virtual Private Network (VPN). With this model, users need not invest heavily in infrastructure, yet security and reliability are still guaranteed and they retain control of their own private network. It secures data between branches, suppliers and partner companies across the vast Internet, an environment full of network-attack risk.

1.1 Definition of VPN
A VPN is understood as the extension of a private network across a shared public network. Essentially, each VPN site connects to the other VPN sites, or to remote users, through the Internet. Instead of a physical connection such as a leased line, a VPN uses virtual connections established between a company's private networks at its sites, or to its teleworkers, through the Internet.
Student (SVTH): Ngô Hoàng Tuấn - Supervisor (GVHD): Nguyễn Hữu Chấn Thành


A VPN provides mechanisms to encrypt data on the wire, creating a secure tunnel between sender and receiver. To build such a tunnel the data is encrypted and only the header (the part carrying addressing and routing information) stays in the clear, so the packet can travel quickly across the public network to its destination. If an attacker captures packets on the public link, they cannot read them, because the content is encrypted. The link over which the encrypted, encapsulated data travels is called a VPN connection, and such links are commonly called VPN tunnels.

Figure 1.1 VPN connection model



1.2 Benefits of VPN
A VPN offers more benefits than traditional networks and leased-line networks, among them:
- Lower cost than other private networks: a VPN can cut costs by 20-40% compared with leased-line networks and cut remote-access costs by 60-80%.
- Flexibility in using the existing network infrastructure.
- A simple network structure, which reduces the management burden: one Internet backbone protocol integrated with connection-oriented protocols such as Frame Relay and ATM.
- Increased security: important data is encrypted and access rights are assigned per user.
- Support for the common network protocols in use today, such as TCP/IP.
- IP address privacy: because the information sent over the VPN is encrypted, the addresses inside the private network are hidden and only public Internet addresses appear on the outside.

1.3 Components needed to create a VPN connection
- User authentication: a mechanism to authenticate users, so that only legitimate users are allowed to connect and access the VPN.
- Address management: gives the user a valid IP address after joining the VPN so that internal network resources can be reached.


- Data encryption: encrypts data in transit to guarantee its confidentiality and integrity.
- Key management: manages the keys used to encrypt and decrypt data on send and receive.

1.4 Components of Cisco's VPN system
- Cisco VPN routers: run Cisco IOS software with IPsec support for securing the VPN; highly effective in mixed WAN environments.
- Cisco Secure PIX Firewall: an alternative choice of VPN gateway where firewall-grade perimeter security is wanted for the VPN.
- Cisco VPN Concentrator series: provides remote-access control functions and is also compatible with site-to-site VPN.
- Cisco Secure VPN Client: allows secure remote access to Cisco routers and PIX Firewalls; it runs on Windows.
- Cisco Secure Intrusion Detection System and Cisco Secure Scanner: used to monitor and test security within the VPN.
- Cisco Secure Policy Manager and CiscoWorks 2000: provide management of a large VPN.

1.5 Establishing a VPN connection
The machine that needs the VPN (the VPN client) creates a VPN connection to the machine providing the VPN service (the VPN server) over an Internet connection. The VPN server answers the connection from the VPN client.


The VPN server authenticates the connection and authorises it into the VPN. Data exchange between the VPN client and the internal network then begins.

Figure 1.2 Establishing a VPN connection

1.6 VPN technologies
VPNs can be divided into two types of technology: site-to-site VPN and remote access VPN.

1.6.1 Site-to-site VPN
In the simplest terms, a VPN is a connection between two endpoint devices across a public network, forming a link that suits the needs of the company or enterprise. These connections can be made at layer 2 or layer 3 of the seven-layer OSI model, so VPN technology can be classified as Layer 2 VPN and Layer 3 VPN. From the sites' point of view, a site-to-site connection looks the same whether it is built at layer 2 or layer 3.

1.6.1.1 Layer 2 VPN
A Layer 2 VPN operates at layer 2 of the OSI model; its connections are point-to-point and link the sites over a virtual circuit. A virtual circuit is a logical end-to-end connection between two end devices that can span many elements and physical segments of a network. Virtual circuits configured end to end are called permanent virtual circuits (PVCs). ATM and Frame Relay are two of the most popular Layer 2 VPN technologies; both provide site-to-site connectivity for a company by configuring PVCs over a shared backbone. One advantage of Layer 2 VPN is the traffic isolation it provides. ATM and Frame Relay links between sites can carry many layer 3 protocols, such as IP, IPX and AppleTalk. ATM and Frame Relay also provide quality of service (QoS), which is very important for delay-sensitive traffic such as voice and video.

1.6.1.2 Layer 3 VPN


A connection between sites can also be made at layer 3 (the network layer) of the OSI model. Common examples of Layer 3 VPN are GRE (Generic Routing Encapsulation), MPLS (Multiprotocol Label Switching) and IPsec VPN. A Layer 3 VPN can be a point-to-point connection linking two sites, such as GRE or IPsec, or an any-to-any connection built with MPLS, a technology in which service providers are investing heavily.

1.6.1.3 GRE
GRE is a protocol first developed by Cisco to create virtual tunnels that carry layer 3 protocols across an IP network. With a GRE tunnel, the Cisco router encapsulates each passenger protocol's packets, identified by a protocol-type field in the GRE header, inside an IP packet and builds a virtual connection to the Cisco router at the far end. By linking subnets that run different protocols across a single transport protocol, GRE tunnels let routing for those protocols work across the IP core.

1.6.1.4 MPLS VPN
MPLS (Multiprotocol Label Switching) was pioneered by Cisco. A common principle of VPN technologies is to encapsulate data with an additional header; MPLS VPN uses labels to encapsulate data and builds VPN connections between sites on top of them.


One advantage of MPLS VPN over other technologies is the flexibility to configure any topology between VPN sites on top of the existing network infrastructure.

Figure 1.3 MPLS VPN model

1.6.2 Remote access VPN
As classified above, VPNs comprise site-to-site VPN and remote access VPN. Site-to-site VPNs are static connections, each site knowing the other's configuration, so they do not meet the needs of users who move around a lot. Teleworkers, for example, can reach the data of distant branches and get their work done more efficiently. Two of the most common remote-access VPN methods for reaching an internal network are the Layer 2 Tunneling Protocol (L2TP) and IPsec VPN.

1.6.2.1 L2TP
Before the L2TP standard appeared (August 1999), Cisco used Layer 2 Forwarding (L2F) as its standard protocol for VPN connections. L2TP came later and integrates features of L2F: it combines Cisco's L2F with Microsoft's Point-to-Point Tunneling Protocol (PPTP). Microsoft supports both PPTP and L2TP in Windows NT and 2000. L2TP is used to create independent, multiprotocol connections for virtual private dial-up networks (VPDN). It lets users connect according to the company's security policies and build a VPN or VPDN as an extension of the corporate network. L2TP itself provides no encryption.

1.6.2.2 IPsec
One of the foremost concerns in a VPN is the safety of data travelling over the Internet: how do we prevent eavesdropping on, or theft of, information in the VPN? Encrypting the data is one defence against such attacks, and it can be done with encryption/decryption devices at each site. IPsec is a suite of protocols developed under the auspices of the IETF (Internet Engineering Task Force) to provide security services over IP packet-switched networks. The Internet is the global packet-switched network, so IPsec VPNs are deployed over the Internet, which saves a company a significant amount compared with a leased line. IPsec provides integrity, authentication, access control and confidentiality. With IPsec, information exchanged between remote branches can be encrypted or authenticated, avoiding loss or tampering of data in transit over the Internet. IPsec is the natural choice for securing a VPN: it is a framework covering data confidentiality, data integrity and data origin authentication. IPsec provides these services using IKE, which negotiates protocols and algorithms according to local policy and generates the encryption and authentication keys that IPsec uses.


Figure 1.4 IPsec usage model

Chapter 2: UNDERSTANDING IPSEC


The term IPsec is short for Internet Protocol Security. It refers to a set of protocols (AH, ESP, IKE, ...) developed by the Internet Engineering Task Force (IETF). The main purpose of IPsec is to provide a security mechanism at layer 3 (the network layer) of the OSI model. Every communication in an IP-based network relies on the IP protocol, so when a strong security mechanism is integrated into IP, the whole network is secured, because all communication passes through layer 3 (which is why IPsec was developed at layer 3 rather than layer 2). IPsec VPNs use the services defined in IPsec to guarantee the integrity, confidentiality and authenticity of data transmitted over a public network infrastructure. Encapsulating Security Payload (ESP) and Authentication Header (AH) are the two protocols used to protect IP packets. But first we must understand the two operating modes of IPsec, transport mode and tunnel mode, and their services.

2.1 IPsec transport mode
Transport mode protects the upper-layer protocols and applications. In transport mode, an IPsec header (ESP or AH) is inserted between the IP header and the upper-layer header.

Figure 2.1 Transport mode packet

As the figure shows, AH or ESP is placed after the original IP header, so only the IP payload is protected (encrypted, in the case of ESP) and the original IP header is kept intact. Transport mode can be used when both hosts support IPsec. This mode has the advantage of adding only a few bytes to each packet, and it lets devices on the path see the packet's final destination address, which allows special processing on intermediate networks based on the IP header. However, the layer 4 information is encrypted, which limits packet inspection. The biggest practical difficulty with transport mode is the complexity of managing security for the IP packets, since the IP header is not encrypted, together with the complexity of routing packets between sites. Because of this, a VPN gateway is normally used to protect the traffic of all hosts at one site towards a peer site.

2.2 IPsec tunnel mode
IPsec in transport mode combined with GRE encapsulation is a common way of connecting sites in a site-to-site VPN. But a site may, for whatever reason, not support GRE and still need an IPsec VPN with other sites; IPsec tunnel mode solves this quickly. In tunnel mode, the IP packet is encapsulated with a new IP header, and the IPsec header (ESP or AH) is inserted between the new and the old IP header. Because the packet is wrapped in a new IP header, tunnel mode is used to strengthen the security of data transmitted between sites across the public network infrastructure.

The security protocols of IPsec are ESP and AH. ESP uses IP protocol number 50 and AH uses IP protocol number 51. IPsec operates in the two modes described above, transport mode and tunnel mode. In transport mode the IP header is kept, and the ESP header is inserted between the IP header and the payload. In tunnel mode, ESP encrypts the encapsulated packet as its payload and a new IP header is prepended before the packet is forwarded.

2.3 Overview of ESP and AH

2.3.1 ESP
This protocol handles encryption, authentication and data integrity. After encapsulation with ESP, the information the receiver needs to locate the keys for the packet (the SPI and sequence number) is carried in the ESP header. Encryption algorithms used with ESP include DES, 3DES and AES; integrity is provided by keyed hashes such as HMAC-MD5 and HMAC-SHA. ESP encryption can be switched off by negotiating the NULL ESP encryption algorithm, so ESP can provide encryption only, integrity only, or both encryption and integrity.

2.3.1.1 ESP modes

ESP operates in both modes, transport mode and tunnel mode:
- Transport mode: ESP keeps the packet's original IP header and encrypts and/or authenticates only the payload. ESP in transport mode does not pass through NAT, because the NAT device rewrites the addresses on which the protected TCP/UDP checksum depends and cannot fix the checksum inside the ESP payload.
- Tunnel mode: ESP creates a new IP header for each packet; the new header carries the addresses of the ESP tunnel endpoints, not the original source and destination. ESP tunnel mode is used more widely than transport mode because it is the mode VPN gateways use and it hides the original header; it is not faster.

2.3.1.2 ESP packet fields
ESP adds a header and a trailer around the content of each packet. The ESP header consists of two fields: SPI and Sequence Number.


Figure 2.2 ESP packet fields

- SPI (32 bits): each endpoint of an IPsec connection chooses its own SPI value. The receiver uses the SPI together with the destination address and the IPsec protocol (ESP or AH) to look up the one Security Association (SA) whose policy applies to the packet.
- Sequence Number (32 bits): provides the anti-replay service. When the SA is established the sender's counter is 0; before each packet is sent the counter is incremented by 1 and placed in the ESP header, so the first packet carries 1. To guarantee that no two packets on the SA share a number, the counter is never allowed to wrap back to 0: a new SA is negotiated before that would happen.

Next comes the payload, made up of the encrypted payload data preceded, for ciphers that need one, by an unencrypted Initialization Vector (IV); the IV differs for every packet. The packet then ends with the ESP trailer and the authentication data:

- Padding (0-255 bytes) and Pad Length (8 bits): padding is added so that the plaintext is a multiple of the cipher block size and the trailer ends on a 4-byte boundary; Pad Length gives the number of padding bytes.
- Next Header (8 bits): in tunnel mode the payload is an IP packet, so Next Header is 4. In transport mode the payload is always a layer 4 protocol: TCP gives 6, UDP gives 17. Every ESP trailer contains a Next Header value.
- Authentication Data: holds the Integrity Check Value (ICV) for the ESP packet. The ICV is computed over the ESP header, payload and trailer, but not over the Authentication Data field itself and not over the outer IP header.

2.3.1.3 ESP operation and encryption

Figure 2.3 Operation of ESP

ESP uses a symmetric cipher to encrypt the data of an IPsec packet. Both endpoints must share the same key to encrypt and decrypt packets correctly. When an endpoint encrypts, it splits the data into small blocks and encrypts them one after another from the data blocks and the key. When the other endpoint receives the encrypted data, it uses the same key the sender used and runs the reverse process to recover the data. A captured ESP packet has five parts: Ethernet header, IP header, ESP header, encrypted data and authentication data. From the encrypted data alone one cannot tell whether the packet was sent in transport or tunnel mode, because the Next Header field that would say so is inside the encrypted trailer. The outer IP header, however, is not encrypted, so its protocol field still shows that the payload is ESP (protocol 50).
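The framing and receive-side checks just described, as an added example (not code from the report or from Cisco): it builds and verifies ESP packets using the NULL encryption algorithm mentioned in 2.3.1 together with HMAC-SHA1-96 integrity, so it runs on the Python standard library; the key, SPI and payloads are constructed, and a real SA would encrypt the payload and trailer with AES in place of the NULL cipher. Next Header 6 versus 4 distinguishes a transport-mode from a tunnel-mode payload, and the receiver's anti-replay window shows what the sequence number is for.

```python
"""ESP (RFC 4303) framing with the NULL cipher and HMAC-SHA1-96 integrity.

Added example for this report, not code from the report or from Cisco.
NULL encryption keeps the payload readable and avoids non-stdlib ciphers;
a real SA would encrypt payload + trailer with AES-CBC/AES-GCM here.
Key, SPI and sample payloads below are constructed.
"""
import hashlib
import hmac
import struct

ICV_LEN = 12            # HMAC-SHA1-96: SHA-1 output truncated to 96 bits
NEXT_HDR_IPV4 = 4       # tunnel mode: the payload is a complete IP packet
NEXT_HDR_TCP = 6        # transport mode: the payload is a TCP segment
NEXT_HDR_UDP = 17


def esp_encapsulate(auth_key: bytes, spi: int, seq: int, payload: bytes, next_header: int) -> bytes:
    """Build SPI | Seq | Payload | Padding | Pad Length | Next Header | ICV."""
    if seq == 0:
        raise ValueError("sequence number 0 is never transmitted")
    # Payload + padding + the two trailer bytes must end on a 4-byte boundary
    # (RFC 4303 s2.4); padding bytes carry the values 1, 2, 3, ...
    pad_len = (-(len(payload) + 2)) % 4
    trailer = bytes(range(1, pad_len + 1)) + struct.pack("!BB", pad_len, next_header)
    body = struct.pack("!II", spi, seq) + payload + trailer
    # The ICV covers header, payload and trailer; never the ICV itself or the outer IP header.
    icv = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv


class ReplayWindow:
    """Receiver-side anti-replay window (RFC 4303 s3.4.3), 64 packets by default."""

    def __init__(self, size: int = 64):
        self.size = size
        self.highest = 0      # highest sequence number accepted so far
        self.bitmap = 0       # bit i set => (highest - i) has already been accepted

    def accept(self, seq: int) -> bool:
        if seq == 0:
            return False
        if seq > self.highest:                       # right of the window: slide it
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:                      # left of the window: too old
            return False
        if (self.bitmap >> offset) & 1:              # inside the window but already seen
            return False
        self.bitmap |= 1 << offset
        return True


def esp_decapsulate(auth_key: bytes, packet: bytes, window: ReplayWindow):
    """Verify the ICV, apply anti-replay, strip the trailer.
    Returns (spi, seq, next_header, payload); raises ValueError on any failure."""
    if len(packet) < 8 + 2 + ICV_LEN:
        raise ValueError("ESP packet too short")
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV mismatch: packet altered or wrong SA")
    spi, seq = struct.unpack("!II", body[:8])
    # The window is advanced only after the ICV verified, so a forged
    # sequence number cannot move it.
    if not window.accept(seq):
        raise ValueError(f"replayed or stale sequence number {seq}")
    # With a real cipher, body[8:] would be decrypted here before reading the trailer.
    pad_len, next_header = struct.unpack("!BB", body[-2:])
    if 8 + 2 + pad_len > len(body):
        raise ValueError("bad pad length")
    payload = body[8:len(body) - 2 - pad_len]
    return spi, seq, next_header, payload


if __name__ == "__main__":
    key = bytes.fromhex("0b" * 20)           # constructed 160-bit HMAC key
    spi = 0x0000F001                         # constructed SPI (above the reserved range 1-255)
    window = ReplayWindow()
    # Transport mode: the payload is an upper-layer segment, Next Header = 6.
    pkt = esp_encapsulate(key, spi, 1, b"constructed tcp segment", NEXT_HDR_TCP)
    print(esp_decapsulate(key, pkt, window))
    # Tunnel mode: the payload is a whole (constructed) inner IPv4 header, Next Header = 4.
    inner_ip = bytes.fromhex("4500001400010000400100000a0000010a000002")
    print(esp_decapsulate(key, esp_encapsulate(key, spi, 2, inner_ip, NEXT_HDR_IPV4), window))
    try:
        esp_decapsulate(key, pkt, window)    # the first packet again: a replay
    except ValueError as err:
        print("rejected:", err)
```

The receiver checks the ICV before it touches the window, so an attacker who can only forge sequence numbers cannot move the window and lock out legitimate traffic; a receiver that skips the window check altogether (RFC 4303 allows that) loses the anti-replay service the sequence number exists to provide.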

Figure 2.4 ESP packet capture

The next figure shows the ESP header fields of the first four packets in an ESP session between host A and host B. Each host uses a different SPI value, and the Sequence Number starts at 1 and increases for the following packets.


Figure 2.5 ESP header fields from the ESP packets

ESP version 3
A newer version of ESP, version 3, has been added to the standard, based on the draft current at the time. The main functional differences between version 2 and version 3 are:
- ESP version 2 centred on encryption, with integrity protection as an optional addition; version 3 makes integrity-only ESP (no encryption) a first-class option.
- ESP version 3 can use longer (64-bit extended) sequence numbers, like AH version 3.
- ESP version 3 supports combined-mode algorithms that provide encryption and integrity in one pass, which is faster and safer than running two separate algorithms.

In summary:
In transport mode, ESP encrypts and protects the payload of the IP packet. ESP in transport mode does not pass through NAT, because the address rewrite invalidates the TCP/UDP checksum inside the protected payload.

In tunnel mode, ESP provides encryption, data integrity and authentication, and it can pass through NAT: the outer header is not covered by the ICV, and where the NAT also translates ports, UDP encapsulation (NAT traversal) is used. ESP in tunnel mode is the more widely used mode because it encrypts the original IP header, hiding the packet's real source and destination addresses, and it can also add padding bytes to the packet.

2.3.2 AH
AH is one of the protocols that provide packet integrity and data origin authentication. AH does not encrypt any part of the packet. In the first version of IPsec, ESP did not provide data authentication, so the two protocols had to be combined to obtain both confidentiality and integrity.

2.3.2.1 AH modes
AH has two modes, transport mode and tunnel mode:
- Transport mode: AH does not create a new IP header.
- Tunnel mode: AH creates a new IP header for each packet.
In an IPsec architecture that uses gateways, the real addresses in the IP header must be replaced by the gateway's IP address; because transport mode keeps only the original IP header, it is normally used host-to-host. AH provides integrity for the whole packet whether in transport mode or tunnel mode.


Figure 2.6 AH modes

2.3.2.2 AH authentication and data integrity

Figure 2.7 The AH authentication process

Step 1: AH runs the packet and the shared secret key through the agreed algorithm to produce a digest, which is placed in the AH header.
Step 2: The AH header is inserted between the IP header and the payload, and the packet is forwarded towards its destination through router A.


Step 3: Router B receives the packet (IP header, AH header and payload), runs the same algorithm as the source over it with the secret key agreed between the two sites, and produces its own digest.
Step 4: The digest computed at the destination is compared with the one sent by the source; if they match, the packet is accepted.

2.3.2.3 AH header

Figure 2.8 AH header

- Next Header (8 bits): holds the IP protocol number of the payload. In tunnel mode the payload is an IP packet, so Next Header is 4. In transport mode the payload is identified by the transport-layer protocol: TCP gives 6, UDP gives 17.
- Payload Length (8 bits): the length of the AH header in 32-bit words, minus 2.
- Reserved (16 bits): set to zero.
- Security Parameters Index, SPI (32 bits): an arbitrary value that, with the destination address and protocol, identifies the Security Association (SA) protecting the packet. SPI 0 is reserved for local, implementation-specific use and never appears on the wire; values 1-255 are reserved by IANA and are not assigned to SAs.
- Sequence Number (32 bits): incremented by 1 for every AH datagram a host sends on the SA. The first packet carries 1; 0 is never sent. When anti-replay is enabled the sender must not let the counter wrap, so it negotiates a new SA before that would happen. The receiver uses the sequence number to detect replayed datagrams; it may choose not to check it, but the sender must always increment and send it.
- Authentication Data: holds the Integrity Check Value (ICV). The field is always a multiple of 32 bits and is padded if the ICV does not fill it.

2.3.2.4 Operation of the AH protocol
The best way to understand how AH works is to look at and analyse AH packets. The figure below is a clear example of AH in action.

Figure 2.9 AH packet capture

The figure shows the parts of an AH packet: Ethernet header, IP header, AH header and payload. From the AH fields we can see this is a transport-mode packet, since it contains only one IP header. In this case the payload is an ICMP echo request (a ping).

The original ping carries a string of letters, shown in the packet as increasing hex values (e.g. 61, 62, 63). After AH is applied, the ICMP payload is unchanged, because AH only provides integrity, not encryption.

Figure 2.10 AH header fields from the AH packets

These are the AH header fields from the first four packets of an AH session between host A and host B. The fields of the first header are just labels identifying the AH mode.
- SPI: host A uses the hex value cdb59934 as the SPI in all of its packets, while host B uses a6b32c00 in all of its. This reflects the fact that an AH connection really consists of two one-way SAs.
- Sequence Number: both hosts start at 1, and both move to 2 for their second packet.


- Authentication information: the authentication (integrity) data, a keyed hash over almost all bytes of the packet.

2.3.2.5 AH version 3
A new standard for AH is version 3, developed from the draft. The differences between version 2 and version 3 are of minor concern to IPsec administrators and users: a few changes around the SPI and an optional longer (extended) sequence number. The version 3 draft also points to another draft listing the algorithms required for AH: it mandates support for HMAC-SHA1-96, recommends the stronger AES-XCBC-MAC-96, and lists HMAC-MD5-96 as optional.

2.3.2.6 AH summary
AH provides integrity for all headers and data of the packet, except the IP header fields that routers change in transit. AH includes the source and destination addresses in its integrity protection, so AH is generally incompatible with NAT. Today most IPsec implementations support the second version of IPsec, in which ESP can also provide integrity through authentication. AH offers one benefit that ESP does not: integrity protection of the outermost IP header.
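The AH integrity check as an added example (not code from the report or from Cisco), in Python with HMAC-SHA1-96: it builds a transport-mode AH packet, computes the ICV with the mutable IPv4 fields zeroed as RFC 4302 requires, and then shows why a router decrementing the TTL leaves the ICV valid while a NAT device rewriting the source address breaks it. The addresses, key and ICMP payload are constructed.

```python
"""AH (RFC 4302) integrity over an IPv4 packet with HMAC-SHA1-96.

Added example for this report, not code from the report or from Cisco.
Addresses, key and payload are constructed; the header layout and the
mutable-field rules follow RFC 4302.
"""
import hashlib
import hmac
import ipaddress
import struct

AH_PROTO = 51
ICV_LEN = 12          # HMAC-SHA1-96 truncates SHA-1 to 96 bits
AH_FIXED_LEN = 12     # Next Header, Payload Len, Reserved, SPI, Sequence Number
IPV4_HDR_LEN = 20     # no IP options in this example


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum; the checksum field must be zero on input."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, total_len: int, ttl: int = 64) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0x4000, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def zero_mutable_fields(ip_hdr: bytes) -> bytes:
    """RFC 4302 Appendix A1: fields a router may legitimately change are zeroed
    before the ICV is computed. Addresses, length and protocol stay covered,
    which is exactly why NAT and AH do not mix."""
    h = bytearray(ip_hdr)
    h[1] = 0               # DSCP / ECN
    h[6] = h[7] = 0        # flags + fragment offset
    h[8] = 0               # TTL
    h[10] = h[11] = 0      # header checksum
    return bytes(h)


def compute_icv(key: bytes, ip_hdr: bytes, ah_fixed: bytes, payload: bytes) -> bytes:
    # ICV scope: prepared IP header | AH header with the ICV field zeroed | payload
    data = zero_mutable_fields(ip_hdr) + ah_fixed + bytes(ICV_LEN) + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def build_ah_packet(key: bytes, src: str, dst: str, spi: int, seq: int,
                    next_header: int, payload: bytes) -> bytes:
    """Transport-mode AH: IP header | AH header | original upper-layer payload."""
    ah_words = (AH_FIXED_LEN + ICV_LEN) // 4
    ip_hdr = build_ipv4_header(src, dst, AH_PROTO, IPV4_HDR_LEN + ah_words * 4 + len(payload))
    # Payload Len = AH length in 32-bit words minus 2 (RFC 4302 s2.2); Reserved = 0
    ah_fixed = struct.pack("!BBHII", next_header, ah_words - 2, 0, spi, seq)
    return ip_hdr + ah_fixed + compute_icv(key, ip_hdr, ah_fixed, payload) + payload


def verify_ah_packet(key: bytes, packet: bytes) -> bool:
    if len(packet) < IPV4_HDR_LEN + AH_FIXED_LEN + ICV_LEN or packet[9] != AH_PROTO:
        return False
    ip_hdr = packet[:IPV4_HDR_LEN]
    ah_fixed = packet[IPV4_HDR_LEN:IPV4_HDR_LEN + AH_FIXED_LEN]
    icv_start = IPV4_HDR_LEN + AH_FIXED_LEN
    icv, payload = packet[icv_start:icv_start + ICV_LEN], packet[icv_start + ICV_LEN:]
    return hmac.compare_digest(icv, compute_icv(key, ip_hdr, ah_fixed, payload))


def _refresh_checksum(h: bytearray) -> bytes:
    h[10] = h[11] = 0
    struct.pack_into("!H", h, 10, ipv4_checksum(bytes(h[:IPV4_HDR_LEN])))
    return bytes(h)


def router_forward(packet: bytes) -> bytes:
    """What every hop does: TTL - 1 and a fresh header checksum (both mutable fields)."""
    h = bytearray(packet)
    h[8] -= 1
    return _refresh_checksum(h)


def nat_rewrite_source(packet: bytes, new_src: str) -> bytes:
    """What a NAT does on the way out: replace the source address (immutable under AH)."""
    h = bytearray(packet)
    h[12:16] = ipaddress.IPv4Address(new_src).packed
    return _refresh_checksum(h)


if __name__ == "__main__":
    key = bytes.fromhex("aa" * 20)                        # constructed HMAC key
    echo_request = bytes.fromhex("0800f7ff00000000")      # constructed ICMP echo request
    pkt = build_ah_packet(key, "10.0.0.1", "10.0.0.2", 0x10000001, 1, 1, echo_request)
    print("original  :", verify_ah_packet(key, pkt))                              # True
    print("after hop :", verify_ah_packet(key, router_forward(pkt)))              # True
    print("after NAT :", verify_ah_packet(key, nat_rewrite_source(pkt, "203.0.113.7")))  # False
```

The two transformations differ only in which IPv4 field they touch: TTL and checksum are excluded from the ICV, so the router's rewrite is invisible to AH, whereas the source address is covered, so the NAT's rewrite fails verification at the far end. This is the mechanical reason behind the statement above that AH is generally incompatible with NAT.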


Figure 2.11 Summary table comparing ESP and AH

2.4 Internet Key Exchange (IKE)


An IKE SA is bidirectional and provides a secure communication channel between the two parties. Bidirectional means that once it is established, either party can initiate Quick mode, Informational exchanges and New Group mode. An IKE SA is identified by the initiator's cookie followed by the responder's cookie. The cookie order established in phase 1 continues to identify the IKE SA regardless of the direction of traffic. The main function of IKE is to establish and maintain SAs. At minimum, the following attributes must be agreed between the two parties as part of the ISAKMP (Internet Security Association and Key Management Protocol) SA:
- the encryption algorithm;
- the hash algorithm to be used;
- the authentication method to be used;
- information about the Diffie-Hellman (DH) group and algorithm.
IKE performs negotiation, authentication, key management and key exchange. IKE negotiates an agreement between the two IPsec endpoints, and the SA then tracks all components of an IPsec session. After successful negotiation, the valid SA parameters are stored in the SA database. The main advantages of IKE include: IKE is not a standalone technology, so it can be used with any security mechanism.


Although the IKE mechanism is not fast, it is highly efficient, because a large number of security associations are negotiated with relatively few messages.

2.4.1 IKE phases
Phases I and II are the two phases that make up an IKE-based session; the figure below presents some general characteristics of the two phases. An IKE session assumes that a secure channel has already been established. This secure channel must be set up before any negotiation takes place.

Figure 2.12 The two phases of IKE

2.4.1.1 IKE Phase I
Phase I of IKE first authenticates the communicating endpoints, then establishes a secure channel for SA establishment. Next, the parties negotiate a mutually agreed ISAKMP SA (IKE SA), including the encryption algorithms, hash functions and authentication methods that protect the keys.


Once the encryption mechanism and hash function have been agreed, a preliminary shared secret is generated. The following information is used to generate the secret key:
- the Diffie-Hellman value;
- the SPI of the ISAKMP SA, in the form of cookies;
- random numbers known as nonces (used for signing purposes).
If the two parties agree to use public-key-based authentication, they also need to exchange IDs. After exchanging the necessary information, both sides generate their own keys from the shared secret. In this way, the encryption keys are generated without any key actually being exchanged over the network.

2.4.1.2 IKE Phase II
While phase I negotiates the establishment of the ISAKMP SA, phase II handles the establishment of SAs for IPsec. In this phase, SAs for various services are negotiated. The authentication mechanism, hash function and encryption algorithm that protect subsequent IPsec data packets (using AH and ESP) are negotiated as part of the phase II SA. Negotiation in this phase occurs more frequently than in phase I; typically, the negotiation may be repeated every 4-5 minutes. The frequent change of keys prevents attackers from cracking these keys and then the contents of the data packets.
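How the Diffie-Hellman value, the cookies and the nonces listed above combine into keying material without any key crossing the network, as an added Python example (not code from the thesis) of the IKEv1 phase 1 derivation with pre-shared-key authentication, the same `authentication pre-share` / `hash md5` policy configured in chapter 4 of this report. The DH modulus is a toy prime chosen for illustration, not a real IKE group, and `TEN_KEY` is the placeholder key name the report uses.

```python
"""Added example, not from the thesis: IKEv1 phase 1 key derivation (RFC 2409 section 5)
with pre-shared-key authentication, the 'authentication pre-share' / 'hash md5' policy
the report configures in chapter 4. Each side derives SKEYID and SKEYID_d/_a/_e from the
Diffie-Hellman secret, the two cookies and the two nonces; only public values cross the
network. The DH modulus is a toy 127-bit prime (constructed), not a real IKE MODP group."""
import hashlib, hmac, secrets

P = 2**127 - 1     # toy DH modulus for illustration only
G = 2

def prf(key, data, hash_name="md5"):
    """IKEv1 prf is HMAC over the negotiated hash function."""
    return hmac.new(key, data, getattr(hashlib, hash_name)).digest()

def to_bytes(n):
    return n.to_bytes((n.bit_length() + 7) // 8, "big")

class IkePeer:
    """One side of phase 1: its ISAKMP cookie, nonce and DH key pair."""
    def __init__(self):
        self.cookie = secrets.token_bytes(8)        # half of the IKE SA identifier
        self.nonce = secrets.token_bytes(16)        # Ni_b / Nr_b
        self.x = secrets.randbelow(P - 2) + 1       # private DH exponent, never sent
        self.public = pow(G, self.x, P)             # g^x, sent in the clear

    def shared_secret(self, peer_public):
        return to_bytes(pow(peer_public, self.x, P))   # g^xy, computed, never transmitted

def derive_keys(psk, gxy, cky_i, cky_r, ni, nr, hash_name="md5"):
    """SKEYID for PSK = prf(psk, Ni_b | Nr_b); the other three keys chain from it."""
    skeyid = prf(psk, ni + nr, hash_name)
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00", hash_name)             # seeds phase 2 keys
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01", hash_name)  # authenticates IKE messages
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02", hash_name)  # encrypts IKE messages
    return {"SKEYID": skeyid, "SKEYID_d": skeyid_d, "SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}

def phase1_psk(psk, hash_name="md5"):
    """Run both sides of the exchange; returns (initiator_keys, responder_keys)."""
    init, resp = IkePeer(), IkePeer()
    args = (init.cookie, resp.cookie, init.nonce, resp.nonce, hash_name)
    k_i = derive_keys(psk, init.shared_secret(resp.public), *args)
    k_r = derive_keys(psk, resp.shared_secret(init.public), *args)
    return k_i, k_r

if __name__ == "__main__":
    k_i, k_r = phase1_psk(b"TEN_KEY")          # placeholder PSK name from the report
    print(k_i == k_r, k_i["SKEYID_e"].hex())   # True, and the same 16-byte key on both sides
```

A peer holding a different pre-shared key computes the same g^xy but a different SKEYID, so its subsequent hashes fail verification and the exchange does not complete.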


In general, one phase II session corresponds to a single phase I session. However, multiple phase II exchanges can also be supported by a single phase I instance. This makes IKE's otherwise slow negotiation relatively faster. Oakley is one of the protocols within IKE, and Oakley in turn defines the four common IKE modes.

2.4.1.3 IKE modes
Four common IKE modes are typically deployed:
- Main mode
- Aggressive mode
- Quick mode
- New Group mode

Main mode
Main mode authenticates and protects the identities of the parties involved in the exchange. In this mode, six messages are exchanged between the endpoints: the first two messages negotiate the security policy for the exchange.


The next two messages exchange the Diffie-Hellman values and nonces; these later play an important role in the encryption mechanism.

The last two messages of this mode authenticate the parties with the help of signatures, hash functions and, optionally, certificates.

Figure 2.13 Main mode and Aggressive mode

Aggressive mode
Aggressive mode is essentially like Main mode; the only difference is that instead of the six messages of Main mode, only three messages are exchanged. Aggressive mode is therefore faster than Main mode. The messages are as follows: the first message proposes the security policy, passes the key-exchange data, and exchanges nonces for subsequent signing and verification. The second message replies to the first; it authenticates the responder and completes the security policy with the keys.

The final message authenticates the sender (the initiator of the session). Both Main mode and Aggressive mode belong to phase I.

Quick mode
The third IKE mode is Quick mode, which belongs to phase II. It is used to negotiate SAs for the IPsec security services. In addition, Quick mode can also generate new keying material. If a Perfect Forward Secrecy (PFS) policy was negotiated in phase I, a completely new Diffie-Hellman key exchange is initiated; otherwise, the new key is generated from hash values.

Figure 2.14 Quick mode


New Group mode
New Group mode is used to negotiate a new private group to facilitate the Diffie-Hellman key exchange. The figure below describes New Group mode. Although this mode runs after phase I, it does not belong to phase II.

Figure 2.15 New Group mode

Besides the four common IKE modes above, there is also an Informational mode. This mode accompanies the phase II exchanges and SAs. It provides the parties involved with additional information, arising from failures during negotiation. For example, if decryption fails at the receiver or a signature is not verified successfully, Informational mode is used to notify the other party.


Chapter 3: OVERVIEW OF THE CISCO IOS OPERATING SYSTEM


3.1 System architecture
Like a computer, a router has a CPU that executes instructions on the router's platform. The Cisco IOS software running on the router requires the CPU (microprocessor) to handle routing and bridging, manage the routing table and perform several other system functions. The CPU must access data in memory to solve problems or fetch instructions. Four types of memory are commonly used on a Cisco router:
ROM: general-purpose memory on one or more chips. It may also reside on the router's processor board. It is read-only, meaning data cannot be written to it. The first software that runs on a Cisco router is called the bootstrap software and is usually stored in ROM. The bootstrap software is invoked when the router boots.
Flash: flash memory resides on SIMM (Single In-line Memory Module) boards but can be expanded using (removable) PCMCIA cards. Flash memory is mostly used to store one or more copies of the Cisco IOS software. Configuration files or system information can also be copied to flash. Flash memory holds the Cisco IOS software image; depending on the model, flash may be EPROMs, SIMM modules or flash memory cards.

Internal flash memory: internal flash memory usually holds the system image. Some router models have two or more flash memories in SIMM form. If the SIMM has two banks it is called dual-bank flash memory. These banks can be divided into several smaller logical partitions.
i. Bootflash: bootflash usually holds the boot image, and sometimes holds the ROM Monitor.
ii. Flash memory PC card or PCMCIA card: a flash memory card that plugs into a Personal Computer Memory Card International Association (PCMCIA) slot. This card holds the system image, the boot image and configuration files.
RAM: very fast memory, but it loses its contents when the system reboots. In a PC it stores running applications and data. On a router, RAM holds the IOS operating system's tables and serves as buffer space. RAM is the basic memory used for the operating system's storage needs.
NVRAM: on a router, NVRAM stores the startup configuration. This is the configuration file that IOS reads when the router boots. It is extremely fast and persists across reboots.
Although the CPU and memory supply the components needed to run the IOS operating system, the router also needs various interfaces to forward packets. The interfaces receive and send the connections to the router that carry the data required by the router or switch. The common interface types are Ethernet and Serial. Just as a computer has driver software for parallel and USB ports, IOS also has device drivers that support the different interface types. All Cisco routers have a console port that provides an asynchronous EIA/TIA-232 serial connection. The console port can be connected to a computer over a serial link to provide terminal access to the router. Most routers also have an auxiliary port, which is similar to the console port but more specialised, and is used for a modem connection to manage the router remotely.

3.2 Cisco IOS CLI
Cisco IOS has three command modes, and each mode grants access to a different set of commands.
User mode: this is the first mode the user enters after logging in to the router. User mode is recognisable by the > symbol immediately after the router name. This mode only allows the user to run a few basic commands, such as viewing the system status. The system cannot be configured or restarted from this mode.
Privileged mode: this mode allows the user to view the system configuration, restart the system and enter configuration mode. It also allows all User mode commands to be run. Privileged mode is recognisable by the # symbol immediately after the router name. The user types the enable command to tell IOS that they want to move from User mode into Privileged mode. If an enable password or enable secret password has been set, the user must type the correct password to gain access to Privileged mode. The enable secret password uses a stronger encryption method when it is stored in the configuration, so it is more secure. Privileged mode lets the user do anything on the router, so it should be used with care. To leave privileged mode, the user runs the disable command.
Configuration mode: this mode allows the user to edit the running configuration. To enter Configuration mode, type the configure terminal command from Privileged mode. Configuration mode has many different sub-modes, starting with global configuration mode, which is recognisable by the (config)# symbol immediately after the router name. The sub-modes within configuration mode vary depending on what you want to configure, and the word inside the parentheses changes accordingly. For example, when you enter interface mode, the prompt changes to (config-if)# immediately after the router name. To leave configuration mode, the user can type end or press Ctrl-Z.
In every mode, depending on the context, the ? command lists the commands available at the current level. The ? symbol can also be used in the middle of a command to see that command's more complex options.


Figure 3.1 Some basic Cisco IOS commands


Chapter 4: CONFIGURING VPN ON CISCO DEVICES


4.1 Topology

Requirement: configure a site-to-site VPN so that the hosts in the two sites can communicate with each other.


4.2 Configuration
Apply the basic configuration to the routers as shown in the topology. Configure static routes on the two routers SITE_1 and SITE_2. VPN configuration (on Cisco routers that support VPN):
Step 1: Create the Internet Key Exchange (IKE) policy.
Router(config)#crypto isakmp policy 9
Router(config-isakmp)#hash md5
Router(config-isakmp)#authentication pre-share

Step 2: Create the shared key used for the VPN connection.


Router(config)#crypto isakmp key TEN_KEY address xxx.xxx.xxx.xxx //IP of the router at the other site

Step 3: Set the SA lifetime.
Router(config)#crypto ipsec security-association lifetime seconds 86400

Step 4: Configure an ACL for the IP ranges that are allowed through the VPN.


Router(config)#access-list 100 permit ip xxx.xxx.xxx.xxx LOCAL_WILDCARD yyy.yyy.yyy.yyy REMOTE_WILDCARD //local LAN followed by remote LAN (placeholders)


Step 5: Define the transform set to be used for the VPN connection.


Router(config)#crypto ipsec transform-set SET_NAME esp-3des esp-md5-hmac

Step 6: Create the crypto map.
Router(config)#crypto map MAP_NAME 10 ipsec-isakmp
Router(config-crypto-map)#set peer xxx.xxx.xxx.xxx //IP of the router at the other site
Router(config-crypto-map)#set transform-set SET_NAME
Router(config-crypto-map)#match address 100 //ACL created in step 4

Step 7: Apply the crypto map to the interface.
Router(config)#inter s0/0/0
Router(config-if)#crypto map MAP_NAME

Repeat the same steps on the router at the other site. The INTERNET router in the topology needs only the basic configuration.


4.3 Results
Screenshot of router SITE_1 after full configuration:

Screenshot of router SITE_2 after full configuration:


Screenshot of router INTERNET after full configuration:


Screenshot of PC0 at SITE_1 successfully pinging PC1 at SITE_2:

