Configuring IPSec VPN on Cisco Devices

I. VPN Overview:

Today the Internet has grown into a technology platform that meets the needs of its users. It was designed to connect many different networks and to let information reach users freely and quickly, regardless of the machine or network they are using. This is achieved with a special-purpose computer, the router, which connects LANs and WANs together. Computers reach the Internet through an Internet Service Provider (ISP) using a common protocol, TCP/IP. What engineering still has to solve is the transport capacity of the public telecommunications networks. With the Internet, services such as distance learning, online shopping and medical consultation have become reality. However, because the Internet is global and no single organization or government manages it, securing data and managing services on it is difficult.

To satisfy those requirements while still reusing the existing infrastructure of the Internet, a new network model was introduced: the Virtual Private Network (VPN). With this model an organization does not have to invest heavily in new infrastructure, yet security and reliability are preserved and the organization can manage the operation of its own network. A VPN lets users working at home, on the road or in branch offices connect securely to their organization's servers over infrastructure provided by a public network. [5] It can protect information exchanged between agents, suppliers and business partners across a wide communications environment. In many respects a VPN resembles a WAN (Wide Area Network); its defining property is that it can use a public network such as the Internet while still providing privacy, at far lower cost.

1. Definition of VPN:

A VPN is, simply put, the extension of a private network across public networks. Fundamentally, each VPN is a separate private network that uses a shared network (usually the Internet) to connect sites (separate private networks) or many remote users. Instead of a real dedicated connection such as a leased line, a VPN uses virtual connections routed across the Internet from the company's private network to its sites or remote employees. To send and receive data across the public network while preserving security and confidentiality, a VPN encrypts data in transit, creating a secure tunnel between sender and receiver that behaves like a point-to-point link on a private network. To build such a tunnel the data is encrypted or otherwise concealed, and only the packet header, which carries the routing information that lets the packet reach its destination quickly across the public network, is left visible. Because the data is carefully encrypted, packets captured on the public link cannot be read without the decryption key. A link carrying encrypted, encapsulated data is called a VPN connection; VPN links are commonly called VPN tunnels.

2. Benefits of VPN:

A VPN offers more than traditional networks and leased-line networks. The main benefits include:

Lower cost than private networks: a VPN can reduce transmission costs by 20-40% compared with leased-line networks, and remote-access costs by 60-80%.

Flexibility for doing business on the Internet: a VPN is more flexible and more scalable than classic network architectures, letting a business extend its connectivity quickly and cost-effectively. A VPN can easily connect or disconnect remote offices, international locations, telecommuters, mobile users and external business partners as business requirements dictate.

Simplified administration: dynamic network structures reduce the management burden. Using an Internet backbone protocol eliminates the static PVCs associated with connection-oriented protocols such as Frame Relay and ATM.

Improved security: sensitive data is hidden from users without access rights, while access is granted to authorized users.

Support for the most common network protocols in use today, such as TCP/IP.

IP address confidentiality: because information sent over a VPN is encrypted, the addresses inside the private network are hidden and only external Internet addresses are visible.

3. Components required to establish a VPN connection:

- User Authentication: authenticates users so that only legitimate users can connect to and access the VPN.

- Address Management: assigns a valid IP address to the user after joining the VPN so that resources on the internal network can be reached.

- Data Encryption: encrypts data in transit to ensure its privacy and integrity.

- Key Management: manages the keys used to encrypt and decrypt data.

4. Main components of a Cisco VPN:

a. Cisco VPN Router: runs Cisco IOS software with IPSec support for VPN security. VPN-optimized routers leverage the existing Cisco investment and are most effective in mixed WAN environments.

b. Cisco Secure PIX Firewall: an alternative VPN gateway when protecting privacy within the VPN is the priority.

c. Cisco VPN Concentrator series: strong remote-access control features, also compatible with site-to-site VPN; has an easy-to-use management interface and a VPN client.

d. Cisco Secure VPN Client: a Windows program that gives remote users secure access to Cisco routers and PIX firewalls.

e. Cisco Secure Intrusion Detection System (CSIDS) and Cisco Secure Scanner: commonly used to monitor and test security in a VPN.

f. Cisco Secure Policy Manager and CiscoWorks 2000: provide management of large VPN deployments.

5. VPN protocols:

The protocols that build secure tunnels for VPNs are L2TP, Cisco GRE, IPSec and PPTP.

a. L2TP:

- Before the L2TP standard appeared (August 1999), Cisco used Layer 2 Forwarding (L2F) as its standard protocol for VPN connections. L2TP came later and integrates features of L2F.

- L2TP combines Cisco's L2F with Microsoft's Point-to-Point Tunneling Protocol (PPTP). Microsoft supports PPTP and L2TP in Windows NT and Windows 2000.

- L2TP is used to create independent, multi-protocol connections for Virtual Private Dial-up Networks (VPDN). It lets users connect, subject to the company's security policies, to a VPN or VPDN that extends the corporate internal network.

- L2TP provides no encryption of its own; in practice it is paired with IPSec (L2TP/IPSec) for confidentiality.

- L2TP combines PPP (Point-to-Point Protocol) with Cisco's L2F (Layer 2 Forwarding), which makes it well suited to dial-up, ADSL and other remote-access networks. This extension uses PPP to give remote users VPN access.

b. GRE:

- A multi-protocol encapsulation that carries IP, CLNP and other packets inside an IP tunnel.

- With a GRE tunnel, the Cisco router encapsulates each packet in an IP header that identifies the carried protocol, creating a virtual point-to-point link to the destination Cisco router, which strips the outer IP header when the packet arrives.

- By connecting several subnets running different protocols over an environment with a single main protocol, GRE tunneling lets those other protocols be routed conveniently as IP packets. Note that GRE itself provides neither encryption nor authentication; on the Internet it is normally protected by IPSec (GRE over IPSec).

c. IPSec:

- IPSec is the choice for VPN security. It is a framework that provides data confidentiality, data integrity and data origin authentication.

- IPSec provides its security services using IKE to negotiate protocols and algorithms according to local policy and to generate the encryption and authentication keys that IPSec uses.

d. Point-to-Point Tunneling Protocol (PPTP):

- Used on clients running Microsoft Windows NT 4.0 and Windows 95 or later. The protocol encrypts LAN traffic, including NetBEUI and IPX, inside packets sent over the Internet. PPTP's encryption relies on RSA's RC4 stream cipher with 40-bit or 128-bit keys.

- It was not designed for LAN-to-LAN connections and is limited to 255 connections per server, with only one VPN tunnel per connection. It does not provide encryption suitable for large deployments, but it is easy to install and deploy and is a remote-access solution available only on Microsoft networks; it works well on Windows 2000. L2TP, by contrast, is normally combined with IPSec to obtain encryption. Today PPTP is considered obsolete: both its MS-CHAPv2 authentication and its RC4-based MPPE encryption have been broken, so it should not be used for new deployments.

6. Establishing a VPN connection:

a. The VPN client creates a VPN connection to the VPN server over an Internet connection.

b. The VPN server answers the connection.

c. The VPN server authenticates the connection and authorizes it.

d. Data exchange begins between the VPN client and the corporate network.

7. Types of VPN connection:

a. Remote Access VPNs:

Remote Access VPNs let remote, mobile and branch-office employees connect their devices to the organization's network resources at any time.

A Remote Access VPN describes remote users using VPN software to access the corporate intranet through a gateway or VPN concentrator (essentially a server). For that reason this solution is often called client/server. In this solution users typically use traditional WAN technologies to create tunnels back to their head office (HO) network.

A fairly new development in remote access VPN is the wireless VPN, in which an employee reaches the corporate network over a wireless connection. In this design the wireless connection first reaches a wireless terminal and then the corporate network. In both cases the client software on the PC initiates the secure connection, also called a tunnel.

An important part of this design is the initial authentication process, which ensures that the request comes from a trusted source. This initial stage usually follows the company's security policy, which covers procedures, techniques and servers (such as Remote Authentication Dial-In User Service [RADIUS] and Terminal Access Controller Access Control System Plus [TACACS+]).

Main components of the non-VPN remote access setup:

- Remote Access Server (RAS): located at the central site, responsible for verifying and authenticating incoming requests.

- Dial-up connections to the central site, which add cost for requests originating far from the center.

- Support staff to configure, maintain and manage the RAS and to assist remote users.

Figure 1-2: The non-VPN remote access setup.

- With Remote Access VPNs, remote users or branch offices need only a local connection to their ISP or the ISP's POP and reach resources over the Internet. The Remote Access setup is shown in the following figure:

Figure 1-3: The Remote Access VPN setup

As Figure 1-3 suggests, the main advantages of Remote Access VPNs are:

- The need for a RAS and its associated modems is eliminated.

- The need to support individual users is eliminated, because the remote connection is facilitated by the ISP.

- Long-distance dialing is eliminated; long-distance connections are replaced by local connections.

- Reduced cost for long-distance connections.

- Because the connection is local, throughput is higher than with a direct long-distance connection.

- VPNs give better access to the central site because they support a minimum service level even as the number of simultaneous connections grows rapidly.

Besides these advantages, VPNs have some disadvantages:

- Remote Access VPNs cannot guarantee quality of service.

- The chance of data loss is high, and fragments of packets may go astray and be lost in transit.

- Because of the complexity of the encryption algorithms, protocol overhead increases significantly, which complicates authentication. In addition, compression of IP and PPP-based data is very slow and poor.

- Because data travels over the Internet, exchanging large data such as multimedia, video and audio is very slow.

b. Site-to-Site (LAN-to-LAN):

- A site-to-site VPN (LAN-to-LAN VPN) connects the network at one location to the network at another location over a VPN. In this scenario the initial authentication between the network devices is performed on behalf of the users, and a VPN connection is established between the devices. The devices act as gateways and ensure that the intended traffic is forwarded to the other site. VPN-capable routers and firewalls, as well as dedicated VPN concentrators, all provide this function.

- A LAN-to-LAN VPN can be regarded as an intranet VPN or an extranet VPN (from a management-policy perspective). From an authentication standpoint it can be regarded as an intranet VPN; otherwise it is regarded as an extranet VPN. The strictness of access between sites can be controlled by both (intranet and extranet VPN) according to the respective sites. A site-to-site VPN is not a remote access VPN, but it is included here for completeness.

- The distinction between remote access VPN and LAN-to-LAN VPN is only conceptual and mainly serves discussion. For example, with new hardware-based VPN devices (such as the Cisco VPN 3002 hardware client) both classifications apply, because a hardware-based client may appear when a device accesses the network, even though a single network can have many VPN devices operating. Another example is the extended mode of the EzVPN solution using the 806 and 17xx routers.

- A LAN-to-LAN VPN connects two separate networks through a secure tunnel. The tunnel can use PPTP, L2TP or IPSec; its purpose is to connect two networks that have no direct link without compromising the integrity, authentication and confidentiality of the data. A LAN-to-LAN VPN can be built from a combination of VPN concentrators, routers and firewalls.

- A LAN-to-LAN connection is designed to create a direct, efficient network connection regardless of the physical distance between the networks. Because this connection may traverse the Internet or another untrusted network, security must be ensured by encrypting every packet exchanged between the networks.

1. Intranet VPNs:

Figure 1-4: The intranet setup using WAN backbone

- Intranet VPNs connect an organization's branch offices to the corporate intranet (backbone router) using campus routers, as shown above.

- This model is very expensive because two routers are needed to set up the network; in addition, deploying, maintaining and managing the intranet backbone is costly and depends on the traffic volume and the geographic spread of the whole intranet.

- To solve this, the expensive WAN backbone is replaced by low-cost Internet connections, which can save a considerable part of the cost of deploying the intranet, as shown below:

Figure 1-5: The intranet setup based on VPN.

Main advantages of the VPN-based intranet setup in Figure 1-5:

- More cost-effective, because fewer routers are used than in the WAN backbone model.

- Significantly reduces the amount of individual user support required worldwide, across the various remote sites.

- Because the Internet acts as the intermediate connection, new peer connections are easy to provide.

- Faster and better connectivity, because the connection is essentially to the service provider, which eliminates the distance problem and further reduces the organization's intranet costs.

Main disadvantages of this approach:

- Because data is still tunneled across the shared public network (the Internet), attacks such as denial-of-service remain a security threat.

- The chance of data loss in transit also remains high.

- In some cases, especially for high-end data such as multimedia files, data exchange is very slow because it travels over the Internet.

- Because the connection is Internet-based, performance is inconsistent and QoS is not guaranteed.

2. Extranet VPNs:

- Unlike intranet and remote-access VPNs, an extranet is not completely isolated from the outside world: it lets business partners such as customers, suppliers and partners who play an important role in the organization access the network resources they need.

Figure 1-6: The traditional extranet setup.

- As the figure shows, a traditional extranet is very expensive, because many separate network segments of the intranet are combined to form the extranet. This makes it hard to deploy and manage, and burdensome for the staff who maintain and administer it. Furthermore, an extranet is hard to extend, because doing so disturbs the whole intranet and may affect connections outside the network. Unexpected problems arise when an intranet is connected to an extranet. Designing and deploying an extranet can be a nightmare for network designers and administrators.

Figure 1-7: The Extranet VPN setup

Advantages of the extranet VPN:

- Because it operates over the Internet, you can choose the provider and the solution that fit the organization's needs.

- Because part of the Internet connectivity is maintained by the provider (ISP), maintenance costs and staffing are reduced.

- Easy to deploy, manage and modify.

Disadvantages of the extranet VPN:

- Security threats such as denial-of-service attacks remain.

- The risk of intrusion into the organization through the extranet increases.

- Because it relies on the Internet, exchanging high-end data is slow.

- Because it relies on the Internet, QoS (Quality of Service) is not consistently guaranteed.

II. Understanding the IPSec Protocol:

- IPSec stands for Internet Protocol Security. It refers to a set of protocols (AH, ESP, IKE and related standards) developed by the Internet Engineering Task Force (IETF). The main purpose of IPSec is to provide a security mechanism at layer 3 (the network layer) of the OSI model, as shown in Figure 6-1.

Figure 6-1: The position of IPSec in the OSI model.

- Every communication on an IP-based network relies on IP. Therefore, when a strong security mechanism is integrated into IP, the whole network is secured, because all communications pass through layer 3. (This is why IPSec was developed as a layer 3 protocol rather than a layer 2 protocol.)

- An IPSec VPN uses the services defined in IPSec to ensure the integrity, consistency, confidentiality and authentication of data transmitted over a public network infrastructure.

- Furthermore, with IPSec all applications at the application layer of the OSI model are independent of layer 3 when data is routed from source to destination. Because IPSec is tightly integrated with IP, applications inherit its security services without significant changes. Like IP, IPSec is transparent to end users, who need not be aware of the extended security mechanism working continuously behind a chain of operations.

- IPSec operates on a peer-to-peer model rather than a client/server model. A Security Association (SA) is an agreement between two parties that governs the exchanges between them. Each communicating party (a device or a piece of software) must agree on policies or rules by negotiating them with its prospective peer. There are two kinds of SA: the ISAKMP SA (also known as the IKE SA) and the IPSec SA.

- Security Associations (SAs) are a fundamental concept of the IPSec suite. An SA is a unidirectional logical connection between two entities that use IPSec services. An SA records:

- the authentication protocols, keys and algorithms: the mode and the keys of the authentication algorithms used by the Authentication Header (AH) or Encapsulating Security Payload (ESP) protocols of the IPSec suite;

- the encryption and decryption algorithm and its keys;

- key-related information, such as the key change or key refresh interval;

- information about the SA itself, including the SA source address and its refresh interval;

- the mode and size of any cryptographic synchronization (initialization vector) used, if any.

Figure 6-2: A generic representation of the three fields of an IPSec SA.

As Figure 6-2 shows, an IPSec SA is identified by three fields:

- SPI (Security Parameter Index). A 32-bit value that identifies the security protocol, as defined by the Security protocol field, in use in the IPSec suite. The SPI is carried in the header of the security protocol and is usually chosen by the destination system during SA negotiation.

- Destination IP address. The IP address of the destination node. Although it could be a broadcast, unicast or multicast address, the current SA management mechanisms are defined only for unicast.

- Security protocol. Describes the IPSec security protocol in use, either AH or ESP.

- Note:

Broadcast means all systems on the same network or subnet. Multicast is sent to several (but not all) nodes of a given network or subnet. Unicast means a single destination node. Because an SA is unidirectional, two SAs must be defined between two communicating endpoints, one for each direction. In addition, an SA provides security services for a VPN session protected by either AH or ESP. Therefore, if a session needs double protection by both AH and ESP, two SAs must be defined for each direction; this set of SAs is called an SA bundle.

IPSec SAs use two databases. The Security Association Database (SAD) holds the information about each SA, including the algorithm keys, the SA lifetime and the sequence numbers. The second database, the Security Policy Database (SPD), holds information about the security services applied, as an ordered list of inbound and outbound policy entries. Like firewall rules and packet filters, these entries define which traffic is processed by IPSec, which is allowed to bypass it, and which is discarded.
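The two databases described above, as an added example that is not part of the original report or of any Cisco code: a small Python model of an ordered SPD (first-match traffic selectors with protect/bypass/discard actions), an SAD keyed by the SA triple (SPI, destination, protocol), and the RFC 4303 sliding-window anti-replay check driven by the sequence-number state the SAD keeps per SA. All prefixes, SPIs, lifetimes and sequence numbers are constructed sample values.

```python
# Added example, not part of the original report: an ordered SPD, an SAD keyed
# by (SPI, destination, protocol) and the RFC 4303 anti-replay window that
# consumes the sequence numbers the SAD tracks. All values are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

PROTECT, BYPASS, DISCARD = "protect", "bypass", "discard"


@dataclass
class SPDEntry:
    """One SPD entry: traffic selectors plus the action IPSec applies."""
    src: str                    # source prefix selector
    dst: str                    # destination prefix selector
    proto: Optional[int]        # IP protocol number, or None for any
    action: str                 # PROTECT, BYPASS or DISCARD
    spi: Optional[int] = None   # outbound SA to use when action is PROTECT

    def matches(self, src, dst, proto):
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == proto))


class SPD:
    """Security Policy Database: ordered, first match wins, default discard."""
    def __init__(self, entries):
        self.entries = list(entries)

    def lookup(self, src, dst, proto):
        for entry in self.entries:
            if entry.matches(src, dst, proto):
                return entry
        return SPDEntry("0.0.0.0/0", "0.0.0.0/0", None, DISCARD)


@dataclass
class SA:
    """One unidirectional SA as held in the SAD, with its replay window."""
    spi: int
    dst: str
    protocol: str               # "ESP" or "AH"
    window_size: int = 64       # RFC 4303 minimum window
    highest_seq: int = 0        # right edge of the window
    bitmap: int = 0             # bit i set => highest_seq - i already received
    packets: int = 0
    lifetime_packets: int = 10_000   # hard lifetime in packets (constructed)

    def check_replay(self, seq):
        """Accept seq if it is new and inside the window; update the window."""
        if seq == 0:                         # sequence numbers start at 1
            return False
        if seq > self.highest_seq:           # advance the window
            shift = seq - self.highest_seq
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window_size) - 1)
            self.highest_seq = seq
            return True
        offset = self.highest_seq - seq
        if offset >= self.window_size:       # older than the window: drop
            return False
        if self.bitmap & (1 << offset):      # already seen: replay
            return False
        self.bitmap |= 1 << offset
        return True


class SAD:
    """Security Association Database keyed by the three SA identifiers."""
    def __init__(self):
        self.sas = {}

    def add(self, sa):
        self.sas[(sa.spi, sa.dst, sa.protocol)] = sa

    def inbound(self, spi, dst, protocol, seq):
        """Return what an inbound IPSec packet gets: ok, replay, no-sa or rekey."""
        sa = self.sas.get((spi, dst, protocol))
        if sa is None:
            return "no-sa"
        if not sa.check_replay(seq):
            return "replay"
        sa.packets += 1
        return "rekey" if sa.packets >= sa.lifetime_packets else "ok"


def demo():
    """Constructed site-to-site policy: 10.1/16 <-> 10.2/16 is protected by the
    SA with SPI 0x1001 toward gateway 203.0.113.2; local and ICMP traffic bypass."""
    spd = SPD([
        SPDEntry("10.1.0.0/16", "10.2.0.0/16", None, PROTECT, spi=0x1001),
        SPDEntry("10.1.0.0/16", "10.1.0.0/16", None, BYPASS),
        SPDEntry("0.0.0.0/0", "0.0.0.0/0", 1, BYPASS),
    ])
    sad = SAD()
    sad.add(SA(spi=0x1001, dst="203.0.113.2", protocol="ESP"))
    outbound = [spd.lookup(s, d, p).action for s, d, p in (
        ("10.1.5.5", "10.2.7.7", 6),    # site A -> site B, TCP
        ("10.1.5.5", "10.1.9.9", 6),    # stays inside site A
        ("10.1.5.5", "8.8.8.8", 1),     # ping to the Internet
        ("10.1.5.5", "8.8.8.8", 6))]    # no matching entry
    inbound = [sad.inbound(0x1001, "203.0.113.2", "ESP", seq)
               for seq in (1, 2, 2, 70, 5, 7, 100, 37, 37)]
    return outbound, inbound
```

The inbound sequence in `demo()` shows the three ways a packet fails the window: an exact duplicate (the second 2 and the second 37), a packet that has fallen behind the window after the right edge jumped to 70 (5), and the acceptance of a late but in-window packet (7 and 37). The SPD ends in an implicit discard, which is the safe default for a policy database that behaves like a firewall rule set.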

The IPSec suite offers three main capabilities:

- Authentication and data integrity. IPSec provides a strong mechanism for the receiver to verify the authenticity of the sender and to detect any unauthorized modification of the packet contents. The IPSec protocols give strong protection against spoofing and eavesdropping and, through sequence-number anti-replay, against replayed packets; they do not by themselves prevent denial of service.

- Confidentiality. The IPSec protocols encrypt data using strong encryption, preventing unauthorized parties from reading the data in transit. In tunnel mode, IPSec also hides the IP addresses of the source node (sender) and destination node (receiver) from eavesdroppers.

- Key management. IPSec uses a third protocol, Internet Key Exchange (IKE), to negotiate the security protocols and encryption algorithms before and during a session. Equally important, IPSec distributes and checks the cryptographic keys and updates them when required.

- The first two capabilities of the suite, authentication and data integrity, and confidentiality, are provided by the two main protocols of the IPSec suite: the Authentication Header (AH) and the Encapsulating Security Payload (ESP).

- The third capability, key management, belongs to a separate protocol suite that IPSec adopted because it is a robust key-management service. That protocol is IKE.

- IPSec SAs are currently deployed in two modes, Transport mode and Tunnel mode, shown in Figure 6-7. Both AH and ESP can work in either mode.

Figure 6-7: The two IPSec modes.

Transport Mode:

- Transport mode protects upper-layer protocols and applications. In transport mode the IPSec header is inserted between the IP header and the upper-layer protocol header, as shown below: AH and ESP are placed after the original IP header. Thus only the IP payload is protected and the original IP header is left intact. Transport mode can be used when both hosts support IPSec. Its advantages are that it adds only a few bytes per packet and that it lets network devices see the final destination of the packet, which allows special processing on intermediate networks based on the information in the IP header. However, the layer 4 information is encrypted (with ESP), which limits inspection of the packet.

Figure 6-8: IPSec Transport mode, a generic representation.

Figure 6-9: AH Transport mode.

Figure 6-10: ESP Transport mode.

- Transport mode involves no extra header processing, so it is faster. However, with ESP it leaves the IP header unprotected, since ESP neither authenticates nor encrypts the IP header.

Tunnel Mode:

- Unlike transport mode, tunnel mode protects the entire IP packet. The whole original IP packet is encapsulated in a new IP packet, and an IPSec header is inserted between the original header and the new IP header. The whole original packet is encapsulated by AH or ESP and a new IP header is wrapped around it, so the original IP packet, once protected, becomes the payload of the new IP packet. This mode lets network devices such as routers act as IPSec proxies that encrypt on behalf of hosts: the source router encrypts the packets and forwards them along the tunnel; the destination router decrypts the original IP packet and forwards it to the end system. The new header therefore carries the gateway's address as its source address.

- With a tunnel between two security gateways, the original source and destination addresses can be encrypted. Tunnel mode is used when at least one end of the IPSec connection is a security gateway and the real destination behind the gateway does not support IPSec.

Figure 6-11: IPSec Tunnel mode, a generic representation.

- In AH Tunnel mode, the new AH header is inserted between the new IP header and the original IP header, as shown below.

Figure 6-12: AH Tunnel mode.

Figure 6-13: ESP Tunnel mode.
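To make the header placement of the two modes concrete, here is an added example that is not from the original report or from Cisco: it builds AH in transport mode and in tunnel mode with HMAC-SHA1-96 using only the Python standard library. The IPv4 header builder is simplified (no checksum, no options), the key and addresses are constructed sample values, and in a real deployment the key would come from IKE. The demo also shows the practical consequence of AH authenticating the IP header: a TTL decrement by a router (a mutable field, excluded from the ICV) still verifies, while a NAT rewrite of the source address does not.

```python
# Added example, not part of the original report: AH transport vs tunnel mode
# encapsulation with an HMAC-SHA1-96 ICV (RFC 4302), stdlib only.
import hashlib
import hmac
import struct

AH_PROTO = 51        # IP protocol number of the Authentication Header
IPV4_IN_IP = 4       # AH "next header" value for an encapsulated IPv4 packet
ICV_LEN = 12         # HMAC-SHA1-96 truncates the 20-byte tag to 96 bits


def ipv4_header(src, dst, proto, total_len, ttl=64):
    """Minimal 20-byte IPv4 header (checksum left zero, no options)."""
    def a2b(addr):
        return bytes(int(x) for x in addr.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000,
                       ttl, proto, 0, a2b(src), a2b(dst))


def zero_mutable(ip_hdr):
    """Zero the fields a router may change in flight (RFC 4302 3.3.3.1):
    TOS, flags/fragment offset, TTL and the header checksum."""
    h = bytearray(ip_hdr)
    h[1] = 0            # TOS / DSCP+ECN
    h[6:8] = b"\0\0"    # flags + fragment offset
    h[8] = 0            # TTL
    h[10:12] = b"\0\0"  # header checksum
    return bytes(h)


def ah_header(next_hdr, spi, seq, icv=b"\0" * ICV_LEN):
    # payload length = (AH length in 32-bit words) - 2 = 24/4 - 2 = 4
    return struct.pack("!BBHII", next_hdr, (12 + ICV_LEN) // 4 - 2, 0, spi, seq) + icv


def _seal(key, ip_hdr, next_hdr, data, spi, seq):
    """ICV covers the immutable IP header, the AH with ICV zeroed, and the data."""
    ah = ah_header(next_hdr, spi, seq)
    icv = hmac.new(key, zero_mutable(ip_hdr) + ah + data, hashlib.sha1).digest()[:ICV_LEN]
    return ip_hdr + ah_header(next_hdr, spi, seq, icv) + data


def ah_transport(key, src, dst, proto, payload, spi, seq):
    """Transport mode: [IP hdr proto=51] [AH next=proto] [upper-layer payload]."""
    total = 20 + 12 + ICV_LEN + len(payload)
    return _seal(key, ipv4_header(src, dst, AH_PROTO, total), proto, payload, spi, seq)


def ah_tunnel(key, gw_src, gw_dst, inner_packet, spi, seq):
    """Tunnel mode: [new IP hdr gw->gw proto=51] [AH next=4] [original IP packet]."""
    total = 20 + 12 + ICV_LEN + len(inner_packet)
    return _seal(key, ipv4_header(gw_src, gw_dst, AH_PROTO, total),
                 IPV4_IN_IP, inner_packet, spi, seq)


def ah_verify(key, packet):
    """Receiver side: recompute the ICV over the immutable fields and compare."""
    ip_hdr, ah, data = packet[:20], packet[20:44], packet[44:]
    if ip_hdr[9] != AH_PROTO:
        return False
    got = ah[12:]
    ah_zeroed = ah[:12] + b"\0" * ICV_LEN
    want = hmac.new(key, zero_mutable(ip_hdr) + ah_zeroed + data, hashlib.sha1).digest()[:ICV_LEN]
    return hmac.compare_digest(got, want)


def demo():
    key = b"constructed-sample-ah-key-0123"          # constructed; real keys come from IKE
    payload = b"\x00\x50\x1f\x90" + b"GET / HTTP/1.0\r\n"  # constructed TCP-like payload
    # Transport mode between two IPSec-capable hosts
    t = ah_transport(key, "10.1.0.5", "10.2.0.7", 6, payload, spi=0x1001, seq=1)
    # Tunnel mode between two gateways carrying the hosts' original packet
    inner = ipv4_header("10.1.0.5", "10.2.0.7", 6, 20 + len(payload)) + payload
    u = ah_tunnel(key, "203.0.113.1", "203.0.113.2", inner, spi=0x1002, seq=1)
    ttl_changed = bytearray(t)
    ttl_changed[8] -= 1                  # a router decrements TTL: mutable, still verifies
    natted = bytearray(t)
    natted[12:16] = bytes([192, 0, 2, 9])  # NAT rewrites the source: ICV breaks
    return {
        "transport_next_hdr": t[20], "tunnel_next_hdr": u[20],
        "transport_ok": ah_verify(key, t), "tunnel_ok": ah_verify(key, u),
        "ttl_change_ok": ah_verify(key, bytes(ttl_changed)),
        "nat_ok": ah_verify(key, bytes(natted)),
        "inner_hdr_authenticated": u[44:64] == inner[:20],
    }
```

In tunnel mode the original header is part of the authenticated data (`inner_hdr_authenticated`), which is what lets a gateway hide and protect the hosts' real addresses, while in transport mode the `next header` byte of AH names the upper-layer protocol (6 for TCP). The `nat_ok` result is why AH cannot traverse NAT and why ESP, whose integrity check does not cover the outer IP header, is the usual choice across the Internet.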

- The IKE SA is bidirectional and provides a secure communication channel between the two parties. Bidirectional means that once it is established, either party can initiate Quick Mode, Informational and New Group Mode exchanges. An IKE SA is identified by the initiator's cookie followed by the responder's cookie; the cookie order established in Phase 1 continues to identify the IKE SA regardless of direction. The main function of IKE is to establish and maintain SAs. The following attributes are the minimum that must be agreed between the two parties as part of the ISAKMP (Internet Security Association and Key Management Protocol) SA:

- the encryption algorithm;

- the hash algorithm;

- the authentication method;

- the Diffie-Hellman (DH) group.

- IKE performs negotiation, authentication, key management and key exchange. IKE negotiates an agreement between the two IPSec endpoints, and the SA then tracks all the components of an IPSec session. After a successful negotiation, the valid SA parameters are stored in the SA database.

- The main advantages of IKE: IKE is not a standalone technology, so it can be used with any security mechanism. Although not fast, IKE is highly efficient, because it negotiates a large number of security associations with relatively few messages.

IKE Phases

- Phase I and Phase II are the two phases that make up an IKE-based session; Figure 6-14 shows their general characteristics. In an IKE session a secure channel is assumed to exist before any negotiation takes place, and this channel must be established first.

Figure 6-14: The two IKE phases, Phase I and Phase II.

IKE Phase I

- Phase I first authenticates the communicating peers and then establishes a secure channel for SA establishment. The peers then negotiate a mutually agreed ISAKMP SA, including the encryption algorithm, the hash function and the authentication method that protect the keying material.

- Once the encryption mechanism and hash function are agreed, a master secret key is generated. The following information is used to generate the secret key:

- the Diffie-Hellman values;

- the SPI of the ISAKMP SA, in the form of cookies;

- random numbers known as nonces (used for signing purposes).

- If the two parties agree to use public-key authentication, they also need to exchange IDs. After exchanging the necessary information, both sides generate their own keys from the shared secret. In this way the encryption keys are generated without any key ever being sent across the network.

IKE Phase II

- While Phase I negotiates the SA for ISAKMP, Phase II establishes the SAs for IPSec. In this phase SAs for various services are negotiated. The authentication mechanism, hash function and encryption algorithm that protect subsequent IPSec packets (using AH and ESP) are negotiated as part of the Phase II SA.

- Phase II negotiation occurs more frequently than Phase I; typically it may be repeated every 4-5 minutes. Frequent key changes prevent an attacker from cracking the keys and then the packet contents.

- In general, one Phase II session corresponds to one Phase I session. However, several Phase II exchanges can be supported by a single Phase I instance, which makes the otherwise slow IKE transaction comparatively fast.

- Oakley is one of the protocols on which IKE is based. Oakley in turn defines the four common IKE modes.

IKE Modes

Four common IKE modes are implemented: Main mode, Aggressive mode, Quick mode and New Group mode.

Main Mode

- Main mode authenticates and protects the identities of the parties involved in the exchange. In this mode six messages are exchanged between the peers:

- The first two messages negotiate the security policy for the exchange.

- The next two messages exchange Diffie-Hellman public values and nonces. These later play an important role in the encryption mechanism.

- The last two messages authenticate the peers with the help of signatures, hash functions and, optionally, certificates. Because they are sent after the Diffie-Hellman exchange, these two messages are encrypted, so the peers' identities and authentication hashes are never visible on the wire.

Figure 6-15 shows the message exchange in IKE Main mode.

Aggressive Mode

- Aggressive mode is essentially similar to Main mode. The difference is that instead of the six messages of Main mode, only three messages are exchanged, so Aggressive mode is faster than Main mode. The messages are:

- The first message proposes the security policy, passes the key-exchange data for the master key, and exchanges nonces for the subsequent signing and verification.

- The second message replies to the first. It authenticates the responder and completes the security policy with the keys.

- The last message authenticates the sender (the initiator of the session).

- The price of the shorter exchange is that the identities and the responder's authentication hash travel before any encryption is in place. With pre-shared-key authentication, a passive eavesdropper who captures an Aggressive mode exchange can mount an offline dictionary attack on the pre-shared key, so Main mode should be preferred whenever the peer's address is known in advance.

Figure 6-16: Message exchange in IKE Aggressive mode.
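The Phase I derivation described under "IKE Phase I" (Diffie-Hellman values, cookies and nonces combined into a shared secret without sending any key) and the Main mode versus Aggressive mode difference above, as an added example that is not from the original report or from any Cisco implementation: the RFC 2409 pre-shared-key SKEYID derivation with Oakley group 2 and HMAC-SHA1 as the PRF, computed independently by both peers, followed by the offline dictionary attack a passive eavesdropper can run against HASH_R when Aggressive mode sends it in the clear. The peer identities, the SA payload body and the candidate password list are constructed sample values.

```python
# Added example, not part of the original report: IKEv1 Phase I key derivation
# with pre-shared-key authentication (RFC 2409 section 5) and the Aggressive
# mode PSK weakness. All identities, cookies, nonces and guesses are constructed.
import hashlib
import hmac
import secrets

# RFC 2409 Oakley group 2 (1024-bit MODP), generator 2.
P = int(("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
         "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
         "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
         "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF"), 16)
G = 2
PLEN = (P.bit_length() + 7) // 8   # DH values are sent as 128-byte big-endian strings


def prf(key, data):
    """The negotiated PRF: HMAC of the negotiated hash, SHA-1 here."""
    return hmac.new(key, data, hashlib.sha1).digest()


class Peer:
    """One IKE Phase I party: identity, cookie, nonce and a DH key pair."""
    def __init__(self, identity):
        self.identity = identity               # IDii_b / IDir_b payload body
        self.cookie = secrets.token_bytes(8)   # CKY-I or CKY-R
        self.nonce = secrets.token_bytes(16)   # Ni_b or Nr_b
        self.x = secrets.randbelow(P - 2) + 1  # private DH exponent, never sent
        self.pub = pow(G, self.x, P).to_bytes(PLEN, "big")   # g^x, sent on the wire

    def shared(self, peer_pub):
        """g^xy, computed locally by each side from the other's public value."""
        return pow(int.from_bytes(peer_pub, "big"), self.x, P).to_bytes(PLEN, "big")


def phase1_keys(psk, cky_i, cky_r, ni, nr, gxy):
    """SKEYID for pre-shared keys, then SKEYID_d (feeds Phase II), SKEYID_a
    (authentication) and SKEYID_e (encryption), per RFC 2409 section 5."""
    skeyid = prf(psk, ni + nr)
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")
    return skeyid, skeyid_d, skeyid_a, skeyid_e


def hash_r(skeyid, gxr, gxi, cky_r, cky_i, sa_i, id_r):
    """HASH_R, the responder's proof of knowing the PSK. Note: no g^xy inside."""
    return prf(skeyid, gxr + gxi + cky_r + cky_i + sa_i + id_r)


def run_phase1(psk, sa_i=b"\x00\x00\x00\x01"):
    """Both sides derive identical keys although g^xy never crosses the wire.
    Also returns what a passive eavesdropper sees in Aggressive mode message 2."""
    i, r = Peer(b"vpn-a.example"), Peer(b"vpn-b.example")    # constructed IDs
    keys_i = phase1_keys(psk, i.cookie, r.cookie, i.nonce, r.nonce, i.shared(r.pub))
    keys_r = phase1_keys(psk, i.cookie, r.cookie, i.nonce, r.nonce, r.shared(i.pub))
    observed = dict(gxi=i.pub, gxr=r.pub, cky_i=i.cookie, cky_r=r.cookie,
                    ni=i.nonce, nr=r.nonce, sa_i=sa_i, id_r=r.identity,
                    hash_r=hash_r(keys_r[0], r.pub, i.pub, r.cookie, i.cookie,
                                  sa_i, r.identity))
    return keys_i == keys_r, observed


def crack_psk(observed, candidates):
    """Offline dictionary attack on an Aggressive mode PSK exchange: every input
    to HASH_R except the PSK was sent in the clear, so each guess is one PRF."""
    o = observed
    for guess in candidates:
        skeyid = prf(guess, o["ni"] + o["nr"])
        h = hash_r(skeyid, o["gxr"], o["gxi"], o["cky_r"], o["cky_i"], o["sa_i"], o["id_r"])
        if hmac.compare_digest(h, o["hash_r"]):
            return guess
    return None
```

The attack works because SKEYID for pre-shared keys is a PRF of the PSK and the two nonces only, and HASH_R uses the individual public values g^xi and g^xr rather than the shared secret g^xy, so nothing private is needed to test a guess. In Main mode the same HASH_R is carried in message 6 under SKEYID_e encryption, which is why it is not exposed to a passive listener there.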

Both Main mode and Aggressive mode belong to Phase I.

Quick Mode

- The third IKE mode, Quick mode, is a Phase II mode. It negotiates SAs for the IPSec security services. In addition, Quick mode can generate new keying material. If Perfect Forward Secrecy (PFS) is in use, a fresh Diffie-Hellman exchange is performed; otherwise the new keys are derived from hash values of the existing keying material and new nonces.

Figure 6-17: Message exchange in IKE Quick mode, which belongs to Phase II.

New Group Mode

- New Group mode is used to negotiate a new private group to facilitate the Diffie-Hellman key exchange. Figure 6-18 shows New Group mode. Although this mode runs after Phase I, it does not belong to Phase II.

Figure 6-18: Message exchange in IKE New Group mode.

- Besides the four common IKE modes above, there is also an Informational exchange. It is associated with the Phase II exchanges and SAs and gives the parties additional information arising from failures during negotiation. For example, if decryption fails at the receiver or a signature cannot be verified, the Informational exchange is used to notify the other party.

III. Overview of the Cisco IOS Operating System:

1. System architecture:

- Like a computer, a router has a CPU that executes instructions on the router platform. Two examples of processors used by Cisco are the Motorola 68030 and the Orion/R4600. The Cisco IOS software running on the router requires the CPU or microprocessor to handle routing and bridging, manage the routing table and perform other system functions. The CPU must access data in memory to make decisions or fetch instructions.

- There are four common types of memory on a Cisco router:

- ROM: general-purpose memory on one or more chips, which may reside on the router's processor board. Read-only means that data cannot be written to it. The first software to run on a Cisco router, called the bootstrap software, is usually stored in ROM and is invoked when the router boots.

- Flash: flash memory resides on SIMM boards but can be expanded with (removable) PCMCIA cards. Flash memory is mostly used to store one or more copies of the Cisco IOS software; configuration files or system information can also be copied to flash. On recent systems flash may also hold the bootstrap software.

- Flash memory holds the Cisco IOS software image. On some models it can also hold configuration files or a boot image. Depending on the model, flash memory may be EPROMs, single in-line memory (SIMM) modules or flash memory cards:

- Internal flash memory:

o Internal flash memory usually holds the system image.

o Some router models have two or more flash memory single in-line memory modules (SIMMs). If the SIMMs form two banks, this is called dual-bank flash memory. The banks can be partitioned into several logical partitions.

- Bootflash:

o Bootflash usually holds the boot image.

o Bootflash sometimes holds the ROM Monitor.

- Flash memory PC card or PCMCIA card:

- A flash memory card plugs into a Personal Computer Memory Card International Association (PCMCIA) slot. The card holds the system image, the boot image and configuration files.

- The following routers have PCMCIA slots:

o Cisco 1600 series router: 1 PCMCIA slot.

o Cisco 3600 series router: 2 PCMCIA slots.

o Cisco 7200 series Network Processing Engine (NPE): 2 PCMCIA slots.

o Cisco 7000 RSP700 card and 7500 series Route Switch Processor (RSP) card: 2 PCMCIA slots.

- RAM: very fast memory that loses its contents when the system restarts. In a PC it holds the running applications and their data. On a router, RAM holds the IOS operating system's tables and serves as buffer space. RAM is the primary memory used for the operating system's storage needs.

- ROM monitor: provides a user interface when the router cannot find a valid image.

- Boot image: lets the router boot when no valid IOS image is found in flash memory.

- NVRAM: on a router, NVRAM stores the startup configuration, which is the configuration file IOS reads when the router boots. It is extremely fast and its contents persist across reboots.

- Although the CPU and memory are the components required to run the IOS operating system, a router also needs various interfaces to forward packets. Interfaces are the inbound and outbound connections of the router that carry the data to the router or switch. The common interface types are Ethernet and Serial. Just as a computer has software drivers for its parallel and USB ports, IOS has device drivers for the different interface types.

- Every Cisco router has a console port that provides an EIA/TIA-232 asynchronous serial connection. The console port can be connected to a computer over a serial link to give terminal access to the router. Most routers also have an auxiliary port, similar to the console port but more specialized, which is used to connect a modem for remote management of the router.

    - VD: xem mn hnh console ca mt router 3640 khi ng. Ch b x l, interface v thng tin b nh c lit k

Cisco 3640 Router Console Output at Startup

    System Bootstrap, Version 11.1(20)AA2, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
    Copyright (c) 1999 by Cisco Systems, Inc.
    C3600 processor with 98304 Kbytes of main memory
    Main memory is configured to 64 bit mode with parity disabled

    program load complete, entry point: 0x80008000, size: 0xa8d168
    Self decompressing the image : ##################################################################################################################### [OK]

    Restricted Rights Legend

    Use, duplication, or disclosure by the Government is subject to restrictions as set forth in subparagraph
    (c) of the Commercial Computer Software Restricted Rights clause at FAR sec. 52.227-19 and subparagraph
    (c) (1) (ii) of the Rights in Technical Data and Computer Software clause at DFARS sec. 252.227-7013.

    Cisco Systems, Inc.
    170 West Tasman Drive
    San Jose, California 95134-1706

    Cisco Internetwork Operating System Software
    IOS (tm) 3600 Software (C3640-IS-M), Version 12.2(10), RELEASE SOFTWARE (fc2)
    Copyright (c) 1986-2002 by Cisco Systems, Inc.
    Compiled Mon 06-May-02 23:23 by pwade
    Image text-base: 0x60008930, data-base: 0x610D2000

    cisco 3640 (R4700) processor (revision 0x00) with 94208K/4096K bytes of memory.
    Processor board ID 17746964
    R4700 CPU at 100Mhz, Implementation 33, Rev 1.0
    Bridging software.
    X.25 software, Version 3.0.0.
    SuperLAT software (copyright 1990 by Meridian Technology Corp).
    5 Ethernet/IEEE 802.3 interface(s)
    1 Serial network interface(s)
    DRAM configuration is 64 bits wide with parity disabled.
    125K bytes of non-volatile configuration memory.
    8192K bytes of processor board System flash (Read/Write)
    16384K bytes of processor board PCMCIA Slot0 flash (Read/Write)

    --- System Configuration Dialog ---

    Would you like to enter the initial configuration dialog? [yes/no]:

- When a new router boots for the first time, IOS runs the automatic setup process and the user is prompted to answer a few questions. IOS then configures the system from the information it received. After setup completes, the configuration is most commonly modified through the command-line interface (CLI). There are other ways to configure the router as well, including HTTP and network management applications.

2. Cisco IOS CLI:

- Cisco IOS has three command modes, and each mode has access to a different set of commands.

- User mode: this is the first mode a user enters after logging in to the router. User mode is recognised by the > sign immediately after the router name. This mode lets the user run only a few basic commands, such as viewing the system status. The system cannot be configured or reloaded from this mode.

- Privileged mode: this mode lets the user view the system configuration, reload the system and enter configuration mode. It also allows all the user-mode commands. Privileged mode is recognised by the # sign immediately after the router name. The user types the enable command to tell IOS that they want to move from user mode into privileged mode. If an enable password or enable secret password has been set, the user must type the correct password before being granted access to privileged mode. The enable secret password uses a stronger encryption method when it is stored in the configuration, so it is more secure. Privileged mode lets the user do anything on the router, so it should be used with care. To leave privileged mode, the user runs the disable command.

- Configuration mode: this mode lets the user modify the running configuration. To enter configuration mode, type configure terminal from privileged mode. Configuration mode has many different sub-modes, starting with global configuration mode, which is recognised by (config)# immediately after the router name. The sub-modes within configuration mode vary with what you want to configure, and the word inside the parentheses changes accordingly. For example, when you enter interface mode the prompt changes to (config-if)# after the router name. To leave configuration mode, the user can type end or press Ctrl-Z.

- Note on the modes: depending on the situation, typing the ? command at different positions lists the commands available at the same level. The ? can also be used in the middle of a command to view that command's more complex options. Example 4-2 shows how to use ? in each mode.

- Example: Using Context-Sensitive Help

    Router>?
    Exec commands:
      access-enable     Create a temporary Access-List entry
      access-profile    Apply user-profile to interface
      clear             Reset functions

- The next steps walk you through the commands to change modes, view the system configuration and configure passwords. The CLI screen of a 3640 router running Cisco IOS is shown.

- Step 1: Enter enable mode by typing enable and pressing Enter.

    Router> enable
    Router#

- Step 2: To see which version of the IOS operating system is running, type show version.

    Router# show version
    Cisco Internetwork Operating System Software

    IOS (tm) 3600 Software (C3640-IS-M), Version 12.2(10), RELEASE SOFTWARE (fc2)
    Copyright (c) 1986-2002 by Cisco Systems, Inc.
    Compiled Mon 06-May-02 23:23 by pwade
    Image text-base: 0x60008930, data-base: 0x610D2000

    ROM: System Bootstrap, Version 11.1(20)AA2, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

    Router uptime is 47 minutes
    System returned to ROM by reload
    System image file is "slot0:c3640-is-mz.122-10.bin"

    cisco 3640 (R4700) processor (revision 0x00) with 94208K/4096K bytes of memory.
    Processor board ID 17746964
    R4700 CPU at 100Mhz, Implementation 33, Rev 1.0
    Bridging software.
    X.25 software, Version 3.0.0.
    SuperLAT software (copyright 1990 by Meridian Technology Corp).
    5 Ethernet/IEEE 802.3 interface(s)
    1 Serial network interface(s)
    DRAM configuration is 64 bits wide with parity disabled.
    125K bytes of non-volatile configuration memory.
    8192K bytes of processor board System flash (Read/Write)
    16384K bytes of processor board PCMCIA Slot0 flash (Read/Write)
    Configuration register is 0x2002

- The output above shows that this router is running Cisco IOS version 12.2(10), and that a copy of it is stored on the PCMCIA Flash card in slot 0.

- Step 3: Next, configure the router name as IOS. Enter configuration mode by typing configure terminal.

    Router# configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router(config)# hostname IOS
    IOS(config)#

- Note that the prompt changes to IOS immediately after you type the hostname command. All configuration changes in Cisco IOS take effect immediately.

- Step 4: Next, set the enable password and the enable secret password. The enable secret password is stored using a very strong encryption algorithm and overrides the enable password if one is configured.

    IOS(config)# enable password cisco
    IOS(config)# enable secret san-fran
    IOS(config)# exit
    IOS#

- To enter enable mode you must now type the password san-fran. The exit command takes you back up one level in the configuration, or out of the current sub-mode.

- Step 5: After configuring the router name and setting the passwords, you can view the running configuration.

    IOS# show running-config

    Building configuration...

    Current configuration : 743 bytes
    !
    version 12.2
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    !
    hostname IOS
    !
    enable secret 5 $1$IP7a$HClNetI.hpRdox84d.FYU.
    enable password cisco
    !
    ip subnet-zero
    !
    call rsvp-sync
    !
    interface Ethernet0/0
     no ip address
     shutdown
     half-duplex
    !
    interface Serial0/0
     no ip address
     shutdown
     no fair-queue
    !
    interface Ethernet2/0
     no ip address
     shutdown
     half-duplex
    !
    interface Ethernet2/1
     no ip address
     shutdown
     half-duplex
    !
    interface Ethernet2/2
     no ip address
     shutdown
     half-duplex
    !
    interface Ethernet2/3
     no ip address
     shutdown
     half-duplex
    !
    ip classless
    ip http server
    ip pim bidir-enable
    !
    dial-peer cor custom
    !
    line con 0
    line aux 0
    line vty 0 4
    !
    end

- Step 6: The show running-config output shows the configuration currently active in the system, but this configuration is lost if the system reloads. To save the configuration to NVRAM, you must type

    IOS# copy running-config startup-config
    Destination filename [startup-config]?
    Building configuration...
    [OK]

- Step 7: To view the configuration stored in NVRAM, use the show startup-config command.

- In the steps above, note that only the Ethernet and serial interfaces appear in the configuration file. Each interface needs certain parameters, such as encapsulation and address, set before it can be used properly. In addition, IP routing and bridging need to be configured. Refer to the Cisco IOS installation and configuration guides at www.cisco.com for your software version for all the possible configuration options and detailed instructions.
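The running configuration printed in step 5 keeps the clear-text enable password cisco next to the enable secret, leaves password encryption off (no service password-encryption) and has the HTTP server enabled. The session below is an added example, not part of the original document, showing how to tighten those three settings from privileged mode; the hostname IOS is the one set in step 3, everything else is typed as shown.

```cisco
IOS# configure terminal
! The enable secret (stored hashed, shown as "enable secret 5 ..." in the listing)
! already takes precedence, so drop the clear-text "enable password cisco" so that
! it no longer appears in show running-config.
IOS(config)# no enable password
! Obscure any other clear-text line passwords in the listing. This is type 7
! obfuscation, not strong encryption; the enable secret stays the real control.
IOS(config)# service password-encryption
! The listing showed "ip http server"; turn it off unless HTTP management is needed.
IOS(config)# no ip http server
IOS(config)# end
! Write the change to NVRAM so it survives a reload (step 6).
IOS# copy running-config startup-config
! Confirm only the hashed secret remains.
IOS# show running-config | include enable
```

The last command should print only the enable secret line. The type 5 secret shown in the listing is an MD5 hash; on IOS releases that support it, enable algorithm-type scrypt secret stores a stronger type 9 hash (check enable ? on your release).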

- Some commonly used commands for managing the system:

    Cisco IOS Command     Description
    show interface        Displays the current status and configuration details of all interfaces in the system
    show processes cpu    Displays CPU utilisation and the processes running in the system
    show buffers          Shows how many buffers are currently allocated and active for packet forwarding
    show memory           Shows how much memory is allocated to the different system functions and how it is used
    show diag             Displays details of the cards installed in the system
    show ip route         Displays the IP routing table in use
    show arp              Displays the MAC addresses mapped from IP addresses in the current ARP table

3.

IV. The Four-Step Procedure for Configuring IPSec/VPN on Cisco IOS:

- IPSec on a VPN can be configured in the following four steps:

  1. Prepare for IKE and IPSec
  2. Configure IKE
  3. Configure IPSec:
     - Configure the encryption form for the data packets: crypto ipsec transform-set
     - Configure the lifetime of the data packets and other security options: crypto ipsec security-association lifetime
     - Create crypto ACLs with an extended access list (Extended Access List)
     - Configure the IPSec crypto maps: crypto map
     - Apply the crypto maps to the interfaces: crypto map map-name
  4. Verify the IPSec implementation

A. Configuring data encryption:

- Next you configure Cisco IOS IPSec by using the IPSec security policy to define IPSec security policies (transform sets).

- An IPSec security policy (transform set) is a combination of individual IPSec transform configurations, defined and designed for the security policies of traffic on the network. During the ISAKMP IPSec SA negotiation that takes place in IKE Phase 2 quick mode, the two peers use a particular transform set to protect their particular data flow on the link. A transform set combines the following elements:

  o The mechanism for authentication: the AH policy
  o The mechanism for encryption: the ESP policy
  o The IPSec mode (transport mode or tunnel mode)

- A transform set is the combination of an AH transform, an ESP transform and the IPSec mode (either tunnel mode or transport mode). A transform set is limited to one or two ESP transforms and one AH transform. Define a transform set with the crypto ipsec transform-set command in global configuration mode. To delete transform set settings, use the no form of the command.

- The syntax of the command and its parameters are as follows:

    crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3]]

- Parameters of the crypto ipsec transform-set command:

    Parameter                             Meaning
    transform-set-name                    Specifies the name of the transform set being created or modified
    transform1, transform2, transform3    Specifies up to three transforms, as in the syntax above. These transforms define the IPSec security protocol and the algorithm

- You can configure multiple transform sets and specify one or more of them in a crypto map entry. The transform sets defined in the crypto map entry are used in the IPSec SA negotiation to protect the data defined by that crypto map entry's ACL. During the negotiation, both peers look for a transform set that is identical on both sides. When such a transform set is found, it is used to protect the data on the link as part of the IPSec SAs of both peers.

- When ISAKMP is not used to establish the SAs, a single transform set must be used. The transform set is not negotiated.

- Changing the transform set configuration:

  B1: Remove the transform set from the crypto map
  B2: Delete the transform set in global configuration mode
  B3: Reconfigure the transform set with the changes
  B4: Assign the transform set to the crypto map
  B5: Clear the SA database
  B6: Monitor the SA negotiations and make sure they work correctly
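The six-step change procedure above, as an added command sequence that is not part of the original document. It assumes an existing transform set named TS-LEGACY referenced by entry 10 of a crypto map named VPN-MAP; both names, and the new transform list, are constructed for this example. The commands start from global configuration mode.

```cisco
! B1: detach the transform set list from the crypto map entry that references it
crypto map VPN-MAP 10 ipsec-isakmp
 no set transform-set
 exit
! B2: delete the old transform set in global configuration mode
no crypto ipsec transform-set TS-LEGACY
! B3: recreate it with the changed transforms (here a stronger ESP integrity transform)
crypto ipsec transform-set TS-LEGACY esp-aes 256 esp-sha256-hmac
 mode tunnel
 exit
! B4: reattach the rebuilt transform set to the crypto map entry
crypto map VPN-MAP 10 ipsec-isakmp
 set transform-set TS-LEGACY
 end
! B5: clear the SA database so the existing SAs are torn down and renegotiated
clear crypto sa
! B6: watch the renegotiation; the new SAs should show the new transform
show crypto ipsec sa
show crypto engine connections active
```

Clearing the SA database interrupts traffic on the tunnel until the peers renegotiate, so run B5 in a maintenance window; the peer must have a matching transform set configured before B5, otherwise the quick mode negotiation in B6 will fail.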

- Configuring the transform negotiation:

- The transform sets negotiated during quick mode in IKE Phase 2 are the transform sets you have configured, in the order of preference you gave them. You can configure multiple transform sets and specify one or more of them in a crypto map entry. Configure the transform sets to reflect at least the minimum security required by your security policy. The transform sets defined in the crypto map entry are used in the IPSec SA negotiation to protect the data defined by that crypto map entry's ACL.

- During the negotiation, each peer looks for a transform set that is the same on both sides, as illustrated in the figure above. Router A's transform sets are compared against one transform set of Router B, and so on. Router A's transform sets 10, 20 and 30 are compared with Router B's transform set 40. If there is no match, all of Router A's transform sets are then compared with Router B's next transform set. Finally, Router A's transform set 30 matches Router B's transform set 60. When a matching transform set is found, it is selected and applied to protect the traffic as part of the IPSec SAs of both peers. IPSec on each peer accepts a single transform chosen for each SA.

B. Configuring the IPSec lifetime used during negotiation:

- The IPSec SA lifetime is defined as the time an IPSec SA exists before the next renegotiation takes place. Cisco IOS supports a global lifetime value that applies to all crypto maps. The global lifetime value can be overridden by individual crypto map entries.

- You can change the IPSec SA lifetime value with the crypto ipsec security-association lifetime command in global configuration mode. To return to the default value, use the no form of the command. The syntax and parameters of the command are defined as follows:

    crypto ipsec security-association lifetime {seconds seconds | kilobytes kilobytes}

    Parameter              Meaning
    seconds seconds        Specifies the lifetime of the IPSec SA. The default is 3600 seconds (one hour)
    kilobytes kilobytes    Specifies the volume of IPSec traffic between the two peers that may use an SA before the SA expires. The default is 4,608,000 KB

- Cisco recommends using the default values. The lifetime of each individual IPSec SA can also be configured using the crypto map.

- Defining Crypto Access Lists:

- Crypto access lists (crypto ACLs) are used to define which traffic does or does not use IPSec.

- Crypto ACLs perform the following functions:

  o Outbound: select the traffic to be protected by IPSec. The remaining traffic is sent unencrypted.
  o Inbound: if required, an inbound access list can filter out and discard traffic that should have been protected by IPSec.

C. Creating crypto ACLs with an extended access list:

- Crypto ACLs are defined to protect the data transmitted over the network. Extended IP ACLs select the IP traffic to encrypt by transport protocol, IP address, network, subnet and port. Although the syntax of ACLs and extended IP ACLs is the same, there is a slight difference in meaning for crypto ACLs: permit marks packets that are to be encrypted, and deny marks packets that are not encrypted. Crypto ACLs behave like extended IP ACLs in that they are applied only to outbound traffic on an interface.

- The command syntax and parameters defined for the basic form of an extended IP ACL are as follows:

    access-list access-list-number {permit | deny} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log]

    Parameter                 Meaning
    permit                    All IP traffic marked to be protected by crypto must use the security policy listed in the matching crypto map entry
    deny                      Indicates which traffic, from which router to which router, is passed as safe without IPSec protection
    source and destination    Networks, subnets or hosts

- Note: although the ACL structure is unchanged, its meaning differs for crypto ACLs: permit means the marked packets are encrypted, and deny means the marked packets are not encrypted.

- Any inbound traffic that is not protected but matches a permit statement in the crypto ACL of a crypto map entry is dropped by IPSec. The packet is dropped because that traffic was expected to be protected by IPSec.

- If you want some of the traffic to a destination to receive one kind of IPSec protection (authentication only) and other traffic to the same destination to receive a different combination (authentication and encryption), you must create two different crypto ACLs to define the two kinds of traffic. The two ACLs are then used in different crypto map entries with different IPSec policies.

- Caution: Cisco recommends avoiding the keyword any for the source and destination addresses. The statement permit any any is error-prone because all outbound traffic will be protected and sent to the matching peer in the crypto map entry, and afterwards every inbound packet lacking IPSec protection will be dropped, including packets of routing protocols, NTP, echo, echo response and many others.

- Restrict the packets defined as protected in crypto ACLs to what is necessary. If you must use the keyword any in a permit statement, precede it with a series of deny statements to filter out the outbound traffic you do not want protected.

D. Configuring the IPSec crypto maps:

E. Applying the crypto maps to the interfaces:
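The following is an added example, not taken from the original document, that assembles steps A to E above into the Router A side of a site-to-site tunnel. It also illustrates the ordered transform set negotiation described under A (strongest transform set offered first) and the crypto ACL rules under C (specific subnets, no permit any any). All addresses and names are constructed: Router A's WAN address is 203.0.113.1, Router B's is 203.0.113.2, the LAN behind A is 10.1.1.0/24 and the LAN behind B is 10.2.2.0/24. Router B mirrors this configuration with the peer address and the ACL source/destination swapped.

```cisco
! Step 2 (IKE phase 1) is assumed to be configured already; this is the assumed policy.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.2
!
! A. Transform sets. Each holds at most one AH transform and one or two ESP
!    transforms; they are offered in the order listed in the crypto map entry below.
crypto ipsec transform-set TS-STRONG esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec transform-set TS-LEGACY esp-aes esp-sha-hmac
 mode tunnel
!
! B. Global SA lifetime (defaults: 3600 seconds / 4,608,000 KB). Here the
!    time-based lifetime is shortened for every crypto map on the router.
crypto ipsec security-association lifetime seconds 1800
!
! C. Crypto ACL: permit = protect with IPSec, deny = send in the clear.
!    Only the two LANs are matched, so routing protocol, NTP and echo traffic
!    between the WAN addresses is neither encrypted nor dropped on arrival.
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! D. Crypto map entry: peer, transform sets (tried strongest first during
!    IKE phase 2 quick mode) and the crypto ACL. The per-entry lifetime
!    overrides the global value for this entry only.
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-STRONG TS-LEGACY
 set security-association lifetime seconds 900
 match address 101
!
! E. Apply the crypto map to the outbound interface. One crypto map per
!    interface; further entries (sequence numbers) go in the same map.
interface Serial0/0
 ip address 203.0.113.1 255.255.255.252
 crypto map VPN-MAP
!
! Step 4: verification from privileged mode (typed after "end").
! show crypto ipsec transform-set
! show crypto map
! show crypto isakmp sa
! show crypto ipsec sa
```

If the peer offers a different list, negotiation proceeds as described under A: Router B's first transform set is compared against TS-STRONG and then TS-LEGACY, then Router B's next one, until a match is found; configure the same transform sets on both routers so the strongest one is chosen. If a permit any any crypto ACL were needed instead of line 101, the deny statements for management and routing traffic must precede it, as the caution in section C requires.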

V. How to Access Network Devices (Telnet/SNMP):

    VI.
