
GRADUATION INTERNSHIP REPORT

IPSec VPN

PREFACE

Nowadays the explosion of the information technology industry brings us many new things, making working relationships in society ever more convenient, allowing employees to work effectively from home and allowing a business to connect securely to its branches and partners. Technology never stops developing and always contributes to improving our network infrastructure, helping to make our work safer. One of the technologies that businesses, companies and commercial firms all use widely today is Virtual Private Network (VPN) technology. Virtual private networks extend the reach of LANs (Local Area Networks) without needing any additional lines. Central resources can be reached from many sources, saving cost and time. Within this, ensuring security between networks is the issue of greatest concern today. One of the solutions that ensures the confidentiality of a VPN is IPSec. Although this technology is not new, it is applied very widely in many businesses and companies. The IPSec protocol allows data to be transmitted securely, in encrypted form, over public networks. In this internship report I discuss IPSec technology, a fairly common technology for securing VPNs that many sites and companies deploy. As my knowledge and experience are still limited, mistakes in this report are unavoidable. I look forward to receiving comments from the teachers and my friends.

Intern: Vi Thi Mu


ACKNOWLEDGEMENTS
To complete the internship well I received much help from the teachers at VnPro and from my friends. In particular I would like to thank Mr. Dang Quang Minh, Director of the VnPro Center. It was thanks to his welcome that I had the opportunity to study outside the classroom. Thank you for teaching me everything from a way of living to a working style, preparing me for my future work, and for guiding me so that I could complete the internship well. I thank the staff of the technical department for wholeheartedly providing the equipment that let me complete the labs during the internship. I thank the whole VnPro company for giving me a good internship environment. Finally, I thank the teachers of the Department of Electronics and Telecommunications of the Ho Chi Minh City University of Transport for giving me the opportunity to intern in a real working environment. Respectfully, Vi Thi Mu


EVALUATION BY THE INTERNSHIP HOST
Student: VI THI MU. Student ID: DV03035. Class: DV03. Course: 2003 - 2008
Internship duration: 6 weeks, from 03/03/2008 to 11/04/2008
Internship host: VNPRO Informatics Center, 149/1D Ung Van Khiem, Ward 25, Binh Thanh District, Ho Chi Minh City
Internship topic: Study and deployment of IPSec in Virtual Private Networks
Supervisor: Mr. Dang Quang Minh
Host's evaluation: ..........
Ho Chi Minh City, ... 2008
Director / Supervisor: Mr. Dang Quang Minh


EVALUATION BY THE DEPARTMENT OF ELECTRONICS AND TELECOMMUNICATIONS
Student: VI THI MU. Student ID: DV03035. Class: DV03. Course: 2003 - 2008
Internship duration: 6 weeks, from 03/03/2008 to 11/04/2008
Internship host: VNPRO Informatics Center, 149/1D Ung Van Khiem, Ward 25, Binh Thanh District, Ho Chi Minh City
Internship topic: Study and deployment of IPSec in Virtual Private Networks
Supervisor: Mr. Vu Nguyen Son
Evaluation by the Department of Electronics and Telecommunications: ..........
Ho Chi Minh City, ... 2008
Lecturer / Student: Vi Thi Mu


INTERNSHIP DIARY
Week 1 (3/3 - 8/3/2008): Study the theory and do the basic lab: configure two routers and create a private channel between the two routers' LANs over a public environment (Config a GRE Tunnel to a Remote).
Week 2 (10/03 - 15/03/2008): Write the report; study PKI theory and do the site-to-site VPN lab using a CA on three routers.
Week 3 (18/03 - 23/03/2008): 19/03/2008 (no entry); 20/03/2008: away on family business.
Week 4 (24/03 - 28/03/2008): PKI lab; Dynamic Multipoint VPN lab; write the report.
Week 5 (31/03 - 04/04/2008): Study CA servers; lab using Windows Server 2003 as the CA server.
Week 6 (07/04 - 11/04/2008): Study the theory; write the report.


TABLE OF CONTENTS
PART 1: THEORY ... 8
CHAPTER I: INTRODUCTION TO VIRTUAL PRIVATE NETWORKS ... 8
  I. Introduction ... 8
  II. VPN classification ... 8
    1. Classification ... 8
    2. VPN for enterprises ... 9
    3. VPN technology and the OSI model ... 14
CHAPTER II: IP SECURITY TECHNOLOGY ... 17
  I. Understanding the IPSec protocol ... 17
    1. Overview of IPSec ... 17
    2. How the IPSec protocol works ... 17
    3. How IKE works ... 19
  II. How the AH and ESP protocols work ... 19
    1. Overview ... 19
    2. Overview of the AH and ESP headers ... 20
    3. Authentication Header ... 20
    4. Encapsulation Security Payload ... 24
    5. The main modes of the IPSec protocol ... 29
CHAPTER III: PUBLIC KEY INFRASTRUCTURE ... 33
  I. Overview of PKI ... 33
  II. Components of PKI ... 33
    1. Components of PKI ... 33
    2. Purpose and functions of PKI ... 34
  III. PKI infrastructure ... 35
    1. Encryption steps ... 35
    2. Verification steps ... 36
CHAPTER IV: DYNAMIC MULTIPOINT VIRTUAL PRIVATE NETWORK ... 37
  I. Overview of DMVPN ... 37
    1. What is DMVPN? ... 37
    2. Advantages of DMVPN ... 37
    3. Technologies used in DMVPN ... 38
    4. Operation of DMVPN ... 38
    5. Routing with DMVPN ... 38
    6. DMVPN phases ... 39
  II. Configuring DMVPN ... 41
    1. Configuring IPSec ... 41
    2. Configuring the mGRE hub ... 41
    3. Configuring the mGRE spokes ... 42
  III. Next Hop Resolution Protocol ... 42
    1. Interaction of NHRP and NBMA ... 42
    2. Benefits of NHRP for NBMA ... 43
    3. Next Hop Server resolution ... 43
    4. Using NHRP with DMVPN ... 44
    5. NHRP registration ... 45
PART II: PRACTICE ... 46
  1. Basic lab ... 46
  2. Site-to-site configuration using Windows Server 2003 as the CA server ... 48
  3. DMVPN configuration lab ... 68


PART 1: THEORY
CHAPTER I: INTRODUCTION TO VIRTUAL PRIVATE NETWORKS

I. Introduction:
A VPN (Virtual Private Network) is a technology that provides a secure means of communication between private networks, relying on a technique called tunneling to create a private network on top of the Internet. In essence, it is the process of placing an entire packet inside a header that carries routing information so that it can be transmitted across an intermediate network. A VPN is a private network that uses a shared network to connect sites (separate private networks) or many remote users. Instead of a real, dedicated connection such as a leased line, each VPN uses virtual connections routed over the Internet from the company's private network to the sites of its remote employees. A common method found in VPNs is Generic Routing Encapsulation (GRE). The GRE protocol provides a mechanism for encapsulating a passenger protocol packet so that it can be carried over a carrier protocol. It includes information about the type of packet being encapsulated and about the connection between the server and the client.

II. VPN classification:
1. Classification. VPNs are classified as follows:
- VPNs for enterprises
- VPNs for service providers
- VPN technology and the OSI model
- IPSec and security associations
- IPSec modes and protocols

The following shows VPN technology against the OSI model:

OSI model layer and the VPN technology found at that layer:
Layer 7, Application: Secure HTTP (HTTPS), S/MIME, PGP
Layer 6, Presentation: N/A
Layer 5, Session: N/A
Layer 4, Transport: SSL and TLS, SOCKS, SSH
Layer 3, Network: IPSec deployments, MPLS VPNs
Layer 2, Data link: VPDN (PPTP, L2TP, L2F), ATM cell encryptors, Frame Relay frame encryptors
Layer 1, Physical: optical bulk encryptors, radio frequency (RF) encryptors
Figure 2-1: VPN technology and the OSI model

2. VPN for enterprises:
For enterprises, VPN provides connections deployed over public network infrastructure. VPN solutions fall into three main types: Remote Access VPN, Site-to-Site VPN and Extranet VPN.
a. Remote Access VPN: Remote access, also called a Virtual Private Dial-up Network (VPDN), is a user-to-LAN connection, typically needed by an organization whose many employees must reach its private network from many distant locations. For example, a company that wants to set up a large VPN goes to an enterprise service provider (ESP). The provider sets up a network access server (NAS) and gives remote users client software for their computers. The users can then dial a toll-free number to reach the NAS and use the VPN client software to access the company's private network. This type of VPN allows secure, encrypted connections.

Figure 2-2: Remote Access VPN
Main components:
- Remote Access Server (RAS): placed at the central site and responsible for verifying and authenticating incoming requests.
- Dial-up connection to the central site, which reduces the cost for requests that originate far from the central site.
- Support for the people who configure, maintain and manage the RAS, and support for remote access by users.
- By deploying Remote Access VPNs, remote users or branch offices only need a local connection to an ISP or to the ISP's POP, and they reach the resources over the Internet. The remote access setup is shown in the following figure:


Figure 2-3: Remote Access VPN setup
Advantages of Remote Access VPN:
- The need to support individual users is eliminated, because remote connectivity is facilitated by the ISP.
- Long-distance dial-up is eliminated and replaced by local connections.
- Lower cost for long-distance connections.
- Because the connection is local, the connection speed is higher than a direct long-distance connection.
- VPNs give better access to the central site because they support at least a minimum level of access service even when the number of simultaneous connections to the network grows rapidly.
Some disadvantages of VPNs: Remote Access VPNs do not guarantee quality of service. The chance of data loss is high; moreover, fragments of a data packet can be pushed out and lost. Because of the complexity of the encryption algorithms, protocol overhead increases significantly, which makes authentication harder. In addition, IP data compression is slow. Since data must travel over the Internet, exchanging large amounts of data is very slow.

b. Site-to-site VPN: a site-to-site VPN uses a dedicated link shared by many users to connect several fixed locations to one another through a public network such as the Internet. This type can be intranet-based or extranet-based. Intranet-based: if a company has several remote locations that want to join a single private network, it can create an intranet VPN (internal VPN) connecting LAN to LAN. Extranet-based: when a company has a close relationship with another company (for example a supplier, a customer or a partner), it can build an extranet VPN (extended VPN) connecting LAN to LAN so that the different organizations can work in a shared environment.

Figure 2-4: connecting enterprise sites (Site 1 to Site 6) over a public network
A LAN-to-LAN VPN is the connection of two separate networks through a secure tunnel. The secure tunnel can use the PPTP, L2TP or IPsec protocols. The main purpose of LAN-to-LAN is to join two networks that have no direct link into one, without compromising integration, authentication or data confidentiality. LAN-to-LAN connections are designed to create a direct, efficient network connection regardless of the distance between the networks.

c. Extranet: an extranet allows business partners, such as customers, suppliers and partners who play important roles in the organization, to access the network resources they need.


Figure 2-5: The traditional extranet setup (corporate network linked to Supplier Network 1, 2 and 3)
From the figure above we see that an extranet is very costly, because many separate network segments on the intranet are combined to form the extranet; it is hard to deploy because there are many networks, and it is also difficult for the staff who maintain and administer it.

Figure 2-6: The Extranet VPN setup



Advantages of an extranet: easy to deploy, manage and update information; lower maintenance cost.

Some disadvantages of an extranet: threats to security, such as denial-of-service attacks, still exist, and the risk of intrusion into the organization's extranet increases. Because it relies on the Internet, exchanging high-end data is slow. Quality of Service (QoS) is also not consistently guaranteed.

3. VPN technology and the OSI model
The protocols that create the secure tunnel mechanism for a VPN are L2TP, Cisco GRE and IPSec.
a. L2TP:
- L2TP is the combination of PPTP (Point-to-Point Tunneling Protocol) and Cisco's L2F (Layer 2 Forwarding protocol). It is therefore very effective for dial-up, ADSL and other remote-access networks. Like PPP, L2TP encapsulates data into PPP frames and then transmits those frames across the backbone network. Unlike PPTP, however, L2TP uses UDP as the encapsulation method for the tunnel and user data.
- L2TP does not provide encryption. It therefore has to rely on another protocol for confidentiality, which is why the L2TP extension includes IPSec.

L2TP consists of two main components: the L2TP Access Concentrator and the L2TP Network Server.
o L2TP Access Concentrator (LAC): represents the client side of the network and typically sits in the switching equipment between the remote dial-up nodes and the access server, terminating inbound PPP sessions over ISDN and PSTN switching. When remote hosts initiate and complete a PPP connection at the NAS, the LAC acts as a proxy that initiates L2TP control and tunnels data to the LNS at the corporate network.
o L2TP Network Server (LNS): represents the server side of the VPDN. It operates on the enterprise network and terminates the data tunnel from the LAC. When users connect to the LAC, those connections are negotiated through the tunnel to the LNS.

Figure 2-7: L2TP tunnel negotiation
The role of L2TP control messages and data packets is as follows:
o L2TP control messages negotiate the establishment and maintenance of the tunnel. Control messages set up tunnel IDs for new connections for the lifetime of the tunnel. L2TP control messages are sent from a source port and forwarded to destination UDP port 1701.
o L2TP payload packets tunnel the data present in the network. When data passes through the tunnel from the LAC to the NAS with an IP address range, it is encapsulated with an L2TP header. The L2TP format is structured as follows:

Figure 2-8: Structure of the L2TP format
b. GRE

Figure 2-9: Encapsulation with the GRE protocol
GRE is a transport protocol that encapsulates IP, CLNP and all other data packets inside an IP tunnel. With a GRE tunnel, a Cisco router encapsulates a specific protocol for each location inside an IP header, creating a virtual point-to-point link to the Cisco router at the far end; when the packet reaches its destination the IP header is removed.


- By connecting many subnets running different protocols in an environment that has a single main protocol, GRE tunneling lets the other protocols be routed conveniently inside IP packets.

c. IPsec

Figure 2-10: L2TP/IPsec VPN between a remote site and the enterprise network

Figure 2-11: L2TP/IPsec VPN between networks
IPsec is the choice for security on a VPN. IPsec is a framework that provides data confidentiality, data integrity and data authentication. IPsec provides its security services using IKE, which negotiates the protocols and algorithms on the basis of local (group) policy and generates the encryption and authentication keys that IPsec uses.


CHAPTER II: IP SECURITY TECHNOLOGY

I. UNDERSTANDING THE IPSec PROTOCOL
1. Overview of IPSec
IPSec is a set of standards established to ensure data confidentiality, data integrity and data authentication between the devices taking part in a VPN. These devices can be hosts or security gateways (routers, firewalls, VPN concentrators, ...), or a host and a gateway as in the case of remote access VPNs. IPSec protects multiple data flows between peers, and one gateway can support many data flows at the same time. IPSec operates at the network layer and uses the Internet Key Exchange (IKE) protocol to negotiate the protocols between the participants; IPSec then derives the encryption and authentication keys that are used.
The main protocols used in IPSec:
- IP Security Protocol (IPSec)
  o Authentication Header (AH)
  o Encapsulation Security Protocol (ESP)
- Message encryption
  o Data Encryption Standard (DES)
  o Triple DES (3DES)
- Message integrity (hash) functions
  o Hash-based Message Authentication Code (HMAC)
  o Message Digest 5 (MD5)
  o Secure Hash Algorithm-1 (SHA-1)
- Peer authentication
  o Rivest, Shamir and Adleman (RSA) digital signatures
  o RSA encrypted nonces
- Key management
  o Diffie-Hellman (D-H)
  o Certificate Authority (CA)
- Security association
  o Internet Key Exchange (IKE)
  o Internet Security Association and Key Management Protocol (ISAKMP)
2. How the IPSec protocol works:
The IPSec protocol is now very widely used and in many processes. One can set up VPNs without knowing much about this protocol, but the results will be messy and poor. Therefore the following requirements must be met before configuring IPSec, in these steps:
Step 1: Establish the IKE policy


This policy must be configured identically on both VPN peers. It covers the following:
- Key distribution method: configured manually or supplied by a CA.
- Authentication method: largely determined by the key distribution method; pre-shared keys are the usual choice.
- IP address and hostname of the peers: the IP addresses must be known to identify the peers and to manage the access lists on the peer devices so that the peers know each other's information. The IPSec configuration on a device must carry the fully qualified domain name (FQDN) as configured for the IP address.
- IKE policy parameters: the parameters established in IKE phase 1. The IKE policy consists of the following parameters:
  o Encryption algorithm: DES/3DES
  o Hash algorithm: MD5/SHA-1
  o Authentication method: pre-shared, RSA encryption, RSA signature
  o Key exchange: D-H Group 1 / D-H Group 2
  o IKE SA lifetime: default 86400 seconds
Step 2: Establish the IPSec policy: IPSec's trust and authentication capability are applied to the traffic identified as passing between the peers. One could send all traffic through the IPSec tunnel, but full performance may then be hard to reach, so one should choose which traffic is placed in the IPSec tunnel. When an IPSec tunnel is implemented, both ends must implement the same policy. The IPSec policy consists of:
- IPSec protocol: AH or ESP
- Authentication: MD5 or SHA-1
- Encryption: DES or 3DES
- Transform or transform set: ah-sha-hmac, esp-3des, esp-md5-hmac, or a combination of these algorithms.
- Identify the traffic to be protected: protocol, source, destination and port
- SA establishment: configured manually or via IKE
Step 3: Check the current configuration. Check the IPSec configuration already present on the device to avoid conflicting configuration parameters.
Step 4: Test the network before IPSec: test by pinging the devices that will be configured with IPSec.
Step 5: The protocols and ports used by IPSec:


- UDP port 500: ISAKMP, identified by the keyword isakmp
- Protocol number 50: used by the ESP protocol, identified by the keyword esp
- Protocol number 51: used by the AH protocol, identified by the keyword ahp.

3. How IKE works
IKE's function is to exchange keys between the devices taking part in the VPN, to exchange security policies between those devices, and to negotiate the security policies between them automatically. Before exchanging keys to establish the virtual channel, IPSec authenticates whom it is talking to. During the key exchange IKE uses asymmetric cryptography, a public key and a private key, to protect the exchange of keys between the VPN devices. After that the devices exchange their security policies. The security policies on the devices are called Security Associations (SAs). So during the IKE process the devices exchange all the SAs they hold, and between them they find the SA that matches best.
Figure: IKE policy negotiation. Step 1: Router A connects to Router B. Step 2: each router offers its transforms in priority order.
Router A transforms:
1. Encryption = AES 192, HMAC = MD5, Authentication = pre-shared keys, Diffie-Hellman group = 2, Lifetime = 86400
2. Encryption = AES 256, HMAC = SHA-1, Authentication = pre-shared keys, Diffie-Hellman group = 2, Lifetime = 86400
Router B transforms:
1. Encryption = AES 256, HMAC = SHA-1, Authentication = pre-shared keys, Diffie-Hellman group = 2, Lifetime = 86400
2. Encryption = AES 192, HMAC = SHA-1, Authentication = pre-shared keys, Diffie-Hellman group = 2, Lifetime = 86400
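The policy matching that the figure illustrates, as an added example (not code from the report or from any router vendor): the two policy lists are the ones shown above, taken as Router A = first list and Router B = second; the attribute names are my own, and I assume encryption, hash, authentication and DH group must match exactly while the shorter of the two lifetimes is used.

```python
"""IKE phase 1 policy matching between two peers (added illustration)."""

STRICT_ATTRS = ("encryption", "hash", "authentication", "dh_group")

# Priority-ordered policies from the figure (index 1 = most preferred).
ROUTER_A = [
    {"encryption": "aes-192", "hash": "md5", "authentication": "pre-share",
     "dh_group": 2, "lifetime": 86400},
    {"encryption": "aes-256", "hash": "sha1", "authentication": "pre-share",
     "dh_group": 2, "lifetime": 86400},
]
ROUTER_B = [
    {"encryption": "aes-256", "hash": "sha1", "authentication": "pre-share",
     "dh_group": 2, "lifetime": 86400},
    {"encryption": "aes-192", "hash": "sha1", "authentication": "pre-share",
     "dh_group": 2, "lifetime": 86400},
]


def mismatched_attrs(local, remote):
    """Names of the attributes that stop two policies from matching."""
    return [a for a in STRICT_ATTRS if local[a] != remote[a]]


def negotiate(initiator, responder):
    """Walk the initiator's policies in priority order and return the first one
    the responder also holds, as (initiator_index, responder_index, agreed).
    Indices are 1-based like the figure. None means no policy matched, which
    is the situation an administrator has to diagnose (see diagnose())."""
    for i, local in enumerate(initiator, start=1):
        for j, remote in enumerate(responder, start=1):
            if not mismatched_attrs(local, remote):
                agreed = dict(local)
                # Assumption: when lifetimes differ, the shorter one is used.
                agreed["lifetime"] = min(local["lifetime"], remote["lifetime"])
                return i, j, agreed
    return None


def diagnose(initiator, responder):
    """For every (initiator, responder) policy pair, which attributes differ.
    Shows e.g. that A's policy 1 differs from B's policy 2 only in the hash."""
    return {(i, j): mismatched_attrs(local, remote)
            for i, local in enumerate(initiator, start=1)
            for j, remote in enumerate(responder, start=1)}


if __name__ == "__main__":
    print("agreed:", negotiate(ROUTER_A, ROUTER_B))   # A's policy 2 with B's policy 1
    for pair, diff in diagnose(ROUTER_A, ROUTER_B).items():
        print(pair, "mismatch on", diff or "nothing")
```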

II. How the AH and ESP protocols work
1. Overview: The ESP and AH protocols are the two main protocols for encrypting and authenticating data.
- ESP uses IP protocol number 50 (ESP is encapsulated by IP, and the protocol field in the IP header is 50).
- AH uses IP protocol number 51 (AH is encapsulated by IP, and the protocol field in the IP header is 51).

The IPSec protocol suite operates in two main modes: Tunnel Mode and Transport Mode.
- When IPSec operates in Tunnel Mode, after encapsulating the data the ESP protocol encrypts the entire payload, frame header and IP header, and then adds a new IP header to the packet before forwarding it.
- When IPSec operates in Transport Mode, the IP header is kept as it is and the ESP protocol is inserted between the payload and the IP header of the packet.
2. Overview of the ESP header and AH header

Figure 3-1: AH Tunnel Mode packet

Figure 3-2: ESP Tunnel Mode packet
- When the ESP protocol is used, it performs encryption, authentication and integrity protection. After encapsulation with ESP, all the information about encryption and decryption is in the ESP header.
- The encryption algorithms used by the protocol are DES, 3DES and AES.
- The hash algorithms are MD5 or SHA-1.
- When the AH protocol is used, AH only performs authentication and ensures data integrity. The AH protocol has no data encryption feature.
3. Authentication Header (AH)
AH is one of the security protocols; it provides integrity for the packet headers and data, and authentication of the data origin. It can optionally provide replay protection and access protection. AH does not encrypt any part of the packet. In the first version of IPSec, the ESP protocol could only provide encryption, not authentication. AH and ESP were therefore combined to provide both confidentiality and data integrity.
a. AH modes
AH has two modes: Transport and Tunnel. In Tunnel mode, AH creates a new IP header for each packet. In Transport mode, AH does not create a new IP header. In an IPSec architecture that uses gateways, the real source and destination IP addresses of the packets must be changed to the gateways' IP addresses. Because Transport Mode does not change the original IP header or create a new one, Transport Mode is usually used in host-to-host architectures. AH provides integrity for the whole packet regardless of which mode is used.

Figure 3-3: AH Tunnel Mode packet

Figure 3-4: AH Transport Mode packet
b. AH authentication and data integrity


Step 1: AH takes the packet, consisting of payload + IP header + key, runs it through a one-way hash algorithm and produces a digest. This digest is placed in the AH header.
Step 2: The AH header is inserted between the payload and the IP header, and the packet is sent to the other side.
Step 3: After receiving the packet, consisting of IP header + AH header + payload, the destination router runs it through the hash algorithm once more to produce a digest.
Step 4: It compares the digest it has just computed with the received digest; if they are the same, it accepts the packet.
c. AH header

Figure 3-5: AH header
Next Header: this field is 8 bits long and holds an IP protocol number. In Tunnel Mode the payload is an IP packet, so the Next Header value is set to 4. In Transport Mode the payload is always a transport-layer protocol: if the transport-layer protocol is TCP the protocol number is 6; if it is UDP the protocol number is 17.
Payload Length: this field holds the length of the AH header.
Reserved: reserved for future use (to date it is represented by zeros).
Security Parameter Index (SPI): each end of an IPSec connection chooses its own SPI value. It serves only to identify the connection. The receiver uses the SPI together with the destination IP address and the IPSec protocol type (here AH) to determine which SA policy is applied to the packet (that is, which IPSec protocol and which algorithms apply to the packet).
Sequence Number: this number increases by 1 for each AH datagram that a host sends under a given SA policy. The counter starts at 1. The sequence number is never allowed to wrap to 0; when the sending host sees that the counter is about to wrap, it negotiates a new SA if the SA has been established. The receiving host uses the sequence number to detect replayed datagrams. If checking is done on the receiving side, the receiver can tell the sender that it is not checking sequence numbers, but the sender is still required to keep incrementing and sending the sequence number.
Authentication Data: this field holds the result of the Integrity Check Value (ICV). The field is always a multiple of 32 bits (one word) and must be padded if the length of the ICV in bytes does not fill it.


d. Operation of the AH protocol
The best way to understand how AH works is to examine and analyze actual AH packets.

Figure 3-6: Sample AH Transport Mode Packet
The figure above shows the components of a real AH packet. The AH packet consists of an Ethernet header, an IP header, an AH header and the payload. From the fields of the AH section we can tell that this is a Transport Mode packet, since it contains only one IP header. Here the payload is an ICMP echo request (a ping). The original ping carries a sample character string, which appears in the packet as increasing hex values (e.g. 61, 62, 63). After AH is applied the ICMP payload is unchanged, because AH only provides data integrity, not encryption.

Figure 3-7: AH Header Fields from Sample Packet


The AH header fields from the first four packets of the AH session between host A and host B. The fields in the first header are only labels, useful for identifying the AH mode.
- SPI: host A uses the hex value cdb59934 as the SPI in all of its packets, while host B uses the hex value a6b32c00 in all of its packets. This reflects the fact that an AH connection really consists of two one-way connections.
- Sequence Number: both hosts start their counters at 1, and both increase it to 2 for their second packet.
- Authentication information: the authentication (integrity) information is a keyed hash computed over nearly all bytes of the packet.
e. AH version 3
A new AH standard, version 3, was developed from a draft. The differences between version 2 and version 3 matter little to IPSec administrators and users: a few changes to the SPI, and an optional longer sequence number. The version 3 draft also points to another draft that lists the algorithms required for AH. The drafts mandate support for HMAC-SHA1-96, introduce the stronger AES-XCBC-MAC-96, and also introduce HMAC-MD5-96.
f. AH Summary
AH provides integrity protection for all packet headers and data, except for those IP header fields that routers change in transit. AH includes the source and destination addresses in its integrity protection, so AH is generally incompatible with NAT. Today most IPSec implementations support the second version of IPSec, in which ESP can also provide data integrity through authentication. AH offers one benefit that ESP does not: integrity protection for the outermost IP header.

4. Encapsulating Security Payload (ESP)
ESP is the second main security protocol. In the first version of IPSec, ESP provided only encryption of the packet payload data; when needed, AH supplied the integrity service. In the second version of IPSec ESP became more flexible: it can perform authentication to provide integrity protection, although not for the outermost IP header. ESP encryption can be disabled by using the NULL ESP encryption algorithm. ESP can therefore provide encryption only, encryption and integrity, or integrity only.
a. ESP Modes
ESP has two modes: Transport Mode and Tunnel Mode.

In Tunnel Mode, ESP creates a new IP header for each packet. The new IP header lists the ESP tunnel endpoints (e.g. two IPSec gateways) as the packet's source and destination. Tunnel Mode can be used with all three VPN architecture models.

Figure 3-8: ESP Tunnel Mode Packet
ESP Tunnel Mode is used far more often than ESP Transport Mode. In Transport Mode, ESP uses the original IP header instead of creating a new one; ESP can then encrypt and/or integrity-protect the packet contents and some ESP components, but not the IP header. The AH protocol and ESP in Transport Mode are normally used in the host-to-host architecture. Transport Mode is not compatible with NAT.

Figure 3-9: ESP Transport Mode Packet

b. ESP Packet Fields

Figure 3-10: ESP Packet Fields
ESP adds a header and a trailer around the contents of each packet. The ESP Header is made up of two fields, SPI and Sequence Number.
- SPI (32 bits): each endpoint of each IPSec connection chooses its SPI value. The receiver uses the SPI, together with the destination IP address and the IPSec protocol, to determine the unique SA policy that applies to the packet.
- Sequence Number: used to provide the anti-replay service. When the SA is established this counter is initialized to 0. Before each packet is sent, the counter is incremented by 1 and placed in the ESP header. To make sure that no two packets carry the same number, the counter is not allowed to wrap to 0: once the value 2^32 - 1 has been used, a new SA and authentication key are established.
The next part of the packet is the Payload, made up of the Payload data (encrypted) and the IV (not encrypted). The IV value used during encryption differs for each packet.
The third part of the packet is the ESP Trailer, which contains at least two fields:
- Padding (0-255 bytes): added to bring each packet to the required size.
- Pad Length: the length of the Padding.
- Next Header: in Tunnel Mode the payload is an IP packet, so Next Header is set to 4 (IP-in-IP). In Transport Mode the payload is always a layer-4 protocol: for TCP the IP protocol value is 6, for UDP it is 17. Every ESP Trailer contains one Next Header value.
- Authentication Data: this field holds the Integrity Check Value (ICV) for the ESP packet. The ICV is computed over the entire ESP packet except the authentication data field itself. The ICV begins on a 4-byte boundary and must be a multiple of 32 bits (one word).

c. ESP encryption and operation

ESP uses symmetric cryptography to encrypt the data in IPSec packets. For a connection between two endpoints to be protected by ESP encryption, both sides must use the same key to encrypt and decrypt each packet. When one endpoint encrypts data it splits the data into small blocks and then performs the encryption operation repeatedly, using the data blocks and the key. Algorithms that work this way are known as block cipher algorithms. When the other endpoint receives the encrypted data it decrypts it with the same key and a similar process, but with the steps reversed. For example, ESP uses the encryption algorithms AES-Cipher Block Chaining (AES-CBC), AES Counter Mode (AES-CTR) and Triple DES (3DES).
An ESP packet looks similar to an AH packet. The sample character string can be identified in the AH-protected payload but not in the ESP-protected payload, because in ESP it is encrypted. An ESP packet contains five sections: Ethernet header, IP header, ESP header, encrypted data (payload and ESP trailer) and, optionally, authentication information. Because the data is encrypted, it cannot be determined whether the packet is in Transport Mode or Tunnel Mode. However, since the IP header is not encrypted, the IP protocol field in the header still reveals the protocol used for the payload (in this case ESP).

Figure 3-11: ESP Packet Capture


Figure 3-12: ESP Header Fields from Sample Packets
The figure above shows the ESP header fields from the first four packets of the ESP session between host A and host B. The SPI and Sequence Number fields in ESP work one-way, as they do in AH. Each host uses a different SPI value for its packets, consistent with an ESP connection consisting of two one-way connections. Both hosts start their sequence number at 1 and increase it to 2 for their second packet.
d. ESP Version 3
A new standard for ESP, version 3, was recently added and is based on the draft standard. The main functional differences between version 2 and version 3 include the following:
- The ESP version 2 standard required ESP implementations to support encryption-only ESP (with no integrity protection). The ESP version 3 standard was issued to address support for this option.
- ESP may use a longer sequence number, as in the AH version 3 standard.
- ESP version 3 supports combined-mode algorithms (AES Counter with CBC-MAC [AES-CCM]), so that encryption and integrity protection are obtained faster than by using separate algorithms.
e. ESP Summary
In Tunnel Mode, ESP provides encryption and integrity protection for the encapsulated IP packet, as well as integrity for the ESP header, and it can be compatible with NAT. In Transport Mode, ESP provides encryption and integrity protection for the payload of the IP packet, as well as integrity for the ESP header; Transport Mode is not compatible with NAT. ESP Tunnel Mode is the most widely used IPSec mode: because it encrypts the original IP header, it can hide the packet's true source and destination addresses. ESP can also add padding to the packet. ESP is commonly used to provide encryption or integrity protection, or both.

5. The main modes of the IPSec protocol:
a. Transport Mode:

Transport mode protects upper-layer protocols and applications. In transport mode the IPSec header is inserted between the IP header and the upper-layer protocol header, so only the IP payload is encrypted and the original IP header is left intact. Transport mode can be used when both hosts support IPSec.

Figure 3-13: IPSec Transport Mode, a generic representation
Transport mode is used to secure a connection between two hosts: ESP in transport mode protects the information exchanged between two fixed hosts, that is, the upper-layer protocols carried in the IP datagram.

Figure 3-14: Transport Mode Tunnel
In Transport Mode, the AH header is inserted into the IP datagram after the IP header and its options.

Figure 3-15: Transport Mode Packet
The advantage of transport mode is that it adds only a few bytes to each packet, and it also lets devices on the network see the packet's final destination address.

b. Tunnel mode:

Figure 3-16: A Tunnel Mode AH Tunnel (diagram: Network 10.0.1.0/24 and Network 10.0.2.0/24 joined by an AH tunnel)

[Diagram for Figure 3-17: hosts A1..An on Network A, 10.0.1.0/24, behind GW A (1.1.1.1); a WAN; GW B (2.2.2.2) in front of hosts B1..Bm on Network B, 10.0.2.0/24]

Figure 3-17: An ESP Tunnel Mode VPN
Unlike transport mode, tunnel mode protects the entire data packet: the whole IP packet is encapsulated inside another IP packet, and an IPSec header is inserted between the original IP header and the new one.


Figure 3-18: IPSec Tunnel Mode, a generic representation
The entire original IP packet is encapsulated by AH or ESP, and a new IP header is wrapped around it. The whole original IP packet is encrypted and becomes the data of the new IP packet. This mode lets network devices such as routers act as IPSec proxies and perform the encryption on behalf of hosts. The source router encrypts the packets and sends them along the tunnel; the destination router decrypts the original IP packet and forwards it to the end system.
- With a tunnel operating between two security gateways, the source and destination addresses can be encrypted.
Example: packet flow from host A2 to host B3:

Figure 3-19: Packet Flow from Host A2 to Host B3



Suppose host A2 sends a TCP segment to host B3. The IP datagram leaving host A2 for host B3 has source address 10.0.1.2 and destination address 10.0.2.3. The protocol field in the IP header is 6, indicating that the upper-layer protocol is TCP. Host A2 has either a default route to GWA or a route to network 10.0.2.0/24 with GWA as the next hop, so the datagram is routed to GWA. When the datagram reaches GWA, the gateway checks its SPD, which states that any datagram from network 10.0.1.0/24 to network 10.0.2.0/24 must be encapsulated in tunnel-mode ESP and sent to GWB at 2.2.2.2. After GWA encapsulates the IP datagram, the outer IP header has source address 1.1.1.1 (GWA) and destination address 2.2.2.2 (GWB). The protocol field of the outer IP header is 50, indicating ESP. The Next Header field of the ESP packet is 4, indicating that ESP is encapsulating an IP datagram. The inner IP header is unchanged. When the encapsulated datagram arrives at GWB, the gateway sees that it contains an ESP packet, retrieves the authentication and encryption keys from the appropriate SA, performs the integrity check and decrypts the ESP payload. The outer IP header, the ESP header and trailer, and the ICV are stripped off, and the inner IP datagram is forwarded to its destination (10.0.2.3).
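The flow just described, together with the ESP header and trailer fields from section 4.b, as an added Python example (not code from the report): GWA matches the inner datagram against its SPD, wraps it in tunnel-mode ESP behind an outer header 1.1.1.1 to 2.2.2.2 with protocol 50, and GWB verifies the ICV, checks the sequence number against an anti-replay window and strips the encapsulation. The NULL encryption algorithm the text mentions stands in for AES-CBC so the framing is visible with the standard library only; the key, the TCP payload, the SPI 0x1000 and the 64-slot window are assumptions.

```python
import hashlib
import hmac
import ipaddress
import socket
import struct

ESP_PROTO = 50   # outer IP protocol field: ESP
IP_IN_IP = 4     # ESP Next Header in tunnel mode: an IPv4 datagram follows
TCP = 6
ICV_LEN = 12     # HMAC-SHA1-96
ALIGN = 4        # Pad Length + Next Header must end on a 4-byte boundary

# GWA's Security Policy Database, as stated in the scenario above
SPD = [(ipaddress.ip_network("10.0.1.0/24"), ipaddress.ip_network("10.0.2.0/24"),
        "1.1.1.1", "2.2.2.2")]


def ipv4_header(src, dst, proto, total_len, ttl=64):
    """Constructed IPv4 header; checksum left at 0 to keep the example short."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, ttl, proto,
                       0, socket.inet_aton(src), socket.inet_aton(dst))


def null_cipher(data):
    """The NULL ESP algorithm: stand-in for AES-CBC, so no IV is emitted here."""
    return data


def esp_encapsulate(key, spi, seq, next_hdr, plaintext):
    pad_len = (-(len(plaintext) + 2)) % ALIGN        # 0..255 bytes of padding
    padding = bytes(range(1, pad_len + 1))            # default padding 1, 2, 3, ...
    trailer = padding + struct.pack("!BB", pad_len, next_hdr)
    header = struct.pack("!II", spi, seq)             # SPI + Sequence Number
    body = header + null_cipher(plaintext + trailer)
    icv = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]   # all but the ICV
    return body + icv


def esp_decapsulate(key, esp):
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    if not hmac.compare_digest(icv, hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]):
        raise ValueError("ESP ICV check failed")
    spi, seq = struct.unpack("!II", body[:8])
    clear = null_cipher(body[8:])
    pad_len, next_hdr = clear[-2], clear[-1]
    return spi, seq, next_hdr, clear[:len(clear) - 2 - pad_len]


class ReplayWindow:
    """Receiver-side anti-replay check on the ESP sequence number."""

    def __init__(self, size=64):
        self.size, self.top, self.bitmap = size, 0, 0   # bit 0 of bitmap == top

    def accept(self, seq):
        if seq == 0:
            return False                      # 0 is never a valid sequence number
        if seq > self.top:                    # newer than anything seen: slide window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size or self.bitmap >> offset & 1:
            return False                      # too old, or already received
        self.bitmap |= 1 << offset
        return True


def gwa_outbound(key, spi, seq, inner):
    """GWA: match the inner datagram against the SPD, then tunnel it with ESP."""
    src, dst = ipaddress.ip_address(inner[12:16]), ipaddress.ip_address(inner[16:20])
    for src_net, dst_net, local, peer in SPD:
        if src in src_net and dst in dst_net:
            esp = esp_encapsulate(key, spi, seq, IP_IN_IP, inner)
            return ipv4_header(local, peer, ESP_PROTO, 20 + len(esp)) + esp
    return None   # no matching policy: this datagram is not sent through the tunnel


def gwb_inbound(key, window, packet):
    """GWB: verify, decrypt and strip the outer header; return the inner datagram."""
    if packet[9] != ESP_PROTO:
        raise ValueError("not an ESP packet")
    spi, seq, next_hdr, inner = esp_decapsulate(key, packet[20:])
    if not window.accept(seq):
        raise ValueError("replayed or out-of-window sequence number %d" % seq)
    if next_hdr != IP_IN_IP:
        raise ValueError("unexpected Next Header %d" % next_hdr)
    return inner


def host_a2_datagram():
    """Constructed TCP datagram from host A2 (10.0.1.2) to host B3 (10.0.2.3)."""
    segment = b"\x00" * 20                            # placeholder TCP header
    return ipv4_header("10.0.1.2", "10.0.2.3", TCP, 20 + len(segment)) + segment


if __name__ == "__main__":
    key, window = b"constructed-demo-key", ReplayWindow()
    inner = host_a2_datagram()
    outer = gwa_outbound(key, 0x1000, 1, inner)
    print("outer proto, src, dst:", outer[9], ipaddress.ip_address(outer[12:16]),
          ipaddress.ip_address(outer[16:20]))
    print("inner datagram restored:", gwb_inbound(key, window, outer) == inner)
```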

Comparison of the AH and ESP protocols

  Feature                                  AH    ESP
  Layer-3 IP protocol number               51    50
  Provides for data integrity              Yes   Yes
  Provides for data authentication         Yes   Yes
  Provides for data encryption             No    Yes
  Protects against data replay attacks     Yes   Yes
  Works with NAT                           No    Yes
  Works with PAT                           No    No
  Protects the IP packet                   Yes   No
  Protects only the data                   No    Yes


CHAPTER III: PUBLIC KEY INFRASTRUCTURE


I. PKI overview
Public Key Infrastructure (PKI) is a mechanism by which a third party (usually a certification authority) provides and authenticates the identities of the parties taking part in an information exchange. The mechanism also allows each user in the system to be assigned a public/private key pair. These processes are usually carried out by software at a central site and by other software at the users' locations. Public keys are usually distributed in public key certificates, also referred to as the Public Key Infrastructure. The term public key infrastructure (PKI) is often used to refer to the whole system, including the certification authority (CA) and the related mechanisms, together with all use of public-key algorithms in information exchange. That last part of the usage is not entirely accurate, however, because the mechanisms in a PKI do not necessarily use public-key algorithms.
II. PKI components
1. PKI components
A PKI relies on a cryptographic facility to ensure that public keys are managed securely. These facilities do not all operate at once; together they perform the broad set of functions involved in managing key distribution, which includes the following:
- authenticating and registering an end entity
- verifying the integrity of public keys
- authenticating requests during the maintenance of public keys
- securely issuing public keys
- revoking public keys when they are no longer valid
- maintaining revocation information about public keys (the CRL) and distributing it (by issuing CRLs or by answering Online Certificate Status Protocol [OCSP] messages)
- ensuring the security and the history of keys.
Public Key Certificates: The goal of asymmetric key exchange is to deliver the public key securely from the sender (who encrypts) to the receiver (who decrypts). PKI facilitates secure key exchange by ensuring that the exchanging parties are authenticated to each other. A public key certificate is issued by a Certificate Authority (CA). For a CA to issue a public key certificate to an end entity, the end entity must first register with the CA. Registration consists of the registration, activation and certification of an end entity with the PKI (CAs and RAs). The registration process is as foll ows:
o An end entity registers with the CA or RA.
During registration, the end entity presents a way for the CA to identify it. The CA authenticates the end entity and issues a public key to it.

o The end entity starts the initialization phase by generating a public/private key pair; the public key of the pair is sent to the CA.
o The CA signs the public key certificate with its private key, producing a public key certificate for the end entity.
o End entities can now request the public key certificates of other end entities. They can use the CA's public key to decrypt (verify) a public key certificate and obtain the appropriate key.
Registration Authorities: In many cases the CA provides all the PKI services needed to manage public keys within the network. In many other cases, however, the CA may delegate work to an RA. Some functions the CA may delegate to an RA are:
o Checking that the end entity registering a public key with the CA possesses the private key associated with that public key.
o Generating the public/private key pairs used in the initialization phase of registration.
o Validating the parameters of public keys.
o Issuing Certificate Revocation Lists (CRLs) indirectly.
Certificate Authorities: The CA issues certificates, authenticates PKI clients and, when necessary, revokes certificates. The CA represents the primary source of trust in the PKI, and it is the only element in the PKI that can issue public key certificates to end entities. The CA is also responsible for maintaining CRLs and serves as the CRL Issuer. A PKI is not limited to a single CA; it may have several CAs. CAs help establish the identity of the entities that communicate with each other. CAs certify not only PKI clients but also other CAs, by issuing certificates to them. The certified CAs can in turn certify other CAs, until every entity can be trusted by the other entities involved in a transaction.
2. PKI goals and functions
PKI allows participants to authenticate each other and to use the information in public key certificates to encrypt and decrypt the information they exchange. PKI allows electronic transactions to take place with confidentiality, integrity and mutual authentication, without the parties having to exchange any secret information beforehand. The main goal of a PKI is to provide public keys and to establish the binding between a key and a user's identity.
Users can therefore rely on it in a number of applications, such as:
- encrypting email or authenticating the sender of email
- encrypting or authenticating documents
- authenticating application users


- secure communication protocols: key exchange with asymmetric keys, encryption with symmetric keys.
A PKI provides the following components:
- generation of a private/public key pair for a PKI client
- creation and verification of digital signatures
- issuance of certificates to users
- marking issued keys and maintaining the usage history of each key
- revoking registrations that are invalid or expired
- authenticating PKI clients
3. Purposes of PKI
PKI is used for the following purposes:
- Encryption: keeping information secret so that only the holder of the secret key can decrypt it.
- Digital signatures: allowing one to check whether a document was created with a given secret key.
- Key agreement: allowing two parties to establish a key for exchanging secured information.
III. PKI infrastructure
1. Encryption steps:

Step 1: Use a hash algorithm to transform the message to be sent; the result is a message digest. With MD5 (Message Digest 5) the digest is 128 bits long; with SHA (Secure Hash Algorithm) it is 160 bits long.
Step 2: Use the sender's private key to encrypt the message digest obtained in step 1. This step normally uses the RSA algorithm (or DSA, RC2, 3DES, ...). The result is called the digital signature of the original message.
Step 3: Use the receiver's public key to encrypt the information to be sent.
Step 4: Attach the digital signature to the encrypted message and send it.
Thus, once the digital signature has been attached to the encrypted message, any change to the message will be detected in the verification

stage. In addition, the signature assures the receiver that the message originated from the sender and not from anyone else.
2. Verification steps:
Step 1: The receiver uses its own private key to decrypt the received information, which has two parts: the message and the sender's signature.
Step 2: Using the sender's public key (which has been published to everyone), decrypt the digital signature of the message, obtaining a message digest.
Step 3: Use MD5 (or SHA) to hash the attached message, obtaining a message digest.
Step 4: Compare the results of steps 2 and 3; if they match, we conclude that the message was not altered in transit and that it came from the sender.

CHAPTER IV: DYNAMIC MULTIPOINT VIRTUAL PRIVATE NETWORK

I. DMVPN OVERVIEW
1. What is DMVPN?
Dynamic Multipoint Virtual Private Network (DMVPN) is a combination of the technologies IPSec, mGRE and NHRP. Combined, these technologies make it easy to deploy IPSec in a virtual private network.
2. Advantages of DMVPN
When a network has many sites and an encrypted tunnel is built between every pair of sites, we end up with n(n-1)/2 tunnels. For example, in the figure below we have 3 tunnels

and here we have n(n-1)/2 = 6 tunnels


3. Technologies used
IPSec (Internet Protocol Security): a protocol that protects packets against modification at the IP layer. It is based on public-key cryptography; in Tunnel mode the packet contents and header are encrypted, and both ends are protected.
mGRE (multipoint Generic Routing Encapsulation): a tunneling protocol that encapsulates many kinds of packets into a single type carried in IP tunnels, and then creates point-to-point virtual connections to remote routers across the IP network.
NHRP (Next Hop Resolution Protocol): a protocol used by routers to discover the MAC addresses of other routers and hosts.
4. DMVPN operation
DMVPN is a software solution in the Cisco IOS operating system. DMVPN relies on two Cisco technologies:
- Next Hop Resolution Protocol (NHRP)
o The hub maintains a database of the real (public) addresses of all spokes; each spoke registers its real address when it boots. Spokes then query the NHRP database for the real address of a destination spoke in order to build a direct tunnel.
- Multipoint GRE Tunnel Interface
o Allows one GRE interface to support many IPSec tunnels, keeping the configuration small and simple.
- DMVPN does not change the IPSec VPN tunnel standards, but it changes their configuration.
- Spokes have a permanent IPSec tunnel to the hub but not to the other spokes. Spokes are considered clients of the NHRP server.
- When a spoke needs to send a packet to a destination (private) subnet behind another spoke, it asks NHRP for the real address of the destination spoke.
- The source spoke can now initiate a dynamic IPSec tunnel to the destination spoke.
- The spoke-to-spoke tunnel is built over the mGRE tunnel.
5. Routing with DMVPN
Dynamic routing is required over the hub-to-spoke tunnels. Spokes learn all the private networks behind the other spokes and the hub through the routing table updates sent by the hub. The IP next hop for a spoke network is the tunnel interface of that spoke. The routing protocols used are:
o Enhanced Interior Gateway Routing Protocol (EIGRP)
o Open Shortest Path First (OSPF)
o Border Gateway Protocol (BGP)

o Routing Information Protocol (RIP)
6. DMVPN Phases

o Phase 1: hub-and-spoke functionality
o Phase 2: spoke-to-spoke functionality
o Phase 3: scalable spoke-to-spoke functionality for larger networks.
IPSec + GRE for DMVPN Phase 1 (hub-to-spoke). Features:
- All traffic must pass through the hub
- Easy to deploy
- Small hub configuration file
Advantages of DMVPN Phase 1:
- Simple, compact hub and spoke configuration
- Supports multicast traffic from the hub to the spokes
- Supports dynamic addressing of the spokes
Phase 2: In Phase 2, NHRP brings up the NHC-to-NHS tunnel, and a dynamic routing protocol is normally used to advertise routing information for all the networks behind the hub and all the spokes. This information consists of the IP next hop of the destination spoke and the private network behind it. When a packet is forwarded, its outbound interface and IP next hop are taken from the routing table entry. If the outbound interface is an NHRP interface, the router looks for an NHRP mapping for the IP next hop. If there is no matching entry in the NHRP mapping table, NHRP is triggered to send an NHRP resolution request for the mapping information (IP next hop address to physical-layer address). The NHRP reply packet carries this mapping information, and once it has been received the spoke has enough information to encapsulate the data correctly and send it directly to the remote spoke over the network infrastructure.
Phase 3: NHRP brings up the NHC-to-NHS tunnels, and a dynamic routing protocol is used to advertise the routing information for all the networks behind all spokes to the hub. The hub then sends this routing information back to the spokes, but in this case the hub may summarize the routes. It sets the IP next hop of all destination networks to the NHS (the hub). This reduces the amount of routing information that has to be distributed from the hub to the spokes and reduces the load of the routing protocol updates running on the hub. When a data packet is forwarded, its outbound interface and IP next hop are taken from the routing table entry. If the outbound interface is an NHRP interface, the router looks for an NHRP mapping for the IP next hop. In this


case the IP next hop is the hub, for which the spoke already has an NHRP mapping (it has a tunnel to the hub), so the spoke simply sends the data packet to the hub. The hub receives the data packet and checks its routing table. Since the packet is destined for a network behind another spoke, the hub forwards it out of the NHRP interface toward the next hop, the destination spoke. At this point the hub notices that the packet arrived on and left through the same NHRP interface. This means the data packet took at least two hops in the NHRP network, and the path through the hub is not the optimal one. The hub therefore sends an NHRP redirect message back to the spoke. This redirect message tells the spoke the destination IP address of the data packet that triggered it. When the spoke receives the NHRP redirect, it creates and sends an NHRP resolution request for the destination IP address named in the redirect. The NHRP resolution request is forwarded to the remote spoke that serves that destination IP address. The remote spoke generates an NHRP resolution reply containing its NBMA address and the entire subnet (from its routing table) that matches the destination IP address in the NHRP resolution request. The remote spoke then sends the NHRP resolution reply directly back to the local spoke. At this point there is enough information for the data traffic to be sent directly over the newly created spoke-to-spoke tunnel.
The IP routing table and the routes learned from the hub are important when building spoke-to-spoke tunnels, so the availability of the NHS (the hubs) is critical to the NHRP network. If there is only one hub and it goes down, the spoke removes the routes it learned from the hub from its routing table, because losing the hub is like losing a routing neighbor. The spoke does not, however, remove any spoke-to-spoke tunnels (NHRP mappings) that are still active. Although the spoke-to-spoke tunnel still exists, it is not used, because the routing table no longer contains a route to the destination network. Furthermore, the removal of routes from the routing table does not notify NHRP, so the NHRP mappings eventually time out while the hub is down. In Phase 2, if there is a route in the routing table (possibly a static route) with the correct IP next hop, the spoke can still use the spoke-to-spoke tunnel even when the hub is down, but NHRP cannot refresh the NHRP mapping, because NHRP resolution requests and replies must pass through the hub.
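The Phase 3 exchange described above (hub redirect, resolution request through the hub, resolution reply sent directly spoke-to-spoke, shortcut installed, and the behaviour when the only hub goes down), as an added Python simulation rather than code from the report. The hub tunnel and NBMA addresses 10.0.0.1 and 172.17.0.1 are taken from the configuration section of this chapter; the spoke NBMA addresses, the LAN subnets and the Router and Phase3Dmvpn classes are assumptions.

```python
import ipaddress


class Router:
    """A DMVPN node: tunnel (VPN) address, NBMA (physical) address, LANs behind it."""

    def __init__(self, name, tunnel_ip, nbma_ip, lans=()):
        self.name, self.tunnel_ip, self.nbma_ip = name, tunnel_ip, nbma_ip
        self.lans = [ipaddress.ip_network(lan) for lan in lans]
        self.routes = {}      # ip_network -> next-hop tunnel IP, learned from the hub
        self.nhrp = {}        # tunnel IP -> NBMA IP (static hub mapping, registrations)
        self.shortcuts = {}   # ip_network -> NBMA IP, installed by NHRP resolution

    def serves(self, ip):
        return any(ip in lan for lan in self.lans)


class Phase3Dmvpn:
    def __init__(self, hub):
        self.hub, self.spokes, self.log = hub, [], []

    def register(self, spoke):
        """NHRP registration: static spoke->hub mapping, dynamic hub->spoke mapping."""
        spoke.nhrp[self.hub.tunnel_ip] = self.hub.nbma_ip
        self.hub.nhrp[spoke.tunnel_ip] = spoke.nbma_ip
        self.spokes.append(spoke)
        # Phase 3: the hub advertises every remote LAN with itself as the IP next hop
        for s in self.spokes:
            for other in self.spokes:
                if other is not s:
                    for lan in other.lans:
                        s.routes[lan] = self.hub.tunnel_ip

    def hub_down(self):
        """Losing the hub is like losing a routing neighbour: the spokes drop the
        routes learned from it but keep their existing spoke-to-spoke shortcuts."""
        for s in self.spokes:
            s.routes.clear()

    def forward(self, src, dst_ip):
        """Returns the list of routers a data packet from src passes through."""
        dst = ipaddress.ip_address(dst_ip)
        path = [src.name]
        if not any(dst in net for net in src.routes):
            return path                             # no route: dropped at the spoke
        for net, nbma in src.shortcuts.items():
            if dst in net:                          # resolved earlier: go direct
                path.append(self._by_nbma(nbma).name)
                return path
        # Next hop is the hub; the hub hairpins the packet out the same mGRE interface
        egress = next(s for s in self.spokes if s.serves(dst))
        path += [self.hub.name, egress.name]
        self.log.append(("redirect", self.hub.name, src.name, str(dst)))
        self._resolve(src, dst, egress)
        return path

    def _resolve(self, requester, dst, egress):
        """The resolution request travels requester -> hub -> egress spoke; the reply
        carries the egress NBMA address and the whole subnet holding dst, and goes
        directly back to the requester (spoke-to-spoke)."""
        subnet = next(lan for lan in egress.lans if dst in lan)
        self.log.append(("resolution-request", requester.name, self.hub.name, egress.name))
        egress.nhrp[requester.tunnel_ip] = requester.nbma_ip
        self.log.append(("resolution-reply", egress.name, requester.name, str(subnet)))
        requester.shortcuts[subnet] = egress.nbma_ip

    def _by_nbma(self, nbma):
        return next(s for s in self.spokes if s.nbma_ip == nbma)


def build_example():
    """Hub addresses 10.0.0.1 / 172.17.0.1 as in the configuration section;
    spoke NBMA addresses and LANs are constructed."""
    net = Phase3Dmvpn(Router("Hub", "10.0.0.1", "172.17.0.1"))
    spoke_a = Router("SpokeA", "10.0.0.2", "172.17.0.2", ["192.168.1.0/24"])
    spoke_b = Router("SpokeB", "10.0.0.3", "172.17.0.3", ["192.168.2.0/24"])
    net.register(spoke_a)
    net.register(spoke_b)
    return net, spoke_a, spoke_b


if __name__ == "__main__":
    net, a, b = build_example()
    print(net.forward(a, "192.168.2.10"))   # first packet: via the hub, triggers NHRP
    print(net.forward(a, "192.168.2.10"))   # second packet: spoke-to-spoke
    print(net.log)
```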
In Phase 3 we only need a route out of the tunnel interface; the IP next hop does not have to be exact (NHRP ignores the IP next hop in Phase 3). NHRP is able to refresh the NHRP mapping, because NHRP resolution requests and replies travel directly over the spoke-to-spoke tunnel. If there are two (or more) NHS hubs in one NBMA network (one mGRE, Frame Relay or ATM interface), then after the first hub goes down the spoke router removes the routes it learned from that hub from its routing table, but it learns the same routes (with a higher metric) from the second hub. Routing is re-established immediately, so the spoke-to-spoke traffic

continues through the spoke-to-spoke tunnel and is not affected by the hub.
II. DMVPN configuration
1. IPSec configuration:

Step 1: crypto ipsec profile name, specifies the name of the IPSec profile
Router(config)# crypto ipsec profile vpnprof
Step 2: set transform-set transform-set-name, specifies which transform set IPSec uses.
Router(config-crypto-map)# set transform-set trans2
Step 3: set identity, specifies the identity for the transform set
Router(config-crypto-map)# set identity
Step 4: set security-association lifetime {seconds seconds | kilobytes kilobytes}, sets the lifetime of the SA.
Router(config-crypto-map)# set security-association lifetime seconds 1800
Step 5: set pfs [group1 | group2], selects group 2 for perfect forward secrecy
Router(config-crypto-map)# set pfs group2
2. mGRE configuration on the HUB
Step 1: interface tunnel number, configures the tunnel interface
Router(config)# interface tunnel 5
Step 2: ip address ip-address mask [secondary], assigns the tunnel address
Router(config-if)# ip address 10.0.0.2 255.255.255.0
Step 3: ip mtu bytes, sets the maximum number of bytes carried in one frame
Router(config-if)# ip mtu 1416
Step 4: ip nhrp authentication string, configures the NHRP authentication string for the interface
Router(config-if)# ip nhrp authentication donttell
Step 5: ip nhrp map hub-tunnel-ip-address hub-physical-ip-address, maps the hub's tunnel address to its physical address
Router(config-if)# ip nhrp map 10.0.0.1 172.17.0.1
Step 6: ip nhrp map multicast hub-physical-ip-address, enables the routing protocol between spoke and hub by sending multicast packets to the hub.
Router(config-if)# ip nhrp map multicast 172.17.0.1
Step 7: ip nhrp nhs hub-tunnel-ip-address, configures the hub as the NHRP next-hop server
Router(config-if)# ip nhrp nhs 10.0.0.1
Step 8: tunnel key key-number, sets the key ID for the tunnel interface
Router(config-if)# tunnel key 1000
Step 9: tunnel mode gre multipoint, sets the encapsulation mode of the tunnel interface to mGRE
Router(config-if)# tunnel mode gre multipoint
Step 10: tunnel protection ipsec profile name, binds the tunnel interface to the IPSec profile.
Router(config-if)# tunnel protection ipsec profile vpnprof
3. mGRE configuration on the Spoke
Step 1: interface tunnel number
Router(config)# interface tunnel 5
Step 2: ip address ip-address mask [secondary]
Router(config-if)# ip address 10.0.0.2 255.255.255.0
Step 3: ip mtu bytes
Router(config-if)# ip mtu 1416
Step 4: ip nhrp authentication string
Router(config-if)# ip nhrp authentication donttell
Step 5: ip nhrp map hub-tunnel-ip-address hub-physical-ip-address
Router(config-if)# ip nhrp map 10.0.0.1 172.17.0.1
Step 6: ip nhrp map multicast hub-physical-ip-address
Router(config-if)# ip nhrp map multicast 172.17.0.1
Step 7: ip nhrp nhs hub-tunnel-ip-address
Router(config-if)# ip nhrp nhs 10.0.0.1
Step 8: ip nhrp network-id number, enables NHRP on the interface
Router(config-if)# ip nhrp network-id 99
Step 9: tunnel source {ip-address | type number}
Router(config-if)# tunnel source ethernet 0
Step 10: tunnel key key-number
Router(config-if)# tunnel key 1000
Step 11: tunnel mode gre multipoint
Router(config-if)# tunnel mode gre multipoint
or: tunnel destination hub-physical-ip-address
Router(config-if)# tunnel destination 172.17.0.1
Step 12: tunnel protection ipsec profile name
Router(config-if)# tunnel protection ipsec profile vpnprof
III. Next Hop Resolution Protocol
1. NHRP and NBMA networks


NHRP is a protocol similar to ARP (the Address Resolution Protocol) that alleviates the problems of NBMA networks. With NHRP, systems attached to an NBMA network dynamically learn the NBMA addresses of the other systems, which lets these systems communicate directly without the traffic having to pass through an intermediate hop. NHRP provides two functions for NBMA networks:
- NHRP acts as an address resolution protocol that allows Next Hop Clients (NHCs) to register dynamically with Next Hop Servers (NHSs). This lets NHCs join the NBMA network without any configuration change on the NHSs, which matters especially when the NHCs have

dynamic physical IP addresses or sit behind a router performing Network Address Translation (NAT), which changes the physical IP address. In these cases it is impractical to reconfigure the logical Virtual Private Network (VPN IP) to physical (NBMA IP) mapping for the NHC on the NHS. This function is called NHRP registration.
- NHRP is also a resolution protocol that lets an NHC client (spoke) find the logical VPN IP to NBMA IP mapping of another NHC client (spoke) within the same NBMA network. Without this resolution, IP packets travelling from the hosts behind one spoke to the hosts behind another spoke would have to go through the NHS (hub). This increases the hub's bandwidth and CPU usage for processing these packets, and is often called hairpinning. With NHRP, systems attached to an NBMA network dynamically learn the NBMA addresses of the other systems, which lets them communicate directly without the traffic passing through an intermediate hop. This reduces the load on the intermediate hop (the NHS) and can raise the aggregate bandwidth of the NBMA network above the bandwidth of the hub.
2. Benefits of NHRP for NBMA networks

Routers, access servers and hosts can use NHRP to discover the addresses of other routers and hosts connected to an NBMA network. The NBMA network itself may be configured as several logical networks in order to provide full connectivity at the network layer. In such configurations, packets may make several hops across the NBMA network before reaching the egress router (the router closest to the destination network). An NBMA network is called non-broadcast either because it does not support broadcasting (e.g. an IP mGRE tunnel network) or because broadcasting is too expensive (e.g. an SMDS broadcast group that is too large). NHRP provides an ARP-like solution that alleviates the NBMA network problems: systems dynamically learn the addresses of the other systems connected to the NBMA network, which lets them communicate directly without the traffic passing through an intermediate hop.

3. Next Hop Server selection
An NHRP resolution request travels through one or more hops (hubs) in the hub-to-spoke NBMA subnetwork before reaching the station that is expected to generate the reply. Each station (including the source station) chooses a neighboring NHS to which it forwards the request. The NHS selection method is typically based on routing toward the network-layer destination address of the NHRP request. The NHRP resolution request eventually reaches a station that generates the NHRP resolution reply. This responding station uses the destination address in the NHRP packet to determine where to send the reply.
The figure below illustrates four routers connected to an NBMA network.


In the IP network, the routers communicate with each other by tunneling IP packets inside IP packets over GRE tunnels. The routers support IP tunnel connections (see hop 1, hop 2 and hop 3 in the figure). When router A tries to forward an IP packet from the source host to the destination host, NHRP is triggered. On behalf of the source host, router A sends an NHRP resolution request packet encapsulated in a GRE IP packet, which in the figure takes three hops across the network to reach router D, the router connected to the destination host. After router A receives the NHRP resolution reply, it determines that router D is the NBMA IP next hop, and it sends the subsequent data IP packets to router D in GRE IP packets. With NHRP, once the NBMA next hop has been determined, the source host can either start sending data packets to the destination (in connectionless NBMA networks such as GRE IP and SMDS) or set up a virtual circuit (VC) to the destination. This connection is configured with the bandwidth and quality of service appropriate for connection-oriented NBMA networks such as Frame Relay, ATM, or a DMVPN in which an IPSec encryption peer must be established.

4. NHRP used with a DMVPN
NHRP is particularly useful for building VPNs. A VPN consists of a virtual layer-3 network built on top of a real layer-3 network. The topology we use over the VPN is independent of the underlying network, and the protocols we run over it are completely independent of it as well. A DMVPN is based on GRE logical tunnels, which can be protected by adding IPSec encryption to the GRE IP tunnels. Connected to the NBMA network are one or more stations that implement NHRP and are referred to as NHSs and NHCs. All routers running Cisco IOS

SVTT : Vi Th Mu

BO CO TTTN

IPSec VPN

phin b n 10.3 ho c phin b n sau ny c th c NHRP th c hi n, v v y cc router c th ho t ng nh NHSs ho c NHCs. N n t ng c a DMVPN (GRE IP + IPSec ) m NHRP s d ng c n ch y phin b n 12.3 (9), 12.3 (8), ho c l phin b n v sau ny. 5. S ng k NHRP (NHRP Registration)

NHRP registration requests are sent from NHCs to NHSs every one third of the NHRP holdtime (ip nhrp holdtime value), unless the ip nhrp registration timeout value command is configured, in which case they are sent at that interval instead. If no NHRP registration reply is received for a registration request, the request is retransmitted after 1, 2, 4, 8, 16, 32 and 64 seconds, after which the sequence starts again. The NHS is declared down if no registration reply has been received after three retransmissions (7 seconds), and NHRP resolution packets are no longer sent to it. Registration requests keep being sent at the 0, 1, 2, 4, 8, 16, 32, 64 second intervals to probe the NHS until a registration reply is received. As soon as a registration reply arrives, the NHS is immediately declared up again: registrations go back to being sent every one third of the holdtime (or at the configured ip nhrp registration timeout value) and NHRP resolution requests are sent to that NHS again. Use show ip nhrp nhs [detail] to check the state of the NHSs.
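The registration schedule and NHS up/down rule described in this section, and the resolution exchange of sections 3 and 4, are modelled below in a small Python simulation. This is an added example, not code from the report or from Cisco IOS: the NHS and NHC classes and the message dictionaries are constructed for illustration, while the tunnel and NBMA addresses, holdtime and authentication string (10.0.0.0/24, 172.30.2.1, 600, cisco47) are the ones the DMVPN lab in Part II uses. It also shows why a wrong `ip nhrp authentication` string is rejected, and that the string itself is only a cleartext tag in the NHRP packet.

```python
"""Model of NHRP registration and resolution on an mGRE (DMVPN-style) cloud.

Added example, not part of the report. Addresses, holdtime and authentication
string are those of the DMVPN lab in Part II; the classes and the message
dictionaries are constructed here for illustration.
"""
from dataclasses import dataclass, field

BACKOFF = (1, 2, 4, 8, 16, 32, 64)  # retransmission timeouts from the text, then repeat
DOWN_AFTER = 3                      # NHS declared down after three unanswered retransmissions


def registration_interval(holdtime, registration_timeout=None):
    """Normal NHC->NHS registration period: the configured registration timeout
    if there is one, otherwise one third of the NHRP holdtime."""
    return registration_timeout if registration_timeout else holdtime // 3


def retransmit_times(attempts):
    """Seconds after the first unanswered registration at which the NHC re-sends it."""
    out, t = [], 0
    for i in range(attempts):
        t += BACKOFF[i % len(BACKOFF)]
        out.append(t)
    return out


@dataclass
class Nhs:
    """Hub: keeps the tunnel-IP -> NBMA-IP bindings that spokes register."""
    auth: str
    cache: dict = field(default_factory=dict)

    def handle(self, msg):
        # The authentication string travels in cleartext inside the NHRP packet;
        # only the IPsec tunnel protection around the mGRE tunnel hides it.
        if msg.get("auth") != self.auth:
            return {"type": "error", "code": "authentication-failure"}
        if msg["type"] == "registration-request":
            self.cache[msg["tunnel_ip"]] = msg["nbma_ip"]
            return {"type": "registration-reply", "tunnel_ip": msg["tunnel_ip"]}
        if msg["type"] == "resolution-request":
            nbma = self.cache.get(msg["dst_tunnel_ip"])
            if nbma is None:
                return {"type": "error", "code": "no-binding"}
            return {"type": "resolution-reply", "dst_tunnel_ip": msg["dst_tunnel_ip"],
                    "nbma_ip": nbma}
        return {"type": "error", "code": "unknown-type"}


@dataclass
class Nhc:
    """Spoke: registers with the NHS and caches resolved spoke-to-spoke bindings."""
    tunnel_ip: str
    nbma_ip: str
    auth: str
    nhs_nbma: str
    cache: dict = field(default_factory=dict)
    nhs_up: bool = False
    missed: int = 0

    def register(self, nhs):
        """One registration exchange; nhs=None models an unanswered request."""
        req = {"type": "registration-request", "auth": self.auth,
               "tunnel_ip": self.tunnel_ip, "nbma_ip": self.nbma_ip}
        reply = nhs.handle(req) if nhs is not None else None
        if reply is not None and reply["type"] == "registration-reply":
            self.nhs_up, self.missed = True, 0      # a reply brings the NHS up at once
        else:
            self.missed += 1
            if self.missed >= DOWN_AFTER:
                self.nhs_up = False
        return self.nhs_up

    def next_hop(self, dst_tunnel_ip, nhs):
        """NBMA address for dst_tunnel_ip: cached binding, else resolved via the NHS;
        while the NHS is down no resolution is sent and traffic stays on the hub."""
        if dst_tunnel_ip in self.cache:
            return self.cache[dst_tunnel_ip]
        if not self.nhs_up:
            return self.nhs_nbma
        reply = nhs.handle({"type": "resolution-request", "auth": self.auth,
                            "src_tunnel_ip": self.tunnel_ip, "dst_tunnel_ip": dst_tunnel_ip})
        if reply["type"] == "resolution-reply":
            self.cache[dst_tunnel_ip] = reply["nbma_ip"]
            return reply["nbma_ip"]
        return self.nhs_nbma


def run_lab():
    """Two spokes register; spoke 1 resolves spoke 2; a rogue spoke is refused;
    three lost registrations mark the NHS down."""
    hub = Nhs(auth="cisco47")
    s1 = Nhc("10.0.0.2", "172.30.1.1", "cisco47", "172.30.2.1")
    s2 = Nhc("10.0.0.3", "172.30.3.1", "cisco47", "172.30.2.1")
    s1.register(hub)
    s2.register(hub)
    via_nhs = s1.next_hop("10.0.0.3", hub)       # resolved through the NHS
    via_cache = s1.next_hop("10.0.0.3", None)    # served from spoke 1's own cache
    rogue = Nhc("10.0.0.9", "198.51.100.9", "wrong-string", "172.30.2.1")
    rogue_ok = rogue.register(hub)
    for _ in range(DOWN_AFTER):
        s1.register(None)
    fallback = s1.next_hop("10.0.0.4", None)     # unknown spoke, NHS down: stay on the hub
    return {"via_nhs": via_nhs, "via_cache": via_cache, "rogue_registered": rogue_ok,
            "hub_bindings": dict(hub.cache), "nhs_up_after_loss": s1.nhs_up,
            "fallback": fallback}
```

`retransmit_times(3)` gives 1, 3 and 7 seconds, the 7 seconds after which the text declares the NHS down; `registration_interval(600)` gives the 200-second period that `ip nhrp holdtime 600` implies.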


PART II: PRACTICE

1. Basic lab: configuring a GRE tunnel to a remote site

Steps to configure the GRE tunnel:

Step 1: configure the routers so that they can ping each other.
On router P:
Router#config terminal
Router(config)#hostname RP
RP(config)#interface f0/1
RP(config-if)#ip address 172.30.1.2 255.255.255.0
RP(config-if)#no shut
RP(config-if)#exit
RP(config)#int f0/0
RP(config-if)#ip address 10.0.1.2 255.255.255.0
RP(config-if)#no shut
RP(config-if)#exit
RP(config)#ip route 0.0.0.0 0.0.0.0 172.30.1.1
On router Q:
Router#config terminal
Router(config)#hostname RQ
RQ(config)#int f0/1
RQ(config-if)#ip address 172.30.6.2 255.255.255.0
RQ(config-if)#no shut
RQ(config-if)#exit
RQ(config)#int f0/0
RQ(config-if)#ip add 10.0.6.2 255.255.255.0
RQ(config-if)#no shut
RQ(config-if)#exit
RQ(config)#ip route 0.0.0.0 0.0.0.0 172.30.6.1

Step 2: configure the tunnel interfaces.
On router P:
RP(config)# interface tunnel 0
RP(config-if)# ip address 172.16.1.1 255.255.255.0
RP(config-if)# tunnel source 172.30.1.2
RP(config-if)# tunnel destination 172.30.6.2
RP(config-if)# no shut
RP(config-if)#exit
On router Q:
RQ(config)#interface tunnel 0
RQ(config-if)# ip address 172.16.1.6 255.255.255.0
# the original typed 172.61.1.6 here (and the captured show run still shows it), which puts the two tunnel ends in different subnets;
# the lab still worked only because the static routes in step 3 point at the tunnel interface rather than at a next-hop address
RQ(config-if)# tunnel source 172.30.6.2
RQ(config-if)#tunnel destination 172.30.1.2
RQ(config-if)#no shut
RQ(config-if)#exit

Step 3: configure static routes through the tunnel.
RP(config)# ip route 10.0.6.0 255.255.255.0 tunnel 0
RQ(config)# ip route 10.0.1.0 255.255.255.0 tunnel 0
RP(config)#exit

Verification: the PC behind RP has address 10.0.1.12 and the PC behind RQ has 10.0.6.12. Pinging 10.0.6.12 from 10.0.1.12 succeeds. Note that a plain GRE tunnel only encapsulates: nothing between 172.30.1.2 and 172.30.6.2 is encrypted or authenticated, which is what the IPsec labs that follow add.


Verifying operation:
RP#show run
hostname RP
!
interface Tunnel0
 ip address 172.16.1.1 255.255.255.0
 tunnel source 172.30.1.2
 tunnel destination 172.30.6.2
!
interface FastEthernet0/0
 ip address 10.0.1.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 172.30.1.2 255.255.255.0
 duplex auto
 speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.30.1.1
ip route 10.0.6.0 255.255.255.0 Tunnel0
!

RQ#show run
hostname RQ
!
interface Tunnel0
 ip address 172.61.1.6 255.255.255.0
 tunnel source 172.30.6.2
 tunnel destination 172.30.1.2
!
interface FastEthernet0/0
 ip address 10.0.6.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 172.30.6.2 255.255.255.0
 duplex auto
 speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.30.6.1
ip route 10.0.1.0 255.255.255.0 Tunnel0
!

Check the tunnel interface:
RP#show interface tunnel 0
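What the tunnel above actually puts on the wire between 172.30.1.2 and 172.30.6.2 is shown by the following added example, which is not code from the report or from Cisco IOS: a Python builder and parser for the GRE header (RFC 2784, with the RFC 2890 key and sequence-number fields). The inner IPv4 packet between the lab PCs 10.0.1.12 and 10.0.6.12 and its ICMP stub are constructed sample input, and the key value 1000 is borrowed from the DMVPN lab's `tunnel key 1000`. The point it demonstrates is that GRE gives an observer on the transit path the inner addresses in the clear, and that the tunnel key is only a demultiplexing tag: anyone who has seen it can inject packets the far end will decapsulate.

```python
"""Build and parse GRE headers (RFC 2784 + RFC 2890 key/sequence fields).

Added example, not part of the report. The inner IPv4 packet and the ICMP
stub are constructed sample data; the addresses are the lab's PC addresses.
"""
import socket
import struct

GRE_PROTO_IPV4 = 0x0800
FLAG_C, FLAG_K, FLAG_S = 0x8000, 0x2000, 0x1000


def checksum16(data):
    """Internet checksum (RFC 1071) as used by the IPv4 and GRE headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, payload_len, proto=1):
    """Minimal 20-byte IPv4 header (constructed sample; proto 1 = ICMP)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum16(hdr)) + hdr[12:]


def build_gre(payload, proto=GRE_PROTO_IPV4, key=None, seq=None, checksum=False):
    """GRE header: flags/version, protocol type, then the optional checksum+reserved,
    key and sequence fields in that order, followed by the encapsulated payload."""
    flags, opt = 0, b""
    if key is not None:
        flags |= FLAG_K
        opt += struct.pack("!I", key)
    if seq is not None:
        flags |= FLAG_S
        opt += struct.pack("!I", seq)
    if checksum:
        flags |= FLAG_C
        hdr = struct.pack("!HHHH", flags, proto, 0, 0) + opt
        hdr = hdr[:4] + struct.pack("!HH", checksum16(hdr + payload), 0) + hdr[8:]
    else:
        hdr = struct.pack("!HH", flags, proto) + opt
    return hdr + payload


def parse_gre(packet):
    """Decode a GRE packet; anyone on the transit path can do exactly this."""
    flags, proto = struct.unpack("!HH", packet[:4])
    if flags & 0x0007:
        raise ValueError("only GRE version 0 is handled")
    pos, info = 4, {"proto": proto, "key": None, "seq": None, "checksum_ok": None}
    if flags & FLAG_C:
        # summing the whole packet, stored checksum included, must give zero
        info["checksum_ok"] = checksum16(packet) == 0
        pos += 4
    if flags & FLAG_K:
        info["key"] = struct.unpack("!I", packet[pos:pos + 4])[0]
        pos += 4
    if flags & FLAG_S:
        info["seq"] = struct.unpack("!I", packet[pos:pos + 4])[0]
        pos += 4
    info["payload"] = packet[pos:]
    return info


def inner_addresses(payload):
    """Source and destination of the encapsulated IPv4 packet, readable in clear."""
    src, dst = struct.unpack("!4s4s", payload[12:20])
    return socket.inet_ntoa(src), socket.inet_ntoa(dst)


def tunnel_accepts(packet, expected_key):
    """All a GRE endpoint checks before decapsulating: protocol type and key.
    Nothing here proves who sent the packet."""
    info = parse_gre(packet)
    return info["proto"] == GRE_PROTO_IPV4 and info["key"] == expected_key


def demo():
    icmp = b"\x08\x00\xf7\xff\x00\x00\x00\x00"             # constructed echo-request stub
    inner = ipv4_header("10.0.1.12", "10.0.6.12", len(icmp)) + icmp
    on_wire = build_gre(inner, key=1000, seq=1, checksum=True)
    seen = parse_gre(on_wire)                               # a passive observer's view
    # an observer who saw the key can forge a packet the far end will accept
    forged = build_gre(ipv4_header("10.0.1.12", "10.0.6.12", 0), key=seen["key"])
    return {"header_len": len(on_wire) - len(inner), "key": seen["key"],
            "inner": inner_addresses(seen["payload"]), "checksum_ok": seen["checksum_ok"],
            "forged_accepted": tunnel_accepts(forged, 1000)}
```

With checksum, key and sequence number present the GRE header is 16 bytes, which is why the DMVPN lab lowers the tunnel `ip mtu` to 1400 to leave room for this header plus the IPsec overhead. The checksum only detects accidental corruption; confidentiality and authentication come from the IPsec protection added in the next labs.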


2. Lab: configuring Windows Server 2003 as a CA server

The topology is as follows:

Devices: two Cisco 2800 routers, one Catalyst 3550 switch and one Windows Server 2003 machine.

Client 1:
Router#config terminal
Router(config)#hostname Client1
Client1(config)# interface f0/1
Client1(config-if)# ip address 172.30.2.2 255.255.255.0
Client1(config-if)# no shut
Client1(config-if)# exit
# the original typed interface f0/1 a second time here; the show run captured below places 192.168.1.2 on f0/0
Client1(config)# interface f0/0
Client1(config-if)# ip address 192.168.1.2 255.255.255.0
Client1(config-if)# no shut
Client1(config-if)# exit
# default route towards the CA server and the peer (present in the captured show run, missing from the typed steps)
Client1(config)# ip route 0.0.0.0 0.0.0.0 172.30.2.1
# configure the domain name and the CA host name
Client1(config)# ip domain-name cisco.com
Client1(config)# ip host caserver 172.30.1.2
# RSA key pair for the certificate request; the original does not show this step, and the certificate
# captured below for client2 contains a 512-bit key, so state the modulus size explicitly
Client1(config)# crypto key generate rsa modulus 2048
# configure the trustpoint
Client1(config)# crypto ca trustpoint CA
Client1(ca-trustpoint)# enrollment url http://172.30.1.2/certsrv/mscep/mscep.dll
Client1(ca-trustpoint)# subject-name cn=client1@vnpro.org
# as in the captured show run: no CRL is fetched, so a revoked peer certificate would still be accepted
Client1(ca-trustpoint)# revocation-check none
Client1(ca-trustpoint)# exit
# fetch the CA certificate over SCEP; compare the fingerprint displayed with the one the CA shows before accepting it
Client1(config)# crypto ca authenticate CA
# request client1's own certificate; the original omits this step, and without an identity certificate
# the rsa-sig authentication used by the ISAKMP policy below cannot complete
Client1(config)# crypto ca enroll CA
# configure the VPN
Client1(config)# crypto isakmp policy 10
# authentication is left at its default, rsa-sig, which uses the certificates obtained above;
# des and md5 are the lab's choices and are obsolete, use aes and sha256 outside a lab
Client1(config-isakmp)# hash md5
Client1(config-isakmp)# exit
Client1(config)# crypto ipsec transform-set myset esp-des esp-md5-hmac
Client1(cfg-crypto-trans)# exit
Client1(config)# crypto map mymap 10 ipsec-isakmp
Client1(config-crypto-map)# set peer 172.30.3.2
Client1(config-crypto-map)# set transform-set myset
Client1(config-crypto-map)# match address 101
Client1(config-crypto-map)# exit
# the captured show run numbers this list 150; the entries are the same
Client1(config)# access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
# apply the crypto map to the outside interface
Client1(config)# interface f0/1
Client1(config-if)# crypto map mymap
Client1(config-if)# exit
Client1(config)#

Client 2:
Router#config terminal
Router(config)#hostname Client2
Client2(config)# interface f0/1
Client2(config-if)# ip address 172.30.3.2 255.255.255.0
Client2(config-if)# no shut
Client2(config-if)# exit
Client2(config)# interface f0/0
Client2(config-if)# ip address 192.168.2.2 255.255.255.0
Client2(config-if)# no shut
Client2(config-if)# exit
Client2(config)# ip route 0.0.0.0 0.0.0.0 172.30.3.1
# configure the domain name and the CA host name
Client2(config)# ip domain-name cisco.com
Client2(config)# ip host caserver 172.30.1.2
Client2(config)# crypto key generate rsa modulus 2048
# configure the trustpoint
Client2(config)# crypto ca trustpoint CA
Client2(ca-trustpoint)# enrollment url http://172.30.1.2/certsrv/mscep/mscep.dll
# the original typed cn=client1@vnpro.org on this router as well, which is why the certificate captured below for client2 carries that name
Client2(ca-trustpoint)# subject-name cn=client2@vnpro.org
Client2(ca-trustpoint)# revocation-check none
Client2(ca-trustpoint)# exit
Client2(config)# crypto ca authenticate CA
Client2(config)# crypto ca enroll CA
# configure the VPN
Client2(config)# crypto isakmp policy 10
Client2(config-isakmp)# hash md5
Client2(config-isakmp)# exit
Client2(config)# crypto ipsec transform-set myset esp-des esp-md5-hmac
Client2(cfg-crypto-trans)# exit
Client2(config)# crypto map mymap 10 ipsec-isakmp
Client2(config-crypto-map)# set peer 172.30.2.2
Client2(config-crypto-map)# set transform-set myset
Client2(config-crypto-map)# match address 101
Client2(config-crypto-map)# exit
Client2(config)# access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
# apply the crypto map to the outside interface
Client2(config)# interface f0/1
Client2(config-if)# crypto map mymap
Client2(config-if)# exit
Client2(config)#

Configuring the CA server
To build a CA on Windows Server 2003, proceed as follows.
Step 1: install IIS. Certificate Services on Windows Server 2003 requires IIS:
1. Go to Start, Control Panel, Add or Remove Programs.
2. In Add or Remove Programs, click Add/Remove Windows Components.
3. Click Application Server (without ticking its checkbox)

and choose Details.
4. Tick Internet Information Services (IIS).


5. Click Next.

Click Finish to complete the installation.

Step 2: install Certificate Services.
1. Go to Start, Control Panel, Add or Remove Programs.
2. In Add or Remove Programs, click Add/Remove Windows Components.
3. Tick Certificate Services.


4. A warning appears that the computer name cannot be changed once Certificate Services is installed; choose Yes.

5. Under CA type, choose Stand-alone root CA and click Next.


6. Under Common name for this CA, enter the name of the machine being installed on, for example C0111 when installing on machine C0111.

7. Keep the default location for the CA database and log files

and click Next.


8. After clicking Next, a message asks to stop Internet Information Services; choose Yes.

9. After Yes, a prompt asks for the I386 installation files; click OK

and browse to the folder containing I386.


10. As the installation completes, a message appears;

choose Yes.

11. Click Finish to complete the installation.


Step 3: with the CA installed, add the SCEP add-on so that the routers can enrol over HTTP.
1. Start the SCEP add-on installer.

2. Click Next

and choose Use the local system account.


3. Click Next

and untick Require SCEP challenge phrase to enroll. Note: with the challenge phrase disabled, anything that can reach http://172.30.1.2/certsrv/mscep/mscep.dll can obtain a certificate from this CA without any proof of identity, and such a certificate is then accepted by the rsa-sig IKE policy on both routers; this is acceptable only in an isolated lab.

4. Click Next,

choose Yes and fill in the information requested.


5. Click Next

and Finish to complete the installation.

Verifying operation
On client1 (note that the certificate chain below contains only the CA certificate: in this capture client1 holds no identity certificate of its own, and its trustpoint names cn=client2@vnpro.org):
Client1# show run
Building configuration...

Current configuration : 3484 bytes
!
! Last configuration change at 17:39:57 UTC Tue Apr 1 2008
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname client1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
ip cef
!
ip domain name cisco.com
ip host caserver 172.30.1.2
!
multilink bundle-name authenticated
!
voice-card 0
 no dspfarm
!
crypto pki trustpoint CA
 enrollment mode ra
 enrollment url http://172.30.1.2:80/certsrv/mscep/mscep.dll
 subject-name cn=client2@vnpro.org
 revocation-check none
!
crypto pki certificate chain CA
 certificate ca 2AE3AB73C8740484449E6747E831C315


3082035E 30820246 A0030201 0202102A E3AB73C8 74048444 9E6747E8 31C31530 0D06092A 864886F7 0D010105 0500300D 310B3009 06035504 03130243 41301E17 0D303830 34303131 30303733 305A170D 31333034 30313130 31373039 5A300D31 0B300906 03550403 13024341 30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101 00CBA99B 66BE2E13 686D17E1 78F65707 ED7FC5BB 8B185DFC ACB0528C 98E34EA1 D8740992 3BCA5499 0F4560D0 FC812612 86F32EE4 BE2C9F25 8B1E1559 48105CF4 2BA982F1 25796414 F2B0C807 6E674F3C 26570EE5 6F3B8050 8A9F2B04 950053E5 F5E89D83 3F845E55 B8FC417A 7E928666 93DE60C0 16B17729 AF9D47C2 B2F38BC9 5A0A9BDC 8F082F5D 9E1A1C52 F38E527C D3675A51 172C6B22 8D50D782 CD7DFF60 0894C803 D4E383E1 59512FFD A94B6A1B 0E20D5FF 19AFDBBA 19557ECE BD6AD9C7 3A291286 6BB769E2 732C4077 4DC8C494 03EC5B28 BD54E9F7 A99FBD6F 1C16D9F5 250F6130 3E84A20A A3DDBB0F 047B83E8 3FE45FE8 088B6F2E 61846DBE 97DD7FAA 73020301 0001A381 B93081B6 300B0603 551D0F04 04030201 86300F06 03551D13 0101FF04 05300301 01FF301D 0603551D 0E041604 14ED3F97 C57AB992 26BAFC48 4E7BD3C9 E85BF544 0A306506 03551D1F 045E305C 305AA058 A0568628 68747470 3A2F2F74 6F2D7A6E 6A6E346F 36726F30 34682F43


65727445 6E726F6C 6C2F4341 2E63726C 862A6669 6C653A2F 2F5C5C74 6F2D7A6E 6A6E346F 36726F30 34685C43 65727445 6E726F6C 6C5C4341 2E63726C 30100609 2B060104 01823715 01040302 0100300D 06092A86 4886F70D 01010505 00038201 01001E07 FB20C734 7FD7D5F4 C2164304 CCBC2F51 3F3D7DBA DBAD3574 C2825357 942BD488 4B83150F 434DC673 164E5819 F508E271 EBF9F4CC 57775094 7C9A1D60 44CE7B0B EC0498CD 96487BF9 8611577C F82DAE85 9FFC14B6 825706BA 0B3B0A9E C9DA0A44 F02C2657 D3299546 46F9B79B 24005242 23177BA1 B368EA26 9FF33103 5C25436D 89439014 41158A39 D527AEF0 327EDA5B 2D58179B C4845291 7346E26B D15CEEE0 54FEC609 E6AC91A1 81391F7F C1C89D2A 62DDFFE5 A160B233 ED3AC12D 109FF62E 6A753A64 821EDE52 CB4CEBE2 EBCC9E76 1C67E1E2 771EACBA 1588B9CF FFD5FEBA 12336A71 8A8FD10C 4FA62140 31476CD7 AAFF8529 E76E9AE8 A0BA5E50 0112

  quit
!
crypto isakmp policy 10
 hash md5
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
!
crypto map mymap 10 ipsec-isakmp
 set peer 172.30.3.2
 set transform-set myset
 match address 150
!
interface FastEthernet0/0
 ip address 192.168.1.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 172.30.2.2 255.255.255.0
 duplex auto
 speed auto
 crypto map mymap
!
interface Serial0/1/0
 no ip address
 shutdown
 clock rate 2000000
!
ip route 0.0.0.0 0.0.0.0 172.30.2.1
!
ip http server
no ip http secure-server
!
access-list 150 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
control-plane
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 privilege level 15
 no login
!
scheduler allocate 20000 1000
!
end

On client2:
Client2# show run
Building configuration...

Current configuration : 5774 bytes
!
! Last configuration change at 17:23:41 UTC Tue Apr 1 2008
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname client2
!
boot-start-marker
boot-end-marker
!
no aaa new-model
ip cef
!
ip domain name cisco.com
ip host caserver 172.30.1.2
!
voice-card 0
!
crypto pki trustpoint CA
 enrollment mode ra
 enrollment url http://172.30.1.2:80/certsrv/mscep/mscep.dll
 subject-name cn=client1@vnpro.org
 revocation-check none
!
crypto pki certificate chain CA
 certificate 618FFBFC000000000004


308203C4 308202AC A0030201 02020A61 8FFBFC00 00000000 04300D06 092A8648 86F70D01 01050500 300D310B 30090603 55040313 02434130 1E170D30 38303430 31313031 3031335A 170D3039 30343031 31303230 31335A30 3E312030 1E06092A 864886F7 0D010902 1311636C 69656E74 322E6369 73636F2E 636F6D31 1A301806 03550403 1411636C 69656E74 3140766E 70726F2E 6F726730 5C300D06 092A8648 86F70D01 01010500 034B0030 48024100 A480B3CC 2C27F772 EB3411DB 2E7A8330 F4FBF6BE 235F7BEC AFD201A0 CD47A95F 7F12D3F1 0BF60369 02F58108 2A5EFB2F 6BD89DF6 45ADF27D AE5D40B9 6D53A193 02030100 01A38201 BB308201 B7300B06 03551D0F 04040302 05A0301D 0603551D 0E041604 14CF2761 D9851558 F31FF702 235D9E31 5CEF87CF 71301F06 03551D23 04183016 8014ED3F 97C57AB9 9226BAFC 484E7BD3 C9E85BF5 440A3065 0603551D 1F045E30 5C305AA0 58A05686 28687474 703A2F2F 746F2D7A 6E6A6E34 6F36726F 3034682F 43657274 456E726F 6C6C2F43 412E6372 6C862A66 696C653A 2F2F5C5C 746F2D7A 6E6A6E34 6F36726F 3034685C 43657274 456E726F 6C6C5C43 412E6372 6C30819E 06082B06 01050507 01010481 9130818E 30440608 2B060105 05073002 86386874 74703A2F 2F746F2D 7A6E6A6E 346F3672 6F303468 2F436572 74456E72 6F6C6C2F 746F2D7A 6E6A6E34 6F36726F 3034685F 43412E63 72743046 06082B06 01050507 3002863A 66696C65 3A2F2F5C


5C746F2D 7A6E6A6E 346F3672 6F303468 5C436572 74456E72 6F6C6C5C 746F2D7A 6E6A6E34 6F36726F 3034685F 43412E63 7274301F 0603551D 110101FF 04153013 8211636C 69656E74 322E6369 73636F2E 636F6D30 3F06092B 06010401 82371402 04321E30 00490050 00530045 00430049 006E0074 00650072 006D0065 00640069 00610074 0065004F 00660066 006C0069 006E0065 300D0609 2A864886 F70D0101 05050003 82010100 31B97667 A8E4D0D6 B4F5083D C552F2DD 1E7E08B3 FBC46B10 8D4C4F96 04C77623 BF17A57B 5AE15975 234A64FF 1FBD376B 2D39D4B0 7C2F2187 F4F545AB E8ED233B CA13AB1E 23025DF7 98CD8222 E82E0FB8 72EEA354 FB841224 4A954CC6 598A15B6 45BB7AF6 2B88279F 0F18C771 E18D5C39 AEF719FC 036B19B3 0ADFFEE5 E896497C 520A7D64 B3FFD626 3C54AABD 523459B1 47E59401 AF4415E2 37A80E47 BE957700 392EAD42 EBE82BF2 B03F1875 33D91B6C 5C40FF8E 4C606499 A4B8B173 47CE6653 DA897A58 1C5A8514 699A793F 95147CE5 E4036BC3 FCF0E795 6B758C4D EC6FB390 60AE43B1 393B6CF9 B9D959AB 09B94067 102991D6 69640739 2AEEF189 780A64DF

  quit
 certificate ca 2AE3AB73C8740484449E6747E831C315

3082035E 30820246 A0030201 0202102A E3AB73C8 74048444 9E6747E8 31C31530 0D06092A 864886F7 0D010105 0500300D 310B3009 06035504 03130243 41301E17 0D303830 34303131 30303733 305A170D 31333034 30313130 31373039 5A300D31 0B300906 03550403 13024341 30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101 00CBA99B 66BE2E13 686D17E1 78F65707 ED7FC5BB 8B185DFC ACB0528C 98E34EA1 D8740992 3BCA5499 0F4560D0 FC812612 86F32EE4 BE2C9F25 8B1E1559 48105CF4 2BA982F1 25796414 F2B0C807 6E674F3C 26570EE5 6F3B8050 8A9F2B04 950053E5 F5E89D83 3F845E55 B8FC417A 7E928666 93DE60C0 16B17729 AF9D47C2 B2F38BC9 5A0A9BDC 8F082F5D 9E1A1C52 F38E527C D3675A51 172C6B22 8D50D782 CD7DFF60 0894C803 D4E383E1 59512FFD A94B6A1B 0E20D5FF 19AFDBBA 19557ECE BD6AD9C7 3A291286 6BB769E2 732C4077 4DC8C494 03EC5B28

BD54E9F7 A99FBD6F 1C16D9F5 250F6130 3E84A20A A3DDBB0F 047B83E8 3FE45FE8 088B6F2E 61846DBE 97DD7FAA 73020301 0001A381 B93081B6 300B0603 551D0F04 04030201 86300F06 03551D13 0101FF04 05300301 01FF301D 0603551D 0E041604 14ED3F97 C57AB992 26BAFC48 4E7BD3C9 E85BF544 0A306506 03551D1F 045E305C 305AA058 A0568628 68747470 3A2F2F74 6F2D7A6E 6A6E346F 36726F30 34682F43 65727445 6E726F6C 6C2F4341 2E63726C 862A6669 6C653A2F 2F5C5C74 6F2D7A6E 6A6E346F 36726F30 34685C43 65727445 6E726F6C 6C5C4341 2E63726C 30100609 2B060104 01823715 01040302 0100300D 06092A86 4886F70D 01010505 00038201 01001E07 FB20C734 7FD7D5F4 C2164304 CCBC2F51 3F3D7DBA DBAD3574 C2825357 942BD488 4B83150F 434DC673 164E5819 F508E271 EBF9F4CC 57775094 7C9A1D60 44CE7B0B EC0498CD 96487BF9 8611577C F82DAE85 9FFC14B6 825706BA 0B3B0A9E C9DA0A44 F02C2657 D3299546 46F9B79B 24005242 23177BA1 B368EA26 9FF33103 5C25436D 89439014 41158A39 D527AEF0 327EDA5B 2D58179B C4845291 7346E26B D15CEEE0 54FEC609 E6AC91A1 81391F7F C1C89D2A 62DDFFE5 A160B233 ED3AC12D 109FF62E 6A753A64 821EDE52 CB4CEBE2 EBCC9E76 1C67E1E2 771EACBA 1588B9CF FFD5FEBA 12336A71 8A8FD10C 4FA62140 31476CD7 AAFF8529 E76E9AE8 A0BA5E50 0112

  quit
!
crypto isakmp policy 10
 hash md5
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
!
crypto map mymap 10 ipsec-isakmp
 set peer 172.30.2.2
 set transform-set myset
 match address 150
!
interface FastEthernet0/0
 ip address 192.168.2.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 172.30.3.2 255.255.255.0
 duplex auto
 speed auto
 crypto map mymap
!
interface Serial0/1/0
 no ip address
 shutdown
 no fair-queue
 clock rate 2000000
!
ip route 0.0.0.0 0.0.0.0 172.30.3.1
!
ip http server
no ip http secure-server
!
access-list 150 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
control-plane
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 privilege level 15
 no login
!
scheduler allocate 20000 1000
end

client2# show crypto ca certificates
Certificate
  Status: Available
  Certificate Serial Number: 618FFBFC000000000004
  Certificate Usage: General Purpose
  Issuer:
    cn=CA
  Subject:
    Name: client2.cisco.com
    cn=client1@vnpro.org
    hostname=client2.cisco.com
  CRL Distribution Points:
    http://to-znjn4o6ro04h/CertEnroll/CA.crl
  Validity Date:
    start date: 10:10:13 UTC Apr 1 2008
    end   date: 10:20:13 UTC Apr 1 2009
  Associated Trustpoints: CA


CA Certificate
  Status: Available
  Certificate Serial Number: 2AE3AB73C8740484449E6747E831C315
  Certificate Usage: Signature
  Issuer:
    cn=CA
  Subject:
    cn=CA
  CRL Distribution Points:
    http://to-znjn4o6ro04h/CertEnroll/CA.crl
  Validity Date:
    start date: 10:07:30 UTC Apr 1 2008
    end   date: 10:17:09 UTC Apr 1 2013
  Associated Trustpoints: CA

Ping from PC2 to PC1 to check connectivity:

Result: the two PCs can reach each other.
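The hex blobs that show run prints under crypto pki certificate chain are plain DER, and a few of their leading fields tell a reviewer more than show crypto ca certificates does. The following added example, not code from the report or from Cisco, is a minimal pure-Python DER reader applied to the first 144 and 176 bytes of the two certificates captured above (copied from that hex; the blobs stop just inside the RSA modulus, so the reader recovers serial, algorithms, names, validity and key size but cannot verify a signature). It shows that the CA key is 2048 bits but the certificate issued to client2 carries only a 512-bit RSA key, that both are signed with SHA-1, and that client2's subject is the cn=client1@vnpro.org that was typed into its trustpoint.

```python
"""Read the leading fields of the X.509 certificates a router prints in show run.

Added example, not part of the report. CA_PREFIX and CLIENT2_PREFIX are the
first 144 and 176 bytes of the two certificates in the show run output above;
the DER reader itself is written here for illustration.
"""
from datetime import datetime

CA_PREFIX = bytes.fromhex("""
3082035E 30820246 A0030201 0202102A E3AB73C8 74048444 9E6747E8 31C31530
0D06092A 864886F7 0D010105 0500300D 310B3009 06035504 03130243 41301E17
0D303830 34303131 30303733 305A170D 31333034 30313130 31373039 5A300D31
0B300906 03550403 13024341 30820122 300D0609 2A864886 F70D0101 01050003
82010F00 3082010A 02820101 00CBA99B
""")
CLIENT2_PREFIX = bytes.fromhex("""
308203C4 308202AC A0030201 02020A61 8FFBFC00 00000000 04300D06 092A8648
86F70D01 01050500 300D310B 30090603 55040313 02434130 1E170D30 38303430
31313031 3031335A 170D3039 30343031 31303230 31335A30 3E312030 1E06092A
864886F7 0D010902 1311636C 69656E74 322E6369 73636F2E 636F6D31 1A301806
03550403 1411636C 69656E74 3140766E 70726F2E 6F726730 5C300D06 092A8648
86F70D01 01010500 034B0030 48024100
""")
NAME_OIDS = {"2.5.4.3": "CN", "1.2.840.113549.1.9.2": "unstructuredName"}


def _tlv(buf, pos):
    """One DER tag/length header: (tag, length, offset of the content)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                   # long form: next n bytes hold the length
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, ln, pos


def _oid(raw):
    """Decode OBJECT IDENTIFIER content bytes to dotted form."""
    parts, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))


def _name(buf, pos, end):
    """Name = SEQUENCE of SET of {OID, value}; returns {attribute: value}."""
    out = {}
    while pos < end:
        _, ln, pos = _tlv(buf, pos)                 # SET (one RDN)
        rdn_end = pos + ln
        while pos < rdn_end:
            _, _, pos = _tlv(buf, pos)              # AttributeTypeAndValue SEQUENCE
            _, oln, p = _tlv(buf, pos)
            attr = _oid(buf[p:p + oln])
            _, vln, p = _tlv(buf, p + oln)
            out[NAME_OIDS.get(attr, attr)] = buf[p:p + vln].decode("latin-1")
            pos = p + vln
    return out


def _utctime(raw):
    return datetime.strptime(raw.decode("ascii"), "%y%m%d%H%M%SZ")


def peek_certificate(prefix):
    """Walk Certificate -> tbsCertificate as far as the RSA modulus length."""
    info, (_, ln, pos) = {}, _tlv(prefix, 0)        # Certificate SEQUENCE
    info["der_length"] = pos + ln                    # full size the router stored
    _, _, pos = _tlv(prefix, pos)                    # tbsCertificate SEQUENCE
    tag, ln, pos = _tlv(prefix, pos)
    info["version"] = prefix[pos + 2] + 1 if tag == 0xA0 else 1
    if tag == 0xA0:                                  # [0] EXPLICIT version, then the serial
        tag, ln, pos = _tlv(prefix, pos + ln)
    info["serial"], pos = prefix[pos:pos + ln].hex().upper(), pos + ln
    _, ln, pos = _tlv(prefix, pos)                   # signature AlgorithmIdentifier
    _, oln, p = _tlv(prefix, pos)
    info["sig_alg"], pos = _oid(prefix[p:p + oln]), pos + ln
    _, ln, pos = _tlv(prefix, pos)                   # issuer
    info["issuer"], pos = _name(prefix, pos, pos + ln), pos + ln
    _, ln, pos = _tlv(prefix, pos)                   # validity: two UTCTime
    _, tln, p = _tlv(prefix, pos)
    info["not_before"] = _utctime(prefix[p:p + tln])
    _, tln, p = _tlv(prefix, p + tln)
    info["not_after"], pos = _utctime(prefix[p:p + tln]), pos + ln
    _, ln, pos = _tlv(prefix, pos)                   # subject
    info["subject"], pos = _name(prefix, pos, pos + ln), pos + ln
    _, _, pos = _tlv(prefix, pos)                    # subjectPublicKeyInfo
    _, ln, pos = _tlv(prefix, pos)                   # AlgorithmIdentifier
    _, oln, p = _tlv(prefix, pos)
    info["key_alg"], pos = _oid(prefix[p:p + oln]), pos + ln
    _, _, pos = _tlv(prefix, pos)                    # BIT STRING; skip its unused-bits octet
    _, _, pos = _tlv(prefix, pos + 1)                # RSAPublicKey SEQUENCE
    _, ln, pos = _tlv(prefix, pos)                   # modulus INTEGER
    info["key_bits"] = (ln - (prefix[pos] == 0)) * 8  # minus the sign padding byte
    return info


def findings(info):
    """Weaknesses visible from these fields alone."""
    out = []
    if info["key_bits"] < 2048:
        out.append("RSA key is only %d bits" % info["key_bits"])
    if info["sig_alg"] == "1.2.840.113549.1.1.5":
        out.append("signed with sha1WithRSAEncryption")
    return out
```

The report does not show the crypto key generate rsa step on the routers; the 65-byte modulus in client2's certificate means a 512-bit key pair was generated, which is factorable with modest resources today, so the modulus size should be stated explicitly (2048 or more) before enrolling. The one-year router certificate and five-year CA certificate match the validity dates in the show crypto ca certificates output above.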


3. Lab: DMVPN

Configuration steps:

Step 1: give the routers connectivity to each other.
Spoke 1:
Router#config terminal
Router(config)# hostname Spoke1
Spoke1(config)# interface f0/0
Spoke1(config-if)# ip address 172.30.1.1 255.255.255.0
Spoke1(config-if)# no shutdown
Spoke1(config-if)# exit
Spoke1(config)# interface f0/1
Spoke1(config-if)# ip address 192.168.1.1 255.255.255.0
Spoke1(config-if)# no shutdown
Spoke1(config-if)# exit
Spoke1(config)# ip route 0.0.0.0 0.0.0.0 172.30.1.2
Spoke 2:
Router# config terminal
Router(config)# hostname Spoke2
Spoke2(config)# interface f0/0
Spoke2(config-if)# ip address 172.30.3.1 255.255.255.0
Spoke2(config-if)# no shutdown
Spoke2(config-if)# exit
Spoke2(config)# interface f0/1
Spoke2(config-if)# ip address 192.168.2.1 255.255.255.0
Spoke2(config-if)# no shutdown
Spoke2(config-if)# exit
Spoke2(config)# ip route 0.0.0.0 0.0.0.0 172.30.3.2
Hub:
Router#config terminal
Router(config)# hostname Hub
Hub(config)# interface f0/0
Hub(config-if)# ip address 172.30.2.1 255.255.255.0
Hub(config-if)# no shutdown
Hub(config-if)# exit
Hub(config)# interface loopback 0
Hub(config-if)# ip address 192.168.0.1 255.255.255.0
Hub(config-if)# exit
Hub(config)# ip route 0.0.0.0 0.0.0.0 172.30.2.2

Configuration of Spoke1
Step 2: IKE phase 1 on Spoke1
Spoke1(config)# crypto isakmp enable
Spoke1(config)# crypto isakmp policy 1
Spoke1(config-isakmp)# authentication pre-share
Spoke1(config-isakmp)# hash md5
Spoke1(config-isakmp)# exit
Spoke1(config)# crypto isakmp key cisco47 address 0.0.0.0 0.0.0.0
# 0.0.0.0 0.0.0.0 makes cisco47 a wildcard pre-shared key: the hub and every spoke share one secret, so any device
# that learns it can join the DMVPN and impersonate a spoke; outside a lab use per-peer keys or certificates
Step 3: IPsec phase 2 on Spoke1 (transform set and IPsec profile)
Spoke1(config)# crypto ipsec transform-set myset esp-des esp-md5-hmac
Spoke1(cfg-crypto-trans)# exit
Spoke1(config)# crypto ipsec profile dmvpn
Spoke1(ipsec-profile)# set transform-set myset
Spoke1(ipsec-profile)# exit
# the original built a crypto map here (crypto map dmvpn 10 ipsec-isakmp with set peer 172.30.2.1, set security-association
# level per-host and access-list 101 permit gre 172.30.1.0 0.0.0.255 host 172.30.2.1) but never applied it to an interface,
# and never created the profile that the tunnel's tunnel protection command names; with tunnel protection the profile
# replaces the crypto map, so it is created here, before the tunnel refers to it
Step 4: mGRE tunnel with NHRP (DMVPN) on Spoke1
Spoke1(config)# interface tunnel 0
Spoke1(config-if)# ip address 10.0.0.2 255.255.255.0
Spoke1(config-if)# ip mtu 1400
Spoke1(config-if)# ip nhrp authentication cisco47
Spoke1(config-if)# ip nhrp map 10.0.0.1 172.30.2.1
Spoke1(config-if)# ip nhrp map multicast 172.30.2.1
Spoke1(config-if)# ip nhrp network-id 100
Spoke1(config-if)# ip nhrp holdtime 600
Spoke1(config-if)# ip nhrp nhs 10.0.0.1
Spoke1(config-if)# no ip next-hop-self eigrp 1
Spoke1(config-if)# tunnel source f0/0
Spoke1(config-if)# tunnel mode gre multipoint
Spoke1(config-if)# tunnel key 1000
Spoke1(config-if)# tunnel protection ipsec profile dmvpn
Spoke1(config-if)# exit
# the original typed ip nhs, ip map multicast and ip nhrp hold-time; the IOS keywords are ip nhrp nhs,
# ip nhrp map multicast and ip nhrp holdtime
Step 5: routing with EIGRP on Spoke1
Spoke1(config)# router eigrp 1
Spoke1(config-router)# network 10.0.0.0 0.0.0.255
Spoke1(config-router)# network 192.168.1.0 0.0.0.255
Spoke1(config-router)# no auto-summary

Configuration of Spoke2
Step 2: IKE phase 1 on Spoke2
Spoke2(config)# crypto isakmp enable
Spoke2(config)# crypto isakmp policy 1
Spoke2(config-isakmp)# authentication pre-share
Spoke2(config-isakmp)# hash md5
Spoke2(config-isakmp)# exit
Spoke2(config)# crypto isakmp key cisco47 address 0.0.0.0 0.0.0.0
Step 3: IPsec phase 2 on Spoke2 (transform set and IPsec profile)
Spoke2(config)# crypto ipsec transform-set myset esp-des esp-md5-hmac
Spoke2(cfg-crypto-trans)# exit
Spoke2(config)# crypto ipsec profile dmvpn
Spoke2(ipsec-profile)# set transform-set myset
Spoke2(ipsec-profile)# exit
Step 4: mGRE tunnel with NHRP (DMVPN) on Spoke2
Spoke2(config)# interface tunnel 0
Spoke2(config-if)# ip address 10.0.0.3 255.255.255.0
Spoke2(config-if)# ip mtu 1400
Spoke2(config-if)# ip nhrp authentication cisco47
Spoke2(config-if)# ip nhrp map 10.0.0.1 172.30.2.1
Spoke2(config-if)# ip nhrp map multicast 172.30.2.1
Spoke2(config-if)# ip nhrp network-id 100
Spoke2(config-if)# ip nhrp holdtime 600
Spoke2(config-if)# ip nhrp nhs 10.0.0.1
Spoke2(config-if)# no ip next-hop-self eigrp 1
Spoke2(config-if)# tunnel source f0/0
Spoke2(config-if)# tunnel mode gre multipoint
Spoke2(config-if)# tunnel key 1000
Spoke2(config-if)# tunnel protection ipsec profile dmvpn
Spoke2(config-if)# exit
Step 5: routing with EIGRP on Spoke2
Spoke2(config)# router eigrp 1
Spoke2(config-router)# network 10.0.0.0 0.0.0.255
Spoke2(config-router)# network 192.168.2.0 0.0.0.255
Spoke2(config-router)# no auto-summary

Configuration of the Hub
Hub(config)# crypto isakmp enable
Hub(config)# crypto isakmp policy 1
Hub(config-isakmp)# authentication pre-share
Hub(config-isakmp)# hash md5
Hub(config-isakmp)# exit
Hub(config)# crypto isakmp key cisco47 address 0.0.0.0 0.0.0.0
Hub(config)# crypto ipsec transform-set myset esp-des esp-md5-hmac
Hub(cfg-crypto-trans)# exit
# create the IPsec profile
Hub(config)# crypto ipsec profile dmvpn
Hub(ipsec-profile)# set transform-set myset
Hub(ipsec-profile)# exit
# configure DMVPN on the tunnel
Hub(config)# interface tunnel 0
Hub(config-if)# ip address 10.0.0.1 255.255.255.0
Hub(config-if)# ip mtu 1400
Hub(config-if)# ip nhrp authentication cisco47
Hub(config-if)# ip nhrp map multicast dynamic
Hub(config-if)# ip nhrp network-id 100
Hub(config-if)# ip nhrp holdtime 600
Hub(config-if)# no ip split-horizon eigrp 1
Hub(config-if)# no ip next-hop-self eigrp 1
Hub(config-if)# tunnel source f0/0
Hub(config-if)# tunnel mode gre multipoint
Hub(config-if)# tunnel key 1000
Hub(config-if)# tunnel protection ipsec profile dmvpn
Hub(config-if)# exit
# ip nhrp network-id 100 was missing in the original; without it NHRP is not enabled on the hub tunnel and the spokes'
# registrations are ignored, and it must match the spokes' value. The two EIGRP lines were also missing: they let the hub
# readvertise one spoke's prefix to the other spokes with the originating spoke as next hop, which is what allows the
# spoke-to-spoke tunnels. The original's ip nhrp multicast dynamic is spelled ip nhrp map multicast dynamic.
# The original then reconfigured f0/0 and gave f0/1 the address 192.168.0.1, which loopback 0 already holds from step 1
# (IOS rejects the overlap); that duplicate is dropped here.
# routing with EIGRP
Hub(config)# router eigrp 1
Hub(config-router)# network 10.0.0.0 0.0.0.255
Hub(config-router)# network 192.168.0.0 0.0.0.255
Hub(config-router)# no auto-summary

Verifying the result
Ping from PC1 to PC2. The first packets travel through the hub while NHRP resolves Spoke2's NBMA address (172.30.3.1); once the resolution reply arrives, Spoke1 brings up a direct IPsec-protected spoke-to-spoke tunnel and later packets bypass the hub.

Ping from PC1 to 192.168.0.1 (the hub's loopback).
