Cisco IPSec basic command
1. Basic IPSec commands

R1(config)# crypto ?

dynamic-map  Specify a dynamic crypto map template

//Create or modify a dynamic crypto map template.

ipsec  Configure IPSEC policy

//Create an IPsec security policy.

isakmp  Configure ISAKMP policy

//Create an IKE policy.

key  Long term key operations

//Generate the RSA key pair used for the router's SSH sessions. The number that follows is the key modulus size in bits.

map  Enter a crypto map

//Create or modify a regular (static) crypto map.

Router(config)# crypto dynamic-map ?

WORD  Dynamic crypto map template tag

//WORD is the name of the dynamic crypto map.

Router(config)# crypto ipsec ?

security-association  Security association parameters

//The IPsec security association lifetime; it can also be set inside the crypto map instead of globally.

transform-set  Define transform and settings

//Define an IPsec transform set (a valid combination of security protocols and algorithms).

Router(config)# crypto isakmp ?

client  Set client configuration policy

//Define an address pool for remote clients.

enable  Enable ISAKMP

//Enable IKE; it is enabled by default.

key  Set pre-shared key for remote peer

//Set the pre-shared key.

policy  Set policy for an ISAKMP protection suite

//Set the priority (number) of an IKE policy.

Router(config)# crypto key ?

generate  Generate new keys

//Generate a new key pair.

zeroize  Remove keys

//Remove the keys.

Router(config)# crypto map ?

WORD  Crypto map tag

//WORD is the name of the crypto map.

2. Important commands

Router(config)# crypto isakmp policy ?

<1-10000>  Priority of protection suite

//Create an IKE policy; the number 1-10000 that follows is the policy's priority.

Router(config)# crypto isakmp policy 100 //Enter IKE policy configuration mode to make the settings below.

Router(config-isakmp)# encryption ? //Set the encryption algorithm; there are three choices.

3des  Three key triple DES

aes  AES - Advanced Encryption Standard.

des  DES - Data Encryption Standard (56 bit keys).

Router(config-isakmp)# hash ? //Set the hash algorithm: MD5 produces a 128-bit digest and SHA-1 a 160-bit digest.

md5  Message Digest 5

sha  Secure Hash Standard

Router(config-isakmp)# authentication pre-share //Use pre-shared key authentication.

Router(config-isakmp)# group ? //Select the Diffie-Hellman group, i.e. the modulus size of the key exchange. A larger group gives stronger keys but slower negotiation.

1  Diffie-Hellman group 1

2  Diffie-Hellman group 2

5  Diffie-Hellman group 5

Router(config-isakmp)# lifetime ? //Set the IKE security association lifetime, 60-86400 seconds.

<60-86400>  lifetime in seconds

Router(config)# crypto isakmp key *** address xxx.xxx.xxx.xxx

//Set the pre-shared key used by IKE; *** is the key string and xxx.xxx.xxx.xxx is the peer's IP address.

Router(config)# crypto ipsec transform-set zx ?

//Define the IPsec transform set, i.e. its encryption and authentication methods. zx is the name of the transform set and can be chosen freely; the names on the two ends may differ, but the other parameters must match.

ah-md5-hmac  AH-HMAC-MD5 transform

ah-sha-hmac  AH-HMAC-SHA transform

esp-3des  ESP transform using 3DES(EDE) cipher (168 bits)

esp-aes  ESP transform using AES cipher

esp-des  ESP transform using DES cipher (56 bits)

esp-md5-hmac  ESP transform using HMAC-MD5 auth

esp-sha-hmac  ESP transform using HMAC-SHA auth

Example: Router(config)# crypto ipsec transform-set zx esp-des esp-md5-hmac

Router(config)# crypto map map_zx 100 ipsec-isakmp

//Create a crypto map named map_zx (the name can be chosen freely) with sequence number 100 (range 1-65535). If the map has several entries, the lower number has the higher priority.

Router(config-crypto-map)# match address ? //Use an ACL to define the traffic to be encrypted.

<100-199>  IP access-list number

WORD  Access-list name

Router(config-crypto-map)# set ?

peer  Allowed Encryption/Decryption peer. //The IP address of the other router.

pfs  Specify pfs settings //Perfect forward secrecy; the key size is the Diffie-Hellman group defined above.

security-association  Security association parameters //The lifetime of the security association.

transform-set  Specify list of transform sets in priority order

//The IPsec transform set(s) used by this crypto map.

Router(config-if)# crypto map zx

//Enter the router interface and apply the crypto map to it; zx is the name of the crypto map.

3. A configuration experiment

Experimental topology diagram:

3.1 Configuration on R1

Router> enable

Router# configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router(config)# hostname R1

//Configure the IKE policy

R1(config)# crypto isakmp enable

R1(config)# crypto isakmp policy 100

R1(config-isakmp)# encryption des

R1(config-isakmp)# hash md5

R1(config-isakmp)# authentication pre-share

R1(config-isakmp)# group 1

R1(config-isakmp)# lifetime 86400

R1(config-isakmp)# exit

//Configure the IKE pre-shared key

R1(config)# crypto isakmp key 123456 address 10.1.2

//Create the IPsec transform set

R1(config)# crypto ipsec transform-set zx esp-des esp-md5-hmac

//Create the crypto map

R1(config)# crypto map zx_map 100 ipsec-isakmp

R1(config-crypto-map)# match address 11

R1(config-crypto-map)# set peer 10.1.2

R1(config-crypto-map)# set transform-set zx

R1(config-crypto-map)# set security-association lifetime seconds 86400

R1(config-crypto-map)# set pfs group1

R1(config-crypto-map)# exit

//Configure the ACL

R1(config)# access-list 11 permit ip 192.168.1.100.0.0

//Apply the crypto map to the interface

R1(config)# interface s1/0

R1(config-if)# crypto map zx_map

3.2 Configuration on R2

The configuration is essentially the same as on R1; only the following commands differ:

R2(config)# crypto isakmp key 123456 address 10.1.1

R2(config-crypto-map)# set peer 10.1.1

R2(config)# access-list 11 permit ip 192.168.2.10 0.0.255
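As an added example (not part of the original article), the following Python script audits the R1/R2 lab configuration above: it checks that the parameters both ends must agree on really match (as section 2 notes, the transform-set name may differ but the transforms must not), that each router's "set peer" matches its "crypto isakmp key ... address", and it flags the weak algorithms this lab uses. The 10.1.1.1/10.1.1.2 peer addresses and the two config snippets are constructed assumptions, since the topology diagram is not available.

```python
"""Added example, not from the original article: check that the R1/R2 lab
configs above agree on what IKE/IPsec requires, and flag weak algorithms."""
import re
# Constructed sample; the 10.1.1.x peer addresses are placeholders.
R1_CONFIG = """
crypto isakmp policy 100
 encryption des
 hash md5
 authentication pre-share
 group 1
 lifetime 86400
crypto isakmp key 123456 address 10.1.1.2
crypto ipsec transform-set zx esp-des esp-md5-hmac
crypto map zx_map 100 ipsec-isakmp
 set peer 10.1.1.2
 set transform-set zx
"""
# R2 mirrors R1: it points back at R1, and its transform set has a different name.
R2_CONFIG = (R1_CONFIG.replace("10.1.1.2", "10.1.1.1")
             .replace("transform-set zx", "transform-set zy"))

WEAK = {"des", "md5", "1", "esp-des", "esp-md5-hmac", "ah-md5-hmac"}
SHARED = ("encryption", "hash", "authentication", "group", "lifetime")

def parse_ios(cfg):
    """Pull the parameters both peers must agree on out of an IOS snippet."""
    p = {}
    for k in SHARED:  # ISAKMP policy lines are indented one space
        m = re.search(rf"^\s+{k} (\S+)", cfg, re.M)
        p[k] = m.group(1) if m else None
    m = re.search(r"^crypto isakmp key (\S+) address (\S+)", cfg, re.M)
    p["psk"], p["key_peer"] = (m.group(1), m.group(2)) if m else (None, None)
    m = re.search(r"^crypto ipsec transform-set \S+ (.+)$", cfg, re.M)
    p["transforms"] = frozenset(m.group(1).split()) if m else frozenset()
    m = re.search(r"^\s+set peer (\S+)", cfg, re.M)
    p["peer"] = m.group(1) if m else None
    return p

def audit(a, b):
    """Findings for two parsed ends; an empty list means they agree and nothing is weak."""
    findings = []
    for k in SHARED + ("psk", "transforms"):  # transform-set name is not compared
        if a[k] != b[k]:
            findings.append(f"mismatch: {k} {a[k]!r} vs {b[k]!r}")
    for side, p in (("R1", a), ("R2", b)):
        if p["peer"] != p["key_peer"]:
            findings.append(f"{side}: 'set peer' and 'crypto isakmp key ... address' differ")
        for w in sorted(({p["encryption"], p["hash"], p["group"]} | p["transforms"]) & WEAK):
            findings.append(f"weak: {side} uses {w}")
    return findings
```

For the lab as configured, audit() reports no mismatches but five weak-algorithm findings per router (DES, MD5, DH group 1, esp-des, esp-md5-hmac); changing one end's hash to sha makes it report the mismatch IKE would fail on.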

3.3 Experiment debugging

Run the following commands on R1 and R2 respectively to view the configuration and state.

R1# show crypto ipsec ?

sa  IPSEC SA table

transform-set  Crypto transform sets

R1# show crypto isakmp ?

policy  Show ISAKMP protection suite policy

sa  Show ISAKMP Security Associations

4. Related knowledge points

Symmetric (private-key) encryption: encryption and decryption use the same secret key.

DES - Data Encryption Standard

3DES - Triple DES

AES - Advanced Encryption Standard

Some technologies that provide authentication:

MAC - message authentication code

HMAC - hash-based message authentication code

MD5 and SHA are the hash functions used to provide authentication.

Symmetric encryption is used for bulk data because asymmetric encryption consumes far more CPU.

Asymmetric (public-key) encryption:

RSA - Rivest-Shamir-Adleman

Encrypt with the public key and decrypt with the private key. The public key is public, but only the holder of the private key can decrypt.

Two commonly used hash algorithms:

HMAC-MD5 uses a 128-bit shared secret key.

HMAC-SHA-1 uses a 160-bit shared secret key.

ESP protocol: provides confidentiality, data-origin authentication, connectionless integrity, an anti-replay service and limited traffic-flow confidentiality (resisting traffic analysis). Which of these services apply is chosen when the SA is established.

Encryption is done with DES or 3DES. Optional authentication and data integrity are provided by HMAC with keyed SHA-1 or MD5.

IKE - Internet Key Exchange: authenticates IPsec peers, negotiates IPsec keys and negotiates IPsec security associations.

Components of IKE:

1. DES and 3DES for encryption.

2. Diffie-Hellman, a public-key-based key agreement protocol that lets two parties establish a shared secret key over an insecure channel; IKE uses it to establish the session key. Group 1 uses a 768-bit modulus and group 2 a 1024-bit modulus.

3. MD5 and SHA hash algorithms for verifying packets, and the RSA public-key signature scheme.