
I- Introduction to the operating mechanism of the IPSec protocol suite

1. The IPsec protocol

IPsec has three main protocol layers:

- Internet Key Exchange (IKE): lets the devices taking part in the VPN exchange security information with each other: how to encrypt, which algorithm to encrypt with, and how often to re-key. IKE automatically negotiates the security policies between the devices taking part in the VPN, which is what allows IPsec to be applied to large networks. During the key exchange, IKE uses asymmetric encryption (a public key and private key pair) to protect the exchange of keys between the devices taking part in the VPN.
- Encapsulating Security Payload (ESP): provides authentication, encryption and data integrity ("securing of data"). This is the protocol commonly used when setting up IPSec.
- Authentication Header (AH): provides authentication. AH is rarely used because its function is already included in ESP.

2. IPsec has two modes:

- Transport mode: the encrypted data (the Layer 4 payload) sits inside the ESP header, and ESP is inserted between the Layer 2 header and the Layer 3 header.
- Tunnel mode: the data is encrypted and encapsulated in a new IP header with a new source and destination IP.

IPSec offers encryption methods such as DES (Data Encryption Standard), 3DES and AES (Advanced Encryption Standard), and authentication methods such as HMAC, MD5 and SHA-1.

3. Before exchanging keys to establish a virtual channel (IPsec VPN), IPSEC first authenticates whom it is exchanging with. Peer authentication methods:

- Username and password
- OTP (one-time password)
- Biometrics
- Pre-shared keys
- Digital certificate (digital signature); this method is often used in e-government.

4. Operating mechanism of Internet Key Exchange (IKE)

As mentioned above, the IKE protocol exchanges keys between the devices taking part in the VPN and exchanges security policies between them. Without this protocol the administrator would have to configure all of this by hand. The security policies on these devices are called SAs (Security Associations), so during the IKE process the devices exchange all the SAs they have, and each device picks the SA that best matches its partner. The keys exchanged during IKE are themselves encrypted, and these keys change over time (keys are regenerated) to prevent brute-forcing by an attacker. The protocols used for authentication and for encrypting keys during IKE are Oakley (see RFC 2412), ISAKMP (RFC 2408) and SKEME. The IKE protocol uses UDP port 500.

5. The stages of IKE operation (IKE phases)

- IKE Phase 1 (mandatory in the IKE process)
  Step 1: authenticate the devices taking part in the VPN (authenticate the peers).
  Step 2: exchange the SAs.
  Phase 1 has two operating modes: Main mode (needs 6 messages to complete steps 1 and 2) and Aggressive mode (needs 3 messages to complete steps 1 and 2).
- IKE Phase 1.5 (optional)
  This stage assigns LAN IP addresses and DNS via DHCP and authenticates the user (user authentication). The protocol used in this stage is called Xauth (Extended Authentication).
- IKE Phase 2 (mandatory)
  After Phases 1 and 1.5 the devices have complete information about each other: the encryption and authentication policies (SAs) and the keys. Thanks to IKE, a secure virtual channel has been built between the devices.

At this point the devices go on to exchange another SA with each other (pay attention to this difference). The SA exchanged now is the policy of the IPsec protocol itself (the security policy for encapsulating data); it differs from the SA of the IKE protocol (how to build a secure channel). In this IPsec SA the devices negotiate whether data is encrypted and encapsulated with ESP or AH, whether it operates in tunnel mode or transport mode, and how long the encryption lasts (the lifetime). This is data encryption, no longer the key-exchange encryption that took place during IKE. From now on, whoever a device wants to exchange with, it exchanges an IPsec SA with that peer, and the data sent on the link is encrypted according to this IPsec SA. So in part 5 I have presented the three main steps for creating a secure virtual channel (IPsec VPN).

6. Other IKE functions that help IKE operate better include:

- Dead peer detection (DPD) and Cisco IOS keepalives: these are timer-based functions. After two devices have established an IPsec VPN with each other, they regularly send each other keepalive packets to check the partner's status. The main purpose is to detect device failures. Keepalives are usually sent every 10 s.
- NAT-Traversal support: if there are NAT or PAT devices on the path from A to B, IPsec in tunnel mode with NAT-Traversal enabled can still carry packets normally. Why IPSec only works in tunnel mode here and not transport mode, I will explain in detail in later sections. Note: Cisco has supported NAT-T since IOS Release 12.2(13)T.
  Why is NAT-T support needed for packets to get through? Look back at what I presented above. When encryption is done with ESP, the source IP and port and the destination IP and port are all encrypted and sit inside the ESP header. Since all the IP and port information is encrypted, NAT cannot take place on an IPSec link. That is why NAT Traversal was created as part of IKE's operation, to detect NAT and support it for IPsec. The data is then not encapsulated directly in IP but through UDP, and the IP and port information is carried in this UDP packet.
- Mode Configuration: this function pushes security policies as well as IP, DNS and gateway information to mobile users when they dial into the VPN. Cisco also provides a solution for this called Easy VPN, but I will not go deep into it within the scope of this article.
- The last IKE function I want to introduce is Xauth (briefly mentioned under Phase 1.5). Xauth lets the AAA model (Authentication, Authorization, Accounting) be used for user authentication. Note this point: Xauth does not replace IKE; Xauth authentication is user authentication, not the authentication that takes place in Phase 1.

So in part I, I have introduced the operation of the IPsec VPN and gone into the first protocol of the suite, IKE. In the following parts I will present the operation of ESP and AH in more detail, and then the router configuration for a specific case. I hope this article helps you understand the IPSec protocol a little better; the setup of an IPsec VPN will be presented in the following parts.

II- Operating mechanism of the two protocols ESP and AH

Besides IKE, the IPsec suite has ESP and AH as its two main protocols for encrypting and authenticating data.

1. Overview

ESP uses IP protocol number 50 (ESP is encapsulated by IP and the protocol field in the IP header is 50). AH uses IP protocol number 51 (AH is encapsulated by IP and the protocol field in the IP header is 51).

The IPsec suite operates in two main modes, Tunnel mode and Transport mode:

- Tunnel mode: when IPsec operates in this mode, after the data is encapsulated and ESP has encrypted the whole payload, frame header and IP header, it adds a new IP header to the packet before forwarding it.
- Transport mode: when IPsec operates in this mode the IP header is kept as-is, and ESP is inserted between the payload and the IP header of the packet. This mode is very often used when network administrators have also created a GRE (Generic Routing Encapsulation) tunnel. What a GRE tunnel is, I will explain in another tutorial.

All packets encrypted by IPsec use a symmetric key.

2. Overview of the ESP and AH headers

Here is an illustration of data encapsulation with the two protocols ESP and AH. At the top is the original packet, consisting of Data and IP Header.

- If ESP is used: ESP does the work of encryption, authentication and data integrity ("securing of data"). After encapsulation with ESP, all the information for encryption and decryption sits in the ESP header. Encryption algorithms include DES, 3DES and AES; authentication algorithms include MD5 or SHA-1. ESP also provides an anti-replay feature to protect against captured packets being replayed.
- If AH is used: AH only does authentication and data integrity. AH has no data-encryption function, so AH is rarely used in IPSec because it does not ensure security on its own.

3. AH: authentication and data integrity

Below is an illustration of the authentication mechanism of the AH protocol.

Step 1: AH takes the packet (payload + IP header) plus the key and runs it through an algorithm called a hash algorithm, which produces a digest (a string of numbers). Remember that this is a one-way algorithm: from packet + key you get the digest, but from the digest you cannot get back the packet + key. This digest is attached to the AH header.
Step 2: the AH header is inserted between the payload and the IP header and sent to the other side. Naturally, keep in mind that this packet is being carried over a tunnel that the IKE process created after the key exchange.
Step 3: the destination router, after receiving this packet (IP header + AH header + payload), runs it through the hash algorithm once more, producing a digest.
Step 4: it compares the digest it has just computed with the digest carried in the packet; if they match it accepts the packet. If an attacker sniffs the packet in transit and modifies it so that its size or content changes, the hash will produce a digest different from the original one the destination router holds, and the packet is dropped. The hash algorithms are MD5 and SHA-1. In this case IPsec is running in transport mode.

4. The ESP protocol

Below is the mechanism for encrypting a packet with the ESP protocol.

ESP is a protocol that supports both authentication and encryption. At the top is the original packet; ESP uses a key to encrypt the whole original packet. In this case IPsec is running in tunnel mode, so besides the ESP header it also generates a new, unencrypted IP header so the packet can travel across the Internet.

So in this part I have introduced the operation of the two protocols ESP and AH. Note that the authentication and encryption of ESP and AH only take place after the IKE process has completed. In this chapter I do not want to go deep into the analysis of the encryption algorithms, because my aim in this tutorial is to explain how IPSEC works and how to configure an IPSEC VPN on Cisco routers.
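The AH integrity check from section II.3 (steps 1 to 4), as an added example that is not part of the tutorial: the sender computes a keyed hash over the IP header, the AH header and the payload, and the receiver recomputes and compares it, accepting the packet only when the digests match. It assumes HMAC-SHA-1 truncated to 96 bits (IPsec's HMAC-SHA-1-96), with the header fields a router changes in transit (TOS, flags, TTL, checksum) treated as zero when hashing; the key, addresses and payload are constructed.

```python
import hashlib, hmac, struct

# Added example, not code from the tutorial: a model of the AH transport-mode
# integrity check. The ICV is HMAC-SHA-1 truncated to 96 bits (HMAC-SHA-1-96)
# over IP header + AH header + payload, with the fields a router changes in
# transit (TOS, flags/fragment, TTL, checksum) and the ICV itself taken as zero.

ICV_LEN = 12              # 96-bit truncated HMAC
AH_PROTO = 51             # protocol number the outer IP header carries for AH
IP_FMT = "!BBHHHBBH4s4s"  # 20-byte IPv4 header without options

def ipv4_header(src, dst, proto, total_len, ttl=64):
    """Build an IPv4 header; the checksum is left 0 in this model."""
    return struct.pack(IP_FMT, 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                       bytes(map(int, src.split("."))),
                       bytes(map(int, dst.split("."))))

def _zero_mutable(ip_hdr):
    """Copy of the header with the mutable fields set to zero before hashing."""
    f = list(struct.unpack(IP_FMT, ip_hdr))
    f[1] = f[4] = f[5] = f[7] = 0        # tos, flags/frag, ttl, checksum
    return struct.pack(IP_FMT, *f)

def _icv(key, ip_hdr, ah_no_icv, payload):
    data = _zero_mutable(ip_hdr) + ah_no_icv + bytes(ICV_LEN) + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]

def ah_protect(key, src, dst, next_proto, payload, spi, seq):
    """Sender (steps 1-2): hash, then insert AH between IP header and payload."""
    # AH payload-length field = 32-bit words minus 2: (12 + 12) / 4 - 2 = 4
    ah_no_icv = struct.pack("!BBHII", next_proto, 4, 0, spi, seq)
    ip_hdr = ipv4_header(src, dst, AH_PROTO, 20 + 12 + ICV_LEN + len(payload))
    return ip_hdr + ah_no_icv + _icv(key, ip_hdr, ah_no_icv, payload) + payload

def ah_verify(key, packet):
    """Receiver (steps 3-4): recompute and compare; returns payload or None (drop)."""
    ip_hdr, rest = packet[:20], packet[20:]
    if len(ip_hdr) < 20 or struct.unpack(IP_FMT, ip_hdr)[6] != AH_PROTO:
        return None
    ah_no_icv, icv, payload = rest[:12], rest[12:12 + ICV_LEN], rest[12 + ICV_LEN:]
    if not hmac.compare_digest(_icv(key, ip_hdr, ah_no_icv, payload), icv):
        return None                      # digests differ: the packet is dropped
    return payload

def decrement_ttl(packet):
    """What a transit router does; the ICV must still verify afterwards."""
    f = list(struct.unpack(IP_FMT, packet[:20]))
    f[5] -= 1
    return struct.pack(IP_FMT, *f) + packet[20:]

def tamper(packet):
    """An attacker changes one payload byte in transit; the ICV then fails."""
    return packet[:-1] + bytes([packet[-1] ^ 0x01])

if __name__ == "__main__":
    KEY = b"constructed-demo-key"
    pkt = ah_protect(KEY, "11.0.0.1", "11.0.0.2", 6, b"payload from R2", 0x100, 1)
    print(ah_verify(KEY, decrement_ttl(pkt)))   # accepted after a TTL hop
    print(ah_verify(KEY, tamper(pkt)))          # None: dropped
```

The TTL case shows why AH zeroes the mutable fields: a hop-by-hop change must not invalidate the digest, while any change to the protected bytes does.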

Topology:

[[ROUTER R1]]
s1/0 = R2 s1/0   # Serial port s1/0 of Router R1 connects to s1/0 of R2
[[router R2]]
model = 7200
s1/1 = R3 s1/1   # Serial port S1/1 of Router R2 connects to S1/1 of R3
[[router R3]]
model = 7200

Before going into the configuration details of the three routers, I will give a concrete example so it is easier to picture. We have three branches: HN (R1), DN (R2) and HCM (R3). Data exchange between these cities is frequent and continuous. All the data sent from DN to HCM is important, and the requirement is that data travelling on the link from DN to HCM must be encrypted and protected. In this lab I will configure the IPSEC VPN on the segment from Serial 1/1 of Router 2 to Serial 1/1 of Router 3. That is, when traffic flows over this link towards the right peer (1), the VPN mechanism starts operating.

First, the configuration of Router 1 (HN). On this router there is nothing of note regarding VPN/IPSEC, but I will explain a few points so they are easier to follow. The explanations are the bold colored text (shown here after a \\ marker).

Configuration of Router R1, Ha Noi:

R1#sh run
Building configuration...

Current configuration : 3499 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname R1
boot-start-marker
boot-end-marker
enable secret 5 $1$NOsH$dzAiUg0rigA/wHkPJZB/b0
no aaa new-model
ip cef
multilink bundle-name authenticated

crypto pki trustpoint TP-self-signed-4294967295
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-4294967295
 revocation-check none
 rsakeypair TP-self-signed-4294967295
crypto pki certificate chain TP-self-signed-4294967295

 certificate self-signed 01
  quit
interface Loopback0
 ip address 192.168.1.1 255.255.255.0
interface Loopback1
 ip address 192.168.2.1 255.255.255.0
interface Loopback2
 ip address 192.168.3.1 255.255.255.0
interface FastEthernet0/0
 ip address 10.10.1.146 255.255.255.0
 duplex full
interface Serial1/0
 ip address 10.0.0.1 255.255.255.0
 ip ospf authentication message-digest   \\ While routing with OSPF I also authenticate the neighbors with the key thang
 ip ospf message-digest-key 1 md5 thang
 no fair-queue
 serial restart-delay 0
 clock rate 64000

router eigrp 1
 network 192.168.1.0
 network 192.168.2.0
 network 192.168.3.0
 auto-summary
router ospf 1   \\ Between the three routers of the three regions I use OSPF routing, and all are connected into Area 0
 log-adjacency-changes
 summary-address 192.168.0.0 255.255.0.0
 redistribute eigrp 1 subnets
 network 10.0.0.0 0.0.0.255 area 0
ip http server

ip http secure-server
logging alarm informational
control-plane
gatekeeper
 shutdown
banner motd ^C Retrict Area . This is ASBR . Routing OSPF1 + EIGRP1 ^C
line con 0
 exec-timeout 0 0
 password cisco
 login
 stopbits 1

Configuration of Router 2, Da Nang (R2):

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname R2
boot-start-marker
boot-end-marker
enable secret 5 $1$zFeK$NJjHyf.rQkLWZf88tT21R.
no aaa new-model
ip cef

multilink bundle-name authenticated
crypto isakmp policy 1   \\ We are starting to create the policy for the IKE process that I explained in the two previous chapters
 encr aes   \\ We will encrypt with AES
 authentication pre-share   \\ Authenticate with a pre-shared key
 group 2
crypto isakmp key 6 cisco address 11.0.0.2   \\ The key exchanged between the Da Nang and HCM ends is cisco. IP 11.0.0.2 is the IP of Serial 1/1 of HCM, also called the peer of the Da Nang router. Identifying this peer is extremely important: the administrator must know whom we intend to communicate with, and from where to where the data must travel for the VPN process to take place.

crypto ipsec transform-set R2 esp-aes esp-sha-hmac   \\ At this point we have finished setting up the policies for the IKE process. With this command we initialize the policy for the data encapsulation process: the policy that determines which encryption mechanism will wrap the data being sent.
crypto map VPN_TO_R3 10 ipsec-isakmp   \\ This command is where we officially tell the Da Nang router to apply the policies that start the IKE process
 set peer 11.0.0.2   \\ The target for establishing this VPN/IPSEC is IP 11.0.0.2 of the HCM router
 set transform-set R2   \\ Officially apply the IPSEC policy
 match address 101   \\ Apply the traffic flow to be encrypted; we will create this flow with an access list
interface Loopback0
 ip address 172.0.0.1 255.255.255.0
interface Loopback1
 ip address 172.0.2.1 255.255.255.0
interface Loopback2
 ip address 172.0.3.1 255.255.255.0
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
interface Serial1/0
 ip address 10.0.0.2 255.255.255.0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 thang
 serial restart-delay 0
interface Serial1/1
 ip address 11.0.0.1 255.255.255.0
 ip ospf authentication message-digest
 ip ospf message-digest-key 2 md5 thang
 serial restart-delay 0
 clock rate 64000
 crypto map VPN_TO_R3

router eigrp 1
 network 172.0.0.0 0.0.0.255
 network 172.0.2.0 0.0.0.255
 network 172.0.3.0 0.0.0.255
 auto-summary
router ospf 1
 log-adjacency-changes
 summary-address 192.168.0.0 255.255.0.0 not-advertise
 summary-address 172.0.0.0 255.255.0.0
 redistribute eigrp 1 subnets
 network 10.0.0.0 0.0.0.255 area 0
 network 11.0.0.0 0.0.0.255 area 0
no ip http server
no ip http secure-server

logging alarm informational
access-list 101 permit ip 10.0.0.0 0.0.255.255 210.245.0.0 0.0.255.255   \\ With this command we create the rule set of IP ranges that will go through the VPN and be encrypted by IPSEC.

This access list 101 is applied on the router with the match address 101 command above. You should create this access list before applying the VPN IPSEC policies to the router. The meaning of this command is that I want the router to understand that all traffic with an IP address of 10.0.x.x, subnet mask 255.255.0.0, going to the range 210.245.x.x, subnet mask 255.255.0.0, must pass through the VPN and be wrapped by IPSEC.

control-plane
gatekeeper
 shutdown
banner motd ^C Retrict Area . This's ASBRs Router . EIGRP1 + OSPF1 ^C
line con 0
 password cisco
 login
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 login
end
R2#

For Router 3, look at the configuration and reason the same way as for Router 2.

Configuration of Router 3, HCM:

Building configuration...

Current configuration : 1829 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname R3
boot-start-marker
boot-end-marker
no aaa new-model
ip cef
multilink bundle-name authenticated
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key 6 cisco address 11.0.0.1
crypto ipsec transform-set R3 esp-aes esp-sha-hmac
crypto map VPN_TO_R2 10 ipsec-isakmp
 set peer 11.0.0.1
 set transform-set R3
 match address 101
interface Loopback0
 ip address 210.245.31.130 255.255.255.255
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
interface Serial1/0
 no ip address
 shutdown
 no fair-queue
 serial restart-delay 0
interface Serial1/1
 ip address 11.0.0.2 255.255.255.0
 ip ospf authentication message-digest
 ip ospf message-digest-key 2 md5 thang
 serial restart-delay 0
 crypto map VPN_TO_R2
router ospf 1
 log-adjacency-changes
 network 11.0.0.0 0.0.0.255 area 0
 network 210.245.0.0 0.0.255.255 area 0
no ip http server
no ip http secure-server
logging alarm informational
access-list 101 permit ip 210.245.0.0 0.0.255.255 10.0.0.0 0.0.0.255
control-plane
gatekeeper
 shutdown
banner motd ^C Retric Area .^C
line con 0
 exec-timeout 0 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 login
end

(1) peer: refers to the ends, the entities that communicate directly with the router.

"Why IPSec only works in tunnel mode here and not transport mode, I will explain in detail in later sections."

You have not read the article carefully. In short, it is like this:

The IPsec suite operates in two main modes, Tunnel mode and Transport mode.
- Tunnel mode: when IPsec operates in this mode, after the data is encapsulated and ESP has encrypted the whole payload, frame header and IP header, it adds a new IP header to the packet before forwarding it.
- Transport mode: when IPsec operates in this mode the IP header is kept as-is, and ESP is inserted between the payload and the IP header of the packet. This mode is very often used when network administrators have also created a GRE (Generic Routing Encapsulation) tunnel.

NAT-Traversal: if there are NAT or PAT devices on the path from A to B, IPsec in tunnel mode with NAT-Traversal enabled can still carry packets normally. Why is NAT-T support needed for packets to get through? When encryption is done with ESP, the source IP and port and the destination IP and port are all encrypted and sit inside the ESP header. Since all the IP and port information is encrypted, NAT cannot take place on an IPSec link. That is why NAT Traversal was created as part of IKE's operation, to detect NAT and support it for IPsec. The data is then not encapsulated directly in IP but through UDP, and the IP and port information is carried in this UDP packet.

Read it carefully again and you will understand the answer.
