
GRADUATION INTERNSHIP REPORT

IPSec VPN

PREFACE
Today the explosive growth of information technology brings us many new things. It makes working relationships in society ever more convenient, lets employees work effectively from home, and lets an enterprise connect securely to its branches and business partners. Technology keeps developing and constantly improves our network infrastructure, helping to make our work more secure.
One technology that enterprises, companies and commercial firms now use widely is the Virtual Private Network (VPN). Virtual private networking extends the reach of a LAN (Local Area Network) without requiring any dedicated line. Central resources can be reached from many places, which saves cost and time.
Security between networks is the most pressing concern today. One solution for securing a VPN is IPSec. Although this technology is not new, it is very widely deployed in enterprises and companies: the IPSec protocol allows data to be encrypted and transported securely over a public network.
In this internship report I discuss IPSec, a fairly common technology for securing VPNs that many organisations and companies have deployed.
Because my knowledge and experience are limited, mistakes in this report are unavoidable. I would welcome comments from the teachers and my classmates.

Intern: Vi Th Mu


ACKNOWLEDGEMENTS
To complete the internship well I received a great deal of help from the teachers at VnPro and from my friends. In particular I would like to thank:
Mr. Đặng Quang Minh, Director of VnPro Training Center. It is thanks to his accepting me that I had the chance to learn in a real-world environment. Thank you for teaching me a way of living and a working manner that prepare me for my future job, and for guiding me so that I could complete the internship well.
The engineers of the technical department, who wholeheartedly provided the equipment I needed to complete the labs during the internship.
The whole VnPro company, for giving me a good internship environment.
Finally, the teachers of the Department of Electronics and Telecommunications, University of Transport, Ho Chi Minh City, for helping me get the opportunity to intern in a real environment.
Respectfully,
Vi Th Mu


EVALUATION BY THE INTERNSHIP HOST
----------o0o----------
Student: VI TH MU
Student ID: DV03035
Class: DV03
Course: 2003 - 2008
Internship duration: 6 weeks, from 03/03/2008 to 11/04/2008
Host: VNPRO Informatics Center, 149/1D Ung Văn Khiêm, Ward 25, Bình Thạnh District, Ho Chi Minh City
Internship topic: Study and Deployment of IPSec in Virtual Private Networks
Supervisor: Mr. Đặng Quang Minh
Comments of the internship host: (left blank on the form)
Ho Chi Minh City, ... 2008
Board of Directors                              Supervisor
                                                Đặng Quang Minh


EVALUATION BY THE DEPARTMENT OF ELECTRONICS AND TELECOMMUNICATIONS
----------o0o----------
Student: VI TH MU
Student ID: DV03035
Class: DV03
Course: 2003 - 2008
Internship duration: 6 weeks, from 03/03/2008 to 11/04/2008
Host: VNPRO Informatics Center, 149/1D Ung Văn Khiêm, Ward 25, Bình Thạnh District, Ho Chi Minh City
Internship topic: Study and Deployment of IPSec in Virtual Private Networks
Academic supervisor: Mr. V Nguyn Sn
Comments of the Electronics and Telecommunications Department: (left blank on the form)
Ho Chi Minh City, ... 2008
Teacher                                         Student
                                                Vi Th Mu


INTERNSHIP DIARY
Week 1 (3/3 - 8/3/2008):
- Studied the theory and did the basic lab: configured two routers to build a private channel between their two LANs across a public network (configure a GRE tunnel to a remote site).
Week 2 (10/03 - 15/03/2008):
- Wrote the report.
- Studied PKI theory and did the site-to-site VPN lab using a CA, on three routers.
Week 3 (18/03 - 23/03/2008):
- 19/03 - 20/03/2008: away on family business.
- PKI lab.
Week 4 (24/03 - 28/03/2008):
- Dynamic Multipoint VPN lab.
- Wrote the report.
Week 5 (31/03 - 04/04/2008):
- Studied CA servers.
- Lab using Windows Server 2003 as CA server.
Week 6 (07/04 - 11/04/2008):
- Studied the theory.
- Wrote the report.


TABLE OF CONTENTS
PART 1: THEORY  8
CHAPTER I: INTRODUCTION TO VIRTUAL PRIVATE NETWORKS  8
  I. Introduction  8
  II. VPN Classification  8
    1. Classification  8
    2. VPNs for enterprises  9
    3. VPN technologies and the OSI model  14
CHAPTER II: IP SECURITY  17
  I. The IPSec Protocol  17
    1. Overview of IPSec  17
    2. How the IPSec protocol works  17
    3. How IKE works  19
  II. How the AH and ESP Protocols Work  19
    1. Overview  19
    2. Overview of the AH and ESP headers  20
    3. Authentication Header  20
    4. Encapsulating Security Payload  24
    5. The main IPSec modes  29
CHAPTER III: PUBLIC KEY INFRASTRUCTURE  33
  I. PKI Overview  33
  II. PKI Components  33
    1. Components of a PKI  33
    2. Purpose and functions of a PKI  34
  III. PKI Infrastructure  35
    1. Encryption steps  35
    2. Verification steps  36
CHAPTER IV: DYNAMIC MULTIPOINT VIRTUAL PRIVATE NETWORK  37
  I. DMVPN Overview  37
    1. What is DMVPN?  37
    2. Advantages of DMVPN  37
    3. Technologies used in DMVPN  38
    4. DMVPN operation  38
    5. Routing with DMVPN  38
    6. DMVPN phases  39
  II. DMVPN Configuration  41
    1. IPSec configuration  41
    2. mGRE hub configuration  41
    3. mGRE spoke configuration  42
  III. Next Hop Resolution Protocol  42
    1. NHRP and NBMA interaction  42
    2. Benefits of NHRP for NBMA  43
    3. Next Hop Server resolution  43
    4. NHRP used with DMVPN  44
    5. NHRP registration  45
PART II: PRACTICE  46
  1. Basic lab  46
  2. Site-to-site configuration using Windows Server 2003 as CA server  48
  3. DMVPN configuration lab  68

PART 1: THEORY
CHAPTER I: INTRODUCTION TO VIRTUAL PRIVATE NETWORKS
I. Introduction:
A VPN (Virtual Private Network) is a technology that provides a secure way for private networks to communicate, using a technique called tunneling to build a private network on top of the Internet. In essence, tunneling wraps the whole original packet inside an outer header that carries the routing information needed to cross the intermediate network.
A VPN is a private network that uses a shared public network to connect sites (separate private networks) or many remote users. Instead of a physical, dedicated connection such as a leased line, a VPN uses virtual connections routed over the Internet from the company's private network to the sites of its remote employees.
A tunneling method commonly found in VPNs is Generic Routing Encapsulation (GRE). GRE provides a mechanism for encapsulating a passenger-protocol packet inside a carrier protocol (IP) so that it can be transported; the GRE header carries the protocol type of the encapsulated packet and, optionally, a key and a sequence number that identify the tunnel. GRE itself provides neither encryption nor authentication: a GRE tunnel carries traffic in the clear unless it is protected by IPSec.
II. VPN classification:
1. VPNs can be classified under the following headings:
- VPNs for enterprises
- VPNs for service providers
- VPN technologies and the OSI model
- IPSec and security associations
- IPSec modes and protocols
The following shows VPN technologies mapped onto the OSI model:


OSI Model Layer         VPN Technology
Layer 7, Application    Secure HTTP (HTTPS), S/MIME, PGP
Layer 6, Presentation   N/A
Layer 5, Session        N/A
Layer 4, Transport      SSL and TLS, SOCKS, SSH
Layer 3, Network        IPSec deployments, MPLS VPNs
Layer 2, Data link      VPDN (PPTP, L2TP, L2F), ATM cell encryptors, Frame Relay frame encryptors
Layer 1, Physical       Optical bulk encryptors, Radio Frequency (RF) encryptors

Figure 2-1: VPN technologies and the OSI model


2. VPNs for enterprises:
For an enterprise, a VPN provides connections deployed over public network infrastructure.
Enterprise VPN solutions fall into three main types:
- Remote Access VPN
- Site-to-Site VPN
- Extranet VPN
a. Remote Access VPN:
Remote access VPN, also called virtual private dial-up networking (VPDN), is a user-to-LAN connection, typically needed by an organisation whose many employees must reach its private network from many distant locations. For example, a company may contract a VPN from an enterprise service provider (ESP). The provider sets up a network access server (NAS) and gives remote users VPN client software for their computers. A user then dials a toll-free number to reach the NAS and uses the client software to access the company's private network. This type of VPN gives secure, encrypted connections.

Figure 2-2: Remote Access VPN


Main components:
- Remote Access Server (RAS): located at the central site, it authenticates and authorises incoming connection requests.
- Dial-up connection to the central site, which reduces the cost for users located far from it.
- Staff who configure, maintain and manage the RAS and support the remote users.
- By deploying Remote Access VPNs, remote users or branch offices need only a local connection to an ISP or an ISP POP, and reach the corporate resources through the Internet.
The remote access setup is illustrated in the following figure:


Figure 2-3: Remote Access VPN setup


Advantages of Remote Access VPN:
- The need to support individual dial-in users is removed, because remote connectivity is handled by the ISP.
- Long-distance dial-up is eliminated; local connections are used instead.
- Lower cost for long-distance connections.
- Because the connection is local, it is faster than a direct long-distance connection.
- VPNs give better access to the central site because they sustain at least a minimum level of service even when the number of simultaneous connections rises sharply.
Some disadvantages of Remote Access VPNs:
- Remote Access VPNs cannot guarantee quality of service.
- The risk of data loss is high; fragments of a packet can go astray and be lost.
- Because of the complexity of the encryption algorithms, protocol overhead rises significantly, which makes authentication harder; IP compression is also slow.
- Because data travels over the Internet, exchanging large volumes of data is slow.

b. Site-to-site VPN
- Site-to-site VPN uses dedicated encryption to let many users connect several fixed sites to each other over a public network such as the Internet. It can be intranet-based or extranet-based. Intranet-based: if a company has several remote locations that want to join a single private network, it can create an intranet VPN connecting LAN to LAN. Extranet-based: when a company has a close relationship with another company (for example a supplier, customer or partner), it can build an extranet VPN connecting LAN to LAN, so that the different organisations can work in a shared environment.

Figure 2-4: connecting enterprise sites (Site 1 to Site 6) over the public network


- A LAN-to-LAN VPN connects two separate networks through a secure tunnel. The tunnel can use PPTP, L2TP or IPsec. The main purpose of LAN-to-LAN is to connect two networks that have no direct link, without compromising the integrity, authentication or confidentiality of the data.
LAN-to-LAN connections are designed to create a direct, efficient network connection regardless of the distance between the sites.

c. Extranet:
- An extranet gives business partners (customers, suppliers and other partners who play an important role in the organisation) access to the network resources they need.


Figure 2-5: The traditional extranet setup (the corporate network linked separately to Supplier Network 1, 2 and 3 of supplier1, supplier2 and supplier3)


The model above shows that a traditional extranet is expensive: many separate network segments of the intranet are combined to form it, it is hard to deploy because of the number of networks involved, and it is hard for the staff who maintain and administer it.

Figure 2-6: The Extranet VPN setup



Advantages of the extranet VPN:
- Easy to deploy, manage and modify.
- Lower maintenance cost.
Some disadvantages of the extranet VPN:
- Security threats, such as denial-of-service attacks, remain.
- Greater risk of intrusion into the organisation through the extranet.
- Because it runs over the Internet, exchanging high-end data is slow.
- Quality of Service (QoS) is not consistently guaranteed.

3. VPN technologies and the OSI model

The protocols that build the secure tunnel for a VPN are L2TP, Cisco GRE and IPSec.
a. L2TP:
- L2TP combines PPTP (Point-to-Point Tunneling Protocol) with Cisco's L2F (Layer 2 Forwarding) protocol, which makes it very effective for dial-up, ADSL and other remote-access networks. Like PPTP, L2TP encapsulates data in PPP frames and then carries those frames across the backbone. Unlike PPTP, however, L2TP uses UDP as the encapsulation for both the tunnel and the user data.
- L2TP provides no encryption, so it must rely on another protocol for confidentiality. That is why it is complemented by IPSec (L2TP/IPSec).

- L2TP has two main components: the L2TP Access Concentrator and the L2TP Network Server.
  o L2TP Access Concentrator (LAC): represents the client side of the network. It is typically part of the switching equipment between the remote dial-up nodes and the access server, terminating inbound PPP sessions over ISDN and PSTN. When remote hosts start and complete a PPP connection to the NAS, the LAC acts as a proxy that initiates the L2TP control connection and data tunnel to the LNS at the corporate network.
  o L2TP Network Server (LNS): represents the server side of the VPDN. It runs in the enterprise network and terminates the data tunnel from the LAC. When users connect to the LAC, those connections are multiplexed through the tunnel to the LNS.

Figure 2-7: L2TP tunnel negotiation


L2TP uses control messages and data packets as follows:
  o L2TP control messages negotiate the establishment and maintenance of the tunnel. Control messages assign tunnel IDs to new connections for the lifetime of the tunnel. L2TP control messages are sent from a source port to destination UDP port 1701.
  o L2TP payload packets tunnel the data present on the network. When data passes through the tunnel from the LAC to the LNS over IP, it is encapsulated with an L2TP header. The L2TP format is structured as follows:

Figure 2-8: Structure of L2TP


b. GRE

Figure 2-9: Encapsulation with the GRE protocol

- GRE is a tunneling protocol that encapsulates IP, CLNP and all other kinds of packets inside an IP tunnel.
- With a GRE tunnel, a Cisco router encapsulates each packet of a given protocol inside an IP header, creating a virtual point-to-point link to the destination Cisco router; when the packet reaches its destination, the outer IP header is removed.
- By connecting subnets running different protocols across an environment that has a single main protocol, GRE tunneling lets the other protocols be routed conveniently inside IP packets.

c. IPsec

Figure 2-10: L2TP/IPsec VPN between a remote network and the enterprise network
Figure 2-11: L2TP/IPsec VPN between enterprise networks

- IPsec is the choice for security on a VPN. IPsec is a framework that provides data confidentiality, data integrity and data origin authentication.
- IPsec delivers these services using IKE, which negotiates the protocols and algorithms according to the local policy and generates the encryption and authentication keys that IPsec uses.


CHAPTER II: IP SECURITY

I. THE IPSec PROTOCOL
1. Overview of IPSec
IPSec is a set of standards established to provide data confidentiality, data integrity and data authentication between the devices taking part in a VPN. These devices can be hosts, security gateways (routers, firewalls, VPN concentrators, ...), or a host and a gateway as in remote-access VPNs. IPSec protects multiple data flows between peers, and one gateway can support many flows at the same time.
IPSec operates at the network layer and uses the Internet Key Exchange (IKE) protocol to negotiate the protocols between the participants and to generate the encryption and authentication keys that are used.
The main protocols used in IPSec:
- IP Security Protocol (IPSec)
  o Authentication Header (AH)
  o Encapsulating Security Payload (ESP)
- Message encryption
  o Data Encryption Standard (DES)
  o Triple DES (3DES)
- Message integrity (hash) functions
  o Hash-based Message Authentication Code (HMAC)
  o Message Digest 5 (MD5)
  o Secure Hash Algorithm-1 (SHA-1)
- Peer authentication
  o Rivest, Shamir, and Adleman (RSA) digital signatures
  o RSA encrypted nonces
- Key management
  o Diffie-Hellman (D-H)
  o Certificate Authority (CA)
- Security association
  o Internet Key Exchange (IKE)
  o Internet Security Association and Key Management Protocol (ISAKMP)
(DES, 3DES and MD5 appear here because the labs use them; all three are considered broken or weak today, and current deployments use AES with SHA-2.)
2. How the IPSec protocol works:
IPSec is now widely used and in many settings. VPNs can be set up without knowing much about the protocol, but the results are then messy and poor. The prerequisites to settle before configuring IPSec are the following steps:
Step 1: Define the IKE policy
The policy must be configured identically on both VPN peers. It covers:
- Key distribution method: keys configured manually, or provided by a CA.
- Authentication method: largely determined by the key distribution method; pre-shared keys are the most common choice.
- IP addresses and hostnames of the peers: the IP address is needed to identify the peers and to manage the access lists on each device so that the peers know about each other. IPSec can be configured on a device with fully qualified domain names (FQDN) as well as with IP addresses.
- IKE policy parameters: the parameters established in IKE phase 1. An IKE policy consists of:
  o Encryption algorithm: DES/3DES
  o Hash algorithm: MD5/SHA-1
  o Authentication method: pre-shared keys, RSA encryption (encrypted nonces), RSA signatures
  o Key exchange: D-H group 1 / D-H group 2
  o IKE SA lifetime: 86400 seconds by default
(These are the values available in the labs. DES, MD5 and DH groups 1 and 2 are weak by current standards; new deployments should prefer AES, SHA-2 and DH group 14 or higher.)
Step 2: Define the IPSec policy:
IPSec confidentiality and authentication are applied to the traffic exchanged between the peers. All traffic could be sent through the IPSec tunnel, but that makes performance hard to sustain, so choose which traffic must go through the tunnel. Whatever is chosen, both endpoints must implement the same policy. An IPSec policy consists of:
- IPSec protocol: AH or ESP
- Authentication: MD5 or SHA-1
- Encryption: DES or 3DES
- Transform or transform set: ah-sha-hmac esp-3des esp-md5-hmac, or a combination of these algorithms
- Identification of the traffic to be protected: protocol, source, destination and port
- SA establishment: manual configuration or IKE
Step 3: Check the current configuration
Check the IPSec configuration already present on the device, to avoid configuration parameters that conflict with each other.
Step 4: Test the network before IPSec: ping the devices that are to be configured for IPSec.
Step 5: The protocols and ports that IPSec uses must be allowed through:
- UDP port 500: ISAKMP, matched in access lists by the keyword isakmp
- IP protocol 50: ESP, matched by the keyword esp
- IP protocol 51: AH, matched by the keyword ahp
When either peer sits behind NAT, IKE and ESP are additionally carried in UDP port 4500 (NAT traversal), which must be permitted as well.

3. How IKE works
IKE exchanges keys between the devices taking part in the VPN, exchanges security policy between them, and negotiates that policy between the participating devices automatically.
Before exchanging keys to establish the virtual channel, IPSec authenticates whom it is talking to.
During the key exchange, IKE uses asymmetric cryptography (public and private keys, through the Diffie-Hellman exchange) to protect the exchange of keys between the VPN devices.
After that the devices exchange security policy. The security policies on the devices are called Security Associations (SAs).
So during IKE the devices exchange all the SA proposals they have, and between them they settle on the proposal that fits best.
Figure: IKE phase 1 policy negotiation
1. Router A connects to Router B.
2. Each router proposes its IKE transforms in priority order:

Router A transforms:
  1. Encryption = AES 256; HMAC = SHA-1; Authentication = pre-shared keys; Diffie-Hellman group = 2; Lifetime = 86400
  2. Encryption = AES 192; HMAC = SHA-1; Authentication = pre-shared keys; Diffie-Hellman group = 2; Lifetime = 86400
Router B transforms:
  1. Encryption = AES 192; HMAC = MD5; Authentication = pre-shared keys; Diffie-Hellman group = 2; Lifetime = 86400
  2. Encryption = AES 256; HMAC = SHA-1; Authentication = pre-shared keys; Diffie-Hellman group = 2; Lifetime = 86400

Each side compares the other's proposals with its own list in priority order and uses the first pair on which encryption, hash, authentication method and DH group all agree (here Router A's policy 1 and Router B's policy 2); if the lifetimes differ, the shorter one is used.
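The negotiation in the figure, and the IKE policy parameters of Step 1 above, carried through as an added example. This code is not part of the original report and is not Cisco's own; it mirrors how a Cisco IOS responder walks its policies in priority order, and adds a weak-algorithm screen of this example's own. Algorithm names are plain strings chosen here, and the two "mixed" policy lists are constructed to show a downgrade.

```python
"""IKE phase 1 policy negotiation. Added example, not from the original report.
A responder walks its own policies in priority order and, for each, the
initiator's proposals; the first pair whose encryption, hash, authentication
method and DH group all agree is used, with the shorter of the two lifetimes."""
from dataclasses import dataclass, replace
from typing import Iterable, List, Optional


@dataclass(frozen=True, order=True)
class IkePolicy:
    priority: int            # lower number = tried first
    encryption: str
    hash_alg: str
    authentication: str
    dh_group: int
    lifetime: int            # seconds

    def agrees_with(self, other: "IkePolicy") -> bool:
        # Lifetime is deliberately excluded: a mismatch there does not block a match.
        return (self.encryption == other.encryption
                and self.hash_alg == other.hash_alg
                and self.authentication == other.authentication
                and self.dh_group == other.dh_group)


# Algorithms this example refuses even when the peer proposes them (not a Cisco list).
WEAK_ENCRYPTION = {"des", "3des"}
WEAK_HASH = {"md5", "sha1"}
WEAK_DH_GROUPS = {1, 2, 5}


def is_weak(policy: IkePolicy) -> bool:
    return (policy.encryption in WEAK_ENCRYPTION or policy.hash_alg in WEAK_HASH
            or policy.dh_group in WEAK_DH_GROUPS)


def negotiate(responder: Iterable[IkePolicy], initiator: Iterable[IkePolicy]) -> Optional[IkePolicy]:
    """Return the agreed policy (as seen by the responder) or None when nothing matches."""
    for mine in sorted(responder):
        for theirs in sorted(initiator):
            if mine.agrees_with(theirs):
                return replace(mine, lifetime=min(mine.lifetime, theirs.lifetime))
    return None


def negotiate_strict(responder: Iterable[IkePolicy], initiator: Iterable[IkePolicy]) -> Optional[IkePolicy]:
    """Like negotiate(), but weak entries are dropped from both lists first, so a
    strong policy further down the lists is still found instead of a downgrade."""
    return negotiate([p for p in responder if not is_weak(p)],
                     [p for p in initiator if not is_weak(p)])


# The proposals from the figure (DH group 2 because that is what the labs use).
ROUTER_A: List[IkePolicy] = [
    IkePolicy(1, "aes-256", "sha1", "pre-share", 2, 86400),
    IkePolicy(2, "aes-192", "sha1", "pre-share", 2, 86400),
]
ROUTER_B: List[IkePolicy] = [
    IkePolicy(1, "aes-192", "md5", "pre-share", 2, 86400),
    IkePolicy(2, "aes-256", "sha1", "pre-share", 2, 86400),
]

# Constructed "mixed" lists: a legacy policy sits ahead of a modern one on both peers.
PEER_A: List[IkePolicy] = [
    IkePolicy(10, "aes-256", "sha1", "pre-share", 2, 86400),
    IkePolicy(20, "aes-256", "sha256", "rsa-sig", 14, 86400),
]
PEER_B: List[IkePolicy] = [
    IkePolicy(5, "aes-256", "sha1", "pre-share", 2, 86400),
    IkePolicy(10, "aes-256", "sha256", "rsa-sig", 14, 28800),
]
```

With the figure's lists, Router B as responder lands on its policy 2 (AES 256/SHA-1). With the mixed lists, plain negotiation settles on the legacy SHA-1/DH group 2 pair because it is first on both sides; negotiate_strict() reaches the SHA-256/DH group 14 pair instead and adopts Peer B's shorter 28800-second lifetime. The practical lesson is that the weakest acceptable policy wins when it is listed first, so weak policies should be removed rather than merely deprioritised.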

II. How the AH and ESP protocols work

1. Overview:
ESP and AH are the two main protocols for encrypting and authenticating data.
- ESP uses IP protocol number 50 (ESP is carried by IP, with the IP protocol field set to 50).
- AH uses IP protocol number 51 (AH is carried by IP, with the IP protocol field set to 51).
The IPSec protocol suite operates in two main modes: Tunnel Mode and Transport Mode.
- When IPSec operates in Tunnel Mode, ESP encrypts the entire original IP packet (the original IP header and its payload), and a new outer IP header is added in front of the ESP header before the packet is forwarded.
- When IPSec operates in Transport Mode, the original IP header is kept and ESP is inserted between the IP header and the payload of the packet.
2. Overview of the ESP header and AH header

Figure 3-1: AH Tunnel Mode Packet

Figure 3-2: ESP Tunnel Mode Packet


- With ESP, the protocol performs encryption, authentication and integrity protection. After ESP encapsulation, the SPI and sequence number in the ESP header tell the receiver which SA, and therefore which keys and algorithms, to use for decryption and verification.
- Encryption algorithms used by the protocol: DES, 3DES, AES
- Hash algorithms: MD5 or SHA-1
- With AH, the protocol performs only authentication and data integrity protection. AH has no data encryption capability.
3. Authentication Header (AH)
AH is one of the IPSec security protocols. It provides integrity for packet headers and data, and authentication of the data's origin. It can optionally provide replay protection and access protection. AH does not encrypt any part of the packet. In the first version of IPSec, ESP could only provide encryption, not authentication, so AH and ESP were combined to provide both confidentiality and data integrity.
a. AH modes
AH has two modes: Transport and Tunnel.
In Tunnel mode, AH creates a new IP header for each packet.
In Transport mode, AH does not create a new IP header.
In an IPSec architecture that uses gateways, the real source and destination addresses of the packets must be replaced by the gateways' IP addresses. Because Transport mode neither changes the original IP header nor creates a new one, Transport mode is normally used in host-to-host architectures.
AH provides integrity for the whole packet, whichever mode is used (apart from the IP header fields that change in transit).

Figure 3-3: AH Tunnel Mode Packet

Figure 3-4: AH Transport Mode Packet


b. AH authentication and data integrity
Step 1: AH runs the packet (Payload + IP Header) together with the key through a one-way hash (a keyed HMAC) and obtains a digest; this digest is placed in the AH header.
Step 2: The AH header is inserted between the IP header and the payload, and the packet is sent to the other side.
Step 3: After receiving the packet (IP Header + AH Header + Payload), the destination router runs it through the same hash again and obtains its own digest.
Step 4: It compares the digest it just computed with the digest in the packet; if they match, it accepts the packet.
c. AH Header

Figure 3-5: AH Header

- Next Header: an 8-bit field holding the IP protocol number of the header that follows AH. In Tunnel Mode the payload is an IP packet, so Next Header is set to 4 (IP-in-IP). In Transport Mode the payload is always a transport-layer protocol: if it is TCP the value is 6, if it is UDP the value is 17.
- Payload Length: an 8-bit field holding the length of the AH header in 32-bit words minus 2 (4 for the usual 96-bit ICV in IPv4).
- Reserved: a 16-bit field kept for future use (set to all zeros so far).
- Security Parameter Index (SPI): a 32-bit value chosen by the receiving end of each IPSec connection; it serves only to identify the connection. The receiver uses the SPI together with the destination IP address and the IPSec protocol (AH in this case) to determine which SA applies to the packet, that is, which IPSec protocol and which algorithms are used for it.
- Sequence Number: a 32-bit counter incremented by 1 for every AH datagram the sending host emits on the SA; the counter starts at 1. It is never allowed to wrap to 0: when the sender's counter would wrap, it must negotiate a new SA if anti-replay checking is in use. The receiving host uses the sequence number to detect replayed datagrams. If the receiver does not perform the check, it may tell the sender so, but the sender must still increment and send the sequence number.
- Authentication Data: holds the result of the Integrity Check Value (ICV). The field is always a multiple of 32 bits (a word) and must be padded if the ICV length in bytes does not fill it.


d. Operation of the AH protocol

- The best way to understand how AH works is to look at and analyse actual AH packets.

Figure 3-6: Sample AH Transport Mode Packet.


The figure above shows the components of a real AH packet. The sections of the AH packet are: Ethernet header, IP header, AH header and Payload. From the fields of the AH section we can tell that this is a Transport Mode packet, because it contains only one IP header. In this case the payload carries an ICMP echo request (a ping). The original ping carries a sequence of letters that appear in the packet as increasing hex values (e.g. 61, 62, 63). After AH is applied the ICMP payload is unchanged, because AH provides only data integrity, not encryption.

Figure 3-7 : AH Header Fields from Sample Packet.


These are the AH header fields from the first four packets of an AH session between host A and host B. The leading fields of the header are just labels identifying the AH mode.
- SPI: host A uses the hex value cdb59934 as the SPI in all of its packets, while host B uses the hex value a6b32c00 in all of its. This reflects the fact that an AH connection really consists of two one-way connections.
- Sequence Number: both hosts start at 1, and both increment to 2 for their second packet.
- Authentication information: the authentication (integrity) information is a keyed hash over nearly every byte of the packet.
e. AH version 3
A newer AH standard is version 3, developed from a draft version. The differences between version 2 and version 3 are of secondary concern to IPSec administrators and users: some changes to the SPI, and an option for longer sequence numbers.
The version 3 draft also points to another draft that lists the cryptographic algorithms required for AH. That draft mandates support for HMAC-SHA1-96, introduces support for the stronger AES-XCBC-MAC-96, and also introduces HMAC-MD5-96.
f. AH Summary
- AH provides integrity for all of the packet's headers and data, except for those IP header fields that routers change in transit.
- AH includes the source and destination addresses in the integrity service.
- AH is generally not compatible with NAT.
- Today most IPSec implementations support the second version of IPSec, in which ESP can also provide data integrity through authentication.
- AH offers one benefit that ESP does not: integrity protection of the outermost IP header.

4. Encapsulating Security Payload (ESP)

ESP is the second core security protocol. In the first version of IPSec, ESP provided only encryption of the packet payload data; when integrity was needed, AH provided it. In the second version of IPSec, ESP became more flexible: it can perform authentication to provide integrity, although not for the outermost IP header. ESP encryption can be disabled by using the Null ESP encryption algorithm. ESP can therefore provide encryption only; encryption and data integrity; or data integrity only.
a. ESP Mode
ESP has two modes: Transport Mode and Tunnel Mode.
In Tunnel Mode, ESP creates a new IP header for each packet. The new IP header lists the endpoints of the ESP tunnel (such as two IPSec gateways) as the packet's source and destination. Tunnel Mode can be used with all three VPN architecture models.

Figure 3-8: ESP Tunnel Mode Packet

ESP Tunnel Mode is used far more often than ESP Transport Mode. In Transport Mode, ESP uses the original IP header instead of creating a new one. In Transport Mode, ESP can only encrypt and/or integrity-protect the packet contents and some ESP components, but not the IP header. Like AH, ESP in Transport Mode is normally used in host-to-host architectures. Transport Mode is not compatible with NAT.

Figure 3-9: ESP Transport Mode Packet


b. ESP Packet Fields

Figure 3-10: ESP Packet Fields


ESP adds a header and a trailer around the contents of each packet. The ESP header consists of two fields: SPI and Sequence Number.
- SPI (32 bits): each end of an IPSec connection chooses its own SPI value. The receiver uses the SPI together with the destination IP address and the IPSec protocol to identify the unique SA that applies to the packet.
- Sequence Number: used to provide the anti-replay service. When the SA is established the counter is initialised to 0. Before each packet is sent the counter is incremented by 1 and placed in the ESP header. To make sure that no two packets carry the same number, the counter is not allowed to wrap around to 0: once the value 2^32-1 has been used, a new SA and authentication key are established.
The next part of the packet is the Payload, made up of the payload data (encrypted) and the IV (not encrypted). The IV used for encryption is different in each packet.
The third part of the packet is the ESP Trailer, which contains at least two fields:
- Padding (0-255 bytes): added to bring each packet to the required size.
- Pad length: the length of the padding.
- Next header: in Tunnel Mode the payload is an IP packet, so Next Header is set to 4 (IP-in-IP). In Transport Mode the payload is always a layer-4 protocol: 6 if the layer-4 protocol is TCP, 17 if it is UDP. Every ESP trailer carries a Next Header value.
- Authentication data: this field holds the Integrity Check Value (ICV) for the ESP packet. The ICV is computed over the whole ESP packet except its own authentication data field. The ICV starts on a 4-byte boundary and must be a multiple of 32 bits (one word).
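The ESP header and trailer fields above, assembled and parsed for transport mode, as an added example that is not code from the report. It uses the Null ESP encryption algorithm with HMAC-SHA1-96 integrity and shows the receiver's sequence-number handling. The SPI a6b32c00 is the host B value from the report's capture; the key and payload are constructed, and the 64-packet sliding replay window is the RFC 4303 default, an assumption beyond the report's text.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12              # HMAC-SHA1-96 truncated MAC
SEQ_MAX = 2 ** 32 - 1     # last usable sequence number before a new SA is needed
WINDOW = 64               # anti-replay window size (RFC 4303 default; assumed here)


class EspSa:
    """One direction of an ESP connection; each side chooses its own SPI.
    With Null encryption the body travels in the clear, so this SA gives
    integrity and anti-replay protection only."""

    def __init__(self, spi, key):
        self.spi, self.key = spi, key
        self.seq = 0         # sender: initialised to 0 when the SA is set up
        self.highest = 0     # receiver: highest sequence number accepted so far
        self.seen = 0        # receiver: bitmap of accepted numbers below highest

    def _icv(self, data):
        return hmac.new(self.key, data, hashlib.sha1).digest()[:ICV_LEN]

    # sender
    def encapsulate(self, payload, next_header):
        if self.seq == SEQ_MAX:
            raise RuntimeError("sequence number would wrap: establish a new SA")
        self.seq += 1        # incremented before every packet is sent
        # pad so that payload + padding + pad length + next header ends on a
        # 4-byte boundary, which is where the ICV must start
        pad_len = (-(len(payload) + 2)) % 4
        padding = bytes(range(1, pad_len + 1))
        header = struct.pack("!II", self.spi, self.seq)
        body = payload + padding + bytes([pad_len, next_header])   # data + trailer
        return header + body + self._icv(header + body)

    # receiver
    def _replay_ok(self, seq):
        if seq == 0:
            return False                 # 0 is never a valid sequence number
        if seq > self.highest:
            return True                  # newer than anything accepted so far
        offset = self.highest - seq
        return offset < WINDOW and not (self.seen >> offset) & 1

    def _replay_mark(self, seq):
        if seq > self.highest:
            shift = seq - self.highest
            self.seen = ((self.seen << shift) | 1) & ((1 << WINDOW) - 1) if shift < WINDOW else 1
            self.highest = seq
        else:
            self.seen |= 1 << (self.highest - seq)

    def decapsulate(self, packet):
        """Return (next_header, payload) or raise ValueError."""
        header, body, icv = packet[:8], packet[8:-ICV_LEN], packet[-ICV_LEN:]
        spi, seq = struct.unpack("!II", header)
        if spi != self.spi:
            raise ValueError("SPI %#x does not select this SA" % spi)
        if not self._replay_ok(seq):     # cheap check first, before the ICV
            raise ValueError("replayed sequence number %d" % seq)
        if not hmac.compare_digest(icv, self._icv(header + body)):
            raise ValueError("ICV mismatch")
        self._replay_mark(seq)           # the window moves only for verified packets
        pad_len, next_header = body[-2], body[-1]
        return next_header, body[:len(body) - 2 - pad_len]


def receive(sa, packet):
    """Receiver outcome: ("ok", next_header, payload) or ("rejected", reason)."""
    try:
        next_header, payload = sa.decapsulate(packet)
        return "ok", next_header, payload
    except ValueError as err:
        return "rejected", str(err)


def demo():
    """Two packets and a replayed copy of the first; SPI from the report's capture."""
    key = b"constructed-esp-integrity-key"
    tx, rx = EspSa(0xA6B32C00, key), EspSa(0xA6B32C00, key)
    echo = b"abcdefghij"                 # ICMP payload letters; next header 1 = ICMP
    first, second = tx.encapsulate(echo, 1), tx.encapsulate(echo, 1)
    return [receive(rx, first), receive(rx, second), receive(rx, first)]
```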

c. ESP encryption and operation

ESP uses symmetric cryptography to provide data encryption for IPSec packets. For the connection between the two endpoints to be protected by ESP encryption, both sides must therefore use the same key to encrypt and decrypt the packets. When an endpoint encrypts data, it splits the data into small blocks and then performs the encryption operation repeatedly over the data blocks with the key; algorithms that work this way are known as block cipher algorithms. When the other endpoint receives the encrypted data, it decrypts it with the same key and the same process, run in the reverse direction.
Examples of ESP encryption algorithms are AES in Cipher Block Chaining mode (AES-CBC), AES Counter Mode (AES-CTR), and Triple DES (3DES).
Compared with an AH packet, an ESP packet has a similar layout. The sequence of letters can be identified in the AH-protected payload but not in the ESP-protected payload, because in ESP it is encrypted.
An ESP packet contains five sections: Ethernet Header, IP Header, ESP Header, Encrypted Data (Payload and ESP Trailer), and (optionally) authentication information. From the encrypted data alone it cannot be determined whether the packet was sent in Transport Mode or Tunnel Mode. However, since the IP header is not encrypted, the IP protocol field in the header still reveals the protocol used for the payload (here, ESP).

Figure 3-11: ESP Packet Capture


Figure 3-12: ESP Header Fields from Sample Packets


The figure above shows the ESP header fields from the first four packets of an ESP session between host A and host B. The SPI and Sequence Number fields in ESP work in one direction just as they do in AH. Each host uses a different SPI value for its packets, consistent with the ESP connection being made up of two one-way connections.
Both hosts start with sequence number 1 and increment to 2 for their second packet.
d. ESP version 3
A newer ESP standard is version 3, recently added and based on the draft standard. The main functional differences between version 2 and version 3 include the following:
- The ESP version 2 standard required ESP implementations to support encryption-only ESP (without integrity protection). The ESP version 3 standard makes this support optional.
- ESP can use longer sequence numbers, as in the AH version 3 standard.
- ESP version 3 supports combined-mode algorithms (AES Counter with CBC-MAC, AES-CCM), so that encryption and data integrity protection are obtained faster than by running separate algorithms.
e. ESP Summary
- In Tunnel Mode, ESP provides encryption and integrity for the encapsulated IP packet, as well as integrity for the ESP header; ESP can be compatible with NAT.
- In Transport Mode, ESP provides encryption and integrity for the payload of the IP packet, as well as integrity for the ESP header. Transport Mode is not compatible with NAT.
- ESP Tunnel Mode is the most widely used mode of IPSec: because it encrypts the original IP header, it can hide the packet's real source and destination addresses. ESP can also add padding to packets.
- ESP is generally used to provide encryption or integrity (or both).

5. The main modes of IPSec:

a. Transport Mode:
- Transport mode protects the upper-layer protocols and applications. In transport mode the IPSec header is inserted between the IP header and the upper-layer protocol header. Consequently only the IP payload is encrypted, and the original IP header is left intact. Transport mode can be used when both hosts support IPSec.

Figure 3-13: IPSec Transport-mode a generic representation

Transport mode is used to secure the connection between two hosts: ESP in Transport mode protects the traffic between two fixed hosts, protecting the upper-layer protocols of the IP datagram.

Figure 3-14: Transport Mode Tunnel

In Transport Mode, the AH header is inserted into the IP datagram after the IP header and its options.

Figure 3-15: Transport Mode Packet

- The advantage of transport mode is that it adds only a few bytes to each packet, and it lets devices on the network see the final destination address of the packet.

b. Tunnel mode:

Figure 3-16: A Tunnel Mode AH Tunnel

Figure 3-17: An ESP Tunnel Mode VPN (Network A, 10.0.1.0/24, hosts A1 to An behind GW A at 1.1.1.1; Network B, 10.0.2.0/24, hosts B1 to Bm behind GW B at 2.2.2.2; the two gateways are joined across the WAN)


- Unlike transport mode, Tunnel mode protects the entire datagram. The whole IP datagram is encapsulated inside another IP datagram, and an IPSec header is inserted between the original IP header and the new one.


Figure 3-18: IPSec Tunnel Mode a generic representation


- The entire original IP packet is encapsulated by AH or ESP, and a new IP header is wrapped around the datagram. The whole original IP packet is encrypted and becomes the payload of the new IP packet. This mode allows network devices such as routers to act as IPSec proxies, performing encryption on behalf of the hosts: the source router encrypts the packets and sends them along the tunnel, and the destination router decrypts the original IP packet and forwards it to the end system.
- With a tunnel operating between two security gateways, the source and destination addresses can be encrypted.
Example: the flow of a packet sent from host A2 to host B3:

Figure 3-19: Packet Flow from Host A2 to Host B3


- Suppose host A2 sends a TCP segment to host B3. When the IP datagram leaves host A2 for host B3, it has source address 10.0.1.2 and destination address 10.0.2.3. The protocol field in the IP header is 6 (indicating that the next-layer protocol is TCP). Host A2 either has a default route to GWA or a route to 10.0.2.0/24 with GWA as next hop, so the datagram is routed to GWA.
When the datagram reaches GWA, the gateway checks its SPD, which states the policy that any datagram from 10.0.1.0/24 to 10.0.2.0/24 must be encapsulated with tunnel-mode ESP and sent to GWB at 2.2.2.2. After GWA encapsulates the IP datagram, the outer IP header has source address 1.1.1.1 (GWA) and destination address 2.2.2.2 (GWB). The protocol field of the outer IP header is 50 (indicating that ESP is used). The Next Header field of the ESP packet is 4 (indicating that ESP is encapsulating an IP datagram). The inner IP header is unchanged.
When the encapsulated IP datagram arrives at GWB, the gateway sees that it contains an ESP packet, retrieves the authentication and encryption keys from the matching SA, performs the authentication check and decrypts the ESP payload. The outer IP header, ESP header and trailer, and ICV are stripped off, and the inner IP datagram is forwarded to its destination (10.0.2.3).
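The A2-to-B3 flow above carried out in code, as an added example that is not from the report: GWA's SPD lookup, the outer IP header with protocol 50, the ESP Next Header of 4, and GWB's decapsulation checks. The ESP framing uses Null encryption and omits the ICV so the block stays on the headers; the SPI values and the TCP segment bytes are constructed, and the inbound check that the inner addresses match the SA's selectors follows RFC 4301.

```python
import ipaddress
import struct

ESP_PROTO = 50   # outer IP header protocol field
TCP_PROTO = 6    # inner IP header protocol field
IPIP = 4         # ESP Next Header value for an encapsulated IP datagram


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """20-byte IPv4 header, no options; checksum left at 0 in this example."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def parse_ipv4(pkt):
    """Return (src, dst, proto, payload) for a header without options."""
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    return src, dst, pkt[9], pkt[20:]


class Gateway:
    """Security gateway with a tiny SPD.  Each entry is (local subnet, remote
    subnet, peer gateway, outbound SPI, inbound SPI); traffic matching no entry
    is dropped here (a real SPD may also bypass it)."""

    def __init__(self, name, addr, spd):
        self.name, self.addr, self.seq = name, addr, 0
        self.spd = [(ipaddress.ip_network(loc), ipaddress.ip_network(rem), peer, out_spi, in_spi)
                    for loc, rem, peer, out_spi, in_spi in spd]

    def outbound(self, datagram):
        """Tunnel-mode ESP encapsulation towards the peer named by the SPD."""
        src, dst, _, _ = parse_ipv4(datagram)
        for local, remote, peer, out_spi, _ in self.spd:
            if ipaddress.ip_address(src) in local and ipaddress.ip_address(dst) in remote:
                self.seq += 1
                esp_header = struct.pack("!II", out_spi, self.seq)
                pad_len = (-(len(datagram) + 2)) % 4
                trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, IPIP])
                esp = esp_header + datagram + trailer    # Null encryption: sent as-is
                return ipv4_header(self.addr, peer, ESP_PROTO, len(esp)) + esp
        raise ValueError("%s: no SPD policy for %s -> %s, dropped" % (self.name, src, dst))

    def inbound(self, packet):
        """Decapsulate and return (inner datagram, inner destination)."""
        outer_src, outer_dst, proto, esp = parse_ipv4(packet)
        if outer_dst != self.addr or proto != ESP_PROTO:
            raise ValueError("not an ESP packet for this gateway")
        spi, _ = struct.unpack("!II", esp[:8])
        # SA lookup by (destination address, ESP, SPI)
        for local, remote, peer, _, in_spi in self.spd:
            if in_spi == spi and peer == outer_src:
                break
        else:
            raise ValueError("unknown SPI %#x from %s" % (spi, outer_src))
        pad_len, next_header = esp[-2], esp[-1]
        if next_header != IPIP:
            raise ValueError("tunnel-mode SA but Next Header is %d" % next_header)
        inner = esp[8:len(esp) - 2 - pad_len]
        src, dst, _, _ = parse_ipv4(inner)
        # RFC 4301 inbound check: the inner addresses must match the SA's
        # selectors, otherwise a peer could inject traffic for any destination
        if ipaddress.ip_address(src) not in remote or ipaddress.ip_address(dst) not in local:
            raise ValueError("inner %s -> %s violates SA selectors" % (src, dst))
        return inner, dst


def demo():
    """Host A2 (10.0.1.2) to host B3 (10.0.2.3) via GWA (1.1.1.1) and GWB (2.2.2.2)."""
    gwa = Gateway("GWA", "1.1.1.1", [("10.0.1.0/24", "10.0.2.0/24", "2.2.2.2", 0x1001, 0x2002)])
    gwb = Gateway("GWB", "2.2.2.2", [("10.0.2.0/24", "10.0.1.0/24", "1.1.1.1", 0x2002, 0x1001)])
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 8192, 0, 0)  # constructed SYN
    inner = ipv4_header("10.0.1.2", "10.0.2.3", TCP_PROTO, len(tcp)) + tcp
    outer = gwa.outbound(inner)
    delivered, next_hop = gwb.inbound(outer)
    return inner, outer, delivered, next_hop
```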

Comparison of the AH and ESP protocols

Security                               AH    ESP
Layer-3 IP protocol number             51    50
Provides for data integrity            Yes   Yes
Provides for data authentication       Yes   Yes
Provides for data encryption           No    Yes
Protects against data replay attacks   Yes   Yes
Works with NAT                         No    Yes
Works with PAT                         No    No
Protects the IP packet                 Yes   No
Protects only the data                 No    Yes

CHAPTER III: PUBLIC KEY INFRASTRUCTURE


I. Overview of PKI
A Public Key Infrastructure (PKI) is a mechanism by which a third party (usually a certificate authority) provides and verifies the identities of the parties taking part in an exchange of information. The mechanism also allows each user in the system to be assigned a public/private key pair. These processes are usually carried out by software installed at a central site together with software at the users' locations. Public keys are usually distributed in public key certificates, or through the Public Key Infrastructure.
The term public key infrastructure (PKI) is often used to refer to the whole system, including the certificate authority (CA) and the related mechanisms, together with all use of public-key algorithms in information exchange. Including the latter is not entirely accurate, however, because the mechanisms in a PKI do not necessarily use public-key algorithms.
II. Components of PKI
1. Components of PKI
PKIs rely on cryptographic facilities to ensure that public keys are managed securely. These facilities do not all operate at once; between them they perform a broad set of functions related to key distribution management, including:
- authenticating and registering end entities
- verifying the integrity of public keys
- authenticating requests during the custody of public keys
- issuing public keys securely
- revoking public keys that are no longer valid
- maintaining revocation information about public keys (CRL) and distributing it (by issuing CRLs or by answering Online Certificate Status Protocol [OCSP] messages)
- ensuring the security and tracking of keys.
Public Key Certificates:
The aim of asymmetric key exchange is to securely deliver the public key from the sender (who encrypts) to the receiver (who decrypts). A PKI facilitates secure key exchange while ensuring that the exchanging parties are authenticated to each other.
Public key certificates are issued by a Certificate Authority (CA). For a CA to issue a public key certificate to an end entity, the end entity must first register with the CA. The registration process covers the registration, activation and certification of an end entity with the PKI (CAs and RAs). It proceeds as follows:
o The end entity registers with the CA or RA. During registration the end entity presents its identification to the CA. The CA authenticates the end entity and issues the public key to it.
o The end entities begin the initialisation phase by generating a public/private key pair; the public key of the pair is sent to the CA.
o The CA signs the public key certificate with its private key, creating a public key certificate for the end entity.
o End entities can now request public key certificates from other end entities. They can use the CA's public key to decrypt (verify) the public key certificate and obtain the appropriate key.
Registration Authorities:
In many cases the CA provides all the PKI services needed to manage the public keys within the network. In many other cases, however, the CA can delegate work to an RA. Functions the CA can delegate to an RA include:
o verifying that an end entity registering a public key with the CA holds the private key that goes with that public key;
o generating the public/private key pairs used in the initialisation phase of registration;
o validating public key parameters;
o issuing Certificate Revocation Lists (CRLs) on the CA's behalf.
Certificate Authorities:
The CA issues certificates, authenticates PKI clients, and revokes certificates when necessary.
The CA represents the primary source of trust in the PKI, since it is the only element of the PKI that can issue public key certificates to end entities. The CA is also responsible for maintaining the CRL and for serving as CRL Issuer. A PKI need not have just one CA; it can be set up with several CAs.
CAs help establish that the identities of communicating entities are correct. CAs certify not only PKI clients but also other CAs, by issuing digital certificates to them. The certified CAs can in turn certify other CAs, until every entity can trust the other entities involved in a transaction.
2. Aims and functions of PKI
PKI lets participants authenticate one another and use the information in public key certificates to encrypt and decrypt the information they exchange.
PKI lets electronic transactions take place with confidentiality, integrity and mutual authentication, without the parties having to exchange secret information beforehand.
The main aim of PKI is to provide public keys and to establish the link between a key and a user's identity. Users can then employ it in applications such as:
- encrypting email or authenticating the sender of email;
- encrypting or certifying documents;
- authenticating application users;
- secure communication protocols: key exchange with asymmetric keys, encryption with symmetric keys.
PKI includes the following functions:
- generating a private/public key pair for a PKI client;
- creating and validating digital signatures;
- issuing certificates to users;
- recording the keys issued and tracking the use of each key;
- revoking invalid and expired registrations;
- validating PKI clients.
3. Purposes of PKI
PKI is used for:
- Encryption: keeping information secret so that only the holder of the private key can decrypt it.
- Digital signatures: allowing one to check whether a document was created with a particular private key.
- Key agreement: allowing a key to be set up for secure exchange of information between two parties.
III. PKI infrastructure
1. Encryption steps:

Step 1: run the message to be sent through a hash algorithm; the result is a message digest. With MD5 (Message Digest 5) the digest is 128 bits long; with SHA (Secure Hash Algorithm) it is 160 bits long.
Step 2: encrypt the message digest from step 1 with the sender's private key. This step normally uses RSA (or DSA, RC2, 3DES, ...). The result is called the digital signature of the original message.
Step 3: encrypt the information to be sent with the recipient's public key.
Step 4: attach the digital signature to the encrypted message and send it. Once the digital signature has been attached to the encrypted message, any change to the message will be detected during verification. The signature also assures the recipient that the message came from the sender and not from anyone else.
2. Verification steps:
Step 1: the recipient uses their own private key to decrypt the received information, which has two parts: the message and the sender's signature.
Step 2: decrypt the message's digital signature with the sender's public key (which is published to everyone) to obtain the message digest.
Step 3: hash the attached message with MD5 (or SHA) to obtain a message digest.
Step 4: compare the results of steps 2 and 3; if they match, we conclude that the message was not altered in transit and that it came from the sender.
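The four signing steps and four verification steps above traced in code, as an added example that is not from the report. It uses textbook RSA (no padding) with SHA-1, which matches the report's description of "encrypting the digest with the private key"; the key pairs are built from fixed Mersenne primes so that the block runs offline, which is an assumption for illustration only, as real keys are generated randomly and used with a padding scheme. The message and the tampering in the checks are constructed.

```python
import hashlib
import struct

# Constructed key material: textbook RSA with fixed Mersenne primes so the
# example runs offline.  Real keys are generated randomly and used with a
# padding scheme; this is only to trace the report's eight steps.
E = 65537
SENDER_PRIMES = (2 ** 89 - 1, 2 ** 107 - 1)
RECIPIENT_PRIMES = (2 ** 61 - 1, 2 ** 127 - 1)
CHUNK = 16    # plaintext bytes per RSA block (2**128 is below every modulus here)
BLOCK = 32    # ciphertext bytes per RSA block (every modulus is below 2**256)


def make_keypair(p, q):
    """Return (public, private) as (exponent, modulus) tuples."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (E, n), (d, n)


def rsa_apply(key, blob, in_size):
    """Raise each in_size-byte block of blob to the key's exponent mod n and
    emit it as a BLOCK-byte integer.  Serves both 'encrypt' and 'decrypt'."""
    exp, n = key
    out = b""
    for i in range(0, len(blob), in_size):
        m = int.from_bytes(blob[i:i + in_size], "big")
        out += pow(m, exp, n).to_bytes(BLOCK, "big")
    return out


def encrypt(pub, data):
    """Length-prefix, pad to whole chunks, then RSA each chunk."""
    framed = struct.pack("!I", len(data)) + data
    framed += b"\x00" * (-len(framed) % CHUNK)
    return rsa_apply(pub, framed, CHUNK)


def decrypt(priv, blob):
    raw = rsa_apply(priv, blob, BLOCK)
    # each decrypted chunk sits right-aligned in a BLOCK-byte field
    framed = b"".join(raw[i + BLOCK - CHUNK:i + BLOCK] for i in range(0, len(raw), BLOCK))
    length, = struct.unpack("!I", framed[:4])
    return framed[4:4 + length]


def sign_and_encrypt(message, sender_priv, recipient_pub):
    digest = hashlib.sha1(message).digest()                  # step 1: 160-bit digest
    signature = rsa_apply(sender_priv, digest, len(digest))  # step 2: digest under sender's private key
    ciphertext = encrypt(recipient_pub, message)             # step 3: message under recipient's public key
    return ciphertext + signature                            # step 4: signature attached and sent


def receive_and_verify(blob, recipient_priv, sender_pub):
    ciphertext, signature = blob[:-BLOCK], blob[-BLOCK:]     # step 1: split the two parts ...
    message = decrypt(recipient_priv, ciphertext)            #         ... and decrypt with own private key
    recovered = rsa_apply(sender_pub, signature, BLOCK)[-20:]  # step 2: signature under sender's public key
    digest = hashlib.sha1(message).digest()                  # step 3: hash the received message
    return message, recovered == digest                      # step 4: compare the two digests
```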

CHAPTER IV: DYNAMIC MULTIPOINT VIRTUAL PRIVATE NETWORK

I. OVERVIEW OF DMVPN


1. What is DMVPN?
Dynamic Multipoint Virtual Private Network (DMVPN) is a combination of the technologies IPSec, mGRE and NHRP. Together they make it easy to deploy IPSec in a virtual private network.
2. Advantages of DMVPN
When the network has many sites and an encrypted tunnel is built between every pair of sites, the number of tunnels is n(n-1)/2.
Example: with the topology in the figure below (3 tunnels shown), we get n(n-1)/2 = 6 tunnels.

3. Technologies used

IPSec (Internet Protocol Security)
A protocol that protects packets against modification at the IP layer. In Tunnel mode, based on public-key cryptography, both the contents and the header of the packet are encrypted, so both ends are protected.
mGRE (multipoint Generic Routing Encapsulation)
A tunnelling protocol that encapsulates various packet types into one form inside IP tunnels, creating point-to-point virtual links to remote routers over an IP network.
NHRP (Next Hop Resolution Protocol)
A protocol used by routers to discover the MAC address of other routers and hosts.
4. How DMVPN works
DMVPN is a software solution in Cisco IOS.
DMVPN relies on two proven Cisco technologies:
- Next Hop Resolution Protocol (NHRP)
o The hub maintains a database of the real (public) addresses of all spokes.
  - Each spoke registers its real address when it boots.
  - Spokes then query the NHRP database for the real address of the destination spoke in order to build a direct tunnel.
o Multipoint GRE Tunnel Interface
  - Allows one GRE interface to support multiple IPSec tunnels.
  - Reduces the size and complexity of the configuration.
- DMVPN does not change the IPSec VPN tunnel standards, but it changes how they are configured.
- Spokes have a permanent IPSec tunnel to the hub, but not to the other spokes. Spokes act as clients of the NHRP server.
- When a spoke needs to send a packet to a destination (private) subnet behind another spoke, it asks NHRP for the real address of the destination spoke.
- The source spoke can then initiate a dynamic IPSec tunnel to the destination spoke.
- The spoke-to-spoke tunnel is built over the mGRE tunnel.
5. Routing with DMVPN
- Dynamic routing is required over the hub-to-spoke tunnels.
- A spoke learns all the private networks behind the other spokes and the hub through routing updates sent by the hub.
- The IP next hop for a spoke's network is that spoke's tunnel interface address.
- Routing protocols used:
o Enhanced Interior Gateway Routing Protocol (EIGRP)
o Open Shortest Path First (OSPF)
o Border Gateway Protocol (BGP)
o Routing Information Protocol (RIP)


6. DMVPN phases
o Phase 1: hub-and-spoke functionality
o Phase 2: spoke-to-spoke functionality
o Phase 3: spoke-to-spoke with scalability for larger networks
IPSec + GRE in DMVPN phase 1
Hub-to-spoke
Characteristics:
- All traffic must pass through the hub
- Easy to deploy
- Small hub configuration file
Advantages of DMVPN phase 1
- Simple, compact hub and spoke configuration
- Support for multicast traffic from the hub to the spokes
- Support for dynamically addressed spokes

Phase 2:
In phase 2, NHRP brings up the NHC-to-NHS tunnels, and a dynamic routing protocol is normally used to advertise the routing information for all the networks behind the hub and all the spokes. This information includes, for each destination network, the IP next hop of the destination spoke.
When a packet is forwarded, the outbound interface and IP next hop are taken from the routing table. If the outbound interface is an NHRP interface, the router looks for an NHRP mapping for the IP next hop. If there is no matching entry in the NHRP mapping table, NHRP is triggered to send an NHRP resolution request for the mapping (IP next hop address to physical-layer address). The NHRP resolution reply packet carries this mapping, and once it is received the spoke has all the information it needs to encapsulate the data correctly and send it directly to the remote spoke across the network infrastructure.
Phase 3:
NHRP brings up the NHC-to-NHS tunnels, and a dynamic routing protocol is used to advertise the routing information for all the networks behind all the spokes to the hub. The hub then sends this routing information back to the spokes, but in this case the hub can summarise the routes, and it sets the IP next hop of all destination networks to the NHS (the hub). This reduces the amount of routing information the hub has to distribute to the spokes and reduces the routing-protocol update load on the hub.
When a data packet is forwarded, the outbound interface and IP next hop are taken from the routing table entry. If the outbound interface is an NHRP interface, the router looks for an NHRP mapping for the IP next hop. In this case the IP next hop is the hub, for which an NHRP mapping already exists (the spoke already has a tunnel to the hub), so the spoke simply sends the data packet to the hub.
The hub receives the data packet and checks its routing table. Since the packet is destined for a network behind another spoke, the hub forwards it out of the NHRP interface to the next hop in the direction of that spoke. At this point the hub notices that the packet arrived on and is leaving through the same NHRP interface. That means the data packet takes at least two hops in the NHRP network, so the path through the hub is not optimal, and the hub sends an NHRP redirect message back to the source spoke. This redirect message tells the spoke the destination IP address of the data packet that triggered it.
When the spoke receives the NHRP redirect, it creates and sends an NHRP resolution request for the destination IP address given in the redirect. The resolution request is forwarded to the remote spoke that serves the destination network.
The remote spoke generates an NHRP resolution reply with its NBMA address and the whole subnet (from its routing table) that matches the destination IP address in the resolution request. The remote spoke then sends the resolution reply directly back to the local spoke. At this point the local spoke has all the information it needs to send data traffic directly over the newly created spoke-to-spoke path.
The IP routing table and the routes learned via the hub are essential for building spoke-to-spoke tunnels, so the availability of the NHS (the hubs) is critical to the operation of the NHRP network. With a single hub, if that hub goes down the spoke removes the routes it learned from the hub from its routing table, because losing the hub is like losing a routing neighbour. The spoke does not, however, remove any spoke-to-spoke tunnels (NHRP mappings) that are still working. Although the spoke-to-spoke tunnel still exists it is not used, because there is no longer a route to the destination network in the routing table. In addition, the removal of the routing table entries does not trigger anything in NHRP; the result is that the NHRP mappings time out while the hub is down.
In phase 2, if there is a route in the routing table (possibly a static route) with the correct IP next hop, the spoke can still use the spoke-to-spoke tunnel even when the hub is down. NHRP will find it hard to refresh the NHRP mapping entry, though, because NHRP resolution requests and replies have to go through the hub.
In phase 3 we only need a route out of the tunnel interface, not the exact IP next hop (NHRP ignores the IP next hop in phase 3). NHRP can refresh the NHRP mapping because resolution requests and replies travel directly over the spoke-to-spoke tunnel.
If there are two (or more) NHS hubs in one NBMA network (one mGRE, Frame Relay or ATM interface), then after the first hub goes down the spoke router removes the routes it learned from that hub from its routing table, but it learns the same routes (with a higher metric) from the second hub. Routing is re-established immediately, so spoke-to-spoke traffic continues to flow over the spoke-to-spoke tunnels, unaffected by the loss of the first hub.
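A simplified model of the phase 3 exchange described above (registration, hairpin through the hub, redirect, resolution, direct path), as an added example that is not Cisco's implementation and does not reproduce NHRP packet formats. The hub's tunnel and NBMA addresses are those used in the report's configuration; the spoke addresses and subnets are constructed.

```python
import ipaddress


def longest_match(table, ip):
    """Routing-table style lookup: the most specific subnet in table that
    contains ip, or None.  table is any iterable of ip_network objects."""
    addr = ipaddress.ip_address(ip)
    matches = [net for net in table if addr in net]
    return max(matches, key=lambda net: net.prefixlen) if matches else None


class Hub:
    """NHS: the registration database (tunnel IP -> NBMA IP) and a summarised
    routing table that points every spoke subnet at the hub itself."""

    def __init__(self, tunnel_ip, nbma_ip):
        self.tunnel_ip, self.nbma_ip = tunnel_ip, nbma_ip
        self.nhrp_db = {}    # tunnel IP -> NBMA IP, filled by spoke registrations
        self.routes = {}     # subnet -> tunnel IP of the spoke that owns it

    def register(self, spoke):
        self.nhrp_db[spoke.tunnel_ip] = spoke.nbma_ip
        for subnet in spoke.subnets:
            self.routes[subnet] = spoke.tunnel_ip

    def forward(self, dst_ip):
        """A data packet arrived on the mGRE interface.  The hub forwards it to
        the owning spoke, and because the packet leaves by the same NHRP
        interface it also sends an NHRP redirect to the sending spoke."""
        subnet = longest_match(self.routes, dst_ip)
        if subnet is None:
            raise ValueError("no route to %s" % dst_ip)
        return self.routes[subnet], True     # (next-hop spoke, redirect sent)


class Spoke:
    """NHC: a static mapping to the hub only; spoke-to-spoke mappings are
    learnt from NHRP resolution replies."""

    def __init__(self, tunnel_ip, nbma_ip, subnets, hub):
        self.tunnel_ip, self.nbma_ip, self.hub = tunnel_ip, nbma_ip, hub
        self.subnets = [ipaddress.ip_network(s) for s in subnets]
        self.shortcuts = {}  # subnet -> (remote tunnel IP, remote NBMA IP)
        hub.register(self)   # registration at start-up (ip nhrp nhs / ip nhrp map)

    def send(self, dst_ip, spokes):
        """Return the NBMA path a data packet takes; spokes maps tunnel IP -> Spoke."""
        subnet = longest_match(self.shortcuts, dst_ip)
        if subnet is not None:
            return [self.nbma_ip, self.shortcuts[subnet][1]]     # direct path
        # the routing table says 'via hub', so the first packet hairpins
        owner, redirect = self.hub.forward(dst_ip)
        path = [self.nbma_ip, self.hub.nbma_ip, spokes[owner].nbma_ip]
        if redirect:
            self.resolve(dst_ip, spokes[owner])
        return path

    def resolve(self, dst_ip, remote):
        """The resolution request goes out via the hub; the remote spoke replies
        directly with its NBMA address and the whole matching subnet."""
        subnet = longest_match(remote.subnets, dst_ip)
        self.shortcuts[subnet] = (remote.tunnel_ip, remote.nbma_ip)
```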
II. DMVPN configuration
1. IPSec configuration:
Step 1: crypto ipsec profile name → specifies the name of the IPSec profile
Router(config)# crypto ipsec profile vpnprof
Step 2: set transform-set transform-set-name → specifies which transform set is used with IPSec.
Router(config-crypto-map)# set transform-set trans2
Step 3: set identity → specifies the identity
Router(config-crypto-map)# set identity
Step 4: set security-association lifetime {seconds seconds | kilobytes kilobytes} → sets the lifetime of the SA.
Router(config-crypto-map)# set security-association lifetime seconds 1800
Step 5: set pfs [group1 | group2] → sets the perfect forward secrecy group
Router(config-crypto-map)# set pfs group2
2. mGRE hub configuration
Step 1: interface tunnel number → creates the tunnel interface
Router(config)# interface tunnel 5
Step 2: ip address ip-address mask [secondary] → sets the tunnel address
Router(config-if)# ip address 10.0.0.2 255.255.255.0
Step 3: ip mtu bytes → sets the maximum number of bytes carried in one frame
Router(config-if)# ip mtu 1416
Step 4: ip nhrp authentication string → sets the authentication string for the interface running NHRP
Router(config-if)# ip nhrp authentication donttell
Step 5: ip nhrp map hub-tunnel-ip-address hub-physical-ip-address → maps the hub's tunnel address to its physical address
Router(config-if)# ip nhrp map 10.0.0.1 172.17.0.1
Step 6: ip nhrp map multicast hub-physical-ip-address → enables the routing protocol between spoke and hub by sending multicast packets to the hub
Router(config-if)# ip nhrp map multicast 172.17.0.1
Step 7: ip nhrp nhs hub-tunnel-ip-address → configures the hub as the NHRP next-hop server
Router(config-if)# ip nhrp nhs 10.0.0.1
Step 8: tunnel key key-number → sets the key ID for the tunnel interface
Router(config-if)# tunnel key 1000
Step 9: tunnel mode gre multipoint → sets the tunnel interface's encapsulation mode to mGRE
Router(config-if)# tunnel mode gre multipoint
Step 10: tunnel protection ipsec profile name → attaches the tunnel interface to the IPSec profile
Router(config-if)# tunnel protection ipsec profile vpnprof


3. mGRE spoke configuration
Step 1: interface tunnel number
Router(config)# interface tunnel 5
Step 2: ip address ip-address mask [secondary]
Router(config-if)# ip address 10.0.0.2 255.255.255.0
Step 3: ip mtu bytes
Router(config-if)# ip mtu 1416
Step 4: ip nhrp authentication string
Router(config-if)# ip nhrp authentication donttell
Step 5: ip nhrp map hub-tunnel-ip-address hub-physical-ip-address
Router(config-if)# ip nhrp map 10.0.0.1 172.17.0.1
Step 6: ip nhrp map multicast hub-physical-ip-address
Router(config-if)# ip nhrp map multicast 172.17.0.1
Step 7: ip nhrp nhs hub-tunnel-ip-address
Router(config-if)# ip nhrp nhs 10.0.0.1
Step 8: ip nhrp network-id number → enables NHRP on the interface
Router(config-if)# ip nhrp network-id 99
Step 9: tunnel source {ip-address | type number}
Router(config-if)# tunnel source ethernet 0
Step 10: tunnel key key-number
Router(config-if)# tunnel key 1000
Step 11: tunnel mode gre multipoint
Router(config-if)# tunnel mode gre multipoint
or
tunnel destination hub-physical-ip-address
Router(config-if)# tunnel destination 172.17.0.1
Step 12: tunnel protection ipsec profile name
Router(config-if)# tunnel protection ipsec profile vpnprof
III. Next Hop Resolution Protocol
1. NHRP and NBMA networks
NHRP is an ARP-like (Address Resolution Protocol) protocol that reduces the problems of NBMA networks. With NHRP, systems dynamically learn the NBMA addresses of the other systems attached to the NBMA network, allowing those systems to communicate directly without the traffic having to pass through an intermediate hop.
NHRP provides two functions for NBMA networks:
- NHRP works like an address resolution protocol that lets Next Hop Clients (NHCs) register dynamically with Next Hop Servers (NHSs). This lets NHCs join the NBMA network without any configuration change on the NHSs, which matters particularly when NHCs have dynamic physical IP addresses or sit behind a router doing Network Address Translation (NAT) that changes their physical IP address. In those cases the logical Virtual Private Network (VPN IP) to physical (NBMA IP) mapping for the NHC cannot be preconfigured on the NHS. This function is called NHRP registration.
- NHRP is a resolution protocol that lets one NHC (spoke) locate the logical VPN IP to NBMA IP mapping of another NHC (spoke) in the same NBMA network. Without this resolution, IP packets travelling from hosts behind one spoke to hosts behind another spoke would have to go through the NHS (hub). That increases the hub's bandwidth usage and the CPU load of processing those packets; this is commonly called hairpinning. With NHRP, systems dynamically learn the NBMA addresses of the other systems attached to the NBMA network, allowing them to communicate directly without the traffic passing through an intermediate hop. This reduces the load on the intermediate hop (NHS) and can raise the total bandwidth of the NBMA network above the bandwidth of the hub.
2. Benefits of NHRP for NBMA networks

Routers, access servers and hosts can use NHRP to discover the addresses of other routers and hosts connected to an NBMA network. An NBMA network is often configured with several logical networks to provide full network-layer connectivity. In such configurations packets may take several hops across the NBMA network before reaching the egress router (the router closest to the destination network).
A network is considered NonBroadcast Multi-Access (NBMA) because it does not support broadcasting (e.g. an IP mGRE tunnel network) or because broadcasting is too expensive (e.g. an overly large SMDS broadcast group).
NHRP provides an ARP-like service that reduces the problems of NBMA networks. With NHRP, systems dynamically learn the addresses of the other systems attached to the NBMA network, allowing them to communicate directly without the traffic passing through an intermediate hop.

3. Next Hop Server selection

An NHRP resolution request travels through one or more hops (hubs) in the hub-and-spoke NBMA subnetwork before a reply is generated for the requesting station. Each station (including the source station) chooses a neighbouring NHS to which it forwards the request. The NHS selection method typically follows the routing for the network-layer destination address in the NHRP request. The resolution request eventually reaches a station that generates an NHRP resolution reply. The replying station uses the destination address from the NHRP packet to determine where to send the reply.
The figure below illustrates four routers connected to an NBMA network.

Within the network, the routers' IP connectivity requires them to communicate by tunnelling IP packets inside IP packets over GRE tunnels. The routers support the IP tunnel connections (see hop 1, hop 2 and hop 3 in the figure). When router A tries to forward an IP packet from the source host to the destination host, NHRP is triggered. On behalf of the source host, router A sends an NHRP resolution request packet encapsulated in a GRE IP packet, which in the figure travels three hops across the network to router D, which is connected to the destination host. After router A receives the NHRP resolution reply, it determines that router D is the NBMA IP next hop, and router A sends the subsequent data IP packets to router D as the GRE IP next hop.
Once NHRP has determined the NBMA next hop, the source host can either start sending data packets to the destination (for connectionless NBMA networks such as IP GRE and SMDS) or set up a virtual circuit to the destination. That connection is configured with the required bandwidth and quality of service for connection-oriented NBMA networks such as Frame Relay, ATM, or DMVPN, where an IPSec encryption peering must be established.

4. NHRP used with a DMVPN

- NHRP is well suited to building VPNs. A VPN here is a virtual layer-3 network built on top of a physical layer-3 network. The addressing used across the VPN is independent of the underlying network, and the protocols run over it are completely independent of it. The VPN (DMVPN) is based on GRE logical tunnels, which can be protected by adding IPSec to encrypt the GRE IP tunnels.
- Attached to the NBMA network are one or more stations that implement NHRP and act as NHSs and NHCs. All routers running Cisco IOS release 10.3 or later can implement NHRP, so they can act as NHSs or NHCs. The DMVPN platform (GRE IP + IPSec) that NHRP uses requires release 12.3(9), 12.3(8), or later.
5. NHRP Registration

NHRP registration requests are sent from NHCs to NHSs every one-third of the holdtime (ip nhrp holdtime value), unless the ip nhrp registration timeout value command is configured, in which case they are sent at the configured interval. If no NHRP registration reply is received for a registration request, the request is retransmitted at timeouts of 1, 2, 4, 8, 16, 32 and 64 seconds, after which the sequence starts again from the beginning.
An NHS is declared down if no NHRP registration reply is received after 3 retransmissions (7 seconds), and NHRP resolution packets are no longer sent to it. Registration requests continue to be sent at intervals of 0, 1, 2, 4, 8, 16, 32 and 64 seconds to probe the NHS until a registration reply is received. As soon as a registration reply is received the NHS is declared up again, registration requests return to being sent every one-third of the holdtime (or at the value configured with ip nhrp registration timeout), and NHRP resolution requests are sent to that NHS again.
Use the command show ip nhrp nhs [detail] to check the state of the NHSs.
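The registration timer just described, as an added example that is not part of the report: a small Python model of one NHC's behaviour towards its NHS. The holdtime, the set of request times the NHS answers and the length of the observation window are constructed inputs; the 1-2-4-8-16-32-64 second backoff and the rule that three unanswered retransmissions (7 seconds) mark the NHS down are taken from the text.

```python
"""Model of the NHC registration tim	er described in section 5 (added example, constructed inputs)."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

RETRANSMIT_BACKOFF = (1, 2, 4, 8, 16, 32, 64)   # seconds; the sequence restarts afterwards
NHS_DOWN_AFTER_RETRANSMISSIONS = 3              # 1 + 2 + 4 = 7 s without any reply


@dataclass
class NhsState:
    up: bool = True
    events: List[Tuple[int, str]] = field(default_factory=list)

    def request_times(self) -> List[int]:
        return [t for t, ev in self.events if ev == "registration-request"]


def registration_interval(holdtime: int, registration_timeout: Optional[int] = None) -> int:
    """Requests go out every holdtime/3 unless 'ip nhrp registration timeout' overrides it."""
    return registration_timeout if registration_timeout is not None else holdtime // 3


def simulate(holdtime: int, reply_at: Set[int], duration: int,
             registration_timeout: Optional[int] = None) -> NhsState:
    """Walk the timeline in whole seconds.

    reply_at is the constructed set of request send-times the NHS answers (replies are
    treated as instantaneous). The returned state carries an ordered list of
    (time, event) tuples and the current up/down verdict for the NHS.
    """
    state = NhsState()
    interval = registration_interval(holdtime, registration_timeout)
    t = 0
    retransmissions_sent = 0      # retransmissions in the current unanswered burst
    backoff_index = 0

    while t <= duration:
        state.events.append((t, "registration-request"))
        if t in reply_at:
            if not state.up:          # a reply brings the NHS back up immediately
                state.up = True
                state.events.append((t, "nhs-up"))
            retransmissions_sent, backoff_index = 0, 0
            t += interval             # back to the normal registration interval
            continue

        # No reply: declare the NHS down once three retransmissions also went unanswered.
        if state.up and retransmissions_sent >= NHS_DOWN_AFTER_RETRANSMISSIONS:
            state.up = False
            state.events.append((t, "nhs-down"))   # resolution requests stop here

        t += RETRANSMIT_BACKOFF[backoff_index]      # keep probing: 1, 2, 4, ... 64, 1, ...
        backoff_index = (backoff_index + 1) % len(RETRANSMIT_BACKOFF)
        retransmissions_sent += 1

    return state


def resolution_allowed(state: NhsState) -> bool:
    """NHRP resolution packets are only sent to an NHS that is currently up."""
    return state.up


if __name__ == "__main__":
    # Constructed scenario: holdtime 600 s, the NHS answers at t=0 and t=200,
    # then goes silent until it answers the probe sent at t=415.
    result = simulate(holdtime=600, reply_at={0, 200, 415}, duration=600)
    for when, event in result.events:
        print(f"t={when:4d}s  {event}")
```

With holdtime 600 the normal interval is 200 s; after the request at t=400 goes unanswered the NHC retransmits at 401, 403 and 407, marks the NHS down at 407, and marks it up again at 415 when the next probe is answered.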
PART II: PRACTICE

1. Basic lab exercise:

Configuring a GRE Tunnel to a Remote Site

Steps to configure the GRE tunnel:

Step 1: configure the routers so that they can ping each other.
For Router P:
Router#config terminal
Router(config)#hostname RP
RP(config)#interface f0/1
RP(config-if)#ip address 172.30.1.2 255.255.255.0
RP(config-if)#no shut
RP(config-if)#exit
RP(config)#int f0/0
RP(config-if)#ip address 10.0.1.2 255.255.255.0
RP(config-if)#no shut
RP(config-if)#exit
RP(config)#ip route 0.0.0.0 0.0.0.0 172.30.1.1
For Router Q:
Router#config terminal
Router(config)#hostname RQ
RQ(config)#interface f0/1
RQ(config-if)#ip address 172.30.6.2 255.255.255.0
RQ(config-if)#no shut
RQ(config-if)#exit
RQ(config)#interface f0/0
RQ(config-if)#ip address 10.0.6.2 255.255.255.0
RQ(config-if)#no shut
RQ(config-if)#exit
RQ(config)#ip route 0.0.0.0 0.0.0.0 172.30.6.1
Step 2: configure the tunnel interfaces.
For Router P:
RP(config)#interface tunnel 0
RP(config-if)#ip address 172.16.1.1 255.255.255.0
RP(config-if)#tunnel source 172.30.1.2
RP(config-if)#tunnel destination 172.30.6.2
RP(config-if)#no shut
RP(config-if)#exit
For Router Q:
RQ(config)#interface tunnel 0
! 172.61.1.6 is the address the lab used, but it is not in the 172.16.1.0/24 subnet of
! RP's tunnel address. The ping in step 3 still succeeds because the static routes point
! at the point-to-point Tunnel0 interface rather than at a next-hop address; normally
! both tunnel ends share one subnet (e.g. 172.16.1.6).
RQ(config-if)#ip address 172.61.1.6 255.255.255.0
RQ(config-if)#tunnel source 172.30.6.2
RQ(config-if)#tunnel destination 172.30.1.2
RQ(config-if)#no shut
RQ(config-if)#exit
Step 3: configure the static routes.
RP(config)#ip route 10.0.6.0 255.255.255.0 tunnel 0
RQ(config)#ip route 10.0.1.0 255.255.255.0 tunnel 0
RP(config)#exit
Testing
Give RP's PC the address 10.0.1.12 and RQ's PC the address 10.0.6.12.
Ping 10.0.6.12 from 10.0.1.12.
The ping succeeds.
Verify operation:
RP#show run
hostname RP
interface Tunnel0
ip address 172.16.1.1 255.255.255.0
tunnel source 172.30.1.2
tunnel destination 172.30.6.2
!
interface FastEthernet0/0
ip address 10.0.1.2 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 172.30.1.2 255.255.255.0
duplex auto
speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.30.1.1
ip route 10.0.6.0 255.255.255.0 Tunnel0
!
RQ#show run
hostname RQ
!
interface Tunnel0
ip address 172.61.1.6 255.255.255.0
tunnel source 172.30.6.2
tunnel destination 172.30.1.2
!
interface FastEthernet0/0
ip address 10.0.6.2 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 172.30.6.2 255.255.255.0
duplex auto
speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.30.6.1
ip route 10.0.1.0 255.255.255.0 Tunnel0
!
Check the tunnel interface:
RP#show interface tunnel 0
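What the tunnel configured above actually sends across the 172.30.x.x network, as an added example (not code from the lab): a Python script that builds a GRE-over-IPv4 packet with the lab's outer addresses (172.30.1.2 to 172.30.6.2) around an ICMP echo from 10.0.1.12 to 10.0.6.12, then decapsulates it the way RQ would. The ICMP payload is constructed. Plain GRE adds only a 4-byte header, so the inner addresses and data are readable to anyone on the path; that is the gap the IPSec labs that follow close.

```python
"""GRE-over-IPv4 encapsulation and decapsulation (added example, constructed packets)."""
import socket
import struct

IPPROTO_GRE = 47            # outer IP protocol number for GRE
ETHERTYPE_IPV4 = 0x0800     # GRE protocol type for an inner IPv4 packet
IPPROTO_ICMP = 1


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (used for both the IP header and ICMP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def icmp_echo(data: bytes, ident: int = 1, seq: int = 1) -> bytes:
    """ICMP echo request (type 8) carrying 'data'."""
    hdr = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = inet_checksum(hdr + data)
    return hdr[:2] + struct.pack("!H", csum) + hdr[4:] + data


def gre_encapsulate(outer_src: str, outer_dst: str, inner_packet: bytes) -> bytes:
    """Wrap an IPv4 packet in GRE: outer IP header + 4-byte GRE header (no key/seq/checksum)."""
    gre_header = struct.pack("!HH", 0x0000, ETHERTYPE_IPV4)
    outer = ipv4_header(outer_src, outer_dst, IPPROTO_GRE, len(gre_header) + len(inner_packet))
    return outer + gre_header + inner_packet


def gre_decapsulate(packet: bytes):
    """Return (outer_src, outer_dst, inner_packet); raises ValueError on a malformed packet."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_GRE:
        raise ValueError("outer protocol is not GRE")
    if inet_checksum(packet[:ihl]) != 0:
        raise ValueError("outer IP header checksum mismatch")
    flags, proto_type = struct.unpack("!HH", packet[ihl:ihl + 4])
    if proto_type != ETHERTYPE_IPV4:
        raise ValueError("unsupported GRE protocol type 0x%04x" % proto_type)
    offset = ihl + 4
    for bit in (0x8000, 0x2000, 0x1000):    # C, K and S bits each add a 4-byte field
        if flags & bit:
            offset += 4
    return socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20]), packet[offset:]


def build_lab_packet(data: bytes = b"lab-ping-data") -> bytes:
    """The ping from step 3 of the lab as RP would forward it into Tunnel0 (constructed)."""
    icmp = icmp_echo(data)
    inner = ipv4_header("10.0.1.12", "10.0.6.12", IPPROTO_ICMP, len(icmp)) + icmp
    return gre_encapsulate("172.30.1.2", "172.30.6.2", inner)


def summarize(packet: bytes) -> dict:
    """What an observer on the 172.30.x.x path can read from a plain GRE packet."""
    outer_src, outer_dst, inner = gre_decapsulate(packet)
    inner_ihl = (inner[0] & 0x0F) * 4
    return {
        "outer": (outer_src, outer_dst),
        "inner": (socket.inet_ntoa(inner[12:16]), socket.inet_ntoa(inner[16:20])),
        "inner_proto": inner[9],
        "payload": inner[inner_ihl + 8:],   # bytes after the 8-byte ICMP header
        "length": len(packet),
    }


if __name__ == "__main__":
    print(summarize(build_lab_packet()))
```

The 65-byte result is 20 bytes of outer IP header, 4 bytes of GRE, 20 bytes of inner IP header, 8 bytes of ICMP header and the 13-byte payload; nothing in it is encrypted or authenticated.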
2. Lab: configuring Windows Server 2003 as a CA server

The topology is as follows:

Equipment: 2 Router 2800s, 1 Switch 3550, 1 Windows Server 2003
Client 1:
Router#config terminal
Router(config)#hostname client1
client1(config)#interface f0/1
client1(config-if)#ip address 172.30.2.2 255.255.255.0
client1(config-if)#no shut
client1(config-if)#exit
client1(config)#interface f0/0
client1(config-if)#ip address 192.168.1.2 255.255.255.0
client1(config-if)#no shut
client1(config-if)#exit
! configure the domain name for the router
client1(config)#ip domain-name cisco.com
client1(config)#ip host caserver 172.30.1.2
! configure the trustpoint
client1(config)#crypto ca trustpoint CA
client1(ca-trustpoint)#enrollment url http://172.30.1.2/certsrv/mscep/mscep.dll
client1(ca-trustpoint)#subject-name cn=client1@vnpro.org
client1(ca-trustpoint)#exit
! fetch the CA certificate; compare the fingerprint IOS displays with the CA's own before accepting it
client1(config)#crypto ca authenticate CA
! obtain the router's own certificate (required for rsa-sig, the default ISAKMP authentication);
! an RSA key pair must exist first
client1(config)#crypto key generate rsa
client1(config)#crypto ca enroll CA
! configure the VPN; authentication is left at its default, rsa-sig, so the certificates are used
client1(config)#crypto isakmp policy 10
client1(config-isakmp)#hash md5
client1(config-isakmp)#exit
! esp-des/esp-md5-hmac are what the lab used; both are obsolete and belong only in a lab
client1(config)#crypto ipsec transform-set myset esp-des esp-md5-hmac
client1(config-crypto-trans)#exit
client1(config)#crypto map mymap 10 ipsec-isakmp
client1(config-crypto-map)#set peer 172.30.3.2
client1(config-crypto-map)#set transform-set myset
client1(config-crypto-map)#match address 101
client1(config-crypto-map)#exit
client1(config)#access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
! apply the crypto map to the outside interface
client1(config)#interface f0/1
client1(config-if)#crypto map mymap
client1(config-if)#exit
client1(config)#
Client 2:
Router#config terminal
Router(config)#hostname client2
client2(config)#interface f0/1
client2(config-if)#ip address 172.30.3.2 255.255.255.0
client2(config-if)#no shut
client2(config-if)#exit
client2(config)#interface f0/0
client2(config-if)#ip address 192.168.2.2 255.255.255.0
client2(config-if)#no shut
client2(config-if)#exit
! configure the domain name for the router
client2(config)#ip domain-name cisco.com
client2(config)#ip host caserver 172.30.1.2
! configure the trustpoint; each router needs its own subject name
client2(config)#crypto ca trustpoint CA
client2(ca-trustpoint)#enrollment url http://172.30.1.2/certsrv/mscep/mscep.dll
client2(ca-trustpoint)#subject-name cn=client2@vnpro.org
client2(ca-trustpoint)#exit
! fetch the CA certificate; compare the fingerprint IOS displays with the CA's own before accepting it
client2(config)#crypto ca authenticate CA
! obtain the router's own certificate (required for rsa-sig, the default ISAKMP authentication);
! an RSA key pair must exist first
client2(config)#crypto key generate rsa
client2(config)#crypto ca enroll CA
! configure the VPN; authentication is left at its default, rsa-sig, so the certificates are used
client2(config)#crypto isakmp policy 10
client2(config-isakmp)#hash md5
client2(config-isakmp)#exit
client2(config)#crypto ipsec transform-set myset esp-des esp-md5-hmac
client2(config-crypto-trans)#exit
client2(config)#crypto map mymap 10 ipsec-isakmp
client2(config-crypto-map)#set peer 172.30.2.2
client2(config-crypto-map)#set transform-set myset
client2(config-crypto-map)#match address 101
client2(config-crypto-map)#exit
client2(config)#access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
! apply the crypto map to the outside interface
client2(config)#interface f0/1
client2(config-if)#crypto map mymap
client2(config-if)#exit
client2(config)#
Configuring the CA server:
Steps to set up Windows Server 2003 as a CA.
To build the CA, proceed as follows:
Step 1: install IIS
Certificate Services on Windows Server 2003 requires IIS, so install it first:
1. Go to Start -> Control Panel -> Add or Remove Programs
2. In Add or Remove Programs, click Add/Remove Windows Components
3. Click Application Server (without ticking its check box) -> choose Details
4. Tick Internet Information Services (IIS)
5. Click Next -> Finish to complete the installation

Step 2: install Certificate Services
1. Go to Start -> Control Panel -> Add or Remove Programs
2. In Add or Remove Programs, click Add/Remove Windows Components
3. Tick the Certificate Services box
4. A message warns that the computer name cannot be changed afterwards -> choose Yes
5. Under CA type -> choose Stand-alone root CA -> Next
6. Under Common name for this CA, enter the name of the computer being set up; in this lab the CA is installed on the machine C0111
7. Leave the default location for the CA database and log files -> click Next
8. After clicking Next, a message asks to stop Internet Information Services -> choose Yes
9. After clicking Yes, the I386 files are requested -> select the folder containing the I386 files -> OK
10. While the installation finishes, a further prompt appears; choose Yes
11. Click Finish to complete the installation

Step 3: with the CA in place, install the SCEP add-on
1. Start the SCEP add-on installer
2. Click Next -> choose Use the local system account
3. Click Next -> untick Require SCEP challenge phrase to enroll (without a challenge phrase, any host that can reach the enrollment URL can request a certificate, which is acceptable only in an isolated lab)
4. Click Next -> choose Yes and fill in the requested information
5. Click Next -> Finish to complete

Verify operation:
For client1:
Client1# show run
Building configuration...
Current configuration : 3484 bytes
!
! Last configuration change at 17:39:57 UTC Tue Apr 1 2008
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname client1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
ip cef
!
ip domain name cisco.com
ip host caserver 172.30.1.2
!
multilink bundle-name authenticated
!
!
voice-card 0
no dspfarm
!
crypto pki trustpoint CA
enrollment mode ra
enrollment url http://172.30.1.2:80/certsrv/mscep/mscep.dll
subject-name cn=client2@vnpro.org
revocation-check none
!
crypto pki certificate chain CA
certificate ca 2AE3AB73C8740484449E6747E831C315
3082035E 30820246 A0030201 0202102A E3AB73C8 74048444 9E6747E8
31C31530
0D06092A 864886F7 0D010105 0500300D 310B3009 06035504 03130243
41301E17
0D303830 34303131 30303733 305A170D 31333034 30313130 31373039
5A300D31
0B300906 03550403 13024341 30820122 300D0609 2A864886 F70D0101
01050003
82010F00 3082010A 02820101 00CBA99B 66BE2E13 686D17E1 78F65707
ED7FC5BB
8B185DFC ACB0528C 98E34EA1 D8740992 3BCA5499 0F4560D0 FC812612
86F32EE4
BE2C9F25 8B1E1559 48105CF4 2BA982F1 25796414 F2B0C807 6E674F3C
26570EE5
6F3B8050 8A9F2B04 950053E5 F5E89D83 3F845E55 B8FC417A 7E928666
93DE60C0
16B17729 AF9D47C2 B2F38BC9 5A0A9BDC 8F082F5D 9E1A1C52 F38E527C
D3675A51
172C6B22 8D50D782 CD7DFF60 0894C803 D4E383E1 59512FFD A94B6A1B
0E20D5FF
19AFDBBA 19557ECE BD6AD9C7 3A291286 6BB769E2 732C4077 4DC8C494
03EC5B28
BD54E9F7 A99FBD6F 1C16D9F5 250F6130 3E84A20A A3DDBB0F 047B83E8
3FE45FE8
088B6F2E 61846DBE 97DD7FAA 73020301 0001A381 B93081B6 300B0603
551D0F04
04030201 86300F06 03551D13 0101FF04 05300301 01FF301D 0603551D
0E041604
14ED3F97 C57AB992 26BAFC48 4E7BD3C9 E85BF544 0A306506 03551D1F
045E305C
305AA058 A0568628 68747470 3A2F2F74 6F2D7A6E 6A6E346F 36726F30
34682F43
65727445 6E726F6C 6C2F4341 2E63726C 862A6669 6C653A2F 2F5C5C74
6F2D7A6E
6A6E346F 36726F30 34685C43 65727445 6E726F6C 6C5C4341 2E63726C
30100609
2B060104 01823715 01040302 0100300D 06092A86 4886F70D 01010505
00038201
01001E07 FB20C734 7FD7D5F4 C2164304 CCBC2F51 3F3D7DBA DBAD3574
C2825357
942BD488 4B83150F 434DC673 164E5819 F508E271 EBF9F4CC 57775094
7C9A1D60
44CE7B0B EC0498CD 96487BF9 8611577C F82DAE85 9FFC14B6 825706BA
0B3B0A9E
C9DA0A44 F02C2657 D3299546 46F9B79B 24005242 23177BA1 B368EA26
9FF33103
5C25436D 89439014 41158A39 D527AEF0 327EDA5B 2D58179B C4845291
7346E26B
D15CEEE0 54FEC609 E6AC91A1 81391F7F C1C89D2A 62DDFFE5 A160B233
ED3AC12D
109FF62E 6A753A64 821EDE52 CB4CEBE2 EBCC9E76 1C67E1E2 771EACBA
1588B9CF
FFD5FEBA 12336A71 8A8FD10C 4FA62140 31476CD7 AAFF8529 E76E9AE8
A0BA5E50 0112

quit
!
!
crypto isakmp policy 10
hash md5
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
!
crypto map mymap 10 ipsec-isakmp
set peer 172.30.3.2
set transform-set myset
match address 150
!
interface FastEthernet0/0
ip address 192.168.1.2 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 172.30.2.2 255.255.255.0
duplex auto
speed auto
crypto map mymap
!
interface Serial0/1/0
no ip address
shutdown
clock rate 2000000
!
ip route 0.0.0.0 0.0.0.0 172.30.2.1
!
ip http server
no ip http secure-server
!
access-list 150 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
control-plane
!
!
line con 0
logging synchronous
line aux 0
line vty 0 4
privilege level 15
no login
!
scheduler allocate 20000 1000
!
end
For client2:
Client2# show run
Building configuration...
Current configuration : 5774 bytes
!
! Last configuration change at 17:23:41 UTC Tue Apr 1 2008
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname client2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip cef
!
ip domain name cisco.com
ip host caserver 172.30.1.2
!
!
voice-card 0
!
crypto pki trustpoint CA
enrollment mode ra
enrollment url http://172.30.1.2:80/certsrv/mscep/mscep.dll
subject-name cn=client1@vnpro.org
revocation-check none
!
crypto pki certificate chain CA
certificate 618FFBFC000000000004
308203C4 308202AC A0030201 02020A61 8FFBFC00 00000000 04300D06
092A8648
86F70D01 01050500 300D310B 30090603 55040313 02434130 1E170D30
38303430
31313031 3031335A 170D3039 30343031 31303230 31335A30 3E312030
1E06092A
864886F7 0D010902 1311636C 69656E74 322E6369 73636F2E 636F6D31
1A301806
03550403 1411636C 69656E74 3140766E 70726F2E 6F726730 5C300D06
092A8648
86F70D01 01010500 034B0030 48024100 A480B3CC 2C27F772 EB3411DB
2E7A8330
F4FBF6BE 235F7BEC AFD201A0 CD47A95F 7F12D3F1 0BF60369 02F58108
2A5EFB2F
6BD89DF6 45ADF27D AE5D40B9 6D53A193 02030100 01A38201 BB308201
B7300B06
03551D0F 04040302 05A0301D 0603551D 0E041604 14CF2761 D9851558
F31FF702
235D9E31 5CEF87CF 71301F06 03551D23 04183016 8014ED3F 97C57AB9
9226BAFC
484E7BD3 C9E85BF5 440A3065 0603551D 1F045E30 5C305AA0 58A05686
28687474
703A2F2F 746F2D7A 6E6A6E34 6F36726F 3034682F 43657274 456E726F
6C6C2F43
412E6372 6C862A66 696C653A 2F2F5C5C 746F2D7A 6E6A6E34 6F36726F
3034685C
43657274 456E726F 6C6C5C43 412E6372 6C30819E 06082B06 01050507
01010481
9130818E 30440608 2B060105 05073002 86386874 74703A2F 2F746F2D
7A6E6A6E
346F3672 6F303468 2F436572 74456E72 6F6C6C2F 746F2D7A 6E6A6E34
6F36726F
3034685F 43412E63 72743046 06082B06 01050507 3002863A 66696C65
3A2F2F5C
5C746F2D 7A6E6A6E 346F3672 6F303468 5C436572 74456E72 6F6C6C5C
746F2D7A
6E6A6E34 6F36726F 3034685F 43412E63 7274301F 0603551D 110101FF
04153013
8211636C 69656E74 322E6369 73636F2E 636F6D30 3F06092B 06010401
82371402
04321E30 00490050 00530045 00430049 006E0074 00650072 006D0065 00640069
00610074 0065004F 00660066 006C0069 006E0065 300D0609 2A864886
F70D0101
05050003 82010100 31B97667 A8E4D0D6 B4F5083D C552F2DD 1E7E08B3
FBC46B10
8D4C4F96 04C77623 BF17A57B 5AE15975 234A64FF 1FBD376B 2D39D4B0
7C2F2187
F4F545AB E8ED233B CA13AB1E 23025DF7 98CD8222 E82E0FB8 72EEA354
FB841224
4A954CC6 598A15B6 45BB7AF6 2B88279F 0F18C771 E18D5C39 AEF719FC
036B19B3
0ADFFEE5 E896497C 520A7D64 B3FFD626 3C54AABD 523459B1 47E59401
AF4415E2
37A80E47 BE957700 392EAD42 EBE82BF2 B03F1875 33D91B6C 5C40FF8E
4C606499
A4B8B173 47CE6653 DA897A58 1C5A8514 699A793F 95147CE5 E4036BC3
FCF0E795
6B758C4D EC6FB390 60AE43B1 393B6CF9 B9D959AB 09B94067 102991D6
69640739
2AEEF189 780A64DF

quit
certificate ca 2AE3AB73C8740484449E6747E831C315
3082035E 30820246 A0030201 0202102A E3AB73C8 74048444 9E6747E8
31C31530
0D06092A 864886F7 0D010105 0500300D 310B3009 06035504 03130243
41301E17
0D303830 34303131 30303733 305A170D 31333034 30313130 31373039
5A300D31
0B300906 03550403 13024341 30820122 300D0609 2A864886 F70D0101
01050003
82010F00 3082010A 02820101 00CBA99B 66BE2E13 686D17E1 78F65707
ED7FC5BB
8B185DFC ACB0528C 98E34EA1 D8740992 3BCA5499 0F4560D0 FC812612
86F32EE4
BE2C9F25 8B1E1559 48105CF4 2BA982F1 25796414 F2B0C807 6E674F3C
26570EE5
6F3B8050 8A9F2B04 950053E5 F5E89D83 3F845E55 B8FC417A 7E928666
93DE60C0
16B17729 AF9D47C2 B2F38BC9 5A0A9BDC 8F082F5D 9E1A1C52 F38E527C
D3675A51
172C6B22 8D50D782 CD7DFF60 0894C803 D4E383E1 59512FFD A94B6A1B
0E20D5FF
19AFDBBA 19557ECE BD6AD9C7 3A291286 6BB769E2 732C4077 4DC8C494
03EC5B28
BD54E9F7 A99FBD6F 1C16D9F5 250F6130 3E84A20A A3DDBB0F 047B83E8
3FE45FE8
088B6F2E 61846DBE 97DD7FAA 73020301 0001A381 B93081B6 300B0603
551D0F04
04030201 86300F06 03551D13 0101FF04 05300301 01FF301D 0603551D
0E041604
14ED3F97 C57AB992 26BAFC48 4E7BD3C9 E85BF544 0A306506 03551D1F
045E305C
305AA058 A0568628 68747470 3A2F2F74 6F2D7A6E 6A6E346F 36726F30
34682F43
65727445 6E726F6C 6C2F4341 2E63726C 862A6669 6C653A2F 2F5C5C74
6F2D7A6E
6A6E346F 36726F30 34685C43 65727445 6E726F6C 6C5C4341 2E63726C
30100609
2B060104 01823715 01040302 0100300D 06092A86 4886F70D 01010505
00038201
01001E07 FB20C734 7FD7D5F4 C2164304 CCBC2F51 3F3D7DBA DBAD3574
C2825357
942BD488 4B83150F 434DC673 164E5819 F508E271 EBF9F4CC 57775094
7C9A1D60
44CE7B0B EC0498CD 96487BF9 8611577C F82DAE85 9FFC14B6 825706BA
0B3B0A9E
C9DA0A44 F02C2657 D3299546 46F9B79B 24005242 23177BA1 B368EA26
9FF33103
5C25436D 89439014 41158A39 D527AEF0 327EDA5B 2D58179B C4845291
7346E26B
D15CEEE0 54FEC609 E6AC91A1 81391F7F C1C89D2A 62DDFFE5 A160B233
ED3AC12D
109FF62E 6A753A64 821EDE52 CB4CEBE2 EBCC9E76 1C67E1E2 771EACBA
1588B9CF
FFD5FEBA 12336A71 8A8FD10C 4FA62140 31476CD7 AAFF8529 E76E9AE8
A0BA5E50 0112

quit
!
!
crypto isakmp policy 10
hash md5
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
!
crypto map mymap 10 ipsec-isakmp
set peer 172.30.2.2
set transform-set myset
match address 150
!
!
interface FastEthernet0/0
ip address 192.168.2.2 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 172.30.3.2 255.255.255.0
duplex auto
speed auto
crypto map mymap
!
interface Serial0/1/0
no ip address
shutdown
no fair-queue
clock rate 2000000
!
ip route 0.0.0.0 0.0.0.0 172.30.3.1
!
!
ip http server
no ip http secure-server
!
access-list 150 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
control-plane
!
!
line con 0
logging synchronous
line aux 0
line vty 0 4
privilege level 15
no login
!
scheduler allocate 20000 1000
end
client2# show crypto ca certificates
Certificate
Status: Available
Certificate Serial Number: 618FFBFC000000000004
Certificate Usage: General Purpose
Issuer:
cn=CA
Subject:
Name: client2.cisco.com
cn=client1@vnpro.org
hostname=client2.cisco.com
CRL Distribution Points:
http://to-znjn4o6ro04h/CertEnroll/CA.crl
Validity Date:
start date: 10:10:13 UTC Apr 1 2008
end date: 10:20:13 UTC Apr 1 2009
Associated Trustpoints: CA
CA Certificate
Status: Available
Certificate Serial Number: 2AE3AB73C8740484449E6747E831C315
Certificate Usage: Signature
Issuer:
cn=CA
Subject:
cn=CA
CRL Distribution Points:
http://to-znjn4o6ro04h/CertEnroll/CA.crl
Validity Date:
start date: 10:07:30 UTC Apr 1 2008
end date: 10:17:09 UTC Apr 1 2013
Associated Trustpoints: CA
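The output of show crypto ca certificates above can be cross-checked offline against the raw certificate that show run printed under crypto pki certificate chain CA. The following Python script is an added example, not part of the report: it takes the hex dump of the CA certificate exactly as it appears in the client1 and client2 running configurations above, parses the DER structure far enough to read the serial number, issuer, subject and validity period, and computes the MD5 and SHA-1 fingerprints, which are the values IOS displays during crypto ca authenticate and which should be compared with the fingerprint read from the CA itself before the CA certificate is accepted. Only the standard library is used, and the Name decoder knows just the common attribute OIDs.

```python
"""Decode a CA certificate from an IOS 'crypto pki certificate chain' dump (added example)."""
import hashlib
import re
from typing import Dict, Iterator, List, Tuple

# CA certificate 2AE3AB73C8740484449E6747E831C315 exactly as printed in the
# running configurations above; only the page-wrapped lines were joined.
CA_CERT_HEX = """
3082035E 30820246 A0030201 0202102A E3AB73C8 74048444 9E6747E8 31C31530
0D06092A 864886F7 0D010105 0500300D 310B3009 06035504 03130243 41301E17
0D303830 34303131 30303733 305A170D 31333034 30313130 31373039 5A300D31
0B300906 03550403 13024341 30820122 300D0609 2A864886 F70D0101 01050003
82010F00 3082010A 02820101 00CBA99B 66BE2E13 686D17E1 78F65707 ED7FC5BB
8B185DFC ACB0528C 98E34EA1 D8740992 3BCA5499 0F4560D0 FC812612 86F32EE4
BE2C9F25 8B1E1559 48105CF4 2BA982F1 25796414 F2B0C807 6E674F3C 26570EE5
6F3B8050 8A9F2B04 950053E5 F5E89D83 3F845E55 B8FC417A 7E928666 93DE60C0
16B17729 AF9D47C2 B2F38BC9 5A0A9BDC 8F082F5D 9E1A1C52 F38E527C D3675A51
172C6B22 8D50D782 CD7DFF60 0894C803 D4E383E1 59512FFD A94B6A1B 0E20D5FF
19AFDBBA 19557ECE BD6AD9C7 3A291286 6BB769E2 732C4077 4DC8C494 03EC5B28
BD54E9F7 A99FBD6F 1C16D9F5 250F6130 3E84A20A A3DDBB0F 047B83E8 3FE45FE8
088B6F2E 61846DBE 97DD7FAA 73020301 0001A381 B93081B6 300B0603 551D0F04
04030201 86300F06 03551D13 0101FF04 05300301 01FF301D 0603551D 0E041604
14ED3F97 C57AB992 26BAFC48 4E7BD3C9 E85BF544 0A306506 03551D1F 045E305C
305AA058 A0568628 68747470 3A2F2F74 6F2D7A6E 6A6E346F 36726F30 34682F43
65727445 6E726F6C 6C2F4341 2E63726C 862A6669 6C653A2F 2F5C5C74 6F2D7A6E
6A6E346F 36726F30 34685C43 65727445 6E726F6C 6C5C4341 2E63726C 30100609
2B060104 01823715 01040302 0100300D 06092A86 4886F70D 01010505 00038201
01001E07 FB20C734 7FD7D5F4 C2164304 CCBC2F51 3F3D7DBA DBAD3574 C2825357
942BD488 4B83150F 434DC673 164E5819 F508E271 EBF9F4CC 57775094 7C9A1D60
44CE7B0B EC0498CD 96487BF9 8611577C F82DAE85 9FFC14B6 825706BA 0B3B0A9E
C9DA0A44 F02C2657 D3299546 46F9B79B 24005242 23177BA1 B368EA26 9FF33103
5C25436D 89439014 41158A39 D527AEF0 327EDA5B 2D58179B C4845291 7346E26B
D15CEEE0 54FEC609 E6AC91A1 81391F7F C1C89D2A 62DDFFE5 A160B233 ED3AC12D
109FF62E 6A753A64 821EDE52 CB4CEBE2 EBCC9E76 1C67E1E2 771EACBA 1588B9CF
FFD5FEBA 12336A71 8A8FD10C 4FA62140 31476CD7 AAFF8529 E76E9AE8 A0BA5E50 0112
"""
OID_NAMES = {b"\x55\x04\x03": "cn", b"\x55\x04\x0a": "o", b"\x55\x04\x0b": "ou", b"\x55\x04\x06": "c"}

def der_from_ios_dump(text: str) -> bytes:
    """Join the whitespace-separated hex words IOS prints and decode them."""
    return bytes.fromhex(re.sub(r"\s+", "", text))

def read_tlv(buf: bytes, pos: int) -> Tuple[int, int, int]:
    """(tag, value_start, value_end) of the definite-length TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: the next N bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def children(buf: bytes, start: int, end: int) -> Iterator[Tuple[int, bytes]]:
    """Yield (tag, value) for each TLV packed between start and end."""
    pos = start
    while pos < end:
        tag, vs, ve = read_tlv(buf, pos)
        yield tag, buf[vs:ve]
        pos = ve

def name_to_str(name: bytes) -> str:
    """Render a DER Name (SEQUENCE of RDN SETs) the way IOS prints it, e.g. 'cn=CA'."""
    parts: List[str] = []
    for _, rdn in children(name, 0, len(name)):
        for _, atv in children(rdn, 0, len(rdn)):           # AttributeTypeAndValue
            oid, value = [v for _, v in children(atv, 0, len(atv))][:2]
            parts.append(f"{OID_NAMES.get(oid, oid.hex())}={value.decode('latin-1')}")
    return ",".join(parts)

def utctime_to_iso(value: str) -> str:
    """UTCTime 'YYMMDDhhmmssZ' -> 'YYYY-MM-DD hh:mm:ss UTC' (RFC 5280 two-digit-year rule;
    GeneralizedTime, used for dates from 2050 on, is not handled here)."""
    yy = int(value[:2])
    year = 1900 + yy if yy >= 50 else 2000 + yy
    return f"{year}-{value[2:4]}-{value[4:6]} {value[6:8]}:{value[8:10]}:{value[10:12]} UTC"

def parse_certificate(der: bytes) -> Dict[str, object]:
    """The tbsCertificate fields needed to compare with 'show crypto ca certificates'."""
    tag, vs, ve = read_tlv(der, 0)                       # Certificate ::= SEQUENCE
    if tag != 0x30 or ve != len(der):
        raise ValueError("not one complete DER certificate (truncated or trailing bytes)")
    _, tbs_start, tbs_end = read_tlv(der, vs)            # tbsCertificate ::= SEQUENCE
    fields = list(children(der, tbs_start, tbs_end))
    idx, version = 0, 1
    if fields[0][0] == 0xA0:                             # EXPLICIT [0] version present
        version, idx = fields[0][1][2] + 1, 1
    validity = [v.decode("ascii") for _, v in children(fields[idx + 3][1], 0, len(fields[idx + 3][1]))]
    return {
        "version": version,
        "serial": fields[idx][1].hex().upper(),
        "issuer": name_to_str(fields[idx + 2][1]),
        "not_before": utctime_to_iso(validity[0]),
        "not_after": utctime_to_iso(validity[1]),
        "subject": name_to_str(fields[idx + 4][1]),
        # the two fingerprints IOS shows during 'crypto ca authenticate'
        "md5_fingerprint": hashlib.md5(der).hexdigest().upper(),
        "sha1_fingerprint": hashlib.sha1(der).hexdigest().upper(),
    }

if __name__ == "__main__":
    for key, val in parse_certificate(der_from_ios_dump(CA_CERT_HEX)).items():
        print(f"{key:17}: {val}")
```

The decoded serial, cn=CA issuer and subject, and the validity window (10:07:30 UTC Apr 1 2008 to 10:17:09 UTC Apr 1 2013) match the show crypto ca certificates output above; the fingerprints are what an administrator reads off the CA (for example from the certsrv web page or certutil on the server) to confirm that the router fetched the genuine CA certificate and not one injected on the path.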
Ping from PC 2 to PC 1 to check connectivity: the result shows that the two PCs can reach each other.
3. DMVPN lab

Steps for the configuration:

Step 1: configure the routers so that they can reach each other
Spoke 1:
Router#config terminal
Router(config)# hostname Spoke1
Spoke1(config)# interface f0/0
Spoke1(config-if)# ip address 172.30.1.1 255.255.255.0
Spoke1(config-if)# no shutdown
Spoke1(config-if)# exit
Spoke1(config)# interface f0/1
Spoke1(config-if)# ip address 192.168.1.1 255.255.255.0
Spoke1(config-if)# no shutdown
Spoke1(config-if)# exit
Spoke1(config)# ip route 0.0.0.0 0.0.0.0 172.30.1.2
Spoke 2:
Router# config terminal
Router(config)# hostname Spoke2
Spoke2(config)# interface f0/0
Spoke2(config-if)# ip address 172.30.3.1 255.255.255.0
Spoke2(config-if)# no shutdown
Spoke2(config-if)# exit
Spoke2(config)# interface f0/1
Spoke2(config-if)# ip address 192.168.2.1 255.255.255.0
Spoke2(config-if)# no shutdown
Spoke2(config-if)# exit
Spoke2(config)# ip route 0.0.0.0 0.0.0.0 172.30.3.2
Hub:
Router#config terminal
Router(config)# hostname Hub
Hub(config)# interface f0/0
Hub(config-if)# ip address 172.30.2.1 255.255.255.0
Hub(config-if)# no shutdown
Hub(config-if)# exit
! Loopback0 stands in for the hub's LAN (192.168.0.0/24); it is the address pinged at the end of the lab
Hub(config)# interface loopback 0
Hub(config-if)# ip address 192.168.0.1 255.255.255.0
Hub(config-if)# no shutdown
Hub(config-if)# exit
Hub(config)# ip route 0.0.0.0 0.0.0.0 172.30.2.2
Configuration for Spoke1
Step 2: configure phase 1 for Spoke1
Spoke1(config)# crypto isakmp enable
Spoke1(config)# crypto isakmp policy 1
Spoke1(config-isakmp)# authentication pre-share
Spoke1(config-isakmp)# hash md5
Spoke1(config-isakmp)# exit
! one pre-shared key for every peer address (0.0.0.0 0.0.0.0): any peer holding the key can negotiate, a lab-only shortcut
Spoke1(config)# crypto isakmp key cisco47 address 0.0.0.0 0.0.0.0
Step 3: configure DMVPN for Spoke1
Spoke1(config)# interface tunnel 0
Spoke1(config-if)# ip address 10.0.0.2 255.255.255.0
Spoke1(config-if)# ip mtu 1400
Spoke1(config-if)# ip nhrp authentication cisco47
! static NHRP mapping of the hub's tunnel address to its NBMA (physical) address, plus multicast to the hub for EIGRP
Spoke1(config-if)# ip nhrp map 10.0.0.1 172.30.2.1
Spoke1(config-if)# ip nhrp map multicast 172.30.2.1
Spoke1(config-if)# ip nhrp holdtime 600
Spoke1(config-if)# ip nhrp nhs 10.0.0.1
Spoke1(config-if)# ip nhrp network-id 100
Spoke1(config-if)# no ip next-hop-self eigrp 1
Spoke1(config-if)# tunnel source f0/0
Spoke1(config-if)# tunnel key 1000
Spoke1(config-if)# tunnel mode gre multipoint
! the IPSec profile named here is created in step 4
Spoke1(config-if)# tunnel protection ipsec profile dmvpn
Spoke1(config-if)# exit
Step 4: configure phase 2 for Spoke1
! esp-des/esp-md5-hmac are what the lab used; both are obsolete and belong only in a lab
Spoke1(config)# crypto ipsec transform-set myset esp-des esp-md5-hmac
Spoke1(config-crypto-trans)# exit
! the profile applied with 'tunnel protection' in step 3; this is what encrypts the mGRE tunnel
Spoke1(config)# crypto ipsec profile dmvpn
Spoke1(ipsec-profile)# set transform-set myset
Spoke1(ipsec-profile)# exit
! the crypto map below is also part of the lab but is never applied to an interface, so it has
! no effect; with tunnel protection it is not needed
Spoke1(config)# crypto map dmvpn local-address f0/0
Spoke1(config)# crypto map dmvpn 10 ipsec-isakmp
Spoke1(config-crypto-map)# set peer 172.30.2.1
Spoke1(config-crypto-map)# set security-association level per-host
Spoke1(config-crypto-map)# set transform-set myset
Spoke1(config-crypto-map)# match address 101
Spoke1(config-crypto-map)# exit
Spoke1(config)# access-list 101 permit gre 172.30.1.0 0.0.0.255 host 172.30.2.1
Step 5: routing with EIGRP
Spoke1(config)# router eigrp 1
Spoke1(config-router)# network 10.0.0.0 0.0.0.255
Spoke1(config-router)# network 192.168.1.0 0.0.0.255
Spoke1(config-router)# no auto-summary
Configuration for Spoke2
Step 2: configure phase 1 for Spoke2
Spoke2(config)# crypto isakmp enable
Spoke2(config)# crypto isakmp policy 1
Spoke2(config-isakmp)# authentication pre-share
Spoke2(config-isakmp)# hash md5
Spoke2(config-isakmp)# exit
Spoke2(config)# crypto isakmp key cisco47 address 0.0.0.0 0.0.0.0
Step 3: configure DMVPN for Spoke2
Spoke2(config)# interface tunnel 0
Spoke2(config-if)# ip address 10.0.0.3 255.255.255.0
Spoke2(config-if)# ip mtu 1400
Spoke2(config-if)# ip nhrp authentication cisco47
Spoke2(config-if)# ip nhrp map 10.0.0.1 172.30.2.1
Spoke2(config-if)# ip nhrp map multicast 172.30.2.1
Spoke2(config-if)# ip nhrp holdtime 600
Spoke2(config-if)# ip nhrp nhs 10.0.0.1
Spoke2(config-if)# ip nhrp network-id 100
Spoke2(config-if)# no ip next-hop-self eigrp 1
Spoke2(config-if)# tunnel source f0/0
Spoke2(config-if)# tunnel key 1000
Spoke2(config-if)# tunnel mode gre multipoint
! the IPSec profile named here is created in step 4
Spoke2(config-if)# tunnel protection ipsec profile dmvpn
Spoke2(config-if)# exit
Step 4: configure phase 2 for Spoke2
Spoke2(config)# crypto ipsec transform-set myset esp-des esp-md5-hmac
Spoke2(config-crypto-trans)# exit
! the profile applied with 'tunnel protection' in step 3; this is what encrypts the mGRE tunnel
Spoke2(config)# crypto ipsec profile dmvpn
Spoke2(ipsec-profile)# set transform-set myset
Spoke2(ipsec-profile)# exit
! the crypto map below is also part of the lab but is never applied to an interface, so it has
! no effect; with tunnel protection it is not needed
Spoke2(config)# crypto map dmvpn local-address f0/0
Spoke2(config)# crypto map dmvpn 10 ipsec-isakmp
Spoke2(config-crypto-map)# set peer 172.30.2.1
Spoke2(config-crypto-map)# set security-association level per-host
Spoke2(config-crypto-map)# set transform-set myset
Spoke2(config-crypto-map)# match address 101
Spoke2(config-crypto-map)# exit
Spoke2(config)# access-list 101 permit gre 172.30.3.0 0.0.0.255 host 172.30.2.1
Step 5: routing with EIGRP
Spoke2(config)# router eigrp 1
Spoke2(config-router)# network 10.0.0.0 0.0.0.255
Spoke2(config-router)# network 192.168.2.0 0.0.0.255
Spoke2(config-router)# no auto-summary
Configuration for the Hub
Hub(config)# crypto isakmp enable
Hub(config)# crypto isakmp policy 1
Hub(config-isakmp)# authentication pre-share
Hub(config-isakmp)# hash md5
Hub(config-isakmp)# exit
Hub(config)# crypto isakmp key cisco47 address 0.0.0.0 0.0.0.0
Hub(config)# crypto ipsec transform-set myset esp-des esp-md5-hmac
Hub(config-crypto-trans)# exit
! create the IPSec profile
Hub(config)# crypto ipsec profile dmvpn
Hub(ipsec-profile)# set transform-set myset
Hub(ipsec-profile)# exit
! configure DMVPN
Hub(config)# interface tunnel 0
Hub(config-if)# ip address 10.0.0.1 255.255.255.0
Hub(config-if)# ip mtu 1400
Hub(config-if)# ip nhrp authentication cisco47
Hub(config-if)# ip nhrp map multicast dynamic
! the network-id is required on the hub too, otherwise NHRP is not enabled on the tunnel; it must match the spokes
Hub(config-if)# ip nhrp network-id 100
Hub(config-if)# ip nhrp holdtime 600
! let EIGRP re-advertise routes learned from one spoke to the others, keeping the originating spoke as next hop
Hub(config-if)# no ip split-horizon eigrp 1
Hub(config-if)# no ip next-hop-self eigrp 1
Hub(config-if)# tunnel source f0/0
Hub(config-if)# tunnel mode gre multipoint
Hub(config-if)# tunnel key 1000
Hub(config-if)# tunnel protection ipsec profile dmvpn
Hub(config-if)# exit
! 192.168.0.0/24 already lives on Loopback0 (step 1); assigning it to f0/1 as well would be
! rejected as an overlapping address, so only f0/0 is configured here
Hub(config)# interface f0/0
Hub(config-if)# ip address 172.30.2.1 255.255.255.0
Hub(config-if)# no shutdown
Hub(config-if)# exit
! routing with EIGRP
Hub(config)# router eigrp 1
Hub(config-router)# network 10.0.0.0 0.0.0.255
Hub(config-router)# network 192.168.0.0 0.0.0.255
Hub(config-router)# no auto-summary
Verify the results
Ping from PC1 to PC2.

Ping from PC1 to 192.168.0.1.
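A consistency check for the hub and spoke tunnel settings above, as an added example that is not part of the report: the Python script below parses Tunnel0 stanzas (constructed from the corrected steps 3 and hub configuration, plus a copy of Spoke1's tunnel typed the way the original lab text had it) and reports the mismatches that most often keep a DMVPN from coming up: different NHRP authentication strings, network IDs, tunnel keys or IPSec profile names, a missing ip nhrp nhs pointing at the hub, a static map that does not agree with the hub's NBMA address, and a missing MTU. The NBMA address of each tunnel source is passed in separately because it lives on the physical interface, not in the tunnel stanza.

```python
"""Cross-check DMVPN tunnel parameters between a hub and its spokes (added example)."""
import re
from typing import Dict, List, Optional

# Tunnel0 stanzas constructed from the lab steps above (not running-config captures).
HUB_TUNNEL = """
 ip address 10.0.0.1 255.255.255.0
 ip mtu 1400
 ip nhrp authentication cisco47
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 ip nhrp holdtime 600
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1000
 tunnel protection ipsec profile dmvpn
"""

SPOKE1_TUNNEL = """
 ip address 10.0.0.2 255.255.255.0
 ip mtu 1400
 ip nhrp authentication cisco47
 ip nhrp map 10.0.0.1 172.30.2.1
 ip nhrp map multicast 172.30.2.1
 ip nhrp holdtime 600
 ip nhrp nhs 10.0.0.1
 ip nhrp network-id 100
 tunnel source FastEthernet0/0
 tunnel key 1000
 tunnel mode gre multipoint
 tunnel protection ipsec profile dmvpn
"""

# The same spoke with the two typos from the original lab text ('ip nhs', 'ip map multicast').
SPOKE1_AS_TYPED = (SPOKE1_TUNNEL.replace(" ip nhrp nhs 10.0.0.1", " ip nhs 10.0.0.1")
                                .replace(" ip nhrp map multicast", " ip map multicast"))


class TunnelConfig:
    """The DMVPN-relevant settings of one mGRE tunnel interface."""

    PATTERNS = [
        (r"^ip address (\S+) \S+$", "tunnel_ip"),
        (r"^ip mtu (\d+)$", "mtu"),
        (r"^ip nhrp authentication (\S+)$", "nhrp_auth"),
        (r"^ip nhrp network-id (\d+)$", "network_id"),
        (r"^tunnel key (\d+)$", "tunnel_key"),
        (r"^tunnel mode (.+)$", "mode"),
        (r"^tunnel protection ipsec profile (\S+)$", "profile"),
    ]

    def __init__(self, name: str, nbma_address: str, stanza: str) -> None:
        self.name = name
        self.nbma = nbma_address                  # address of the 'tunnel source' interface
        self.settings: Dict[str, Optional[str]] = {key: None for _, key in self.PATTERNS}
        self.nhs: List[str] = []                  # 'ip nhrp nhs' entries
        self.maps: Dict[str, str] = {}            # static tunnel-address -> NBMA maps
        for raw in stanza.splitlines():
            self._parse(raw.strip())

    def _parse(self, line: str) -> None:
        m = re.match(r"^ip nhrp nhs (\S+)$", line)
        if m:
            self.nhs.append(m.group(1))
            return
        m = re.match(r"^ip nhrp map (\d+\.\d+\.\d+\.\d+) (\S+)$", line)
        if m:                                      # 'ip nhrp map multicast ...' does not match
            self.maps[m.group(1)] = m.group(2)
            return
        for pattern, key in self.PATTERNS:
            m = re.match(pattern, line)
            if m:
                self.settings[key] = m.group(1)
                return

    def get(self, key: str) -> Optional[str]:
        return self.settings[key]


def check_dmvpn(hub: TunnelConfig, spokes: List[TunnelConfig]) -> List[str]:
    """Return human-readable findings; an empty list means the tunnels agree."""
    findings: List[str] = []
    if hub.get("network_id") is None:
        findings.append("hub: 'ip nhrp network-id' missing, NHRP is not enabled on the tunnel")
    if hub.get("mode") != "gre multipoint":
        findings.append("hub: tunnel mode must be 'gre multipoint'")
    for s in spokes:
        for key in ("nhrp_auth", "network_id", "tunnel_key", "profile"):
            if s.get(key) != hub.get(key):
                findings.append(f"{s.name}: {key} {s.get(key)!r} differs from hub {hub.get(key)!r}")
        if s.get("mode") != "gre multipoint":
            findings.append(f"{s.name}: tunnel mode must be 'gre multipoint'")
        if hub.get("tunnel_ip") not in s.nhs:
            findings.append(f"{s.name}: no 'ip nhrp nhs {hub.get('tunnel_ip')}', the spoke will never register")
        if s.maps.get(hub.get("tunnel_ip")) != hub.nbma:
            findings.append(f"{s.name}: static NHRP map for the hub must point at {hub.nbma}")
        if s.get("mtu") is None:
            findings.append(f"{s.name}: 'ip mtu' not set, GRE+IPSec overhead will fragment packets")
    return findings


if __name__ == "__main__":
    hub = TunnelConfig("Hub", "172.30.2.1", HUB_TUNNEL)
    for label, stanza in (("as corrected", SPOKE1_TUNNEL), ("as typed in the lab", SPOKE1_AS_TYPED)):
        print(label, check_dmvpn(hub, [TunnelConfig("Spoke1", "172.30.1.1", stanza)]) or ["ok"])
```

Run against the corrected stanzas the check returns no findings; run against the stanza as typed in the original lab it reports only the missing ip nhrp nhs, the one typo that actually prevents the spoke from registering with the hub (the mistyped multicast map matters only for EIGRP neighbouring, which the script does not model).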
