
Configuring IPSec/VPN on Cisco Devices

I. Overview of VPN:
Today the Internet has grown rapidly, both as a model and as a technology, to meet the needs of its users. The Internet was designed to interconnect many different networks and to let information reach users freely and quickly, regardless of which machine or network they use. This is done with a special computer called a router, which joins LANs and WANs together. Computers connect to the Internet through an Internet Service Provider (ISP) using a common protocol, TCP/IP. What engineering still has to solve is the transmission capacity of the public telecommunication networks. With the Internet, services such as distance education, online shopping, medical consultation and many others have become reality. However, because the Internet is global in scope and no single organization or government can manage it, securing data and managing services on it is very difficult.

To meet those requirements while still reusing the Internet's existing infrastructure, a new network model was proposed: the Virtual Private Network (VPN). With this model an organization does not have to invest heavily in new infrastructure, yet security and reliability are still ensured and the organization can manage the network as its own. A VPN lets users working at home, on the road or in branch offices connect securely to their organization's servers over infrastructure provided by a public network [5]. It can also secure communication between agents, suppliers and business partners across a wide communication environment. In many respects a VPN resembles a WAN (Wide Area Network); its defining characteristic, however, is that it uses a public network such as the Internet while still providing privacy, at a much lower cost.

1. Definition of VPN:

A VPN is simply understood as the extension of a private network across public networks. Fundamentally, a VPN is a private network that uses a shared network (usually the Internet) to connect sites (separate private networks) or many remote users. Instead of a dedicated physical connection such as a leased line, a VPN uses virtual connections routed over the Internet from the company's private network to its sites or remote employees. To send and receive data over the public network while keeping it safe and confidential, a VPN encrypts the data on the link, creating a secure tunnel between sender and receiver that behaves like a point-to-point connection on a private network. To build such a tunnel, the data must be encrypted or hidden; only the packet header, which carries the routing information, stays visible so that the packet can reach its destination quickly across the public network. The data is encrypted carefully, so packets captured on the public link cannot be read without the decryption key. The link over which data is encrypted and encapsulated is called a VPN connection, and VPN connections are usually called VPN tunnels.

2. Benefits of VPN:
A VPN offers more features than traditional networks and leased-line networks. The main benefits include:
- Lower cost than private networks: a VPN can reduce transmission costs by 20-40% compared with leased-line networks, and reduce remote-access costs by 60-80%.
- Flexibility and economy on the Internet: a VPN is flexible and can scale its network architecture more easily than a classic network, which lets an organization connect or disconnect remote offices, international locations, telecommuters, mobile-phone users and external business partners quickly and cost-effectively as business needs dictate.
- A simpler management burden: the network structure is dynamic, which reduces management effort. Using an Internet backbone eliminates the static PVCs associated with connection-oriented protocols such as Frame Relay and ATM.
- Increased security: important data is hidden from those without access rights and made available only to authorized users.
- Support for the most common network protocols today, such as TCP/IP.
- Protection of IP addresses: because the information sent over the VPN is encrypted, the addresses inside the private network are hidden and only external Internet addresses are used.

3. Components needed to create a VPN connection:

- User Authentication: provides a mechanism to authenticate users, so that only legitimate users can connect to and access the VPN.
- Address Management: assigns the user a valid IP address in the VPN after joining, so that resources on the internal network can be reached.
- Data Encryption: encrypts data in transit to ensure its privacy and integrity.
- Key Management: manages the keys used to encrypt and decrypt data.

4. Main components of a Cisco VPN:
a. Cisco VPN Router: runs Cisco IOS software, with IPSec support for securing the VPN. VPN-optimized routers exist across Cisco's product line, from small to large; they are most effective in mixed WAN networks.
b. Cisco Secure PIX Firewall: offers an alternative VPN gateway when a private group inside the VPN must be secured.
c. Cisco VPN Concentrator series: offers strong remote-access control features and is compatible with site-to-site VPN topologies. It has an easy-to-use management interface and a VPN client.
d. Cisco Secure VPN Client: a VPN client that secures remote access to Cisco routers and PIX Firewalls; it is a program that runs on Windows.
e. Cisco Secure Intrusion Detection System (CSIDS) and Cisco Secure Scanner: typically used to monitor and test for security problems in the VPN.
f. Cisco Secure Policy Manager and CiscoWorks 2000: provide management for large VPN deployments.

5. VPN protocols:
The tunneling mechanisms used to build a VPN's secure tunnel are L2TP, Cisco GRE and IPSec, described below.
a. L2TP:
- Before the L2TP standard appeared (August 1999), Cisco used Layer 2 Forwarding (L2F) as its standard protocol for building VPN connections. L2TP came later, with features integrated from L2F.
- L2TP is a combination of Cisco's L2F and Microsoft's Point-to-Point Tunneling Protocol (PPTP). Microsoft supports both PPTP and L2TP in Windows NT and Windows 2000.
- L2TP is used to build independent, multi-protocol connections for a Virtual Private Dial-up Network (VPDN). L2TP lets users connect under the company's security policies to create a VPN or VPDN as an extension of the corporate internal network. L2TP itself provides no encryption.
- L2TP combines PPP (the Point-to-Point Protocol) with Cisco's L2F (Layer 2 Forwarding), which makes it very effective for dial-up, ADSL and other remote-access networks. This extended protocol uses PPP to give remote users access to the VPN.

b. GRE:
- GRE is a multi-protocol carrier: it encapsulates IP, CLNP and any other packet inside an IP tunnel.
- With a GRE tunnel, the Cisco router at each site wraps the protocol-specific packet in an IP header, creating a virtual point-to-point link to the Cisco router at the far end; when the packet arrives, the outer IP header is removed.
- By joining many subnets running different protocols within an environment that has a single main protocol, GRE tunneling lets the other protocols take advantage of IP routing.

c. IPSec:
- IPSec is the choice for securing a VPN. IPSec is a framework that covers data confidentiality, data integrity and data-origin authentication.
- IPSec provides its security services using IKE (Internet Key Exchange), which negotiates the protocols and algorithms according to the local security policy and generates the encryption and authentication keys used by IPSec.

d. Point to Point Tunneling Protocol (PPTP):
- Used on client machines running Microsoft Windows NT 4.0 and Windows 95 or later. The protocol encrypts LAN traffic, such as NetBEUI and IPX, inside a packet sent over the Internet. PPTP relies on RSA's RC4 cipher with 40-bit or 128-bit keys.
- It was not developed for LAN-to-LAN connections; it is limited to 255 connections per server, with only one VPN tunnel per connection. It is not suited to encrypting large workloads, but it is easy to install and deploy and is a remote-access solution that only works on Microsoft networks. It works well with Windows 2000. Note that L2TP, which provides no encryption of its own, is normally combined with IPSec (L2TP/IPSec) for confidentiality.

6. Establishing a VPN connection:
a. The machine that needs the connection (the VPN client) creates a VPN connection to the server providing the VPN service (the VPN server) over its Internet connection.
b. The VPN server answers the connection.
c. The VPN server authenticates the connection and authorizes it.
d. Data exchange begins between the VPN client and the corporate network.

7. Types of VPN connections:
a. Remote Access VPNs:
Remote Access VPNs allow remote, mobile and telecommuting employees and branch offices to connect to the organization's network resources at any time. In a Remote Access VPN, remote users run VPN client software to reach the corporate intranet through a gateway or a VPN concentrator (which is essentially a server); for this reason the solution is often called client/server. In the traditional solution, users relied on WAN technologies to build tunnels back to their headquarters (HO) network. A fairly new direction in remote access VPN is the wireless VPN, in which an employee reaches the network over a wireless connection: the wireless link first terminates on a wireless terminal and is then carried into the company network. In both cases, client software on the PC initiates the secure connection, also called a tunnel. An important part of this design is the initial authentication step, which ensures that the request really comes from a trusted source. This initial phase is usually based on the company's security policy, which covers procedures, techniques and servers (such as Remote Authentication Dial-In User Service [RADIUS] and Terminal Access Controller Access Control System Plus [TACACS+]).

The main components of the traditional (non-VPN) remote access setup are:
- A Remote Access Server (RAS), located at the central site, which validates and authenticates incoming requests.
- Dial-up connections to the central site, which are costly for users located far from it.
- Staff to configure, maintain and manage the RAS and to support remote users.

Figure 1-2: The non-VPN remote access setup.

- By deploying Remote Access VPNs, remote users and branch offices only need a local connection to an ISP or to the ISP's POP, and reach the organization's resources through the Internet. The Remote Access VPN setup is shown in the following figure:

Figure 1-3: The Remote Access VPN setup

As Figure 1-3 shows, the main advantages of Remote Access VPNs are:
- The RAS and its modem pool are no longer needed.
- Individual user support is no longer needed, because the remote connection is provided by the ISP.
- Long-distance dial-up is eliminated; long-distance connections are replaced by local ones.
- The cost of long-distance connections is reduced.
- Because the connection is local, its speed is higher than that of a direct long-distance connection.
- VPNs give better access to the central site, because they maintain a minimum level of service even when the number of simultaneous connections to the network grows quickly.

Besides these advantages, VPNs also have some drawbacks:
- Remote Access VPNs do not guarantee quality of service.
- The chance of losing data is high; in addition, packet fragments can go astray and be lost.
- Because of the complexity of the encryption algorithms, protocol overhead increases significantly, which slows authentication. In addition, compression of IP and PPP-based data is extremely slow and poor.
- Because data must cross the Internet, exchanging large data such as streaming traffic, video and audio will be very slow.

b. Site-To-Site (LAN-To-LAN):

- Site-to-site VPN (LAN-to-LAN VPN): used to connect the network at one location to the network at another location through a VPN. In this case the initial authentication is performed between the network devices rather than by the end users, and a VPN connection is established between those devices. The devices then act as gateways and ensure that the traffic intended for the other site is forwarded there. VPN-capable routers and firewalls, as well as dedicated VPN concentrators, all provide this function.
- A LAN-to-LAN VPN can be regarded as an intranet VPN or an extranet VPN (from the management-policy point of view). Considered from the authentication point of view, it can be treated as an intranet VPN; otherwise it is treated as an extranet VPN. The strictness of access between sites can be controlled by both (intranet and extranet VPN) for their respective sites. A site-to-site VPN is not a remote access VPN, but it is included here for completeness.
- The distinction between remote access VPN and LAN-to-LAN VPN is only symbolic and is provided mostly for discussion. With newer hardware-based VPN devices (the Cisco 3002 hardware client, for example), both classifications apply, because a hardware-based client may be what accesses the network, even though a network may have many VPN devices in operation. Another example is the extended mode of the EzVPN solution using 806 and 17xx routers.
- A LAN-to-LAN VPN joins two separate networks through a secure tunnel. The tunnel may use PPTP, L2TP or IPSec; the purpose of a LAN-to-LAN VPN is to join two networks that have no other link, without compromising integrity, authentication or data confidentiality. A LAN-to-LAN VPN can be built from a combination of VPN concentrators, routers and firewalls.
- LAN-to-LAN connections are designed to create a direct, efficient network link regardless of the physical distance between the sites. The connection may travel across the Internet or another untrusted network, so security must be ensured by encrypting every packet moving between those networks.

1. Intranet VPNs:

Figure 1-4: The intranet setup using WAN backbone

- Intranet VPNs connect an organization's branch offices to the corporate intranet (backbone router) using campus routers, as shown in the figure above.
- This model is very expensive, because two routers are needed to establish the network; in addition, deploying, maintaining and managing the intranet backbone is costly and depends on the traffic volume it carries and on the geographic extent of the whole intranet.
- To solve this, the expensive WAN backbone is replaced by low-cost Internet connections, which can remove a significant part of the cost of deploying the intranet, as shown in the figure below:

Figure 1-5: The intranet setup based on VPN.

The main advantages of the VPN-based intranet setup in Figure 1-5 are:
- Lower cost, because fewer routers are used than in the WAN backbone model.
- A significantly reduced need for individual user support worldwide, at the stations of the various remote sites.
- Because the Internet acts as the intermediate connection, new peer connections are easy to provide.
- Faster and better connections, because the connection is essentially to the service provider, which removes the long-distance problem and further helps the organization reduce the cost of implementing the intranet.

The main drawbacks of this solution are:
- Because data is still tunneled across the shared public network (the Internet), attacks such as denial-of-service remain a threat to information security.
- The chance of losing data in transit remains high.
- In some cases, especially with high-end data such as multimedia files, data exchange will be very slow because it crosses the Internet.
- Because the connection is Internet-based, performance is not continuous and QoS is not guaranteed.

2. Extranet VPNs:
- Unlike intranet and remote-access-based VPNs, an extranet is not completely isolated from the outside world: it lets business partners who play important roles in the organization, such as customers, suppliers and partners, access the network resources they need.

Figure 1-6: The traditional extranet setup.

- As the figure above shows, the traditional extranet is very expensive, because many separate network segments on the intranet are joined together to form the extranet. This makes it hard to deploy and manage, since there are many networks, and also hard on the individuals who maintain and administer it. Furthermore, the extranet is hard to extend, because doing so disrupts the whole intranet and can affect connections outside the network. Unexpected problems arise when an intranet is connected to an extranet. Designing and deploying an extranet can be a nightmare for network designers and administrators.

Figure 1-7: The Extranet VPN setup

Some advantages of the extranet VPN:
- Because it runs over the Internet, you can choose the vendor and the solution that suit the organization's needs.
- Because part of the Internet connectivity is maintained by the service provider (ISP), the cost of hiring maintenance staff is reduced.
- Easy to deploy, manage and modify.

Some drawbacks of the extranet VPN:
- Security threats, such as denial-of-service attacks, still exist for the organization on the extranet.
- The risk of intrusion into the organization increases.
- Because it is Internet-based, exchanging high-end data is slow.
- Because it is Internet-based, QoS (Quality of Service) is not consistently guaranteed.

II. Understanding the IPSec Protocol:

- The term IPSec is an abbreviation of Internet Protocol Security. It refers to a set of protocols (AH, ESP and others) developed by the Internet Engineering Task Force (IETF), together with related standards such as FIPS 140-1. The main purpose of IPSec is to provide a security mechanism at layer 3 (the Network layer) of the OSI model, as in Figure 6-1.

Figure 6-1: The position of IPSec in the OSI model.

- All communication in an IP-based network relies on the IP protocol. Therefore, when a strong security mechanism is integrated with IP, the whole network is secured, because all communication passes through layer 3. (That is why IPSec was developed as a layer 3 protocol rather than at layer 2.)
- An IPSec VPN uses the services defined in IPSec to ensure the integrity, consistency, confidentiality and authenticity of data transmitted over a public network infrastructure.
- In addition, with IPSec all applications running at the application layer of the OSI model are independent of layer 3 when data is routed from source to destination. Because IPSec is tightly integrated with IP, applications can inherit its security services without any major change. Like IP, IPSec is transparent to the end user, who does not need to care about the extended security mechanism running continuously behind a sequence of operations.
- IPSec works on a peer-to-peer model rather than a client/server model. A Security Association (SA) is an agreement between two parties that governs the exchanges between the two communicating peers. Each peer (a device or a piece of software) must agree on policies or rules by negotiating those policies with its prospective partner. There are two kinds of SA: ISAKMP SAs (also known as IKE SAs) and IPSec SAs.
- Security Associations (SAs) are a fundamental concept of the IPSec protocol suite. An SA is a logical, one-way connection between two entities using IPSec services. An SA includes:
o The authentication protocols, keys and algorithms: the mode and keys for the authentication algorithms used by the Authentication Header (AH) or Encapsulating Security Payload (ESP) protocols of the IPSec suite.
o The encryption and decryption algorithm and its keys.
o Key-related information, such as the key change or refresh interval.
o Information about the SA itself, including the SA source address and its lifetime.
o The use and size of any cryptographic synchronization (initialization vector) employed, if any.

Figure 6-2: A generic representation of the three fields of an IPSec SA.

As Figure 6-2 shows, an IPSec SA has three fields:
- SPI (Security Parameter Index). A 32-bit value that, together with the destination address and the security protocol, identifies the SA. The SPI is carried in the header of the security protocol (AH or ESP) and is usually chosen by the destination system during SA negotiation.
- Destination IP address. The IP address of the destination node. Although it could be a broadcast, unicast or multicast address, the current SA management mechanism is defined only for unicast systems.
- Security protocol. Describes the IPSec security protocol, which can be AH or ESP.
- Note: broadcasts are meant for all systems in the same network or subnet; multicasts go to many (but not all) nodes of a given network or subnet; a unicast is meant for a single chosen node.

Because an SA is one-way, two SAs must be defined for each pair of communicating endpoints, one per direction. In addition, an SA provides security services for a VPN session protected by either AH or ESP. Therefore, if a session needs to be doubly protected by both AH and ESP, two SAs must be defined for each direction. Such a set of SAs is called an SA bundle.

An IPSec SA uses two databases. The Security Association Database (SAD) holds the information related to each SA: the algorithm and key, the SA lifetime and the sequence number. The second database, the Security Policy Database (SPD), holds the security services attached to an ordered list of policy entries for inbound and outbound traffic. Like firewall rules and packet filters, these entries define which traffic is processed and which is dropped according to the IPSec standards.

The IPSec suite offers three main capabilities:
- Authentication and data integrity. IPSec provides a strong mechanism for verifying the authenticity of the sender and for the receiver to detect any unauthorized modification of the packet contents. The IPSec protocols offer strong protection against spoofing, sniffing and denial-of-service attacks.
- Confidentiality. The IPSec protocols encrypt data using advanced encryption techniques, which prevents unauthenticated parties from reading the data in transit. IPSec also uses tunneling to hide the IP addresses of the source node (sender) and destination node (receiver) from eavesdroppers.

- Key management. IPSec uses a third protocol, Internet Key Exchange (IKE), to negotiate the security protocols and encryption algorithms before and during a session. Equally important, IPSec distributes and checks the cryptographic keys and updates them when required.
- The first two features of the IPSec suite, authentication and data integrity, and confidentiality, are provided by its two main protocols: the Authentication Header (AH) and the Encapsulating Security Payload (ESP).
- The third feature, key management, belongs to a separate protocol that the IPSec suite adopted because it is a strong key-management service: IKE.
- IPSec SAs are currently deployed in two modes, Transport mode and Tunnel mode, shown in Figure 6-7. Both AH and ESP can work in either mode.

Figure 6-7: The two IPSec modes.
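The SAD and SPD described above can be made concrete with a small model. The following Python is an added example written for this page; it is not code from the original document or from Cisco IOS. The gateway addresses (203.0.113.1 and 198.51.100.1), the subnets, SPIs, keys and the byte lifetime are constructed sample values. It shows the three-part SA key, one SA per direction, an ESP+AH bundle, first-match SPD evaluation, and the inbound anti-replay window that the SAD's sequence number supports:

```python
# Added example, not part of the original document or of any Cisco product:
# a minimal model of the SAD and SPD described above. The gateway addresses,
# subnets, SPIs, keys and lifetime below are constructed sample values.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ESP, AH = 50, 51          # IP protocol numbers of the two IPSec security protocols


@dataclass
class SA:
    """One unidirectional SA, looked up by the triple (SPI, destination, protocol)."""
    spi: int
    dst: str
    proto: int            # ESP or AH
    key: bytes
    lifetime_bytes: int   # hard byte lifetime; a real stack also keeps a time lifetime
    bytes_used: int = 0
    seq: int = 0          # outbound sequence counter
    replay_top: int = 0   # inbound: highest sequence number accepted so far
    replay_bits: int = 0  # inbound: bitmap of the 64 sequence numbers below replay_top

    def next_seq(self, length: int) -> int:
        """Outbound: count bytes against the lifetime and hand out the next sequence number."""
        if self.bytes_used + length > self.lifetime_bytes:
            raise RuntimeError("SA lifetime exhausted: a new SA must be negotiated by IKE")
        self.bytes_used += length
        self.seq += 1
        return self.seq

    def check_replay(self, seq: int, window: int = 64) -> bool:
        """Inbound anti-replay check (RFC 4303 sliding window); False means drop the packet."""
        if seq == 0:                              # sequence numbers start at 1
            return False
        if seq > self.replay_top:                 # newer than anything seen: slide the window
            shift = seq - self.replay_top
            self.replay_bits = ((self.replay_bits << shift) | 1) & ((1 << window) - 1)
            self.replay_top = seq
            return True
        offset = self.replay_top - seq
        if offset >= window:                      # older than the window: stale
            return False
        if self.replay_bits & (1 << offset):      # already received: replay
            return False
        self.replay_bits |= 1 << offset           # late but new: accept once
        return True


@dataclass
class SPDEntry:
    src_net: str
    dst_net: str
    action: str           # PROTECT, BYPASS or DISCARD
    bundle: tuple = ()    # for PROTECT: SAD keys in the order they are applied (innermost first)


class IPsecDatabases:
    def __init__(self) -> None:
        self.sad: dict = {}          # (spi, dst, proto) -> SA
        self.spd: list = []          # ordered; first matching entry wins, like an access list

    def add_sa(self, sa: SA) -> None:
        self.sad[(sa.spi, sa.dst, sa.proto)] = sa

    def outbound(self, src: str, dst: str):
        """Classify an outgoing packet: returns (action, [SA, ...]); no match means DISCARD."""
        for entry in self.spd:
            if ip_address(src) in ip_network(entry.src_net) and ip_address(dst) in ip_network(entry.dst_net):
                return entry.action, [self.sad[k] for k in entry.bundle]
        return "DISCARD", []

    def inbound(self, spi: int, dst: str, proto: int) -> Optional[SA]:
        """An arriving AH/ESP packet is matched to its SA by SPI, outer destination and protocol."""
        return self.sad.get((spi, dst, proto))


def build_demo() -> IPsecDatabases:
    """Gateway A (203.0.113.1, subnet 10.1.0.0/16) and gateway B (198.51.100.1, subnet 10.2.0.0/16).
    Traffic between the two subnets is protected by an ESP+AH bundle, so four SAs exist:
    two per direction. Local traffic bypasses IPSec; anything else is discarded."""
    db = IPsecDatabases()
    for spi, dst in ((0x1001, "198.51.100.1"), (0x2001, "203.0.113.1")):
        db.add_sa(SA(spi, dst, ESP, b"\x11" * 32, lifetime_bytes=4_608_000))
        db.add_sa(SA(spi + 1, dst, AH, b"\x22" * 32, lifetime_bytes=4_608_000))
    db.spd.append(SPDEntry("10.1.0.0/16", "10.2.0.0/16", "PROTECT",
                           ((0x1001, "198.51.100.1", ESP), (0x1002, "198.51.100.1", AH))))
    db.spd.append(SPDEntry("10.1.0.0/16", "10.1.0.0/16", "BYPASS"))
    return db
```

Calling build_demo() and then outbound("10.1.0.5", "10.2.0.9") returns PROTECT with the ESP SA first and the AH SA second, which is the order the gateway applies them; a packet to an address not covered by any entry is discarded rather than sent in the clear, which is the safe default the SPD gives you.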

Transport Mode:
- Transport mode protects the upper-layer protocols and applications. In transport mode the IPSec header is inserted between the IP header and the upper-layer protocol header, as shown in the figure below: AH or ESP is placed after the original IP header. Thus only the IP payload is encrypted and the original IP header is left intact. Transport mode can be used when both hosts support IPSec. Its advantage is that it adds only a few bytes to each packet and still lets devices on the network see the final destination of the packet, which allows special processing on intermediate networks based on the information in the IP header. However, the layer 4 information is encrypted, which limits inspection of the packet.

Figure 6-8: IPSec Transport mode, a generic representation.

Figure 6-9: AH Transport mode.

Figure 6-10: ESP Transport mode.

- Transport mode omits the processing of an extra header, so it is faster. However, it is less effective with ESP, because ESP in this mode neither authenticates nor encrypts the IP header.

Tunnel Mode:
- Unlike transport mode, tunnel mode protects the entire datagram. The whole IP packet is encapsulated in another IP packet, and an IPSec header is inserted between the original header and the new IP header. The entire original IP packet is encapsulated by AH or ESP and a new IP header is wrapped around it; the whole original packet is encrypted and becomes the payload of the new IP packet. This mode lets network devices such as routers act as IPSec proxies that perform encryption on behalf of the hosts: the source router encrypts the packets and forwards them through the tunnel, and the destination router decrypts the original IP packet and forwards it to the end system. The new header therefore has the gateway as its source address.
- With the tunnel running between two security gateways, the original source and destination addresses can be encrypted. Tunnel mode is used when at least one end of the IPSec connection is a security gateway and the real destination addresses behind the gateways do not support IPSec.

Figure 6-11: IPSec Tunnel mode, a generic representation.

- In AH tunnel mode, the new header (AH) is inserted between the new IP header and the original header, as shown below.

Figure 6-12: AH Tunnel mode.
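The two encapsulations in Figures 6-8 through 6-13 are easiest to see in working code. The following Python is an added example written for this page, not code from the original document or from Cisco IOS. It builds a real ESP packet layout (RFC 4303: SPI, sequence number, IV, encrypted payload, padding, pad length, next header, ICV) in both transport and tunnel mode, using only the standard library; the cipher is a stand-in keystream derived with HMAC-SHA256 in counter mode rather than AES, so the byte layout and the mode difference are real but the encryption is not what a router would use. The addresses 10.1.0.5, 10.2.0.9, 203.0.113.1 and 198.51.100.1, the keys and the UDP datagram are constructed sample values:

```python
# Added example, not part of the original document or of Cisco IOS: ESP (RFC 4303)
# encapsulation and decapsulation in transport and tunnel mode, standard library only.
# The cipher is a stand-in (HMAC-SHA256 keystream in counter mode instead of AES);
# the ESP layout, padding, next-header byte, ICV and the two modes are the real ones.
# Addresses, keys and the UDP datagram are constructed sample values.
import hashlib
import hmac
import os
import struct
from ipaddress import ip_address

ESP, IPIP, UDP = 50, 4, 17
ICV_LEN = 16                 # ICV truncated to 128 bits, as with AES-GCM or HMAC-SHA-256-128


def ip_checksum(hdr: bytes) -> int:
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    s = (s >> 16) + (s & 0xFFFF)
    s += s >> 16
    return (~s) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options, no fragmentation)."""
    h = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                    ip_address(src).packed, ip_address(dst).packed)
    return h[:10] + struct.pack("!H", ip_checksum(h)) + h[12:]


def parse_ipv4(pkt: bytes):
    """Return (header fields, payload); raises on a malformed header."""
    ver_ihl, _, total, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl != 0x45 or ip_checksum(pkt[:20]) != 0 or total > len(pkt):
        raise ValueError("malformed IPv4 header")
    fields = {"src": str(ip_address(src)), "dst": str(ip_address(dst)), "proto": proto, "ttl": ttl}
    return fields, pkt[20:total]


def _keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """PRF in counter mode; stand-in for the AES keystream a real ESP SA would use."""
    blocks = [hmac.new(key, iv + struct.pack("!I", c), hashlib.sha256).digest() for c in range((n + 31) // 32)]
    return b"".join(blocks)[:n]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def esp_encapsulate(sa: dict, packet: bytes, mode: str) -> bytes:
    """sa = dict(spi, seq, enc_key, auth_key, gw_src, gw_dst); mode = 'transport' or 'tunnel'."""
    inner, payload = parse_ipv4(packet)
    if mode == "transport":
        plaintext, next_hdr = payload, inner["proto"]    # only the L4 payload is protected
        src, dst = inner["src"], inner["dst"]            # original addresses stay visible
    else:
        plaintext, next_hdr = packet, IPIP                # the whole original packet is protected
        src, dst = sa["gw_src"], sa["gw_dst"]            # new outer header, gateway to gateway
    pad_len = (-(len(plaintext) + 2)) % 4                # pad so the trailer ends on a 4-byte boundary
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_hdr])   # default padding 1,2,3,...
    sa["seq"] += 1                                       # monotonically increasing, never reused per SA
    iv = os.urandom(8)
    body = plaintext + trailer
    esp = struct.pack("!II", sa["spi"], sa["seq"]) + iv + _xor(body, _keystream(sa["enc_key"], iv, len(body)))
    esp += hmac.new(sa["auth_key"], esp, hashlib.sha256).digest()[:ICV_LEN]   # ICV covers SPI..trailer
    return ipv4_header(src, dst, ESP, len(esp)) + esp


def esp_decapsulate(sa: dict, packet: bytes, mode: str) -> bytes:
    outer, esp = parse_ipv4(packet)
    if outer["proto"] != ESP:
        raise ValueError("not an ESP packet")
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(sa["auth_key"], body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):           # verify integrity before decrypting anything
        raise ValueError("ESP ICV check failed: packet modified or wrong key")
    spi, seq = struct.unpack("!II", body[:8])
    if spi != sa["spi"]:
        raise ValueError("SPI does not match this SA")
    iv, ct = body[8:16], body[16:]
    pt = _xor(ct, _keystream(sa["enc_key"], iv, len(ct)))
    pad_len, next_hdr = pt[-2], pt[-1]
    data = pt[:len(pt) - 2 - pad_len]
    if mode == "transport":                              # restore the inner header's real protocol
        return ipv4_header(outer["src"], outer["dst"], next_hdr, len(data), outer["ttl"]) + data
    if next_hdr != IPIP:
        raise ValueError("tunnel-mode payload is not an IP packet")
    return data                                          # the original packet, addresses and all


def demo():
    """Constructed sample: 10.1.0.5 sends a UDP datagram to 10.2.0.9 through gateways
    203.0.113.1 and 198.51.100.1; returns (original, transport-mode, tunnel-mode, sa)."""
    udp = struct.pack("!HHHH", 40000, 500, 8 + 5, 0) + b"hello"
    original = ipv4_header("10.1.0.5", "10.2.0.9", UDP, len(udp)) + udp
    sa = dict(spi=0x1001, seq=0, enc_key=b"\x11" * 32, auth_key=b"\x22" * 32,
              gw_src="203.0.113.1", gw_dst="198.51.100.1")
    return original, esp_encapsulate(sa, original, "transport"), esp_encapsulate(sa, original, "tunnel"), sa
```

Running demo() shows the point of the two figures: the transport-mode packet still carries 10.1.0.5 and 10.2.0.9 in its outer header with protocol 50, while the tunnel-mode packet carries only the gateway addresses and is 20 bytes longer because the whole inner header is inside the ciphertext. Decapsulation checks the ICV before touching the ciphertext, so a modified packet is rejected rather than decrypted into garbage.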

Figure 6-13: ESP Tunnel mode.

- An IKE SA is bidirectional and provides a secure communication channel between the two parties. Bidirectional means that once it is established, either party can initiate Quick Mode, Informational and New Group Mode exchanges. An IKE SA is identified by the initiator's cookie followed by the responder's cookie. The order of the cookies established in Phase 1 continues to identify the IKE SA regardless of the direction of later exchanges. The main function of IKE is to establish and maintain SAs. The following attributes are the minimum that must be agreed between the two parties as part of an ISAKMP (Internet Security Association and Key Management Protocol) SA:
o The encryption algorithm
o The hash algorithm to use
o The authentication method to use
o Information about the Diffie-Hellman (DH) group and algorithm
- IKE performs negotiation, authentication, key management and key exchange. IKE negotiates an agreement between the two IPSec endpoints, after which the SA tracks all the parameters of an IPSec session. After a successful negotiation, the agreed SA parameters are stored in the SA database.
- The main advantages of IKE: IKE is not a stand-alone technology, so it can be used with any security mechanism. Although not fast, IKE is very efficient, because a large number of security associations can be negotiated with only a few messages.

IKE Phases
- Phase I and Phase II are the two phases that make up an IKE-based session; Figure 6-14 shows their common characteristics. In an IKE session it is assumed that a secure channel has already been established. This secure channel must be established before any negotiation takes place.

Figure 6-14: The two IKE phases, Phase I and Phase II.

IKE Phase I
- Phase I of IKE first authenticates the communicating peers and then establishes a secure channel for setting up SAs. Next, the peers negotiate a mutually agreed ISAKMP SA, including the encryption algorithms, hash functions and authentication methods that protect the keys.
- After the encryption and hash mechanisms have been agreed, a shared secret key is generated. The following information is used to generate the secret key:
o The Diffie-Hellman values
o The SPI of the ISAKMP SA, in the form of cookies
o Random numbers known as nonces (used for signing purposes)
- If the two parties agree to use public-key-based authentication, they also need to exchange IDs. After exchanging the necessary information, both parties generate their own keyrings from the shared secret. In this way the encryption keys are generated without ever exchanging a key over the network.

IKE Phase II
- While Phase I negotiates the SA for ISAKMP, Phase II handles the establishment of SAs for IPSec. In this phase, SAs for the various services are negotiated. The authentication mechanism, hash function and encryption algorithm that protect the subsequent IPSec packets (using AH and ESP) are negotiated as part of the Phase II SA.
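The Phase I statement that keys are generated from the Diffie-Hellman values, the cookies and the nonces "without ever exchanging a key over the network" is exactly the RFC 2409 derivation, and it is short enough to show. The following Python is an added example written for this page, not code from the original document or from Cisco; it uses only the standard library. It implements the pre-shared-key variant of IKEv1 Phase I key derivation (SKEYID, SKEYID_d, SKEYID_a, SKEYID_e) over Oakley group 2 and the HASH_I value the initiator sends in the last Main Mode messages, with HMAC-SHA1 as the prf. The peer identity, the SA payload body and the pre-shared keys are constructed sample values:

```python
# Added example, not part of the original document or of Cisco IOS: IKEv1 Phase I
# key derivation (RFC 2409 section 5, pre-shared key authentication) over Oakley
# group 2, standard library only. Cookies, nonces, PSKs, the identity string and
# the SA payload body are constructed sample values.
import hashlib
import hmac
import secrets

# Oakley group 2: the 1024-bit MODP prime from RFC 2409 section 6.2, generator 2
G2_PRIME = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G2_GEN = 2


def prf(key: bytes, data: bytes) -> bytes:
    """The negotiated prf; IKEv1 uses HMAC with the negotiated hash, here SHA-1."""
    return hmac.new(key, data, hashlib.sha1).digest()


def derive_keys(psk: bytes, ni: bytes, nr: bytes, gxy: bytes, cky_i: bytes, cky_r: bytes):
    """SKEYID and the three keys derived from it; gxy is the DH shared secret as bytes."""
    skeyid = prf(psk, ni + nr)                                           # pre-shared key method
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")               # seeds the Phase II (IPSec) keys
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")    # authenticates IKE messages
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")    # encrypts IKE messages
    return skeyid, skeyid_d, skeyid_a, skeyid_e


class Peer:
    def __init__(self, psk: bytes) -> None:
        self.psk = psk
        self.cookie = secrets.token_bytes(8)              # ISAKMP cookie; the pair identifies the IKE SA
        self.nonce = secrets.token_bytes(16)              # Ni or Nr, sent in clear
        self.x = secrets.randbelow(G2_PRIME - 2) + 1      # private DH exponent, never leaves this peer
        self.gx = pow(G2_GEN, self.x, G2_PRIME)           # public DH value, sent in clear

    def keys(self, peer_gx: int, ni: bytes, nr: bytes, cky_i: bytes, cky_r: bytes):
        gxy = pow(peer_gx, self.x, G2_PRIME).to_bytes(128, "big")   # shared secret, computed locally
        return derive_keys(self.psk, ni, nr, gxy, cky_i, cky_r)


def hash_i(skeyid: bytes, gxi: int, gxr: int, cky_i: bytes, cky_r: bytes, sa_body: bytes, id_i: bytes) -> bytes:
    """HASH_I: the initiator's proof that it derived the same SKEYID (RFC 2409 section 5)."""
    return prf(skeyid, gxi.to_bytes(128, "big") + gxr.to_bytes(128, "big") + cky_i + cky_r + sa_body + id_i)


def phase1(psk_i: bytes, psk_r: bytes):
    """Simulate the Main Mode content: messages 1-2 carry cookies and the SA proposal,
    3-4 carry g^x and the nonces, 5-6 carry the IDs and HASH_I/HASH_R. Returns
    (responder accepts HASH_I, initiator keys, responder keys)."""
    i, r = Peer(psk_i), Peer(psk_r)
    sa_body = b"3DES-SHA1-PSK-GROUP2"        # constructed stand-in for the SA payload body
    id_i = b"initiator@example.com"           # constructed ID payload of the initiator
    k_i = i.keys(r.gx, i.nonce, r.nonce, i.cookie, r.cookie)
    k_r = r.keys(i.gx, i.nonce, r.nonce, i.cookie, r.cookie)
    sent = hash_i(k_i[0], i.gx, r.gx, i.cookie, r.cookie, sa_body, id_i)
    expected = hash_i(k_r[0], i.gx, r.gx, i.cookie, r.cookie, sa_body, id_i)
    return hmac.compare_digest(sent, expected), k_i, k_r
```

Everything an eavesdropper sees (cookies, nonces, g^xi, g^xr, the SA proposal) goes into the derivation, but the result depends on the DH secret and the pre-shared key that never cross the wire. phase1(b"cisco123", b"cisco123") yields identical key sets on both sides and an accepted HASH_I; a mismatched PSK yields different keys and a rejected HASH_I, which is the "authentication failed" the Informational mode described later would report.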

- Phase II negotiation happens more often than Phase I; typically the negotiation can repeat after 4-5 minutes. Changing the keys frequently prevents attackers from breaking the keys and then the contents of the packets.
- In general, one Phase II session corresponds to one Phase I session. However, several Phase II exchanges can also be supported by a single Phase I instance, which makes the otherwise slow IKE transaction relatively faster.
- Oakley is one of the protocols on which IKE is based. Oakley in turn defines the four common IKE modes.

IKE Modes
The four commonly deployed IKE modes are:
o Main mode
o Aggressive mode
o Quick mode
o New Group mode

Main Mode
- Main mode authenticates and protects the identities of the parties involved in the transaction. In this mode, six messages are exchanged between the peers. The first two messages negotiate the security policy for the exchange. The next two exchange the Diffie-Hellman public values and the nonces; these keys later play an important role in the encryption mechanism. The last two messages authenticate the peers with the help of signatures, hash functions and, optionally, certificates. Figure 6-15 shows the exchange in IKE Main mode.

Aggressive Mode
- Aggressive mode is essentially the same as Main mode. The only difference is that instead of six messages, only three are exchanged, so Aggressive mode is faster than Main mode. The messages are: the first proposes the security policy, passes the data for the master key and exchanges the nonces for later signing and verification; the second answers with the received information and completes the security policy with the keys; the last authenticates the sender (the initiator of the session).

Figure 6-16: Message exchange in IKE Aggressive mode.

Both Main mode and Aggressive mode belong to Phase I.

Quick Mode
- The third IKE mode, Quick mode, is the Phase II mode. It is used to negotiate SAs for the IPSec security services. Quick mode can also generate new keying material. If Perfect Forward Secrecy (PFS) was negotiated in Phase I, a complete new Diffie-Hellman key exchange is initiated; otherwise the new key is generated from hash values.

Figure 6-17: Message exchange in IKE Quick mode, which belongs to Phase II.

New Group Mode
- New Group mode is used to negotiate a new private group to make the Diffie-Hellman key exchange easier. Figure 6-18 shows New Group mode. Although this mode runs after Phase I, it does not belong to Phase II.

Figure 6-18: Message exchange in IKE New Group mode.

- Besides the four common IKE modes above, there is also an Informational mode. This mode is associated with the Phase II exchange and the SAs. It gives the parties involved additional information arising from failures during negotiation. For example, if decryption fails at the receiver or a signature cannot be verified, Informational mode is used to notify the other party.

III. Overview of the Cisco IOS Operating System:
1. System architecture:

- Gi ng nh l 1 my tnh, router c 1 CPU c kh nng x l cc cu l nh d a trn n n t ng c a router. Hai v d v b x l m Cisco dng l Motorola 68030 v Orion/R4600. Ph n m m Cisco IOS ch y trn Router i h i CPU hay b vi x l gi i quy t vi c nh tuy n v b c c u, qu n l b ng nh tuy n v m t vi ch c nng khc c a h th ng. CPU ph i truy c p vo d li u trong b nh gi i quy t cc v n hay l y cc cu l nh. - C 4 lo i b nh th ng dng trn m t Router c a Cisco l - ROM : l b nh t ng qut trn m t con chip ho c nhi u con. N cn c th n m trn b ng m ch b vi x l c a router. N ch c ngh a l d li u khng th ghi ln trn n. Ph n m m u tin ch y trn m t router Cisco c g i l bootstrap software v th ng c lu trong ROM. Bootstrap software c g i khi router kh i ng. - Flash : b nh Flash n m trn b ng m ch SIMM nhng n c th c m r ng b ng cch s d ng th PCMCIA (c th tho r i). B nh flash h u h t c s d ng lu tr m t hay nhi u b n sao c a ph n m m Cisco IOS. Cc file c u hnh hay thng tin h th ng cng c th c sao chp ln flash. vi h th ng g n y, b nh flash cn c s d ng gi bootstrap software. - Flash memory ch a Cisco IOS software image. i v i m t s lo i, Flash memory c th ch a cc file c u hnh hay boot image. Ty theo lo i m Flash memory c th l EPROMs, single in-line memory (SIMM) module hay Flash memory card: - Internal Flash memory: o Internal Flash memory th ng ch a system image. o M t s lo i router c t 2 Flash memory tr ln d i d ng single in-line memory modules (SIMM). N u nh SIMM c 2 bank th c g i l dual-bank Flash memory. Cc bank ny c th c phn thnh nhi u ph n logic nh

- Bootflash: o Bootflash th ng ch a boot image. o Bootflash i khi ch a ROM Monitor. - Flash memory PC card hay PCMCIA card: - Flash memory card dng g n vo Personal Computer Memory Card ch a system image,

- International Association (PCMCIA) slot. Card ny dng boot image v file c u hnh. - Cc lo i router sau c PCMCIA slot: o Cisco 1600 series router: 01 PCMCIA slot. o Cisco 3600 series router: 02 PCMCIA slots.

o Cisco 7200 series Network Processing Engine (NPE): 02 PCMCIA slots o Cisco 7000 RSP700 card v 7500 series Route Switch Processor (RSP) card ch a 02 PCMCIA slots. - RAM : l b nh r t nhanh nhng n lm m t thng tin khi h th ng kh i ng l i. N c s d ng trong my PC lu cc ng d ng ang ch y v d li u. Trn router, RAM c s gi cc b ng c a h i u hnh IOS v lm b m. RAM l b nh c b n c s d ng cho nhu c u lu tr cc h i u hnh - ROM monitor, cung c p giao di n cho ng i s dung khi router khng tm th y cc file image khng ph h p. - Boot image, gip router boot khi khng tm th y IOS image h p l trn flash memory. - NVRAM : Trn router, NVRAM c s d ng lu tr c u hnh kh i ng. y l file c u hnh m IOS c khi router kh i ng. N l b nh c c k nhanh v lin t c khi kh i ng l i. - M c d CPU v b nh i h i m t s thnh ph n ch y h i u hnh IOS, router c n ph i c cc interface khc nhau cho php chuy n ti p cc packet. Cc interface nh n vo v xu t ra cc k t n i n router mang theo d li u c n thi t n router hay switch. Cc lo i interface th ng dng l Ethernet v Serial. Tng t nh l cc ph n m m driver trn my tnh v i c ng parallel v c ng USB, IOS cng c cc driver c a thi t b h tr cho cc lo i interface khc nhau.

- All Cisco routers have a console port that provides an asynchronous EIA/TIA-232 serial connection. The console port can be connected to a computer over a serial connection to get terminal access to the router. Most routers also have an auxiliary port; it is similar to the console port but is typically used for a modem connection to manage the router remotely.
- Example: the console screen of a 3640 router at startup. Note the processor, the interfaces and the memory information listed:

Cisco 3640 Router Console Output at Startup

System Bootstrap, Version 11.1(20)AA2, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
Copyright (c) 1999 by Cisco Systems, Inc.
C3600 processor with 98304 Kbytes of main memory
Main memory is configured to 64 bit mode with parity disabled
program load complete, entry point: 0x80008000, size: 0xa8d168
Self decompressing the image : ################################################################## ################################################### [OK]

Restricted Rights Legend
Use, duplication, or disclosure by the Government is subject to restrictions as set forth in subparagraph (c) of the Commercial Computer Software Restricted Rights clause at FAR sec. 52.227-19 and subparagraph (c) (1) (ii) of the Rights in Technical Data and Computer Software clause at DFARS sec. 252.227-7013.

Cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706

Cisco Internetwork Operating System Software
IOS (tm) 3600 Software (C3640-IS-M), Version 12.2(10), RELEASE SOFTWARE (fc2)
Copyright (c) 1986-2002 by Cisco Systems, Inc.
Compiled Mon 06-May-02 23:23 by pwade
Image text-base: 0x60008930, data-base: 0x610D2000
cisco 3640 (R4700) processor (revision 0x00) with 94208K/4096K bytes of memory.
Processor board ID 17746964
R4700 CPU at 100Mhz, Implementation 33, Rev 1.0
Bridging software.
X.25 software, Version 3.0.0.
SuperLAT software (copyright 1990 by Meridian Technology Corp).
5 Ethernet/IEEE 802.3 interface(s)
1 Serial network interface(s)
DRAM configuration is 64 bits wide with parity disabled.
125K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash (Read/Write)
16384K bytes of processor board PCMCIA Slot0 flash (Read/Write)

--- System Configuration Dialog ---
Would you like to enter the initial configuration dialog? [yes/no]:

- When a new router boots for the first time, IOS runs the setup process and the user is prompted to answer a few questions. IOS then configures the system from the answers it receives. Once setup is complete, the most common way to modify the configuration is the command-line interface (CLI). Other ways to configure the router include HTTP and network management applications.

2. Cisco IOS CLI:
- Cisco IOS has three command modes, and each mode gives access to a different set of commands.
- User mode: this is the first mode a user enters after logging in to the router. User mode is recognized by the > prompt right after the router name. This mode only lets the user run a few basic commands, such as viewing the status of the system. The system cannot be configured or reloaded from this mode.
- Privileged mode: this mode lets the user view the system configuration, reload the system and enter configuration mode. It also allows every user mode command. Privileged mode is recognized by the # prompt right after the router name. The user types the enable command to tell IOS that they want to move from user mode into privileged mode. If an enable password or an enable secret password is set, the user must type the correct password to be granted access to privileged mode. The enable secret password is stored in the configuration with a stronger form of encryption, so it is more secure. Privileged mode lets the user do anything on the router, so it should be used with care. To leave privileged mode, the user runs the disable command.
- Configuration mode: this mode lets the user modify the running configuration. To enter configuration mode, type configure terminal from privileged mode. Configuration mode has many sub-modes, starting with global configuration mode, which is recognized by the (config)# prompt right after the router name. The sub-modes within configuration mode depend on what you want to configure, and the text inside the parentheses changes accordingly. For example, when you enter interface mode the prompt changes to (config-if)# after the router name. To leave configuration mode, the user can type end or press Ctrl-Z.
- Note: in every mode, typing the ? command at the prompt lists the commands available at that level. The ? can also be typed in the middle of a command to see the options that command accepts. Example 4-2 shows how the ? command is used in each mode.

- Example: Using Context-Sensitive Help
Router>?
Exec commands:
  access-enable    Create a temporary Access-List entry
  access-profile   Apply user-profile to interface
  clear            Reset functions

- The following steps show how to change modes, view the system configuration and configure passwords. The CLI of a 3640 router running Cisco IOS is shown.
- Step 1: Enter enable mode by typing enable and pressing Enter
Router> enable
Router#
- Step 2: To see the version of the running IOS operating system, type show version
Router# show version
Cisco Internetwork Operating System Software
IOS (tm) 3600 Software (C3640-IS-M), Version 12.2(10), RELEASE SOFTWARE (fc2)
Copyright (c) 1986-2002 by Cisco Systems, Inc.
Compiled Mon 06-May-02 23:23 by pwade
Image text-base: 0x60008930, data-base: 0x610D2000
ROM: System Bootstrap, Version 11.1(20)AA2, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
Router uptime is 47 minutes
System returned to ROM by reload
System image file is "slot0:c3640-is-mz.122-10.bin"
cisco 3640 (R4700) processor (revision 0x00) with 94208K/4096K bytes of memory.
Processor board ID 17746964
R4700 CPU at 100Mhz, Implementation 33, Rev 1.0
Bridging software.
X.25 software, Version 3.0.0.
SuperLAT software (copyright 1990 by Meridian Technology Corp).
5 Ethernet/IEEE 802.3 interface(s)
1 Serial network interface(s)
DRAM configuration is 64 bits wide with parity disabled.
125K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash (Read/Write)
16384K bytes of processor board PCMCIA Slot0 flash (Read/Write)
Configuration register is 0x2002
- The output above shows that this router runs Cisco IOS version 12.2(10) and that the image is stored on the PCMCIA flash card in slot 0.
- Step 3: Next, set the router name to IOS. Enter configuration mode by typing configure terminal
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# hostname IOS
IOS(config)#
- Note that the prompt changes to IOS immediately after you type the hostname command. Every configuration change in Cisco IOS takes effect at once.
- Step 4: Next, set the enable password and the enable secret password. The enable secret password is stored with a very strong encryption algorithm and, when configured, overrides the enable password
IOS(config)# enable password cisco
IOS(config)# enable secret san-fran
IOS(config)# exit
IOS#
To enter enable mode you now have to type the password san-fran. The exit command goes back one level in the configuration, leaving the current sub-mode.
- Step 5: After setting the router name and the passwords, you can view the running configuration with show running-config
IOS# show running-config
Building configuration...

Current configuration : 743 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname IOS
!
enable secret 5 $1$IP7a$HClNetI.hpRdox84d.FYU.
enable password cisco
!
ip subnet-zero
!
call rsvp-sync
!
interface Ethernet0/0
 no ip address
 shutdown
 half-duplex
!
interface Serial0/0
 no ip address
 shutdown
 no fair-queue
!
interface Ethernet2/0
 no ip address
 shutdown
 half-duplex
!
interface Ethernet2/1
 no ip address
 shutdown
 half-duplex
!
interface Ethernet2/2
 no ip address
 shutdown
 half-duplex
!
interface Ethernet2/3
 no ip address
 shutdown
 half-duplex
!
ip classless
ip http server
ip pim bidir-enable
!
dial-peer cor custom
!
line con 0
line aux 0
line vty 0 4
!
end
- Step 6: The output of show running-config is the configuration currently active in the system, but it is lost if the system reloads. To save the configuration to NVRAM you must type
IOS# copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
- Step 7: To view the configuration saved in NVRAM, use show startup-config
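As an added illustration (not part of the original text), the weak password settings visible in the running configuration above are shown beside a hardened equivalent; the secret value is a constructed placeholder.

```cisco
! Weak form, as in the running-config above: the enable password is stored in
! clear text and password encryption is off.
no service password-encryption
enable secret 5 $1$IP7a$HClNetI.hpRdox84d.FYU.
enable password cisco
!
! Hardened form (constructed example, placeholder secret): keep only the enable
! secret (type 5, a salted MD5 hash), drop the clear-text enable password, and
! turn on password encryption so line and other passwords are not stored in the
! clear. Note that service password-encryption (type 7) only obscures those
! passwords; it is not a strong hash like the enable secret.
no enable password
enable secret STRONG-SECRET-PLACEHOLDER
service password-encryption
```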

- In the sequence of steps above, only the Ethernet and serial interfaces appear in the configuration file. Each interface needs certain parameters, such as encapsulation and address, set before it can be used properly. In addition, IP routing and bridging need to be configured. Refer to the Cisco IOS installation and configuration guides at www.cisco.com for your software version for all the available configuration options and detailed instructions.
- Some commonly used commands for managing the system:

Cisco IOS command: Description
- show interface: Displays the current status and configuration details of all interfaces in the system
- show processes cpu: Displays CPU utilization and the processes running in the system
- show buffers: Shows how many buffers are currently allocated and active for packet forwarding
- show memory: Shows how much memory is allocated to the various system functions and how it is used
- show diag: Displays details of the cards installed in the system
- show ip route: Displays the IP routing table in use
- show arp: Displays the MAC addresses mapped to the IP addresses in use in the ARP table

IV. Four-Step Procedure for Configuring IPSec/VPN on Cisco IOS:

- IPSec for a VPN can be configured in the following four steps:
1. Prepare for IKE and IPSec
2. Configure IKE
3. Configure IPSec
  o Configure the encryption form for the data packets: crypto ipsec transform-set
  o Configure the data lifetime and other security options: crypto ipsec security-association lifetime
  o Create crypto ACLs with extended access lists
  o Configure the IPSec crypto maps: crypto map
  o Apply the crypto maps to the interfaces: crypto map map-name
4. Verify the IPSec implementation
A. Configuring data encryption:
- Next you configure Cisco IOS IPSec by using an IPSec security policy to define the IPSec security policies (transform sets).

- An IPSec security policy (transform set) is a combination of individual IPSec transforms defined and designed for the security policy of traffic on the network. During the ISAKMP IPSec SA negotiation that takes place in IKE Phase 2 quick mode, the two peers agree on a particular transform set for protecting their data on the link. A transform set is a combination of the following factors:
  o The mechanism for authentication: the AH policy
  o The mechanism for encryption: the ESP policy
  o The IPSec mode (transport mode or tunnel mode)

- A transform set is the combination of an AH transform, an ESP transform and the IPSec mode (either tunnel mode or transport mode). A transform set is limited to one or two ESP transforms and one AH transform. Define a transform set with the crypto ipsec transform-set command in global configuration mode. To delete a transform set, use the no form of the command.
- The syntax of the command and its parameters are as follows:
crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3]]
- Parameters of the crypto ipsec transform-set command:
  o transform-set-name: Specifies the name of the transform set to create or modify
  o transform1, transform2, transform3: Specify up to three transforms. The transforms define the IPSec security protocol (IPSec Security Protocol) and the algorithm

- When ISAKMP is not used to establish the SAs, a single transform set must be used. The transform set is not negotiated.
- Changing the transform set configuration:
- You can configure multiple transform sets and specify one or more of them in a crypto map entry. The transform sets defined in the crypto map entry are used in the IPSec SA negotiation to protect the data defined by the crypto map entry's ACL. During the negotiation, both sides look for a transform set that is identical on both peers. When such a transform set is found, it is used to protect the data on the link as part of the IPSec SAs of both peers.
Step 1: Remove the transform set from the crypto map
Step 2: Delete the transform set in global configuration mode
Step 3: Reconfigure the transform set with the changes
Step 4: Assign the transform set to the crypto map
Step 5: Clear the SA database
Step 6: Monitor the SA negotiation and make sure it works properly

- Configuring transform negotiation:
- The transform sets negotiated during quick mode in IKE Phase 2 are the ones you configured earlier for use. You can configure multiple transform sets and specify one or more of them in a crypto map entry. Order the transform sets from the most to the least secure, as in your security policy. The transform sets defined in the crypto map entry are used in the IPSec SA negotiation to protect the data defined by the crypto map entry's ACL.
- During the negotiation each side looks for a transform set that is identical on both peers, as illustrated in the figure above. Router A's transform sets are compared against one transform set of Router B, and so on. Router A's transform sets 10, 20 and 30 are compared against Router B's transform set 40. If no match results, all of Router A's transform sets are then compared against Router B's next transform set. Finally, Router A's transform set 30 matches Router B's transform set 60. When a matching transform set is found, it is selected and applied to protect the link as part of the IPSec SA of both peers. IPSec accepts only one transform set selected per SA.
B. Configuring the IPSec SA lifetime used in the negotiation:
- The IPSec SA lifetime is defined as the time the IPSec SA exists before a new negotiation is performed. Cisco IOS supports a global lifetime value that applies to all crypto maps. The global lifetime value can be overridden by the entries in a crypto map.

- You can change the IPSec SA lifetime with the crypto ipsec security-association lifetime command in global configuration mode. To return to the default values, use the no form of the command. The syntax and parameters of the command are defined as follows:
crypto ipsec security-association lifetime {seconds seconds | kilobytes kilobytes}
- Parameters:
  o seconds seconds: Specifies the lifetime of the IPSec SA in seconds. The default is 3600 seconds (one hour)
  o kilobytes kilobytes: Specifies the volume of IPSec traffic that may pass between the two peers over a given SA before the SA expires. The default is 4,608,000 KB

- Cisco recommends using the default values. The lifetime of each individual IPSec SA can also be configured through the crypto map.
Defining Crypto Access Lists:
- Crypto access lists (crypto ACLs) are used to define which traffic is, and which is not, protected by IPSec.
- Crypto ACLs perform the following functions:
  o Outbound: Select the traffic to be protected by IPSec. The remaining traffic is sent unencrypted.
  o Inbound: If required, the inbound access list can filter out and drop traffic that should have been protected by IPSec.

C. Creating crypto ACLs with extended access lists:
- Crypto ACLs are defined to protect data transmitted over the network. Extended IP ACLs select the IP traffic to encrypt by transport protocol, IP address, network, subnet and service port. Although the syntax of crypto ACLs and extended IP ACLs is the same, their meaning differs slightly: in a crypto ACL, permit means that only the matching packets are encrypted, and deny means that the matching packets are not encrypted. Crypto ACLs work like extended IP ACLs in that they apply only to outbound traffic on an interface.
- The command syntax and parameters for the basic form of the extended IP ACL are as follows:
access-list access-list-number {permit | deny} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log]
- Parameters of the access-list access-list-number command:
  o permit: All matching IP traffic is marked to be protected by crypto, using the policy listed in the matching crypto map entry
  o deny: Marks traffic between the routers that is not to be protected (sent in the clear)
  o source and destination: Networks, subnets or hosts
- Note: Although the ACL syntax is unchanged, the meaning differs for crypto ACLs: permit means that the matching packets are encrypted, and deny means that the matching packets are not encrypted.

- Any inbound traffic that is not protected but that matches a permit statement in the crypto ACL of a crypto map entry is dropped by IPSec. The packet is dropped because that traffic was expected to be protected by IPSec.
- If you want some data sent to a destination to be protected by only one form of IPSec security (authentication only) and other data to the same destination to be protected by a combination of security forms (both authentication and encryption), you must create two different crypto ACLs defining the two types of outgoing data. The two ACLs are then used in different crypto map entries with different IPSec policies.
- Note: Cisco recommends avoiding the any keyword for both the source and the destination. The statement permit any any is very error-prone, because all outbound traffic will be protected and all of it will be sent to the peer specified in the crypto map entry. All inbound packets lacking IPSec protection are then silently dropped, including routing protocol packets, NTP, echo, echo response and many others.
- Restrict the protected traffic to what is necessary when defining the packets to protect in crypto ACLs. If you must use the any keyword in a permit statement, precede it with a series of deny statements that filter out the outbound traffic you do not want to protect.

D. Configuring the IPSec crypto maps:
E. Applying the crypto maps to the interfaces (interfaces):
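The four steps above carried through as one added configuration example (constructed here, not part of the original document), covering the transform-set negotiation described in section A, the lifetime of section B, the crypto ACL of section C and the crypto map and interface steps of D and E: Router A offers transform sets in preference order 10, 20, 30 and Router B offers 40, 50, 60, so only A's third set matches B's third, and the crypto ACL places deny statements before the permit as advised above. Hostnames, addresses, ACL number, set names and the pre-shared key are assumed placeholders; the esp-aes transform requires an IOS image that supports it.

```cisco
! ===== Router A (constructed example) =====
hostname RouterA
!
! Step 2: IKE (ISAKMP) policy and pre-shared key for the peer (placeholder key)
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key PRESHARED-KEY-PLACEHOLDER address 203.0.113.2
!
! Step 3a: transform sets, strongest first (names stand in for sets 10, 20, 30)
crypto ipsec transform-set A-SET10 esp-aes esp-sha-hmac
crypto ipsec transform-set A-SET20 esp-3des esp-sha-hmac
crypto ipsec transform-set A-SET30 esp-3des esp-md5-hmac
!
! Step 3b: global SA lifetime; these are the defaults Cisco recommends keeping
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
!
! Step 3c: crypto ACL. deny lines first so NTP to the peer and OSPF stay in the
! clear; the permit line selects only the LAN-to-LAN flow, never "any any".
access-list 101 deny   udp host 203.0.113.1 host 203.0.113.2 eq 123
access-list 101 deny   ospf any any
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! Step 3d: crypto map entry binding peer, ACL and transform sets (preference order)
crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set A-SET10 A-SET20 A-SET30
 match address 101
!
! Step 3e: apply the crypto map to the outside interface
interface Serial0/0
 ip address 203.0.113.1 255.255.255.252
 crypto map VPNMAP
!
! ===== Router B (constructed example), mirror configuration =====
hostname RouterB
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key PRESHARED-KEY-PLACEHOLDER address 203.0.113.1
! B's sets 40 and 50 match none of A's; set 60 equals A's A-SET30 exactly
crypto ipsec transform-set B-SET40 esp-aes esp-md5-hmac
crypto ipsec transform-set B-SET50 ah-sha-hmac esp-3des
crypto ipsec transform-set B-SET60 esp-3des esp-md5-hmac
access-list 101 deny   udp host 203.0.113.2 host 203.0.113.1 eq 123
access-list 101 deny   ospf any any
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set B-SET40 B-SET50 B-SET60
 match address 101
interface Serial0/0
 ip address 203.0.113.2 255.255.255.252
 crypto map VPNMAP
!
! Step 4: verify on either router with show crypto isakmp sa, show crypto ipsec sa
! and show crypto map; the negotiated transform is esp-3des esp-md5-hmac (tunnel mode)
```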

V. VI.

Methods of Accessing Network Devices (Telnet/SNMP):
