
VIETNAM-KOREA FRIENDSHIP INFORMATION TECHNOLOGY COLLEGE
FACULTY OF COMPUTER SCIENCE

GRADUATION INTERNSHIP REPORT

Title:

Study and Deployment of IPsec in Virtual Private Network

Student: Phan Anh Tun
Class: MM03C
Supervisor: Nguyn c Vit Khi
Host organisation: Trường Tân Joint Stock Company

Đà Nẵng, April 2012

PREFACE

1. Reason for choosing the topic
Today the explosion of information technology in general, and of the Internet in particular, brings us many new things: working relationships in society become ever more convenient, employees can work effectively from home, and an enterprise can connect securely to its agents and partner companies. One of the technologies now widely used by enterprises, companies and trading firms is the Virtual Private Network (VPN). With VPN technology, geographic distance is no longer an obstacle to accessing internal resources, and a VPN also saves considerable cost and time. When building a VPN, security between the connected networks is the issue that deserves the most attention. One solution that ensures the confidentiality of a VPN is IPsec. Although this technology is not new, it is very widely applied. For these reasons I chose the topic "Study and Deployment of IPsec in Virtual Private Network" as my internship research topic.

2. Objectives and tasks
Objective: help the reader grasp how IPsec works and its importance to VPNs.
Tasks:
- Study the theory of IPsec and VPNs
- Build a VPN network model with IPsec deployed
- Deploy the model in the lab and in practice
- Analyse and evaluate the system
- Optimise the system

3. Object and scope of research
Object: IPsec.
Scope: applied to the network model of small and medium-sized enterprises.

4. Tools and equipment for deployment
Cisco routers.

5. Research method
- Collect documentation
- Study textbooks and online material
- Evaluate results
- Compile and write the report
- Deploy the VPN models

6. Expected results

7. Scientific and practical significance
Scientific significance: the report helps a network administrator build secure network connections to remote users or distant company branches.
Practical significance: it lets the network of an enterprise or organisation connect to other networks or remote users safely and efficiently, without wasting resources, and avoids the risk of data loss.

8. Topic title
Study and Deployment of IPsec in Virtual Private Network

SOCIALIST REPUBLIC OF VIETNAM
Independence - Freedom - Happiness

EVALUATION SHEET
GRADUATION INTERNSHIP RESULT, STUDENT COHORT 2009 - 2012
- Student name: Phan Anh Tun
- Date of birth: 07/03/1991
- Place of birth: Quảng Trị
- Class: CCMM03C; Cohort: 2009 - 2012
- Major: Computer Networking; Level: College
- Internship period: from 26/03/2012 to 04/05/2012
- At: Trường Tân Joint Stock Company
- Internship content:
  + Survey the company's network model and the equipment it uses.
  + Study the management of the company's network system and its existing applications.
  + How to configure a complete network system with a set of devices.
1. Remarks on professional competence: (blank)
2. Remarks on attitude, sense of responsibility and compliance with the host organisation's rules: (blank)
3. Graduation internship result (scored out of 10): (blank)

Đà Nẵng, (day) (month) 20(..)
SUPERVISOR (signature, full name)          HOST ORGANISATION (signature and stamp)

Study and Deployment of IPsec in Virtual Private Network

TABLE OF CONTENTS
PART I: INTRODUCTION TO TRƯỜNG TÂN JOINT STOCK COMPANY ... 3
PART II: STUDY AND DEPLOYMENT OF IPSEC IN VIRTUAL PRIVATE NETWORK ... 4
CHAPTER I: THEORY ... 4
1. INTRODUCTION TO VIRTUAL PRIVATE NETWORKS ... 4
1.1. Introduction ... 4
1.2. Classification ... 4
2. IP SECURITY TECHNOLOGY ... 13
2.1. The IPsec protocol ... 13
2.2. Operation of the AH and ESP protocols ... 16
3. PUBLIC KEY INFRASTRUCTURE ... 31
3.1. PKI overview ... 31
3.2. PKI components ... 32
3.3. PKI infrastructure ... 34
4. DYNAMIC MULTIPOINT VIRTUAL PRIVATE NETWORK ... 36
4.1. DMVPN overview ... 36
4.2. Next Hop Resolution Protocol ... 40
CHAPTER II: PRACTICE ... 44
1. GENERAL MODEL ... 44
2. CONFIGURATION ... 44
3. VERIFICATION ... 49
CONCLUSION ... 52
REFERENCES ... 53

Faculty: Computer Science - Class MM03C - Phan Anh Tun


LIST OF FIGURES
Figure 1.1: Remote Access VPN ... 5
Figure 1.2: Remote Access VPN Setup ... 6
Figure 1.3: Connecting enterprises over a public network ... 7
Figure 1.4: The Traditional Extranet Setup ... 8
Figure 1.5: The Extranet VPN Setup ... 9
Figure 1.6: VPN Model - OSI Model ... 10
Figure 1.7: L2TP Tunnel Negotiation ... 11
Figure 1.8: L2TP Header ... 12
Figure 1.9: GRE encapsulation ... 12
Figure 1.10: L2TP/IPSec VPN Remote Access ... 12
Figure 1.11: L2TP/IPSec VPN Site to Site ... 13

Figure 2.1: AH Tunnel Mode Packet ... 17
Figure 2.2: ESP Tunnel Mode Packet ... 17
Figure 2.3: AH Tunnel Mode Packet ... 18
Figure 2.4: AH Transport Mode Packet ... 18
Figure 2.5: AH Header ... 19
Figure 2.6: Sample AH Transport Mode Packet ... 20
Figure 2.7: AH Header Fields from Sample Packet ... 21
Figure 2.8: ESP Tunnel Mode Packet ... 23
Figure 2.9: ESP Transport Mode Packet ... 23
Figure 2.10: ESP Packet Fields ... 24
Figure 2.11: ESP Packet Capture ... 26
Figure 2.12: ESP Header Fields from Sample Packets ... 26
Figure 2.13: IPSec Transport Mode ... 27
Figure 2.14: Transport Mode Tunnel ... 28
Figure 2.15: Transport Mode Packet ... 28
Figure 2.16: Tunnel Mode - AH Tunnel ... 28
Figure 2.17: ESP Tunnel - Mode VPN ... 29
Figure 2.18: IPSec Tunnel Mode ... 29
Figure 2.19: Packet Flow from Host A2 to Host B3 ... 30


PART I: INTRODUCTION TO TRƯỜNG TÂN JOINT STOCK COMPANY

1. HOST ORGANISATION
Name: Trường Tân Joint Stock Company.
Address: 134 Lê Duẩn, Hải Châu District, Đà Nẵng City.
Email: info@truongtan.edu.vn
Website: www.truongtan.edu.vn
Telephone: 05113 867768

2. GENERAL INTRODUCTION
The company's predecessor was DTSCorp, headquartered in Ho Chi Minh City and founded in 2005, operating in IT solution consulting, design and construction of network systems, network security, and IT applications for enterprises. In May 2006 it partnered with VSIC Informatics Co., Ltd., a 100% foreign-owned company, to invest in and establish a branch of VSIC Informatics in Đà Nẵng specialising in IT training. In January 2008 it bought out the entire Đà Nẵng branch of VSIC Informatics, increased its charter capital and renamed it TTG Training Center. Since arriving in Đà Nẵng in 2006, VSIC Informatics (now TTG Training Center) has step by step established itself as one of the leading computer-networking training centres in Đà Nẵng in particular and the central provinces in general.

3. Fields of activity
- IT training in specialisations such as network administration and web programming.
- A venue for IT seminars.

4. Facilities
- Head office in the centre of Đà Nẵng City.
- The latest genuine Cisco equipment, including 2800-series routers and 2900-series switches.
- Spacious, comfortable theory classrooms to international standards.
- A lab with high-speed network connectivity.



PART II: STUDY AND DEPLOYMENT OF IPSEC IN VIRTUAL PRIVATE NETWORK

CHAPTER I: THEORY

1. INTRODUCTION TO VIRTUAL PRIVATE NETWORKS

1.1. Introduction
A VPN (Virtual Private Network) is a technology that provides a secure way for private networks to communicate, using a technique called tunneling to create a private network on top of the Internet. In essence, the whole packet is placed inside a header layer containing routing information so that it can be carried across an intermediate network. A VPN is a private network that uses a shared network to connect its sites (separate private networks) or many remote users, instead of a dedicated link from the company's private network to each remote employee's site. A common method found in VPNs is Generic Routing Encapsulation (GRE). GRE provides a mechanism for encapsulating a passenger protocol packet so that it can be carried over a carrier protocol; it includes information about the type of packet being encapsulated and about the connection between server and client.

1.2. Classification

1.2.1. Classification
VPNs are divided into the following categories:
- VPNs for enterprises
- VPNs for service providers
- VPN technologies and the OSI model
- IPsec and Security Associations
- IPsec modes and protocols

1.2.2. VPNs for enterprises
For enterprises, a VPN provides connections deployed over public network infrastructure. VPN solutions come in three main types:
- Remote Access VPN
- Site-to-Site VPN
- Extranet VPN


a. Remote Access VPN
Remote Access, also called a Virtual Private Dial-up Network (VPDN), is a user-to-LAN connection, typically needed by an organisation with many employees who must reach its private network from many distant locations. For example, a company may want to set up a large VPN through an enterprise service provider (ESP). The provider sets up a network access server (NAS) and gives remote users client software for their computers. Users then dial a toll-free number to reach the NAS and use the VPN client software to access the company's private network. This type of VPN allows secure, encrypted connections.

[Figure 1.1: Remote Access VPN. A home office, remote offices and a mobile employee each connect through an ISP POP over the Internet to the main office.]

Main components:


- Remote Access Server (RAS): located at the central site, it validates and authenticates incoming requests. Dialling into the central site reduces the cost of requests from locations far from the centre.
- Support staff who configure, maintain and manage the RAS and support remote access by users. By deploying Remote Access VPNs, remote users or branch offices need only a local connection to an ISP or the ISP's POP and then reach resources over the Internet.

The Remote Access setup is illustrated by the following figure:

[Figure 1.2: Remote Access VPN Setup. A remote user and a mobile user each build a VPN tunnel over the Internet to the VPN server behind the firewall, which fronts the web, file and mail servers.]

Advantages of Remote Access VPN:
- The need to support individual users is eliminated because remote connectivity is handled by the ISP.
- Long-distance dial-up is eliminated and replaced by local connections.
- Lower cost for long-distance connections.
- Because the connection is local, the connection speed is higher than that of a direct long-distance connection.
- VPNs give better access to the central site because they support a minimum level of access service even when the number of simultaneous connections to the network grows rapidly.

Some limitations of VPNs:
- Remote Access VPN does not guarantee quality of service.
- The chance of data loss is high; moreover, segments of a datagram may go astray and be lost.
- Because of the complexity of the encryption algorithms, protocol overhead increases significantly, which makes authentication harder. In addition, IP data compression is slow.
- Because traffic must cross the Internet, exchanging large amounts of data is very slow.

b. Site-to-Site VPN
This uses dedicated encryption for many users to connect several fixed sites to each other over a public network such as the Internet. It may be intranet-based or extranet-based.
- Intranet-based: if a company has several remote locations that it wants to join into a single private network, it can create an intranet VPN (internal VPN) connecting LAN to LAN.
- Extranet-based: when a company has a close relationship with another company (for example a supplier or customer), it can build an extranet VPN connecting LAN to LAN so that the different organisations can work in a shared environment.

[Figure 1.3: Connecting enterprises over a public network. Sites 1 to 4 are joined across the Internet.]

A LAN-to-LAN VPN connects two separate networks through a secure tunnel. The tunnel may use PPTP, L2TP or IPsec. The main purpose of LAN-to-LAN is to connect two networks that have no direct link, without compromising integration, authentication or data confidentiality. A LAN-to-LAN connection is designed to create a direct, efficient network connection regardless of the distance between the sites.

c. Extranet VPN
An extranet allows business partners who play an important role in the organisation, such as customers, suppliers and partners, to access the network resources they need.

[Figure 1.4: The Traditional Extranet Setup. The corporate network reaches Supplier 1, 2 and 3 through three separate supplier networks.]

From the model above we see that a traditional extranet is very costly, because many separate network segments on the intranet must be combined to form the extranet; it is hard to deploy because of the many networks, and hard for the individuals who maintain and administer it.



[Figure 1.5: The Extranet VPN Setup. The corporate network reaches the supplier networks through VPN tunnels.]

Advantages of the extranet VPN:
- Easy to deploy, manage and modify.
- Reduced maintenance cost.

Some limitations of the extranet VPN:
- Security threats such as denial-of-service attacks still exist.
- Greater risk of intrusion into the organisation through the extranet.
- Because it runs over the Internet, exchanging high-end data is slow.
- QoS is not consistently guaranteed.


1.2.3. VPN technologies and the OSI model

Layer 7 - Application: Secure HTTP (HTTPS), S/MIME, PGP
Layer 6 - Presentation: N/A
Layer 5 - Session: N/A
Layer 4 - Transport: SSL and TLS, SOCKS, SSH
Layer 3 - Network: IPsec deployment, MPLS VPNs
Layer 2 - Data Link: VPDN - PPTP, L2TP, L2F; ATM cell encryptors, Frame Relay frame encryptors
Layer 1 - Physical: Optical bulk encryptors, radio frequency (RF) encryptors

Figure 1.6: VPN Model - OSI Model

The protocols that build the secure tunnel mechanism for a VPN are L2TP, Cisco GRE and IPsec.

a. L2TP
L2TP combines PPTP (Point-to-Point Tunneling Protocol) and Cisco's L2F (Layer 2 Forwarding) protocol, which makes it very effective for dial-up, ADSL and other remote-access connections. As with PPP, L2TP encapsulates data in PPP frames and then sends those frames across the backbone network. Unlike PPTP, however, L2TP uses UDP as the encapsulation method for both tunnel and user data. L2TP provides no encryption and must therefore rely on another protocol for security; L2TP is therefore supplemented with IPsec.


[Figure: L2TP/IPsec packet layout: New IP Header | L2TP Message Header | PPP Header | Original IP Header | Payload.]

L2TP has two main components: the L2TP Access Concentrator and the L2TP Network Server.
o L2TP Access Concentrator (LAC): represents the client side of the network and typically sits in the switching fabric between remote dial-up nodes and the access server, terminating inbound PPP sessions over ISDN and PSTN switching. When a remote host initiates and completes a PPP connection on the NAS, the LAC acts as a proxy that initiates L2TP control and tunnels data to the LNS at the corporate network.
o L2TP Network Server (LNS): represents the server side of the VPDN. It operates in the enterprise network as the endpoint that terminates the data tunnel from the LAC. When users connect to the LAC, those connections are multiplexed over the negotiated tunnel to the LNS.

Figure 1.7: L2TP Tunnel Negotiation

L2TP uses control messages and data packets as follows:
o L2TP control messages negotiate the setup and maintenance of the tunnel. Control messages assign tunnel IDs to new connections for the lifetime of the tunnel. L2TP control messages are sent from a source port and forwarded to destination UDP port 1701.
o L2TP payload packets tunnel the data present in the network. When data passes through the tunnel from the LAC to the NAS over an IP path, it is encapsulated with an L2TP header. The L2TP format is structured as follows:

Data Link Header | IP Header | UDP Header | L2TP Header | PPP Header | PPP Payload | Data Link Trailer

Figure 1.8: L2TP Header

b. GRE

Protocol Y Header | GRE Header | Protocol X Packet

Figure 1.9: GRE encapsulation

GRE is the traditional protocol for encapsulating IP, CLNP and any other packets inside an IP tunnel. With a GRE tunnel, a Cisco router encapsulates, for each site, a specific protocol indicated in the IP header, creating a virtual point-to-point link to the destination Cisco router; when the packet reaches its destination the outer IP header is removed. By connecting many subnets running different protocols over an environment with a single main protocol, GRE tunneling lets other protocols be routed conveniently inside IP packets.

c. IPsec

[Figure 1.10: L2TP/IPSec VPN Remote Access. A remote host builds an L2TP/IPsec tunnel across the Internet to the LNS in front of the enterprise network's servers.]


[Figure 1.11: L2TP/IPSec VPN Site to Site. A LAC in one enterprise network and an LNS in the other are joined by an L2TP/IPsec tunnel, with hosts and servers behind each.]

IPsec is the preferred choice for securing a VPN. It is a framework that provides data confidentiality, data integrity and data authentication. IPsec provides its security services using IKE, which negotiates protocols and algorithms based on local policy and generates the encryption and authentication keys used by IPsec.

2. IP SECURITY TECHNOLOGY

2.1. The IPsec protocol

2.1.1. IPsec overview
IPsec is a set of open standards established to ensure data confidentiality, data integrity and data authentication between the devices taking part in a VPN. These devices may be hosts or security gateways (routers, firewalls, VPN concentrators, ...), or a host and a gateway as in remote-access VPNs. IPsec protects multiple data flows between peers, and one gateway can support many flows at once. IPsec operates at the network layer and uses the Internet Key Exchange (IKE) protocol to negotiate protocols between the participants; IPsec then generates the encryption and authentication keys to use.

The main protocols and algorithms used in IPsec:
- IP Security Protocol (IPsec)
  o Authentication Header (AH)
  o Encapsulating Security Payload (ESP)
- Message encryption
  o Data Encryption Standard (DES)

  o Triple DES (3DES)
- Message integrity (hash) functions
  o Hash-based Message Authentication Code (HMAC)
  o Message Digest 5 (MD5)
  o Secure Hash Algorithm-1 (SHA-1)
- Peer authentication
  o Rivest, Shamir and Adleman (RSA) digital signatures
  o RSA encrypted nonces
- Key management
  o Diffie-Hellman (D-H)
  o Certificate Authority (CA)
- Security Association
  o Internet Key Exchange (IKE)
  o Internet Security Association and Key Management Protocol (ISAKMP)

2.1.2. Operation of the IPsec protocol
IPsec is now used very widely and in many processes. One can set up VPNs without knowing much about the protocol, but the results will be messy and poor. The prerequisites to settle before configuring IPsec therefore consist of the following steps:

Step 1: Establish the IKE policy
The policy must be configured identically on both VPN peers. It is limited to the following items:
- Key distribution method: manual configuration, or keys supplied by a CA.
- Authentication method: largely determined by the key distribution method; preshared keys are the usual choice.
- IP address and hostname of the peers: the IP addresses must be known to identify the peers, and the access lists on the devices must be managed so that the peers know each other's information. IPsec on a device configured by fully qualified domain name (FQDN) works the same way as configuration by IP address.
- IKE policy parameters: the parameters set in IKE phase 1. An IKE policy includes:
  o Encryption algorithm: DES/3DES
  o Hash algorithm: MD5/SHA-1
  o Authentication method: preshared, RSA encryption, RSA signature
  o Key exchange: D-H group 1 / D-H group 2
  o IKE SA lifetime: 86400 seconds by default

Step 2: Establish the IPsec policy
IPsec confidentiality and authentication are applied to the traffic that is known to pass between the peers. All traffic could be sent through the IPsec tunnel, but it may then be hard to maintain full performance, so one should select the policies that need to go through the tunnel. Once the IPsec tunnel is chosen, both endpoints must apply the same policies. IPsec policies include:
- IPsec protocol: AH or ESP
- Authentication: MD5 or SHA-1
- Encryption: DES or 3DES
- Transform or transform set: ah-sha-hmac, esp-3des, esp-md5-hmac, or a combination of these algorithms
- Identify traffic to be protected: protocol, source, destination and port
- SA establishment: manual configuration or IKE

Step 3: Check the current configuration
Check the IPsec configuration already on the device to avoid conflicting configuration parameters.

Step 4: Test the network before IPsec
Test by pinging the devices that will be configured with IPsec.

Step 5: Protocols and ports used by IPsec:
- UDP port 500: ISAKMP, identified by the keyword isakmp
- Protocol number 50: used by ESP, identified by the keyword esp
- Protocol number 51: used by AH, identified by the keyword ahp


2.1.3. Operation of IKE

IKE exchanges keys between the devices taking part in the VPN, exchanges security policies between them and automatically negotiates those policies. Before exchanging keys to set up the virtual channel, IPsec authenticates whom it is talking to. During the key exchange IKE uses asymmetric cryptography (a public key and a private key) to protect the exchange of keys between the VPN devices, and then exchanges security policies between them. The security policies on the devices are called Security Associations (SAs). During IKE, therefore, the devices exchange all the SAs they have, and each pair of devices finds the SA that suits it best.
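The negotiation described above and in Step 1 of section 2.1.2, as an added example that is not part of the report: each router offers its IKE phase-1 transforms in priority order and the first exact match becomes the IKE SA policy. The two transform lists are the Router A and Router B sets from the figure in this section; the string names of the algorithms and the "shorter lifetime wins" variant are assumptions of this example, not something the report specifies.

```python
"""IKE phase-1 policy matching between two peers (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class IkeTransform:
    encryption: str       # e.g. "aes-256", "aes-192", "3des" (names are assumed)
    hash: str             # "sha1" or "md5"
    authentication: str   # "pre-share", "rsa-sig" or "rsa-encr"
    dh_group: int         # Diffie-Hellman group number
    lifetime: int         # IKE SA lifetime in seconds


# Router A's transforms in priority order (values taken from the figure).
ROUTER_A: List[IkeTransform] = [
    IkeTransform("aes-256", "sha1", "pre-share", 2, 86400),
    IkeTransform("aes-192", "sha1", "pre-share", 2, 86400),
]

# Router B's transforms in priority order (values taken from the figure).
ROUTER_B: List[IkeTransform] = [
    IkeTransform("aes-192", "md5", "pre-share", 2, 86400),
    IkeTransform("aes-256", "sha1", "pre-share", 2, 86400),
]

FIELDS = ("encryption", "hash", "authentication", "dh_group", "lifetime")


def negotiate_ike_policy(initiator: List[IkeTransform],
                         responder: List[IkeTransform]) -> Optional[IkeTransform]:
    """Walk the initiator's proposals in priority order and return the first
    one the responder also offers. All five parameters must be identical.
    None means phase 1 fails: no common policy."""
    for proposal in initiator:
        if proposal in responder:
            return proposal
    return None


def negotiate_with_lifetime_rule(initiator: List[IkeTransform],
                                 responder: List[IkeTransform]) -> Optional[IkeTransform]:
    """Assumed variant: lifetime need not be equal, the shorter one is used.
    The four cryptographic parameters must still match exactly."""
    for p in initiator:
        for r in responder:
            if (p.encryption, p.hash, p.authentication, p.dh_group) == \
               (r.encryption, r.hash, r.authentication, r.dh_group):
                return IkeTransform(p.encryption, p.hash, p.authentication,
                                    p.dh_group, min(p.lifetime, r.lifetime))
    return None


def explain_mismatch(initiator: List[IkeTransform],
                     responder: List[IkeTransform]) -> List[Tuple[int, int, Optional[str]]]:
    """For every (initiator index, responder index) pair, report the first
    field that differs, or None when the pair matches fully. Handy when a
    tunnel will not come up and the only symptom is a phase-1 failure."""
    report = []
    for i, p in enumerate(initiator, 1):
        for j, r in enumerate(responder, 1):
            diff = next((f for f in FIELDS if getattr(p, f) != getattr(r, f)), None)
            report.append((i, j, diff))
    return report


if __name__ == "__main__":
    print("agreed policy:", negotiate_ike_policy(ROUTER_A, ROUTER_B))
    for i, j, diff in explain_mismatch(ROUTER_A, ROUTER_B):
        print(f"A#{i} vs B#{j}: {'match' if diff is None else 'differs in ' + diff}")
```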

[Figure: Router A connects to Router B; each side offers its IKE transforms in priority order.]
Router A transforms:
1. Encryption = AES 256, HMAC = SHA-1, Authentication = pre-shared keys, Diffie-Hellman group = 2, Lifetime = 86400
2. Encryption = AES 192, HMAC = SHA-1, Authentication = pre-shared keys, Diffie-Hellman group = 2, Lifetime = 86400
Router B transforms:
1. Encryption = AES 192, HMAC = MD5, Authentication = pre-shared keys, Diffie-Hellman group = 2, Lifetime = 86400
2. Encryption = AES 256, HMAC = SHA-1, Authentication = pre-shared keys, Diffie-Hellman group = 2, Lifetime = 86400

2.2. Operation of the AH and ESP protocols

2.2.1. Overview
ESP and AH are the two main protocols for encrypting and authenticating data.
- ESP uses IP protocol number 50 (ESP is carried by IP, and the protocol field of the IP header is 50).
- AH uses IP protocol number 51 (AH is carried by IP, and the protocol field of the IP header is 51).
The IPsec protocol suite operates in two main modes: Tunnel Mode and Transport Mode.

When IPsec operates in Tunnel Mode, after encapsulating the data ESP encrypts the whole payload, frame header and IP header, and then adds a new IP header to the packet before forwarding it. When IPsec operates in Transport Mode, the IP header is kept as it is and ESP is inserted between the payload and the IP header of the packet.

2.2.2. AH and ESP headers

New IP Header | AH Header | Original IP Header | Transport Protocol Header | Application Header and Data
Authenticated (integrity protection): the whole packet

Figure 2.1: AH Tunnel Mode Packet

New IP Header | ESP Header | Original IP Header | Transport Protocol Header | Application Header and Data | ESP Trailer | ESP Authentication (optional)
Encrypted: original IP header through ESP trailer. Authenticated (integrity protection): ESP header through ESP trailer.

Figure 2.2: ESP Tunnel Mode Packet

When ESP is used, the protocol performs encryption, authentication and integrity protection. After ESP encapsulation, all information about encryption and decryption is carried in the ESP header. Encryption algorithms used with the protocol include DES, 3DES and AES; hash algorithms include MD5 and SHA-1.
When AH is used, AH performs only authentication and integrity protection. AH has no data-encryption capability.


2.2.3. Authentication Header

AH is one of the IPsec security protocols; it provides integrity protection for packet headers and data and authenticates the data's origin. It can optionally provide replay protection and access protection. AH does not encrypt any part of the packet. In the first version of IPsec, ESP could only provide encryption, not authentication, so AH and ESP were combined to provide both confidentiality and integrity for the information.

a. AH modes
AH has two modes: Transport and Tunnel.
- In Tunnel mode, AH creates a new IP header for each packet.
- In Transport mode, AH does not create a new IP header.
In an IPsec architecture that uses gateways, the real source and destination IP addresses of the packets must be changed to the gateways' IP addresses. Because Transport mode neither changes the original IP header nor creates a new one, Transport mode is normally used in host-to-host architectures. AH provides integrity protection for the whole packet whichever mode is used.

Figure 2.3: AH Tunnel Mode Packet

Figure 2.4: AH Transport Mode Packet


b. How AH authenticates and protects data integrity
Step 1: AH runs the packet, consisting of Payload + IP Header + Key, through a one-way hash algorithm to produce a digest, and this digest is placed in the AH header.
Step 2: The AH header is inserted between the payload and the IP header, and the packet is sent to the other side.
Step 3: After receiving the packet (IP Header + AH Header + Payload), the destination router runs it through the hash algorithm again to produce a digest.
Step 4: It compares the digest it just computed with the one carried in the packet; if they match, it accepts the packet.

c. AH header

Figure 2.5: AH Header

- Next Header: an 8-bit field holding the IP protocol number. In Tunnel Mode the payload is an IP packet, so Next Header is set to 4. In Transport Mode the payload is always a transport-layer protocol: if it is TCP the value is 6, if it is UDP the value is 17.
- Payload Length: the length of the AH header.
- Reserved: reserved for future use (currently all zeros).
- Security Parameter Index (SPI): each endpoint of an IPsec connection chooses its own SPI value; it serves only to identify the connection. The receiver uses the SPI together with the destination IP address and the IPsec protocol (here AH) to determine which SA applies to the packet, that is, which IPsec protocol and algorithms are applied to it.
- Sequence Number: incremented by 1 for every AH datagram the sending host emits under the SA. The counter starts at 1 and is never allowed to wrap around to 0; when the sender detects that it is about to wrap, it must negotiate a new SA. The receiving host uses the sequence number to detect replayed datagrams. Checking on the receiving side is optional: the receiver may tell the sender that it does not check sequence numbers, but the sender must still increment and send them.
- Authentication Data: holds the Integrity Check Value (ICV). The field is always a multiple of 32 bits (a word) and must be padded if the ICV length in bytes does not fill it.

d. Operation of the AH protocol
The best way to understand how AH works is to look at and analyse real AH packets.

Figure 2.6: Sample AH Transport Mode Packet

The figure above shows the parts of a real AH packet. The sections of the AH packet are: Ethernet header, IP header, AH header and payload. From the AH mode fields we can see that this is a Transport Mode packet, because it contains only one IP header. In this case the payload carries an ICMP echo request (a ping). The original ping contains a sequence of letters that appear in the packet as increasing hex values (e.g. 61, 62, 63). After AH is applied the ICMP payload is unchanged, because AH only provides integrity protection, not encryption.

Figure 2.7: AH Header Fields from Sample Packet

These are the AH header fields from the first 4 packets of an AH session between host A and host B. The fields of the first header are just labels that identify the AH mode.
- SPI: host A uses the hex value cdb59934 as the SPI in all of its packets, while host B uses the hex value a6b32c00 in all of its. This reflects the fact that an AH connection really consists of two one-way connections.
- Sequence Number: both hosts start at 1, and both increase it to 2 for their second packet.
- Authentication information: the authentication (integrity) information is a keyed hash over nearly all the bytes in the packet.
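The four steps of section 2.2.3.b and the header layout of 2.2.3.c, carried out on a transport-mode ping packet like the captured one above, as an added example that is not code from the report. The integrity algorithm is HMAC-SHA1-96 (the algorithm named as mandatory in 2.2.3.e); the key, addresses, SPI and ICMP data are constructed sample values, and the IP checksum routine is this example's own.

```python
"""Build and verify an AH transport-mode packet in pure Python (added example)."""
import hashlib
import hmac
import struct

IPPROTO_AH = 51
IPPROTO_ICMP = 1
ICV_LEN = 12  # HMAC-SHA1-96 truncates the 20-byte SHA-1 HMAC to 96 bits


def ip_header(src: str, dst: str, proto: int, total_len: int, ttl: int = 64) -> bytes:
    """Minimal IPv4 header without options, with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, ttl, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    csum = sum((hdr[i] << 8) | hdr[i + 1] for i in range(0, 20, 2))
    csum = (csum & 0xFFFF) + (csum >> 16)
    csum = (csum & 0xFFFF) + (csum >> 16)
    return hdr[:10] + struct.pack("!H", ~csum & 0xFFFF) + hdr[12:]


def zero_mutable_ip_fields(ip: bytes) -> bytes:
    """AH covers the IP header except the fields routers change in transit
    (section 2.2.3.f): TOS, flags/fragment offset, TTL and header checksum
    are treated as zero when the ICV is computed."""
    b = bytearray(ip)
    b[1] = 0                  # TOS / DSCP
    b[6:8] = b"\x00\x00"      # flags + fragment offset
    b[8] = 0                  # TTL
    b[10:12] = b"\x00\x00"    # header checksum
    return bytes(b)


def ah_header(next_header: int, spi: int, seq: int, icv: bytes) -> bytes:
    """Next Header | Payload Len | Reserved | SPI | Sequence Number | ICV.
    Payload Len is the AH length in 32-bit words minus 2, so 4 for a 96-bit ICV."""
    payload_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv


def build_ah_packet(key: bytes, src: str, dst: str, spi: int, seq: int,
                    payload: bytes, ttl: int = 64) -> bytes:
    """Steps 1-2: keyed hash over IP header + AH header (ICV zeroed) + payload,
    then insert the AH header between the IP header and the payload."""
    ip = ip_header(src, dst, IPPROTO_AH, 20 + 12 + ICV_LEN + len(payload), ttl)
    ah_zero = ah_header(IPPROTO_ICMP, spi, seq, b"\x00" * ICV_LEN)
    icv = hmac.new(key, zero_mutable_ip_fields(ip) + ah_zero + payload,
                   hashlib.sha1).digest()[:ICV_LEN]
    return ip + ah_header(IPPROTO_ICMP, spi, seq, icv) + payload


def parse_ah(packet: bytes) -> dict:
    """Split a transport-mode packet into the fields of section 2.2.3.c."""
    ah = packet[20:]
    next_header, payload_len, _reserved, spi, seq = struct.unpack("!BBHII", ah[:12])
    ah_len = (payload_len + 2) * 4
    return {"next_header": next_header, "spi": spi, "seq": seq,
            "icv": ah[12:ah_len], "payload": packet[20 + ah_len:]}


def verify_ah_packet(key: bytes, packet: bytes) -> bool:
    """Steps 3-4: recompute the keyed hash and compare it in constant time."""
    f = parse_ah(packet)
    ah_zero = ah_header(f["next_header"], f["spi"], f["seq"], b"\x00" * ICV_LEN)
    expected = hmac.new(key, zero_mutable_ip_fields(packet[:20]) + ah_zero + f["payload"],
                        hashlib.sha1).digest()[:ICV_LEN]
    return hmac.compare_digest(expected, f["icv"])


# Constructed sample: an ICMP echo request whose data is "abcdefgh" (0x61 0x62 ...),
# like the ping in the captured packet. The ICMP checksum is left at zero on purpose.
KEY = b"constructed-demo-key-not-for-real-use"
ICMP_ECHO = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"abcdefgh"
PACKET = build_ah_packet(KEY, "10.0.0.1", "10.0.0.2", 0x1000, 1, ICMP_ECHO)


def ttl_decrement_still_verifies() -> bool:
    """A router that decrements TTL and refreshes the checksum must not break AH."""
    hop = ip_header("10.0.0.1", "10.0.0.2", IPPROTO_AH, len(PACKET), ttl=63)
    return verify_ah_packet(KEY, hop + PACKET[20:])


def tampered_payload_is_rejected() -> bool:
    """Flipping one bit of the ping data must make verification fail."""
    t = bytearray(PACKET)
    t[-1] ^= 0x01
    return not verify_ah_packet(KEY, bytes(t))


if __name__ == "__main__":
    print(parse_ah(PACKET))
    print("valid:", verify_ah_packet(KEY, PACKET),
          "after TTL hop:", ttl_decrement_still_verifies(),
          "tamper rejected:", tampered_payload_is_rejected())
```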


Tm hiu v trin khai IPSec trong Virtual Private Network e. AH version 3

22

Mt chun mi ca AH l Version 3, phin bn c pht trin da trn phin bn phc tho. Tnh nng khc nhau gia Version 2 v Version 3 l mi quan h th yu cc qun tr vin IPSec v ngi dng - mt vi s thay i n SPI, v tu chn ch s di hn. Chun phc tho version 3 cng ch n mt chun phc tho khc rng lit k thut ton m ho yu cu cho AH. Bn phc tho u nhim h tr cho HMACSHA1-96, gii thiu thut ton h tr mnh hn l AES-XCBC-MAC-96, v cng gii thiu thut ton: HMAC-MD5-96. f. AH Summary AH cung cp dch v m bo ton vn cho tt c cc header v data gi tin. Ngoi tr mt s trng IP Header m nh tuyn thay i trong chuyn tip. AH bao gm a ch ngun v a ch ch trong dch v m bo ton vn. AH thng khng tng thch vi NAT. Hin nay, hu ht IPSec b sung h tr phin bn th hai ca IPSec m ESP c th cung cp dch cc v m bo ton vn d liu qua s xc thc. AH cung cp mt li ch m ESP khng c, l: m bo ton vn cho outermost IP Header. 2.2.4. Encapsulation Security Payload ESP l giao thc bo mt chnh th hai. Trong phin bn u ca IPSec, ESP chi cung cp m ho cho packet payload data. Khi cn, giao thc AH cung cp dch v m bo ton vn. Trong phin bn th hai ca IPSec, ESP tr nn mm do hn. N c th thc hin xc thc cung cp dch v m bo ton vn, mc d khng h tr cho outermost IP header. S m ho ca ESP c th b v hiu ho qua thut ton m ho Null ESP algorithm. Do , ESP c th cung cp ch m ho; m ho v m bo ton vn d liu; hoc ch m bo ton vn d liu. a. ESP Mode ESP c hai mode: Transport Mode v Tunnel Mode. Trong Tunnel Mode: ESP to mt IP Header mi cho mi gi tin. IP Header mi lit kt cc u cui ca ESP Tunnel (nh hai IPSec gateway) ngun v

Khoa: Khoa Hc My Tnh Lp MM03C

Phan Anh Tun

Tm hiu v trin khai IPSec trong Virtual Private Network VPN.

23

ch ca gi tin. V Tunnel mode c th dng vi tt c 3 m hnh cu trc

Figure 2.8: ESP Tunnel Mode Packet

ESP Tunnel Mode is used more frequently than ESP Transport Mode. In Transport Mode, ESP uses the original IP header instead of creating a new one. In Transport Mode, ESP can only encrypt and/or protect the integrity of the packet contents and some ESP components, but not the IP header. The AH and ESP protocols in Transport mode are usually used in the host-to-host architecture. Transport mode is not compatible with NAT.

Figure 2.9: ESP Transport Mode Packet

b. ESP Packet Fields

Figure 2.10: ESP Packet Fields

ESP adds a header and a trailer around the contents of each packet. The ESP header consists of two fields: SPI and Sequence Number.

SPI (32 bits): each endpoint of each IPSec connection chooses its own SPI value. The receiver uses the SPI value together with the destination IP address and the IPSec protocol to identify the unique SA policy it applies to the packet.

Sequence Number: usually used to provide the anti-replay service. When the SA is established, this counter is initialised to 0. Before each packet is sent, the counter is increased by 1 and placed in the ESP header. To make sure that no two packets share the same number, the counter is not allowed to wrap around to 0: as soon as the number 2^32-1 has been used, a new SA and authentication key are established.

The next part of the packet is the Payload, made up of the Payload data (encrypted) and the IV (not encrypted). The IV value used during encryption is different for each packet.

The third part of the packet is the ESP Trailer, which contains at least two fields:
- Padding (0-255 bytes): added to bring each packet up to the required size.
- Pad length: the length of the Padding.
- Next header: the ESP Trailer holds a Next Header value. In Tunnel mode the Payload is an IP packet, and the Next Header value is set to 4 for IP-in-IP. In Transport mode the Payload is always a layer-4 protocol; if the layer-4 protocol is TCP the IP protocol field is 6, and if it is UDP the IP protocol field is 17.
- Authentication data: this field holds the Integrity Check Value (ICV) for the ESP packet. The ICV is computed over the entire ESP packet except for its authentication data field. The ICV starts on a 4-byte boundary and must be a multiple of 32 bits (one word).

c. Encryption process and operation of the ESP protocol

ESP uses symmetric ciphers to encrypt the data in IPSec packets. Therefore, for a connection between two endpoints to be protected by ESP encryption, both sides must use the same key to encrypt and decrypt packets. When an endpoint encrypts data, it divides the data into small blocks and then performs the encryption operation repeatedly using the data blocks and the key. Encryption algorithms that work this way are known as block cipher algorithms. When the other endpoint receives the encrypted data, it decrypts it using the same key and a similar process, but with the steps reversed relative to the encryption operation. Examples of encryption algorithms used by ESP are AES-Cipher Block Chaining (AES-CBC), AES Counter Mode (AES-CTR) and Triple DES (3DES).

Compared with an AH packet, an ESP packet has a similar shape. Character strings can be identified in an AH-protected payload but not in an ESP-protected payload, because in ESP the payload is encrypted. An ESP packet contains 5 sections: Ethernet Header, IP Header, ESP Header, Encrypted Data (Payload and ESP Trailer), and (optionally) authentication information. Because the data is encrypted, it cannot be determined whether the packet was sent in Transport Mode or Tunnel Mode. However, since the IP header is not encrypted, the IP protocol field in the header still reveals the protocol used for the payload (in this case ESP).
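The ESP layout described in sections b and c, as an added example that is not part of the report: it builds an ESP packet with the NULL encryption algorithm (so the trailer stays readable) and HMAC-MD5-96 integrity, parses the header and trailer back, checks the ICV, and runs the receiver's anti-replay window over the sequence numbers. The key, payloads and the 64-packet window size are constructed assumptions; the SPI is the value quoted from the sample capture.

```python
"""ESP with NULL encryption + HMAC-MD5-96: build, parse, verify, anti-replay.
Constructed illustration for this page, not an IPsec implementation."""
import hashlib
import hmac
import struct

ICV_LEN = 12            # HMAC-MD5-96: the 128-bit MAC truncated to 96 bits
NEXT_HEADER_IPIP = 4    # tunnel mode: payload is a complete IP datagram
NEXT_HEADER_TCP = 6     # transport mode payloads carry the layer-4 protocol
NEXT_HEADER_UDP = 17
SEQ_MAX = 2**32 - 1     # once used, a new SA must be negotiated (no wrap to 0)


def build_esp(spi, seq, payload, next_header, auth_key):
    """Return SPI | Seq | payload | padding | pad-len | next-hdr | ICV.
    With NULL encryption there is no IV and the trailer is in the clear; the
    payload plus trailer only has to end on a 4-byte boundary."""
    if seq > SEQ_MAX:
        raise ValueError("sequence number exhausted; rekey the SA")
    pad_len = (-(len(payload) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))      # default pad bytes 1, 2, 3, ...
    body = (struct.pack("!II", spi, seq) + payload + padding
            + bytes([pad_len, next_header]))
    icv = hmac.new(auth_key, body, hashlib.md5).digest()[:ICV_LEN]
    return body + icv


def parse_esp(packet, auth_key):
    """Verify the ICV over everything except the ICV itself, then split the
    packet into the fields discussed in the text.  Raises on a bad packet."""
    if len(packet) < 8 + 2 + ICV_LEN:
        raise ValueError("packet too short for ESP")
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.md5).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):  # constant-time comparison
        raise ValueError("ICV mismatch: packet modified or wrong key")
    spi, seq = struct.unpack("!II", body[:8])
    pad_len, next_header = body[-2], body[-1]
    payload_end = len(body) - 2 - pad_len
    if payload_end < 8:
        raise ValueError("pad length larger than payload")
    return {"spi": spi, "seq": seq, "next_header": next_header,
            "pad_len": pad_len, "payload": body[8:payload_end]}


class ReplayWindow:
    """Receiver-side sliding window (constructed width of 64 packets).
    Sequence numbers older than the window or already seen are rejected."""
    def __init__(self, size=64):
        self.size, self.top, self.bitmap = size, 0, 0

    def accept(self, seq):
        if seq == 0:
            return False                        # 0 is never sent on an SA
        if seq > self.top:                      # new high-water mark
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) if shift < self.size else 1
            self.bitmap &= (1 << self.size) - 1
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                        # too old, fell off the window
        if self.bitmap & (1 << offset):
            return False                        # duplicate: replayed packet
        self.bitmap |= 1 << offset
        return True


def demo():
    """Constructed session: two packets, a replay of the first, and a tampered
    copy of the second.  Returns what the receiver decided for each."""
    key = b"constructed-demo-key"
    spi = 0xCDB59934                            # SPI quoted in the capture above
    window, results = ReplayWindow(), []
    pkt1 = build_esp(spi, 1, b"GET / HTTP/1.0\r\n", NEXT_HEADER_TCP, key)
    pkt2 = build_esp(spi, 2, b"\x45" + b"\x00" * 19 + b"inner-datagram",
                     NEXT_HEADER_IPIP, key)
    for pkt in (pkt1, pkt2, pkt1):              # third packet is a replay
        f = parse_esp(pkt, key)
        results.append((f["seq"], f["next_header"], window.accept(f["seq"])))
    tampered = pkt2[:20] + bytes([pkt2[20] ^ 0xFF]) + pkt2[21:]
    try:
        parse_esp(tampered, key)
        results.append("tamper-undetected")
    except ValueError:
        results.append("tamper-detected")
    return results
```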

Figure 2.11: ESP Packet Capture

Figure 2.12: ESP Header Fields from Sample Packets

The figure above shows the ESP header fields from the first 4 packets of the ESP session between host A and host B. The SPI and Sequence Number fields in ESP work in one direction, just as they do in AH. Each host uses a different SPI value for its packets, consistent with an ESP connection consisting of two one-way connections. Both hosts start by setting the sequence number to 1 and increase it to 2 for the second packet.

d. ESP Version 3

A new standard for ESP is version 3, a recently added version based on the draft standard. The main functional differences between version 2 and version 3 include the following:
- The ESP version 2 standard required ESP implementations to support ESP used for encryption only (without data integrity protection). The ESP version 3 standard was therefore put forward to support this choice.
- ESP can use longer sequence numbers, as in the AH version 3 standard.
- ESP version 3 supports the use of combined-mode algorithms (AES Counter with CBC-MAC [AES-CCM]). In this way encryption and data integrity protection are achieved faster than by using separate algorithms.

e. ESP Summary

In Tunnel Mode, ESP provides encryption and integrity protection for the encapsulated IP packet, as well as authentication of the ESP header; ESP can be compatible with NAT. In Transport Mode, ESP provides encryption and integrity protection for the payload of the IP packet, as well as integrity protection of the ESP header. Transport Mode is not compatible with NAT. ESP Tunnel Mode is the most widely used in IPSec because it encrypts the original IP header and can thus hide the real source and destination addresses of the packet. ESP can also add padding to the packet. ESP is commonly used to provide encryption or integrity protection (or both).

2.2.5. The main modes of the IPSec protocol

a. Transport Mode

Transport mode protects upper-layer protocols and applications. In transport mode the IPSec header is inserted between the IP header and the upper-layer protocol header. Thus only the IP payload is encrypted, and the original IP header is kept intact. Transport mode can be used when both hosts support IPSec.

Figure 2.13: IPSec Transport Mode

Transport mode is used to secure the connection between two hosts: ESP in Transport mode is used to protect information between two fixed hosts, protecting the upper-layer protocols of the IP datagram.

Figure 2.14: Transport Mode Tunnel

In Transport Mode the AH header is inserted into the IP datagram after the IP header and its options.

Figure 2.15: Transport Mode Packet

This transport mode has the advantage of adding only a few bytes to each packet, and it also allows devices on the network to see the final destination address of the packet.

b. Tunnel Mode

Figure 2.16: Tunnel Mode - AH Tunnel

Figure 2.17: ESP Tunnel-Mode VPN

Unlike transport mode, Tunnel mode protects the entire data packet. The whole IP datagram is encapsulated in another IP datagram, and an IPSec header is inserted between the original IP header and the new IP header.

Figure 2.18: IPSec Tunnel Mode

The entire original IP packet is encapsulated by AH or ESP, and a new IP header is wrapped around the datagram. The whole original IP packet is encrypted and becomes the data of the new IP packet. This mode allows network devices such as routers to act as IPSec proxies that perform the encryption on behalf of the hosts. The source router encrypts the packets and forwards them along the tunnel; the destination router decrypts the original IP packet and forwards it to the end system. With a tunnel operating between two security gateways, the source and destination addresses can be encrypted. For example, the packet flow sent from host A2 to host B3:

Figure 2.19: Packet Flow from Host A2 to Host B3

Suppose host A2 sends a TCP segment to host B3. An IP datagram leaves host A2 bound for host B3. When the IP datagram leaves host A2 it has source address 10.0.1.2 and destination address 10.0.2.3. The protocol field in the IP header is 6 (indicating that the next-layer protocol is TCP). Host A2 has a default route to GWA, or a route to network 10.0.2.0/24 with GWA as the next hop, so the datagram is routed to GWA. When the datagram arrives at GWA, the gateway checks its SPD and finds a policy specifying that any datagram from network 10.0.1.0/24 to network 10.0.2.0/24 should be encapsulated with tunnel-mode ESP and sent to GWB at 2.2.2.2. After GWA encapsulates the IP datagram, the outer IP header has source address 1.1.1.1 (GWA) and destination address 2.2.2.2 (GWB). The protocol field of the outer IP header is 50 (indicating that ESP is used). The protocol (Next Header) field of the ESP packet is 4 (indicating that the ESP packet is encapsulating an IP datagram). The inner IP header is unchanged. When the encapsulated IP datagram arrives at GWB, the gateway sees that it contains an ESP packet, retrieves the authentication and encryption keys from the appropriate SA, performs the authentication check and decrypts the ESP payload. The outer IP header, the ESP header and trailer, and the ICV are stripped off, and the inner IP datagram is forwarded to its destination (10.0.2.3).

Comparison of the AH and ESP protocols:

Security Layer 3                      AH    ESP
IP Protocol Number                    51    50
Provides for data integrity           Y     Y
Provides for data authentication      Y     Y
Provides for data encryption          N     Y
Protects against data replay attacks  Y     Y
Works with NAT                        N     Y
Works with PAT                        N     N
Protects the IP Packet                Y     N
Protects only the data                N     Y

3. PUBLIC KEY INFRASTRUCTURE

3.1. Overview of PKI

Public Key Infrastructure (PKI) is a mechanism by which a third party (usually a certification authority) provides and authenticates the identities of the parties taking part in an exchange of information. The mechanism also allows each user in the system to be assigned a public/private key pair. These processes are usually carried out by software installed at a central location together with other software at the users' locations. Public keys are usually distributed in public key certificates, that is, through the Public Key Infrastructure. The term public key infrastructure (PKI) is often used to refer to the whole system, including the certification authority (CA) and the related mechanisms, and at the same time to the whole use of public-key cryptographic algorithms in information exchange. However, the latter sense is not entirely accurate, because the mechanisms in a PKI do not necessarily use public-key cryptographic algorithms.

3.2. Components of PKI

3.2.1. Components of PKI

PKIs rely on a cryptographic facility to ensure that public keys are managed securely. These facilities do not necessarily all operate at once; they implement a broad set of functions related to key management and distribution, including the following:
- Authenticating and registering cryptographic endpoints
- Checking the integrity of public keys
- Authenticating requests during the custody of public keys
- Securely issuing public keys
- Revoking public keys when they are no longer valid
- Maintaining revocation information for public keys (CRL) and distributing that information (through issued CRLs or by responding to Online Certificate Status Protocol [OCSP] messages)
- Ensuring the security and the size of keys.

Public Key Certificates: The goal of asymmetric key exchange is to deliver the public key securely from the sender (who encrypts) to the receiver (who decrypts). PKI supports and facilitates secure key exchange while guaranteeing authentication of the parties exchanging keys with each other. Public key certificates are issued by a Certificate Authority (CA). For the CA to issue a public key certificate to a cryptographic endpoint, the endpoint must first register with the CA. The registration process consists of the registration, activation and certification of a cryptographic endpoint with the PKI (CAs and RAs). The registration process is as follows:
- The cryptographic endpoint registers with the CA or RA. During registration, the endpoint presents its identification to the CA.
- The CA authenticates the endpoint and issues a public key to the endpoint.
- The endpoints begin the initialisation phase by generating a public/private key pair, and the public key of the pair is sent to the CA.
- The CA signs the public key certificate with its private key, producing a public key certificate for the cryptographic endpoint.
- At this point cryptographic endpoints can request public key certificates from other cryptographic endpoints. They can use the CA's public key to decrypt the public key certificate and obtain the appropriate key.

Registration Authorities: In many cases the CA provides all the PKI services needed to manage the public keys within the network. However, there are many cases in which the CA can delegate work to an RA. Some functions the CA can delegate to an RA are:
- Checking that the cryptographic endpoint registering a public key with the CA possesses the private key that goes with that public key.
- Issuing the public/private key pairs used in the initialisation phase of the registration process.
- Validating the parameters of the public key.
- Indirectly issuing Certificate Revocation Lists (CRL).

Certificate Authorities: The CA is used to issue certificates, authenticate PKI clients and, when necessary, revoke certificates. The CA represents the main source of trust in the PKI, since the CA is the only element in the PKI that can issue public key certificates to cryptographic endpoints. The CA is also responsible for maintaining the CRL and acts as the CRL Issuer. A PKI does not have to have just one CA; it can set up several CAs. CAs help ensure that the identities of the entities communicating with each other are correct. CAs not only certify PKI clients but also other CAs, by issuing digital certificates to them. These certified CAs can in turn certify other CAs, until every entity can be trusted by the other entities involved in a transaction.

3.2.2. Purpose and functions of PKI

PKI allows participants to authenticate each other and to use the information from public key certificates to encrypt and decrypt information during an exchange. PKI allows electronic transactions to take place while ensuring confidentiality, integrity and mutual authentication without any prior exchange of secret information.

The main goal of PKI is to provide public keys and to establish the link between a key and the identity of its user. Users can then rely on it in a number of applications, such as:
- Encrypting email or authenticating the sender of an email
- Encrypting or certifying documents
- Authenticating application users
- Secure communication protocols: key exchange with asymmetric keys, encryption with symmetric keys.

PKI includes the following components:
- Generating a private and public key pair for the PKI client
- Creating and validating digital signatures
- Issuing certificates to users
- Tracking the keys issued and maintaining the usage of each key
- Revoking incorrect and expired registrations
- Authenticating PKI clients

PKI is used for the following purposes:
- Encryption: keeping information secret so that only the holder of the secret key can decrypt it.
- Creating digital signatures: allowing verification of whether a document was created with a particular secret key.
- Key agreement: allowing the establishment of a key used for secure information exchange between two parties.

3.3. Infrastructure of PKI

3.3.1. Encryption steps

Step 1: Apply a hash algorithm to the message to be transmitted; the result is a message digest. Using the MD5 (message digest 5) algorithm gives a 128-bit digest; using SHA (Secure Hash Algorithm) gives a 160-bit digest.

Step 2: Use the sender's private key to encrypt the message digest obtained in step 1. This step usually uses the RSA algorithm (or DSA, RC2, 3DES, ...). The result is called the digital signature of the original message.

Step 3: Use the recipient's public key to encrypt the information to be sent.

Step 4: Attach the digital signature to the encrypted message and send it. Because the digital signature is attached to the encrypted message, any change to the message will be detected in the verification stage. In addition, the signature assures the recipient that the message originated from the sender and not from someone else.

3.3.2. Verification steps

Step 1: The recipient uses their private key to decrypt the received information, which consists of 2 parts: the message and the sender's signature.

Step 2: Use the sender's public key (which is made known to everyone) to decrypt the digital signature of the message, giving a message digest.

Step 3: Apply MD5 (or SHA) to hash the attached message, giving a message digest.

Step 4: Compare the results obtained in steps 2 and 3; if they match, we conclude that the message was not altered in transit and that it came from the sender.
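The four signing steps of 3.3.1 and the four checking steps of 3.3.2, carried out as an added example (not from the report) with SHA-1 and textbook RSA on Python's standard library. The key sizes, the message and the Miller-Rabin prime generation are assumptions made for the example; raw RSA without padding is used only because it mirrors the steps exactly as written.

```python
"""Signing (3.3.1) and checking (3.3.2) steps with SHA-1 and textbook RSA.
Constructed illustration for this page; raw RSA without padding mirrors the
steps as written and is not how production signatures are built."""
import hashlib
import secrets


def is_probable_prime(n, rounds=20):
    """Miller-Rabin primality test (assumption: adequate for demo keys)."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    """Random odd number with the top bit set, retried until probably prime."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def generate_keypair(bits=512):
    """Return ((e, n), (d, n)).  n must exceed the 160-bit SHA-1 digest and
    any message that step 3 encrypts directly."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (e, p * q), (pow(e, -1, phi), p * q)


def sign_and_encrypt(message, sender_priv, recipient_pub):
    """3.3.1: hash (step 1), sign the digest with the sender's private key
    (step 2), encrypt the message for the recipient (step 3), bundle (step 4)."""
    d, n_s = sender_priv
    e, n_r = recipient_pub
    m = int.from_bytes(message, "big")
    if m >= n_r:
        raise ValueError("textbook RSA: message must be smaller than the modulus")
    digest = int.from_bytes(hashlib.sha1(message).digest(), "big")   # 160 bits
    return {"ciphertext": pow(m, e, n_r), "signature": pow(digest, d, n_s)}


def decrypt_and_verify(bundle, recipient_priv, sender_pub):
    """3.3.2: decrypt with the recipient's private key (step 1), recover the
    digest from the signature with the sender's public key (step 2), hash the
    recovered message (step 3), compare (step 4).  Returns (message, ok)."""
    d, n_r = recipient_priv
    e, n_s = sender_pub
    m = pow(bundle["ciphertext"], d, n_r)
    message = m.to_bytes(max(1, (m.bit_length() + 7) // 8), "big")
    claimed = pow(bundle["signature"], e, n_s)
    actual = int.from_bytes(hashlib.sha1(message).digest(), "big")
    return message, claimed == actual


def demo():
    """Constructed run: a genuine bundle verifies; a bundle whose signature
    was made with someone else's private key does not."""
    sender_pub, sender_priv = generate_keypair()
    recipient_pub, recipient_priv = generate_keypair()
    _, forger_priv = generate_keypair()
    msg = b"IPSec tunnel up"
    bundle = sign_and_encrypt(msg, sender_priv, recipient_pub)
    recovered, ok = decrypt_and_verify(bundle, recipient_priv, sender_pub)
    forged = dict(bundle, signature=sign_and_encrypt(msg, forger_priv,
                                                     recipient_pub)["signature"])
    _, forged_ok = decrypt_and_verify(forged, recipient_priv, sender_pub)
    return recovered == msg and ok and not forged_ok
```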

4. DYNAMIC MULTIPOINT VIRTUAL PRIVATE NETWORK

4.1. Overview of DMVPN

4.1.1. What is DMVPN?

Dynamic Multipoint Virtual Private Network (DMVPN) is the combination of the technologies IPSec, mGRE and NHRP. Together these technologies make it easy to deploy IPSec in a virtual private network.

4.1.2. Advantages of DMVPN

When we have a network with many sites and create an encrypted tunnel between every pair of sites, we end up with [n(n-1)]/2 tunnels. Example: as in the figure below, with 3 sites we have 3 tunnels.

4.1.3. Technologies used in DMVPN

IPSec (Internet Protocol Security): a protocol that protects packets against modification at the IP layer. Based on public keys, in Tunnel mode the contents and header of the packet are encrypted, so both ends are protected.

mGRE (Generic Routing Encapsulation): a tunnel transport protocol that encapsulates various kinds of packets into a single type carried inside IP tunnels, then creates point-to-point virtual connections with remote routers across the IP network.

NHRP (Next Hop Resolution Protocol): a protocol used by routers to discover the MAC addresses of other routers and hosts.

4.1.4. Operation of DMVPN

DMVPN is a software solution in the Cisco operating system. DMVPN relies on two Cisco technologies:
- Next Hop Resolution Protocol (NHRP)
  o The hub maintains a database of the real (public) addresses of all spokes.
  o Each spoke registers its real address when it boots.
  o Spokes then query the NHRP database for the real addresses of the destination spokes in order to build direct tunnels.
- Multipoint GRE Tunnel Interface
  o Allows a single GRE interface to support multiple IPSec tunnels.
  o Reduces the size and complexity of the configuration.

DMVPN does not change the standards of IPSec VPN tunnels, but it changes their configuration. Spokes have a permanent IPSec tunnel to the hub, but none to the other spokes. Spokes are regarded as clients of the NHRP server. When a spoke needs to send a packet to a (private) destination subnet behind another spoke, it asks NHRP for the real address of the destination spoke. At that point the source spoke can initiate a dynamic IPSec tunnel to the destination spoke. The spoke-to-spoke tunnel is built over the mGRE tunnel.

4.1.5. Routing with DMVPN

- Dynamic routing is required over the hub-to-spoke tunnel.
- Spokes learn all the private networks on the other spokes and on the hub through routing updates sent by the hub.
- The IP next-hop for a spoke network is the tunnel interface of that spoke.
- Routing protocols used:
  o Enhanced Interior Gateway Routing Protocol (EIGRP)
  o Open Sh.ortest Path First (OSPF)
  o Border Gateway Protocol (BGP)
  o Routing Information Protocol (RIP)

4.1.6. DMVPN Phases

Phase 1: Hub-and-spoke features
  o Features:
    - All traffic must pass through the hub
    - Easy deployment
    - Small hub configuration files
  o Advantages of DMVPN Phase 1:
    - Simple and compact hub and spoke configuration
    - Supports multicast traffic from the hub to the spokes
    - Supports dynamic addressing of the spokes

Phase 2: Spoke-to-spoke features
  o In Phase 2, NHRP brings up the NHC-to-NHS tunnel, and a dynamic routing protocol is usually used to distribute routing information about all the networks available behind the hub and all the spokes. This information includes the IP next hop of the destination spoke and the private network behind it.
  o When a packet is forwarded, the outbound interface and the IP next hop are looked up in the routing table. If the outbound interface is the NHRP interface, an NHRP mapping for the IP next hop is looked up. If there is no matching NHRP mapping entry, NHRP is triggered to send an NHRP resolution request to obtain the mapping information (IP next hop address to physical-layer address). The NHRP reply packet contains this mapping information, and once it is received the spoke has enough information to encapsulate the data correctly and send it directly to the remote spoke across the network infrastructure.

Phase 3: Scaling spoke-to-spoke for large networks
  o NHRP brings up the NHC-to-NHS tunnel, and a dynamic routing protocol is used to advertise the routing information of all the networks behind all the spokes to the hub. The hub then advertises this routing information back to the spokes, but in this case the hub can summarise it. It sets the IP next hop of all destination networks to the NHS (hub). This reduces the amount of routing protocol information that must be distributed from the hub to the spokes, and reduces the routing protocol update load on the hub.

  o When a data packet is forwarded, the outbound interface and the IP next hop are taken from the routing table entry. If the outbound interface is the NHRP interface, an NHRP mapping for the IP next hop is looked up. In this case the IP next hop is the hub, which has an NHRP mapping (a tunnel is set up with the hub), so the spokes simply send the data packet to the hub.
  o The hub receives the data packet and checks its routing table. Since the packet is destined for a network behind another spoke, it forwards it out of the NHRP interface towards the next hop in the direction of that spoke. At this point the hub notices that the packet came in over and is going out over the same NHRP interface. That means the data packet takes at least 2 hops across the NHRP network, so this path through the hub is not optimal, and the hub sends an NHRP redirect message back to the originating spoke. This redirect message tells the spoke which destination IP packet triggered the NHRP redirect.
  o When the spoke receives the NHRP redirect, it creates and sends an NHRP resolution request for the destination IP address of the data packet identified in the redirect message. The NHRP resolution request is forwarded to the remote spoke that serves the network of the destination IP.
  o The remote spoke sends an NHRP resolution reply with its NBMA address and the entire subnet (from its routing table) that matches the destination IP address of the data in the NHRP resolution request packet. The remote spoke then sends the NHRP resolution reply directly back to the local spoke. At this point there is enough information for the data traffic to be sent directly over the spoke-to-spoke path that has just been created.
  o The IP routing table and the routes learned from the direction of the hub are important when building spoke-to-spoke tunnels. Therefore the availability of the NHS (the hubs) is critical to the functioning of the NHRP network. When there is only one hub and it goes down, the spokes delete the routes they learned from the hub's routing table, because they have lost the hub as a routing neighbour. However, the spokes do not delete any spoke-to-spoke tunnels (NHRP mappings) that are still active. Although the spoke-to-spoke tunnel remains, it is not used, because there is no longer any route to the destination network in the routing table.
  o In addition, removing routes from the routing table does not trigger anything in NHRP; as a result the NHRP entries will time out when the hub goes down.
  o In Phase 2, if routes exist in the routing table (possibly static routes) with the correct IP next hop, the spoke can still use the spoke-to-spoke tunnel even when the hub is down. NHRP will not be able to refresh the NHRP mappings, because NHRP resolution requests and replies still need to go through the hub.
  o In Phase 3, only a route out of the tunnel interface is needed; the exact IP next hop is not needed (NHRP ignores the IP next hop in Phase 3). NHRP is able to refresh the NHRP mappings, because NHRP resolution requests and replies go directly over the spoke-to-spoke tunnel.
  o If we have 2 (or more) NHS hubs in one NBMA network (one mGRE, frame-relay or ATM interface), then when the first hub goes down, the spoke router removes the routes it learned from that hub from its routing table, but it learns the same routes (with a higher metric) from the second hub. The routes are re-established immediately. Spoke-to-spoke traffic therefore continues to flow over the spoke-to-spoke tunnel and is not affected by the first hub.

4.2. Next Hop Resolution Protocol

4.2.1. NHRP and NBMA interaction

NHRP is a protocol similar to ARP (the Address Resolution Protocol) that alleviates the problems of NBMA networks. With NHRP, systems dynamically learn the NBMA addresses of other systems attached to the NBMA network, allowing these systems to communicate directly with each other without traffic having to use an intermediate hop. NHRP has two functions that support NBMA networks:
- NHRP is like an address-resolution protocol that allows Next Hop Clients (NHCs) to register dynamically with Next Hop Servers (NHSs). This allows NHCs to join the NBMA network without requiring configuration changes on the NHSs, especially when the NHCs have a dynamic physical IP address or are behind a router performing Network Address Translation (NAT) that changes the physical IP address. In these cases it would be impossible to pre-configure the logical Virtual Private Network (VPN IP) to physical (NBMA IP) mapping for the NHC on the NHS. This function is called NHRP registration.
- NHRP is a resolution protocol that allows an NHC client (spoke) to resolve the logical VPN IP to NBMA IP mapping of another NHC client (spoke) in the same NBMA network. Without this resolution, IP packets travelling from the hosts behind one spoke to the hosts behind another spoke would have to go through the NHS (hub). This would increase the hub's bandwidth and CPU usage for processing these packets; this is often called hair-pinning. With NHRP, systems dynamically learn the NBMA addresses of other systems attached to the NBMA network, allowing these systems to communicate directly without traffic having to use an intermediate hop. This reduces the load on the intermediate hop (NHS) and can raise the total bandwidth of the NBMA network beyond the bandwidth of the hub.

4.2.2. Benefits of NHRP and NBMA

Routers, access servers and hosts can use NHRP to find the addresses of other routers and hosts connected to the NBMA network. Alternatively, an NBMA network can be configured as multiple logical networks to provide full connectivity at the network layer. In such configurations, packets may make several hops across the NBMA network before arriving at the egress router (the router closest to the destination network). An NBMA network is called non-broadcast either because it does not support broadcasting (for example an IP mGRE tunnel network) or because broadcasting is too expensive (for example an SMDS broadcast group that is too large). NHRP provides an ARP-like service that reduces the problems of NBMA networks. With NHRP, systems dynamically learn the addresses of other systems attached to the NBMA network, allowing these systems to communicate directly without traffic having to use an intermediate hop.

4.2.3. Next Hop Server Resolution

An NHRP resolution request travels through one or more hops (hubs) in the hub-to-spoke NBMA subnetwork before a reply is returned to the requesting station. Each station (including the source station) chooses a neighbouring NHS to which to forward the request. The NHS is typically chosen by routing based on the network-layer destination address of the NHRP request. The NHRP resolution request eventually arrives at the station that issues the NHRP resolution reply. This responding station generates the reply using the destination address in the NHRP packet to determine where to send the reply. The figure below illustrates 4 routers connected to an NBMA network.

In the network, the routers' IP addresses are required for the routers to communicate with each other by tunneling IP packets inside GRE IP tunnel packets. The routers support IP tunnel connectivity (see hop 1, hop 2 and hop 3 in the figure). When router A tries to forward an IP packet from the source host to the destination host, NHRP is triggered. On behalf of the source host, router A sends an NHRP resolution request packet encapsulated in a GRE IP packet, which as shown in the figure takes 3 hops across the network to router D, which is connected to the destination host. After router A receives the NHRP resolution reply, router A determines that router D is the NBMA IP next hop, and router A sends subsequent data IP packets for the destination to router D in one GRE IP hop. With NHRP, once the NBMA next hop is determined, the source host either starts sending data packets to the destination (over a connectionless NBMA network such as GRE IP or SMDS) or establishes a virtual circuit (VC) to the destination. This connection is configured with the bandwidth and quality of service appropriate for a connection-oriented NBMA network such as frame relay or ATM, or for DMVPN, where an IPSec encryption peering must be established.

4.2.4. NHRP used with DMVPN

NHRP is often convenient for building VPNs. A VPN consists of a virtual layer-3 network built on top of a real layer-3 network. The topology used over the VPN is independent of the underlying network, and the protocols run over it are completely independent of it. The VPN network (DMVPN) is based on GRE logical tunnels that can be protected by adding IPSec to encrypt the GRE IP tunnels. Stations attached to the NBMA network that implement NHRP are considered NHSs or NHCs. All routers running Cisco IOS release 10.3 or later can implement NHRP, so those routers can act as NHSs or NHCs. The DMVPN foundation (GRE IP + IPSec) that NHRP uses requires release 12.3(9), 12.3(8) or later.

4.2.5. NHRP registration

NHRP registration requests are sent from NHCs to NHSs every 1/3 of the holdtime (ip nhrp holdtime value), or, if a registration timeout is configured, at the interval given by ip nhrp registration timeout value. If no NHRP registration reply is received for an NHRP registration request, the request is retransmitted at 1, 2, 4, 8, 16, 32 and 64 seconds; after that the sequence starts over again. The NHS is declared down if no NHRP registration reply is received after 3 retransmissions (7 seconds), and NHRP resolution packets are no longer sent to it. Registrations continue to be sent at intervals of 0, 1, 2, 4, 8, 16, 32 and 64 seconds to probe the NHS until an NHRP registration reply is received. The sooner the NHRP registration reply is received, the sooner the NHS is declared up again. Registrations then go back to being sent every 1/3 of the holdtime, or at the value configured in the ip nhrp registration timeout command, and the NHRP registration request is sent again.
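A simulation of the registration timers just described, added here as an example that is not part of the report: it replays the holdtime/3 cadence, the 1-2-4-8-16-32-64 second retransmission schedule and the down/up declarations across a constructed NHS outage. The holdtime of 300 s is the value from the spoke configuration in Chapter II; the outage window and horizon are assumptions.

```python
"""NHRP registration timer simulation for one spoke (NHC).
Constructed illustration for this page, not Cisco IOS behaviour code."""

BACKOFF = [1, 2, 4, 8, 16, 32, 64]   # retransmission delays from the text, cycled
DOWN_AFTER_RETRIES = 3               # original + 3 unanswered retransmissions = 7 s


def simulate(holdtime, outage_start, outage_end, horizon):
    """Run the spoke's registration timer from t=0 to t=horizon seconds.
    The NHS answers every request except those sent inside
    [outage_start, outage_end).  Returns (time, event) tuples with the events
    'request', 'reply', 'nhs-down' and 'nhs-up'."""
    interval = holdtime // 3            # normal cadence while the NHS answers
    events, t, unanswered, nhs_up = [], 0, 0, True
    while t <= horizon:
        events.append((t, "request"))
        if not (outage_start <= t < outage_end):
            events.append((t, "reply"))
            if not nhs_up:
                events.append((t, "nhs-up"))    # first reply after the outage
            nhs_up, unanswered = True, 0
            t += interval
        else:
            unanswered += 1
            if nhs_up and unanswered > DOWN_AFTER_RETRIES:
                events.append((t, "nhs-down"))  # resolution packets stop here
                nhs_up = False
            t += BACKOFF[(unanswered - 1) % len(BACKOFF)]  # 1,2,4,...,64,1,...
    return events


def request_times(events):
    return [t for t, e in events if e == "request"]


def detection_delay(events, outage_start):
    """Seconds from the first unanswered registration to the down declaration."""
    first_miss = next(t for t, e in events if e == "request" and t >= outage_start)
    down = next(t for t, e in events if e == "nhs-down")
    return down - first_miss


def resolution_allowed(events, now):
    """A spoke only sends NHRP resolution requests to an NHS it considers up."""
    state = True
    for t, e in events:
        if t > now:
            break
        if e == "nhs-down":
            state = False
        elif e == "nhs-up":
            state = True
    return state
```

With holdtime 300 and an outage from t=100 to t=130, the spoke registers at 0 and 100, retransmits at 101, 103 and 107 (declaring the NHS down at 107), probes at 115 and 131, and resumes the 100-second cadence once the reply at 131 arrives.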

CHAPTER II: PRACTICE

1. GENERAL MODEL

[Figure: general topology. The Hub (static address, LAN 192.168.0.0/24) and the spokes Spoke1 (LAN 192.168.1.0/24), Spoke2 (LAN 192.168.2.0/24) and Spoke<n> (LAN X.X.X.X/n), which have dynamic addresses, connect over the Internet into the DMVPN cloud 10.0.0.0/24.]

2. CONFIGURATION

Hub

!
hostname Hub
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco47 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set trans2 esp-des esp-md5-hmac
 mode transport
!
crypto ipsec profile vpnprof
 set transform-set trans2
!
interface Loopback0
 ip address 192.168.0.1 255.255.255.0
!
interface Tunnel0
 bandwidth 1000
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication test
 ip nhrp map multicast dynamic
 ip nhrp network-id 100000
 ip nhrp holdtime 600
 ip ospf network broadcast
 ip ospf priority 2
 delay 1000
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile vpnprof
!
interface FastEthernet0/0
 ip address 172.17.0.1 255.255.255.0
 duplex auto
 speed auto
!
router ospf 1
 log-adjacency-changes
 network 10.0.0.0 0.0.0.255 area 0
 network 192.168.0.0 0.0.0.255 area 0
!

Spoke1

!
hostname Spoke1
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco47 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set trans2 esp-des esp-md5-hmac
 mode transport
!
crypto ipsec profile vpnprof
 set transform-set trans2
!
interface Loopback0
 ip address 192.168.1.1 255.255.255.0
!
interface Tunnel0
 bandwidth 1000
 ip address 10.0.0.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication test
 ip nhrp map multicast 172.17.0.1
 ip nhrp map 10.0.0.1 172.17.0.1
 ip nhrp network-id 100000
 ip nhrp holdtime 300
 ip nhrp nhs 10.0.0.1
 ip ospf network broadcast
 ip ospf priority 0
 delay 1000
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile vpnprof
!
interface FastEthernet0/0
 ip address 172.17.0.2 255.255.255.0
 duplex auto
 speed auto
!
router ospf 1
 log-adjacency-changes
 network 10.0.0.0 0.0.0.255 area 0
 network 192.168.1.0 0.0.0.255 area 0
!

Spoke2

!
hostname Spoke2
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco47 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set trans2 esp-des esp-md5-hmac
 mode transport
!
crypto ipsec profile vpnprof
 set transform-set trans2
!
interface Loopback0
 ip address 192.168.2.1 255.255.255.0
!
interface Tunnel0
 bandwidth 1000
 ip address 10.0.0.3 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication test
 ip nhrp map multicast 172.17.0.1
 ip nhrp map 10.0.0.1 172.17.0.1
 ip nhrp network-id 100000
 ip nhrp holdtime 300
 ip nhrp nhs 10.0.0.1
 ip ospf network broadcast
 ip ospf priority 0
 delay 1000
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile vpnprof
!
interface FastEthernet0/0
 ip address 172.17.0.3 255.255.255.0
 duplex auto
 speed auto
!
router ospf 1
 log-adjacency-changes
 network 10.0.0.0 0.0.0.255 area 0
 network 192.168.2.0 0.0.0.255 area 0
!
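A consistency check over the three configurations above, added as an example that is neither Cisco's nor the report's own code: it parses trimmed excerpts of the Hub, Spoke1 and Spoke2 configs (embedded below) and reports the hub/spoke parameters that must agree for the DMVPN tunnel to form, plus the algorithm and pre-shared-key choices a reviewer would flag. The excerpts keep only the lines the check reads, and Spoke2 is derived from Spoke1 because the two differ only in hostname and tunnel address.

```python
"""DMVPN hub/spoke configuration consistency check.
Constructed illustration for this page; the excerpts are trimmed from the
report's own configurations to the lines this check reads."""
import re

HUB = """
hostname Hub
crypto isakmp key cisco47 address 0.0.0.0 0.0.0.0
crypto ipsec transform-set trans2 esp-des esp-md5-hmac
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 ip mtu 1400
 ip nhrp authentication test
 ip nhrp network-id 100000
 tunnel source FastEthernet0/0
 tunnel key 100000
interface FastEthernet0/0
 ip address 172.17.0.1 255.255.255.0
"""
SPOKE1 = """
hostname Spoke1
crypto isakmp key cisco47 address 0.0.0.0 0.0.0.0
crypto ipsec transform-set trans2 esp-des esp-md5-hmac
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 ip mtu 1400
 ip nhrp authentication test
 ip nhrp map 10.0.0.1 172.17.0.1
 ip nhrp network-id 100000
 ip nhrp nhs 10.0.0.1
 tunnel key 100000
"""
SPOKE2 = SPOKE1.replace("Spoke1", "Spoke2").replace("10.0.0.2 ", "10.0.0.3 ")

WEAK = {"esp-des": "single DES (56-bit key) is obsolete",
        "esp-md5-hmac": "HMAC-MD5 is deprecated for IPsec integrity"}


def parse(cfg):
    """Collect hostname, ISAKMP key scope, transform-set algorithms and the
    sub-commands of each interface from an IOS-style configuration."""
    dev, section = {"ifaces": {}}, None
    for line in cfg.strip("\n").splitlines():
        if line.startswith(" ") and section:
            dev["ifaces"][section].append(line.strip())
            continue
        section = None
        if m := re.match(r"hostname (\S+)", line):
            dev["hostname"] = m.group(1)
        elif m := re.match(r"crypto isakmp key \S+ address (\S+) (\S+)", line):
            dev["psk_scope"] = (m.group(1), m.group(2))
        elif m := re.match(r"crypto ipsec transform-set \S+ (.+)", line):
            dev["transforms"] = m.group(1).split()
        elif m := re.match(r"interface (\S+)", line):
            section = m.group(1)
            dev["ifaces"][section] = []
    return dev


def sub(lines, prefix):
    """Return the arguments of the first sub-command starting with prefix."""
    for line in lines:
        if line == prefix or line.startswith(prefix + " "):
            return line[len(prefix):].strip()
    return None


def audit(hub_cfg, spoke_cfgs):
    """Return findings: hub/spoke mismatches that keep the tunnel from coming
    up, then weak-algorithm and wildcard pre-shared-key notes."""
    hub, spokes = parse(hub_cfg), [parse(c) for c in spoke_cfgs]
    hub_t0 = hub["ifaces"]["Tunnel0"]
    hub_tunnel_ip = sub(hub_t0, "ip address").split()[0]
    hub_nbma = sub(hub["ifaces"][sub(hub_t0, "tunnel source")], "ip address").split()[0]
    findings = []
    for sp in spokes:
        t0, name = sp["ifaces"]["Tunnel0"], sp["hostname"]
        for param in ("tunnel key", "ip nhrp network-id", "ip nhrp authentication", "ip mtu"):
            if sub(t0, param) != sub(hub_t0, param):
                findings.append(f"{name}: '{param}' {sub(t0, param)} differs from hub {sub(hub_t0, param)}")
        if sp["transforms"] != hub["transforms"]:
            findings.append(f"{name}: transform-set {sp['transforms']} differs from hub")
        if sub(t0, "ip nhrp nhs") != hub_tunnel_ip:
            findings.append(f"{name}: nhs {sub(t0, 'ip nhrp nhs')} is not the hub tunnel address {hub_tunnel_ip}")
        if sub(t0, f"ip nhrp map {hub_tunnel_ip}") != hub_nbma:
            findings.append(f"{name}: no static NHRP map from {hub_tunnel_ip} to hub NBMA address {hub_nbma}")
    for dev in [hub] + spokes:
        for alg in dev["transforms"]:
            if alg in WEAK:
                findings.append(f"{dev['hostname']}: {alg}: {WEAK[alg]}")
        if dev.get("psk_scope") == ("0.0.0.0", "0.0.0.0"):
            findings.append(f"{dev['hostname']}: one pre-shared key accepted from any peer address")
    return findings
```

On the configurations as shown, the check reports no mismatches but flags esp-des, esp-md5-hmac and the wildcard pre-shared key on all three routers.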

3. VERIFICATION

On the routers, run the commands show ip route, show ip nhrp and show crypto engine connections active.

Hub#show ip route
     172.17.0.0/24 is subnetted, 1 subnets
C       172.17.0.0 is directly connected, FastEthernet0/0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.0.0.0 is directly connected, Tunnel0
C    192.168.0.0/24 is directly connected, Loopback0
     192.168.1.0/32 is subnetted, 1 subnets
O       192.168.1.1 [110/101] via 10.0.0.2, 00:35:13, Tunnel0
     192.168.2.0/32 is subnetted, 1 subnets
O       192.168.2.1 [110/101] via 10.0.0.3, 00:35:13, Tunnel0

Hub#show ip nhrp
10.0.0.2/32 via 10.0.0.2, Tunnel0 created 00:35:41, expire 00:04:17
  Type: dynamic, Flags: unique registered
  NBMA address: 172.17.0.2
10.0.0.3/32 via 10.0.0.3, Tunnel0 created 00:35:57, expire 00:04:01
  Type: dynamic, Flags: unique registered
  NBMA address: 172.17.0.3

Hub#show crypto engine connections active
Crypto Engine Connections

   ID Interface  Type   Algorithm   Encrypt  Decrypt IP-Address
    1 Fa0/0      IPsec  DES+MD5           0      277 172.17.0.1
    2 Fa0/0      IPsec  DES+MD5         274        0 172.17.0.1
    3 Fa0/0      IPsec  DES+MD5           0      272 172.17.0.1
    4 Fa0/0      IPsec  DES+MD5         277        0 172.17.0.1
 1001 Fa0/0      IKE    SHA+DES           0        0 172.17.0.1
 1002 Fa0/0      IKE    SHA+DES           0        0 172.17.0.1

Ping the Loopback interfaces (representing the internal networks) of the routers.

Hub#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 100/164/200 ms
Hub#ping 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 124/158/216 ms

Spoke1#ping 192.168.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 136/143/152 ms
Spoke1#ping 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 124/268/388 ms

Capturing the traffic between the routers with Wireshark shows that all packets are encrypted.
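The hub-side checks above can be automated. The following Python script is an added example, not part of this report: it parses constructed copies of the hub's show ip nhrp and show crypto engine connections active output, confirms that every NHRP-registered spoke has an inbound and an outbound IPsec SA, and flags the DES and MD5 algorithms negotiated in this lab, which are no longer considered secure for IKE or IPsec.

```python
import re
# Constructed sample output, modelled on the hub's show commands in this report.
NHRP_OUTPUT = """\
10.0.0.2/32 via 10.0.0.2, Tunnel0 created 00:35:41, expire 00:04:17
  Type: dynamic, Flags: unique registered
  NBMA address: 172.17.0.2
10.0.0.3/32 via 10.0.0.3, Tunnel0 created 00:35:57, expire 00:04:01
  Type: dynamic, Flags: unique registered
  NBMA address: 172.17.0.3
"""
CRYPTO_OUTPUT = """\
   ID Interface  Type  Algorithm  Encrypt  Decrypt IP-Address
    1 Fa0/0      IPsec DES+MD5          0      277 172.17.0.1
    2 Fa0/0      IPsec DES+MD5        274        0 172.17.0.1
    3 Fa0/0      IPsec DES+MD5          0      272 172.17.0.1
    4 Fa0/0      IPsec DES+MD5        277        0 172.17.0.1
 1001 Fa0/0      IKE   SHA+DES          0        0 172.17.0.1
 1002 Fa0/0      IKE   SHA+DES          0        0 172.17.0.1
"""
WEAK = {"DES", "3DES", "MD5"}  # algorithms no longer acceptable for IKE/IPsec

def parse_nhrp(text):
    """Map each registered spoke's tunnel address to its NBMA (public) address."""
    spokes, tunnel_ip = {}, None
    for line in text.splitlines():
        m = re.match(r"(\d+\.\d+\.\d+\.\d+)/32 via", line)
        if m:
            tunnel_ip = m.group(1)
        m = re.match(r"\s*NBMA address: (\S+)", line)
        if m and tunnel_ip:
            spokes[tunnel_ip] = m.group(1)
    return spokes

def parse_crypto(text):
    """Return (id, type, algorithm, encrypt, decrypt) for each SA row."""
    pat = re.compile(r"\s*(\d+)\s+\S+\s+(IPsec|IKE)\s+(\S+)\s+(\d+)\s+(\d+)")
    return [(int(m[1]), m[2], m[3], int(m[4]), int(m[5]))
            for m in map(pat.match, text.splitlines()) if m]

def check_hub(nhrp_text, crypto_text):
    """Automate the manual check: spokes registered, 2 IPsec SAs each, no weak algorithms."""
    spokes, rows = parse_nhrp(nhrp_text), parse_crypto(crypto_text)
    findings = []
    ipsec = [r for r in rows if r[1] == "IPsec"]
    if len(ipsec) < 2 * len(spokes):  # one inbound and one outbound SA per spoke
        findings.append("fewer than two IPsec SAs per registered spoke")
    findings += [f"SA {sa_id}: weak algorithm {alg}" for sa_id, _, alg, _, _ in rows
                 if WEAK & set(alg.split("+"))]
    return spokes, findings
```

On the lab output both spokes are registered and carry SAs, so the only findings are the six weak-algorithm entries.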


CONCLUSION

Virtual Private Network (VPN) is a term used by service providers and carriers. As its name suggests, a VPN is a customer's private network built on shared public network infrastructure. It can be created with software, with hardware, or with a combination of both, to establish a secure connection between two private networks across the public network. VPNs are very widely used by businesses around the world, and combining them with IPSec gives the VPN excellent security. Dynamic Multipoint Virtual Private Network (DMVPN) combines the technologies IPSec, mGRE and NHRP; together they make deploying IPSec in a VPN straightforward.

During the internship, because my knowledge and experience are still limited, mistakes in this report are unavoidable. I look forward to receiving feedback from the teachers and my classmates. To complete the internship well, I received much help from the teachers working at Trng Tn and from my friends. In particular I would like to thank Mr. Nguyn c Vit Khi, a staff member working at Trng Tn, for his dedicated guidance during my internship at the company. My thanks also go to the whole Trng Tn company for providing every facility and the equipment I needed to complete the practical exercises and labs during the internship. Finally, I would like to thank the teachers of the Computer Networks department of the Vietnam-Korea Friendship College of Information Technology (Cao ng Cng Ngh Thng Tin Hu Ngh Vit Hn) for giving me the opportunity to intern in a real-world environment. Thank you!

Phan Anh Tun
