
Cisco SD-WAN: Configure Security Parameters


Configure Security Parameters

Note

To achieve simplification and consistency, the Cisco SD-WAN solution has been rebranded as Cisco Catalyst SD-WAN. In addition, from Cisco IOS XE SD-WAN Release 17.12.1a and Cisco Catalyst SD-WAN Release 20.12.1, the following component changes apply: Cisco vManage to Cisco Catalyst SD-WAN Manager, Cisco vAnalytics to Cisco Catalyst SD-WAN Analytics, Cisco vBond to Cisco Catalyst SD-WAN Validator, and Cisco vSmart to Cisco Catalyst SD-WAN Controller. See the latest Release Notes for a comprehensive list of all the component brand name changes. While we transition to the new names, some inconsistencies might be present in the documentation set because of a phased approach to the user interface updates of the software product.

This section describes how to change the security parameters for the control plane and the data plane in the Cisco Catalyst SD-WAN overlay network.

  • Configure Control Plane Security Parameters
  • Configure Data Plane Security Parameters
  • Configure IKE-Enabled IPsec Tunnels
  • Disable Weak SSH Encryption Algorithms on Cisco SD-WAN Manager

Configure Control Plane Security Parameters

By default, the control plane uses DTLS as the protocol that provides privacy on all of its tunnels. DTLS runs over UDP. You can change the control plane security protocol to TLS, which runs over TCP. The primary reason to use TLS is that, if you consider the Cisco SD-WAN Controller to be a server, firewalls protect TCP servers better than UDP servers. You configure the control plane tunnel protocol on a Cisco SD-WAN Controller:

vSmart(config)# security control protocol tls

With this change, all control plane tunnels between the Cisco SD-WAN Controller and the routers, and between the Cisco SD-WAN Controller and Cisco SD-WAN Manager, use TLS. Control plane tunnels to the Cisco Catalyst SD-WAN Validator always use DTLS, because these connections must be handled by UDP. In a domain with multiple Cisco SD-WAN Controllers, when you configure TLS on one of the Cisco SD-WAN Controllers, all control plane tunnels from that controller to the other controllers use TLS. Put another way, TLS always takes precedence over DTLS. However, from the perspective of the other Cisco SD-WAN Controllers, if you have not configured TLS on them, they use TLS on the control plane tunnel only to that one Cisco SD-WAN Controller, and they use DTLS tunnels to all the other Cisco SD-WAN Controllers and to their connected routers. To have all Cisco SD-WAN Controllers use TLS, configure it on all of them. By default, the Cisco SD-WAN Controller listens on port 23456 for TLS requests. To change this:

vSmart(config)# security control tls-port number

The port can be a number from 1025 through 65535. To display control plane security information, use the show control connections command on the Cisco SD-WAN Controller. For example:

vSmart-2# show control connections

[Figure: output of show control connections on the Cisco SD-WAN Controller]

Configure DTLS on Cisco SD-WAN Manager

If you configure the Cisco SD-WAN Manager to use TLS as the control plane security protocol, you must enable port forwarding on your NAT. If you are using DTLS as the control plane security protocol, you do not need to do anything. The number of ports forwarded depends on the number of vdaemon processes running on the Cisco SD-WAN Manager. To display information about these processes and about the number of ports that are being forwarded, use the show control summary command. The output shows that four vdaemon processes are running:

[Figure: output of show control summary showing four vdaemon processes]

To see the listening ports, use the show control local-properties command:

vManage# show control local-properties

[Figure: output of show control local-properties]

This output shows that the listening TCP port is 23456. If you are running Cisco SD-WAN Manager behind a NAT, you should open the following ports on the NAT device:

  • 23456 (base – instance 0 port)
  • 23456 + 100 (base + 100)
  • 23456 + 200 (base + 200)
  • 23456 + 300 (base + 300)

Note that the number of instances is the same as the number of cores you have assigned to the Cisco SD-WAN Manager, up to a maximum of 8.

Configure Security Parameters Using the Security Feature Template

Use the Security feature template for all Cisco vEdge devices. On the routers and on the Cisco SD-WAN Validator, use this template to configure IPsec for data plane security. On Cisco SD-WAN Manager and Cisco SD-WAN Controller, use the Security feature template to configure DTLS or TLS for control plane security.

Configure Security Parameters

  1. From the Cisco SD-WAN Manager menu, choose Configuration > Templates.
  2. Click Feature Templates, and then click Add Template.
    Note: In Cisco vManage Release 20.7.1 and earlier releases, Feature Templates is titled Feature.
  3. From the Devices list in the left pane, select a device. The templates applicable to the selected device appear in the right pane.
  4. Click Security to open the template.
  5. In the Template Name field, enter a name for the template. The name can be up to 128 characters and can contain only alphanumeric characters.
  6. In the Template Description field, enter a description of the template. The description can be up to 2048 characters and can contain only alphanumeric characters.

When you first open a feature template, for each parameter that has a default value, the scope is set to Default (indicated by a check mark), and the default setting or value is shown. To change the default or to enter a value, click the drop-down menu to the left of the parameter field and choose one of the following:

Table 1:

Parameter Scope: Device Specific (indicated by a host icon)
Scope Description: Use a device-specific value for the parameter. For device-specific parameters, you cannot enter a value in the feature template. You enter the value when you attach a Viptela device to a device template.

When you click Device Specific, the Enter Key box opens. This box displays a key, which is a unique string that identifies the parameter in a CSV file that you create. This file is an Excel spreadsheet that contains one column for each key. The header row contains the key names (one key per column), and each row after that corresponds to a device and defines the values of the keys for that device. You upload the CSV file when you attach a Viptela device to a device template. For more information, see Create a Template Variables Spreadsheet.

To change the default key, type a new string and move the cursor out of the Enter Key box.

Examples of device-specific parameters are system IP address, hostname, GPS location, and site ID.

Parameter Scope: Global (indicated by a globe icon)
Scope Description: Enter a value for the parameter, and apply that value to all devices.

Examples of parameters that you might apply globally to a group of devices are DNS server, syslog server, and interface MTUs.

Configure Control Plane Security

Note
The Configure Control Plane Security section applies only to Cisco SD-WAN Manager and Cisco SD-WAN Controller. Configure the following parameters:

Table 2:

Parameter Name: Protocol
Description: Select the protocol to use on control plane connections to a Cisco SD-WAN Controller:

• DTLS (Datagram Transport Layer Security). This is the default.

• TLS (Transport Layer Security)

Parameter Name: Control TLS Port
Description: If you select TLS, configure the port number to use. Range: 1025 through 65535. Default: 23456

Click Save.

Configure Data Plane Security
To configure data plane security on a Cisco SD-WAN Validator or a Cisco vEdge router, select the Basic Configuration and Authentication Type tabs, and configure the following parameters:

Table 3:

Parameter Name: Rekey Time
Description: Specify how often the Cisco vEdge router changes the AES key used on its secure DTLS connection to the Cisco SD-WAN Controller. If OMP graceful restart is enabled, the rekeying time must be at least twice the value of the OMP graceful restart timer. Range: 10 through 1209600 seconds (14 days). Default: 86400 seconds (24 hours)

Parameter Name: Replay Window
Description: Specify the size of the sliding replay window.

Values: 64, 128, 256, 512, 1024, 2048, 4096, 8192 packets. Default: 512 packets

Parameter Name: IPsec pairwise-keying
Description: This is Off by default. Click On to enable it.

Parameter Name: Integrity Type
Description: Select the integrity types from the Authentication List, and click the right-pointing arrow to move the integrity types to the Selected List column.

The following integrity types are supported from Cisco SD-WAN Release 20.6.1:

•  esp: Enables Encapsulating Security Payload (ESP) encryption and integrity checking on the ESP header.

•  ip-udp-esp: Enables ESP encryption. In addition to the integrity checks on the ESP header and the payload, the checks also include the outer IP and UDP headers.

•  ip-udp-esp-no-id: Ignores the ID field in the IP header so that Cisco Catalyst SD-WAN can work in conjunction with non-Cisco devices.

•  none: Turns integrity checking off on IPsec packets. We do not recommend using this option.

The following authentication types are supported in Cisco SD-WAN Release 20.5.1 and earlier:

•  ah-no-id: Enables an enhanced version of AH-SHA1 HMAC and ESP HMAC-SHA1 that ignores the ID field in the outer IP header of the packet.

•  ah-sha1-hmac: Enables AH-SHA1 HMAC and ESP HMAC-SHA1.

•  none: Selects no authentication.

•  sha1-hmac: Enables ESP HMAC-SHA1.

 

Note: For an edge device running Cisco SD-WAN Release 20.5.1 or earlier, you may have configured authentication types using a Security template. When you upgrade the device to Cisco SD-WAN Release 20.6.1 or later, update the authentication types selected in the Security template to the integrity types supported from Cisco SD-WAN Release 20.6.1. To update the authentication types, do the following:

1. From the Cisco SD-WAN Manager menu, choose Configuration > Templates.

2. Click Feature Templates.

3. Find the Security template to update, click ..., and click Edit.

4. Click Update. Do not change any settings.

Cisco SD-WAN Manager updates the Security template to show the supported integrity types.

Click Save.

Configure Data Plane Security Parameters

In the data plane, IPsec is enabled by default on all routers, and by default IPsec tunnel connections use an enhanced version of the Encapsulating Security Payload (ESP) protocol for authentication on IPsec tunnels. On the routers, you can change the type of authentication, the IPsec rekeying timer, and the size of the IPsec anti-replay window.

Configure Allowed Authentication Types

Integrity Types in Cisco SD-WAN Release 20.6.1 and Later
From Cisco SD-WAN Release 20.6.1, the following integrity types are supported:

  • esp: This option enables Encapsulating Security Payload (ESP) encryption and integrity checking on the ESP header.
  • ip-udp-esp: This option enables ESP encryption. In addition to the integrity checks on the ESP header and the payload, the checks also include the outer IP and UDP headers.
  • ip-udp-esp-no-id: This option is similar to ip-udp-esp, however the ID field of the outer IP header is ignored. Configure this option in the list of integrity types to have the Cisco Catalyst SD-WAN software ignore the ID field in the IP header so that Cisco Catalyst SD-WAN can work in conjunction with non-Cisco devices.
  • none: This option turns integrity checking off on IPsec packets. We do not recommend using this option.

By default, IPsec tunnel connections use an enhanced version of the Encapsulating Security Payload (ESP) protocol for authentication. To modify the negotiated integrity types or to disable integrity checking, use the following command:

integrity-type { none | ip-udp-esp | ip-udp-esp-no-id | esp }

Authentication Types Prior to Cisco SD-WAN Release 20.6.1
By default, IPsec tunnel connections use an enhanced version of the Encapsulating Security Payload (ESP) protocol for authentication. To modify the negotiated authentication types or to disable authentication, use the following command:

Device(config)# security ipsec authentication-type (ah-sha1-hmac | ah-no-id | sha1-hmac | none)

By default, IPsec tunnel connections use AES-GCM-256, which provides both encryption and authentication. Configure each authentication type with a separate security ipsec authentication-type command. The command options map to the following authentication types, which are listed in order from most strong to least strong:

Note
The sha1 in the configuration options is used for historical reasons. The authentication options indicate how much of the packet is integrity checked. They do not specify the algorithm that checks the integrity. Except for multicast traffic encryption, the authentication algorithms supported by Cisco Catalyst SD-WAN do not use SHA1. However, in Cisco SD-WAN Release 20.1.x and later, neither unicast nor multicast uses SHA1.

  • ah-sha1-hmac enables encryption and encapsulation using ESP. However, in addition to the integrity checks on the ESP header and payload, the checks also include the outer IP and UDP headers. Hence, this option supports an integrity check of the packet similar to the Authentication Header (AH) protocol. All integrity and encryption is performed using AES-256-GCM.
  • ah-no-id enables a mode that is similar to ah-sha1-hmac, however the ID field of the outer IP header is ignored. This option accommodates some non-Cisco Catalyst SD-WAN devices, including the Apple AirPort Express NAT, that have a bug that causes the ID field in the IP header, a non-mutable field, to be modified. Configure the ah-no-id option in the list of authentication types to have the Cisco Catalyst SD-WAN AH software ignore the ID field in the IP header so that the Cisco Catalyst SD-WAN software can work in conjunction with these devices.
  • sha1-hmac enables ESP encryption and integrity checking.
  • none maps to no authentication. This option should only be used if it is required for temporary debugging. You can also choose this option in scenarios where data plane authentication and integrity are not a concern. Cisco does not recommend using this option for production networks.

For information about which data packet fields are affected by these authentication types, see Data Plane Integrity. Cisco IOS XE Catalyst SD-WAN devices and Cisco vEdge devices advertise their configured authentication types in their TLOC properties. The two routers on either side of an IPsec tunnel connection negotiate the authentication to use on the connection between them, using the strongest authentication type that is configured on both of the routers. For example, if one router advertises the ah-sha1-hmac and ah-no-id types, and a second router advertises the ah-no-id type, the two routers negotiate to use ah-no-id on the IPsec tunnel connection between them. If no common authentication types are configured on the two peers, no IPsec tunnel is established between them. The encryption algorithm on IPsec tunnel connections depends on the type of traffic:

  • For unicast traffic, the encryption algorithm is AES-256-GCM.
  • For multicast traffic:
    • Cisco SD-WAN Release 20.1.x and later: the encryption algorithm is AES-256-GCM.
    • Earlier releases: the encryption algorithm is AES-256-CBC with SHA1-HMAC.

When the IPsec authentication type is changed, the AES key for the data path is changed.
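The negotiation rule described above (strongest type configured on both peers wins; no common type means no tunnel) is easy to get wrong when auditing a large fabric by hand, so the following Python is an added example, not Cisco code, that applies it to constructed TLOC advertisements. The strength order is the one this page gives for releases before 20.6.1 (ah-sha1-hmac, ah-no-id, sha1-hmac, none); the site names and their advertised lists are made up for the example. It also reports which peer pairs end up with no tunnel or fall back to unauthenticated "none", which is what a defender would want to spot before a change window.

```python
"""Negotiate the IPsec authentication type between SD-WAN peers (added example)."""
from itertools import combinations
from typing import Dict, List, Optional, Sequence, Tuple

# Strength order as stated on this page for releases before 20.6.1, strongest first.
STRENGTH_ORDER: Tuple[str, ...] = ("ah-sha1-hmac", "ah-no-id", "sha1-hmac", "none")


def negotiate(local: Sequence[str], remote: Sequence[str]) -> Optional[str]:
    """Return the strongest type advertised by both peers, or None (no tunnel)."""
    for t in (*local, *remote):
        if t not in STRENGTH_ORDER:
            raise ValueError(f"unknown authentication type: {t}")
    common = set(local) & set(remote)
    for t in STRENGTH_ORDER:          # walk from strongest to weakest
        if t in common:
            return t
    return None


def audit_fabric(tlocs: Dict[str, Sequence[str]]) -> Dict[Tuple[str, str], Optional[str]]:
    """Negotiate every peer pair from the advertised per-router type lists."""
    return {(a, b): negotiate(tlocs[a], tlocs[b])
            for a, b in combinations(sorted(tlocs), 2)}


def weak_pairs(tlocs: Dict[str, Sequence[str]]) -> List[Tuple[str, str]]:
    """Pairs that get no tunnel at all (None) or only unauthenticated 'none'."""
    return sorted(pair for pair, t in audit_fabric(tlocs).items() if t in (None, "none"))


# Constructed sample: four routers and the types each advertises in its TLOCs.
SAMPLE_TLOCS: Dict[str, Sequence[str]] = {
    "site1": ["ah-sha1-hmac", "ah-no-id"],
    "site2": ["ah-no-id"],
    "site3": ["sha1-hmac", "none"],
    "site4": ["ah-sha1-hmac", "none"],
}

if __name__ == "__main__":
    for pair, result in audit_fabric(SAMPLE_TLOCS).items():
        print(f"{pair[0]} <-> {pair[1]}: {result or 'NO TUNNEL'}")
    print("pairs needing attention:", weak_pairs(SAMPLE_TLOCS))
```

With the sample data, site1 and site2 agree on ah-no-id (the page's own example), site1 and site4 get ah-sha1-hmac, site3 and site4 share only "none", and three pairs have no common type and therefore no tunnel.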

Change the Rekeying Timer

Before Cisco IOS XE Catalyst SD-WAN devices and Cisco vEdge devices can exchange data traffic, they set up a secure authenticated communications channel between them. The routers use IPsec tunnels between them as the channel, and the AES-256 cipher to perform encryption. Each router generates a new AES key for its data path periodically. By default, a key is valid for 86400 seconds (24 hours), and the timer range is 10 seconds through 1209600 seconds (14 days). To change the rekey timer value:

Device(config)# security ipsec rekey seconds

The configuration looks like this:

security ipsec rekey seconds
!

If you want to generate new IPsec keys immediately, you can do so without modifying the configuration of the router. To do this, issue the request security ipsec-rekey command on the compromised router. For example, the following output shows that the local SA has a Security Parameter Index (SPI) of 256:

[Figure: output of show ipsec local-sa showing SPI 256]

A unique key is associated with each SPI. If this key is compromised, use the request security ipsec-rekey command to generate a new key immediately. This command increments the SPI. In our example, the SPI changes to 257 and the key associated with it is now used:

Device# request security ipsec-rekey
Device# show ipsec local-sa

[Figure: output of show ipsec local-sa after the rekey, showing SPI 257]

After the new key is generated, the router sends it immediately to the Cisco SD-WAN Controllers using DTLS or TLS. The Cisco SD-WAN Controllers send the key to the peer routers. The routers begin using it as soon as they receive it. Note that the key associated with the old SPI (256) continues to be used for a short period of time, until it times out. To stop using the old key immediately, issue the request security ipsec-rekey command twice, in quick succession. This sequence of commands removes both SPI 256 and 257 and sets the SPI to 258. The router then uses the key associated with SPI 258. Note, however, that some packets are dropped for a short period of time until all the remote routers learn the new key.

[Figure: output of show ipsec local-sa after two rekeys, showing SPI 258]

Change the Size of the Anti-Replay Window

IPsec authentication provides anti-replay protection by assigning a unique sequence number to each packet in a data stream. This sequence numbering protects against an attacker duplicating data packets. With anti-replay protection, the sender assigns monotonically increasing sequence numbers, and the destination checks these sequence numbers to detect duplicates. Because packets often do not arrive in order, the destination maintains a sliding window of sequence numbers that it will accept.

[Figure: sliding anti-replay window of accepted sequence numbers]

Packets with sequence numbers that fall to the left of the sliding window range are considered old or duplicates, and the destination drops them. The destination tracks the highest sequence number it has received, and adjusts the sliding window when it receives a packet with a higher value.

[Figure: the window advancing when a higher sequence number arrives]

By default, the sliding window is set to 512 packets. It can be set to any value between 64 and 4096 that is a power of 2 (that is, 64, 128, 256, 512, 1024, 2048, or 4096). To modify the anti-replay window size, use the replay-window command, specifying the size of the window:

Device(config)# security ipsec replay-window number

The configuration looks like this:

security ipsec replay-window number
!
!

To help with QoS, separate replay windows are maintained for each of the first eight traffic channels. The configured replay window size is divided by eight for each channel. If QoS is configured on a router, that router might experience a larger than expected number of packet drops as a result of the IPsec anti-replay mechanism, and many of the dropped packets are legitimate ones. This occurs because QoS reorders packets, giving higher-priority packets preferential treatment and delaying lower-priority packets. To minimize or prevent this situation, you can do the following:

  • Increase the size of the anti-replay window.
  • Engineer traffic onto the first eight traffic channels to ensure that traffic within a channel is not reordered.
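To make the window mechanics and the QoS interaction concrete, the following Python is an added example, not Cisco code: a right-edge-anchored sliding window in the style of RFC 4303 (a bitmap records which of the last N sequence numbers were seen), split into eight per-channel windows of size/8 as this page describes. The packet stream is constructed: channel 0 sends in order, except that one low-priority packet (sequence 5) is delayed behind sequence 100 by QoS, and one packet (sequence 50) is a genuine replay. The per-channel sequence spaces and the (channel, sequence) tagging are this example's modelling assumption, not the device's wire format. With the default 512-packet window (64 per channel) the delayed legitimate packet is dropped as "too old"; raising the window to 1024 keeps it, while the true replay is still rejected either way.

```python
"""IPsec anti-replay sliding window with the per-channel split (added example)."""
from typing import List, Tuple

ALLOWED_SIZES = (64, 128, 256, 512, 1024, 2048, 4096)  # values this page allows
CHANNELS = 8                                             # windows are split 8 ways


class ReplayWindow:
    """Bit i of `bitmap` is set when sequence number (highest - i) was accepted."""

    def __init__(self, size: int) -> None:
        if size < 1:
            raise ValueError("window size must be positive")
        self.size = size
        self.highest = 0      # highest sequence number accepted so far
        self.bitmap = 0       # size-bit history, bit 0 == self.highest

    def accept(self, seq: int) -> bool:
        if seq <= 0:          # sequence numbers start at 1
            return False
        if seq > self.highest:
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1                          # whole history aged out
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False                                 # left of window: too old
        if (self.bitmap >> offset) & 1:
            return False                                 # already seen: replay
        self.bitmap |= 1 << offset
        return True


class ChannelizedReplay:
    """One window per traffic channel, each configured_size // 8 wide."""

    def __init__(self, window: int, channels: int = CHANNELS) -> None:
        if window not in ALLOWED_SIZES:
            raise ValueError(f"replay-window must be one of {ALLOWED_SIZES}")
        self.windows = [ReplayWindow(window // channels) for _ in range(channels)]

    def accept(self, channel: int, seq: int) -> bool:
        return self.windows[channel].accept(seq)


def count_drops(packets: List[Tuple[int, int]], window: int) -> int:
    """Number of (channel, seq) packets the receiver would drop for a given window."""
    receiver = ChannelizedReplay(window)
    return sum(1 for ch, seq in packets if not receiver.accept(ch, seq))


def qos_reordered_stream() -> List[Tuple[int, int]]:
    """Constructed sample: channel 0, seq 5 delayed behind seq 100, seq 50 replayed."""
    stream = [(0, n) for n in range(1, 101) if n != 5]
    stream += [(0, 5), (0, 50)]          # late legitimate packet, then a replay
    stream += [(0, n) for n in range(101, 121)]
    return stream


if __name__ == "__main__":
    for size in (512, 1024):
        print(f"replay-window {size}: {count_drops(qos_reordered_stream(), size)} drop(s)")
```

The per-channel width is what matters: 512/8 = 64, so a legitimate packet that arrives more than 63 positions behind the channel's newest packet is indistinguishable from an old one and is dropped, which is exactly the QoS-induced loss the text warns about.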

Configure IKE-Enabled IPsec Tunnels

To securely transfer traffic from the overlay network to a service network, you can configure IPsec tunnels that run the Internet Key Exchange (IKE) protocol. IKE-enabled IPsec tunnels provide authentication and encryption to ensure secure packet transport. You create an IKE-enabled IPsec tunnel by configuring an IPsec interface. IPsec interfaces are logical interfaces, and you configure them just like any other physical interface. You configure IKE protocol parameters on the IPsec interface, and you can configure other interface properties.

Note: Cisco recommends using IKE Version 2. Starting from the Cisco SD-WAN 19.2.x release onwards, the pre-shared key must be at least 16 bytes in length. IPsec tunnel establishment fails if the key is shorter than 16 characters when the router is upgraded to version 19.2.

Note
The Cisco Catalyst SD-WAN software supports IKE Version 2 as defined in RFC 7296. One use for IPsec tunnels is to allow vEdge Cloud router VM instances running on Amazon AWS to connect to the Amazon virtual private cloud (VPC). You must configure IKE Version 1 on these routers. Cisco vEdge devices support route-based VPNs in an IPSec configuration, because these devices cannot define traffic selectors in the encryption domain.

Configure an IPsec Tunnel

To configure an IPsec tunnel interface for secure transport traffic from a service network, you create a logical IPsec interface:

[Figure: IPsec interface configuration]

You can create the IPsec tunnel in the transport VPN (VPN 0) and in any service VPN (VPN 1 through 65530, except for 512). The IPsec interface has a name in the format ipsecnumber, where number can be from 1 through 255. Each IPsec interface must have an IPv4 address. This address must be a /30 prefix. All traffic in the VPN that is within this IPv4 prefix is directed to a physical interface in VPN 0 to be sent securely over an IPsec tunnel. To configure the source of the IPsec tunnel on the local device, you can specify either the IP address of the physical interface (in the tunnel-source command) or the name of the physical interface (in the tunnel-source-interface command). Ensure that the physical interface is configured in VPN 0. To configure the destination of the IPsec tunnel, specify the IP address of the remote device in the tunnel-destination command. The combination of a source address (or source interface name) and a destination address defines a single IPsec tunnel. Only one IPsec tunnel can exist that uses a specific source address (or interface name) and destination address pair.

Configure an IPsec Static Route

To direct traffic from the service VPN to an IPsec tunnel in the transport VPN (VPN 0), you configure an IPsec-specific static route in a service VPN (a VPN other than VPN 0 or VPN 512):

vEdge(config)# vpn vpn-id
vEdge(config-vpn)# ip ipsec-route prefix/length vpn 0 interface ipsecnumber [ipsecnumber2]

The VPN ID is that of any service VPN (VPN 1 through 65530, except for 512). prefix/length is the IP address or prefix, in decimal four-part dotted notation, and the prefix length of the IPsec-specific static route. The interface is the IPsec tunnel interface in VPN 0. You can configure one or two IPsec tunnel interfaces. If you configure two, the first is the primary IPsec tunnel, and the second is the backup. With two interfaces, all packets are sent only to the primary tunnel. If that tunnel fails, all packets are then sent to the secondary tunnel. If the primary tunnel comes back up, all traffic is moved back to the primary IPsec tunnel.

Enable IKE Version 1

When you create an IPsec tunnel on a vEdge router, IKE Version 1 is enabled by default on the tunnel interface. The following properties are also enabled by default for IKEv1:

  • Authentication and encryption—AES-256 advanced encryption standard CBC encryption with the HMAC-SHA1 keyed-hash message authentication code algorithm for integrity
  • Diffie-Hellman group number—16
  • Rekeying time interval—4 hours
  • SA establishment mode—Main

By default, IKEv1 uses IKE main mode to establish IKE SAs. In this mode, six negotiation packets are exchanged to establish the SA. To exchange only three negotiation packets, enable aggressive mode:

Note
IKE aggressive mode with pre-shared keys should be avoided wherever possible. Otherwise, a strong pre-shared key must be chosen.

vEdge(config)# vpn vpn-id interface ipsecnumber ike
vEdge(config-ike)# mode aggressive

By default, IKEv1 uses Diffie-Hellman group 16 in the IKE key exchange. This group uses the 4096-bit more modular exponential (MODP) group during IKE key exchange. You can change the group number to 2 (for 1024-bit MODP), 14 (2048-bit MODP), or 15 (3072-bit MODP):

vEdge(config)# vpn vpn-id interface ipsecnumber ike
vEdge(config-ike)# group number

By default, the IKE key exchange uses AES-256 advanced encryption standard CBC encryption with the HMAC-SHA1 keyed-hash message authentication code algorithm for integrity. You can change the authentication:

vEdge(config)# vpn vpn-id interface ipsecnumber ike
vEdge(config-ike)# cipher-suite suite

The authentication suite can be one of the following:

  • aes128-cbc-sha1—AES-128 advanced encryption standard CBC encryption with the HMAC-SHA1 keyed-hash message authentication code algorithm for integrity.
  • aes128-cbc-sha2—AES-128 advanced encryption standard CBC encryption with the HMAC-SHA256 keyed-hash message authentication code algorithm for integrity.
  • aes256-cbc-sha1—AES-256 advanced encryption standard CBC encryption with the HMAC-SHA1 keyed-hash message authentication code algorithm for integrity; this is the default.
  • aes256-cbc-sha2—AES-256 advanced encryption standard CBC encryption with the HMAC-SHA256 keyed-hash message authentication code algorithm for integrity.

By default, IKE keys are refreshed every 1 hour (3600 seconds). You can change the rekeying interval to a value from 30 seconds through 14 days (1209600 seconds). It is recommended that the rekeying interval be at least 1 hour.

vEdge(config)# vpn vpn-id interface ipsecnumber ike
vEdge(config-ike)# rekey seconds

To force the generation of new keys for an IKE session, issue the request ipsec ike-rekey command.

For IKE, you can also configure pre-shared key (PSK) authentication:

vEdge(config)# vpn vpn-id interface ipsecnumber ike
vEdge(config-ike)# authentication-type pre-shared-key pre-shared-secret password

password is the password to use with the pre-shared key. It can be an ASCII or a hexadecimal string from 1 through 127 characters long.

If the remote IKE peer requires a local or remote ID, you can configure this identifier:

vEdge(config)# vpn vpn-id interface ipsecnumber ike authentication-type
vEdge(config-authentication-type)# local-id id
vEdge(config-authentication-type)# remote-id id

The identifier can be an IP address or any text string from 1 through 63 characters long. By default, the local ID is the tunnel's source IP address and the remote ID is the tunnel's destination IP address.

Enable IKE Version 2

When you configure an IPsec tunnel to use IKE Version 2, the following properties are also enabled by default for IKEv2:

  • Authentication and encryption—AES-256 advanced encryption standard CBC encryption with the HMAC-SHA1 keyed-hash message authentication code algorithm for integrity
  • Diffie-Hellman group number—16
  • Rekeying time interval—4 hours

By default, IKEv2 uses Diffie-Hellman group 16 in the IKE key exchange. This group uses the 4096-bit more modular exponential (MODP) group during IKE key exchange. You can change the group number to 2 (for 1024-bit MODP), 14 (2048-bit MODP), or 15 (3072-bit MODP):

vEdge(config)# vpn vpn-id interface ipsecnumber ike
vEdge(config-ike)# group number

By default, the IKE key exchange uses AES-256 advanced encryption standard CBC encryption with the HMAC-SHA1 keyed-hash message authentication code algorithm for integrity. You can change the authentication:

vEdge(config)# vpn vpn-id interface ipsecnumber ike
vEdge(config-ike)# cipher-suite suite

The authentication suite can be one of the following:

  • aes128-cbc-sha1—AES-128 advanced encryption standard CBC encryption with the HMAC-SHA1 keyed-hash message authentication code algorithm for integrity.
  • aes128-cbc-sha2—AES-128 advanced encryption standard CBC encryption with the HMAC-SHA256 keyed-hash message authentication code algorithm for integrity.
  • aes256-cbc-sha1—AES-256 advanced encryption standard CBC encryption with the HMAC-SHA1 keyed-hash message authentication code algorithm for integrity; this is the default.
  • aes256-cbc-sha2—AES-256 advanced encryption standard CBC encryption with the HMAC-SHA256 keyed-hash message authentication code algorithm for integrity.

By default, IKE keys are refreshed every 4 hours (14,400 seconds). You can change the rekeying interval to a value from 30 seconds through 14 days (1209600 seconds):

vEdge(config)# vpn vpn-id interface ipsecnumber ike
vEdge(config-ike)# rekey seconds

To force the generation of new keys for an IKE session, issue the request ipsec ike-rekey command. For IKE, you can also configure pre-shared key (PSK) authentication:

vEdge(config)# vpn vpn-id interface ipsecnumber ike
vEdge(config-ike)# authentication-type pre-shared-key pre-shared-secret password

password is the password to use with the pre-shared key. It can be an ASCII or a hexadecimal string, or an AES-encrypted key. If the remote IKE peer requires a local or remote ID, you can configure this identifier:

vEdge(config)# vpn vpn-id interface ipsecnumber ike authentication-type
vEdge(config-authentication-type)# local-id id
vEdge(config-authentication-type)# remote-id id

The identifier can be an IP address or any text string from 1 through 64 characters long. By default, the local ID is the tunnel's source IP address and the remote ID is the tunnel's destination IP address.

Configure IPsec Tunnel Parameters

Table 4: Feature History

Feature Name: Additional Cryptographic Algorithmic Support for IPSec Tunnels
Release Information: Cisco SD-WAN Release 20.1.1
Description: This feature adds support for the HMAC_SHA256, HMAC_SHA384, and HMAC_SHA512 algorithms for enhanced security.

By default, the following parameters are used on the IPsec tunnel that carries IKE traffic:

  • Authentication and encryption—AES-256 algorithm in GCM (Galois/counter mode)
  • Rekeying interval—4 hours
  • Replay window—32 packets

You can change the encryption on the IPsec tunnel to the AES-256 cipher in CBC (cipher block chaining) mode, with HMAC using either SHA-1 or SHA-2 keyed-hash message authentication, or to null with HMAC using either SHA-1 or SHA-2 keyed-hash message authentication, so that the IPsec tunnel used for IKE key exchange traffic is not encrypted:

  • vEdge(config-interface-ipsecnumber)# ipsec
  • vEdge(config-ipsec)# cipher-suite (aes256-gcm | aes256-cbc-sha1 | aes256-cbc-sha256 | aes256-cbc-sha384 | aes256-cbc-sha512 | aes256-null-sha1 | aes256-null-sha256 | aes256-null-sha384 | aes256-null-sha512)

By default, IKE keys are refreshed every 4 hours (14,400 seconds). You can change the rekeying interval to a value from 30 seconds through 14 days (1209600 seconds):

  • vEdge(config-interface-ipsecnumber)# ipsec
  • vEdge(config-ipsec)# rekey seconds

To force the generation of new keys for an IPsec tunnel, issue the request ipsec ipsec-rekey command. By default, perfect forward secrecy (PFS) is enabled on IPsec tunnels, to ensure that past sessions are not affected if future keys are compromised. PFS forces a new Diffie-Hellman key exchange, by default using the 4096-bit Diffie-Hellman prime modulus group. You can change the PFS setting:

  • vEdge(config-interface-ipsecnumber)# ipsec
  • vEdge(config-ipsec)# perfect-forward-secrecy pfs-setting

pfs-setting can be one of the following:

  • group-2—Use the 1024-bit Diffie-Hellman prime modulus group.
  • group-14—Use the 2048-bit Diffie-Hellman prime modulus group.
  • group-15—Use the 3072-bit Diffie-Hellman prime modulus group.
  • group-16—Use the 4096-bit Diffie-Hellman prime modulus group. This is the default.
  • none—Disable PFS.

By default, the IPsec replay window on the IPsec tunnel is 512 bytes. You can set the window size to 64, 128, 256, 512, 1024, 2048, or 4096 packets:

  • vEdge(config-interface-ipsecnumber)# ipsec
  • vEdge(config-ipsec)# replay-window number
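The cipher-suite, rekey, PFS and replay-window settings above each have a documented set of accepted values, and some accepted values weaken the tunnel (the null suites send IKE traffic unencrypted, group-2 is a 1024-bit modulus, none turns PFS off). The following pre-flight linter is an added example, not code from the Cisco guide: it checks a proposed combination against the ranges the guide states, flags weak but legal choices, and emits the vEdge lines that would be entered under the interface's ipsec block. The function names and the "weak" classification are this example's own.

```python
# Added example, not from the Cisco guide: a pre-flight linter for the IPsec
# tunnel parameters described above. The accepted values and ranges are the
# ones the guide states; the function names and the "weak" classification
# (null ciphers, HMAC-SHA1, small PFS groups, PFS off) are this example's own.

REKEY_MIN_S = 30                      # 30 seconds
REKEY_MAX_S = 14 * 24 * 60 * 60       # 14 days = 1209600 seconds
REPLAY_WINDOWS = {64, 128, 256, 512, 1024, 2048, 4096}

CIPHER_SUITES = {
    "aes256-gcm", "aes256-cbc-sha1", "aes256-cbc-sha256", "aes256-cbc-sha384",
    "aes256-cbc-sha512", "aes256-null-sha1", "aes256-null-sha256",
    "aes256-null-sha384", "aes256-null-sha512",
}

# perfect-forward-secrecy setting -> Diffie-Hellman modulus size in bits (0 = PFS off)
PFS_SETTINGS = {"group-2": 1024, "group-14": 2048, "group-15": 3072,
                "group-16": 4096, "none": 0}


def lint_ipsec_params(cipher_suite="aes256-gcm", rekey=14400,
                      pfs="group-16", replay_window=512):
    """Check one tunnel's IPsec settings against the guide's accepted values.

    Returns (errors, warnings, cli): errors are values outside the documented
    ranges, warnings are accepted but weak choices, cli is the vEdge
    configuration that would be entered under the interface's ipsec block.
    """
    errors, warnings = [], []

    if cipher_suite not in CIPHER_SUITES:
        errors.append(f"unknown cipher-suite {cipher_suite!r}")
    else:
        if "-null-" in cipher_suite:
            warnings.append("null cipher: the tunnel is integrity-protected but not encrypted")
        if cipher_suite.endswith("-sha1"):
            warnings.append("HMAC-SHA1 integrity: prefer a SHA-2 suite or AES-256-GCM")

    if not REKEY_MIN_S <= rekey <= REKEY_MAX_S:
        errors.append(f"rekey {rekey} outside {REKEY_MIN_S}..{REKEY_MAX_S} seconds")

    if pfs not in PFS_SETTINGS:
        errors.append(f"unknown perfect-forward-secrecy setting {pfs!r}")
    elif pfs == "none":
        warnings.append("PFS disabled: a future key compromise exposes past sessions")
    elif PFS_SETTINGS[pfs] < 2048:
        warnings.append(f"{pfs} uses a {PFS_SETTINGS[pfs]}-bit modulus: prefer group-14 or larger")

    if replay_window not in REPLAY_WINDOWS:
        errors.append(f"replay-window {replay_window} not one of {sorted(REPLAY_WINDOWS)}")

    cli = [
        "ipsec",
        f" cipher-suite {cipher_suite}",
        f" rekey {rekey}",
        f" perfect-forward-secrecy {pfs}",
        f" replay-window {replay_window}",
    ]
    return errors, warnings, cli


if __name__ == "__main__":
    # Defaults, then a deliberately poor combination to show the reports.
    for args in [{}, {"cipher_suite": "aes256-null-sha1", "rekey": 10,
                      "pfs": "none", "replay_window": 100}]:
        errs, warns, cli = lint_ipsec_params(**args)
        print("\n".join(cli))
        for e in errs:
            print("ERROR:", e)
        for w in warns:
            print("WARN: ", w)
```

Run the linter over the intended settings before a template push; an error means the device would reject the value, a warning means it would accept a setting that reduces the tunnel's protection.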

Modify IKE Dead-Peer Detection

IKE uses a dead-peer detection mechanism to determine whether the connection to an IKE peer is functional and reachable. To implement this mechanism, IKE sends a Hello packet to its peer, and the peer sends an acknowledgment in response. By default, IKE sends Hello packets every 10 seconds, and after three unacknowledged packets, IKE declares the neighbor to be dead and tears down the tunnel to the peer. Thereafter, IKE periodically sends a Hello packet to the peer, and re-establishes the tunnel when the peer comes back online. You can change the liveness detection interval to a value from 0 through 65535, and you can change the number of retries to a value from 0 through 255.

Note

For transport VPNs, the liveness detection interval is converted to seconds using the following formula: the interval for retransmission attempt number N = interval * 1.8^(N-1). For example, if the interval is set to 10 and retries to 5, the detection interval increases as follows:

  • Attempt 1: 10 * 1.8^(1-1) = 10 seconds
  • Attempt 2: 10 * 1.8^(2-1) = 18 seconds
  • Attempt 3: 10 * 1.8^(3-1) = 32.4 seconds
  • Attempt 4: 10 * 1.8^(4-1) = 58.32 seconds
  • Attempt 5: 10 * 1.8^(5-1) = 104.976 seconds

vEdge(config-interface-ipsecnumber)# dead-peer-detection interval retries number
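The back-off in the note matters operationally because the configured interval is not the time it takes to notice a dead peer: each retry waits 1.8 times longer than the previous one. The script below is an added example, not code from the Cisco guide; it implements the note's formula for any interval and retry count, enforces the ranges the text gives, and sums the waits to estimate how long a failed peer goes unnoticed before the tunnel is torn down. Treating the waits as consecutive and summing them is this example's assumption, as are the function names.

```python
# Added example, not from the Cisco guide: work the dead-peer-detection
# formula from the note above, interval * 1.8^(N-1) for retransmission
# attempt N on transport VPNs, and derive how long a dead peer goes
# unnoticed before the tunnel is torn down. The value ranges are the ones
# the text gives; summing consecutive waits and the function names are
# this example's own assumptions.

GROWTH = 1.8  # per-attempt back-off factor stated in the note


def dpd_schedule(interval, retries):
    """Seconds to wait before each retransmission attempt 1..retries."""
    if not 0 <= interval <= 65535:
        raise ValueError("interval must be 0..65535")
    if not 0 <= retries <= 255:
        raise ValueError("retries must be 0..255")
    # Round to milliseconds so floating-point noise does not leak into reports.
    return [round(interval * GROWTH ** (n - 1), 3) for n in range(1, retries + 1)]


def time_to_declare_dead(interval, retries):
    """Total seconds of silence before IKE declares the peer dead, assuming
    the back-off waits run one after another."""
    return round(sum(dpd_schedule(interval, retries)), 3)


if __name__ == "__main__":
    for n, wait in enumerate(dpd_schedule(10, 5), start=1):
        print(f"Attempt {n}: {wait} seconds")
    print("peer declared dead after", time_to_declare_dead(10, 5), "seconds")
    # Default-like settings from the text (10 s, three unacknowledged packets):
    print("defaults:", time_to_declare_dead(10, 3), "seconds")
```

With interval 10 and 5 retries the waits are 10, 18, 32.4, 58.32 and 104.976 seconds, so a dead transport peer is only declared after roughly 224 seconds; with three retries the figure is about 60 seconds, not 30. Use the function when tuning failover targets so that the detection time, not just the interval, meets the requirement.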

Configure Other Interface Properties

For IPsec tunnel interfaces, you can configure the following additional interface properties:

  • vEdge(config-interface-ipsec)# mtu bytes
  • vEdge(config-interface-ipsec)# tcp-mss-adjust bytes

Disable Weak SSH Encryption Algorithms on Cisco SD-WAN Manager

Table 5: Feature History

Feature Name: Disable Weak SSH Encryption Algorithms on Cisco SD-WAN Manager
Release Information: Cisco vManage Release 20.9.1
Feature Description: This feature enables you to disable weak SSH algorithms on Cisco SD-WAN Manager that might not meet certain data security standards.

Information About Disabling Weak SSH Encryption Algorithms on Cisco SD-WAN Manager
Cisco SD-WAN Manager provides an SSH client for communication with components in the network, including controllers and edge devices. The SSH client provides an encrypted connection for secure data transfer, based on a variety of encryption algorithms. Many organizations require stronger encryption than is provided by SHA-1, AES-128, and AES-192. From Cisco vManage Release 20.9.1, you can disable the following weaker encryption algorithms so that the SSH client does not use them:

  • SHA-1
  • AES-128
  • AES-192

Before disabling these encryption algorithms, ensure that any Cisco vEdge devices in the network are running a software release later than Cisco SD-WAN Release 18.4.6.

Benefits of Disabling Weak SSH Encryption Algorithms on Cisco SD-WAN Manager
Disabling weaker SSH encryption algorithms improves the security of SSH communication and ensures that organizations using Cisco Catalyst SD-WAN comply with security regulations.

Disable Weak SSH Encryption Algorithms on Cisco SD-WAN Manager Using the CLI

  1. From the Cisco SD-WAN Manager menu, choose Tools > SSH Terminal.
  2. Choose the Cisco SD-WAN Manager device on which you want to disable the weak SSH algorithms.
  3. Enter the username and password to log in to the device.
  4. Enter SSH server mode:
    • vmanage(config)# system
    • vmanage(config-system)# ssh-server
  5. Do one of the following to disable an SSH encryption algorithm:
    • Disable SHA-1:
      vmanage(config-ssh-server)# no kex-algo sha1
      vmanage(config-ssh-server)# commit
      The following warning message is displayed:
      The following warnings were generated:
      'system ssh-server kex-algo sha1': WARNING: Please ensure all your edges run code version > 18.4.6 which negotiates better than SHA1 with vManage. Otherwise, those edges may go offline. Proceed? [yes,no] yes
    • Ensure that the Cisco vEdge devices in the network are running Cisco SD-WAN Release 18.4.6 or later and enter yes.
    • Disable AES-128 and AES-192:
      vmanage(config-ssh-server)# no cipher aes-128-192
      vmanage(config-ssh-server)# commit
      The following warning message is displayed:
      The following warnings were generated:
      'system ssh-server cipher aes-128-192': WARNING: Please ensure all your edges run code version > 18.4.6 which negotiates better than AES-128-192 with vManage. Otherwise, those edges may go offline. Proceed? [yes,no] yes
    • Ensure that the Cisco vEdge devices in the network are running Cisco SD-WAN Release 18.4.6 or later and enter yes.

Verify That Weak SSH Encryption Algorithms Are Disabled on Cisco SD-WAN Manager Using the CLI

  1. From the Cisco SD-WAN Manager menu, choose Tools > SSH Terminal.
  2. Choose the Cisco SD-WAN Manager device that you want to verify.
  3. Enter the username and password to log in to the device.
  4. Run the following command: show running-config system ssh-server
  5. Verify that the output shows one or more of the commands that disable the weak encryption algorithms:
    • no cipher aes-128-192
    • no kex-algo sha1
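When the verification in step 5 has to be repeated across several Cisco SD-WAN Manager instances, it is easier to feed the collected show running-config system ssh-server output to a small checker than to read each one by hand. The script below is an added example and not code from the Cisco guide: it isolates the ssh-server block by indentation and reports which of the two disabling commands is missing. The two sample outputs are constructed for this example, and the exact layout of the real command output is an assumption; only the two command strings come from the guide.

```python
# Added example, not from the Cisco guide: check "show running-config
# system ssh-server" output from the verification steps above for the two
# lines that disable the weak algorithms. The sample outputs below are
# constructed; the real output's layout is an assumption, so the parser
# relies only on indentation under "ssh-server".

# CLI line the guide says disables the algorithm -> what it disables
WEAK_SSH_DISABLE_LINES = {
    "no kex-algo sha1": "SHA-1 key exchange",
    "no cipher aes-128-192": "AES-128 and AES-192 ciphers",
}

# Constructed sample: both weak algorithm families disabled.
SAMPLE_HARDENED = """\
system
 ssh-server
  no cipher aes-128-192
  no kex-algo sha1
 !
!
"""

# Constructed sample: ssh-server block present, nothing disabled.
SAMPLE_DEFAULT = """\
system
 ssh-server
 !
!
"""


def ssh_server_lines(running_config):
    """Return the stripped lines nested under the first 'ssh-server' block."""
    collected, block_indent = [], None
    for line in running_config.splitlines():
        stripped = line.strip()
        indent = len(line) - len(line.lstrip())
        if block_indent is None:
            if stripped == "ssh-server":
                block_indent = indent
            continue
        if indent <= block_indent:      # left the block ("!" or a sibling)
            break
        collected.append(stripped)
    return collected


def audit_weak_ssh(running_config):
    """Map each weak algorithm family to True if it is still enabled."""
    present = set(ssh_server_lines(running_config))
    return {desc: line not in present for line, desc in WEAK_SSH_DISABLE_LINES.items()}


def report(running_config):
    """Print a per-family verdict; return the families still enabled."""
    verdicts = audit_weak_ssh(running_config)
    for desc, enabled in verdicts.items():
        print(f"{desc}: {'STILL ENABLED' if enabled else 'disabled'}")
    return [desc for desc, enabled in verdicts.items() if enabled]


if __name__ == "__main__":
    print("hardened sample:")
    report(SAMPLE_HARDENED)
    print("default sample:")
    report(SAMPLE_DEFAULT)
```

A non-empty return from report() is the signal that the disabling commands from the previous procedure still need to be committed on that device; an output with no ssh-server block at all is reported the same way, since nothing in it disables the weak algorithms.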

Documents / Resources

CISCO SD-WAN Configure Security Parameters [pdf] User Guide
