CISCO SD-WAN Configure Security Parameters
Note
To achieve simplification and consistency, the Cisco SD-WAN solution has been rebranded as Cisco Catalyst SD-WAN. In addition, from Cisco IOS XE SD-WAN Release 17.12.1a and Cisco Catalyst SD-WAN Release 20.12.1, the following component changes apply: Cisco vManage to Cisco Catalyst SD-WAN Manager, Cisco vAnalytics to Cisco Catalyst SD-WAN Analytics, Cisco vBond to Cisco Catalyst SD-WAN Validator, and Cisco vSmart to Cisco Catalyst SD-WAN Controller. See the latest Release Notes for a comprehensive list of all the component brand name changes. While we transition to the new names, some inconsistencies might be present in the documentation set because of a phased approach to the user interface updates of the software product.
This section describes how to change security parameters for the control plane and the data plane in the Cisco Catalyst SD-WAN overlay network.
- Configure Control Plane Security Parameters
- Configure Data Plane Security Parameters
- Configure IKE-Enabled IPsec Tunnels
- Disable Weak SSH Encryption Algorithms on Cisco SD-WAN Manager
Configure Control Plane Security Parameters
By default, the control plane uses DTLS as the protocol that provides privacy on all its tunnels. DTLS runs over UDP. You can change the control plane security protocol to TLS, which runs over TCP. The main reason to use TLS is that, if you consider the Cisco SD-WAN Controller to be a server, firewalls protect TCP servers better than UDP servers. You configure the control plane tunnel protocol on a Cisco SD-WAN Controller:
vSmart(config)# security control protocol tls
With this change, all control plane tunnels between the Cisco SD-WAN Controller and the routers, and between the Cisco SD-WAN Controller and Cisco SD-WAN Manager, use TLS. Control plane tunnels to the Cisco Catalyst SD-WAN Validator always use DTLS, because these connections must be handled by UDP.
In a domain with multiple Cisco SD-WAN Controllers, when you configure TLS on one of the Cisco SD-WAN Controllers, all control plane tunnels from that controller to the other controllers use TLS. Said another way, TLS always takes precedence over DTLS. However, from the perspective of the other Cisco SD-WAN Controllers, if you have not configured TLS on them, they use TLS on the control plane tunnel only to that one Cisco SD-WAN Controller, and they use DTLS tunnels to all the other Cisco SD-WAN Controllers and to all their connected routers. To have all Cisco SD-WAN Controllers use TLS, configure it on all of them.
By default, the Cisco SD-WAN Controller listens on port 23456 for TLS requests. To change this:
vSmart(config)# security control tls-port number
The port number can be a value from 1025 through 65535.
To display control plane security information, use the show control connections command on the Cisco SD-WAN Controller. For example:
vSmart-2# show control connections
Configure DTLS in Cisco SD-WAN Manager
If you configure Cisco SD-WAN Manager to use TLS as the control plane security protocol, you must enable port forwarding on your NAT. If you are using DTLS as the control plane security protocol, you do not need to do anything. The number of ports forwarded depends on the number of vdaemon processes running on Cisco SD-WAN Manager. To display information about these processes and about the number of ports that are forwarded, use the show control summary command. In the example this section is based on, the output showed four vdaemon processes running.
To see the listening ports, use the show control local-properties command:
vManage# show control local-properties
This output shows that the listening TCP port is 23456. If you are running Cisco SD-WAN Manager behind a NAT, you should open the following ports on the NAT device:
- 23456 (base, the instance 0 port)
- 23456 + 100 (base + 100)
- 23456 + 200 (base + 200)
- 23456 + 300 (base + 300)
Note that the number of instances is the same as the number of cores you have assigned to Cisco SD-WAN Manager, up to a maximum of 8.
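The control-plane rules above (TLS takes precedence between controllers, tunnels to the Validator are always DTLS, and a NAT in front of SD-WAN Manager needs one forwarded TCP port per vdaemon instance) as an added Python example. This is not Cisco code or command output; the ControlNode class, the function names and the (protocol, port) rule layout are assumptions made for the example.

```python
# Added example (not Cisco's code): models the control-plane protocol and NAT
# port rules described on this page. Names and data layout are the example's own.
from __future__ import annotations

from dataclasses import dataclass

TLS_PORT_MIN, TLS_PORT_MAX = 1025, 65535
DEFAULT_TLS_PORT = 23456
MAX_MANAGER_INSTANCES = 8      # one vdaemon per assigned core, at most 8
INSTANCE_PORT_STRIDE = 100     # instance i listens on base + 100 * i


@dataclass(frozen=True)
class ControlNode:
    name: str
    role: str                  # "controller", "manager" or "validator"
    tls: bool = False          # True when 'security control protocol tls' is configured
    tls_port: int = DEFAULT_TLS_PORT

    def __post_init__(self):
        if not TLS_PORT_MIN <= self.tls_port <= TLS_PORT_MAX:
            raise ValueError(f"tls-port must be {TLS_PORT_MIN}..{TLS_PORT_MAX}, got {self.tls_port}")


def tunnel_protocol(a: ControlNode, b: ControlNode) -> str:
    """Protocol actually used on the control tunnel between two nodes.

    Tunnels to a Validator are always DTLS (they must run over UDP). Otherwise
    TLS is used as soon as either side has TLS configured: TLS wins over DTLS.
    """
    if "validator" in (a.role, b.role):
        return "dtls"
    return "tls" if (a.tls or b.tls) else "dtls"


def manager_nat_ports(manager: ControlNode, cores: int) -> list[int]:
    """TCP ports to forward on a NAT in front of SD-WAN Manager.

    Nothing needs forwarding for DTLS. For TLS there is one listening port per
    vdaemon instance: base, base+100, base+200, ... (instances == cores, max 8).
    """
    if manager.role != "manager":
        raise ValueError("port plan only applies to SD-WAN Manager")
    if not manager.tls:
        return []
    instances = min(max(cores, 1), MAX_MANAGER_INSTANCES)
    return [manager.tls_port + INSTANCE_PORT_STRIDE * i for i in range(instances)]


def nat_rules(manager: ControlNode, cores: int) -> list[tuple[str, int]]:
    """(protocol, port) pairs an operator would open on the NAT device."""
    return [("tcp", port) for port in manager_nat_ports(manager, cores)]


if __name__ == "__main__":
    vsmart1 = ControlNode("vsmart-1", "controller", tls=True)
    vsmart2 = ControlNode("vsmart-2", "controller")      # left at the DTLS default
    vbond = ControlNode("vbond", "validator")
    vmanage = ControlNode("vmanage", "manager", tls=True)
    print(tunnel_protocol(vsmart1, vsmart2))   # tls: configured on one side is enough
    print(tunnel_protocol(vsmart2, vbond))     # dtls: Validator tunnels are always DTLS
    print(nat_rules(vmanage, cores=4))         # four ports, 23456 .. 23756 in steps of 100
```

The port plan deliberately caps the instance count at eight and ignores the protocol of the controllers: only the Manager's own protocol decides whether the NAT needs TCP rules.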
Configure Security Parameters Using the Security Feature Template
Use the Security feature template for all Cisco vEdge devices. On the edge routers and on the Cisco SD-WAN Validator, use this template to configure IPsec for data plane security. On Cisco SD-WAN Manager and the Cisco SD-WAN Controller, use the Security feature template to configure DTLS or TLS for control plane security.
Configure Security Parameters
- From the Cisco SD-WAN Manager menu, choose Configuration > Templates.
- Click Feature Templates, and click Add Template.
Note: In Cisco vManage Release 20.7.1 and earlier releases, Feature Templates is called Feature.
- From the Devices list in the left pane, select a device. The templates that apply to the selected device appear in the right pane.
- Click Security to open the template.
- In the Template Name field, enter a name for the template. The name can be up to 128 characters and can contain only alphanumeric characters.
- In the Template Description field, enter a description of the template. The description can be up to 2048 characters and can contain only alphanumeric characters.
When you first open a feature template, for each parameter that has a default value, the scope is set to Default (indicated by a check mark), and the default setting or value is shown. To change the default or to enter a value, click the scope drop-down to the left of the parameter field and select one of the following:
Table 1:
Parameter Scope | Scope Description |
Device Specific (indicated by a host icon) | Use a device-specific value for the parameter. For device-specific parameters, you cannot enter a value in the feature template. You enter the value when you attach a Viptela device to a device template. When you click Device Specific, the Enter Key box opens. This box displays a key, which is a unique string that identifies the parameter in a CSV file that you create. This file is an Excel spreadsheet that contains one column for each key. The header row contains the key names (one key per column), and each row after that corresponds to a device and defines the values of the keys for that device. You upload the CSV file when you attach a Viptela device to a device template. For more information, see Create a Template Variables Spreadsheet. To change the default key, type a new string and move the cursor out of the Enter Key box. Examples of device-specific parameters are system IP address, hostname, GPS location, and site ID. |
Global (indicated by a globe icon) | Enter a value for the parameter, and apply that value to all devices. Examples of parameters that you might apply globally to a group of devices are DNS server, syslog server, and interface MTUs. |
Configure Control Plane Security
Note
The Control Plane Security section applies to Cisco SD-WAN Manager and the Cisco SD-WAN Controller only. To configure the control plane connection protocol on a Cisco SD-WAN Manager instance or a Cisco SD-WAN Controller, select the Basic Configuration area and configure the following parameters:
Table 2:
Parameter Name | Description |
Protocol | Select the protocol to use on control plane connections to a Cisco SD-WAN Controller: DTLS (Datagram Transport Layer Security), which is the default, or TLS (Transport Layer Security). |
Control TLS Port | If you select TLS, configure the port number to use. Range: 1025 through 65535. Default: 23456. |
Click Save.
Configure Data Plane Security
To configure data plane security on a Cisco SD-WAN Validator or a Cisco vEdge router, select the Basic Configuration and Authentication Type tabs, and configure the following parameters:
Table 3:
Parameter Name | Description |
Rekey Time | Specify how often a Cisco vEdge router changes the AES key used on its secure DTLS connection to the Cisco SD-WAN Controller. If OMP graceful restart is enabled, the rekeying time must be at least twice the value of the OMP graceful restart timer. Range: 10 through 1209600 seconds (14 days). Default: 86400 seconds (24 hours). |
Replay Window | Specify the size of the sliding replay window. Values: 64, 128, 256, 512, 1024, 2048, 4096, 8192 packets. Default: 512 packets. |
IPsec pairwise-keying | Disabled by default. Click On to enable it. |
Authentication Type | Select the authentication type from the Authentication List, and click the right-pointing arrow to move the authentication types to the Selected List column. Authentication types supported from Cisco SD-WAN Release 20.6.1: esp (enables encryption and integrity checking on the ESP header); ip-udp-esp (enables ESP encryption; in addition to the integrity checks on the ESP header and payload, the checks also include the outer IP and UDP headers); ip-udp-esp-no-id (ignores the ID field in the IP header so that Cisco Catalyst SD-WAN can work in conjunction with non-Cisco devices); none (turns integrity checking off on IPsec packets; we do not recommend using this option). Authentication types supported in Cisco SD-WAN Release 20.5.1 and earlier: ah-no-id (enables an enhanced version of AH-SHA1 HMAC and ESP HMAC-SHA1 that ignores the ID field in the outer IP header); ah-sha1-hmac (enables AH-SHA1 HMAC and ESP HMAC-SHA1); none (selects no authentication); sha1-hmac (enables ESP HMAC-SHA1). |
Note: For devices running Cisco SD-WAN Release 20.5.1 or earlier, you may have configured the integrity type using the Security template. After you upgrade a device to Cisco SD-WAN Release 20.6.1 or later, update the integrity type selected in the Security template to the integrity types supported from Cisco SD-WAN Release 20.6.1. To update the integrity type, do the following: 1. From the Cisco SD-WAN Manager menu, choose Configuration > Templates. 2. Click Feature Templates. 3. Locate the Security template to update, click the ... button, and click Edit. 4. Click Update. Do not change any configuration. Cisco SD-WAN Manager updates the Security template to show the supported integrity types.
Click Save.
Configure Data Plane Security Parameters
In the data plane, IPsec is enabled by default on all routers, and by default IPsec tunnel connections use an enhanced version of the Encapsulating Security Payload (ESP) protocol for authentication on IPsec tunnels. On the routers, you can change the type of authentication, the IPsec rekeying timer, and the size of the IPsec anti-replay window.
Configure Allowed Authentication Types
Authentication Types in Cisco SD-WAN Release 20.6.1 and Later
From Cisco SD-WAN Release 20.6.1, the following integrity types are supported:
- esp: This option enables Encapsulating Security Payload (ESP) encryption and integrity checking on the ESP header.
- ip-udp-esp: This option enables ESP encryption. In addition to the integrity checks on the ESP header and the payload, the checks also include the outer IP and UDP headers.
- ip-udp-esp-no-id: This option is similar to ip-udp-esp, but the ID field of the outer IP header is ignored. Configure this option in the list of integrity types to have the Cisco Catalyst SD-WAN software ignore the ID field in the IP header so that Cisco Catalyst SD-WAN can work in conjunction with non-Cisco devices.
- none: This option turns integrity checking off on IPsec packets. We do not recommend using this option.
By default, IPsec tunnel connections use an enhanced version of the Encapsulating Security Payload (ESP) protocol for authentication. To modify the negotiated integrity types or to disable integrity checking, use the following command:
Device(config)# security ipsec integrity-type { none | ip-udp-esp | ip-udp-esp-no-id | esp }
Authentication Types Prior to Cisco SD-WAN Release 20.6.1
By default, IPsec tunnel connections use an enhanced version of the Encapsulating Security Payload (ESP) protocol for authentication. To modify the negotiated authentication types or to disable authentication, use the following command:
Device(config)# security ipsec authentication-type (ah-sha1-hmac | ah-no-id | sha1-hmac | none)
By default, IPsec tunnel connections use AES-GCM-256, which provides both encryption and authentication. Configure each authentication type with a separate security ipsec authentication-type command. The command options map to the following authentication types, which are listed in order from strongest to weakest:
Note
The sha1 in the configuration options is used for historical reasons. The authentication options indicate how much of the packet is checked. They do not specify the algorithm that checks the integrity. Except for the encryption of multicast traffic, the authentication algorithms supported by Cisco Catalyst SD-WAN do not use SHA1. From Cisco SD-WAN Release 20.1.x onwards, neither unicast nor multicast uses SHA1.
- ah-sha1-hmac enables encryption and encapsulation using ESP. However, in addition to the integrity checks on the ESP header and payload, the checks also include the outer IP and UDP headers. Hence, this option supports an integrity check of the packet similar to the Authentication Header (AH) protocol. All integrity and encryption is performed using AES-256-GCM.
- ah-no-id enables a mode that is similar to ah-sha1-hmac, however the ID field of the outer IP header is ignored. This option accommodates some non-Cisco Catalyst SD-WAN devices, including the Apple AirPort Express NAT, that have a bug that causes the ID field in the IP header, a non-mutable field, to be modified. Configure the ah-no-id option in the list of authentication types to have the Cisco Catalyst SD-WAN AH software ignore the ID field in the IP header so that the Cisco Catalyst SD-WAN software can work in conjunction with these devices.
- sha1-hmac enables ESP encryption and integrity checking.
- none maps to no authentication. This option should be used only if it is necessary for temporary debugging. You can also choose this option in situations where data plane authentication and integrity are not a concern. Cisco does not recommend using this option for production networks.
For information about which authentication types affect which portion of the data packet, see Data Plane Integrity. Cisco IOS XE Catalyst SD-WAN devices and Cisco vEdge devices advertise their configured authentication types in their TLOC properties. The two routers on either side of an IPsec tunnel connection negotiate the authentication to use on the connection between them, using the strongest authentication type that is configured on both routers. For example, if one router advertises the ah-sha1-hmac and ah-no-id types, and a second router advertises the ah-no-id type, the two routers negotiate to use ah-no-id on the IPsec tunnel connection between them. If no common authentication types are configured on the two peers, no IPsec tunnel is established between them. The encryption algorithm on IPsec tunnel connections depends on the type of traffic:
- For unicast traffic, the encryption algorithm is AES-256-GCM.
- For multicast traffic:
- Cisco SD-WAN Release 20.1.x and later: the encryption algorithm is AES-256-GCM
- Earlier releases: the encryption algorithm is AES-256-CBC with SHA1-HMAC.
When the IPsec authentication type is changed, the AES key for the data path is changed.
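The negotiation described above (each peer advertises its configured types, the tunnel uses the strongest type both have, and no tunnel comes up without a common type), together with the traffic-dependent cipher choice, as an added Python example. It is not Cisco code. The strength ordering of the pre-20.6.1 options is the page's; the mapping of those options onto the 20.6.1 integrity-type names, the function names and the release tuple format are this example's assumptions.

```python
# Added example (not Cisco's code): how two routers settle on a data-plane
# authentication type and which cipher the tunnel then uses.
from typing import Optional

# Pre-20.6.1 CLI options, strongest first, in the order the page gives them.
STRENGTH_ORDER = ["ah-sha1-hmac", "ah-no-id", "sha1-hmac", "none"]

# 20.6.1+ integrity-type names that cover the same part of the packet.
# This mapping is the example's assumption, not a statement from the page.
LEGACY_TO_INTEGRITY = {
    "ah-sha1-hmac": "ip-udp-esp",
    "ah-no-id": "ip-udp-esp-no-id",
    "sha1-hmac": "esp",
    "none": "none",
}
INTEGRITY_TO_LEGACY = {new: old for old, new in LEGACY_TO_INTEGRITY.items()}


def normalize(types) -> set:
    """Accept either naming scheme and work internally with the legacy names."""
    out = set()
    for t in types:
        if t in STRENGTH_ORDER:
            out.add(t)
        elif t in INTEGRITY_TO_LEGACY:
            out.add(INTEGRITY_TO_LEGACY[t])
        else:
            raise ValueError(f"unknown authentication/integrity type: {t}")
    return out


def negotiate(local_types, remote_types) -> Optional[str]:
    """Strongest type configured on BOTH peers, or None when no tunnel can be built."""
    common = normalize(local_types) & normalize(remote_types)
    for t in STRENGTH_ORDER:      # first hit in strength order is the strongest common type
        if t in common:
            return t
    return None


def encryption_algorithm(traffic: str, release: tuple) -> str:
    """Cipher on the IPsec tunnel: AES-256-GCM everywhere from 20.1.x; before that,
    multicast used AES-256-CBC with SHA1-HMAC while unicast already used AES-256-GCM."""
    if traffic not in ("unicast", "multicast"):
        raise ValueError(f"unknown traffic type: {traffic}")
    if traffic == "multicast" and release < (20, 1):
        return "AES-256-CBC/SHA1-HMAC"
    return "AES-256-GCM"


if __name__ == "__main__":
    # The page's own example: one side offers ah-sha1-hmac + ah-no-id, the other only ah-no-id.
    print(negotiate(["ah-sha1-hmac", "ah-no-id"], ["ah-no-id"]))        # ah-no-id
    print(negotiate(["ah-sha1-hmac"], ["sha1-hmac"]))                   # None: no IPsec tunnel
    print(negotiate(["ip-udp-esp", "esp"], ["ah-sha1-hmac", "none"]))   # ah-sha1-hmac
    print(encryption_algorithm("multicast", (19, 2)))                   # AES-256-CBC/SHA1-HMAC
```

Note that a peer configured only with none still negotiates none with any peer that also lists it, which is why the page advises against leaving that option in a production template.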
Change the Rekeying Timer
Before Cisco IOS XE Catalyst SD-WAN devices and Cisco vEdge devices can exchange data traffic, they set up a secure authenticated communications channel between them. The routers use IPsec tunnels between them as the channel, and the AES-256 cipher to perform encryption. Each router generates a new AES key for its data path periodically. By default, a key is valid for 86400 seconds (24 hours), and the timer range is 10 seconds through 1209600 seconds (14 days). To change the rekey timer value:
Device(config)# security ipsec rekey seconds
The configuration looks like this:
security
 ipsec
  rekey seconds
 !
!
If you want to generate new IPsec keys immediately, you can do so without modifying the configuration of the router. To do this, issue the request security ipsec-rekey command on the compromised router. For example, assume that the show ipsec local-sa command shows that the local SA has a Security Parameter Index (SPI) of 256.
A unique key is associated with each SPI. If this key is compromised, use the request security ipsec-rekey command to generate a new key immediately. This command increments the SPI. In our example, the SPI changes to 257 and the key associated with it is now used:
Device# request security ipsec-rekey
Device# show ipsec local-sa
Once the new key is generated, the router sends it immediately to the Cisco SD-WAN Controllers using DTLS or TLS. The Cisco SD-WAN Controllers send the key to the peer routers. The routers begin using it as soon as they receive it. Note that the key associated with the old SPI (256) continues to be used for a short period of time, until it times out. To stop using the old key immediately, issue the request security ipsec-rekey command twice, in quick succession. This sequence of commands removes both SPI 256 and 257 and sets the SPI to 258. The router then uses the key associated with SPI 258. Note that some packets are dropped for a short period of time until all routers learn the new key.
Change the Size of the Anti-Replay Window
IPsec authentication provides anti-replay protection by assigning a unique sequence number to each packet in a data stream. This sequence numbering protects against an attacker duplicating data packets. With anti-replay protection, the sender assigns monotonically increasing sequence numbers, and the destination checks these sequence numbers to detect duplicates. Because packets often do not arrive in order, the destination maintains a sliding window of sequence numbers that it will accept.
Packets with sequence numbers that fall to the left of the sliding window range are considered old or duplicates, and the destination drops them. The destination tracks the highest sequence number it has received, and adjusts the sliding window when it receives a packet with a higher value.
By default, the sliding window is set to 512 packets. It can be set to any value between 64 and 4096 that is a power of 2 (that is, 64, 128, 256, 512, 1024, 2048, or 4096). To modify the anti-replay window size, use the replay-window command, specifying the size of the window:
Device(config)# security ipsec replay-window number
The configuration looks like this:
security
 ipsec
  replay-window number
 !
!
To help with QoS, separate replay windows are maintained for each of the first eight traffic channels. The configured replay window size is divided by eight for each channel. If QoS is configured on a router, that router might experience a larger than expected number of packet drops as a result of the IPsec anti-replay mechanism, and many of the packets that are dropped are legitimate ones. This occurs because QoS reorders packets, giving higher-priority packets preferential treatment and delaying lower-priority packets. To minimize or prevent this situation, you can do the following:
- Increase the size of the anti-replay window.
- Engineer traffic onto the first eight traffic channels to ensure that traffic within a channel is not reordered.
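The sliding anti-replay window described above, as an added Python example that is not Cisco code: a bitmap window that drops packets left of the window and duplicates inside it, slides on a higher sequence number, and shows how the per-channel share of the configured window (one eighth) turns QoS reordering into drops of legitimate packets. The class and function names, and the sample sequence-number streams, are constructed for the example.

```python
# Added example (not Cisco's code): a receiver-side anti-replay window of the
# kind described above. Class and function names are this example's own.

VALID_CONFIGURED_SIZES = {64, 128, 256, 512, 1024, 2048, 4096}   # replay-window values
TRAFFIC_CHANNELS = 8                                            # separate window per channel


def channel_window_size(configured: int) -> int:
    """Window each of the first eight traffic channels gets: the configured size split eight ways."""
    if configured not in VALID_CONFIGURED_SIZES:
        raise ValueError(f"replay-window must be one of {sorted(VALID_CONFIGURED_SIZES)}")
    return configured // TRAFFIC_CHANNELS


class ReplayWindow:
    """Sliding window over (highest - size, highest]; a bitmap remembers what arrived.

    Left of the window: dropped as old or replayed. Inside: accepted once, then
    dropped as a duplicate. Above: accepted, and the window slides forward.
    """

    def __init__(self, size: int):
        if size <= 0:
            raise ValueError("window size must be positive")
        self.size = size
        self.highest = 0          # highest sequence number accepted so far
        self.seen = 0             # bit k set => sequence number (highest - k) was received
        self.accepted = 0
        self.dropped = 0

    def check(self, seq: int) -> bool:
        """True if the packet with this sequence number is accepted, False if dropped."""
        if seq <= 0:              # ESP sequence numbers start at 1
            self.dropped += 1
            return False
        if seq > self.highest:    # newer than anything seen: slide the window
            shift = seq - self.highest
            self.seen = ((self.seen << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            self.accepted += 1
            return True
        offset = self.highest - seq
        if offset >= self.size or (self.seen >> offset) & 1:
            self.dropped += 1     # too old for the window, or already received
            return False
        self.seen |= 1 << offset
        self.accepted += 1
        return True


def run_stream(size: int, seqs) -> list:
    """Feed a stream of sequence numbers through one window; return the per-packet verdicts."""
    window = ReplayWindow(size)
    return [window.check(s) for s in seqs]


if __name__ == "__main__":
    w = ReplayWindow(64)
    print(w.check(1), w.check(2), w.check(2))        # True True False: second 2 is a replay
    print(w.check(100), w.check(40), w.check(36))    # True True False: 36 is 64 behind 100
    # QoS reordering (constructed stream): packet 5 is held back while 6..79 are sent
    # first. With the default 512-packet window each channel gets 64, so the
    # legitimate packet 5 is dropped; doubling the configured window keeps it.
    reordered = [1, 2, 3, 4] + list(range(6, 80)) + [5]
    print(run_stream(channel_window_size(512), reordered)[-1])    # False
    print(run_stream(channel_window_size(1024), reordered)[-1])   # True
```

The bitmap keeps the check O(1) per packet regardless of window size, which is why the page can offer windows up to 4096 without a per-packet search.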
Configure IKE-Enabled IPsec Tunnels
To securely transfer traffic from the overlay network to a service network, you can configure IPsec tunnels that run the Internet Key Exchange (IKE) protocol. IKE-enabled IPsec tunnels provide authentication and encryption to ensure secure packet transport. You create an IKE-enabled IPsec tunnel by configuring an IPsec interface. IPsec interfaces are logical interfaces, and you configure them just like any other physical interface. You configure IKE protocol parameters on the IPsec interface, and you can configure other interface properties.
Note: Cisco recommends using IKE Version 2. Starting from the Cisco SD-WAN 19.2.x release, the pre-shared key must be at least 16 bytes in length. IPsec tunnel establishment fails if the key is shorter than 16 characters when the router is upgraded to version 19.2.
Note
The Cisco Catalyst SD-WAN software supports IKE Version 2 as defined in RFC 7296. One use for IPsec tunnels is to allow vEdge Cloud router VM instances running on Amazon AWS to connect to the Amazon virtual private cloud (VPC). You must configure IKE Version 1 on these routers. Cisco vEdge devices support only route-based VPNs in an IPsec configuration because these devices cannot define traffic selectors in the encryption domain.
Configure an IPsec Tunnel
To configure an IPsec tunnel interface for secure transport traffic from a service network, you create a logical IPsec interface (vpn vpn-id interface ipsecnumber) and give it an IP address, a tunnel source, and a tunnel destination.
You can create the IPsec tunnel in the transport VPN (VPN 0) and in any service VPN (VPN 1 through 65530, except for 512). The IPsec interface has a name in the format ipsecnumber, where number can be from 1 through 255. Each IPsec interface must have an IPv4 address. This address must be a /30 prefix. All traffic in the VPN that is within this IPv4 prefix is directed to a physical interface in VPN 0 to be sent securely over an IPsec tunnel. To configure the source of the IPsec tunnel on the local device, you can specify either the IP address of the physical interface (in the tunnel-source command) or the name of the physical interface (in the tunnel-source-interface command). Ensure that the physical interface is configured in VPN 0. To configure the destination of the IPsec tunnel, specify the IP address of the remote device in the tunnel-destination command. The combination of a source address (or source interface name) and a destination address defines a single IPsec tunnel. Only one IPsec tunnel can exist that uses a specific source address (or interface name) and destination address pair.
Configure an IPsec Static Route
To direct traffic from the service VPN to an IPsec tunnel in the transport VPN (VPN 0), you configure an IPsec-specific static route in a service VPN (a VPN other than VPN 0 or VPN 512):
vEdge(config)# vpn vpn-id
vEdge(config-vpn)# ip ipsec-route prefix/length vpn 0 interface ipsecnumber [ipsecnumber2]
The VPN ID is that of any service VPN (VPN 1 through 65530, except for 512). prefix/length is the IP address or prefix, in decimal four-part dotted notation, and the prefix length of the IPsec-specific static route. The interface is the IPsec tunnel interface in VPN 0. You can configure one or two IPsec tunnel interfaces. If you configure two, the first is the primary IPsec tunnel, and the second is the backup. With two interfaces, all packets are sent only to the primary tunnel. If that tunnel fails, all packets are then sent to the secondary tunnel. If the primary tunnel comes back up, all traffic is moved back to the primary IPsec tunnel.
Enable IKE Version 1
When you create an IPsec tunnel on a vEdge router, IKE Version 1 is enabled by default on the tunnel interface. The following properties are also enabled by default for IKEv1:
- Authentication and encryption: AES-256 advanced encryption standard CBC encryption with the HMAC-SHA1 keyed-hash message authentication code algorithm for integrity
- Diffie-Hellman group number: 16
- Rekeying time interval: 4 hours
- SA establishment mode: Main
By default, IKEv1 uses IKE main mode to establish IKE SAs. In this mode, six negotiation packets are exchanged to establish the SA. To exchange only three negotiation packets, enable aggressive mode:
Note
IKE aggressive mode with pre-shared keys should be avoided wherever possible. Otherwise, a strong pre-shared key must be chosen.
vEdge(config)# vpn vpn-id interface ipsecnumber ike
vEdge(config-ike)# mode aggressive
By default, IKEv1 uses Diffie-Hellman group 16 in the IKE key exchange. This group uses the 4096-bit more modular exponential (MODP) group during IKE key exchange. You can change the group number to 2 (for 1024-bit MODP), 14 (2048-bit MODP), or 15 (3072-bit MODP):
vEdge(config)# vpn vpn-id interface ipsecnumber ike
vEdge(config-ike)# group number
By default, IKE key exchange uses AES-256 advanced encryption standard CBC encryption with the HMAC-SHA1 keyed-hash message authentication code algorithm for integrity. You can change the authentication:
vEdge(config)# vpn vpn-id interface ipsecnumber ike
vEdge(config-ike)# cipher-suite suite
The authentication suite can be one of the following:
- aes128-cbc-sha1: AES-128 advanced encryption standard CBC encryption with the HMAC-SHA1 keyed-hash message authentication code algorithm for integrity
- aes128-cbc-sha2: AES-128 advanced encryption standard CBC encryption with the HMAC-SHA256 keyed-hash message authentication code algorithm for integrity
- aes256-cbc-sha1: AES-256 advanced encryption standard CBC encryption with the HMAC-SHA1 keyed-hash message authentication code algorithm for integrity; this is the default
- aes256-cbc-sha2: AES-256 advanced encryption standard CBC encryption with the HMAC-SHA256 keyed-hash message authentication code algorithm for integrity
By default, IKE keys are refreshed every 1 hour (3600 seconds). You can change the rekeying interval to a value from 30 seconds through 14 days (1209600 seconds). It is recommended that the rekeying interval be at least 1 hour.
vEdge(config)# vpn vpn-id interface ipsecnumber ike
vEdge(config-ike)# rekey seconds
To force the generation of new keys for an IKE session, issue the request ipsec ike-rekey command.
For IKE, you can also configure preshared key (PSK) authentication:
vEdge(config)# vpn vpn-id interface ipsecnumber ike
vEdge(config-ike)# authentication-type pre-shared-key pre-shared-secret password
password is the password to use with the pre-shared key. It can be an ASCII or a hexadecimal string from 1 through 127 characters long.
If the remote IKE peer requires a local or remote ID, you can configure this identifier:
vEdge(config)# vpn vpn-id interface ipsecnumber ike authentication-type
vEdge(config-authentication-type)# local-id id
vEdge(config-authentication-type)# remote-id id
The identifier can be an IP address or any text string from 1 through 63 characters long. By default, the local ID is the tunnel's source IP address and the remote ID is the tunnel's destination IP address.
Enable IKE Version 2
When you configure an IPsec tunnel to use IKE Version 2, the following properties are also enabled by default for IKEv2:
- Authentication and encryption: AES-256 advanced encryption standard CBC encryption with the HMAC-SHA1 keyed-hash message authentication code algorithm for integrity
- Diffie-Hellman group number: 16
- Rekeying time interval: 4 hours
By default, IKEv2 uses Diffie-Hellman group 16 in the IKE key exchange. This group uses the 4096-bit more modular exponential (MODP) group during IKE key exchange. You can change the group number to 2 (for 1024-bit MODP), 14 (2048-bit MODP), or 15 (3072-bit MODP):
vEdge(config)# vpn vpn-id interface ipsecnumber ike
vEdge(config-ike)# group number
By default, IKE key exchange uses AES-256 advanced encryption standard CBC encryption with the HMAC-SHA1 keyed-hash message authentication code algorithm for integrity. You can change the authentication:
vEdge(config)# vpn vpn-id interface ipsecnumber ike
vEdge(config-ike)# cipher-suite suite
The authentication suite can be one of the following:
- aes128-cbc-sha1: AES-128 advanced encryption standard CBC encryption with the HMAC-SHA1 keyed-hash message authentication code algorithm for integrity
- aes128-cbc-sha2: AES-128 advanced encryption standard CBC encryption with the HMAC-SHA256 keyed-hash message authentication code algorithm for integrity
- aes256-cbc-sha1: AES-256 advanced encryption standard CBC encryption with the HMAC-SHA1 keyed-hash message authentication code algorithm for integrity; this is the default
- aes256-cbc-sha2: AES-256 advanced encryption standard CBC encryption with the HMAC-SHA256 keyed-hash message authentication code algorithm for integrity
By default, IKE keys are refreshed every 4 hours (14,400 seconds). You can change the rekeying interval to a value from 30 seconds through 14 days (1,209,600 seconds):
vEdge(config)# vpn vpn-id interface ipsecnumber ike
vEdge(config-ike)# rekey seconds
To force the generation of new keys for an IKE session, issue the request ipsec ike-rekey command. For IKE, you can also configure preshared key (PSK) authentication:
vEdge(config)# vpn vpn-id interface ipsecnumber ike
vEdge(config-ike)# authentication-type pre-shared-key pre-shared-secret password
password is the password to use with the pre-shared key. It can be an ASCII or a hexadecimal string, or it can be an AES-encrypted key. If the remote IKE peer requires a local or remote ID, you can configure this identifier:
vEdge(config)# vpn vpn-id interface ipsecnumber ike authentication-type
vEdge(config-authentication-type)# local-id id
vEdge(config-authentication-type)# remote-id id
The identifier can be an IP address or any text string from 1 through 64 characters long. By default, the local ID is the tunnel's source IP address and the remote ID is the tunnel's destination IP address.
Configure IPsec Tunnel Parameters
Table 4: Feature History
Feature Name | Release Information | Description |
Additional Cryptographic Algorithm Support for IPsec Tunnels | Cisco SD-WAN Release 20.1.1 | This feature adds support for the HMAC_SHA256, HMAC_SHA384, and HMAC_SHA512 algorithms for enhanced security. |
By default, the following parameters are used on the IPsec tunnel that carries IKE traffic:
- Authentication and encryption: AES-256 algorithm in GCM (Galois/counter mode)
- Rekeying interval: 4 hours
- Replay window: 32 packets
You can change the encryption on the IPsec tunnel to the AES-256 cipher in CBC (cipher block chaining) mode with HMAC using either SHA-1 or SHA-2 keyed-hash message authentication, or to null with HMAC using either SHA-1 or SHA-2 keyed-hash message authentication, which leaves the IPsec tunnel used for IKE key exchange traffic unencrypted:
vEdge(config-interface-ipsecnumber)# ipsec
vEdge(config-ipsec)# cipher-suite (aes256-gcm | aes256-cbc-sha1 | aes256-cbc-sha256 | aes256-cbc-sha384 | aes256-cbc-sha512 | aes256-null-sha1 | aes256-null-sha256 | aes256-null-sha384 | aes256-null-sha512)
By default, IKE keys are refreshed every 4 hours (14,400 seconds). You can change the rekeying interval to a value from 30 seconds through 14 days (1,209,600 seconds):
vEdge(config-interface-ipsecnumber)# ipsec
vEdge(config-ipsec)# rekey seconds
To force the generation of new keys for an IPsec tunnel, issue the request ipsec ipsec-rekey command. By default, perfect forward secrecy (PFS) is enabled on IPsec tunnels, to ensure that past sessions are not affected if future keys are compromised. PFS forces a new Diffie-Hellman key exchange, by default using the 4096-bit Diffie-Hellman prime modulus group. You can change the PFS setting:
vEdge(config-interface-ipsecnumber)# ipsec
vEdge(config-ipsec)# perfect-forward-secrecy pfs-setting
pfs-setting can be one of the following:
- group-2: Use the 1024-bit Diffie-Hellman prime modulus group.
- group-14: Use the 2048-bit Diffie-Hellman prime modulus group.
- group-15: Use the 3072-bit Diffie-Hellman prime modulus group.
- group-16: Use the 4096-bit Diffie-Hellman prime modulus group. This is the default.
- none: Disable PFS.
By default, the IPsec replay window on IPsec tunnels is 512 packets. You can set the replay window size to 64, 128, 256, 512, 1024, 2048, or 4096 packets:
vEdge(config-interface-ipsecnumber)# ipsec
vEdge(config-ipsec)# replay-window number
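A lint pass over the IKE and IPsec tunnel parameters from the IKEv1, IKEv2 and IPsec tunnel parameter sections above, as an added Python example that is not Cisco code. It checks the value ranges the page gives (interface numbers, VPN IDs, /30 addresses, DH groups, cipher suites, rekey intervals, the 16-byte pre-shared key minimum from 19.2, PFS settings, replay window) and flags the choices the page advises against. The configuration dictionary layout and field names are this example's own, and the extra policy it applies (warning on DH group 2, null IPsec ciphers, PFS off, and IKEv1 aggressive mode with a PSK) is the example's recommendation, not a statement from the page.

```python
# Added example (not Cisco's code): lint an IPsec tunnel interface definition
# against the ranges on this page. Field names and layout are the example's own.
import re
from dataclasses import dataclass, field

IKE_CIPHER_SUITES = {"aes128-cbc-sha1", "aes128-cbc-sha2", "aes256-cbc-sha1", "aes256-cbc-sha2"}
IPSEC_CIPHER_SUITES = {
    "aes256-gcm", "aes256-cbc-sha1", "aes256-cbc-sha256", "aes256-cbc-sha384", "aes256-cbc-sha512",
    "aes256-null-sha1", "aes256-null-sha256", "aes256-null-sha384", "aes256-null-sha512",
}
DH_GROUP_BITS = {2: 1024, 14: 2048, 15: 3072, 16: 4096}
PFS_SETTINGS = {"group-2", "group-14", "group-15", "group-16", "none"}
REPLAY_WINDOWS = {64, 128, 256, 512, 1024, 2048, 4096}
REKEY_MIN, REKEY_MAX = 30, 1_209_600      # 30 seconds .. 14 days
PSK_MIN_BYTES_FROM_19_2 = 16


@dataclass
class Findings:
    errors: list = field(default_factory=list)     # rejected config, or tunnel will not come up
    warnings: list = field(default_factory=list)   # accepted, but weak or discouraged

    @property
    def ok(self) -> bool:
        return not self.errors


def lint_ipsec_interface(cfg: dict, release=(20, 6)) -> Findings:
    """cfg mirrors the CLI hierarchy: top-level vpn/interface/ip_address, then 'ike' and 'ipsec' dicts."""
    f = Findings()
    err, warn = f.errors.append, f.warnings.append

    vpn, num = cfg.get("vpn", 0), cfg.get("interface", 1)
    if not (vpn == 0 or 1 <= vpn <= 65530) or vpn == 512:
        err(f"vpn {vpn}: must be 0 or 1..65530, excluding 512")
    if not 1 <= num <= 255:
        err(f"ipsec{num}: interface number must be 1..255")
    if not re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}/30", cfg.get("ip_address", "")):
        err("ip address: an IPsec interface needs an IPv4 /30 prefix")

    ike = cfg.get("ike", {})
    version = ike.get("version", 1)               # IKEv1 is the interface default
    if version == 1:
        warn("IKE version 1 in use; Cisco recommends IKE version 2")
    elif version != 2:
        err(f"ike version {version}: must be 1 or 2")
    group = ike.get("group", 16)
    if group not in DH_GROUP_BITS:
        err(f"ike group {group}: must be one of {sorted(DH_GROUP_BITS)}")
    elif DH_GROUP_BITS[group] < 2048:
        warn(f"ike group {group} is a {DH_GROUP_BITS[group]}-bit MODP group; prefer 14 or higher")
    if ike.get("cipher_suite", "aes256-cbc-sha1") not in IKE_CIPHER_SUITES:
        err(f"ike cipher-suite {ike.get('cipher_suite')!r} is not a valid choice")
    rekey = ike.get("rekey", 14_400)
    if not REKEY_MIN <= rekey <= REKEY_MAX:
        err(f"ike rekey {rekey}: must be {REKEY_MIN}..{REKEY_MAX} seconds")
    elif rekey < 3600:
        warn("ike rekey below one hour; the page recommends at least 3600 s")

    psk = ike.get("pre_shared_secret")
    if psk is not None:
        if not 1 <= len(psk) <= 127:
            err("pre-shared-secret must be 1..127 characters")
        if release >= (19, 2) and len(psk.encode()) < PSK_MIN_BYTES_FROM_19_2:
            err(f"pre-shared-secret shorter than {PSK_MIN_BYTES_FROM_19_2} bytes: tunnel setup fails on 19.2+")
        if version == 1 and ike.get("mode") == "aggressive":
            warn("IKEv1 aggressive mode with a pre-shared key should be avoided; use main mode")

    ipsec = cfg.get("ipsec", {})
    suite = ipsec.get("cipher_suite", "aes256-gcm")
    if suite not in IPSEC_CIPHER_SUITES:
        err(f"ipsec cipher-suite {suite!r} is not a valid choice")
    elif "null" in suite:
        warn(f"ipsec cipher-suite {suite}: the tunnel carrying IKE traffic is left unencrypted")
    pfs = ipsec.get("perfect_forward_secrecy", "group-16")
    if pfs not in PFS_SETTINGS:
        err(f"ipsec perfect-forward-secrecy {pfs!r} is not a valid choice")
    elif pfs == "none":
        warn("PFS disabled: a future key compromise exposes past sessions")
    irekey = ipsec.get("rekey", 14_400)
    if not REKEY_MIN <= irekey <= REKEY_MAX:
        err(f"ipsec rekey {irekey}: must be {REKEY_MIN}..{REKEY_MAX} seconds")
    if ipsec.get("replay_window", 512) not in REPLAY_WINDOWS:
        err("ipsec replay-window must be a power of two from 64 to 4096")
    return f


if __name__ == "__main__":
    # Constructed weak configuration: short PSK, aggressive IKEv1, 1024-bit DH, null cipher, no PFS.
    weak = {"vpn": 1, "interface": 1, "ip_address": "10.1.1.1/30",
            "ike": {"version": 1, "mode": "aggressive", "group": 2,
                    "pre_shared_secret": "short", "rekey": 600},
            "ipsec": {"cipher_suite": "aes256-null-sha1", "perfect_forward_secrecy": "none"}}
    result = lint_ipsec_interface(weak)
    for line in result.errors + result.warnings:
        print(line)
```

Errors are the things the device or the peer will refuse (the tunnel simply does not come up); warnings are accepted by the CLI but weaken the tunnel, and are the ones worth catching in a template review before rollout.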
Modify IKE Dead-Peer Detection
IKE uses a dead-peer detection mechanism to determine whether the connection to an IKE peer is functional and reachable. To implement this mechanism, IKE sends a Hello packet to its peer, and the peer sends an acknowledgement in response. By default, IKE sends Hello packets every 10 seconds, and after three unacknowledged packets, IKE declares the neighbor to be dead and tears down the tunnel to the peer. Thereafter, IKE periodically sends a Hello packet to the peer, and re-establishes the tunnel when the peer comes back online. You can change the liveness detection interval to a value from 0 through 65535, and you can change the number of retries to a value from 0 through 255.
Note
For transport VPNs, the liveness detection interval is adjusted to seconds using the following formula: interval for retransmission number N = interval * 1.8^(N-1). For example, if the interval is set to 10 and the retries to 5, the detection interval increases as follows:
- Retry 1: 10 * 1.8^(1-1) = 10 seconds
- Retry 2: 10 * 1.8^(2-1) = 18 seconds
- Retry 3: 10 * 1.8^(3-1) = 32.4 seconds
- Retry 4: 10 * 1.8^(4-1) = 58.32 seconds
- Retry 5: 10 * 1.8^(5-1) = 104.976 seconds
vEdge(config-interface-ipsecnumber)# dead-peer-detection interval seconds retries number
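The dead-peer-detection timing from the note above, worked through as an added Python example (not Cisco code): the per-retry waits for a transport VPN under the interval * 1.8^(N-1) formula, the fixed-interval schedule used elsewhere, and the total silence each tolerates before the peer is declared dead. The function names and the interpretation of "time tolerated" as the sum of the waits are this example's assumptions.

```python
# Added example (not Cisco's code): dead-peer-detection schedule and total
# detection time for the parameters described above.

def dpd_schedule(interval: int, retries: int, transport_vpn: bool = True) -> list:
    """Seconds to wait before retransmission N, for N = 1..retries.

    In a transport VPN the wait grows as interval * 1.8**(N-1); elsewhere the
    configured interval is used unchanged for every retry.
    """
    if not 0 <= interval <= 65535:
        raise ValueError("interval must be 0..65535")
    if not 0 <= retries <= 255:
        raise ValueError("retries must be 0..255")
    if transport_vpn:
        return [round(interval * 1.8 ** (n - 1), 3) for n in range(1, retries + 1)]
    return [float(interval)] * retries


def silence_tolerated(interval: int, retries: int, transport_vpn: bool = True) -> float:
    """Total time a peer can stay silent before IKE declares it dead: the sum of all waits
    (this example's reading of the schedule, not a figure stated on the page)."""
    return round(sum(dpd_schedule(interval, retries, transport_vpn)), 3)


if __name__ == "__main__":
    for n, wait in enumerate(dpd_schedule(10, 5), start=1):
        print(f"retry {n}: {wait} s")          # 10, 18, 32.4, 58.32, 104.976
    print(silence_tolerated(10, 5))            # 223.696 s on a transport VPN
    print(silence_tolerated(10, 5, False))     # 50.0 s with a fixed interval
```

The practical point is the difference between the two totals: with the same interval and retry count, a transport-VPN tunnel to a peer that has silently died stays up more than four times longer than a fixed-interval one, so the retry count, not only the interval, is what bounds failover time there.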
Configure Other Interface Properties
For IPsec tunnel interfaces, you can configure only the following additional interface properties:
vEdge(config-interface-ipsec)# mtu bytes
vEdge(config-interface-ipsec)# tcp-mss-adjust bytes
Disable Weak SSH Encryption Algorithms on Cisco SD-WAN Manager
Table 5: Feature History
Feature Name | Release Information | Feature Description |
Disable Weak SSH Encryption Algorithms on Cisco SD-WAN Manager | Cisco vManage Release 20.9.1 | This feature lets you disable weak SSH encryption algorithms on Cisco SD-WAN Manager that may not comply with certain data security standards. |
Information About Disabling Weak SSH Encryption Algorithms on Cisco SD-WAN Manager
Cisco SD-WAN Manager provides an SSH client for communication with components in the network, including controllers and edge devices. The SSH client provides an encrypted connection for secure data transfer, based on a variety of encryption algorithms. Many organizations require stronger encryption than that provided by SHA-1, AES-128, and AES-192. From Cisco vManage Release 20.9.1, you can disable the following weaker encryption algorithms so that the SSH client does not use them:
- SHA-1
- AES-128
- AES-192
Before disabling these encryption algorithms, ensure that the Cisco vEdge devices, if any, in the network are running a software release later than Cisco SD-WAN Release 18.4.6.
Benefits of Disabling Weak SSH Encryption Algorithms on Cisco SD-WAN Manager
Disabling weaker SSH encryption algorithms improves the security of SSH communication, and ensures that organizations using Cisco Catalyst SD-WAN comply with strict security standards.
Disable Weak SSH Encryption Algorithms on Cisco SD-WAN Manager Using the CLI
- From the Cisco SD-WAN Manager menu, choose Tools > SSH Terminal.
- Choose the Cisco SD-WAN Manager device on which you want to disable the weaker SSH algorithms.
- Enter the username and password to log in to the device.
- Enter SSH server mode:
vmanage(config)# system
vmanage(config-system)# ssh-server
- Do one of the following to disable an SSH encryption algorithm:
- Disable SHA-1:
vmanage(config-ssh-server)# no kex-algo sha1
vmanage(config-ssh-server)# commit
The following warning message is displayed:
The following warnings were generated: 'system ssh-server kex-algo sha1': WARNING: Please ensure all your edges run code version > 18.4.6 which negotiates better than SHA1 with vManage. Otherwise, they may end up offline. Proceed? [yes,no] yes
Ensure that all Cisco vEdge devices in the network are running Cisco SD-WAN Release 18.4.6 or later, and enter yes.
- Disable AES-128 and AES-192:
vmanage(config-ssh-server)# no cipher aes-128-192
vmanage(config-ssh-server)# commit
The following warning message is displayed:
The following warnings were generated: 'system ssh-server cipher aes-128-192': WARNING: Please ensure all your edges run code version > 18.4.6 which negotiates better than AES-128-192 with vManage. Otherwise, they may end up offline. Proceed? [yes,no] yes
Ensure that all Cisco vEdge devices in the network are running Cisco SD-WAN Release 18.4.6 or later, and enter yes.
Verify That Weak SSH Encryption Algorithms Are Disabled on Cisco SD-WAN Manager Using the CLI
- From the Cisco SD-WAN Manager menu, choose Tools > SSH Terminal.
- Choose the Cisco SD-WAN Manager device that you want to verify.
- Enter the username and password to log in to the device.
- Run the following command: show running-config system ssh-server
- Confirm that the output shows one or both of the commands that disable weaker encryption algorithms:
- no cipher aes-128-192
- no kex-algo sha1
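The verification step above, automated as an added Python example (not Cisco code): a small parser that extracts the ssh-server block from show running-config system ssh-server output and reports which weak algorithm family has not been disabled. The two sample outputs are constructed for the example in the indented CLI layout such configs use, and the function names are the example's own.

```python
# Added example (not Cisco's code): check 'show running-config system ssh-server'
# output for the two lines the verification procedure expects.

# Each weak family and the config line that proves it has been disabled.
WEAK_ALGO_LINES = {
    "sha1 key exchange": "no kex-algo sha1",
    "AES-128/AES-192 ciphers": "no cipher aes-128-192",
}

# Constructed sample output after both algorithms were disabled.
SAMPLE_HARDENED = """\
system
 ssh-server
  no cipher aes-128-192
  no kex-algo sha1
 !
!
"""

# Constructed sample output for a Manager still at the defaults.
SAMPLE_DEFAULT = """\
system
 ssh-server
 !
!
"""


def ssh_server_block(running_config: str) -> list:
    """Lines inside 'system' / 'ssh-server', with indentation stripped."""
    lines, inside = [], False
    for raw in running_config.splitlines():
        line = raw.strip()
        if line == "ssh-server":
            inside = True
            continue
        if inside:
            if line == "!":          # end of the ssh-server block
                break
            lines.append(line)
    return lines


def weak_ssh_algorithms_still_enabled(running_config: str) -> list:
    """Names of weak algorithm families whose disabling line is missing from the config."""
    present = set(ssh_server_block(running_config))
    return [name for name, needed in WEAK_ALGO_LINES.items() if needed not in present]


if __name__ == "__main__":
    print(weak_ssh_algorithms_still_enabled(SAMPLE_HARDENED))   # []
    print(weak_ssh_algorithms_still_enabled(SAMPLE_DEFAULT))    # both families still enabled
```

Run against the real command output captured from the SSH terminal; an empty list is the pass condition the procedure describes, and anything else names the commit still to be made.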
Documents / Resources
CISCO SD-WAN Configure Security Parameters [pdf] User Guide