Cisco SD-WAN: Configure Security Parameters
Configure Security Parameters
Note
For simplicity and consistency, the Cisco SD-WAN solution has been rebranded as Cisco Catalyst SD-WAN. In addition, from Cisco IOS XE SD-WAN Release 17.12.1a and Cisco Catalyst SD-WAN Release 20.12.1, the following component changes apply: Cisco vManage to Cisco Catalyst SD-WAN Manager, Cisco vAnalytics to Cisco Catalyst SD-WAN Analytics, Cisco vBond to Cisco Catalyst SD-WAN Validator, and Cisco vSmart to Cisco Catalyst SD-WAN Controller. See the latest Release Notes for a comprehensive list of all the component brand name changes. While we transition to the new names, some inconsistencies might be present in the documentation set because of a phased approach to the user interface updates of the software product.
This section describes how to configure control plane and data plane security parameters in the Cisco Catalyst SD-WAN overlay network.
- Configure Control Plane Security Parameters
- Configure Data Plane Security Parameters
- Configure IKE-Enabled IPsec Tunnels
- Disable Weak SSH Algorithms on Cisco SD-WAN Manager
Configure Control Plane Security Parameters
By default, the control plane uses DTLS as the protocol that provides privacy on all of its tunnels. DTLS runs over UDP. You can change the control plane security protocol to TLS, which runs over TCP. The primary reason to use TLS is that, if you consider the Cisco SD-WAN Controller to be a server, firewalls protect TCP servers better than UDP servers. You configure the control plane tunnel protocol on a Cisco SD-WAN Controller:
vSmart(config)# security control protocol tls
With this change, all control plane tunnels between the Cisco SD-WAN Controller and the routers, and between the Cisco SD-WAN Controller and Cisco SD-WAN Manager, use TLS. Control plane tunnels to the Cisco Catalyst SD-WAN Validator always use DTLS, because these connections must be handled by UDP. In a domain with multiple Cisco SD-WAN Controllers, when you configure TLS on one of the Cisco SD-WAN Controllers, all control plane tunnels from that controller to the other controllers use TLS. Said another way, TLS always takes precedence over DTLS. However, from the perspective of the other Cisco SD-WAN Controllers, if you have not configured TLS on them, they use TLS only on the control plane tunnel to that one Cisco SD-WAN Controller, and they use DTLS tunnels to all the other Cisco SD-WAN Controllers and to all of their connected routers. To have all Cisco SD-WAN Controllers use TLS, configure it on all of them. By default, the Cisco SD-WAN Controller listens on port 23456 for TLS requests. To change this:
vSmart(config)# security control tls-port number
The port can be a number from 1025 through 65535. To display control plane security information, use the show control connections command on the Cisco SD-WAN Controller. For example:
vSmart-2# show control connections
Configure DTLS in Cisco SD-WAN Manager
If you configure the Cisco SD-WAN Manager to use TLS as the control plane security protocol, you must enable port forwarding on your NAT. If you are using DTLS as the control plane security protocol, you do not need to do anything. The number of ports forwarded depends on the number of vdaemon processes running on the Cisco SD-WAN Manager. To display information about these processes and about the number of ports that are being forwarded, use the show control summary command. The following output shows that four vdaemon processes are running:
To see the listening ports, use the show control local-properties command:
vManage# show control local-properties
This output shows that the listening TCP port is 23456. If you are running Cisco SD-WAN Manager behind a NAT, you must open the following ports on the NAT device:
- 23456 (base - instance 0 port)
- 23456 + 100 (base + 100)
- 23456 + 200 (base + 200)
- 23456 + 300 (base + 300)
Note that the number of instances is the same as the number of cores you have assigned to the Cisco SD-WAN Manager, up to a maximum of 8.
Configure Security Parameters Using the Security Feature Template
Use the Security template for all Cisco vEdge devices. On the edge routers and on the Cisco SD-WAN Validator, use this template to configure IPsec for data plane security. On Cisco SD-WAN Manager and the Cisco SD-WAN Controller, use the Security template to configure DTLS or TLS for control plane security.
Configure Security Parameters
- From the Cisco SD-WAN Manager menu, choose Configuration > Templates.
- Click Feature Templates, and then click Add Template.
Note: In Cisco vManage Release 20.7.1 and earlier releases, Feature Templates is titled Feature.
- From the Devices list in the left pane, select a device. The templates applicable to the selected device appear in the right pane.
- Click Security to open the template.
- In the Template Name field, enter a name for the template. The name can be up to 128 characters and can contain only alphanumeric characters.
- In the Template Description field, enter a description of the template. The description can be up to 2048 characters and can contain only alphanumeric characters.
When you first open a feature template, for each parameter that has a default value, the scope is set to Default (indicated by a check mark), and the default setting or value is shown. To change the default or to enter a value, click the scope drop-down to the left of the parameter field and select one of the following:
Table 1:
Parameter Scope | Scope Description
Device Specific (indicated by a host icon) | Use a device-specific value for the parameter. For device-specific parameters, you cannot enter a value in the feature template. You enter the value when you attach a Viptela device to a device template. When you click Device Specific, the Enter Key box opens. This box displays a key, which is a unique string that identifies the parameter in a CSV file that you create. This file is an Excel spreadsheet that contains one column for each key. The header row contains the key names (one key per column), and each row after that corresponds to a device and defines the values of the keys for that device. You upload the CSV file when you attach a Viptela device to a device template. For more information, see Create a Template Variables Spreadsheet. To change the default key, type a new string and move the cursor out of the Enter Key box. Examples of device-specific parameters are system IP address, hostname, GPS location, and site ID.
Global (indicated by a globe icon) | Enter a value for the parameter, and apply that value to all devices. Examples of parameters that you might apply globally to a group of devices are DNS server, syslog server, and interface MTUs.
Configure Control Plane Security
Note
The Configure Control Plane Security section applies to Cisco SD-WAN Manager and the Cisco SD-WAN Controller only. To configure the control plane connection protocol on a Cisco SD-WAN Manager or a Cisco SD-WAN Controller, select the Basic Configuration tab and configure the following parameters:
Table 2:
Parameter Name | Description
Protocol | Select the protocol to use on control plane connections to a Cisco SD-WAN Controller:
• DTLS (Datagram Transport Layer Security). This is the default. • TLS (Transport Layer Security)
Control TLS Port | If you selected TLS, configure the port number to use. Range: 1025 through 65535. Default: 23456
Click Save.
Configure Data Plane Security
To configure data plane security on a Cisco SD-WAN Validator or a Cisco vEdge router, select the Basic Configuration and Authentication Type tabs, and configure the following parameters:
Table 3:
Parameter Name | Description
Rekey Time | Specify how often a Cisco vEdge router changes the AES key used on its secure DTLS connection to the Cisco SD-WAN Controller. If OMP graceful restart is enabled, the rekeying time must be at least twice the value of the OMP graceful restart timer. Range: 10 through 1209600 seconds (14 days). Default: 86400 seconds (24 hours)
Replay Window | Specify the size of the sliding replay window.
Values: 64, 128, 256, 512, 1024, 2048, 4096, 8192 packets. Default: 512 packets
IPsec pairwise-keying | This is disabled by default. Click On to enable it.
Authentication Type | Select the authentication types from the Authentication List, and click the right-pointing arrow to move the authentication types to the Selected List column.
Authentication types supported from Cisco SD-WAN Release 20.6.1: • esp: Enables Encapsulating Security Payload (ESP) encryption and integrity checking on the ESP header. • ip-udp-esp: Enables ESP encryption. In addition to the integrity checks on the ESP header and payload, the checks also include the outer IP and UDP headers. • ip-udp-esp-no-id: Ignores the ID field in the IP header so that Cisco Catalyst SD-WAN can work in conjunction with non-Cisco devices. • none: Turns integrity checking off on IPsec packets. We do not recommend using this option.
Authentication types supported in Cisco SD-WAN Release 20.5.1 and earlier: • ah-no-id: Enable a modified version of AH-SHA1 HMAC and ESP HMAC-SHA1 that ignores the ID field in the outer IP header of the packet. • ah-sha1-hmac: Enable AH-SHA1 HMAC and ESP HMAC-SHA1. • none: Select no authentication. • sha1-hmac: Enable ESP HMAC-SHA1.
Note: For edge devices running Cisco SD-WAN Release 20.5.1 or earlier, you may have configured authentication types using the Security template. When you upgrade the device to Cisco SD-WAN Release 20.6.1 or later, update the authentication types selected in the Security template to the authentication types supported from Cisco SD-WAN Release 20.6.1. To update the authentication types, do the following: 1. From the Cisco SD-WAN Manager menu, choose Configuration > Templates. 2. Click Feature Templates. 3. Locate the Security template to update, click ..., and click Edit. 4. Click Update. Do not make any changes. Cisco SD-WAN Manager updates the Security template to show the supported authentication types.
Click Save.
Configure Data Plane Security Parameters
In the data plane, IPsec is enabled by default on all routers, and by default IPsec tunnel connections use an enhanced version of the Encapsulating Security Payload (ESP) protocol for authentication on IPsec tunnels. On the routers, you can change the type of authentication, the IPsec rekeying timer, and the size of the IPsec anti-replay window.
Configure Allowed Authentication Types
Authentication Types in Cisco SD-WAN Release 20.6.1 and Later
From Cisco SD-WAN Release 20.6.1, the following integrity types are supported:
- esp: This option enables Encapsulating Security Payload (ESP) encryption and integrity checking on the ESP header.
- ip-udp-esp: This option enables ESP encryption. In addition to the integrity checks on the ESP header and payload, the checks also include the outer IP and UDP headers.
- ip-udp-esp-no-id: This option is similar to ip-udp-esp; however, the ID field of the outer IP header is ignored. Configure this option in the list of integrity types to have the Cisco Catalyst SD-WAN software ignore the ID field in the IP header so that Cisco Catalyst SD-WAN can work in conjunction with non-Cisco devices.
- none: This option turns integrity checking off on IPsec packets. We do not recommend using this option.
By default, IPsec tunnel connections use an enhanced version of the Encapsulating Security Payload (ESP) protocol for authentication. To modify the negotiated integrity types or to disable the integrity check, use the following command:
integrity-type {none | ip-udp-esp | ip-udp-esp-no-id | esp}
Authentication Types Before Cisco SD-WAN Release 20.6.1
By default, IPsec tunnel connections use an enhanced version of the Encapsulating Security Payload (ESP) protocol for authentication. To modify the negotiated authentication types or to disable authentication, use the following command:
Device(config)# security ipsec authentication-type (ah-sha1-hmac | ah-no-id | sha1-hmac | none)
By default, IPsec tunnel connections use AES-GCM-256, which provides both encryption and authentication. Configure each authentication type with a separate security ipsec authentication-type command. The command options map to the following authentication types, which are listed in order from most strong to least strong:
Note
The sha1 in the configuration options is used for historical reasons. The authentication options indicate how much of the packet is checked for integrity. They do not specify the algorithm that performs the integrity check. Except for multicast traffic, the authentication algorithms supported by Cisco Catalyst SD-WAN do not use SHA1. However, in Cisco SD-WAN Release 20.1.x and later, neither unicast nor multicast uses SHA1.
- ah-sha1-hmac enables encryption and encapsulation using ESP. However, in addition to the integrity checks on the ESP header and payload, the checks also include the outer IP and UDP headers. Hence, this option supports an integrity check of the packet similar to the Authentication Header (AH) protocol. All integrity and encryption is performed using AES-256-GCM.
- ah-no-id enables a mode that is similar to ah-sha1-hmac; however, the ID field of the outer IP header is ignored. This option accommodates some non-Cisco Catalyst SD-WAN devices, including the Apple AirPort Express NAT, that have a bug that causes the ID field in the IP header, a non-mutable field, to be modified. Configure the ah-no-id option in the list of authentication types to have the Cisco Catalyst SD-WAN AH software ignore the ID field in the IP header so that the Cisco Catalyst SD-WAN software can work in conjunction with these devices.
- sha1-hmac enables ESP encryption and integrity checking.
- none maps to no authentication. This option should be used only if it is required for temporary debugging. You can also choose this option in situations where data plane authentication and integrity are not a concern. Cisco does not recommend using this option for production networks.
For information about which data packet fields are affected by these authentication types, see Data Plane Integrity. Cisco IOS XE Catalyst SD-WAN devices and Cisco vEdge devices advertise their configured authentication types in their TLOC properties. The two routers on either side of an IPsec tunnel connection negotiate the authentication to use on the connection between them, using the strongest authentication type that is configured on both routers. For example, if one router advertises the ah-sha1-hmac and ah-no-id types, and a second router advertises the ah-no-id type, the two routers negotiate to use ah-no-id on the IPsec tunnel connection between them. If no common authentication types are configured on the two peers, no IPsec tunnel is established between them. The encryption algorithm on IPsec tunnel connections depends on the type of traffic:
- For unicast traffic, the encryption algorithm is AES-256-GCM.
- For multicast traffic:
- Cisco SD-WAN Release 20.1.x and later: the encryption algorithm is AES-256-GCM.
- Earlier releases: the encryption algorithm is AES-256-CBC with SHA1-HMAC.
When the IPsec authentication type is changed, the AES key for the data path is changed.
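The negotiation rule in the paragraph above (each peer advertises the authentication types it is configured with, and the tunnel uses the strongest type present on both sides, or is not established at all when there is no common type) is easy to get wrong when you are reading TLOC properties during troubleshooting. The following is an added illustration written for this page, not Cisco code and not the vEdge implementation: it models the rule with the pre-20.6.1 option names and the strength order stated in the text, and pairs the result with the encryption algorithm chosen by traffic type and release. The release tuple argument and the function names are assumptions of this example.

```python
"""Model of data plane authentication-type negotiation between two peers.

Added illustration for this page, not Cisco code. It encodes the rule from the
text: use the strongest authentication type configured on BOTH routers, and
establish no tunnel when the peers share no type.
"""
from typing import Dict, Optional, Sequence, Tuple

# Strength order given in the text (strongest first), pre-20.6.1 option names.
AUTH_STRENGTH: Tuple[str, ...] = ("ah-sha1-hmac", "ah-no-id", "sha1-hmac", "none")


def _validate(types: Sequence[str], who: str) -> None:
    """Reject option names that are not in the documented list."""
    for name in types:
        if name not in AUTH_STRENGTH:
            raise ValueError(f"{who}: unknown authentication type {name!r}")


def negotiate_auth_type(local: Sequence[str], remote: Sequence[str]) -> Optional[str]:
    """Return the strongest type advertised by both peers, or None (no tunnel).

    Note that 'none' is a type like any other: it is selected only when both
    peers advertise it and neither advertises anything stronger in common.
    """
    _validate(local, "local")
    _validate(remote, "remote")
    common = set(local) & set(remote)
    for candidate in AUTH_STRENGTH:          # iterate strongest -> weakest
        if candidate in common:
            return candidate
    return None


def encryption_algorithm(traffic: str, release: Tuple[int, int]) -> str:
    """Encryption used on the tunnel, per the text.

    Unicast is always AES-256-GCM. Multicast is AES-256-GCM from Cisco SD-WAN
    Release 20.1.x; earlier releases use AES-256-CBC with SHA1-HMAC.
    `release` is a (major, minor) tuple, an assumption of this example.
    """
    if traffic == "unicast":
        return "AES-256-GCM"
    if traffic == "multicast":
        return "AES-256-GCM" if release >= (20, 1) else "AES-256-CBC with SHA1-HMAC"
    raise ValueError(f"unknown traffic type {traffic!r}")


def tunnel_parameters(local: Sequence[str], remote: Sequence[str],
                      traffic: str, release: Tuple[int, int]) -> Optional[Dict[str, str]]:
    """Combine both decisions; None means the IPsec tunnel is not established."""
    auth = negotiate_auth_type(local, remote)
    if auth is None:
        return None
    return {"authentication": auth, "encryption": encryption_algorithm(traffic, release)}


if __name__ == "__main__":
    # The example from the text: ah-sha1-hmac + ah-no-id versus ah-no-id alone.
    print(tunnel_parameters(["ah-sha1-hmac", "ah-no-id"], ["ah-no-id"], "unicast", (20, 6)))
    # No common type: no tunnel.
    print(tunnel_parameters(["ah-sha1-hmac"], ["sha1-hmac"], "unicast", (20, 6)))
```

When auditing a deployment, the practical check is the second case: a peer that only advertises a weaker type than everything configured on its neighbour silently gets no tunnel, which shows up as a missing BFD session rather than an error about authentication.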
Change the Rekeying Timer
Before Cisco IOS XE Catalyst SD-WAN devices and Cisco vEdge devices can exchange data traffic, they set up a secure authenticated communications channel between them. The routers use IPsec tunnels between them as the channel, and the AES-256 cipher to perform encryption. Each router generates a new AES key for its data path periodically. By default, a key is valid for 86400 seconds (24 hours), and the timer range is 10 seconds through 1209600 seconds (14 days). To change the rekey timer value:
Device(config)# security ipsec rekey seconds
The configuration looks like this:
security ipsec rekey seconds !
If you want to generate new IPsec keys immediately, you can do so without modifying the configuration of the router. To do this, issue the request security ipsec-rekey command on the compromised router. For example, the following output shows that the local SA has a Security Parameter Index (SPI) of 256:
A unique key is associated with each SPI. If this key is compromised, use the request security ipsec-rekey command to generate a new key immediately. This command increments the SPI. In our example, the SPI changes to 257 and the key associated with it is now used:
- Device# request security ipsec-rekey
- Device# show ipsec local-sa
After the new key is generated, the router sends it immediately to the Cisco SD-WAN Controllers, using DTLS or TLS. The Cisco SD-WAN Controllers send the key to the peer routers. The routers begin using it as soon as they receive it. Note that the key associated with the old SPI (256) continues to be used for a short period of time, until it times out. To stop using the old key immediately, issue the request security ipsec-rekey command twice, in quick succession. This sequence of commands removes both SPI 256 and 257 and sets the SPI to 258. The router then uses the key associated with SPI 258. Note, however, that some packets will be dropped for a short period of time until all remote routers learn the new key.
Change the Size of the Anti-Replay Window
IPsec authentication provides anti-replay protection by assigning a unique sequence number to each packet in a data stream. This sequence numbering protects against an attacker duplicating data packets. With anti-replay protection, the sender assigns monotonically increasing sequence numbers, and the destination checks these sequence numbers to detect duplicates. Because packets often do not arrive in order, the destination maintains a sliding window of sequence numbers that it will accept.
Packets with sequence numbers that fall to the left of the sliding window range are considered old or duplicates, and the destination drops them. The destination tracks the highest sequence number it has received, and adjusts the sliding window when it receives a packet with a higher value.
By default, the sliding window is set to 512 packets. It can be set to any value between 64 and 4096 that is a power of 2 (that is, 64, 128, 256, 512, 1024, 2048, or 4096). To modify the anti-replay window size, use the replay-window command, specifying the size of the window:
Device(config)# security ipsec replay-window number
The configuration looks like this:
security ipsec replay-window number ! !
To help with QoS, separate replay windows are maintained for each of the first eight traffic channels. The configured replay window size is divided by eight for each channel. If QoS is configured on a router, that router might experience a larger than expected number of packet drops as a result of the IPsec anti-replay mechanism, and many of the packets that are dropped are legitimate ones. This occurs because QoS reorders packets, giving higher-priority packets preferential treatment and delaying lower-priority packets. To minimize or prevent this situation, you can do the following:
- Increase the size of the anti-replay window.
- Engineer traffic onto the first eight traffic channels to ensure that traffic within a channel is not reordered.
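The two paragraphs above describe the receiver-side sliding window and the per-channel split that makes QoS reordering look like replay. The block below is an added illustration for this page, not Cisco code and not the vEdge implementation: a minimal sliding-window checker that drops packets left of the window as old, drops duplicates inside the window as replays, and advances the window on a higher sequence number, plus a helper that divides a configured window across the first eight channels. The arrival sequences are constructed for the example; the class and function names are assumptions.

```python
"""Sliding-window anti-replay check, as described in the text.

Added illustration for this page, not Cisco code. Window semantics: a
receiver accepts sequence numbers in (highest - size, highest]; anything at or
below highest - size is "old" and dropped; a number already accepted inside
the window is a replay and dropped; a number above `highest` slides the window.
"""
from typing import Dict, List, Set, Tuple

# Sizes the text allows for the configured (whole-tunnel) window.
VALID_WINDOW_SIZES = (64, 128, 256, 512, 1024, 2048, 4096)
TRAFFIC_CHANNELS = 8  # separate windows are kept for the first eight channels


class ReplayWindow:
    def __init__(self, size: int) -> None:
        if size <= 0:
            raise ValueError("window size must be positive")
        self.size = size
        self.highest = 0            # highest sequence number accepted so far
        self.seen: Set[int] = set()  # accepted numbers still inside the window

    def accept(self, seq: int) -> Tuple[bool, str]:
        """Return (accepted, reason) for a packet carrying sequence number seq."""
        if seq <= 0:
            return False, "dropped: invalid sequence number"
        if seq > self.highest:
            # Newer than anything seen: slide the window and forget what fell out.
            self.highest = seq
            self.seen.add(seq)
            low = self.highest - self.size + 1
            self.seen = {s for s in self.seen if s >= low}
            return True, "accepted: window advanced"
        if seq <= self.highest - self.size:
            return False, "dropped: older than window"
        if seq in self.seen:
            return False, "dropped: replayed sequence number"
        self.seen.add(seq)
        return True, "accepted: out of order but inside window"


def validate_configured_size(size: int) -> int:
    """Mirror the CLI constraint: only the listed powers of two are allowed."""
    if size not in VALID_WINDOW_SIZES:
        raise ValueError(f"replay-window must be one of {VALID_WINDOW_SIZES}")
    return size


def per_channel_windows(configured: int) -> Dict[int, ReplayWindow]:
    """Split the configured window by eight, one window per traffic channel."""
    per_channel = validate_configured_size(configured) // TRAFFIC_CHANNELS
    return {ch: ReplayWindow(per_channel) for ch in range(TRAFFIC_CHANNELS)}


def dropped_packets(window: ReplayWindow, arrival_order: List[int]) -> List[int]:
    """Feed packets in arrival order and return the sequence numbers dropped."""
    return [seq for seq in arrival_order if not window.accept(seq)[0]]


# Constructed arrival order on one channel: packet 4 is a low-priority packet
# that QoS held back while 12..19 (higher priority) went ahead of it.
QOS_REORDERED = [1, 2, 3, 12, 13, 14, 15, 16, 17, 18, 19, 4]


def qos_demo(configured: int) -> List[int]:
    """Legitimate drops on channel 0 for a given configured window size."""
    return dropped_packets(per_channel_windows(configured)[0], QOS_REORDERED)


if __name__ == "__main__":
    print("window 64  (8 per channel):", qos_demo(64))    # packet 4 dropped as "old"
    print("window 512 (64 per channel):", qos_demo(512))  # nothing dropped
```

The small per-channel window (64 / 8 = 8 sequence numbers) is what turns an ordinary QoS delay into a drop: once eight higher-priority packets have advanced the window, the delayed packet is below the window's lower edge and is indistinguishable from a replay. Raising the configured size, as the text recommends, widens each channel's window in proportion.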
Configure IKE-Enabled IPsec Tunnels
To securely transfer traffic from the overlay network to a service network, you can configure IPsec tunnels that run the Internet Key Exchange (IKE) protocol. IKE-enabled IPsec tunnels provide authentication and encryption to ensure secure packet transport. You create an IKE-enabled IPsec tunnel by configuring an IPsec interface. IPsec interfaces are logical interfaces, and you configure them just like any other physical interface. You configure IKE protocol parameters on the IPsec interface, and you can configure other interface properties.
Note: Cisco recommends using IKE Version 2. From the Cisco SD-WAN 19.2.x release onwards, the pre-shared key must be at least 16 bytes in length. IPsec tunnel establishment fails if the key size is less than 16 characters when the router is upgraded to 19.2.
Note
The Cisco Catalyst SD-WAN software supports IKE Version 2 as described in RFC 7296. One use for IPsec tunnels is to allow vEdge Cloud router VM instances running on Amazon AWS to connect to the Amazon virtual private cloud (VPC). You must configure IKE Version 1 on these routers. Cisco vEdge devices support only route-based VPNs in an IPsec configuration because these devices cannot define traffic selectors in the encryption domain.
Configure an IPsec Tunnel
To configure an IPsec tunnel interface for secure transport traffic from a service network, you create a logical IPsec interface:
You can create the IPsec tunnel in the transport VPN (VPN 0) and in any service VPN (VPN 1 through 65530, except for 512). The IPsec interface has a name in the format ipsecnumber, where number can be from 1 through 255. Each IPsec interface must have an IPv4 address. This address must be a /30 prefix. All traffic in the VPN that is within this IPv4 prefix is directed to a physical interface in VPN 0 to be sent securely over an IPsec tunnel. To configure the source of the IPsec tunnel on the local device, specify either the IP address of the physical interface (in the tunnel-source command) or the name of the physical interface (in the tunnel-source-interface command). Ensure that the physical interface is configured in VPN 0. To configure the destination of the IPsec tunnel, specify the IP address of the remote device in the tunnel-destination command. The combination of a source address (or source interface name) and a destination address defines a single IPsec tunnel. Only one IPsec tunnel can exist that uses a specific source address (or interface name) and destination address pair.
Configure an IPsec Static Route
To direct traffic from the service VPN to the IPsec tunnel in the transport VPN (VPN 0), you configure an IPsec-specific static route in a service VPN (a VPN other than VPN 0 or VPN 512):
- vEdge(config)# vpn vpn-id
- vEdge(config-vpn)# ip ipsec-route prefix/length vpn 0 interface ipsecnumber [ipsecnumber2]
The VPN ID is that of any service VPN (VPN 1 through 65530, except for 512). prefix/length is the IP address or prefix, in decimal four-part dotted notation, and prefix length of the IPsec-specific static route. The interface is the IPsec tunnel interface in VPN 0. You can configure one or two IPsec tunnel interfaces. If you configure two, the first is the primary IPsec tunnel, and the second is the backup. With two interfaces, all packets are sent only to the primary tunnel. If that tunnel fails, all packets are then sent to the secondary tunnel. If the primary tunnel comes back up, all traffic is moved back to the primary IPsec tunnel.
Enable IKE Version 1
When you create an IPsec tunnel on a vEdge router, IKE Version 1 is enabled by default on the tunnel interface. The following properties are also enabled by default for IKEv1:
- Authentication and encryption: AES-256 advanced encryption standard CBC encryption with the HMAC-SHA1 keyed-hash message authentication code algorithm for integrity
- Diffie-Hellman group number: 16
- Rekeying time interval: 4 hours
- SA establishment mode: Main
By default, IKEv1 uses IKE main mode to establish IKE SAs. In this mode, six negotiation packets are exchanged to establish the SA. To exchange only three negotiation packets, enable aggressive mode:
Note
IKE aggressive mode with pre-shared keys should be avoided wherever possible. Otherwise, a strong pre-shared key must be chosen.
- vEdge(config)# vpn vpn-id interface ipsecnumber ike
- vEdge(config-ike)# mode aggressive
By default, IKEv1 uses Diffie-Hellman group 16 in the IKE key exchange. This group uses the 4096-bit more modular exponential (MODP) group during IKE key exchange. You can change the group number to 2 (for 1024-bit MODP), 14 (2048-bit MODP), or 15 (3072-bit MODP):
- vEdge(config)# vpn vpn-id interface ipsecnumber ike
- vEdge(config-ike)# group number
By default, IKE key exchange uses AES-256 advanced encryption standard CBC encryption with the HMAC-SHA1 keyed-hash message authentication code algorithm for integrity. You can change the authentication:
- vEdge(config)# vpn vpn-id interface ipsecnumber ike
- vEdge(config-ike)# cipher-suite suite
The authentication suite can be one of the following:
- aes128-cbc-sha1: AES-128 advanced encryption standard CBC encryption with the HMAC-SHA1 keyed-hash message authentication code algorithm for integrity
- aes128-cbc-sha2: AES-128 advanced encryption standard CBC encryption with the HMAC-SHA256 keyed-hash message authentication code algorithm for integrity
- aes256-cbc-sha1: AES-256 advanced encryption standard CBC encryption with the HMAC-SHA1 keyed-hash message authentication code algorithm for integrity; this is the default.
- aes256-cbc-sha2: AES-256 advanced encryption standard CBC encryption with the HMAC-SHA256 keyed-hash message authentication code algorithm for integrity
By default, IKE keys are refreshed every 1 hour (3600 seconds). You can change the rekeying interval to a value from 30 seconds through 14 days (1209600 seconds). It is recommended that the rekeying interval be at least 1 hour.
- vEdge(config)# vpn vpn-id interface ipsecnumber ike
- vEdge(config-ike)# rekey seconds
To force the generation of new keys for an IKE session, issue the request ipsec ike-rekey command.
For IKE, you can also configure preshared key (PSK) authentication:
- vEdge(config)# vpn vpn-id interface ipsecnumber ike
- vEdge(config-ike)# authentication-type pre-shared-key pre-shared-secret password
password is the password to use with the preshared key. It can be an ASCII or a hexadecimal string from 1 through 127 characters long.
If the remote IKE peer requires a local or remote ID, you can configure this identifier:
- vEdge(config)# vpn vpn-id interface ipsecnumber ike authentication-type
- vEdge(config-authentication-type)# local-id id
- vEdge(config-authentication-type)# remote-id id
The identifier can be an IP address or any text string from 1 through 63 characters long. By default, the local ID is the tunnel's source IP address and the remote ID is the tunnel's destination IP address.
Enable IKE Version 2
When you configure an IPsec tunnel to use IKE Version 2, the following properties are also enabled by default for IKEv2:
- Authentication and encryption: AES-256 advanced encryption standard CBC encryption with the HMAC-SHA1 keyed-hash message authentication code algorithm for integrity
- Diffie-Hellman group number: 16
- Rekeying time interval: 4 hours
By default, IKEv2 uses Diffie-Hellman group 16 in the IKE key exchange. This group uses the 4096-bit more modular exponential (MODP) group during IKE key exchange. You can change the group number to 2 (for 1024-bit MODP), 14 (2048-bit MODP), or 15 (3072-bit MODP):
- vEdge(config)# vpn vpn-id interface ipsecnumber ike
- vEdge(config-ike)# group number
By default, IKE key exchange uses AES-256 advanced encryption standard CBC encryption with the HMAC-SHA1 keyed-hash message authentication code algorithm for integrity. You can change the authentication:
- vEdge(config)# vpn vpn-id interface ipsecnumber ike
- vEdge(config-ike)# cipher-suite suite
The authentication suite can be one of the following:
- aes128-cbc-sha1: AES-128 advanced encryption standard CBC encryption with the HMAC-SHA1 keyed-hash message authentication code algorithm for integrity
- aes128-cbc-sha2: AES-128 advanced encryption standard CBC encryption with the HMAC-SHA256 keyed-hash message authentication code algorithm for integrity
- aes256-cbc-sha1: AES-256 advanced encryption standard CBC encryption with the HMAC-SHA1 keyed-hash message authentication code algorithm for integrity; this is the default.
- aes256-cbc-sha2: AES-256 advanced encryption standard CBC encryption with the HMAC-SHA256 keyed-hash message authentication code algorithm for integrity
By default, IKE keys are refreshed every 4 hours (14,400 seconds). You can change the rekeying interval to a value from 30 seconds through 14 days (1209600 seconds):
- vEdge(config)# vpn vpn-id interface ipsecnumber ike
- vEdge(config-ike)# rekey seconds
To force the generation of new keys for an IKE session, issue the request ipsec ike-rekey command. For IKE, you can also configure preshared key (PSK) authentication:
- vEdge(config)# vpn vpn-id interface ipsecnumber ike
- vEdge(config-ike)# authentication-type pre-shared-key pre-shared-secret password
password is the password to use with the preshared key. It can be an ASCII or a hexadecimal string, or it can be an AES-encrypted key. If the remote IKE peer requires a local or remote ID, you can configure this identifier:
- vEdge(config)# vpn vpn-id interface ipsecnumber ike authentication-type
- vEdge(config-authentication-type)# local-id id
- vEdge(config-authentication-type)# remote-id id
The identifier can be an IP address or any text string from 1 through 64 characters long. By default, the local ID is the tunnel's source IP address and the remote ID is the tunnel's destination IP address.
Konzani IPsec Tunnel Parameters
Gulu 4: Mbiri Yakale
Mbali Dzina | Kutulutsa Zambiri | Kufotokozera |
Zowonjezera Cryptographic | Kutulutsidwa kwa Cisco SD-WAN 20.1.1 | Izi zimawonjezera chithandizo cha |
Thandizo la Algorithmic la IPSec | HMAC_SHA256, HMAC_SHA384, ndi | |
Ngalande | HMAC_SHA512 ma aligorivimu a | |
chitetezo chowonjezereka. |
By default, the following parameters are used on the IPsec tunnel that carries IKE traffic:
- Authentication and encryption - AES-256 algorithm in GCM (Galois/counter mode)
- Rekeying interval - 4 hours
- Replay window - 32 packets
You can change the encryption on the IPsec tunnel to the AES-256 cipher in CBC (cipher block chaining) mode with HMAC using either SHA-1 or SHA-2 keyed-hash message authentication, or to null with HMAC using either SHA-1 or SHA-2 keyed-hash message authentication, so that the IPsec tunnel used for IKE key exchange traffic is not encrypted:
- vEdge(config-interface-ipsecnumber)# ipsec
- vEdge(config-ipsec)# cipher-suite (aes256-gcm | aes256-cbc-sha1 | aes256-cbc-sha256 | aes256-cbc-sha384 | aes256-cbc-sha512 | aes256-null-sha1 | aes256-null-sha256 | aes256-null-sha384 | aes256-null-sha512)
By default, IKE keys are refreshed every 4 hours (14,400 seconds). You can change the rekeying interval to a value from 30 seconds through 14 days (1209600 seconds):
- vEdge(config-interface-ipsecnumber)# ipsec
- vEdge(config-ipsec)# rekey seconds
To force the generation of new keys for an IPsec tunnel, issue the request ipsec ipsec-rekey command. By default, perfect forward secrecy (PFS) is enabled on IPsec tunnels, to ensure that past sessions are not affected if future keys are compromised. PFS forces a new Diffie-Hellman key exchange, by default using the 4096-bit Diffie-Hellman prime modulus group. You can change the PFS setting:
- vEdge(config-interface-ipsecnumber)# ipsec
- vEdge(config-ipsec)# perfect-forward-secrecy pfs-setting
pfs-setting can be one of the following:
- group-2: Use the 1024-bit Diffie-Hellman prime modulus group.
- group-14: Use the 2048-bit Diffie-Hellman prime modulus group.
- group-15: Use the 3072-bit Diffie-Hellman prime modulus group.
- group-16: Use the 4096-bit Diffie-Hellman prime modulus group. This is the default.
- none: Disable PFS.
By default, the IPsec replay window on the IPsec tunnel is 512 bytes. You can set the window size to 64, 128, 256, 512, 1024, 2048, or 4096 packets:
- vEdge(config-interface-ipsecnumber)# ipsec
- vEdge(config-ipsec)# replay-window number
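The following is an added example, not Cisco code, that checks an ipsec parameter block against the option sets and ranges documented in this section and flags the choices that weaken the IKE transport tunnel (a null cipher suite, PFS disabled, or a 1024-bit group). The sample block, the regex-based parser and the audit rules are constructed for illustration.

```python
"""Added example (not Cisco's code): audit a vEdge 'ipsec' sub-block against the
cipher-suite options, rekey range, PFS groups and replay-window sizes documented
in this section, and flag settings that weaken the tunnel carrying IKE traffic."""
import re

# Option sets and ranges as documented in this section
CIPHER_SUITES = {
    "aes256-gcm", "aes256-cbc-sha1", "aes256-cbc-sha256", "aes256-cbc-sha384",
    "aes256-cbc-sha512", "aes256-null-sha1", "aes256-null-sha256",
    "aes256-null-sha384", "aes256-null-sha512",
}
PFS_GROUPS = {"group-2": 1024, "group-14": 2048, "group-15": 3072, "group-16": 4096}
REPLAY_WINDOWS = {64, 128, 256, 512, 1024, 2048, 4096}
REKEY_MIN, REKEY_MAX = 30, 1209600  # 30 seconds through 14 days

def parse_ipsec_block(text):
    """Parse the 'keyword value' lines of an 'ipsec' sub-block into a dict."""
    params = {}
    for line in text.splitlines():
        m = re.match(r"\s*(cipher-suite|rekey|perfect-forward-secrecy|replay-window)\s+(\S+)", line)
        if m:
            params[m.group(1)] = m.group(2)
    return params

def audit_ipsec_params(params):
    """Return a list of findings; an empty list means valid and not weakened."""
    findings = []
    suite = params.get("cipher-suite", "aes256-gcm")  # documented default
    if suite not in CIPHER_SUITES:
        findings.append(f"unknown cipher-suite {suite}")
    elif "-null-" in suite:
        findings.append(f"{suite} leaves IKE key exchange traffic unencrypted")
    elif suite.endswith("sha1"):
        findings.append(f"{suite} uses HMAC-SHA-1; prefer aes256-gcm or a SHA-2 suite")
    rekey = int(params.get("rekey", 14400))  # documented default: 4 hours
    if not REKEY_MIN <= rekey <= REKEY_MAX:
        findings.append(f"rekey {rekey} is outside {REKEY_MIN}..{REKEY_MAX} seconds")
    pfs = params.get("perfect-forward-secrecy", "group-16")  # documented default
    if pfs == "none":
        findings.append("PFS disabled: past sessions are exposed if future keys are compromised")
    elif pfs not in PFS_GROUPS:
        findings.append(f"unknown PFS setting {pfs}")
    elif PFS_GROUPS[pfs] < 2048:
        findings.append(f"{pfs} is a {PFS_GROUPS[pfs]}-bit DH group; prefer group-14 or larger")
    window = int(params.get("replay-window", 512))
    if window not in REPLAY_WINDOWS:
        findings.append(f"replay-window {window} is not one of {sorted(REPLAY_WINDOWS)}")
    return findings

# Constructed sample block (not taken from a real device); every setting is weak or invalid
SAMPLE = "ipsec\n cipher-suite aes256-null-sha256\n rekey 20\n perfect-forward-secrecy group-2\n replay-window 500\n"
```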
Modify IKE Dead-Peer Detection
IKE uses a dead-peer detection mechanism to determine whether the connection to an IKE peer is functional and reachable. To implement this mechanism, IKE sends a Hello packet to its peer, and the peer sends an acknowledgment in response. By default, IKE sends Hello packets every 10 seconds, and after three unacknowledged packets, IKE declares the neighbor to be dead and tears down the tunnel to the peer. Thereafter, IKE periodically sends a Hello packet to the peer, and re-establishes the tunnel when the peer comes back online. You can change the liveness detection interval to a value from 0 through 65535, and you can change the number of retries to a value from 0 through 255.
Note
For transport VPNs, the liveness detection interval is converted to seconds by using the following formula: Interval for retransmission attempt number N = interval * 1.8^(N-1). For example, if the interval is set to 10 and retries to 5, the detection interval increases as follows:
- Attempt 1: 10 * 1.8^(1-1) = 10 seconds
- Attempt 2: 10 * 1.8^(2-1) = 18 seconds
- Attempt 3: 10 * 1.8^(3-1) = 32.4 seconds
- Attempt 4: 10 * 1.8^(4-1) = 58.32 seconds
- Attempt 5: 10 * 1.8^(5-1) = 104.976 seconds
vEdge(config-interface-ipsecnumber)# dead-peer-detection interval retries number
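The following is an added example, not Cisco code, that works the formula from the note above: it produces the escalating per-attempt waits for a transport VPN and, assuming the waits run back to back with no acknowledgment, the total time until the peer is declared dead. The non-transport case, modelled here as a fixed interval per attempt, is an assumption drawn from the default behaviour described above.

```python
"""Added example (not Cisco's code): dead-peer-detection timing for the documented
formula, interval * 1.8**(N-1) per attempt on transport VPNs, plus the total
detection time when every attempt goes unanswered."""

INTERVAL_MAX = 65535  # documented configurable range: 0 through 65535
RETRIES_MAX = 255     # documented configurable range: 0 through 255
ESCALATION = 1.8      # growth factor from the documented formula

def dpd_attempt_interval(interval, attempt, escalate=True):
    """Seconds waited before retransmission attempt number `attempt` (1-based).
    With escalate=False the wait stays fixed at `interval` (assumed non-transport behaviour)."""
    if attempt < 1:
        raise ValueError("attempt numbers start at 1")
    if not escalate:
        return float(interval)
    return interval * ESCALATION ** (attempt - 1)

def dpd_schedule(interval, retries, escalate=True):
    """Per-attempt wait times for `retries` attempts, rounded to 3 decimals."""
    if not 0 <= interval <= INTERVAL_MAX:
        raise ValueError(f"interval must be 0..{INTERVAL_MAX}")
    if not 0 <= retries <= RETRIES_MAX:
        raise ValueError(f"retries must be 0..{RETRIES_MAX}")
    return [round(dpd_attempt_interval(interval, n, escalate), 3) for n in range(1, retries + 1)]

def dpd_detection_time(interval, retries, escalate=True):
    """Total seconds from the first unanswered Hello until the peer is declared dead,
    assuming each attempt's wait elapses fully before the next attempt."""
    total = sum(dpd_attempt_interval(interval, n, escalate) for n in range(1, retries + 1))
    return round(float(total), 3)

if __name__ == "__main__":
    # The documented example: interval 10, retries 5, on a transport VPN
    for n, wait in enumerate(dpd_schedule(10, 5), start=1):
        print(f"Attempt {n}: {wait} seconds")
    print("Peer declared dead after", dpd_detection_time(10, 5), "seconds")
```

With interval 10 and 5 retries a silent transport-VPN peer is only declared dead after roughly 224 seconds, versus 30 seconds under the fixed 10-second default with three retries.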
Configure Other Interface Properties
For IPsec tunnel interfaces, you can modify the following additional properties:
- vEdge(config-interface-ipsec)# mtu bytes
- vEdge(config-interface-ipsec)# tcp-mss-adjust bytes
Disable Weak SSH Encryption Algorithms on Cisco SD-WAN Manager
Table 5: Feature History
Feature Name | Release Information | Feature Description |
Disable Weak SSH Encryption Algorithms on Cisco SD-WAN Manager | Cisco vManage Release 20.9.1 | This feature enables you to disable weaker SSH algorithms on Cisco SD-WAN Manager that may not comply with certain data security standards. |
Information About Disabling Weak SSH Encryption Algorithms on Cisco SD-WAN Manager
Cisco SD-WAN Manager provides an SSH client for communication with components in the overlay, including controllers and edge devices. The SSH client provides an encrypted connection for secure data transfer, based on a variety of encryption algorithms. Many organizations require stronger encryption than that provided by SHA-1, AES-128, and AES-192. From Cisco vManage Release 20.9.1, you can disable the following weaker encryption algorithms so that the SSH client does not use them:
- SHA-1
- AES-128
- AES-192
Before disabling these encryption algorithms, ensure that any Cisco vEdge devices in the network are running a software release later than Cisco SD-WAN Release 18.4.6.
Benefits of Disabling Weak SSH Encryption Algorithms on Cisco SD-WAN Manager
Disabling weaker SSH encryption algorithms improves the security of SSH communication and ensures that organizations using Cisco Catalyst SD-WAN comply with strict security regulations.
Disable Weak SSH Encryption Algorithms on Cisco SD-WAN Manager Using the CLI
- From the Cisco SD-WAN Manager menu, choose Tools > SSH Terminal.
- Choose the Cisco SD-WAN Manager device on which you want to disable weaker SSH algorithms.
- Enter the username and password to log in to the device.
- Enter SSH server configuration mode.
- vmanage(config)# system
- vmanage(config-system)# ssh-server
- Do one of the following to disable an SSH encryption algorithm:
- Disable SHA-1:
- vmanage(config-ssh-server)# no kex-algo sha1
- vmanage(config-ssh-server)# commit
The following warning message is displayed:
The following warnings were generated:
'system ssh-server kex-algo sha1': WARNING: Please ensure your edges have code > 18.4.6 which negotiates better than SHA1 with vManage. Otherwise edges may become offline. Proceed? [yes,no] yes
- Ensure that any Cisco vEdge devices in the network are running Cisco SD-WAN Release 18.4.6 or later and enter yes.
- Disable AES-128 and AES-192:
- vmanage(config-ssh-server)# no cipher aes-128-192
- vmanage(config-ssh-server)# commit
The following warning message is displayed:
The following warnings were generated:
'system ssh-server cipher aes-128-192': WARNING: Please ensure your edges have code > 18.4.6 which negotiates better than AES-128-192 with vManage. Otherwise edges may become offline. Proceed? [yes,no] yes
- Ensure that any Cisco vEdge devices in the network are running Cisco SD-WAN Release 18.4.6 or later and enter yes.
Verify That Weak SSH Encryption Algorithms Are Disabled on Cisco SD-WAN Manager Using the CLI
- From the Cisco SD-WAN Manager menu, choose Tools > SSH Terminal.
- Choose the Cisco SD-WAN Manager device that you want to verify.
- Enter the username and password to log in to the device.
- Run the following command: show running-config system ssh-server
- Confirm that the output shows one or more of the commands that disable the weaker encryption algorithms:
- no cipher aes-128-192
- no kex-algo sha1
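The following is an added example, not Cisco code, that automates the verification step above: it reads the output of show running-config system ssh-server and reports which of the two documented disable commands is missing, so the check can be repeated across several Cisco SD-WAN Manager instances. The sample outputs and the "!" block terminator are constructed assumptions about the output layout, not captures from a real device.

```python
"""Added example (not Cisco's code): parse 'show running-config system ssh-server'
output and report whether the commands that disable weak SSH algorithms on
Cisco SD-WAN Manager are present."""

# Commands this section documents, keyed by the weak algorithm(s) each one disables
DISABLE_COMMANDS = {
    "SHA-1 key exchange": "no kex-algo sha1",
    "AES-128/AES-192 ciphers": "no cipher aes-128-192",
}

def ssh_server_lines(running_config):
    """Return the whitespace-normalised lines inside the 'ssh-server' block.
    Assumes the block is closed by a line containing only '!' (constructed layout)."""
    lines, inside = [], False
    for raw in running_config.splitlines():
        line = " ".join(raw.split())  # collapse indentation and repeated spaces
        if line == "ssh-server":
            inside = True
            continue
        if inside:
            if line == "!":
                break
            lines.append(line)
    return lines

def weak_ssh_algorithms_status(running_config):
    """Map each weak algorithm to True when its disabling command is configured."""
    present = set(ssh_server_lines(running_config))
    return {name: cmd in present for name, cmd in DISABLE_COMMANDS.items()}

def still_enabled(running_config):
    """Names of the weak algorithms whose disable command is absent (empty = hardened)."""
    status = weak_ssh_algorithms_status(running_config)
    return sorted(name for name, disabled in status.items() if not disabled)

# Constructed sample outputs (not captured from a real device)
HARDENED = "system\n ssh-server\n  no kex-algo sha1\n  no cipher aes-128-192\n !\n!\n"
PARTIAL = "system\n ssh-server\n  no kex-algo sha1\n !\n!\n"
DEFAULT = "system\n ssh-server\n !\n!\n"

if __name__ == "__main__":
    for label, output in (("hardened", HARDENED), ("partial", PARTIAL), ("default", DEFAULT)):
        print(label, "still enabled:", still_enabled(output) or "none")
```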